AWS Key Management Service (KMS) lets you make and control keys that act like locks, so only authorised people and apps can use your data.
AWS Shield is a managed service that protects apps running on AWS against DDoS attacks. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. AWS Shield Advanced is an optional paid service.
AWS Web Application Firewall (WAF) monitors network requests to your web apps, protecting AWS resources by allowing or blocking specific requests.
Amazon Inspector runs security assessments to ensure your applications adhere to security best practices and compliance standards.
Amazon GuardDuty helps you identify and respond to security threats and vulnerabilities in your AWS environment.
By combining security groups, Elastic Load Balancers, AWS Shield, and AWS WAF, your applications are well-equipped to withstand distributed denial-of-service (DDoS) attacks and maintain availability.
Security is a top priority for any company, and AWS has a range of services to protect your valuable data and applications.
Let's start by understanding a very common security threat called denial-of-service attacks, then explore other security services in AWS.
Denial-of-service attacks
Denial-of-service (DoS) attacks are a big threat to companies. These attacks aim to overwhelm applications to the point where they can't function properly anymore.
For example, an attacker might flood a website or application with excessive network traffic until the targeted website or application becomes overloaded and is no longer able to respond. If the website or application becomes unavailable, this denies service to users who are trying to make legitimate requests.
What are DDoS attacks?
Now, suppose that this single attacker has enlisted the help of friends.
In a distributed denial-of-service (DDoS) attack, multiple sources are used to start an attack that aims to make a website or app unavailable.
This can come from a group of attackers, or even a single attacker using infected computers (also known as “bots”) to send heaps of traffic to a website or app.
How AWS fights against DDoS attacks
Security groups help mitigate network-level attacks, making sure only legitimate requests are allowed.
For more advanced attacks, services like AWS Shield with AWS WAF offer specialised defence tools. More on them in a second!
AWS Shield identifies and mitigates complex DDoS attacks.
AWS WAF uses a firewall to filter incoming traffic for malicious signatures. It uses machine learning to proactively guard against an evolving list of threats.
Elastic Load Balancers help defend against DDoS attacks by distributing the incoming traffic effectively across servers and rejecting unusually frequent requests. Since ELB operates at the regional level, an attack on a specific region doesn't affect the entire AWS network. Attackers would need to target multiple regions at the same time, making DDoS attacks really complex and costly!
AWS' security services
Here's an overview of some of the essential security features and services provided by AWS:
AWS Key Management Service (AWS KMS)
AWS KMS allows you to secure your data, both at rest and in transit, using cryptographic keys.
A cryptographic key is a random string of digits used for locking (encrypting) and unlocking (decrypting) data. Cryptographic keys are a fundamental part of encryption processes, and they are what make the encryption and decryption of data possible.
You can use AWS KMS to create, manage, and use cryptographic keys.
You can have control over how keys are used in various services and applications. For example, when you want to encrypt your data in Amazon DynamoDB to keep it safe while it's not in use, you can use KMS to manage the cryptographic keys.
You can choose the specific levels of access control that you need for your keys. For example, you can specify which IAM users and roles are able to manage keys.
You can temporarily disable keys so that they are no longer in use by anyone.
Your keys never leave AWS KMS, and you are always in control of them.
AWS Shield
AWS Shield is a service that protects applications against DDoS attacks.
AWS Shield can protect websites not hosted in AWS too.
AWS Shield provides two levels of protection: Standard and Advanced.
AWS Shield Standard automatically protects all AWS customers at no cost. It protects your AWS resources from the most common types of DDoS attacks. As network traffic comes into your applications, Shield Standard uses different analysis techniques to detect any bad traffic in real time and automatically stops it.
AWS Shield Advanced is a paid service that provides detailed attack analysis and protection against larger DDoS attacks. AWS Shield Advanced provides enhanced protection for applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources.
AWS Web Application Firewall (AWS WAF)
AWS WAF watches over the requests coming into your web apps.
It works with Amazon CloudFront and Application Load Balancer to protect your AWS resources.
Suppose your application has been receiving malicious network requests from several IP addresses. You want to prevent these requests from continuing to access your application, so you configure the web access control list (ACL) to allow all requests except those from the specific IP addresses.
When a request comes into AWS WAF, it checks against the list of rules that you have configured in the web ACL.
If a request does not come from one of the blocked IP addresses, it allows access to the application.
However, if a request comes from one of the blocked IP addresses in the web ACL, AWS WAF denies access.
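As an added illustration (not from the original notes), here is a small Python model of the web ACL just described: the ACL definition follows the shape of a WAF (wafv2) CreateWebACL request, and evaluate() reproduces WAF's rule semantics offline so the allow/block outcome can be checked; the IP set ARN and the blocked addresses are constructed placeholders.

```python
import ipaddress

# Constructed example: the IP set ARN is a placeholder, and the addresses are
# RFC 5737 documentation ranges standing in for the offending sources.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked-ips/EXAMPLE-ID"
IP_SETS = {IP_SET_ARN: ["203.0.113.0/24", "198.51.100.7/32"]}

# Web ACL in the shape of a wafv2 CreateWebACL request: default action Allow,
# one rule that blocks anything matching the IP set. (VisibilityConfig, which
# the real API requires on the ACL and on each rule, is omitted here.)
WEB_ACL = {
    "Name": "block-known-bad-ips",
    "Scope": "REGIONAL",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {
            "Name": "BlockListedIPs",
            "Priority": 0,
            "Action": {"Block": {}},
            "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}},
        }
    ],
}

def ip_in_set(client_ip, cidrs):
    """True if client_ip falls inside any CIDR of the IP set."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(web_acl, ip_sets, client_ip):
    """Return 'ALLOW' or 'BLOCK' as AWS WAF would for a request from client_ip.

    Rules run in ascending Priority; the first terminating action (Allow or
    Block) wins, Count is non-terminating, and the default action applies when
    no rule matches.
    """
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        stmt = rule["Statement"].get("IPSetReferenceStatement")
        if stmt is None or not ip_in_set(client_ip, ip_sets[stmt["ARN"]]):
            continue
        action = next(iter(rule["Action"])).upper()
        if action in ("ALLOW", "BLOCK"):
            return action
    return next(iter(web_acl["DefaultAction"])).upper()

if __name__ == "__main__":
    for ip in ("203.0.113.42", "198.51.100.7", "198.51.100.8", "192.0.2.1"):
        print(ip, evaluate(WEB_ACL, IP_SETS, ip))
```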
Amazon Inspector
Amazon Inspector gives you security advice for your applications.
It runs automated security assessments, helping you improve the security and compliance of your applications.
It checks for vulnerabilities, deviations from best practices, and potential security issues.
After Inspector performs an assessment, it provides you with a list of security findings. The list is prioritised by severity level and includes a detailed description of each security issue and a recommendation for how to fix it.
You can use an API to access the security findings. This means instead of manually reading Inspector's findings and making fixes, you can create scripts or apps that automatically address the identified security issues.
AWS does not guarantee that the recommendations resolve every potential security issue. Customers are still responsible for the security of their applications, processes, and tools that run on AWS services.
Amazon GuardDuty
GuardDuty is a watchful guard for your resources.
It offers intelligent threat detection for your AWS infrastructure and resources.
It runs independently from your other AWS services, so it won't affect the performance or availability of your existing infrastructure and workloads.
After you have enabled GuardDuty for your AWS account, GuardDuty begins monitoring your network and account activity.
You do not have to deploy or manage any additional security software.
GuardDuty then continuously analyses data from multiple AWS sources, including VPC Flow Logs (network traffic data) and DNS logs (records of requests made by devices/apps to translate domain names into IP addresses).
If GuardDuty detects any threats (for example, a malicious IP address), you can use the AWS Management Console to review detailed findings about the threats and steps to fix them.
You can also make an AWS Lambda function to take GuardDuty's recommended steps automatically.
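An added example, not part of the original notes: the decision logic of a Lambda function that an EventBridge rule could invoke on each GuardDuty finding, run against a constructed sample event whose finding id, instance id and remote address are placeholders. It records every finding and, for High/Critical findings on an EC2 instance, schedules isolation and a block of the remote address.

```python
# Constructed sample, shaped like the EventBridge event GuardDuty emits for a
# finding (source "aws.guardduty", detail-type "GuardDuty Finding"). The IDs
# and the remote address (an RFC 5737 documentation range) are placeholders.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {"networkConnectionAction": {
            "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}},
    },
}

def severity_label(score):
    """Map GuardDuty's numeric severity to its documented bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"

def triage(event):
    """Turn a GuardDuty finding event into an ordered list of response actions:
    every finding is recorded; High/Critical findings on an EC2 instance also
    isolate the instance and block the remote address."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    label = severity_label(d["severity"])
    actions = [("record_finding", d["id"])]
    instance = d.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    remote_ip = (d.get("service", {}).get("action", {}).get("networkConnectionAction", {})
                 .get("remoteIpDetails", {}).get("ipAddressV4"))
    if label in ("HIGH", "CRITICAL"):
        if instance:
            actions.append(("isolate_instance", instance))
        if remote_ip:
            actions.append(("block_remote_ip", remote_ip))
    return {"type": d["type"], "severity": label, "actions": actions}

def lambda_handler(event, context):
    """Lambda entry point. The boto3 calls that would carry out each action
    (security group swap, network ACL deny, ticket) are deliberately absent
    so the decision logic can run and be tested offline."""
    return triage(event)
```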
Note: Is GuardDuty similar to Amazon Inspector? GuardDuty is focused on threat detection, while Inspector is focused on security assessments.
Other security services
We've just gone through the key services, but there are a bunch that also fall under the security ecosystem of AWS services. Let's have a quick look!
AWS Security Blog: A blog that shares updates on the latest AWS security developments.
AWS Knowledge Center: A resource hub for accessing expert guidance and best practices on various AWS topics, shown through tutorials, videos and documentation. Security is one of the many topics in the Knowledge Center.
AWS Security Center: An online portal dedicated to AWS security best practices, documentation, tools, and resources.
AWS Security Hub: A comprehensive security service that provides a centralised view of security alerts and compliance status across multiple AWS accounts.
AWS Secrets Manager: Manages sensitive information such as API keys, passwords, and database credentials securely, so you won't need to hardcode such secrets in applications.
Amazon Macie: A security service that uses machine learning to automatically discover, classify, and protect sensitive data, such as personally identifiable information (PII). More on Macie when we talk about AWS' artificial intelligence and machine learning services!
Amazon Cognito: A service for identity and access management that lets users securely sign in and access AWS resources. Amazon Cognito Identity Pool provides temporary AWS credentials for users that have been authenticated through their social media logins. Amazon Cognito User Pool is a user directory in Amazon Cognito.
AWS Detective: An investigative service that makes it easy to analyse, investigate, and identify security issues across AWS resources.
AWS Marketplace: An online store that lets users find, buy, and deploy software that runs on AWS, including security products from third-party vendors. Users may opt for third-party security products to address specific security needs that go beyond what is provided by native AWS security services. Popular third-party security products on AWS Marketplace include firewall solutions, antivirus software, threat intelligence, and compliance tools.
AWS Trusted Advisor: A service that provides real-time guidance to help users optimise their AWS infrastructure. Security best practices are one of the many areas that Trusted Advisor looks into.
AWS Solutions Architects: Professionals in AWS who work with customers to understand their requirements and design solutions. Security is one of the many domains of expertise that a Solutions Architect can bring.