Public Cloud Encyclopedia: Security, Identity and Compliance Products

Before AWS builds a data center, they are considering potential threats and designing, implementing, and testing controls to ensure the systems, technology, and people we deploy counteract risk.

AWS data centers are secure by design and our controls make that possible. Before we build a data center, we spend countless hours considering potential threats and designing, implementing, and testing controls to ensure the systems, technology, and people we deploy counteract risk. To help you fulfill your own audit and regulatory requirements, we are providing you with insight into some of our physical and environmental controls below.

Links:

• aws.amazon.com/compliance/data-center/controls
• d1.awsstatic.com/security-center/HighlightReel_smaller_2.7cacae03ffb4db9fc7cf590cc629e1000d988826.mp4
• aws.amazon.com/compliance/data-center/perimeter-layer
• aws.amazon.com/compliance/data-center/infrastructure-layer
• aws.amazon.com/compliance/data-center/data-layer

Azure data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability

Microsoft Azure runs in datacenters managed and operated by Microsoft. These geographically dispersed datacenters comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. The datacenters are managed, monitored, and administered by Microsoft operations staff. The operations staff has years of experience in delivering the world’s largest online services with 24 x 7 continuity.

Links:

• docs.microsoft.com/en-us/azure/security/fundamentals/infrastructure

Google Cloud physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors and biometrics.

Google’s focus on security and protection of data is a key design criteria. Our physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors and biometrics. The data center floor features laser beam intrusion detection. Our data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records and camera footage are available in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training (look closely and you can see a couple of them in this 360 degree data center tour). As you get closer to the data center floor, security measures increase. Access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Less than one percent of Google employees will ever set foot in one of our data centers.

We employ a very strict end-to-end chain of custody for storage, tracking everything from cradle to grave, from the first time a HD goes into a machine until it’s verified clean/erased or destroyed. Information security and physical security go hand-in-hand. Data is most vulnerable to unauthorized access as it travels across the Internet or within networks. For this reason, securing data in transit is a high priority for Google. Data traveling between a customer’s device and Google is encrypted using HTTPS/TLS (Transport Layer Security). Google was the first major cloud provider to enable HTTPS/TLS by default.

Links:

• cloud.google.com/security
• cloud.google.com/blog/products/gcp/google-shares-data-center-security-and-design-best-practices
• youtube.com/watch?v=zDAYZU4A3w0

Centrally configure and manage firewall rules across accounts and applications.

[AWS] Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organization. As new applications are created, Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules. Now you have a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure.

Using AWS Firewall Manager, you can easily roll out AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. Similarly, you can create AWS Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP Addresses and CloudFront distributions. Finally, with AWS Firewall Manager, you can enable security groups for your Amazon EC2 and ENI resource types in Amazon VPCs.

Links:

• aws.amazon.com/firewall-manager

A managed, cloud-based network security service that protects Azure Virtual Network resources.

[Azure] Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Links:

• docs.microsoft.com/en-us/azure/firewall/overview

Let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration that you specify.

[Google Cloud] firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration that you specify. Enabled Google Cloud firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started up.

Every Virtual Private Cloud (VPC) network functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. You can think of the Google Cloud firewall rules as existing not only between your instances and other networks, but also between individual instances within the same network.

Links:

• cloud.google.com/vpc/docs/firewalls

Managed DDoS protection.

[AWS] Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.

AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on an Elastic IP or Elastic Load Balancing (ELB) in the following AWS Regions - Northern Virginia, Ohio, Oregon, Northern California, Montreal, São Paulo, Ireland, Frankfurt, London, Paris, Stockholm, Singapore, Tokyo, Sydney, Seoul, and Mumbai.

Links:

• aws.amazon.com/shield

Protect your Azure resources from Distributed Denial of Service (DDoS) attacks.

Backed by the Microsoft global network, DDoS Protection brings massive DDoS mitigation capacity to every Azure region. Scrub traffic at the Azure network edge before it can impact the availability of your service.

Links:

• azure.microsoft.com/en-us/services/ddos-protection

Protect your services against denial of service and web attacks.

When you stand up applications on Google Cloud, you benefit from DDoS and web attack protection at Google-scale. Google Cloud Armor works with our global Cloud Load Balancing infrastructure and provides always-on attack detection and mitigation so you can run your business without interruption.

Links:

• cloud.google.com/armor

Protect your web applications from common web exploits.

[AWS] WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules for WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

With AWS WAF, you pay only for what you use. The pricing is based on how many rules you deploy and how many web requests your application receives. There are no upfront commitments.

You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs.

Links:

• aws.amazon.com/waf

A cloud-native web application firewall (WAF) service that provides powerful protection for web apps.

Help protect your web apps from malicious attacks and common web vulnerabilities, such as SQL injection and cross-site scripting. With the cloud-native Azure web application firewall (WAF) service, deploy in minutes and only pay for what you use.

Links:

• azure.microsoft.com/en-us/services/web-application-firewall

Protect your services against web attacks.

Google Cloud Armor offers a flexible rules language to help you customize your defenses and mitigate multivector attacks. It also provides predefined rules to defend against attacks such as cross-site scripting (XSS) and SQL injection (SQLi) attacks.

Links:

• cloud.google.com/armor

Securely manage access to AWS services and resources.

[AWS] Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

To get started using IAM, or if you have already registered with AWS, go to the AWS Management Console and get started with these IAM Best Practices.

Links:

• aws.amazon.com/iam

Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications.

[AWS] Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. SSO configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements. AWS SSO also includes built-in integrations to many business applications, such as Salesforce, Box, and Office 365.

With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).

It is easy to get started with AWS SSO. With just a few clicks in the AWS SSO management console you can connect AWS SSO to your existing identity source and configure permissions that grant your users access to their assigned AWS Organizations accounts and hundreds of pre-configured cloud applications, all from a single user portal.

Links:

• aws.amazon.com/single-sign-on

Simple, secure service to share AWS resources.

[AWS] Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM.

Many organizations use multiple accounts to create administrative or billing isolation, and to limit the impact of errors. RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own. You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.

Links:

• aws.amazon.com/ram

Secure access to your resources with Azure identity and access management solutions.

Protect your applications and data at the front gate with Azure identity and access management solutions. Defend against malicious login attempts and safeguard credentials with risk-based access controls, identity protection tools, and strong authentication options—without disrupting productivity.

Links:

• azure.microsoft.com/en-us/product-categories/identity

Fine-grained access control and visibility for centrally managing cloud resources.

Cloud Identity and Access Management (IAM) lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage Google Cloud resources centrally. For enterprises with complex organizational structures, hundreds of workgroups, and many projects, Cloud IAM provides a unified view into security policy across your entire organization, with built-in auditing to ease compliance processes.

Links:

• cloud.google.com/iam

Simple and Secure User Sign-Up, Sign-In, and Access Control.

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

Links:

• aws.amazon.com/cognito

A highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities.

Manage customer, consumer, and citizen identity and access to your applications and web experiences. Connect with millions of users with the scalability and availability you need.

Links:

• azure.microsoft.com/en-us/services/active-directory-b2c

Backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your app (supports authentication using passwords, phone numbers, popular federated identity providers like Google, Facebook and Twitter).

Most apps need to know the identity of a user. Knowing a user's identity allows an app to securely save user data in the cloud and provide the same personalized experience across all of the user's devices. Firebase Authentication provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your app. It supports authentication using passwords, phone numbers, popular federated identity providers like Google, Facebook and Twitter, and more.

Firebase Authentication integrates tightly with other Firebase services, and it leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend.

Links:

• firebase.google.com/docs/auth

Managed Microsoft Active Directory in the AWS Cloud.

[AWS] Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features, such as Group Policy and single sign-on (SSO). With AWS Managed Microsoft AD, you can easily join Amazon EC2 and Amazon RDS for SQL Server instances to your domain, and use AWS Enterprise IT applications such as Amazon WorkSpaces with Active Directory users and groups.

Links:

• aws.amazon.com/directoryservice

Your universal platform to manage and secure identities.

The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.

Links:

• azure.microsoft.com/en-us/services/active-directory

Your domain controller as a service.

Use Azure Active Directory Domain Services to join Azure virtual machines to a domain, without having to deploy domain controllers. Sign in to the virtual machines using their corporate Azure Active Directory credentials and seamlessly access resources. Use Group Policy to more securely administer domain-joined virtual machines—a familiar way to apply and enforce security baselines on all of your Azure virtual machines.

Links:

• azure.microsoft.com/en-us/services/active-directory-ds

Use a highly available, hardened service running actual Microsoft® Active Directory (AD).

Managed Service for Microsoft Active Directory (AD) is a highly available, hardened Google Cloud service running actual Microsoft AD that enables you to manage authentication and authorization for your AD-dependent workloads, automate AD server maintenance and security configuration, and connect your on-premises AD domain to the cloud.

Links:

• cloud.google.com/managed-microsoft-ad

Easily create and control the keys used to encrypt or digitally sign your data.

[AWS] Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Links:

• aws.amazon.com/kms

Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle.

[AWS] Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.

Links:

• aws.amazon.com/secrets-manager

Safeguard cryptographic keys and other secrets used by cloud apps and services.

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract your keys. Monitor and audit your key use with Azure logging—pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threat detection.

Links:

• azure.microsoft.com/en-us/services/key-vault

Manage encryption keys on Google Cloud Platform.

Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. Cloud KMS is integrated with Cloud Identity and Access Management and Cloud Audit Logs so that you can manage permissions on individual keys and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data that you need to store in Google Cloud Platform.

Links:

• cloud.google.com/kms

Encrypt data with encryption keys that are stored and managed in a third-party key management system. Try it free

Cloud External Key Manager (Cloud EKM) lets you encrypt data in BigQuery and Compute Engine with encryption keys that are stored and managed in a third-party key management system that’s deployed outside Google’s infrastructure. External Key Manager allows you to maintain separation between your data at rest and your encryption keys while still leveraging the power of cloud for compute and analytics.

Links:

• cloud.google.com/ekm

Easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.

[AWS] Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

With AWS Certificate Manager, you can quickly request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and let AWS Certificate Manager handle certificate renewals. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally. Public and private certificates provisioned through AWS Certificate Manager for use with ACM-integrated services are free. You pay only for the AWS resources you create to run your application. With AWS Certificate Manager Private Certificate Authority, you pay monthly for the operation of the private CA and for the private certificates you issue.

Links:

• aws.amazon.com/certificate-manager

Links:

• docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate
• azure.github.io/AppService/2019/11/04/Announcing-Managed-Certificates.html

Certificates that Google Cloud obtains and manages for customer domains, renewing them automatically.

Google-managed SSL certificates are certificates that Google Cloud obtains and manages for your domains, renewing them automatically. These are Domain Validation (DV) certificates supporting multiple hostnames in each certificate.

Links:

• cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs
• cloud.google.com/load-balancing/docs/ssl-certificates
• cloud.google.com/kubernetes-engine/docs/how-to/managed-certs

A machine learning-powered security service to discover, classify, and protect sensitive data.

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks. Amazon Macie is available to protect data stored in Amazon S3.

Links:

• aws.amazon.com/macie

Standing watch, by your side. Intelligent security analytics for your entire enterprise.

See and stop threats before they cause harm, with SIEM reinvented for a modern world. Azure Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs.

Links:

• azure.microsoft.com/en-us/services/azure-sentinel

Better protect your sensitive information—anytime, anywhere.

Control and help secure email, documents, and sensitive data that you share outside your company. From easy classification to embedded labels and permissions, enhance data protection at all times with Azure Information Protection—no matter where it’s stored or who it’s shared with.

Links:

• azure.microsoft.com/en-us/services/information-protection

A client-side encryption library (CLI, JS, Java, C, Python...).

The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data. The AWS Encryption SDK is provided free of charge under the Apache 2.0 license.

Links:

• docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html

A client-side encryption library that helps you to protect your table data before you send it to Amazon DynamoDB.

The Amazon DynamoDB Encryption Client is a client-side encryption library that helps you to protect your table data before you send it to Amazon DynamoDB. Encrypting your sensitive data in transit and at rest helps ensure that your plaintext data isn’t available to any third party, including AWS.

The DynamoDB Encryption Client is designed especially for DynamoDB applications. It encrypts the attribute values in each table item using a unique encryption key. It then signs the item to protect it against unauthorized changes, such as adding or deleting attributes or swapping encrypted values. After you create and configure the required components, the DynamoDB Encryption Client transparently encrypts and signs your table items when you add them to a table. It also verifies and decrypts them when you retrieve them.

The DynamoDB Encryption Client is developed in open source. It is available in Java and Python and the language implementations are interoperable. For example, you can encrypt your data with the Java library and decrypt it with the Python library.

Links:

• docs.aws.amazon.com/crypto/latest/userguide/awscryp-service-ddb-client.html

Managed hardware security module (HSM) on the AWS Cloud.

[AWS] CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

CloudHSM is standards-compliant and enables you to export all of your keys to most other commercially-available HSMs, subject to your configurations. It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high-availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.

Links:

• aws.amazon.com/cloudhsm/

Your hardware security module (HSM) in the cloud.

With Azure Dedicated HSM, you manage who in your organization can access your HSMs and the scope and assignment of their roles. You have full administrative and cryptographic control over your HSMs. Microsoft has no access to or visibility into the keys stored in them.

Links:

• docs.microsoft.com/en-us/azure/dedicated-hsm

Protect your cryptographic keys in a fully managed cloud-hosted hardware security module (HSM) service.

Cloud HSM is a cloud-hosted hardware security module (HSM) service on Google Cloud Platform. With Cloud HSM, you can host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. With this fully managed service, you can protect your most sensitive workloads without the need to worry about the operational overhead of managing an HSM cluster.

Links:

• cloud.google.com/hsm

Centrally view and manage security alerts and automate security checks.

[AWS] Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts. There are a range of powerful security tools at your disposal, from firewalls and endpoint protection to vulnerability and compliance scanners. But oftentimes this leaves your team switching back-and-forth between these tools to deal with hundreds, and sometimes thousands, of security alerts every day. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions. AWS Security Hub continuously monitors your environment using automated security checks based on the AWS best practices and industry standards that your organization follows. You can also take action on these security findings by investigating them in Amazon Detective or by using Amazon CloudWatch Event rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks. Get started with AWS Security Hub in just a few clicks in the Management Console and once enabled, Security Hub will begin aggregating and prioritizing findings and conducting security checks.

Links:

• aws.amazon.com/security-hub

Gain unmatched hybrid security management and threat protection.

Microsoft uses a wide variety of physical, infrastructure, and operational controls to help secure Azure—but there are additional actions you need to take to help safeguard your workloads. Turn on Security Center to quickly strengthen your security posture and protect against threats.

Links:

• azure.microsoft.com/en-us/services/security-center

A comprehensive security management and data risk platform for Google Cloud.

With visibility into what resources are in Google Cloud and their security state, Security Command Center makes it easier for you to prevent, detect, and respond to threats. Identify security misconfigurations in virtual machines, networks, applications, and storage buckets from a centralized dashboard. Take action on them before they can potentially result in business damage or loss. Built-in capabilities can quickly surface suspicious activity in your Cloud Logging security logs or indicate compromised virtual machines. Respond to threats by following actionable recommendations or exporting logs to your SIEM for further investigation.

Links:

• cloud.google.com/security-command-center

Extract signals from your security telemetry to find threats instantly.

Infinitely elastic: Built on core Google infrastructure, Chronicle gives you an infinitely elastic container for storing your enterprise security telemetry. Fixed pricing: Because we don’t charge based on data volume, you can afford to keep every bit of security data you generate. Unparalleled storage: In an investigation, access to years of telemetry can mean the difference between clear answers and hoping for the best. Easy to manage: Chronicle makes it easy to manage a multi-petabyte analytics system. Let us handle the scaling, backup, and performance tuning so you can focus on the bigger picture.

Links:

• chronicle.security/products/platform

Analyze and visualize security data to rapidly get to the root cause of potential security issues.

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub as well as partner security products can be used to identify potential security issues, or findings. These services are really helpful in alerting you when something is wrong and pointing out where to go to fix it. But sometimes there might be a security finding where you need to dig a lot deeper and analyze more information to isolate the root cause and take action. Determining the root cause of security findings can be a complex process that often involves collecting and combining logs from many separate data sources, using extract, transform, and load (ETL) tools or custom scripting to organize the data, and then security analysts having to analyze the data and conduct lengthy investigations.

Amazon Detective simplifies this process by enabling your security teams to easily investigate and quickly get to the root cause of a finding. Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Links:

• aws.amazon.com/detective

Automated security assessment service to help improve the security and compliance of applications deployed on AWS.

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.

Links:

• aws.amazon.com/inspector

Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with AWS CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.

Links:

• aws.amazon.com/guardduty

Gain visibility into who did what, when, and where for all user activity on Google Cloud Platform.

Cloud Audit Logs helps security teams maintain audit trails in Google Cloud Platform (GCP). With this tool, enterprises can attain the same level of transparency over administrative activities and accesses to data in Google Cloud Platform as in on-premises environments. Every administrative activity is recorded on a hardened, always-on audit trail, which cannot be disabled by any rogue actor. Data access logs can be customized to best suit your organization’s need around monitoring and compliance.

Links:

• cloud.google.com/audit-logs

Expand visibility and control over your cloud provider with near real-time logs and approval controls.

Access Transparency gives you near real-time logs when Google Cloud administrators access your content. Cloud Audit Logs already provide visibility into the actions of your own administrators. However, this audit trail typically stops once your cloud provider’s support or engineering team is engaged. For example, prior to Access Transparency logging, if you opened a ticket with Google support that would require data access, it would not have been reflected in a Cloud Audit Log. Access Transparency closes that gap, capturing near real-time* logs of manual, targeted accesses by either support or engineering.

At Google Cloud, we do not access customer data for any reason other than those necessary to fulfill our contractual obligations to you. Technical controls require valid business justifications for any access by support or engineering personnel to your content. Google also performs regular audits of accesses by administrators as a check on the effectiveness of our controls.

Links:

Uncover security threats in Google Cloud Platform environments.

Event Threat Detection automatically scans various types of logs for suspicious activity in your Google Cloud Platform environment. Using industry-leading threat intelligence, you can quickly detect high-risk and costly threats such as malware, cryptomining, unauthorized access to Google Cloud resources, outgoing DDoS attacks, and brute-force SSH. By distilling volumes of log data, security teams can quickly identify high-risk incidents and focus on remediation.

Links:

• cloud.google.com/event-threat-detection

All AWS Services are GDPR ready, and AWS offers services and resources to customers to help them comply with GDPR requirements.

The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.

All AWS Services are GDPR ready. In addition to our own compliance, AWS is committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their activities. New features are launched regularly, and AWS has 500+ features and services focused on security and compliance.

Links:

• aws.amazon.com/compliance/gdpr-center
• aws.amazon.com/blogs/security/all-aws-services-gdpr-ready

No cost, self-service portal for on-demand access to AWS’ compliance reports.

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

Links:

• aws.amazon.com/artifact

Record and evaluate configurations of your AWS resources.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Links:

• aws.amazon.com/config

Azure provides mechanisms and guidelines to help customers honor rights and fulfill obligations under the GDPR when using Microsoft products and services.

The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. This document guides you to information to help you honor rights and fulfill obligations under the GDPR when using Microsoft products and services. A Recommended action plan for GDPR and Accountability Readiness Checklists provide additional resources for assessing and implementing GDPR compliance.

Links:

• microsoft.com/en-us/trust-center/privacy/gdpr-overview
• docs.microsoft.com/en-us/microsoft-365/compliance/gdpr?view=o365-worldwide

Compliance with the GDPR is a top priority for Google Cloud and our customers.

Compliance with the GDPR is a top priority for Google Cloud and our customers. The GDPR aims to strengthen personal data protection in Europe, and impacts the way we all do business. We’re sure you have many questions, and we’re here to help. Google Cloud takes a customer-centric approach on protection, control, and compliance, and we want to be a key facilitator on your GDPR journey.

Links:

• cloud.google.com/security/gdpr

A metadata inventory service that allows you to view, monitor, and analyze all your GCP and Anthos assets across projects and services.

Gaining visibility into resources and policies is essential for tasks like IT ops, security analytics, fleet management, auditing, and governance. Cloud Asset Inventory provides one place to easily see an aggregated view, monitor, analyze, and understand all these assets across projects and services.

Links:

• aws.amazon.com/artifact