The Ultimate AWS Security Cheat Sheet Bundle

Protect your AWS workloads from threats with our curated bundle of security best practices. Gain insights into S3 security, security group management, and more to ensure the confidentiality, integrity, and availability of your data.

Top Native AWS Security Tools

11 native tools for IAM, data protection, network and application protection, compliance management, and threat detection

Wiz Experts Team
10 minutes read

Understanding AWS Security Tools

In today's digital age, the cloud has become a cornerstone for many businesses, offering scalability, flexibility, and cost-effectiveness. However, with the continued adoption of cloud services, security concerns have also spiked. Ensuring the safety of data and applications in the cloud is paramount for organizations, and this is where Amazon Web Services (AWS) steps in.

This post delves into the essential AWS security tools designed to bolster cloud security in today's digital landscape. As businesses increasingly depend on the cloud for scalability, flexibility, and cost-effectiveness, the importance of safeguarding data and applications has never been higher. In this context, Amazon Web Services (AWS) offers robust solutions to address these security concerns.

The Imperative of Cloud Security

While offering numerous advantages, a cloud environment is also susceptible to many threats. From data breaches to unauthorized access, the potential risks are vast. Recognizing these challenges, AWS has prioritized providing a secure infrastructure as the first line of defense. AWS's commitment to security is evident in its comprehensive suite of tools designed to safeguard every layer of the cloud.

Top Security Tools Offered by AWS 

The Role of AWS Security Tools

AWS security tools are not just about preventing unauthorized access or data breaches. They play a multifaceted role in ensuring the overall security of an AWS account, the applications running within it, and the services being utilized. These tools play a critical role in AWS' robust security infrastructure, offering solutions that cater to specific security needs while providing a holistic view of your security posture.

AWS's security offerings can be broadly categorized into:

In the following sections, we will dive deeper into these tools, exploring their features, use cases, and the benefits they offer AWS users.

Identity and Access Management

Restricting who can view what in your ecosystem is critical in today’s digital world. The key solution here is AWS’s well-known identity and access web service. 

AWS Identity and Access Management (IAM)

AWS IAM is a cornerstone of AWS security, enabling organizations to control access to its AWS services and resources. It also lets you create and manage AWS users and groups, ensuring only authorized individuals can access specific resources.

AWS IAM basics

The primary features of IAM can be summarized as follows.

Shared access to your AWS account: Grant multiple users access to your AWS account, ensuring collaborative yet secure operations.

Granular permissions: Fine-tune permissions to ensure users are only granted access to resources they require for their job.

Secure access to applications: Integrate IAM with other AWS services to secure application access.

Multi-factor authentication: Get an extra layer of security by mandating two or more methods of verification.

IAM is especially suitable for managing permissions for large teams by making sure they can access AWS resources without compromising security. You should also use it when securing sensitive data since it will restrict access to only authorized personnel.

Data Protection

Data is often the most valuable asset for organizations. AWS provides tools like AWS Secrets Manager and Amazon Macie to ensure that data is stored securely and that sensitive information, like personally identifiable information (PII), is protected.

AWS Secrets Manager

AWS Secrets Manager is a pivotal tool for when organizations need to safeguard access to applications, services, and IT resources. It securely manages sensitive information, ensuring that secrets don't become vulnerabilities by way of three important capabilities.

Secrets rotation: Automatically change secrets at set intervals, reducing the risk of unauthorized access.

Secure and scalable secrets storage: Store secrets securely to make sure they're encrypted and accessible only by authorized entities.

Secrets monitoring: Track and monitor access to secrets, ensuring transparency and security.

AWS Secrets Manager is helpful for the following use cases.

Managing Credentials for Third-Party Services 

You can store API keys, database credentials, and other secrets securely using the code below:

aws secretsmanager create-secret --name MyTestDatabaseSecret 
--description "My test database secret created with the CLI" 
--secret-string '{"username":"testuser","password":"mypassword"}'

This command creates a new secret named MyTestDatabaseSecret, with a description and a secret string in JSON format containing a username and password.

Automating Secrets Rotation 

This guarantees that secrets are changed regularly, reducing the risk of breaches. To set up the automatic rotation of secrets, create a Lambda function that defines the rotation logic and configure the secret in Secrets Manager to use this function:

aws secretsmanager rotate-secret --secret-id MyTestDatabaseSecret 
--rotation-lambda-arn 
arn:aws:lambda:region:account-id:function:rotation-function-name 
--rotation-rules AutomaticallyAfterDays=30

The command for MyTestDatabaseSecret uses a specified Lambda function and will make sure the secret is rotated automatically every 30 days.

Amazon Security Lake

Amazon Security Lake centralizes security data from various sources, providing a unified platform for advanced threat detection and analysis with the following key features.

Data encryption: Ensure that all data within the Security Lake is encrypted, maintaining confidentiality.

Data lake export: Export data for further analysis or for compliance purposes.

Custom data uploads: Integrate data from various sources, ensuring a comprehensive view of security.

Amazon Security Lake workflow

This tool is beneficial for threat hunting by proactively searching for potential threats or vulnerabilities. In addition, it offers analytics of the security data to derive insights and improve your security posture.

Amazon Macie

Amazon Macie utilizes machine learning and pattern recognition to detect and safeguard your confidential data within AWS. With Macie, AWS users can understand and manage sensitive data at scale, making it easier to meet data privacy regulations via a few primary features. We cover these below, along with some sample code.

Data discovery: Automatically scan S3 buckets to identify where sensitive data resides within AWS:

# Python code snippet to list S3 buckets and check them with Macie
import boto3

s3 = boto3.client('s3')
macie = boto3.client('macie2')

# List all S3 buckets
buckets = s3.list_buckets()
for bucket in buckets['Buckets']:
    # Check each bucket with Macie for sensitive data
    response = macie.create_classification_job(
        jobType='ONE_TIME',
        s3JobDefinition={
            'bucketDefinitions': [{'bucketName': bucket['Name']}]
        }
    )

Data classification: Categorize data based on sensitivity, such as PII, using predefined data identifiers:

# Python code snippet to get classification findings
findings = macie.get_findings()
for finding in findings['findings']:
    print(f"Sensitive data type: {finding['type']}")

Security alerts: Receive notifications via AWS CloudWatch or SNS when Macie detects potential unauthorized access or data breaches:

# Python code snippet to create an SNS topic for Macie alerts
sns = boto3.client('sns')
topic = sns.create_topic(Name='MacieAlerts')
macie_alert_arn = topic['TopicArn']

Network and Application Protection

Protecting your network and applications from potential threats is crucial. Tools covered in this section are designed to safeguard applications from risks such as distributed denial-of-service (DDoS) attacks.

AWS Shield

AWS Shield is a comprehensive managed distributed denial-of-service (DDoS) protection service designed to safeguard AWS applications. It lets users ensure the availability and performance of their apps, even under DDoS attack, without needing to make any changes to an application. Its key features are listed below, along with sample code where relevant. 

DDoS Protection: Get robust protection against the most prevalent DDoS attack vectors, ensuring your applications remain available:

# Python code snippet to enable AWS Shield Advanced protection
import boto3
shield = boto3.client('shield')
response = shield.create_protection(
    Name='MyProtection',
    ResourceArn='arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188'
)

Cost protection: Prevent financial strain when your AWS services scale due to a DDoS attack since AWS Shield will cover the scaling charges.

Threat intelligence: Receive detailed insights into ongoing and past attacks, helping you understand the threat landscape and improve your defenses.

Compliance Management

Ensuring compliance with the relevant industry regulations and standards is a must. AWS offers tools like AWS CloudTrail and AWS Config to help organizations maintain compliance by tracking resource changes and auditing configurations.

AWS CloudTrail

AWS CloudTrail is a powerful service that provides visibility into user and resource activity across your AWS environment. By capturing a comprehensive log of changes and updates, CloudTrail helps organizations maintain a secure and compliant AWS environment, facilitating operational and risk auditing.

AWS CloudTrail has a few key features. 

Event history: Review all past actions and changes in your AWS environment via CloudTrail’s chronological log of events:

# Python code snippet to look up recent events
import boto3
cloudtrail = boto3.client('cloudtrail')
events = cloudtrail.lookup_events(LookupAttributes=[{'AttributeKey':'EventName', 'AttributeValue':'RunInstances'}])
for event in events['Events']:
    print(event['EventName'], event['EventTime'])

Management events: Stay on top of information about management operations performed on resources in your AWS account:

# Python code snippet to filter management events
management_events = cloudtrail.lookup_events(EventCategory='Management')
for event in management_events['Events']:
    print(event['EventName'], event['Username'])

Data events: Leverage insights into the resource operations performed on or within the resource itself:

# Python code snippet to filter data events for an S3 bucket
data_events = cloudtrail.lookup_events(LookupAttributes=[{'AttributeKey':'ResourceType', 'AttributeValue':'AWS::S3::Object'}])
for event in data_events['Events']:
    print(event['EventName'], event['Resources'])

Insights: Identify unusual activity, such as spikes in resource provisioning:

# Python code snippet to get insights events
insights = cloudtrail.lookup_events(InsightSelectors=[{'InsightType': 'ApiCallRateInsight'}])
for insight in insights['Events']:
    print(insight['EventName'], insight['InsightDetails'])

AWS Config

AWS Config is a dynamic service designed to give organizations a clear view of their AWS resources, configurations, and dependencies. It tracks changes and allows you to evaluate configurations against desired setups, ensuring that your AWS environment remains secure and compliant via the following capabilities.

Resource inventory: Audit and review configurations across your environment, as AWS Config continuously monitors and records your AWS resource configurations:

# Python code snippet to list discovered resources
import boto3

config = boto3.client('config')
resources = config.list_discovered_resources(resourceType='AWS::EC2::Instance')
for resource in resources['resourceIdentifiers']:
    print(resource['resourceId'])

Configuration history: Dive deep into the historical configurations of your AWS resources, providing a clear audit trail.

Configuration change notifications: Set up SNS topics to receive real-time alerts when configurations change, ensuring you're always informed.

Compliance auditing: Ensure that your AWS resources are set up according to both internal policies and external regulatory standards.

The integration of AWS Config to other services is shown in the following visualization:

AWS config architecture

AWS Security Hub

AWS Security Hub is a centralized service designed to simplify security and compliance management across your AWS ecosystem. By consolidating findings from AWS services and third-party tools, Security Hub provides a unified and organized view, allowing you to focus on the most critical security alerts and maintain a robust security posture.

Automated security checks: Continuously evaluate your AWS environment against a set of AWS best practices and industry standards.

Integrated AWS services: Integrate Security Hub with various AWS services, providing a comprehensive view of security and compliance findings.

Compliance standards: Monitor and assess your AWS resources against standards like CIS AWS Foundations; 

Centralized dashboard: Consolidate findings from multiple AWS accounts and services via a centralized dashboard for security and compliance insights.

Security Hub allows you to filter and prioritize findings, meaning you can quickly identify and respond to the most pressing security threats:

AWS Security Hub controls and findings

Threat Detection

AWS offers tools that continuously monitor and detect potential threats to AWS accounts and workloads. These services employ machine learning and threat intelligence feeds to uncover potential threats.

Amazon GuardDuty

Amazon GuardDuty is a cutting-edge threat detection service that seamlessly integrates into the AWS ecosystem. By continuously scanning for malicious or unauthorized activities, GuardDuty ensures that AWS accounts and workloads remain secure, even as new threats emerge. Its key features are listed below, with code snippets where relevant.

Anomaly detection: Constantly monitor AWS environment activity, identifying patterns that deviate from the norm and might indicate potential threats.

Machine learning: Identify new threats even if they haven't been seen before, leveraging GuardDuty’s ability to evolve over time via machine learning:

# Note: GuardDuty uses machine learning internally and its findings reflect its ML capabilities
findings = guardduty.list_findings(DetectorId=detector['DetectorId'])
for finding in findings['FindingIds']:
    print(finding)

Detecting unusual API calls: Get alerted to unexpected or suspicious API calls that might indicate malicious activity:

# Python code snippet to filter findings related to unusual API calls
criteria = {
    'type': [{'Value': 'Recon:IAMUser/UnusualAPIActivity', 'Comparison': 'CONTAINS'}]
}
unusual_api_findings = guardduty.list_findings(DetectorId=detector['DetectorId'], FindingCriteria=criteria)
for finding in unusual_api_findings['FindingIds']:
    print(finding)

Monitoring unauthorized deployments: Detect unexpected resource deployments, which could be a sign of account compromise or misconfiguration. 

Amazon Inspector 

Amazon Inspector is a powerful security assessment tool that integrates seamlessly with AWS. By automatically evaluating applications for potential vulnerabilities or deviations from AWS best practices, Inspector ensures that your applications remain secure and compliant throughout their lifecycle via a few primary capabilities.

Assessment templates: Define templates that specify the rules and standards against which your applications should be evaluated.

Findings: After an assessment, get detailed results highlighting security issues, allowing for timely remediation.

Ensuring best practices: Ensure your applications are aligned with AWS best practices, such as having properly configured security groups or SSH settings.

Amazon Inspector findings

Amazon Detective

Amazon Detective is a powerful tool designed to enhance the security posture of AWS environments. Leveraging advanced techniques like machine learning, statistical analysis, and graph theory provides deep insights into security findings, making the investigation process more efficient and accurate.

The key benefits of Amazon Detective can be summarized as follows.

Anomaly Detection: Be flagged to potential security concerns when Amazon Detective's machine learning algorithms automatically identify unusual patterns and behaviors: 

# Python code to enable anomaly detection
detective = boto3.client('detective')
response = detective.enable_anomaly_detection(accountId='123456789012')
print(response['Status'])

Visualizations: Explore security findings through detailed visualizations, making it easier to understand complex security events.

Security findings: Correlate data from various AWS services, gaining a holistic view of security events:

# Python code to list security findings
findings = detective.list_findings(accountId='123456789012')
for finding in findings:
    print(finding['Id'], finding['Type'])

Analyzing historical account behavior: Review past account activities to identify trends, vulnerabilities, or potential threats, ensuring a proactive security approach. 

Enhancing AWS Security Services with Third-Party Tools

While AWS offers a comprehensive suite of native security tools, the cloud security landscape is vast and ever-evolving. Third-party solutions can augment AWS's native offerings, providing additional layers of protection, specialized functionalities, and enhanced analytics.

The Value of Integration

Integrating third-party tools with AWS security services can offer several advantages:

  • Aggregated security information: By bringing all security information under a unique data model, organizations can have a unified view of their security posture.

  • Enriched findings: Enriching AWS data, such as findings from GuardDuty, with third-party intelligence can provide more context, helping to detect and respond to threats faster and more accurately.

  • Specialized capabilities: Some third-party tools offer specialized functionalities not available in native AWS tools, catering to niche security needs.

Wiz: Enhancing AWS Security

Wiz helps organizations identify and remediate critical risks in their AWS environments. Wiz integrates with 50+ AWS services to provide complete visibility into your cloud estate, and uses machine learning to identify risks that are often missed by traditional security tools.

Wiz works with AWS in a few different ways:

  • Wiz integrates with AWS services to provide visibility and context. For example, Wiz can integrate with AWS CloudTrail to collect logs from your AWS resources, and then use machine learning to identify patterns that indicate risks. Wiz can also integrate with AWS Security Hub to get a consolidated view of your security findings from across AWS.

  • Wiz provides recommendations for remediation. Once Wiz has identified a risk, it will provide recommendations for remediation. These recommendations can be specific, such as "change the password for this user" or "enable two-factor authentication for this resource."

  • Wiz can automate remediation. Wiz can automate the remediation of some risks, such as changing passwords or enabling two-factor authentication. This can help organizations to reduce the time and effort required to keep their AWS environments secure.

By integrating with AWS services and using machine learning, Wiz can identify and remediate critical risks that are often missed by traditional security tools.

For those looking to bolster their AWS security further, we recommend trying a demo of Wiz. Experience firsthand how it can provide a more comprehensive and effective security solution for your AWS environment.

Agentless Full Stack coverage of your AWS Workloads in minutes

Learn why CISOs at the fastest growing companies choose Wiz to help secure their AWS environments.

Get a demo 

Other security tool roundups that you might be interested in:

Continue reading

Unpacking Data Security Policies

Wiz Experts Team

A data security policy is a document outlining an organization's guidelines, rules, and standards for managing and protecting sensitive data assets.

What is Data Risk Management?

Wiz Experts Team

Data risk management involves detecting, assessing, and remediating critical risks associated with data. We're talking about risks like exposure, misconfigurations, leakage, and a general lack of visibility.

8 Essential Cloud Governance Best Practices

Wiz Experts Team

Cloud governance best practices are guidelines and strategies designed to effectively manage and optimize cloud resources, ensure security, and align cloud operations with business objectives. In this post, we'll the discuss the essential best practices that every organization should consider.

What is Data Detection and Response?

Data detection and response (DDR) is a cybersecurity solution that uses real-time data monitoring, analysis, and automated response to protect sensitive data from sophisticated attacks that traditional security measures might miss, such as insider threats, advanced persistent threats (APTs), and supply chain attacks.