9 AWS security tools you should know about

For the final blog post in our series on native cloud security tools, here are nine tools for AWS that should form a key component of your cloud security program.

Roy Horev | August 24, 2021

AWS is one of the most popular cloud service providers among enterprises and SMBs for hosting mission-critical workloads. Like Azure and GCP, AWS follows a shared responsibility model: as the cloud service provider, AWS owns and manages the security of the platform itself, while customers are responsible for security in the cloud, that is, for all application, infrastructure, and cloud security configurations, which can be achieved through a combination of native AWS security tools and third-party services. For the final blog post in our series on native cloud security, we'll explore some of the most popular AWS security tools and services for implementing the necessary security controls.

1. Web Application Firewall

Web applications exposed to the internet are easy targets for attackers. Evolving threat vectors often focus on exploiting known web layer security vulnerabilities as their entry point. AWS Web Application Firewall (WAF) provides specialized protection from such attacks for your web applications.

WAF is designed to identify and mitigate common web layer attacks such as SQL injection and cross-site scripting (XSS). The service has built-in rules designed to address the OWASP Top 10 security risks and allows customers to configure additional rules. Besides the OWASP risks, it also provides rules for protection from threats specific to content management systems (CMS) and from known Common Vulnerabilities and Exposures (CVEs). The WAF service can be integrated with all AWS services that receive incoming HTTP traffic, such as Amazon CloudFront, Elastic Load Balancing (ELB), and Amazon API Gateway.

2. Amazon GuardDuty

Amazon GuardDuty is AWS's threat detection service for analyzing network activity, data access patterns, and API calls in order to detect anomalies and possible intrusions. It is capable of analyzing events from multiple sources, such as Amazon VPC Flow Logs, DNS logs, and AWS CloudTrail event logs. Using AI-powered threat detection, Amazon GuardDuty can detect malicious activities such as cryptocurrency mining, credential theft, unauthorized data access, API calls from known-malicious IPs, and more.

Amazon GuardDuty receives up-to-date threat intelligence from AWS and other feeds such as Crowdstrike and Proofpoint to keep your workloads protected from the latest threats. The service focuses on generating actionable insights for remediation. It can also be integrated with AWS Lambda and CloudWatch Events for automated remediation of security findings.

3. Amazon Inspector

With cloud sprawl on the rise, keeping track of adherence to security best practices throughout the resource lifecycle has become a major challenge for organizations. Third on our list of AWS security tools is one designed to tackle precisely this problem. Amazon Inspector helps contain cloud sprawl by providing automated best-practice and security vulnerability assessments for applications hosted in AWS.

The service’s built-in rules packages are aligned with AWS best practices and compliance standards and are always kept up to date. This makes for easy detection of common configuration errors such as exposed EC2 instances, remote root login access, or unsecured ports that could potentially be exploited by threat actors. Integrating Amazon Inspector with a comprehensive risk management solution for proper prioritization and remediation of vulnerabilities will give you the best threat protection.

4. AWS IAM Access Analyzer

The AWS IAM Access Analyzer tool helps identify AWS resources or IAM roles shared with external entities, such as another AWS account, an AWS service, a federated identity, or anonymous users. It generates findings that include the type of access granted and the external principal it is granted to. Security administrators can then review this information to determine whether the access is authorized and safe.

IAM Access Analyzer periodically analyzes all resource policies and tracks any additions or updates. It supports analysis of the following AWS resource types:

  • Amazon S3 buckets
  • KMS keys
  • Lambda functions
  • Amazon Simple Queue Service queues
  • Secrets Manager secrets
  • IAM roles
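To make the kind of question Access Analyzer answers concrete, here is a small added example (not AWS code, and much simpler than the service itself) that walks an S3 bucket policy and reports every Allow statement whose principal lies outside a "zone of trust". The account id `111111111111`, the partner account `222222222222` and the bucket policy are all constructed for the example; `222222222222` is treated as external and a bare `*` principal without a narrowing Condition is reported as public.

```python
import json
from dataclasses import dataclass

# Constructed zone of trust: the account that owns the resources (not a real account id).
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed sample S3 bucket policy: one same-account grant, one cross-account grant,
# one anonymous (public) read grant and one Deny that never counts as shared access.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:user/partner"]},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/shared/*"},
        {"Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


@dataclass(frozen=True)
class Finding:
    resource: str
    principal: str
    actions: tuple
    is_public: bool


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _principals(stmt):
    """Yield every principal string named in a statement's Principal element."""
    principal = stmt.get("Principal")
    if principal == "*":
        yield "*"
    elif isinstance(principal, dict):
        for key in ("AWS", "Federated", "Service", "CanonicalUser"):
            for value in _as_list(principal.get(key)):
                yield value


def _account_of(principal):
    """Return the 12-digit account id an AWS principal belongs to, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4] or None
    return None  # wildcard, service principals, canonical users: no account


def analyze_policy(resource_arn, policy_json, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return a Finding for each Allow grant to a principal outside trusted_accounts."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        actions = tuple(_as_list(stmt.get("Action")))
        for principal in _principals(stmt):
            if _account_of(principal) in trusted_accounts:
                continue  # same zone of trust, not a finding
            # A wildcard principal with no narrowing Condition is anonymous/public;
            # with a Condition it is still external but not anonymous.
            is_public = principal == "*" and not stmt.get("Condition")
            findings.append(Finding(resource_arn, principal, actions, is_public))
    return findings


if __name__ == "__main__":
    for f in analyze_policy("arn:aws:s3:::example-bucket", SAMPLE_BUCKET_POLICY):
        print(("PUBLIC  " if f.is_public else "EXTERNAL") + f" {f.principal} -> {f.actions}")
```

Run against the sample policy, the same-account statement and the Deny are skipped, the partner account shows up as an external finding, and the `*` read grant on the `public/` prefix shows up as a public finding. The real service additionally reasons about Conditions, KMS grants, role trust policies and the other resource types listed above, which is why its findings, rather than an ad hoc script, should drive the review.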

5. AWS CloudTrail

With identity emerging as the new security perimeter in the cloud, having control plane visibility is crucial for organizations so that impersonators and compromised user accounts can be tracked. This can be achieved through continuous monitoring of user account activity.

The AWS CloudTrail service helps with compliance management, governance, and operational and risk auditing of your AWS accounts. The service enables continuous monitoring of user account-related activities, including console access and API calls. CloudTrail can be integrated with Amazon CloudWatch Logs to query the data and identify any anomalies or unexpected access patterns that could indicate an intrusion. The comprehensive event history captured by CloudTrail helps with security troubleshooting and root cause analysis as well as with operational issues.
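The "unexpected access patterns" mentioned above are easiest to see with a few concrete rules. The following added example (not AWS or Vulcan code) runs four such rules over constructed CloudTrail records: root account usage, failed console logins, API calls from outside an assumed corporate egress range, and sensitive IAM changes. The records follow the CloudTrail record layout but are trimmed to the fields the rules read; the account id, user names, the `198.51.100.0/24` allowlist and the `203.0.113.x` source addresses are all made up (both are documentation ranges). The same logic applies whether the events come from an S3 trail or from a CloudWatch Logs subscription.

```python
import ipaddress
import json
from collections import Counter, defaultdict


def _failed_login(event_id, ip, user):
    """Build a constructed ConsoleLogin failure record for the sample trail."""
    return {"eventID": event_id, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": "Failure"},
            "errorMessage": "Failed authentication"}


# Constructed sample CloudTrail trail file (account id, users and IPs are made up).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    _failed_login("e2", "203.0.113.99", "alice"),
    _failed_login("e3", "203.0.113.99", "alice"),
    _failed_login("e4", "203.0.113.99", "alice"),
    {"eventID": "e5", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob"}},
    {"eventID": "e6", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# Assumed corporate egress range: calls from anywhere else are worth a look.
ALLOWED_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]

# IAM API calls that change who can authenticate or what they may do.
SENSITIVE_IAM_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                        "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}


def load_events(raw_trail_file):
    return json.loads(raw_trail_file)["Records"]


def rule_root_usage(ev):
    """Root should be reserved for break-glass tasks, so any use is notable."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def rule_console_login_failure(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def rule_unexpected_source_ip(ev, allowed=ALLOWED_CIDRS):
    try:
        ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
    except ValueError:
        return False  # calls made by AWS services carry a DNS name here; skip them
    return not any(ip in net for net in allowed)


def rule_sensitive_iam_change(ev):
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in SENSITIVE_IAM_EVENTS)


RULES = {
    "root-account-usage": rule_root_usage,
    "console-login-failure": rule_console_login_failure,
    "unexpected-source-ip": rule_unexpected_source_ip,
    "sensitive-iam-change": rule_sensitive_iam_change,
}


def detect(records):
    """Return {rule name: [eventIDs that matched]} over the given records."""
    hits = defaultdict(list)
    for ev in records:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["eventID"])
    return dict(hits)


def failed_logins_by_ip(records, threshold=3):
    """Source IPs with at least `threshold` failed console logins (password guessing)."""
    counts = Counter(ev["sourceIPAddress"] for ev in records if rule_console_login_failure(ev))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = load_events(SAMPLE_CLOUDTRAIL)
    for rule, ids in detect(events).items():
        print(f"{rule}: {ids}")
    print("repeated login failures:", failed_logins_by_ip(events))
```

The point of `failed_logins_by_ip` is that a single failed login is noise while three from one address in a short window is a pattern; in CloudWatch Logs the same grouping is a `stats count() by sourceIPAddress` query over the delivered events. Note that the root login `e1` matches two rules at once, which is the sort of overlap Security Hub (section 9) exists to deduplicate.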

6. AWS Shield

Distributed denial-of-service (DDoS) is a common cloud attack in which attackers send large volumes of bogus traffic to an application with the intent of overwhelming it, thereby leading to downtime. AWS Shield is the platform’s built-in DDoS protection service.

AWS Shield Standard DDoS protection is available at the platform level and protects all AWS services. Customers can also enable AWS Shield Advanced DDoS protection, which employs advanced resource-specific detection and mitigation techniques to protect against large-scale organized DDoS attacks. The service provides protection against attacks targeting EC2 instances, Amazon CloudFront, Elastic Load Balancing load balancers, Amazon Route 53, and AWS Global Accelerator. AWS Shield Advanced customers also get support for manual mitigation of edge-case attacks from the AWS Shield Response Team (SRT).

7. Amazon Macie

Amazon Macie is the AWS service for managing the security and privacy of sensitive data stored in Amazon S3 buckets. The discovery and protection of sensitive data is enabled by machine learning and pattern-matching techniques. The service is very useful for organizations bound by stringent security regulations such as HIPAA and GDPR.

Amazon Macie automatically discovers sensitive data such as personally identifiable information (PII). Customers also have the flexibility to define custom data types aligned with their business needs. The service also offers insights into data security posture through constant monitoring and evaluation of S3 buckets. Any security loopholes, such as publicly exposed or unencrypted buckets, are flagged by the service across multiple AWS accounts.
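A custom data type of the kind described above is essentially a pattern plus context that keeps the pattern from firing on random digits. The following added example (not Macie's code) shows that combination: each identifier has a regex, a set of keywords that must appear within a fixed distance before the match, and an optional validator (a Luhn checksum for payment cards). The object contents are constructed; `4111111111111111` is a well-known test card number and the SSN is fabricated.

```python
import re
from dataclasses import dataclass

# Constructed sample S3 object contents keyed by object key (no real data).
SAMPLE_OBJECTS = {
    "exports/customers.csv": "name,ssn,card\nJane Roe,123-45-6789,4111111111111111\n",
    "logs/app.log": "2021-08-24 trace 123-45-6789 latency 40ms\n",   # SSN-shaped, no context
    "finance/notes.txt": "card 1234567890123456 on file\n",             # fails Luhn
    "docs/readme.txt": "No sensitive data here.\n",
}


def luhn_ok(digits):
    """Luhn checksum: filters arbitrary digit runs out of payment-card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class DataIdentifier:
    name: str
    pattern: re.Pattern
    keywords: tuple            # at least one must occur within max_distance chars before a match
    max_distance: int = 50
    validate: callable = None  # optional extra check on the matched text

    def matches(self, text):
        hits = []
        for m in self.pattern.finditer(text):
            window = text[max(0, m.start() - self.max_distance):m.start()].lower()
            if not any(k in window for k in self.keywords):
                continue  # pattern without supporting context: likely a false positive
            if self.validate and not self.validate(m.group()):
                continue
            hits.append(m.group())
        return hits


IDENTIFIERS = [
    DataIdentifier("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ("ssn", "social security")),
    DataIdentifier("payment-card", re.compile(r"\b\d{13,16}\b"), ("card", "visa", "pan"), 50, luhn_ok),
]


def scan_objects(objects, identifiers=IDENTIFIERS):
    """Return {object_key: {identifier_name: match_count}} for objects with findings."""
    findings = {}
    for key, text in objects.items():
        counts = {ident.name: len(ident.matches(text)) for ident in identifiers}
        counts = {name: n for name, n in counts.items() if n}
        if counts:
            findings[key] = counts
    return findings


if __name__ == "__main__":
    for key, counts in scan_objects(SAMPLE_OBJECTS).items():
        print(key, counts)
```

Only `exports/customers.csv` is reported: the log line contains an SSN-shaped token with no supporting keyword, and the notes file names a "card" whose number fails the checksum. Tuning the keyword list and distance is the usual lever for trading recall against false positives.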

8. AWS Config

The AWS Config service assesses, audits, and evaluates your AWS resource configuration against a defined baseline. It tracks configuration changes and provides a detailed resource configuration history that can be used during security audits or for operational troubleshooting, change management, and more.

AWS Config also lets you bundle rule sets into conformance packs for single-click deployment across accounts. Any deviation from these rules automatically triggers notifications and generates Amazon CloudWatch Events so that appropriate action can be taken. AWS Config then summarizes the findings in a dashboard for full visibility so customers can quickly identify non-compliant resources.
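What "evaluating configuration against a baseline" looks like in practice is a set of per-resource-type checks that each return COMPLIANT or NON_COMPLIANT, which are the two evaluation values Config rules produce. The following added example (not AWS Config's rule engine) evaluates a constructed inventory of S3 buckets and security groups against three such checks. The rule names follow AWS managed rules with the same purpose, but the logic here is simplified and the configuration item layout is invented for the example rather than Config's actual schema.

```python
# Constructed configuration items. The field layout is simplified; real AWS Config
# configuration items use the service's own attribute names and nesting.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "logs-bucket",
     "configuration": {
         "serverSideEncryption": "aws:kms",
         "publicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "assets-bucket",
     "configuration": {
         "serverSideEncryption": None,
         "publicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0e4f5a6b",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]}},
]

COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"
PUBLIC_ACCESS_BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                                "BlockPublicPolicy", "RestrictPublicBuckets")
ANYWHERE = {"0.0.0.0/0", "::/0"}


def s3_encryption_enabled(cfg):
    """Bucket must have default server-side encryption configured."""
    return COMPLIANT if cfg.get("serverSideEncryption") else NON_COMPLIANT


def s3_public_access_blocked(cfg):
    """All four Block Public Access settings must be on at the bucket level."""
    pab = cfg.get("publicAccessBlock", {})
    return COMPLIANT if all(pab.get(k) for k in PUBLIC_ACCESS_BLOCK_SETTINGS) else NON_COMPLIANT


def _opens_port(perm, port):
    """True if an inbound permission covers `port` (protocol -1 means all traffic)."""
    proto_ok = perm.get("ipProtocol") in ("tcp", "-1")
    lo = perm.get("fromPort") if perm.get("fromPort") is not None else 0
    hi = perm.get("toPort") if perm.get("toPort") is not None else 65535
    return proto_ok and lo <= port <= hi


def restricted_ssh(cfg):
    """No inbound rule may allow TCP/22 from the whole internet."""
    for perm in cfg.get("ipPermissions", []):
        if _opens_port(perm, 22) and ANYWHERE & set(perm.get("ipRanges", [])):
            return NON_COMPLIANT
    return COMPLIANT


# Rule name -> (resource type it applies to, check). Names echo AWS managed rules
# of the same purpose; the checks are simplified stand-ins, not the managed rules.
RULES = {
    "s3-bucket-server-side-encryption-enabled": ("AWS::S3::Bucket", s3_encryption_enabled),
    "s3-bucket-level-public-access-prohibited": ("AWS::S3::Bucket", s3_public_access_blocked),
    "restricted-ssh": ("AWS::EC2::SecurityGroup", restricted_ssh),
}


def evaluate(items):
    """One evaluation per (applicable rule, resource), in the style of Config's results."""
    results = []
    for item in items:
        for rule, (rtype, check) in RULES.items():
            if item["resourceType"] == rtype:
                results.append({"rule": rule, "resourceId": item["resourceId"],
                                "compliance": check(item["configuration"])})
    return results


def non_compliant(items):
    """The (rule, resourceId) pairs a dashboard would surface for remediation."""
    return {(r["rule"], r["resourceId"]) for r in evaluate(items)
            if r["compliance"] == NON_COMPLIANT}


if __name__ == "__main__":
    for rule, rid in sorted(non_compliant(SAMPLE_ITEMS)):
        print(f"NON_COMPLIANT {rid}: {rule}")
```

On the sample inventory the unencrypted, partially public `assets-bucket` fails both S3 checks and `sg-0a1b2c3d` fails `restricted-ssh`, while the second security group passes because its port 22 rule is limited to a private range. Wiring the non-compliant set to a notification or an automated fix is the "appropriate action" step the text refers to.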

9. AWS Security Hub

AWS Security Hub is the native cloud security posture management service, providing a bird's-eye view of workload security in AWS. It aggregates the security findings, alerts, and notifications from multiple AWS services, including Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Firewall Manager, and more. AWS Security Hub continuously monitors your AWS workloads against your organization's defined security best practices and industry standards, flagging any deviations for investigation.

AWS Security Hub ingests findings from different sources and normalizes them into a common format, eliminating that overhead for customers. It also provides a security score for each supported security standard, based on the number of security controls that are successfully implemented. This helps quantify the overall security status of your workloads in AWS.

But security status reports are only the first step of cloud risk management. Specialized cyber risk-based remediation solutions for security posture management can provide an additional layer of security, especially if the workloads are deployed across heterogeneous multi-cloud environments.

Augmenting your AWS security tools with third-party integrations

As one of the leading cloud service platforms, AWS is a hot target for attackers. Moreover, today’s sophisticated cloud attack patterns demand advanced detection and mitigation capabilities. This is where traditional risk management solutions often fall short, as they may not offer these capabilities out of the box.

Securing your mission-critical applications hosted in AWS requires a more modern approach—a comprehensive risk-based cyber security solution that goes beyond threat detection alone by also prioritizing risks and automating the entire remediation process. 

The Vulcan Cyber® platform covers the entire risk lifecycle—from scan to fix—offering an extra layer of protection to the native AWS security tools.

Using automated processes, the Vulcan AWS connector inventories your AWS resources and mitigates identified vulnerabilities. Cross-account access allows you to protect resources across multiple AWS accounts. It supports Amazon EC2, Amazon Inspector, Amazon ECR, and Amazon ECS.

To enable the AWS connector, create an IAM policy that specifies the required actions for the resources to be covered and attach it to a user. The access key ID and secret access key created for that user are then used by the connector to receive data from AWS and report on the associated vulnerabilities.

Vulcan Cyber provides end-to-end visibility into your organization's cloud asset security posture no matter where the assets are deployed. Its organization-centric prioritization capabilities correlate data from various sources to deliver threat intelligence. The platform offers out-of-the-box integrations for operations, configuration management, and auto-remediation through popular tools such as Jira, Chef, and Ansible. It also helps you analyze and fine-tune the risk remediation process by providing comprehensive reports.
