Overview of AWS Security Services — Protecting your AWS resources and meeting compliance requirements.
What Are AWS Security Services?
AWS Security Services provide comprehensive security capabilities for your AWS environment — from threat detection and vulnerability scanning to compliance automation and data protection.
Key Insight: Security is a shared responsibility. AWS is responsible for security *of* the cloud (the underlying infrastructure); you are responsible for security *in* the cloud (your data, applications, identities and configurations).
The Security Services Landscape
flowchart TB
subgraph Security["AWS Security Services"]
direction TB
subgraph Identity["Identity"]
direction LR
IAM["IAM"]
IIC["IAM Identity Center"]
Cognito["Cognito"]
end
subgraph Network["Network"]
direction LR
Shield["Shield"]
WAF["WAF"]
NFW["Network Firewall"]
VPC["VPC Security Controls"]
end
subgraph Data["Data"]
direction LR
KMS["KMS"]
HSM["CloudHSM"]
Macie["Macie"]
end
subgraph Threat["Threat Detection"]
direction LR
GD["GuardDuty"]
SH["Security Hub"]
Inspector["Inspector"]
Detective["Detective"]
end
subgraph Governance["Governance"]
direction LR
Config["Config"]
CT["CloudTrail"]
AM["Audit Manager"]
Artifact["Artifact"]
TA["Trusted Advisor"]
end
end
Categories shown: Identity & Access, Network Security, Data Security, Threat Detection & Response, and Compliance & Governance.
Security Services Overview
Identity & Access Management
| Service | Purpose | Key Capability |
|---|---|---|
| IAM | Core identity service | Users, groups, policies, roles |
| IAM Identity Center | Single sign-on | Multi-account SSO |
| Cognito | User authentication | App user sign-up/sign-in |
Network Security
| Service | Purpose | Key Capability |
|---|---|---|
| Shield | DDoS protection | Standard (free) + Advanced (paid) |
| WAF | Web application firewall | HTTP/S traffic filtering |
| Network Firewall | Managed network firewall | Stateful inspection |
| VPC | Network isolation | Security Groups, NACLs |
Data Security
| Service | Purpose | Key Capability |
|---|---|---|
| KMS | Encryption key management | Customer-managed keys |
| CloudHSM | Hardware security modules | Dedicated HSMs |
| Macie | Data discovery | Sensitive data detection in S3 |
Threat Detection & Response
| Service | Purpose | Key Capability |
|---|---|---|
| GuardDuty | Threat detection | ML-powered anomaly detection |
| Security Hub | Centralized findings | Aggregate security alerts |
| Inspector | Vulnerability scanning | Compute + container scanning |
| Detective | Security investigation | Visualize attack paths |
Compliance & Governance
| Service | Purpose | Key Capability |
|---|---|---|
| Config | Configuration tracking | Compliance rules, change history |
| CloudTrail | Audit logging | API call tracking |
| Audit Manager | Compliance automation | Evidence collection, reports |
| Artifact | Compliance docs | AWS audit reports, agreements |
| Trusted Advisor | Best practices | Cost, security, performance checks |
The Security Workflow
flowchart TD
Ops["Security Operations Lifecycle"]
P["Prevent<br/>IAM Policies, Security Groups, WAF, KMS"]
D["Detect<br/>GuardDuty, Config, Macie, Inspector"]
R["Respond<br/>Security Hub, Detective, EventBridge"]
C["Comply<br/>Audit Manager, Artifact, Config"]
Ops --> P
P --> D --> R --> C
C -. Continuous improvement .-> P
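The Respond step in the lifecycle above is usually wired as GuardDuty finding → EventBridge rule → Lambda target. The following is an added example (not code from the original page or from AWS) showing both halves: the EventBridge rule pattern that selects High/Critical findings, a minimal matcher that applies it the way the event bus would, and a handler that turns the matched finding into a response. The EventBridge envelope (`source` "aws.guardduty", `detail-type` "GuardDuty Finding") and the finding fields used follow GuardDuty's published finding format; the sample events are constructed, and `DryRunResponder` is a stand-in for the boto3 calls a real handler would make (the `modify_instance_attribute` quarantine call named in its comment is an assumption about your design, not something this code performs), so everything runs offline.

```python
"""Route a GuardDuty finding delivered via EventBridge to a response action (added example)."""

# EventBridge rule pattern: only findings with severity >= 7 (High/Critical) reach the responder.
# Lower severities are left for triage in Security Hub.
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def _value_matches(alt, got):
    # {"numeric": [op, n]} is EventBridge's numeric matching; anything else is an exact value.
    if isinstance(alt, dict) and "numeric" in alt:
        op, n = alt["numeric"]
        return isinstance(got, (int, float)) and _NUMERIC_OPS[op](got, n)
    return alt == got

def matches(pattern, event):
    """Minimal EventBridge pattern matcher: a list means any-of, a dict means nested pattern."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif not any(_value_matches(alt, got) for alt in want):
            return False
    return True

def severity_label(score):
    """GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

class DryRunResponder:
    """Stand-in for the AWS calls a real handler would make; it only records the actions."""
    def __init__(self):
        self.actions = []

    def isolate_instance(self, instance_id):
        # Assumed real implementation: ec2.modify_instance_attribute(InstanceId=..., Groups=[quarantine_sg])
        self.actions.append(("isolate", instance_id))

    def notify(self, message):
        # Assumed real implementation: sns.publish(...) or a ticketing API call
        self.actions.append(("notify", message))

def handle(event, responder):
    """Lambda-style handler body: act on a GuardDuty finding that passed the rule."""
    if not matches(HIGH_SEVERITY_RULE, event):
        return {"handled": False, "reason": "not a High/Critical GuardDuty finding"}
    finding = event["detail"]
    label = severity_label(finding["severity"])
    resource = finding.get("resource", {})
    # Containment first: an EC2 instance behind a High finding gets quarantined.
    if resource.get("resourceType") == "Instance":
        responder.isolate_instance(resource["instanceDetails"]["instanceId"])
    responder.notify(f"{label} {finding['type']} in account {finding.get('accountId')}")
    return {"handled": True, "severity": label, "actions": list(responder.actions)}

def lambda_handler(event, context):
    return handle(event, DryRunResponder())

# Constructed sample events in the EventBridge envelope GuardDuty findings arrive in.
SAMPLE_HIGH_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111122223333", "region": "us-east-1", "time": "2025-01-10T10:00:00Z",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc1234def567890"}},
    },
}
SAMPLE_LOW_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111122223333", "region": "us-east-1", "time": "2025-01-10T10:05:00Z",
    "detail": {"schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
               "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc1234def567890"}}},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_HIGH_EVENT, None))
    print(lambda_handler(SAMPLE_LOW_EVENT, None))
```

In production the rule pattern lives in EventBridge and the Lambda never sees the low-severity event at all; keeping the same pattern check inside the handler is cheap defence in depth against a misconfigured rule, and the injected responder keeps the containment logic unit-testable without touching EC2.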
Security Services Quick Reference
Config — Configuration Tracking
What: Monitors and records AWS resource configurations
Why: Compliance auditing, change management, security posture
Pricing: $0.003 per configuration item recorded (limited free tier for new users)
CloudTrail — API Audit Logging
What: Logs AWS API calls (management events, plus optional data events such as S3 object-level and Lambda invocations)
Why: Security analysis, compliance, forensics
Pricing: One copy of management events per Region free; data events $0.10 per 100K events
Inspector — Vulnerability Scanning
What: Scans EC2, ECR container images and Lambda functions for vulnerabilities
Why: Find CVEs before they are exploited
Pricing: Per resource; 15-day free trial
Important: Inspector Classic ends May 20, 2026
Macie — Data Discovery
What: Discovers sensitive data in S3 (PII, PHI, credentials)
Why: GDPR/HIPAA compliance, data loss prevention
Pricing: Per GB evaluated; 30-day free trial
Artifact — Compliance Documentation
What: Repository for AWS compliance documents
Why: Provide auditors with AWS certifications
Pricing: Free
Audit Manager — Compliance Automation
What: Automates evidence collection for compliance
Why: Streamline SOC 2, PCI DSS, HIPAA audits
Pricing: Per resource assessment ($1.25 per 1,000 resource assessments per account per Region); not tied to a Support plan
Trusted Advisor — Best Practices
What: Recommendations for cost, security, performance
Why: Optimize AWS environment
Pricing: 7 core checks free; 100+ checks with Business/Enterprise support
How Security Services Work Together
| Scenario | Services Used |
|---|---|
| Detect unauthorized access | GuardDuty + CloudTrail + Security Hub |
| Find sensitive data exposure | Macie + Config + Security Hub |
| Prove compliance | Config + CloudTrail + Audit Manager + Artifact |
| Scan for vulnerabilities | Inspector + ECR + Security Hub |
| Prevent data breaches | IAM + KMS + Macie + WAF |
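The "Detect unauthorized access" row pairs GuardDuty with CloudTrail, but several of the highest-value checks are plain queries over the CloudTrail records themselves. The following is an added example (not code from the original page or from AWS) that scans a CloudTrail log file for root-account activity, console sign-ins without MFA, failed sign-ins, and S3 bucket-policy changes. The input is a constructed log in the shape CloudTrail delivers to S3 (a JSON document with a top-level `Records` list); the field names used (`userIdentity.type`, `eventName`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`, `sourceIPAddress`, `requestParameters.bucketName`) are CloudTrail's documented record fields. The rule names and the choice of which S3 calls to flag are this example's own.

```python
"""Flag risky CloudTrail records: root use, no-MFA console logins, failed logins, S3 policy changes."""
import json

# Constructed sample: three records in the document shape CloudTrail writes to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "eventTime": "2025-01-10T08:12:31Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
        "eventTime": "2025-01-10T09:02:11Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.20",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"},
        "eventTime": "2025-01-10T09:05:40Z",
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
        "sourceIPAddress": "203.0.113.21",
        "requestParameters": {"bucketName": "payroll-exports"},
    },
]})

# S3 calls that can expose a bucket; flagged regardless of who makes them.
S3_POLICY_CALLS = {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy", "PutBucketPublicAccessBlock"}

def who(record):
    """Best available principal name for a record."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def check_record(record):
    """Return a list of (rule, detail) alerts for one CloudTrail record."""
    alerts = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    src = record.get("sourceIPAddress")
    extra = record.get("additionalEventData") or {}
    resp = record.get("responseElements") or {}

    # Rule 1: any root-account activity. Root should be dormant after initial setup.
    if ident.get("type") == "Root":
        alerts.append(("root-activity", f"{name} from {src}"))

    # Rule 2: successful console sign-in without MFA (CloudTrail reports MFAUsed as "Yes"/"No").
    if name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Success" and extra.get("MFAUsed") != "Yes":
        alerts.append(("console-login-no-mfa", f"{who(record)} from {src}"))

    # Rule 3: failed console sign-in; aggregate these per source IP to spot brute force.
    if name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
        alerts.append(("console-login-failed", f"{who(record)} from {src}"))

    # Rule 4: bucket policy / ACL changes, a common path to public data exposure.
    if record.get("eventSource") == "s3.amazonaws.com" and name in S3_POLICY_CALLS:
        bucket = (record.get("requestParameters") or {}).get("bucketName", "?")
        alerts.append(("s3-policy-change", f"{who(record)} called {name} on {bucket}"))
    return alerts

def scan_log(log_text):
    """Parse one CloudTrail log document and return all alerts tagged with eventTime."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        for rule, detail in check_record(rec):
            findings.append({"time": rec.get("eventTime"), "rule": rule, "detail": detail})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} [{f['rule']}] {f['detail']}")
```

Run the same `scan_log` over the gzipped objects in your CloudTrail S3 bucket (or the records returned by `lookup_events`) to get a cheap first-pass detector; GuardDuty's own `Policy:IAMUser/RootCredentialUsage` and Security Hub controls cover the first two rules as managed findings, so treat this as a way to understand and validate what those services alert on.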
Security Best Practices
| Practice | Service(s) |
|---|---|
| Enable MFA on root | IAM |
| Enable CloudTrail | CloudTrail |
| Enable Config rules | Config |
| Scan for vulnerabilities | Inspector |
| Find sensitive data | Macie |
| Monitor threats | GuardDuty + Security Hub |
| Use VPC with private subnets | VPC |
| Encrypt data at rest | KMS |
| Follow Trusted Advisor recommendations | Trusted Advisor |
TL;DR
Security Services = Comprehensive AWS security capabilities
Categories = Identity/Access, Network, Data, Threat Detection, Compliance
Config = Configuration tracking ($0.003/item)
CloudTrail = API call logging (management events free)
Inspector = Vulnerability scanning (15-day trial)
Macie = Sensitive data discovery in S3 (30-day trial)
Artifact = AWS compliance documents (free)
Audit Manager = Compliance automation
Trusted Advisor = Best practices (7 free, 100+ paid)
Shared Responsibility = AWS secures the cloud (infrastructure); you secure what is in the cloud (data, applications, identities, configuration)