AWS Cloud Security: 12 Essential Services to Protect Your Workloads
AWS cloud security is one of the most critical responsibilities for any team running workloads in the cloud. AWS provides a powerful set of native security services — but knowing which ones to use, how they interact, and what you are responsible for configuring is what separates a hardened environment from a vulnerable one. This article covers 12 essential AWS security services, how they protect your infrastructure, and how they map to real compliance requirements like SOC 2, HIPAA, and GDPR.
The AWS Shared Responsibility Model
Before choosing any security service, you need to understand who is responsible for what. AWS operates on a shared responsibility model: AWS secures the underlying cloud infrastructure — physical hardware, data centres, networking, and core managed service operations. You are responsible for securing everything you put inside that infrastructure: your data, your applications, your IAM configuration, your network settings, and how you use AWS services.
This means AWS being SOC 2 certified at the infrastructure level does not automatically make your environment compliant. Your application layer — access controls, logging, encryption, and how services are configured — remains entirely your responsibility. Understanding this boundary is the starting point for every AWS cloud security decision.
If you are unsure where your current environment stands, an AWS Cloud Assessment is a practical way to identify gaps before they become incidents.
12 AWS Security Services to Know
1. AWS Identity and Access Management (IAM)
IAM is the foundation of AWS cloud security. It controls who and what can access your AWS resources, and under what conditions. Every permission in your AWS account flows through IAM — users, roles, groups, and policies all define the access boundaries for your environment.
Key capabilities include least-privilege permission policies, role-based access for services and applications, MFA enforcement, federated SSO integration, and detailed credential reports for auditing. Misconfigured IAM is consistently one of the leading causes of cloud security incidents, making it the first service to get right.
What to configure: Apply least-privilege policies across all users and roles. Lock away the root account, enforce MFA, and use roles with temporary credentials rather than long-lived access keys wherever possible.
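A concrete way to apply the "least privilege plus MFA" guidance above is to generate policy documents from code and lint them before they are attached. The block below is an added example, not code from the article or from AWS: it builds a policy scoped to one S3 prefix that only applies when the caller authenticated with MFA (the `aws:MultiFactorAuthPresent` condition key), and a small linter that flags the patterns the text warns against: wildcard actions, wildcard resources, and sensitive actions without an MFA condition. The bucket, prefix and the `SENSITIVE_ACTIONS` watchlist are assumptions for the example.

```python
"""Least-privilege IAM policy builder and linter (added example; not AWS code).

Builds a policy that grants read access to one S3 prefix only when the caller
authenticated with MFA, and lints policy documents for the patterns the
article warns against: wildcard actions, wildcard resources, and sensitive
actions granted with no MFA condition.
"""
import json

# Actions that should never be granted without an MFA condition
# (assumed watchlist for this example; tune it to your environment).
SENSITIVE_ACTIONS = {"iam:CreateAccessKey", "iam:AttachUserPolicy",
                     "kms:ScheduleKeyDeletion", "cloudtrail:StopLogging"}


def least_privilege_s3_policy(bucket: str, prefix: str) -> dict:
    """Return a policy document scoped to one bucket prefix with MFA required."""
    mfa = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThePrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}, **mfa},
            },
            {
                "Sid": "ReadObjectsInThePrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
                "Condition": mfa,
            },
        ],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement: dict) -> bool:
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{sid}: grants every action (Action '*')")
        if any(a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide wildcard action")
        if "*" in resources:
            findings.append(f"{sid}: applies to every resource (Resource '*')")
        if (SENSITIVE_ACTIONS & set(actions)) and not _requires_mfa(stmt):
            findings.append(f"{sid}: sensitive action granted without an MFA condition")
    return findings


if __name__ == "__main__":
    policy = least_privilege_s3_policy("app-artifacts", "release")  # assumed names
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```

Run the linter in CI against every policy document in your infrastructure-as-code repository; a non-empty findings list should fail the build so over-broad grants never reach the account.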
2. AWS Secrets Manager
Hardcoded credentials in source code or configuration files are a common and costly mistake. Secrets Manager eliminates that risk by providing a centralised, encrypted store for database passwords, API keys, OAuth tokens, and other sensitive values. It integrates with AWS KMS for encryption and supports automatic secret rotation on a configurable schedule.
What to configure: Replace any hardcoded secrets in your codebase or environment variables with Secrets Manager references. Enable automatic rotation for database credentials and audit access using CloudTrail logs.
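The pattern the paragraph describes, replacing a hardcoded database password with a Secrets Manager lookup, looks like the following in application code. This is an added example, not the article's or AWS's code. It uses the real boto3 call shape `get_secret_value(SecretId=...)` and the JSON layout Secrets Manager uses for rotation-managed RDS credentials, but the client is injected so the block runs offline here against a constructed fake; in production you would pass `boto3.client("secretsmanager")`. The secret name and TTL are assumptions. The cache TTL matters for rotation: a secret fetched once at startup and never refreshed breaks the first time rotation changes the password.

```python
"""Loading a database credential from Secrets Manager instead of hardcoding it
(added example; not AWS or the article's code).

The client is injected so the module runs offline with the fake at the bottom;
in production pass boto3.client("secretsmanager"). Secret names are assumed.
"""
import json
import time


class SecretCache:
    """Fetch each secret once and reuse it until the TTL expires, so a rotated
    password is picked up without a restart but every call is not an API trip."""

    def __init__(self, client, ttl_seconds: int = 300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock      # injectable for deterministic tests
        self._cache = {}         # secret_id -> (fetched_at, parsed value)

    def get(self, secret_id: str) -> dict:
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit and now - hit[0] < self._ttl:
            return hit[1]
        # Real boto3 call shape: get_secret_value(SecretId=...) -> {"SecretString": "..."}
        resp = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(resp["SecretString"])  # rotation-managed DB secrets are JSON
        self._cache[secret_id] = (now, value)
        return value


def build_dsn(secret: dict) -> str:
    """Turn the standard RDS secret layout (username/password/host/port/dbname)
    into a connection string. Never log the result: it contains the password."""
    return (f"postgresql://{secret['username']}:{secret['password']}"
            f"@{secret['host']}:{secret['port']}/{secret['dbname']}")


class FakeSecretsManager:
    """Offline stand-in for the AWS client (constructed for this example)."""

    def __init__(self):
        self.calls = 0
        self.secret = {"username": "app", "password": "v1", "host": "db.internal",
                       "port": 5432, "dbname": "orders", "engine": "postgres"}

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self.secret)}

    def rotate(self, new_password):
        # Simulates Secrets Manager's rotation Lambda writing a new version.
        self.secret = {**self.secret, "password": new_password}


if __name__ == "__main__":
    cache = SecretCache(FakeSecretsManager(), ttl_seconds=60)
    creds = cache.get("prod/orders/db")          # assumed secret name
    print("connecting as", creds["username"], "to", creds["host"])
```

Audit who read the secret via CloudTrail: every `GetSecretValue` call is recorded there with the calling principal, which is the evidence trail the paragraph refers to.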
3. AWS Key Management Service (KMS)
KMS manages the encryption keys that protect your data at rest across AWS services. It integrates natively with S3, RDS, DynamoDB, Lambda, EBS, and many other services, giving you centralised control over who can use which keys and a full audit trail of key usage.
KMS supports both AWS-managed keys and customer-managed keys (CMKs), giving you flexibility depending on your compliance requirements. For regulated workloads — HIPAA, PCI DSS, or SOC 2 — CMKs with tight key policies are typically expected.
What to configure: Enable encryption at rest for all data stores using KMS. Define key policies that restrict usage to specific roles and services. Review key usage logs in CloudTrail regularly.
4. AWS Web Application Firewall (WAF)
AWS WAF sits in front of your web applications and APIs, filtering HTTP/S traffic based on rules you define. It protects against common exploits including SQL injection, cross-site scripting (XSS), and bot abuse. WAF can be attached to CloudFront, Application Load Balancers, API Gateway, and AppSync.
AWS provides managed rule groups — maintained by AWS and AWS Marketplace partners — that cover OWASP Top 10 vulnerabilities, known bad IPs, and platform-specific threats. These give you a strong baseline without starting from scratch.
What to configure: Start with AWS Managed Rules as a baseline, then add custom rules for your application's specific traffic patterns. Enable WAF logging to CloudWatch or S3 for visibility and tuning.
5. AWS Shield
AWS Shield provides DDoS protection for applications running on AWS. Shield Standard is enabled automatically for all AWS accounts at no extra cost and defends against common network and transport layer attacks: SYN floods, UDP reflection, DNS query floods, and HTTP floods.
Shield Advanced extends this with enhanced detection, near-real-time attack visibility, cost protection during DDoS events, and access to the AWS Shield Response Team (SRT) for assistance during active attacks. It applies to resources including CloudFront, Route 53, Elastic IPs, and ALBs.
What to configure: For public-facing applications with high availability requirements, evaluate Shield Advanced. Ensure Route 53 and CloudFront are in your protection scope, as they are common DDoS targets.
6. Amazon Macie
Macie uses machine learning to automatically discover, classify, and protect sensitive data stored in S3 buckets. It identifies personally identifiable information (PII), financial data, credentials, and other sensitive content, then alerts on public exposure, misconfigured bucket policies, and unusual access patterns.
For teams working toward HIPAA or GDPR compliance, Macie provides automated evidence that sensitive data is being monitored and protected — a requirement auditors frequently check.
What to configure: Enable Macie across all S3 buckets in your account. Review findings by severity and remediate public exposure issues immediately. Use Macie findings as automated evidence in your compliance tool (Vanta, Drata, etc.).
7. Amazon Inspector
Inspector is a vulnerability management service that continuously scans EC2 instances, Lambda functions, and ECR container images for software vulnerabilities and unintended network exposures. Unlike a point-in-time scan, Inspector runs continuously and re-evaluates findings as new CVEs are published.
It prioritises findings using a risk score that factors in exploitability and network reachability, helping your team focus on what matters most rather than working through low-priority noise.
What to configure: Enable Inspector at the AWS Organizations level to cover all accounts. Integrate findings with Security Hub for centralised visibility. Set up EventBridge rules to alert on critical findings automatically.
8. Amazon GuardDuty
GuardDuty is AWS's core threat detection service. It analyses CloudTrail logs, VPC Flow Logs, DNS query logs, and S3 data events using machine learning and threat intelligence to identify suspicious activity — unusual API calls, compromised credentials, cryptocurrency mining, unauthorised deployments, and more.
GuardDuty requires no agents and no infrastructure changes. It runs continuously in the background and generates findings that can be routed to Security Hub, EventBridge, or your SIEM. It is one of the highest-value services to enable in any AWS account.
What to configure: Enable GuardDuty in every AWS region you operate in, including regions where you have no active workloads. Enable S3 Protection and EKS Runtime Monitoring if applicable.
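Findings routed to EventBridge arrive as JSON events, and a small Lambda target is the usual place to decide who gets paged. The block below is an added example, not the article's or AWS's code: it parses a GuardDuty finding from the EventBridge envelope, maps the numeric severity to the documented Low/Medium/High/Critical bands, extracts the affected resource for the common resource types, and picks a route. The routing table, the finding IDs, the account ID and the key/instance identifiers are constructed placeholders.

```python
"""Triaging GuardDuty findings delivered through EventBridge (added example;
not AWS or the article's code). The handler shape matches what a Lambda
target receives; the two findings below are constructed samples.
"""
import json

# Severity bands as documented for GuardDuty findings (floor, label).
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW")]

# Where each band goes (assumed routing for this example).
ROUTE_FOR = {"CRITICAL": "page-oncall", "HIGH": "page-oncall",
             "MEDIUM": "open-ticket", "LOW": "log-only"}


def severity_label(score: float) -> str:
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "LOW"


def affected_resource(resource: dict) -> str:
    """Pull a stable identifier out of the finding's resource block."""
    kind = resource.get("resourceType")
    if kind == "AccessKey":
        d = resource["accessKeyDetails"]
        return f"iam-user:{d.get('userName')} key:{d.get('accessKeyId')}"
    if kind == "Instance":
        return f"ec2:{resource['instanceDetails']['instanceId']}"
    if kind == "S3Bucket":
        return "s3:" + ",".join(b["name"] for b in resource.get("s3BucketDetails", []))
    return f"{kind}:unknown"


def triage(event: dict) -> dict:
    if event.get("source") != "aws.guardduty":
        raise ValueError("not a GuardDuty event")
    f = event["detail"]
    label = severity_label(float(f["severity"]))
    return {
        "id": f["id"],
        "type": f["type"],
        "account": f["accountId"],
        "region": f["region"],
        "severity": label,
        "resource": affected_resource(f.get("resource", {})),
        "route": ROUTE_FOR[label],
        # Archived findings should not re-page anyone.
        "suppressed": bool(f.get("service", {}).get("archived", False)),
    }


def lambda_handler(event, context=None):
    decision = triage(event)
    print(json.dumps(decision))   # lands in CloudWatch Logs
    return decision


SAMPLE_HIGH = {  # constructed sample, not a real finding
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-0001",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8, "accountId": "123456789012", "region": "eu-west-1",
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"userName": "deploy-bot",
                                          "accessKeyId": "AKIAEXAMPLEKEY000000"}},
        "service": {"archived": False, "count": 3},
    },
}
SAMPLE_LOW = {  # constructed sample, not a real finding
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-0002",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2, "accountId": "123456789012", "region": "eu-west-1",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"archived": False, "count": 1},
    },
}

if __name__ == "__main__":
    lambda_handler(SAMPLE_HIGH)
    lambda_handler(SAMPLE_LOW)
```

The EventBridge rule that feeds this handler matches on `source: aws.guardduty` and `detail-type: GuardDuty Finding`; keeping the severity bands in one place means a change in paging policy is a one-line edit rather than a rule rewrite.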
9. Amazon Detective
When GuardDuty or Security Hub surfaces a finding, Detective helps you investigate it. It automatically ingests and correlates data from CloudTrail, VPC Flow Logs, and GuardDuty findings, then builds visual graphs that show the sequence of events, affected resources, and related activity around a security incident.
Rather than manually joining logs across services to trace an attack path, Detective does the correlation for you, significantly reducing investigation time.
What to configure: Enable Detective and connect it to your GuardDuty findings. Use it during incident response to trace the root cause of findings rather than querying raw logs manually.
10. AWS Security Hub
Security Hub aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and supported third-party tools into a single centralised view. It automatically runs continuous checks against the AWS Foundational Security Best Practices standard, CIS AWS Benchmarks, and PCI DSS controls.

For teams working toward SOC 2 or ISO 27001, Security Hub's compliance checks provide automated evidence collection and a clear view of your control posture at any point in time. Our AWS Security & Compliance service includes configuring Security Hub as part of audit preparation.
What to configure: Enable Security Hub with the AWS Foundational Security Best Practices standard as a minimum. Add CIS or PCI standards relevant to your compliance framework. Suppress findings that are accepted risks with documented justification.
11. AWS CloudTrail
CloudTrail records every API call made in your AWS account — who made it, from where, on which resource, and when. It is the primary audit log for your AWS environment and is required by virtually every compliance framework: SOC 2 (availability and security monitoring), HIPAA (audit controls), GDPR (access logging), and ISO 27001 (event logging).
Without CloudTrail, you cannot investigate incidents, demonstrate access controls to auditors, or detect unusual account activity reliably.
What to configure: Enable CloudTrail in all regions with log file integrity validation turned on. Store logs in a dedicated S3 bucket with restricted access and an appropriate retention policy. Enable CloudTrail Insights to detect unusual API activity automatically.
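Once CloudTrail is delivering to S3, the records can be scanned for the account-level activity the paragraph says you need to detect. The block below is an added example, not the article's or AWS's code: it runs three checks over CloudTrail records (root account use, a successful console login without MFA, and calls that weaken the trail itself such as `StopLogging`) and counts `AccessDenied` errors per principal, which is a cheap signal for a credential being used to probe for permissions it does not have. The field names follow the CloudTrail record format; the five records, the account ID, principals and IP address are constructed.

```python
"""Detection checks over CloudTrail records (added example; not AWS or the
article's code). Field names follow the CloudTrail record format; the
records below are constructed, not from a real trail.
"""
from collections import Counter

# API calls that weaken the audit trail itself (assumed watchlist for this example).
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def check_record(rec: dict) -> list:
    """Return the alert names a single record triggers (empty if none)."""
    alerts = []
    ident = rec.get("userIdentity", {})
    name = rec.get("eventName")
    if ident.get("type") == "Root":
        alerts.append("root-account-activity")
    if name == "ConsoleLogin":
        # ConsoleLogin records carry MFAUsed in additionalEventData.
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if success and mfa != "Yes":
            alerts.append("console-login-without-mfa")
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
        alerts.append("cloudtrail-tampering")
    return alerts


def scan(records) -> dict:
    """Map eventID -> alerts for every record that triggered at least one."""
    hits = {}
    for rec in records:
        alerts = check_record(rec)
        if alerts:
            hits[rec["eventID"]] = alerts
    return hits


def access_denied_bursts(records, threshold: int = 5) -> dict:
    """Principals whose AccessDenied count reaches the threshold in this batch."""
    counts = Counter(rec["userIdentity"].get("arn", "<unknown>")
                     for rec in records if rec.get("errorCode") == "AccessDenied")
    return {arn: n for arn, n in counts.items() if n >= threshold}


def _rec(event_id, source, name, ident_type, arn, **extra):
    base = {"eventID": event_id, "eventVersion": "1.08",
            "eventTime": "2024-05-01T08:00:00Z", "eventSource": source,
            "eventName": name, "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": ident_type, "arn": arn}}
    base.update(extra)
    return base


ACCOUNT = "123456789012"  # constructed
DEPLOY_BOT = f"arn:aws:iam::{ACCOUNT}:user/deploy-bot"
SAMPLE_RECORDS = [  # constructed records
    _rec("ev-1", "signin.amazonaws.com", "ConsoleLogin", "Root", f"arn:aws:iam::{ACCOUNT}:root",
         additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("ev-2", "cloudtrail.amazonaws.com", "StopLogging", "IAMUser", DEPLOY_BOT),
    _rec("ev-3", "s3.amazonaws.com", "GetObject", "IAMUser", f"arn:aws:iam::{ACCOUNT}:user/alice"),
    _rec("ev-4", "iam.amazonaws.com", "CreateAccessKey", "IAMUser", DEPLOY_BOT, errorCode="AccessDenied"),
    _rec("ev-5", "iam.amazonaws.com", "AttachUserPolicy", "IAMUser", DEPLOY_BOT, errorCode="AccessDenied"),
]

if __name__ == "__main__":
    for event_id, alerts in scan(SAMPLE_RECORDS).items():
        print(event_id, alerts)
    print("access-denied bursts:", access_denied_bursts(SAMPLE_RECORDS, threshold=2))
```

In production the same functions run over the `Records` array of each gzipped log object CloudTrail writes to the bucket, or as EventBridge rules on the same field names; the logic is identical, only the transport changes.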
12. AWS Config
While CloudTrail records actions, AWS Config records the state of your AWS resources over time. It tracks configuration changes — who changed a security group, when a public S3 bucket was created, whether encryption was disabled on an EBS volume — and evaluates those configurations against rules you define.
Config is essential for compliance audits because it provides a continuous record of your environment's configuration history. Auditors can see not just current settings but historical evidence that controls were in place throughout the audit period.
What to configure: Enable AWS Config in all active regions. Use AWS-managed Config rules for common checks (MFA enabled, S3 bucket not public, root account MFA, encryption at rest). Integrate Config findings with Security Hub for unified visibility.
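When the managed rules do not cover a check, AWS Config evaluates a Lambda function you write. The block below is an added example, not the article's or AWS's code, showing the shape of such a custom rule for one of the checks named above, encryption at rest on EBS volumes: it parses the `invokingEvent` Config passes to the handler, inspects the `AWS::EC2::Volume` configuration item, and reports `COMPLIANT`, `NON_COMPLIANT` or `NOT_APPLICABLE` through the real `put_evaluations` call shape. The Config client is injected so the block runs offline against a constructed fake; in Lambda you would pass `boto3.client("config")`. The volume IDs and result token are constructed.

```python
"""Custom AWS Config rule handler that marks unencrypted EBS volumes
NON_COMPLIANT (added example; not AWS or the article's code).

The Config client is injected so the handler runs offline with the fake below;
in Lambda pass boto3.client("config"). The invoking events are constructed.
"""
import json

DELETED_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate_volume(item: dict) -> str:
    """Compliance verdict for one configuration item."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in DELETED_STATES:
        return "NOT_APPLICABLE"   # nothing left to remediate
    return "COMPLIANT" if item["configuration"].get("encrypted") else "NON_COMPLIANT"


def handler(event: dict, context=None, config_client=None) -> dict:
    invoking = json.loads(event["invokingEvent"])   # Config passes this as a JSON string
    item = invoking["configurationItem"]
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_volume(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if evaluation["ComplianceType"] == "NON_COMPLIANT":
        evaluation["Annotation"] = "EBS volume is not encrypted"   # shown in the console
    if config_client is not None:
        # Real boto3 call shape for reporting results back to Config.
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


class FakeConfig:
    """Offline stand-in for boto3's Config client (constructed for this example)."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.calls.append({"Evaluations": Evaluations, "ResultToken": ResultToken})
        return {"FailedEvaluations": []}


def _event(volume_id: str, encrypted: bool) -> dict:
    """Build a constructed Config invoking event for one volume."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-05-01T08:00:00.000Z",
        "configuration": {"volumeId": volume_id, "encrypted": encrypted,
                          "kmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/EXAMPLE" if encrypted else None},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token"}


ENCRYPTED_EVENT = _event("vol-0aaa111122223333a", True)
UNENCRYPTED_EVENT = _event("vol-0bbb111122223333b", False)

if __name__ == "__main__":
    fake = FakeConfig()
    print(handler(UNENCRYPTED_EVENT, config_client=fake))
    print(handler(ENCRYPTED_EVENT, config_client=fake))
```

The `OrderingTimestamp` must be the item's capture time, not the current time, or Config can discard a result as older than one it already holds; that is the detail most often wrong in hand-written rules.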
Compliance Frameworks and AWS
AWS's native security services map directly onto the requirements of major compliance frameworks. The table below shows which services are typically required or strongly recommended for each framework.
AWS provides the tools to build a genuinely robust security posture — but they need to be deliberately enabled, correctly configured, and monitored continuously. The 12 services above form a complete AWS cloud security stack: identity and access control (IAM, Secrets Manager), data protection (KMS, Macie), perimeter defence (WAF, Shield), vulnerability and threat detection (Inspector, GuardDuty, Detective), and compliance visibility (Security Hub, CloudTrail, Config).
If you are preparing for a SOC 2, HIPAA, or ISO 27001 audit and want to make sure your AWS environment is configured correctly, talk to our team.
Need to move fast? Our cloud team is ready to scale, secure, and optimize your systems. Get serverless expertise, 24/7 support, and seamless CI/CD pipelines when you need it most.