

Top AWS security features organizations need to know about

As cloud security becomes more essential, Amazon security features become more important. Expert Matthew Pascucci takes a look at specific AWS security products available today.

The cloud is continually growing in popularity, and Amazon's EC2 offering is leading the way in the industry, not only in cloud adoption, but in its ability to push the envelope with new AWS security features. Amazon has rightfully realized that its AWS success is proportional to how secure it can make the infrastructure. One of the biggest, if not the largest, fears that customers harbor about cloud adoption is how to secure it. Amazon has not only done a good job at securing its back-end systems, but it has also built tangible cloud security services that let customers manage the security of their own infrastructure. Because customers can secure their cloud environment with a holistic approach, without worrying about holes in their security posture, adoption of AWS services continues to grow. Here are some new AWS security features that extend Amazon's overall security approach to all systems being brought into the cloud.


AWS CloudTrail

With the CloudTrail feature, Amazon allows clients to monitor systems by logging the API requests used to manage deployments from SDKs, command-line tools, management consoles, services and accounts. This means the client can identify which services and accounts are making calls to the API and start focusing on what activity they have performed. Admins can review, and keep for seven days, a log of all requested API activity for auditing and alerting. This service is also being implemented throughout other Amazon security service offerings -- like WAF and CloudHSM -- to bring security context into one pane of glass.
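The "who is calling what" review the paragraph describes is usually done by parsing the JSON that CloudTrail delivers. The script below is an added example, not code from the article or from AWS: it loads a constructed batch of records in CloudTrail's JSON envelope (the field names `eventName`, `eventSource`, `userIdentity`, `sourceIPAddress` and `errorMessage` are real CloudTrail fields; the accounts, IPs and timestamps are made up), counts calls per principal, and flags the records a defender would want an alert on. The set of "sensitive" calls is an assumption chosen for illustration, not an AWS-defined list.

```python
"""Triage a batch of CloudTrail records: who called what, and which calls deserve an alert.

Added example; the records are constructed to mimic CloudTrail's event shape.
"""
import json
from collections import Counter

# Constructed sample records in CloudTrail's "Records" envelope (all values are made up).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-03-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-03-01T10:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2016-03-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# Assumed watch list: calls that tamper with the audit log itself or widen exposure.
SENSITIVE_CALLS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",          # weaken CloudTrail coverage
    "AuthorizeSecurityGroupIngress", "CreateAccessKey",   # widen network or credential exposure
}


def actor(record):
    """Human-readable principal: the IAM user name, or the identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def summarize_actors(trail_json):
    """Count API calls per principal: the 'which accounts are calling the API' view."""
    records = json.loads(trail_json)["Records"]
    return Counter(actor(r) for r in records)


def find_alerts(trail_json):
    """Return (actor, eventName, reason) tuples for records that merit review."""
    alerts = []
    for r in json.loads(trail_json)["Records"]:
        name = r.get("eventName")
        who = actor(r)
        if name in SENSITIVE_CALLS:
            alerts.append((who, name, "sensitive API call"))
        if r.get("userIdentity", {}).get("type") == "Root":
            alerts.append((who, name, "root credentials used"))
        # A failed console login carries errorMessage (and/or errorCode) in the record.
        if name == "ConsoleLogin" and (r.get("errorMessage") or r.get("errorCode")):
            alerts.append((who, name, "failed console login"))
    return alerts


if __name__ == "__main__":
    for who, n in summarize_actors(SAMPLE_TRAIL).items():
        print(f"{who}: {n} call(s)")
    for who, name, reason in find_alerts(SAMPLE_TRAIL):
        print(f"ALERT {reason}: {who} -> {name}")
```

In practice the same functions would run over the gzipped JSON files CloudTrail delivers to S3; the only change is reading each file instead of the inline string. Alerting on calls that disable or alter the trail is worth doing first, because those are the events that would make every later alert silent.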



AWS WAF

Many customers host web applications on AWS to run agile deployments. One of the downfalls in the past was that customers who had physical WAFs lost the ability to protect their applications unless they moved to a third-party cloud-based WAF. Amazon realized this and created the AWS WAF to protect web applications hosted on its platform. With the WAF, customers can incorporate web application security into their security posture where before it may not have been possible. AWS WAF protects applications from common attacks like XSS and SQL injection, and also enforces custom rules created by the client. These alerts and logs can also be sent to CloudTrail so the events are recorded for security response and incident review.


Amazon CloudFront

The Amazon security infrastructure is DDoS resilient by design, but the web applications and services that an organization hosts on top of Amazon might not be. CloudFront is Amazon's content delivery network, and it can be used to protect web applications from DDoS attacks targeted against an organization's applications. This AWS security service allows applications to remain resilient and available while under a DDoS attack. Depending on the configuration and services used, Amazon recommends particular configuration changes to assist with mitigating these risks.

Amazon Inspector

Of all the new AWS security features, one of the most security-centric services Amazon has deployed is Amazon Inspector. This service allows security assessments of applications living on customers' instances. Organizations can use this vulnerability management service as an assessment tool to find security risks in their applications. Amazon Inspector also gives organizations the option to fold the service into their current operations to increase security during deployments, reduce risk in the environment by defining security standards and satisfy compliance reporting for auditors.

Amazon Cognito

Amazon Cognito handles identity management. Organizations can use Cognito to have authentication occur through Amazon and funnel requests through its platform to watch for fraud and brute-force authentication attempts against applications. The service also federates with other providers -- Facebook, Google and Microsoft Active Directory Federation Services, for example -- so that authentication for the customer's applications can be validated by another party if needed. Lastly, Amazon Cognito also provides multifactor authentication for additional security if needed.


AWS CloudHSM

One of the biggest concerns when moving to the cloud is the storage and manageability of encryption keys. Amazon created CloudHSM to give organizations the option of using dedicated hardware security modules (HSMs) within their AWS cloud. In the past, organizations that wanted additional security around their crypto keys would limit which systems they deployed to the cloud. With CloudHSM, Amazon provides a dedicated HSM instance in the cloud that only the customer can access, so the customer does not have to be concerned with connectivity, security or performance. CloudHSM is integrated with other Amazon security services and allows for a full audit via CloudTrail, high availability options and secure access for the customer.


Cloud security has been a top concern for enterprises looking to move their IT operations off premises and leverage more affordable and flexible cloud services. Amazon security is slowly squelching the concerns organizations had about moving to the cloud by establishing services within its offerings to remediate risk, and in many instances, enhance security from a holistic approach. The AWS security features Amazon has introduced recently have not only helped strengthen the company's dominant position in the cloud market but also made it a force in the cloud security space.
