Essential AWS Security Services to Safeguard Your AWS Cloud Workloads

Natalia Marek - Nov 7 - - Dev Community

With how fast things are changing in the digital world, securing your cloud setup is more important than ever. In my upcoming blog posts, I'll be focusing on security, exploring the AWS services you need to effectively protect your cloud environment.

I'm aiming to give an overview of each service—talking about why we should consider using them in AWS Organizations, especially with multi-account architectures in mind. We'll delve into the latest features, implementation strategies, and best practices.

AWS Security Hub

AWS Security Hub is a cloud security posture management service that provides a comprehensive view of your security state within AWS. It aggregates security data from across your AWS accounts and services like Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as supported third-party products (e.g., Sumo Logic, Snyk). By consolidating this information into a single dashboard, Security Hub enables you to analyse security trends and prioritise high-priority issues effectively.

The service supports multiple security standards and best practices frameworks, including AWS Foundational Security Best Practices, CIS, PCI DSS, Resource Tagging Standard and NIST. It continuously runs automated security checks against these standards, generating findings to help you assess compliance and calculate security scores.

Features worth mentioning:

  • Automated Response and Remediation: Security Hub can automate responses to findings by integrating with AWS Systems Manager and AWS Lambda, allowing for quicker mitigation.
  • Custom Insights and Dashboards: You can create custom insights to focus on specific types of findings and tailor dashboards to meet your organisation's needs.
  • Integration with AWS Organizations: Security Hub can be set up across multiple AWS accounts using AWS Organizations, simplifying centralised security management.

Amazon Inspector

Amazon Inspector is an automated security assessment service that identifies vulnerabilities and unintended network exposure in EC2 instances, Lambda functions, and container images in Amazon Elastic Container Registry (Amazon ECR). It can also be integrated into your CI/CD pipelines.

Similar to Security Hub, it provides a central place to monitor vulnerabilities for all the services mentioned above.

Features worth mentioning:

  • Continuous Scanning: Amazon Inspector offers continuous scanning of your workloads, providing near real-time insights into vulnerabilities.
  • Integration with AWS Security Hub: Findings from Amazon Inspector can be automatically forwarded to AWS Security Hub for centralised management.
  • Enhanced Scanning for Container Images: It supports enhanced scanning of container images, to identify vulnerabilities before deployment.
  • Support for AWS Lambda Layers: Inspector can assess vulnerabilities in Lambda layers

AWS Identity and Access Management (IAM) and IAM Identity Center (SSO)

AWS Identity and Access Management (IAM) is probably one of the most well-known AWS services, but we'll look at it from the perspective of securing organisational environments further anmd ensuring best practices are in place. IAM enables you to securely manage access to AWS resources by defining who can access what. IAM Identity Center (formerly AWS Single Sign-On) simplifies access management across multiple AWS accounts and applications, allowing centralised user and group permissions.

In our overview, we'll look at how to implement best practices for access management, utilising IAM Access Analyzer, Attribute-Based Access Control and how to use and implement permission boundaries.

Features worth mentioning:

  • IAM Access Analyzer: Helps identify resources in your organisation and accounts that are shared with an external entity.
  • Permission Boundaries: Allow you to set the maximum permissions that an IAM entity (user or role) can have, providing an extra layer of security.
  • Attribute-Based Access Control (ABAC): IAM now supports ABAC, which allows permissions based on tags attached to users and resources, simplifying permission management in large environments.

Amazon GuardDuty

Amazon GuardDuty is a near real-time threat detection service that monitors malicious activity and unauthorised behaviour by analysing AWS CloudTrail logs, DNS logs, and VPC Flow Logs as foundational data sources. It provides insights into potential threats affecting AWS resources. Similar to Security Hub, it allows us to aggregate findings from all accounts.

In addition to the foundational data source analysis mentioned above, GuardDuty now offers malware protection specifically for Amazon EKS, Amazon S3, EC2, RDS, and Lambda functions.

Features worth mentioning:

  • S3 Protection: GuardDuty can monitor and analyse data events from Amazon S3 to detect suspicious activities like unauthorised data access.
  • EKS Runtime Monitoring: It provides security monitoring for Amazon EKS clusters, detecting threats at the container and Kubernetes levels.
  • Integration with AWS Organisations: Enables centralised threat detection across multiple AWS accounts.

AWS Shield and AWS WAF (Web Application Firewall)

AWS Shield and AWS WAF (Web Application Firewall) work in tandem to protect web applications from a wide range of threats. AWS Shield provides managed protection against Distributed Denial of Service (DDoS) attacks, with Shield Standard offering basic DDoS protection at no additional cost and Shield Advanced delivering enhanced safeguards for applications running on EC2 instances, Elastic Load Balancers, Amazon Route 53, AWS Global Accelerator, and more.

In addition, AWS WAF protects your applications from common web exploits that can affect availability, compromise security, or consume excessive resources. It allows you to create custom rules to block common attack patterns such as SQL injection or cross-site scripting (XSS). Together, AWS Shield and AWS WAF can be deployed on services like Amazon CloudFront, Application Load Balancer, Amazon API Gateway, and AWS AppSync, providing a layered defence that secures your applications from both network-level DDoS attacks and application-level vulnerabilities.


We have highlighted some essential services that enhance security within your AWS Organization, it's important to remember that safeguarding your AWS accounts is an ongoing process. Exploring additional features like applying Service Control Policies, ensuring data encryption is in place, and utilising AWS Secrets Manager for managing secrets can further strengthen your security posture. We will also be looking into these. By making the most of AWS's security tools and best practices, you can build a strong and secure cloud environment that's just right for your organisation's needs.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .