AWS Security services - the 'must-have' list

Brett Gillett

AWS CloudTrail

While not directly a ‘security’ service, AWS CloudTrail should be running in every one of your AWS accounts in every region.
Essentially, CloudTrail records all API calls within your AWS account. All activities in your account are API calls, whether you’re using the AWS Management Console, the CLI, or one of the AWS SDKs, so I hope you see the importance of the CloudTrail service.

CloudTrail is enabled in all new AWS accounts by default, but you should finish the configuration by centralizing all the logs into a single AWS account. If you’re running a multi-account deployment, CloudTrail supports AWS Organizations, which will help streamline your setup.

Here’s our recommended deployment architecture

AWS CloudTrail reference architecture

AWS Config

Like AWS CloudTrail, AWS Config is not a ‘security service.’ It is still super important, though. I describe AWS Config as a ‘Configuration Management Database (CMDB)’ for AWS. Once enabled, it discovers and records changes to all supported AWS services in your accounts. So when you combine both CloudTrail and Config, you end up with complete pictures of the resources deployed in your AWS accounts and who (or what) has made changes to those resources.

AWS Config is a regional service, so at a minimum, you should enable it in each AWS region where you have resources deployed, in every AWS account. Additionally, AWS Config supports multi-account multi-region data aggregation, so that once configured, we can leverage a single AWS Config console to view resources across our AWS environment deployment.

Here’s our reference diagram AWS Config reference architecture

Amazon GuardDuty

GuardDuty is a fully managed AWS service that helps identify potential threats to AWS resources and AWS accounts. Once enabled, GuardDuty continuously analyzes your AWS accounts’ activity using several data sources to identify and prioritize potential threats.

You should enable GuardDuty in each AWS region where you have resources deployed so that it can provide insight into potential threats across your entire deployment.

Like CloudTrail and Config, GuardDuty is integrated with AWS Organizations to help you streamline the service deployment across multiple AWS accounts.

Here’s how we set up GuardDuty for our customers AWS GuardDuty reference architecture

Amazon Security Hub

Security Hub provides a centralized ‘single pane of glass’ for security-related events. Once enabled, it collects data from several AWS services and offers automated security checks using several industry best practices.

Like the other services we’ve highlighted so far, Security Hub is a regional service, so you should enable it in each AWS region where you have AWS resources deployed. AWS Organizations also supports Security Hub, and you can now aggregate Security Hub findings into a single AWS region to make the review process more straightforward.

Security Hub does rely on AWS Config to operate, so make sure you set up AWS Config before enabling Security Hub.

AWS Security Hub reference architecture

AWS IAM Access Analyzer

Proper configuration of the Identity and Access Management (IAM) service is essential for the overall security of your AWS environment. However, I did want to point out a specific feature of IAM - the IAM Access Analyzer. Once enabled, the service identifies entities from outside your ‘zone of trust’ - which can be a single AWS account or your AWS organization - that have access to resources in your account.

The IAM Access Analyzer service generates findings which you can review and then take action where appropriate. Like the other services I’ve mentioned, AWS Organizations will help you manage a multiple account deployment of the IAM Access Analyzer solution.

Access Analyzer for S3

Once you’ve enabled IAM Access Analyzer, you should enable S3 Access Analyzer as well. This feature of S3 provides information about external access to S3 buckets within your account.

Taking Action

This article highlighted what I consider to be the ‘must-have’ security services in every AWS deployment. However, the other important takeaway is that enabling these services is only the first step. You need to ensure you have tooling in place for remediation - ideally automated - and notifications where appropriate.

Brett Gillett


Like what you read? Why not subscribe to the weekly Orbit newsletter and get content before everyone else?