In the AWS Cloud, security services are significantly more cost-effective than on-premises solutions.
Examples
WAF - Web Application Firewall
GuardDuty (anomaly detection (UEBA), network behavior anomaly detection (NBAD), threat intelligence feeds, and native rules to detect threats)
AWS Security Hub (Security Posture Manager)
Many security services are free, or offer a free tier, or a free trial
AWS IAM Access Analyzer is a free service that uses automated reasoning to detect human error in resource policies that would allow external access
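As an added illustration of the kind of mistake Access Analyzer is meant to catch (this is example code written for this page, not Access Analyzer's automated-reasoning engine and not code from AWS), the following script applies a simplified heuristic to a bucket policy: it flags Allow statements whose principal is anonymous or belongs to an account outside a trusted set, unless a condition key scopes the caller. The trusted account id, the sample policy and the organization id are constructed values.

```python
import json

# Constructed: the account(s) considered inside the zone of trust. Not from the page.
TRUSTED_ACCOUNTS = {"111111111111"}

# Condition keys that pin the caller to a known account, org or resource; a statement
# carrying one of them is treated as scoped rather than external (a simplification).
SCOPING_KEYS = ("aws:PrincipalAccount", "aws:PrincipalOrgID",
                "aws:SourceAccount", "aws:SourceArn")


def principal_accounts(principal):
    """Return the account ids named by a Principal element ('*' for anonymous access).
    Service principals ("Service": "...") are not external accounts and are ignored."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for p in aws:
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])   # arn:aws:iam::<account>:root or :user/...
        elif p.isdigit():
            accounts.add(p)                # bare 12-digit account id
    return accounts


def external_access_findings(policy, trusted=TRUSTED_ACCOUNTS):
    """List Allow statements that grant access to principals outside `trusted`
    without a condition that scopes the caller."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond_text = json.dumps(stmt.get("Condition", {}))
        scoped = any(k in cond_text for k in SCOPING_KEYS)
        for acct in principal_accounts(stmt.get("Principal", {})):
            if acct not in trusted and not scoped:
                findings.append({"sid": stmt.get("Sid", ""), "principal": acct,
                                 "actions": stmt.get("Action")})
    return findings


# Constructed sample bucket policy: one public statement, one unscoped cross-account
# statement, one org-scoped statement and one same-account statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CrossAccountNoCondition", "Effect": "Allow",
         "Principal": {"AWS": "333333333333"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OrgScoped", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "SameAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for f in external_access_findings(SAMPLE_POLICY):
        print(f"{f['sid']}: principal {f['principal']} may call {f['actions']}")
```

Run against the sample policy it reports the PublicRead and CrossAccountNoCondition statements only; the org-scoped and same-account grants are inside the zone of trust. The real service reasons over the full policy language (NotPrincipal, NotAction, every condition operator), which is exactly why a hand-written check like this should not be relied on in its place.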
AWS Shield Standard - DDoS attack mitigation service (layer 4) - free and enabled by default for everyone
Amazon Cognito has a free tier of 50,000 monthly active users, so if you have 50,001 users you only pay for 1 user, and if you have fewer, you pay nothing.
Services with a free trial, which lets you estimate what the service would cost in your infrastructure the following month:
Amazon GuardDuty
AWS Security Hub
Amazon Detective
Audit Manager
etc.
AWS Systems Manager Patch Manager is free for cloud instances
Integrity
In the cloud, operator access to the infrastructure requires two-person control and is audited, and multiple interfaces were built to minimize access and keep humans away from customer data.
Availability
The availability of the cloud (uptime) is public and has historically been much higher than that of on-premises data centers
Specialized hardware developed by AWS for AWS, such as mini-UPSs in each rack in addition to the data center UPSs
Example:
KMS SLA: 99.999%
KMS actual availability in the past 8 years: 99.99999%
Compliance
Shared responsibility:
Much of the responsibility remains with AWS, so customers only have to submit AWS's compliance reports or perform a gap assessment to prove that their workloads are also compliant.
You can download reports using AWS Artifact
In the cloud, AWS Audit Manager helps you automatically collect evidence, which simplifies building the audit report.
Vulnerability Management
AWS Responsibility:
For managed services, AWS takes care of applying the necessary patches and the hardening configuration of the services.
More information is available on the Security Bulletins page
When a new zero-day vulnerability such as the Log4j RCE is discovered, AWS teams quickly patch and apply mitigations to the infrastructure so that it is not left vulnerable.
Customer Responsibility:
For your instances (IaaS) or containers, you can use Amazon Inspector to simplify the detection and prioritization of vulnerabilities and of deviations from OS hardening best practices.
Physical Security
Data Center Perimeter:
In AWS datacenters, access controls are among the strictest in the world, with multi-factor access controls at three different points: the entrance to the premises, the entrance to the datacenter, and the entrance to the area where customer data is located.
Security controls in the Data Centers:
When AWS implements a control at the request of a customer with strict security requirements, such as a bank or a military organization, it is baselined for all data centers and all customers benefit from that control.
Controls are audited by third party auditors
No data storage medium leaves the datacenter without being destroyed INSIDE the datacenter. If a drive fails, AWS destroys it in the datacenter instead of sending it to the manufacturer.
Security cameras around the perimeter and in the interior, with 24x7 monitoring
To access the datacenter, in addition to presenting your badge and PIN, a security officer behind armored glass verifies the person's need to access and grants entry using his/her own badge.
Personnel
Vetted - background checks
There are no subcontractors, and everyone who enters the datacenter, even AWS employees, must have a justification.
Trained and certified staff manage the cloud
24x7 security teams monitor the infrastructure and notify customers when they detect anomalies, abuse, or exfiltrated credentials
Customer Incident Response Team: Free assistance during active security incidents.
Resiliency
Each region has multiple Availability Zones (AZs), which are sets of datacenters typically 100 km (60 miles) apart, so that a disaster cannot affect more than one AZ, while staying close enough for synchronous replication with low latency.
Example:
Amazon S3: 99.99999999% durability
Cross-region disaster recovery - regions are strongly isolated and independent, so DR is never affected by a failure of the primary region
Secure by Default
When a Security Group is created, it allows no inbound access on any port
When creating a new account, public access to S3 buckets is blocked by default at the account level.
Creating a bucket also blocks public access at the bucket level.
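The two secure defaults above are easy to verify from the API responses. The following script is an added example written for this page (not AWS code): it inspects a security group in the shape returned by `describe-security-groups` and reports inbound rules open to the whole internet, and it computes the effective S3 Public Access Block settings from the account-level and bucket-level configurations, which S3 evaluates together with the most restrictive value winning. The group ids and configurations are constructed sample data.

```python
import ipaddress

# The four settings of an S3 Public Access Block configuration.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def open_ingress_rules(security_group):
    """Return inbound permissions of a security group (describe-security-groups shape)
    that are reachable from any address (0.0.0.0/0 or ::/0)."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr).prefixlen == 0:
                # IpProtocol "-1" means all protocols; FromPort/ToPort are then absent
                findings.append((perm.get("IpProtocol"), perm.get("FromPort"),
                                 perm.get("ToPort"), cidr))
    return findings


def effective_public_access_block(account_cfg, bucket_cfg):
    """S3 applies the account-level and bucket-level settings together and the most
    restrictive one wins, so a block is in force if either level enables it."""
    return {k: bool(account_cfg.get(k, False) or bucket_cfg.get(k, False))
            for k in BLOCK_KEYS}


def is_fully_blocked(account_cfg, bucket_cfg):
    """True when all four blocks are in force for the bucket."""
    return all(effective_public_access_block(account_cfg, bucket_cfg).values())


# Constructed samples (not from the page): a freshly created security group, the same
# group after someone added SSH from the internet, and two public-access-block configs.
FRESH_SG = {"GroupId": "sg-0example", "IpPermissions": [],
            "IpPermissionsEgress": [{"IpProtocol": "-1",
                                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
MODIFIED_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]}
ACCOUNT_BPA_DEFAULT = {k: True for k in BLOCK_KEYS}            # new-account default
ACCOUNT_BPA_RELAXED = dict(ACCOUNT_BPA_DEFAULT, BlockPublicPolicy=False)
BUCKET_BPA_NONE = {}                                            # bucket with no own config

if __name__ == "__main__":
    print("fresh SG open rules:", open_ingress_rules(FRESH_SG))
    print("modified SG open rules:", open_ingress_rules(MODIFIED_SG))
    print("default account, bare bucket, fully blocked:",
          is_fully_blocked(ACCOUNT_BPA_DEFAULT, BUCKET_BPA_NONE))
    print("relaxed account, bare bucket, fully blocked:",
          is_fully_blocked(ACCOUNT_BPA_RELAXED, BUCKET_BPA_NONE))
```

The fresh group yields no findings because its inbound list is empty; the egress rule that allows everything outbound is the normal default and is not inspected here. The second half shows why the account-level block matters: a bucket with no configuration of its own is still fully blocked while the account setting is intact, and becomes exposed on one axis as soon as the account-level setting is relaxed.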
Privacy
Isolation Layers
At Account Level
At VPC Level
At Subnet Level (Network ACLs)
At Instance Level (Security Groups)
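The subnet and instance layers behave differently, and the difference is a frequent source of outages and of unintended exposure: network ACLs are stateless and evaluated in rule-number order with a first match, while security groups are stateful and allow-only. The simulator below is an added example written for this page (not AWS code) that models both evaluations and walks one SSH session through them; the rule sets, ports and addresses are constructed.

```python
import ipaddress


def _matches(rule, proto, port, ip):
    """True if a rule's protocol, port range and CIDR all cover the packet."""
    lo, hi = rule["ports"]
    return (rule["protocol"] in (proto, "all") and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]))


def nacl_evaluate(rules, proto, port, ip):
    """Network ACLs are stateless and ordered: rules are checked by ascending rule
    number and the first match decides; the implicit '*' rule at the end denies."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _matches(rule, proto, port, ip):
            return rule["action"]
    return "deny"


def sg_evaluate(rules, proto, port, ip):
    """Security groups are allow-only and unordered: any matching rule permits."""
    return "allow" if any(_matches(r, proto, port, ip) for r in rules) else "deny"


def ssh_session_allowed(nacl_in, nacl_out, sg_in, client_ip, ephemeral_port=50000):
    """A TCP session needs the request in (dst port 22) and the reply out (to the
    client's ephemeral port). The security group is stateful, so the reply is allowed
    once the inbound rule matched; the NACL is stateless, so the outbound NACL must
    separately allow the ephemeral port towards the client's address."""
    request_ok = (nacl_evaluate(nacl_in, "tcp", 22, client_ip) == "allow"
                  and sg_evaluate(sg_in, "tcp", 22, client_ip) == "allow")
    reply_ok = nacl_evaluate(nacl_out, "tcp", ephemeral_port, client_ip) == "allow"
    return request_ok and reply_ok


# Constructed rule sets (not from the page). Inbound NACL: a low-numbered deny for one
# subnet takes precedence over the broader allow that follows it.
NACL_IN = [
    {"rule": 100, "protocol": "tcp", "ports": (22, 22), "cidr": "10.0.0.0/8", "action": "allow"},
    {"rule": 90, "protocol": "tcp", "ports": (22, 22), "cidr": "10.1.2.0/24", "action": "deny"},
]
# Outbound NACL that forgot the ephemeral range: replies to SSH clients are dropped.
NACL_OUT_STRICT = [
    {"rule": 100, "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Outbound NACL with the ephemeral port range a stateless filter needs.
NACL_OUT_EPHEMERAL = NACL_OUT_STRICT + [
    {"rule": 110, "protocol": "tcp", "ports": (1024, 65535), "cidr": "10.0.0.0/8", "action": "allow"},
]
# Security group: a single inbound allow; no outbound rule is needed for the reply.
SG_IN = [{"protocol": "tcp", "ports": (22, 22), "cidr": "10.0.0.0/8"}]

if __name__ == "__main__":
    for ip in ("10.1.2.5", "10.2.0.1"):
        print(ip, "inbound NACL:", nacl_evaluate(NACL_IN, "tcp", 22, ip))
    print("strict outbound NACL, session:",
          ssh_session_allowed(NACL_IN, NACL_OUT_STRICT, SG_IN, "10.2.0.1"))
    print("ephemeral outbound NACL, session:",
          ssh_session_allowed(NACL_IN, NACL_OUT_EPHEMERAL, SG_IN, "10.2.0.1"))
```

Two points the simulation makes concrete: rule 90 denies the 10.1.2.0/24 subnet even though rule 100 would allow it, because the lower number is evaluated first; and the session from 10.2.0.1 fails with the strict outbound NACL although both the inbound NACL and the security group allow the request, because nothing in the stateless layer permits the reply.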
Encryption
In Transit
All AWS services that transmit data to on-prem, or to the end user, offer the option of encryption in transit (TLS or VPN)
At Rest
KMS allows you to generate customer-managed keys, and it is integrated into the services so encryption can be configured in minutes
Services offer the option to encrypt with keys managed by AWS
Security Services
AWS cloud security services are activated with one or a few clicks, are cost-efficient and have a low operational workload.
Many of them are integrated into Security Hub to simplify the management of security findings.