A practitioner map of the AWS security service ecosystem — from GuardDuty threat detection to IAM identity controls to Shield DDoS protection — with cross-provider equivalents for Azure and GCP.
Sign in to mark this article as read and track your progress.
Before any workload goes live on AWS, these five services must be active:
These five together provide the minimum viable security baseline. Everything else builds on top of them.
| Service | Purpose | Key Use Case |
|---|---|---|
| IAM | Manage users, roles, groups, and policies | Fine-grained access control to all AWS services |
| AWS STS | Issue temporary security credentials | Assume roles; federated access; cross-account access |
| AWS Organizations + SCPs | Centralised account governance | Prevent member accounts from disabling GuardDuty or CloudTrail |
| IAM Identity Center (SSO) | Single sign-on across accounts | Federated access with SAML/OIDC; JIT privilege elevation |
| Amazon Cognito | User identity for applications | Customer-facing auth with MFA and social login |
| Service | What It Detects | Input Sources |
|---|---|---|
| GuardDuty | Threats and malicious behaviour | CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs |
| Amazon Inspector | Vulnerabilities in EC2 and container images | EC2 agent, ECR image scanner |
| AWS Macie | Sensitive data (PII) in S3 | S3 object content classification |
| Security Hub | Aggregated findings + compliance posture | GuardDuty, Inspector, Macie, Config, third-party integrations |
| Amazon Detective | Security investigation and root cause analysis | GuardDuty findings, CloudTrail, VPC Flow Logs |
GuardDuty generates findings with severity ratings (Low/Medium/High) across categories:
UnauthorizedAccess:EC2/SSHBruteForce — SSH brute force against EC2Recon:IAMUser/NetworkPermissions — IAM credential used to probe network accessBackdoor:EC2/C&CActivity.B — EC2 communicating with known C2 serverCryptoCurrency:EC2/BitcoinTool.B!DNS — cryptomining activity detectedUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS — SSRF-to-IMDS credential theft| Service | Function |
|---|---|
| AWS WAF | Web Application Firewall; OWASP rule groups; rate limiting |
| AWS Shield Standard | Always-on DDoS protection for all AWS resources (free) |
| AWS Shield Advanced | Enhanced DDoS with 24/7 DRT, cost protection, $3,000/month |
| Security Groups | Stateful EC2-level firewall; instance-level traffic control |
| Network ACLs | Stateless subnet-level firewall; explicit allow and deny |
| AWS Network Firewall | Managed stateful firewall for VPC; IDS/IPS capability |
| Service | Function |
|---|---|
| AWS KMS | Managed key management; AES-256; FIPS 140-2 Level 2 |
| AWS CloudHSM | Dedicated HSM hardware; FIPS 140-2 Level 3 |
| AWS Secrets Manager | Secrets storage with automatic rotation |
| AWS Certificate Manager | Free TLS certificates; auto-renewal for managed resources |
| Amazon Macie | PII discovery and classification in S3 |
| Service | Function |
|---|---|
| AWS Config | Configuration history and compliance rules |
| AWS Control Tower | Multi-account AWS environment with guardrails |
| Service Control Policies (SCPs) | Organisation-wide permission guardrails |
| AWS Audit Manager | Continuous audit evidence collection for frameworks |
| AWS CloudFormation StackSets | Deploy security baselines across all accounts |
| Security Function | AWS | Azure | GCP |
|---|---|---|---|
| Threat detection | GuardDuty | Defender for Cloud | Security Command Center |
| Vulnerability management | Inspector | Defender for Servers | Security Command Center |
| Identity governance | IAM + Identity Center | Entra ID + PIM | Cloud IAM + PAM |
| WAF | AWS WAF | Azure WAF | Cloud Armor |
| CSPM | Security Hub | Defender for Cloud | Security Command Center |
| Key management | KMS + CloudHSM | Key Vault | Cloud KMS + HSM |
| Secrets management | Secrets Manager | Key Vault | Secret Manager |
| Compliance reporting | Security Hub | Compliance Manager | Compliance Reports |
AWS security is an ecosystem, not a single tool. GuardDuty for detection, IAM and SCPs for identity and governance, WAF and Shield for network protection, KMS and Secrets Manager for data protection, and Config and Security Hub for continuous compliance. Knowing the equivalent in Azure and GCP lets you work effectively across any environment.