Native Cloud Tools for AWS

Commercial and open source tools were present on the market for decades. The choice and differences they present are not new and somehow well understood by enterprises. But Cloud Adoption not only disturbed and changed the way companies doing IT, it also disturbed and introduced new category of Tools, especially security tools — Native Cloud Tools.

Native Cloud Security Tool is a cloud service which is built and optimized for the cloud platform it supposed to defend. Sometimes Cloud Providers acknowledge the reality of multiclouds deployments and offer limited integration with other cloud platforms, but mostly it is not the case and each platform heavily depend on its own set of tools to allow its customer to make their cloud deployments secure. This category introduces new delemma: “Cloud Native tools vs 3rd party”.

In the reminder of this series we will analyze in depth Cloud Native tools for AWS and Azure and will try to provide unbiased comparison between them.

Native Cloud Tools Overview:

In General Cloud Security methodology can be divided into several categories:

i. Identity and Access Control

ii. Network Access Controls (L3/4/7)

iii. Data Security (at rest and in transit encryption, KMS, Certificate and Secret Management)

iv. Logging (Management Plane, Data Plane, network traffic)

v. Monitoring and Alerting

vi. Configuration and Compliance monitoring

Each Cloud provider has their own set of Tools (Services) in each Category

Identity and Access Control


AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

IAM gives you the following features:

· Secure Identity Management (Users, Groups, Roles) and secure credentials management

· Authorization: Permission Management (IAM Policies)

· Identity Federation


The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)

In simple words –STS is secure token vending machine which provides temporary security credentials to roles to access and perform authorized actions on the services and its instances.


Secure and scalable user directory, Social and enterprise identity federation, Standards-based authentication, Security for your apps and users, Access control for AWS resources, and simple integration with your app.

Directory Services

AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as AWS Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud

Network Access Controls L3/4:

Security Groups

Security Groups are sets of permissive (‘Allow’ only) inbound and outbound rules that are associated with instances. Whenever an instance is created within a VPC, it has to be associated with a Security Group.


A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations.

Network Access Controls L7


AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.

Data Security

Encryption at rest KMS/Cloud HSM

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud

Encryption in transit: AWS Certificate Manager;

AWS Certificate Manager (ACM) Private Certificate Authority (CA) is a managed private CA service that helps you easily and securely manage the life-cycle of your private certificates.

Secret Manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their life-cycle.


Management Plane: CloudTrail

With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. Primary use of Cloud Trail is to capture Management events which provide insight into management operations that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account.

Data Plane: CloudTrail

In addition, CloudTrail allows to capture some Data events: These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Data Plane: Access Logs;

CloudTrail logs provide you with detailed API tracking for Amazon S3 bucket-level and object-level operations. Server Access Logging is similar to http server logging in the kind of information logged. It answers the general question, “Who is making what type of access to which objects?”

Data Plane: X-Ray

AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture.

Network Logging: VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Monitoring and Alerting:


CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS (and optionally on-premises servers.)

DLP — Macie

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

Trusted Advisor

Trusted Advisor scans your AWS environment, compare it to AWS best practices available in 5 categories one of which is security

Access Advisor

AWS Identity and Access Management (IAM) access advisor uses data analysis to help you set permission by providing service last accessed information for your accounts. Trusted Advisor helps to control which services your developers and applications can access. By analyzing last accessed information, you can determine the services not used by IAM users and roles.

Guard Duty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.

Security Hub

AWS Security Hub is a service that gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

Configuration and Compliance

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

In the next series, we will discuss Cloud Native Tools within Azure.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rhett Greenhagen

Rhett Greenhagen

“I am always ready to learn although I do not always like being taught.” — Winston Churchill