Primary pillars of AWS security

Security, Identity, and Compliance are the three primary pillars of operating on AWS in a safe and secure way. Let’s look into what each of these pillars brings to the table.

IAM (Identity and Access Management)

It allows you to manage users and their levels of access to the AWS resources.


It is used for device authentication / OAuth service. This service provides end users temporary access to AWS resources. Imagine you have an app that lets users upload pictures onto your S3. You can do this by using cognito.

Guard Duty

It is used to monitor for malicious activity on your AWS account.


It is an agent installed on your virtual machine and you can run tests for security vulnerabilities etc.


It is used to check your entire suite of applications for personally identifiable information. It is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. This fully managed service continuously monitors data access activity for anomalies and generates detailed alerts when it detects the risk of unauthorized access or inadvertent data leaks.

Certificate Manager

It is used to give certificates to any domain you have registered via AWS/Routes 53. This also helps in maintaining and updating certificates that are about to expire.

Cloud HSMHardware Security Module

It is a dedicated hardware to store your hardware private and public keys, that are used to securely access your application/EC2 instances. You can also store a variety of exception keys.

Directory Services

It is used for integrating your Microsoft active directory services with AWS services.

WAF – Web Application Firewall

WAF sits in front of your web server and it mitigates against injection, cross-scripting. WAF primarily protects your application layer from any malicious attacks


You get this as a default for your load balancers, cloud front, as well as Route 53. This is basically a DDoS mitigation service that prevents DDoS Attacks.

Advance Shield

It is an AWS team that is in standby mode in the case of a DDOS attack. If you have advanced shield protection, then AWS will not charge you for any auto-scaling or added utilization of the AWS services during the attack.


It is used for compliance and audit. Artifact gives access to AWS SOC 1, 2, 3, PCI reports, etc. It is a central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security posture.

Get hands-on with 1200+ tech skills courses.