SSM Parameter Store
- Part of Systems Manager
- Provides encryption of parameters
- Stores parameters in a hierarchy (e.g. /MyApp/db/connection, /MyApp/db/user)
- Has 3 data types:
  - String (un-encrypted)
  - SecureString (encrypted)
  - StringList (a comma-separated string)
- Has 2 tiers:
  - Standard
    - Free (but API calls have a cost)
    - Stores up to 10,000 parameters
    - Max size of a parameter is 4 KB
    - Has NO parameter policies
  - Advanced
    - Charges apply (API calls have a cost)
    - Stores up to 100,000 parameters
    - Max size of a parameter is 8 KB
    - Has parameter policies (i.e. can specify a TTL or expiration)
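As an added example (not part of these notes and not AWS SDK code), a dependency-free Python helper that builds a put_parameter request enforcing the tier rules above, attaches an Expiration policy only for the Advanced tier, and nests a get_parameters_by_path result back into the /MyApp/db/... hierarchy; the function names and the sample parameter values are assumptions.

```python
"""Pre-flight checks for SSM Parameter Store requests (constructed example).
Returns plain dicts shaped like boto3's ssm.put_parameter kwargs; boto3 itself
is not needed to run it."""
import json

SIZE_LIMIT = {"Standard": 4 * 1024, "Advanced": 8 * 1024}  # value size cap per tier


def build_put_parameter_request(name, value, param_type="SecureString",
                                tier="Standard", expires_at=None):
    """Return kwargs for put_parameter, rejecting what the tier cannot hold."""
    if param_type not in ("String", "StringList", "SecureString"):
        raise ValueError(f"unknown parameter type {param_type}")
    if len(value.encode()) > SIZE_LIMIT[tier]:
        raise ValueError(f"value exceeds {SIZE_LIMIT[tier]} bytes for {tier} tier")
    if param_type == "StringList" and any(not i.strip() for i in value.split(",")):
        raise ValueError("StringList is comma-separated and cannot contain empty items")
    req = {"Name": name, "Value": value, "Type": param_type, "Tier": tier,
           "Overwrite": True}
    if expires_at is not None:
        if tier != "Advanced":
            raise ValueError("parameter policies (e.g. Expiration) need the Advanced tier")
        # Policies is passed as a JSON-encoded list of policy objects
        req["Policies"] = json.dumps([{"Type": "Expiration", "Version": "1.0",
                                       "Attributes": {"Timestamp": expires_at}}])
    return req


def parameters_to_tree(parameters):
    """Nest a get_parameters_by_path(Recursive=True) result by path segment."""
    tree = {}
    for p in parameters:
        node = tree
        *parents, leaf = p["Name"].strip("/").split("/")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = p["Value"]
    return tree


# Constructed sample of what get_parameters_by_path(Path="/MyApp", Recursive=True,
# WithDecryption=True) would return for the hierarchy in the notes (values are made up).
SAMPLE_PARAMETERS = [
    {"Name": "/MyApp/db/connection", "Type": "String", "Value": "db.internal:5432"},
    {"Name": "/MyApp/db/user", "Type": "SecureString", "Value": "app_user"},
]

if __name__ == "__main__":
    print(build_put_parameter_request("/MyApp/db/user", "app_user"))
    print(parameters_to_tree(SAMPLE_PARAMETERS))
```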
Shield
- Managed DDoS protection service
- 2 types:
  - Standard
    - Enabled for all customers
    - Free of charge
    - Receives comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks when used with AWS Global Accelerator, Route53 and CloudFront
  - Advanced
    - With cost
    - Provides higher levels of protection against attacks on:
      - EC2
      - ELB
      - Route53
      - CloudFront
      - Global Accelerator
    - Can integrate with WAF
Macie
- Fully managed data security and data privacy service
- Uses machine learning to analyze S3 buckets for sensitive data such as personally identifiable information (PII)
- Can integrate with CloudWatch Events/EventBridge to notify on any findings
WAF
- Protects your web applications or APIs against common web exploits and bots
- Works on Layer 7 only
- Protects only the following AWS services:
  - CloudFront
  - ALB
  - API Gateway
- Uses a Web ACL (Web Access Control List) for fine-grained control over all of the HTTP(S) web requests. A Web ACL can inspect:
  - Country of origin
  - Source IP
  - HTTP body, query string, URI, method
  - XSS
  - SQL injection
  - Occurrence of events (rate-based rule) – some kind of DDoS protection
- Can integrate with Firewall Manager to centrally manage all firewall rules.
Inspector
- Automated vulnerability management service
- Only for EC2, ECR container images, and deployed Lambda functions. It scans EC2 OS and container workloads for software vulnerabilities and unintended network exposure.
- Can send assessment reports to SNS for notification
- 2 types of assessment:
  - Host Assessment
    - requires an agent to be installed on the EC2 instance
    - scans from inside (e.g. OS, running applications)
    - uses CVE and CIS
  - Network Assessment
    - agentless
    - probes from outside, i.e. network reachability, open ports
- Host Assessment
  - Findings sent to Security Hub or EventBridge (with a risk score)
  - Looks for:
    - Package vulns (database of CVEs)
    - Network reachability
GuardDuty
- A threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
- Uses machine learning.
- Analyzes logs:
  - DNS logs – e.g. compromised e
  - CloudTrail logs – e.g. unusual API calls
  - VPC Flow logs – e.g. unusual traffic
  - EKS audit logs – e.g. suspicious activities or EKS cluster compromise
- Malware Protection for:
  - EC2
  - S3
- Detects threats on:
  - RDS
  - Lambda
- Can integrate with CloudWatch Events/EventBridge to notify on any findings.
- Can detect cryptocurrency-related queries, i.e. an EC2 instance querying a domain name or IP address that is associated with cryptocurrency-related activity
- Disabling the service deletes all remaining data, including your findings and configurations, before relinquishing the service permissions and resetting the service
Detective
- Helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.
- Automatically collects log data from your AWS resources.
- Uses machine learning, statistical analysis, and graph theory to generate visualizations that help you conduct faster and more efficient security investigations.
Secrets Manager
- Protects secrets needed to access your applications, services, and IT resources
- Rotate, manage, and retrieve:
  - RDS credentials
  - DocumentDB credentials
  - Redshift credentials
  - General key/value pair parameters, e.g. API key, OAuth token
- Tight integration with Lambda and RDS