Cheatsheet: AWS Security Services
Published Jan 20, 2023
GuardDuty, Macie, Inspector, oh my!
AWS has many services for securing AWS resources and for making other security services easier to use. I got a little confused while reading about them, so I put them into a table, as one does. Below are other interesting things about each service that did not fit into the table.
AWS Config
- Not every resource type is recorded; the AWS Config docs maintain the list of supported resource types
- A Conformance Pack is a collection of Config rules and remediation actions that is deployed as a single unit
- Setup is region-specific, but an aggregator gives a multi-region view of compliance data
- Multi-account is supported via an aggregator together with AWS Organizations
Amazon GuardDuty
- VPC flow logs record IP traffic to and from network interfaces in the VPC
- CloudTrail event logs record API calls made in the account (management events, plus S3 data events when S3 protection is on)
- DNS query logs record queries from EC2 instances that use the Amazon (Route 53 Resolver) DNS server; instances pointed at a third-party resolver are not covered
- GuardDuty reads these sources directly; you do not have to enable flow logs or a CloudTrail trail yourself
- Custom trusted IP lists and threat IP lists can be configured
- Findings are kept for 90d by default
- Multi-account is supported via administrator/member accounts and AWS Organizations
Amazon Macie
- Macie can inspect objects that are unencrypted or encrypted with SSE-S3 or SSE-KMS (Macie must be allowed to use the KMS key); it cannot inspect objects encrypted client-side or with customer-provided keys (SSE-C)
- Custom data identifiers combine a regex with optional keywords, a maximum match distance and ignore words for finding sensitive data
- Sensitive-data findings are generated when a classification job runs (or by automated sensitive data discovery); policy findings about bucket security are generated continuously
- Findings are kept for 90d by default
- Macie Classic is the deprecated predecessor of the current Macie
- Multi-account is supported via administrator/member accounts and AWS Organizations
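As an added example (not part of the original post and not Macie's own code), here is a local approximation of how a custom data identifier matches: a regular expression, optional keywords that must end within the maximum match distance of the end of the regex match, and ignore words that suppress a match. The `CustomIdentifier` class, the identifier and the sample text are constructed for illustration; Macie's real engine may differ in details such as case handling, so use this only to sanity-check a regex before creating the identifier in the console.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CustomIdentifier:
    """Constructed stand-in for a Macie custom data identifier (assumed model)."""
    name: str
    regex: str
    keywords: list = field(default_factory=list)      # case-insensitive, optional
    max_match_distance: int = 50                      # Macie's default is 50 characters
    ignore_words: list = field(default_factory=list)  # applied to the matched text

    def _keyword_ends(self, text):
        """End offsets of every keyword occurrence in text."""
        lowered = text.lower()
        ends = []
        for kw in self.keywords:
            needle = kw.lower()
            pos = lowered.find(needle)
            while pos != -1:
                ends.append(pos + len(needle))
                pos = lowered.find(needle, pos + 1)
        return ends

    def find(self, text):
        """Return (offset, matched_text) for each regex match that passes the
        ignore-word check and, if keywords are set, the proximity check."""
        keyword_ends = self._keyword_ends(text)
        hits = []
        for m in re.finditer(self.regex, text):
            matched = m.group(0)
            if any(w in matched for w in self.ignore_words):
                continue
            if self.keywords and not any(
                0 <= m.end() - end <= self.max_match_distance for end in keyword_ends
            ):
                continue
            hits.append((m.start(), matched))
        return hits


# Constructed identifier: a fictitious 4-4-4 digit account number format.
INTERNAL_ACCOUNT = CustomIdentifier(
    name="internal-account-number",
    regex=r"\b\d{4}-\d{4}-\d{4}\b",
    keywords=["account number", "acct no"],
    max_match_distance=30,
    ignore_words=["0000-0000-0000"],  # known placeholder value
)

# Constructed sample object content.
SAMPLE_TEXT = (
    "Employee record\n"
    "Name: Jane Doe\n"
    "Badge ID: EMP-48213\n"
    "Internal account number: 4832-1190-2277\n"
    "Test account number (placeholder): 0000-0000-0000\n"
    "Unrelated ticket 1234-5678-9999 appears far from any keyword.\n"
)


def matches_with_keywords():
    """Matches when keyword proximity is enforced: only the real account number."""
    return [m for _, m in INTERNAL_ACCOUNT.find(SAMPLE_TEXT)]


def matches_regex_only():
    """Same regex without keywords: the unrelated ticket number becomes a false positive."""
    bare = CustomIdentifier(name="regex-only", regex=INTERNAL_ACCOUNT.regex,
                            ignore_words=INTERNAL_ACCOUNT.ignore_words)
    return [m for _, m in bare.find(SAMPLE_TEXT)]


if __name__ == "__main__":
    print("with keywords:", matches_with_keywords())
    print("regex only:  ", matches_regex_only())
```

The point of the comparison is that a bare regex for a generic number format will match far more than the data you care about; keywords and a tight match distance are what keep a classification job's findings useful.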
AWS Security Hub
- The service itself is in scope for AWS compliance programs (SOC, ISO, PCI DSS, HIPAA); this is separate from the security standards it checks your account against (CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices, NIST 800-53)
- For security standards to work, AWS Config must be enabled, because the standards' controls are backed by Config rules
- Multi-account is supported via administrator/member accounts and AWS Organizations
AWS Trusted Advisor
- Multi-account is supported via AWS Organizations (organizational view, like the full set of checks, requires a Business or Enterprise Support plan)
Amazon Inspector
- Scans EC2 instances, ECR container images and Lambda functions against a continuously updated vulnerability database (CVEs), and also flags unintended network reachability on EC2 instances
- Multi-account is supported via AWS Organizations
Stray thoughts and observations
- Most of these services publish their findings to Amazon EventBridge (formerly CloudWatch Events), so a rule can route findings to AWS Lambda or other targets and automate a response
- I’ve left out AWS IAM Access Analyzer from the table as it’s not a standalone service but part of AWS IAM. Security-wise, it finds resources shared with external principals and validates IAM policies against best practices
- I wonder why some services are prefixed with “AWS” and some with “Amazon”. Does the prefix actually matter?
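To make the findings-to-automation path concrete, here is an added example (not from the original post and not AWS code): an EventBridge rule pattern that selects High-severity GuardDuty findings, and a Lambda-style handler that turns one finding into a triage decision. The finding, instance ID and action names are constructed placeholders, and the handler returns its decision instead of calling EC2 or IAM, so it runs offline; `rule_matches` is a hand-written check for this one pattern, not a general EventBridge matcher.

```python
import copy

# Event pattern for an EventBridge rule: route GuardDuty findings with
# severity 7 or above (High) to the Lambda target. Numeric matching on a
# field is a feature of EventBridge event patterns.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed sample event in the shape EventBridge delivers a finding
# (IDs are made up; the finding type is a real GuardDuty type).
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "id": "a1b2c3d4e5f6example",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {"archived": False, "additionalInfo": {"sample": False}},
    },
}


def rule_matches(event):
    """Check an event against RULE_PATTERN only (not a general matcher)."""
    return (
        event.get("source") in RULE_PATTERN["source"]
        and event.get("detail-type") in RULE_PATTERN["detail-type"]
        and event.get("detail", {}).get("severity", 0) >= 7
    )


def severity_label(severity):
    """GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9."""
    if severity >= 7:
        return "High"
    if severity >= 4:
        return "Medium"
    return "Low"


def affected_resource(resource):
    """Pull out the identifier a responder would act on."""
    rtype = resource.get("resourceType")
    if rtype == "Instance":
        return rtype, resource.get("instanceDetails", {}).get("instanceId")
    if rtype == "AccessKey":
        return rtype, resource.get("accessKeyDetails", {}).get("accessKeyId")
    if rtype == "S3Bucket":
        buckets = resource.get("s3BucketDetails", [])
        return rtype, (buckets[0].get("name") if buckets else None)
    return rtype, None


def triage(event):
    """Decide what to do with one finding; returns the decision instead of
    acting on it. Action names are placeholders for this example."""
    detail = event["detail"]
    service = detail.get("service", {})
    rtype, target = affected_resource(detail.get("resource", {}))
    label = severity_label(detail["severity"])

    # Sample findings ("Generate sample findings" in the console) and archived
    # findings must never trigger containment.
    if service.get("additionalInfo", {}).get("sample") or service.get("archived"):
        action = "skip"
    elif label == "High" and rtype == "Instance" and target:
        action = "isolate-instance"  # e.g. move it to a deny-all security group
    elif label == "High" and rtype == "AccessKey" and target:
        action = "deactivate-access-key"
    else:
        action = "notify"

    return {"finding_id": detail["id"], "type": detail["type"], "severity": label,
            "resource_type": rtype, "target": target, "action": action}


def handler(event, context=None):
    """Lambda entry point; a production handler would call EC2/IAM here."""
    return triage(event)


def variant(event, severity=None, sample=None):
    """Deep-copied event with the severity and/or sample flag changed."""
    ev = copy.deepcopy(event)
    if severity is not None:
        ev["detail"]["severity"] = severity
    if sample is not None:
        ev["detail"]["service"]["additionalInfo"]["sample"] = sample
    return ev


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Two things worth keeping even when you swap in real API calls: filter on severity in the rule pattern, so low-value findings never invoke the function, and check the sample and archived flags in the handler, so test findings generated from the console cannot isolate a production instance.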
References
- AWS Certified Security Specialty All-in-One Exam Guide
- AWS documentation for the services above