When you dive into Amazon Web Services (AWS) security, you’ll face dozens of different tools and features. As a result, it can be challenging to know where to start—and it’s even more difficult to see if you’re genuinely secure. (Hint: AWS security alone often isn’t enough for full protection and efficiency.)
This curated list cuts through the noise to highlight essential AWS security tools and third-party integrations that will help you build a comprehensive, efficient security posture for your cloud environment. You’ll learn about top tools to save you time and help you build your cloud security posture, as well as the resources you’ll need to secure your cloud beyond AWS’s foundational tools.
Agentless Full Stack coverage of your AWS Workloads in minutes
Learn why CISOs at the fastest growing companies choose Wiz to help secure their AWS environments.
The need for AWS security tools today
One of the steps that organizations can take to prevent attacks and vulnerabilities is to use the tools they already have. If you operate your cloud through AWS, for example, it’s critical to take full advantage of available resources. AWS security tools do more than just prevent unauthorized access or data breaches—they actively strengthen the overall security of your AWS account, the applications you run, and the services you use.
You can categorize AWS’s security offerings into these five categories:
Identity and access management (IAM)
Data protection
Network and application protection
Compliance management
Threat detection
In the following sections, you’ll explore these tools in depth and learn about their features, use cases, and the benefits they bring AWS users.
3 stellar AWS compliance management tools
AWS provides tools like AWS CloudTrail and AWS Config to help you stay compliant by tracking resource changes and auditing configurations. These resources strengthen governance and align with regulatory expectations.
1. AWS CloudTrail
AWS CloudTrail gives you visibility into user and resource activity across your AWS environment. By logging all changes and updates, CloudTrail helps you maintain a secure and compliant AWS setup while supporting operational and risk auditing.
CloudTrail offers several key features:
Comprehensive API activity logging: Get detailed logging for all API calls across your AWS environment and a complete audit trail for security analysis and operational troubleshooting.
import boto3
from datetime import datetime

cloudtrail = boto3.client('cloudtrail')
# Query the 90-day event history for console sign-in events inside a date window
response = cloudtrail.lookup_events(
    LookupAttributes=[
        {
            'AttributeKey': 'EventName',
            'AttributeValue': 'ConsoleLogin'
        }
    ],
    StartTime=datetime(2025, 2, 1),
    EndTime=datetime(2025, 2, 21)
)
Network activity events for VPC Endpoints: Leverage CloudTrail for network activity events to gain enhanced visibility into API activity that traverses VPC endpoints.
aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket \
    --include-global-service-events --is-multi-region-trail \
    --enable-log-file-validation

# Event selectors are applied to the trail afterwards with put-event-selectors
# (create-trail has no --event-selectors option). Log data events for a bucket
# other than the trail's own log bucket, otherwise each log delivery generates
# a new data event and the trail logs itself recursively.
aws cloudtrail put-event-selectors --trail-name my-trail \
    --event-selectors '[
      {
        "ReadWriteType": "All",
        "IncludeManagementEvents": true,
        "DataResources": [
          {
            "Type": "AWS::S3::Object",
            "Values": ["arn:aws:s3:::my-data-bucket/"]
          }
        ],
        "ExcludeManagementEventSources": [
          "kms.amazonaws.com",
          "rdsdata.amazonaws.com"
        ]
      }
    ]'
Real-time monitoring: Integrate CloudTrail with Amazon CloudWatch Events (now Amazon EventBridge) to enable real-time monitoring and automated responses for specific API activities. Object-level S3 calls such as the ones below only reach EventBridge if the trail also logs S3 data events.
{
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutObject", "DeleteObject"]
    }
}
Insights: Proactively identify unusual API activity patterns—such as excessive resource provisioning, elevated error rates, or anomalous user behavior—for rapid investigation and remediation of potential security or operational issues.
# Python code snippet to get Insights events (a separate event category in lookup_events)
import json
import boto3
cloudtrail = boto3.client('cloudtrail')
insights = cloudtrail.lookup_events(EventCategory='insight')
for event in insights['Events']:
    record = json.loads(event['CloudTrailEvent'])  # the full event record is a JSON string
    print(event['EventName'], record.get('insightDetails'))
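An EventBridge pattern treats every leaf value as a list of acceptable values, which is why the S3 pattern above must be written with arrays. The following added example, not from the page or from AWS, implements that matching rule in Python and runs the S3 write pattern and a constructed console sign-in failure pattern over constructed CloudTrail event envelopes, showing which events a rule would deliver to its target.

```python
# Added example: minimal EventBridge-style pattern matching for CloudTrail events.
# The sample events below are constructed for illustration, not captured from AWS.

def matches(pattern, event):
    """Return True if `event` satisfies `pattern` under EventBridge's basic rules:
    every key in the pattern must exist in the event, a list means "the event
    value must equal one of these", and a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            # EventBridge rejects a bare scalar here; surface it as a pattern error
            raise ValueError(f"pattern value for {key!r} must be a list or object")
    return True


def matching_events(pattern, events):
    """The events a rule with this pattern would deliver to its target."""
    return [e for e in events if matches(pattern, e)]


# Corrected form of the page's S3 write pattern: every leaf value is a list.
S3_OBJECT_WRITES = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutObject", "DeleteObject"],
    },
}

# Failed console sign-ins; CloudTrail delivers console sign-in events to
# EventBridge with this source and detail-type.
CONSOLE_LOGIN_FAILURES = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "responseElements": {"ConsoleLogin": ["Failure"]},
    },
}

# Constructed EventBridge envelopes, trimmed to the fields the patterns use.
SAMPLE_EVENTS = [
    {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
                "requestParameters": {"bucketName": "my-data-bucket", "key": "ledger.csv"}}},
    {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "requestParameters": {"bucketName": "my-data-bucket", "key": "ledger.csv"}}},
    {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "iam.amazonaws.com", "eventName": "PutObject"}},  # wrong service
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
                "responseElements": {"ConsoleLogin": "Failure"}}},
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.4",
                "responseElements": {"ConsoleLogin": "Success"}}},
]

if __name__ == "__main__":
    for name, pattern in (("S3 object writes", S3_OBJECT_WRITES),
                          ("console login failures", CONSOLE_LOGIN_FAILURES)):
        hits = matching_events(pattern, SAMPLE_EVENTS)
        print(f"{name}: {len(hits)} match(es)", [h["detail"] for h in hits])
```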
Limitations:
While AWS CloudTrail has many strengths, users complain about an uncomfortable UI/UX, limited advanced filtering of logs, log overload, and an alerting system that lacks flexibility. Additionally, AWS CloudTrail shows only 90 days of events, which makes long-term analysis and improvement more difficult.
2. AWS Config
AWS Config provides organizations with a clear view of their AWS resources, configurations, and dependencies. It also tracks changes and lets you evaluate configurations against your desired setup, which can help you keep your AWS environment secure and compliant.
Key features include:
Resource inventory: Audit and review configurations across your environment and use AWS Config to track resources across multiple accounts with AWS Organizations integration. Custom tagging can also help you categorize resources granularly.
# Python code snippet to list discovered resources
import boto3
config = boto3.client('config')
# Resources AWS Config has recorded for the given type (EC2 instances here)
resources = config.list_discovered_resources(resourceType='AWS::EC2::Instance')
for resource in resources['resourceIdentifiers']:
    print(resource['resourceId'])
Advanced configuration history: Compare configurations across time periods and detect anomalous changes with machine learning to maintain a clear audit trail.
Configuration change notifications: Set up granular SNS notifications with custom filtering to receive real-time alerts on critical configuration changes. Integrations with popular DevOps tools like Slack or PagerDuty can give your team immediate notifications as well.
Compliance auditing: Implement custom compliance checks against your internal policies and external regulatory standards. AWS Config Rules can also automate continuous compliance monitoring and generate detailed reports for auditors.
The following illustration shows how AWS Config integrates with other cloud services:
Limitations:
Some users express frustration with AWS Config's setup, poor documentation, and a lack of guidance on how to use the tool, although AWS has since improved its guides and now provides hands-on labs for easier onboarding. Additionally, while Config can help you manage configuration and auditing, it doesn't prevent users from making non-compliant adjustments. To mitigate non-compliant adjustments, implement AWS Config Rules with auto-remediation actions.
3. AWS Security Hub
AWS Security Hub streamlines security and compliance management across your AWS ecosystem. Consolidating findings from AWS services and third-party tools provides you with a unified view, which can help you focus on critical security alerts and maintain a strong security posture.
AWS Security Hub’s features include:
Automated security checks: Leverage Security Hub’s integration with AWS Config to automate security best practice checks. You can then create custom security checks using AWS Lambda to address your organization’s specific security requirements.
Integrated AWS services: Connect Security Hub with various AWS services and third-party tools to create a comprehensive view of your security posture and compliance findings. Then, use the AWS Security Finding Format to normalize and analyze security data from multiple sources.
Compliance standards: Monitor and evaluate your AWS resources against frameworks like CIS AWS Foundations, PCI DSS, and NIST. You can also create custom controls to align with your organization’s unique compliance requirements.
Centralized dashboard: Aggregate findings from multiple AWS accounts and services into one dashboard for better security and compliance insights. Custom actions can help you automate response and remediation workflows directly from the Security Hub console.
Security Hub also allows you to filter and prioritize findings to quickly identify and respond to the most urgent security threats.
Limitations:
Some users find AWS Security Hub’s custom rule creation capabilities to be limiting and want more flexibility. Additionally, security engineers often need more granular control over rule definitions than Security Hub provides, as well as the ability to implement complex, organization-specific security checks.
Based on surveys, PeerSpot recommends combining Security Hub with Wiz for a holistic, cloud-native security posture.
2 top threat detection tools for AWS
AWS provides tools that continuously monitor and detect potential threats to your AWS accounts and workloads. These services use machine learning and threat intelligence feeds to identify and respond to security risks.
1. Amazon GuardDuty
Amazon GuardDuty is an advanced threat detection service that integrates seamlessly into the AWS ecosystem. By continuously scanning for malicious or unauthorized activities, GuardDuty helps you keep your AWS accounts and workloads secure, even as new threats emerge.
GuardDuty’s API integrates threat detection into existing security workflows and SIEM systems. Your team can also use AWS Lambda functions to automate responses to GuardDuty findings and enable rapid threat mitigation.
Key features include:
Anomaly detection: Continuously monitor AWS environment activity and identify unusual patterns that may indicate potential threats and anomalies, such as unusual API calls, suspicious port scanning, and compromised EC2 instances.
Machine learning: Detect new threats—even those you’ve never seen before—by leveraging GuardDuty’s evolving machine learning capabilities, as in the example below:
# Note: GuardDuty uses machine learning internally and its findings reflect its ML capabilities
import boto3
guardduty = boto3.client('guardduty')
# GuardDuty has one detector per Region; list_detectors returns its ID
detector_id = guardduty.list_detectors()['DetectorIds'][0]
findings = guardduty.list_findings(DetectorId=detector_id)
for finding_id in findings['FindingIds']:
    print(finding_id)
Unusual API calls: Receive alerts for unexpected or suspicious API calls that could signal malicious activity.
# Python code snippet to filter findings related to unusual API calls
import boto3
guardduty = boto3.client('guardduty')
detector_id = guardduty.list_detectors()['DetectorIds'][0]
# FindingCriteria wraps each filter in a 'Criterion' map keyed by finding attribute
criteria = {
    'Criterion': {
        'type': {'Eq': ['Recon:IAMUser/UnusualAPIActivity']}
    }
}
unusual_api_findings = guardduty.list_findings(DetectorId=detector_id, FindingCriteria=criteria)
for finding_id in unusual_api_findings['FindingIds']:
    print(finding_id)
Unauthorized deployments: Detect unexpected resource deployments that may indicate a compromised account or misconfiguration.
Limitations:
As Michael Wittig writes in Cloudonaut, “Amazon GuardDuty Malware Protection for S3 can scan files in real-time. [...] Unfortunately, that’s it. Each file is scanned only once. There is no way to trigger a scan programmatically.” Wittig continues with other limitations, such as the inability to delete files without separating them into a separate S3 bucket and barriers to the mitigation process.
Additionally, in a popular thread on Hacker News, users complain about GuardDuty pricing within the AWS ecosystem: “All of these things have a variable cost that grows with usage and [is] very hard to predict ahead of time.”
2. Amazon Inspector
Amazon Inspector is a powerful security assessment tool that integrates seamlessly with AWS. By automatically evaluating applications for potential vulnerabilities and deviations from AWS best practices, Inspector helps you keep your applications secure and compliant throughout their lifecycle.
For example, you can integrate Amazon Inspector into CI/CD pipelines to automate security assessments during deployment. You can also leverage Inspector’s APIs to feed vulnerability findings into your ticketing systems, which streamlines remediation workflows.
Key capabilities include:
Assessment templates: Define templates that establish the rules and standards for evaluating your applications.
Findings: Receive detailed reports after assessments that highlight security issues and enable timely remediation.
Best practices: Verify that your applications follow AWS best practices, such as properly configured security groups or SSH settings.
Limitations:
Amazon Inspector is specific to AWS, so you would need another tool to assess resources outside of AWS, particularly in hybrid environments. And while Inspector does assess EC2 instances and Lambda functions, it lacks vulnerability inspection for S3, RDS, and similar services.
2 popular data protection tools
Data is one of an organization’s most valuable assets. To help you securely store data and protect sensitive information like PII, AWS offers Secrets Manager and Amazon Macie.
1. AWS Secrets Manager
AWS Secrets Manager is essential for safeguarding the credentials that control access to applications, services, and IT resources. It uses AWS Key Management Service for encryption, which provides granular control over key management.
By securely managing sensitive information, it prevents secrets from becoming vulnerabilities through three key capabilities:
Secrets rotation: Automatically update secrets at set intervals to minimize the risk of unauthorized access.
Secure and scalable secrets storage: Encrypt and store secrets securely to ensure access for authorized entities only.
Secrets monitoring: Track and audit secrets access to maintain transparency and security.
Below are two AWS Secrets Manager use cases:
Use case 1: Managing credentials for third-party services
You can securely store API keys, database credentials, and other secrets using the code below:
aws secretsmanager create-secret --name MyTestDatabaseSecret \
    --description "My test database secret created with the CLI" \
    --secret-string '{"username":"testuser","password":"mypassword"}'
This command creates a new secret called MyTestDatabaseSecret, which includes a description and a secret string in JSON format that contains a username and password.
Use case 2: Automating secrets rotation
Regularly changing secrets helps you reduce the risk of breaches. To automate secret rotation, create a Lambda function that defines the rotation logic. Then, configure the secret in AWS Secrets Manager to use this function:
aws secretsmanager rotate-secret --secret-id MyTestDatabaseSecret \
    --rotation-lambda-arn arn:aws:lambda:region:account-id:function:rotation-function-name \
    --rotation-rules AutomaticallyAfterDays=30
The command for MyTestDatabaseSecret specifies a Lambda function to ensure automatic rotations for the secret (for example, every 30 days).
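The rotation Lambda itself is left to the reader above. The following added example, not from the page or from AWS, shows the four steps such a function handles (createSecret, setSecret, testSecret, finishSecret) for a username/password JSON secret; the FakeSecretsManager class and the plain dict standing in for the database are constructed so the code runs offline, and in a real function the client would be boto3.client('secretsmanager') and the dict operations would be your database's password change and login check.

```python
# Added example: the four steps Secrets Manager drives a rotation Lambda through,
# run against in-memory stand-ins (FakeSecretsManager, a dict database) so it executes offline.
import json
import secrets


def rotate(event, client, database):
    """One rotation step for a {"username", "password"} JSON secret. `client` follows the
    boto3 secretsmanager call shapes; `database` is a dict user -> password for the target system."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} is not staged for rotation")
    if "AWSCURRENT" in stages[token]:
        return "already current"  # finishSecret already ran; a retry is a no-op
    if "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not AWSPENDING")

    def pending():
        return json.loads(client.get_secret_value(
            SecretId=arn, VersionId=token, VersionStage="AWSPENDING")["SecretString"])

    if step == "createSecret":
        current = json.loads(client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
        try:
            pending()  # a retried invocation may already have stored the new value
        except client.exceptions.ResourceNotFoundException:
            current["password"] = secrets.token_urlsafe(24)
            client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                    SecretString=json.dumps(current), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        creds = pending()
        database[creds["username"]] = creds["password"]  # push the new password to the target
    elif step == "testSecret":
        creds = pending()
        if database.get(creds["username"]) != creds["password"]:
            raise RuntimeError("pending credentials rejected; AWSCURRENT left unchanged")
    elif step == "finishSecret":
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    return step


class FakeSecretsManager:
    """Stand-in for boto3.client('secretsmanager'), covering only the calls rotate() makes."""
    class exceptions:
        class ResourceNotFoundException(Exception): pass

    def __init__(self, current_id, secret_string, pending_id):
        # version id -> [secret string or None, staging labels]; the service pre-stages
        # the new version id as AWSPENDING (with no value yet) before invoking the Lambda
        self.versions = {current_id: [secret_string, {"AWSCURRENT"}], pending_id: [None, {"AWSPENDING"}]}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(s) for v, (_, s) in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, (value, stages) in self.versions.items():
            if value is not None and VersionId in (None, vid) and (VersionStage is None or VersionStage in stages):
                return {"SecretString": value, "VersionId": vid}
        raise self.exceptions.ResourceNotFoundException(SecretId)

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = [SecretString, set(VersionStages)]

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId][1].discard(VersionStage)
        self.versions[RemoveFromVersionId][1].add("AWSPREVIOUS")  # as the real service does
        self.versions[MoveToVersionId][1].add(VersionStage)


def run_full_rotation():
    """Drive createSecret..finishSecret once; return (old_pw, new_pw, login_ok, client)."""
    arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:MyTestDatabaseSecret"  # constructed
    old = {"username": "testuser", "password": "mypassword"}
    client = FakeSecretsManager("v1", json.dumps(old), "v2")
    database = {old["username"]: old["password"]}
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": arn, "ClientRequestToken": "v2", "Step": step}, client, database)
    new = json.loads(client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
    return old["password"], new["password"], database.get(new["username"]) == new["password"], client
```

Because testSecret runs before finishSecret, a password the database rejects leaves AWSCURRENT pointing at the still-working credential instead of breaking callers.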
Limitations:
Some users wish that the tools offered more customizations. They also express frustration over integrations for non-AWS services, rate limit issues, and complicated setups.
2. Amazon Macie
Amazon Macie uses machine learning and pattern recognition to detect and protect your confidential data within AWS. It also helps you understand and manage sensitive data at scale, which makes compliance with data privacy regulations easier.
Key features include:
Data discovery: Automatically scan Amazon S3 buckets to locate sensitive data within your AWS environment:
# Python code snippet to list S3 buckets and check them with Macie
import boto3
s3 = boto3.client('s3')
sts = boto3.client('sts')
macie = boto3.client('macie2')
account_id = sts.get_caller_identity()['Account']
# List all S3 buckets in the account
bucket_names = [bucket['Name'] for bucket in s3.list_buckets()['Buckets']]
# One one-time classification job covering every bucket; bucketDefinitions
# groups bucket names by the account that owns them
response = macie.create_classification_job(
    jobType='ONE_TIME',
    name='sensitive-data-discovery',
    s3JobDefinition={
        'bucketDefinitions': [{'accountId': account_id, 'buckets': bucket_names}]
    }
)
print(response['jobId'])
Data classification: Categorize data based on its sensitivity, such as PII, using predefined data identifiers:
# Python code snippet to get classification findings
import boto3
macie = boto3.client('macie2')
finding_ids = macie.list_findings()['findingIds']  # get_findings needs explicit IDs
if finding_ids:
    findings = macie.get_findings(findingIds=finding_ids)
    for finding in findings['findings']:
        print(f"Sensitive data type: {finding['type']}")
Security alerts: Receive notifications via Amazon CloudWatch or SNS when Macie detects potential unauthorized access or data breaches.
You can also customize Macie’s machine learning models to detect organization-specific sensitive data patterns using a custom data identifier.
aws macie2 create-custom-data-identifier \
    --name "CustomSSNIdentifier" \
    --regex "\\b\\d{3}-\\d{2}-\\d{4}\\b" \
    --keywords '["SSN","Social Security"]'
Limitations:
Macie analyzes S3 buckets but lacks the same feature for other services throughout the AWS suite, and this limited scope can leave gaps elsewhere in your environment. Additionally, while Macie can spot issues, it won't automatically remediate them without additional integrations or human input.
You can streamline these processes by using CloudWatch Events, which can trigger Lambda functions for automated responses, such as quarantining sensitive data.
1 top identity and access management tool
Restricting who can view what’s in your ecosystem is critical in today’s digital world. The key solution here is AWS’s well-known IAM web service.
AWS IAM
AWS IAM, a cornerstone of AWS security, enables organizations to control access to their AWS services and resources. It also lets you create and manage AWS users and groups so only authorized individuals can access specific resources.
AWS IAM’s key features include:
Shared access to your AWS account: Allow multiple users to access your AWS account while maintaining secure and collaborative operations.
Granular permissions: Fine-tune permissions to ensure that users can only access the necessary resources for their job.
Secure access to applications: Integrate IAM with other AWS services to enhance application security.
Multi-factor authentication: Strengthen security by requiring two or more verification methods.
IAM is ideal for managing permissions in large teams and ensuring that users can access AWS resources without compromising security. Through the principle of least privilege (PoLP), it also restricts access to sensitive data to authorized personnel only.
You can use AWS Organizations and service control policies (SCPs) to enforce PoLP. For instance, the following SCP restricts EC2 instance types:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LimitEC2InstanceTypes",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotLike": {
                    "ec2:InstanceType": ["t3.micro", "t3.small"]
                }
            }
        }
    ]
}
This policy restricts instance launches to t3.micro and t3.small to enforce cost control and security standards across the organization.
Limitations:
Some users say that AWS IAM misses key features and has a higher learning curve, mainly because of a poor user interface. Additionally, the IAM console can be complex, especially for managing large numbers of users and roles.
Without proper organization and management, large organizations may also have trouble implementing PoLP with too many IAM roles to manage, which increases security risks. To alleviate this concern, consider using IAM Access Analyzer to identify unused roles and permissions.
1 leading tool for network and application protection
Protecting your network and applications from potential threats is essential. By using the right tool and implementing a multi-layered security approach, you can strengthen your cloud posture as threats evolve.
The tool in this section can help you safeguard applications against risks like distributed denial-of-service (DDoS) attacks, volumetric attacks, and application layer attacks.
AWS Shield
AWS Shield is a fully managed DDoS protection service that secures AWS applications. It also ensures application availability and performance, even during a DDoS attack, without requiring any changes to your application.
Key features include:
DDoS protection: Defend against the most common DDoS attack vectors to keep your applications available:
# Python code snippet to enable AWS Shield Advanced protection
import boto3
shield = boto3.client('shield')
# Requires an active Shield Advanced subscription; protects the named load balancer
response = shield.create_protection(
    Name='MyProtection',
    ResourceArn='arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188'
)
Cost protection: Don’t worry about financial strain when your AWS services scale during a DDoS attack—Shield covers these scaling charges.
Threat intelligence: Gain detailed insights into ongoing and past attacks to understand the threat landscape more comprehensively and strengthen your defenses.
Limitations:
Users face challenges with AWS Shield’s architecture, and as a result, they feel that ongoing support needs improvements. Some also want the tool to offer more flexibility for customized security protocols.
While AWS Shield provides robust baseline protection, organizations with highly specific security requirements may need to supplement it with custom web application firewall rules or third-party DDoS mitigation solutions.
Enhancing AWS security services with third-party tools
While AWS provides a robust suite of native security tools, the cloud security landscape constantly evolves—and as you’ve read in many of the above limitations, not every tool offers the perfect solution.
However, third-party solutions can complement AWS’s offerings by adding extra layers of protection, specialized functionalities, and enhanced analytics.
The value of integration
Integrating third-party tools with AWS security services offers several benefits, including:
Aggregated security information: Centralize security data from AWS services and third-party tools into a unified platform for comprehensive visibility. This helps security teams correlate events, identify trends, and develop a holistic understanding of their AWS security posture, which accelerates threat detection and response.
Enriched findings: Enhance AWS data, such as GuardDuty findings, with third-party intelligence to detect and respond to threats more quickly and accurately. This equips security analysts with contextual information, reduces false positives, and improves the accuracy and speed of threat investigations.
Specialized capabilities: Close security gaps and gain specialized capabilities beyond native AWS tools by integrating third-party solutions for CSPM, SIEM, and CWPP. This enables organizations to tailor their security strategy to their specific needs and risk profile.
Adding more solutions doesn't improve security by itself, however. The key is to close these gaps with a unified platform that pulls everything together.
Without a unified approach, security teams have to manage disconnected data, inconsistent policies, and overlapping tools—which creates new blind spots instead of reducing risks. But a CNAPP like Wiz eliminates this complexity by integrating security insights across your AWS environment to provide a single, holistic, cloud-first security platform.
Wiz: Enhancing AWS security
Wiz helps organizations identify and remediate critical risks in their AWS environments. It also integrates with over 50 AWS services to provide complete visibility into your cloud estate and uses machine learning to identify risks that traditional security tools often miss. That way, instead of juggling multiple AWS tools and trying to fill in the gaps on your own, you can use Wiz for a unified view and security approach.
Wiz works with AWS in a few different ways:
Its AWS service integrations provide visibility and context. For example, Wiz can integrate with AWS CloudTrail to collect logs from your AWS resources and use machine learning to identify patterns that indicate risks. It can also integrate with AWS Security Hub to give you a consolidated view of your security findings across AWS.
Wiz provides recommendations for remediation once it identifies a risk. These recommendations include “change the password for this user” and “enable two-factor authentication for this resource.”
It also provides remediation automation for some risks, such as changing passwords or enabling two-factor authentication. This can help organizations reduce the time they spend keeping their AWS environments secure.
By integrating with AWS services and using machine learning, Wiz can spot and address critical vulnerabilities that traditional security tools often miss.
Case study: Monese
Monese experienced these improvements firsthand. The financial service company, which operates in Europe and uses AWS, needed complete visibility into its environment to prioritize security tasks, as well as misconfiguration visibility to meet industry standards and regulatory expectations.
When Monese adopted Wiz, it gained a full view of its AWS environment. That way, its small team could manage tasks more efficiently by catching and fixing vulnerabilities—which made its cloud environment much safer, despite rising threats.
“Wiz allowed us to pinpoint exactly where we had issues. If we had tried to figure out everything that was affected by log4J without Wiz, it would have taken at least seven or eight days to pinpoint everywhere that we needed to fix something. Wiz allowed us to pinpoint those areas immediately.”
Aneel Sandhu, CISO, Monese
Want to improve your visibility and security within your AWS environment? Download Wiz’s free Actionable AWS Security Best Practices [Cheat Sheet] to learn more—or improve your security posture today by trying Wiz’s demo.