Cybersecurity remains a hot topic nowadays. More data is being collected and more solutions are being digitalized. Technologies make our lives simpler and, at the same time, expose us to a wide range of attacks.
As any system gets more complex, protecting its data becomes harder as well. A data leak is a nightmare for any business.
That is why cloud providers invest heavily in data security and protection. Every year, Amazon introduces new services that help protect data and applications.
So what exactly does Amazon offer these days to make your system safer?
Secrets Manager
Let's start with a simple service: Secrets Manager. Whenever you need to persist access keys, passwords, or other credentials, think about this service. It is the dedicated service for this job; don't confuse it with Parameter Store.
It offers an encrypted place to store your data securely. Fine-grained access rights help protect the data from unauthorized access. But the main feature of this service is automatic rotation of the stored secrets, which helps your systems stay compliant.
When to use: to store any application secrets securely.
AWS Config
If you build a system with strict compliance rules, you want to ensure that none of them is breached. AWS Config is designed to run regular audits of your configurations.
Config records every configuration change you make and validates it against the rules. These can be AWS-managed rules, or you can create custom rules.
For example, a modification to a security group accidentally makes your EC2 instances reachable from the public internet. Config identifies this violation and notifies you about it.
When to use: to audit the system for compliance.
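One way to implement that security-group check as a custom Config rule, shown here as an added example that is not part of the original article (the Lambda event shape, the field names and the sample item are assumptions noted in the comments):

```python
# Added example (not from the original article): evaluation logic for a custom
# AWS Config rule that flags a security group opening sensitive ports to the
# whole internet, the EC2 exposure scenario described above. Assumed here, not
# from the page: Config invokes a Lambda whose event carries the changed
# 'configurationItem' as a JSON string in 'invokingEvent', and a deployment
# sends the returned evaluation via config.put_evaluations(ResultToken=...).
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22, 3389, 3306, 5432}  # constructed policy: admin and DB ports

def _port_range(rule):
    """Inclusive port range a rule opens; protocol '-1' means every port."""
    if rule.get("ipProtocol") == "-1" or rule.get("fromPort") is None:
        return 0, 65535
    return rule["fromPort"], rule.get("toPort", rule["fromPort"])

def _world_open_cidrs(rule):
    """CIDRs in a rule that admit anyone on the internet (both field spellings)."""
    cidrs = [r.get("cidrIp") for r in rule.get("ipv4Ranges", [])] + rule.get("ipRanges", [])
    return sorted({c for c in cidrs if c in WORLD_CIDRS})

def evaluate_security_group(item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    findings = []
    for rule in item.get("configuration", {}).get("ipPermissions", []):
        lo, hi = _port_range(rule)
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        findings += [f"{c} -> {exposed}" for c in _world_open_cidrs(rule) if exposed]
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)
    return "COMPLIANT", "no sensitive port is open to the world"

def lambda_handler(event, context=None):
    """Custom-rule entry point: builds the Evaluation record Config expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed sample event: someone just opened SSH to the world on this group.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z", "configuration": {
    "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                       "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Calling lambda_handler(SAMPLE_EVENT) yields a NON_COMPLIANT evaluation annotated "0.0.0.0/0 -> [22]"; a group that only opens 443 to the world stays COMPLIANT.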
Amazon Inspector
Many applications in the cloud use compute resources, such as EC2 or Lambda. With plenty of third-party dependencies, it is easy to introduce a vulnerability into your software.
AWS has a dedicated service for that: Amazon Inspector. It continuously scans EC2 instances and Lambda functions for known issues. All scanning results are then passed to other services such as EventBridge.
When to use: scan computational resources for vulnerabilities and unwanted network exposure.
Amazon GuardDuty
Amazon GuardDuty is somewhat similar to Inspector. The difference is that it looks for threats across your whole system, not only in compute resources.
GuardDuty uses machine learning under the hood. It can check whether your databases face any attack, and whether there is suspicious activity around your S3 buckets or Lambda functions. It analyzes logs from different sources to identify malware.
When to use: to scan your system for known malicious and unauthorized activity.
Amazon Detective
When you want to dig into the details behind each vulnerability, Amazon Detective can help you with that. The service analyzes logs by applying graph theory and machine learning.
It analyzes events from various services such as VPC, CloudTrail, EKS, etc. Then it passes the findings to other services for inspection, like GuardDuty. It also visualizes the findings and hints at potential problems and the impact they can have.
When to use: to analyze logs from different services to spot issues.
AWS Security Hub
We have already discussed several Amazon services that help protect solutions and systems. Now we want a centralized place with all discoveries and an overall health status.
AWS Security Hub does exactly what its name says. It aggregates and streamlines the security checks in your system. Security Hub is the central place for protection and inspection reports; it keeps all findings and alerts together, helping you apply security best practices.
When to use: to streamline all security findings and alerts in one place.
AWS WAF
If you are looking for a proper firewall, there is a dedicated service for that. AWS WAF protects web applications against common, known web exploits.
The main feature of the Web Application Firewall is filtering traffic by applying rules: denying requests from specific IP addresses, requests with suspicious content, or requests matching certain patterns. It integrates well with load balancers, CloudFront, and API Gateway. WAF helps you guard the entry point to your application.
When to use: to protect applications from known web exploits.
AWS Shield
At this point, you might assume that WAF also protects against DDoS attacks. Unfortunately, that is not correct.
If you need to deal with DDoS events, use AWS Shield. It is a dedicated service for fighting floods of unwanted requests. AWS Shield identifies DDoS attempts and mitigates their impact, keeping your application responsive. It integrates with and complements the firewall.
When to use: to protect applications from DDoS attacks.
Amazon Macie
Protecting customer data is not a feature of every application, but a mandatory compliance requirement. If you store customers' private data, you want to keep it secure, especially Personally Identifiable Information (PII) such as name, email, and address.
Amazon Macie uses machine learning to crawl your data and discover sensitive information. It continuously monitors the objects in your S3 buckets. It then sends its findings to other services to notify stakeholders and initiate automatic remediation.
When to use: to track if there is PII data present in S3 buckets.
Trusted Advisor
AWS Trusted Advisor takes care of your cloud infrastructure spending. It checks your current setup and delivers insights on how to optimize costs.
Apart from cost optimization, Trusted Advisor offers a range of advice, like a personal support specialist. Its report includes how to optimize performance, enhance security, and get the most out of each service.
When to use: to receive extended reports with advice and best practices for used services.
Cybersecurity is a topic that will only keep growing. As we have seen, Amazon puts a huge effort into helping businesses protect their data. Persisting data in the cloud is safe when the proper tools are applied. You need to know your cloud provider's capabilities well to improve the security of your applications.