AWS WAF (Web Application Firewall): protects web applications (on ALB, API Gateway, CloudFront, AppSync) from common web exploits (SQL injection, XSS) and bots. Layer 7 (HTTP) only.
Users control which traffic is allowed through rules.
- Web ACL: rules that block by IP (IP sets), geo-match on country, rate-based rules (rate limiting per IP), size constraints, SQLi/XSS patterns... Rules are evaluated in priority order: the first terminating match (Allow/Block) decides, otherwise the web ACL default action applies.
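The priority / first-terminating-match semantics of a web ACL are the part people get wrong (a permissive Allow at a low priority number bypasses every Block after it). The following is an added example, not code from the page or from AWS: the rule dicts follow the shape of the wafv2 CreateWebACL API, the IP set ARN and the contents of `IP_SETS` are constructed stand-ins, and the evaluator is a local model that never calls AWS.

```python
"""Local model of how WAF evaluates a web ACL (added example, not AWS code).

Rules run in ascending Priority; the first rule whose statement matches and
whose action is terminating (Allow/Block) decides the request, Count is
non-terminating, and DefaultAction applies when nothing terminating matched.
"""
import ipaddress

# Constructed stand-in for a WAF IP set, keyed by the (hypothetical) ARN a rule references.
IP_SETS = {
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked/EXAMPLE": [
        "198.51.100.0/24",
        "203.0.113.7/32",
    ],
}

WEB_ACL = {
    "Name": "example-web-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {   # Count only: shows up in metrics / sampled requests, never decides the request.
            "Name": "count-health-checkers",
            "Priority": 0,
            "Statement": {"GeoMatchStatement": {"CountryCodes": ["US"]}},
            "Action": {"Count": {}},
        },
        {
            "Name": "block-listed-ips",
            "Priority": 10,
            "Statement": {"IPSetReferenceStatement": {
                "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked/EXAMPLE"}},
            "Action": {"Block": {}},
        },
        {   # GeoMatchStatement takes ISO 3166-1 alpha-2 country codes.
            "Name": "block-countries",
            "Priority": 20,
            "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP", "RU"]}},
            "Action": {"Block": {}},
        },
    ],
}


def _matches(statement, request):
    """Evaluate one rule statement against a simplified request {"ip", "country"}."""
    if "IPSetReferenceStatement" in statement:
        cidrs = IP_SETS[statement["IPSetReferenceStatement"]["ARN"]]
        ip = ipaddress.ip_address(request["ip"])
        return any(ip in ipaddress.ip_network(c) for c in cidrs)
    if "GeoMatchStatement" in statement:
        return request["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    if "NotStatement" in statement:
        return not _matches(statement["NotStatement"]["Statement"], request)
    if "AndStatement" in statement:
        return all(_matches(s, request) for s in statement["AndStatement"]["Statements"])
    if "OrStatement" in statement:
        return any(_matches(s, request) for s in statement["OrStatement"]["Statements"])
    raise ValueError(f"unsupported statement type: {list(statement)}")


def evaluate(web_acl, request):
    """Return (action, deciding rule name, list of Count rules that matched)."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not _matches(rule["Statement"], request):
            continue
        action = next(iter(rule["Action"]))          # "Allow", "Block" or "Count"
        if action == "Count":
            counted.append(rule["Name"])
            continue                                  # non-terminating, keep evaluating
        return action.upper(), rule["Name"], counted
    return next(iter(web_acl["DefaultAction"])).upper(), "default", counted


if __name__ == "__main__":
    for req in ({"ip": "203.0.113.7", "country": "US"},
                {"ip": "192.0.2.10", "country": "RU"},
                {"ip": "192.0.2.10", "country": "FR"}):
        print(req, "->", evaluate(WEB_ACL, req))
```

Swap the priorities of the two Block rules and nothing changes here, but put an Allow rule for "US" at priority 0 and the listed IP 203.0.113.7 (geolocated to US) sails through: that is the bypass the ordering creates.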
AWS Shield: managed Distributed Denial of Service (DDoS) protection.
- Shield Standard: no cost, enabled for every AWS customer; protects against common layer 3/4 attacks (SYN/UDP floods, reflection attacks).
- Shield Advanced: premium (about $3,000/month per organization) with 24/7 access to the DDoS Response Team (DRT); covers EC2, ELB, CloudFront, Global Accelerator and Route 53, and protects against higher bills caused by DDoS-driven usage spikes.
AWS Network Firewall: protects the entire VPC, any direction (inbound, outbound, VPC to VPC, to the internet, to Direct Connect / VPN), layer 3 to 7. Stateless and stateful rules (Suricata-compatible) filter on IP, port, protocol, domain and packet patterns; rules can be managed centrally with Firewall Manager.
AWS Firewall Manager: manages security rules across all accounts of an AWS Organization from one place. Applies to security groups, WAF rules, AWS Shield Advanced, Network Firewall, Route 53 Resolver DNS Firewall... Policies are created per region and are applied automatically to new resources as they are created.
Penetration testing on AWS: allowed without prior approval against a short list of services (EC2 instances, NAT gateways, ELB, RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, Elastic Beanstalk environments).
Not allowed: DoS/DDoS and simulated DoS, port flooding, protocol flooding, request flooding, and DNS zone walking via Route 53 hosted zones.
Other simulated events (e.g. red team exercises) need approval: contact aws-security-simulated-event@amazon.com.
AWS KMS (Key Management Service): manages encryption keys for us; integrated with most services (EBS, S3, RDS, SSM, Secrets Manager...). Encryption and decryption go through the KMS API: the key material never leaves the service (multi-tenant, FIPS-validated HSMs operated by AWS) and every use is logged in CloudTrail.
Example: EBS volume encryption. Encryption is enabled by default on some services (S3 since 2023) and opt-in on others (EBS, unless account-level default encryption is turned on).
AWS CloudHSM: a dedicated, single-tenant hardware security module (FIPS 140-2 Level 3) that AWS provisions but that you manage; AWS has no access to your keys.
The HSM performs encryption / decryption; you manage the keys and HSM users yourself (no IAM permissions involved), and a cluster can back a KMS custom key store.
- Customer managed key: created, managed and used by the customer; you own the key policy, can enable automatic rotation, and can disable or schedule deletion.
- AWS managed key (aws/<service>, e.g. aws/ebs): created and managed by AWS for one service in your account; you can see it and its usage in CloudTrail but cannot change its policy; rotated automatically every year.
- AWS owned key: owned by a service and used across many different accounts; not visible in your account, no policy to manage, no usage in your CloudTrail.
- CloudHSM key (custom key store): a KMS key whose key material is created and kept in your CloudHSM cluster; cryptographic operations run inside the cluster.
AWS Certificate Manager (ACM): provisions, manages and deploys SSL/TLS certificates.
Provides HTTPS (in-flight encryption, TLS) for ELB, CloudFront, API Gateway...; public certificates are free and renewed automatically; ACM Private CA issues certificates for internal use.
AWS Secrets Manager: stores secrets (database credentials, API keys...) encrypted with KMS. Supports automatic rotation on a schedule using a Lambda function, with built-in rotation for RDS, Redshift and DocumentDB; secrets can be replicated across regions.
AWS Artifact (a portal rather than a service):
- Artifact Reports: download AWS security and compliance reports (SOC, PCI, ISO...).
- Artifact Agreements: review, accept and track agreements (e.g. a BAA) for an account or a whole organization.
Amazon GuardDuty: intelligent threat discovery using ML, anomaly detection and third-party threat intelligence. Analyzes CloudTrail events (management and S3 data events), VPC Flow Logs, DNS logs, and optional sources such as EKS audit logs, RDS login activity, Lambda network activity and EBS malware scans. Enabled in one click, no agent to install.
GuardDuty -> EventBridge -> SNS (or Lambda): findings are published to EventBridge, where a rule notifies people or triggers automated remediation.
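The GuardDuty -> EventBridge -> SNS chain in working form, as an added example (not from the page or from AWS): the EventBridge event pattern that selects findings of severity 7 and above, and a Lambda-style target that turns a finding into an SNS notification. The topic ARN, the sample finding and its resource IDs are constructed; the `publish` parameter exists only so the handler can run offline.

```python
"""GuardDuty finding -> EventBridge rule -> SNS notification (added example)."""
import json

TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"   # assumed topic

# EventBridge rule pattern: GuardDuty findings whose severity (a number in detail) is >= 7.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed finding event, trimmed to the fields the handler uses.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "d2b1c0c0example",
        "accountId": "123456789012",
        "region": "us-east-1",
        "severity": 8,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "title": "198.51.100.23 is performing SSH brute force attacks against i-0123456789abcdef0.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0 and above."""
    if score < 4:
        return "LOW"
    if score < 7:
        return "MEDIUM"
    return "HIGH"


def build_alert(event):
    """Return (subject, message) for SNS; subjects are capped at 100 characters by SNS."""
    d = event["detail"]
    subject = f"[GuardDuty {severity_label(d['severity'])}] {d['type']} in {d['accountId']}/{d['region']}"
    body = {
        "finding_id": d["id"],          # look it up in the GuardDuty console / GetFindings
        "severity": d["severity"],
        "title": d["title"],
        "resource_type": d["resource"]["resourceType"],
    }
    return subject[:100], json.dumps(body, indent=2)


def handler(event, context=None, publish=None):
    """Lambda entry point. `publish(subject, message)` is injected in tests; default is SNS."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"status": "ignored"}          # the rule should never send anything else
    subject, message = build_alert(event)
    if publish is None:
        import boto3                          # only needed when running inside Lambda
        sns = boto3.client("sns")

        def publish(subject, message):
            sns.publish(TopicArn=TOPIC_ARN, Subject=subject, Message=message)
    publish(subject, message)
    return {"status": "published", "subject": subject}


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, publish=lambda s, m: print(s, m, sep="\n")))
```

The severity filter belongs in the EventBridge pattern rather than in the function: findings below the threshold never invoke Lambda at all, and the same pattern can feed a second rule that routes everything to Security Hub or a SIEM.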
Amazon Inspector: automated vulnerability management.
Analyzes only three targets: EC2 instances (OS package vulnerabilities and unintended network reachability, through the SSM agent), container images pushed to ECR, and Lambda functions (code and package dependencies).
Each finding gets a risk score (CVE severity, exploitability, network exposure) and is forwarded to Security Hub and EventBridge.
AWS Config: records the configuration of resources and their changes over time and assesses them against rules. Per-region service (aggregation across regions and accounts is possible). Config prevents nothing by itself; remediation can be automated with SSM Automation documents.
Comes with a set of managed rules to verify (e.g. restricted-ssh, s3-bucket-public-read-prohibited); custom rules are Lambda functions. Rules run on configuration change and/or on a schedule.
"Is there unrestricted SSH access to my security group?"
"Are my S3 buckets publicly accessible?"
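What the first question looks like as a custom Config rule, as an added example (not the managed rule's code and not from the page): the evaluation logic marks a security group NON_COMPLIANT when any ingress rule lets 0.0.0.0/0 or ::/0 reach TCP port 22, and the handler reports it the way Config expects. The configuration item and tokens are constructed; Config's configuration items spell the EC2 fields in lowerCamelCase, so both that and the DescribeSecurityGroups casing are accepted (assumption: check against your own configuration items).

```python
"""Custom AWS Config rule: unrestricted SSH (0.0.0.0/0 or ::/0 to TCP/22). Added example."""
import json


def _get(d, *names, default=None):
    """Read the first present key; Config items use lowerCamelCase, the EC2 API UpperCamelCase."""
    for n in names:
        if n in d:
            return d[n]
    return default


def ssh_open_to_world(permissions):
    """True if any ingress permission lets the whole internet reach TCP port 22."""
    for perm in permissions:
        proto = _get(perm, "IpProtocol", "ipProtocol")
        if proto not in ("tcp", "-1"):            # "-1" means all protocols, which covers TCP/22
            continue
        if proto == "tcp":
            lo = _get(perm, "FromPort", "fromPort", default=0)
            hi = _get(perm, "ToPort", "toPort", default=65535)
            if not lo <= 22 <= hi:                # port ranges such as 20-30 still expose 22
                continue
        v4 = _get(perm, "IpRanges", "ipRanges", default=[])
        v6 = _get(perm, "Ipv6Ranges", "ipv6Ranges", default=[])
        if any(_get(r, "CidrIp", "cidrIp") == "0.0.0.0/0" for r in v4):
            return True
        if any(_get(r, "CidrIpv6", "cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def evaluate_compliance(configuration_item):
    """Map one configuration item to a Config compliance type."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if str(configuration_item.get("configurationItemStatus", "")).startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"                    # deleted resources must not be evaluated
    perms = _get(configuration_item.get("configuration", {}),
                 "IpPermissions", "ipPermissions", default=[])
    return "NON_COMPLIANT" if ssh_open_to_world(perms) else "COMPLIANT"


def lambda_handler(event, context=None, put_evaluations=None):
    """Config custom-rule entry point: event carries invokingEvent (a JSON string) and resultToken."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if put_evaluations is None:
        import boto3                               # only needed when running inside Lambda

        config = boto3.client("config")

        def put_evaluations(evaluations):
            config.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    put_evaluations([evaluation])
    return evaluation


# Constructed configuration item: SSH open to the world over IPv4.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_CI}),
                "resultToken": "constructed-token"}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, put_evaluations=print))
```

Two details the managed rule also gets right and naive checks miss: a protocol of "-1" exposes port 22 without ever naming it, and a range like 20-30 does too.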
Amazon Macie: fully managed data security service that uses ML and pattern matching to discover and protect sensitive data stored in S3.
Alerts you (findings sent to EventBridge) when it finds sensitive data such as Personally Identifiable Information (PII).
AWS Security Hub: centralizes security alerts and findings from the other security services (GuardDuty, Inspector, Macie, Config, Firewall Manager, IAM Access Analyzer, partner tools) and runs automated compliance checks against standards (CIS, PCI DSS, AWS Foundational Security Best Practices).
Works across AWS accounts (Organizations integration). AWS Config must be enabled first.
Amazon Detective: used to investigate the root cause of a security issue surfaced by a GuardDuty or Macie finding. Uses ML and graphs.
Automatically collects and processes VPC Flow Logs, CloudTrail and GuardDuty findings to build a unified, interactive view of the events around the issue.
AWS Abuse: report suspected illegal or abusive use of AWS resources (spam, port scanning, DoS/DDoS, intrusion attempts, hosted malware or phishing) to the AWS abuse team through the abuse form or abuse@amazonaws.com. The same team contacts you when your own resources are the source.
The root user has full access to the account and cannot be restricted by IAM policies. Some actions can only be done by root:
- Change account settings (account name, email address, root password, root access keys)
- Close the AWS account
- Restore IAM user permissions (e.g. when the only administrator revoked their own access)
- Change or cancel the support plan
- Register as a seller in the Reserved Instance Marketplace
- Enable MFA Delete on an S3 bucket
- Sign up for GovCloud...
Practical rule: protect root with hardware MFA, delete its access keys, and use it only for the actions above.
IAM Access Analyzer: analyzes resource-based policies (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager secrets...) to identify resources shared with external entities.
You define a zone of trust (the AWS account or the whole organization); any access granted from outside it becomes a finding to review. It can also validate policies and generate least-privilege policies from CloudTrail activity.
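The zone-of-trust idea reduced to code, as an added example (a reimplementation for one resource policy, not Access Analyzer's own logic): the zone is a set of account IDs plus, optionally, an organization ID honoured through the aws:PrincipalOrgID condition key; every Allow statement whose principal is outside it becomes a finding ("*" is public, another account's ID or ARN is cross-account). The bucket policy, account IDs and organization ID are constructed; skipping AWS service principals is an assumption of this example.

```python
"""Access Analyzer-style zone-of-trust check for a single resource policy (added example)."""
import re

ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def _principal_entries(stmt):
    """Yield (kind, value) for every principal, normalising the "*" and single-string shorthands."""
    p = stmt.get("Principal", {})
    if p == "*":
        yield "AWS", "*"
        return
    for kind, values in p.items():
        for v in ([values] if isinstance(values, str) else values):
            yield kind, v


def _account_of(value):
    """Account ID behind a principal value, or None for "*" / identity providers."""
    if re.fullmatch(r"\d{12}", value):
        return value
    m = ARN_ACCOUNT.match(value)
    return m.group(1) if m else None


def external_access(policy, trusted_accounts, trusted_org_id=None):
    """Return findings for every Allow statement reachable from outside the zone of trust."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue                              # Deny statements never grant access
        pinned_org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if trusted_org_id is not None and pinned_org == trusted_org_id:
            continue                              # only principals of our organization qualify
        for kind, value in _principal_entries(stmt):
            if kind == "Service":
                continue                          # assumption: AWS service principals are trusted
            if value == "*":
                reason = "public"
            else:
                account = _account_of(value)
                if account in trusted_accounts:
                    continue
                reason = f"cross-account:{account}" if account else "unresolved principal"
            findings.append({"sid": stmt.get("Sid"), "principal": value,
                             "actions": stmt.get("Action"), "reason": reason})
    return findings


# Constructed S3 bucket policy mixing in-org, partner, public and service access.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PartnerRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:role/PartnerIngest"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/inbox/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "CloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for f in external_access(SAMPLE_POLICY, {"111111111111"}, trusted_org_id="o-exampleorgid"):
        print(f)
```

Run with the organization as the zone of trust and OrgRead is fine while PartnerRole and PublicRead are reported; run with only the account and OrgRead becomes a public finding too, which is exactly why the zone you pick changes what the analyzer tells you.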