Compute

| Category | Service | Description |
| --- | --- | --- |
| Instances (Virtual machines) | EC2 | Provides secure, resizable compute capacity in the cloud. It makes web-scale cloud computing easier for developers. |
|  | EC2 Spot | Run fault-tolerant workloads for up to 90% off. |
|  | EC2 Autoscaling | Automatically add or remove compute capacity to meet changes in demand. |
|  | Lightsail | Designed to be the easiest way to launch & manage a virtual private server with AWS. An easy-to-use cloud platform that offers everything needed to build an application or website. |
|  | Batch | Enables developers, scientists, & engineers to easily & efficiently run hundreds of thousands of batch computing jobs on AWS. Fully managed batch processing at any scale. |
| Containers | Elastic Container Service (ECS) | Highly secure, reliable, & scalable way to run containers. |
|  | Elastic Container Registry (ECR) | Easily store, manage, & deploy container images. |
|  | Elastic Kubernetes Service (EKS) | Fully managed Kubernetes service. |
|  | Fargate | Serverless compute for containers. |
| Serverless | Lambda | Run code without thinking about servers. Pay only for the compute time you consume. |
| Edge and hybrid | Outposts | Run AWS infrastructure & services on premises for a truly consistent hybrid experience. |
|  | Snow Family | Collect and process data in rugged or disconnected edge environments. |
|  | Wavelength | Deliver ultra-low latency applications for 5G devices. |
|  | VMware Cloud on AWS | Innovate faster, rapidly transition to the cloud, & work securely from any location. |
|  | Local Zones | Run latency-sensitive applications closer to end-users. |
    
    
Storage

| Service | Description |
| --- | --- |
| AWS S3 | S3 is the storehouse for the internet, i.e. object storage built to store & retrieve any amount of data from anywhere. |
| AWS Backup | AWS Backup is an externally-accessible backup provider that makes it easier to align & optimize the backup of data across AWS services in the cloud. |
| Amazon EBS | Amazon Elastic Block Store is a web service that provides block-level storage volumes. |
| Amazon EFS Storage | EFS offers file storage for the user’s Amazon EC2 instances. It's a kind of blob storage. |
| Amazon FSx | FSx supplies fully managed 3rd-party file systems with native compatibility & feature sets for workloads. It's available as FSx for Windows Server (fully managed file storage built on Windows Server) & FSx for Lustre (fully managed high-performance file system integrated with S3). |
| AWS Storage Gateway | Storage Gateway is a service which connects an on-premises software appliance with cloud-based storage. |
| AWS DataSync | DataSync makes it simple & fast to move large amounts of data online between on-premises storage & S3, EFS, or FSx for Windows File Server. |
| AWS Transfer Family | The Transfer Family provides fully managed support for file transfers directly into & out of S3. |
| AWS Snow Family | Highly-secure, portable devices to collect & process data at the edge, and migrate data into and out of AWS. |

Classification:
Object storage: S3
File storage services: Elastic File System, FSx for Windows Servers & FSx for Lustre
Block storage: EBS
Backup: AWS Backup
Data transfer:
  Storage gateway --> 3 types: Tape, File, Volume.
  Transfer Family --> SFTP, FTPS, FTP.
Edge computing and storage and Snow Family --> Snowcone, Snowball, Snowmobile
    
    
Databases

| Database type | Use cases | Service | Description |
| --- | --- | --- | --- |
| Relational | Traditional applications, ERP, CRM, e-commerce | Aurora, RDS, Redshift | RDS is a web service that makes it easier to set up, control, and scale a relational database in the cloud. |
| Key-value | High-traffic web apps, e-commerce systems, gaming applications | DynamoDB | DynamoDB is a fully managed NoSQL database service that offers quick and reliable performance with integrated scalability. |
| In-memory | Caching, session management, gaming leaderboards, geospatial applications | ElastiCache for Memcached & Redis | ElastiCache helps in setting up, managing, and scaling in-memory cache environments. |
| Document | Content management, catalogs, user profiles | DocumentDB | DocumentDB (with MongoDB compatibility) is a quick, dependable, and fully-managed database service that makes it easy for you to set up, operate, and scale MongoDB-compatible databases. |
| Wide column | High scale industrial apps for equipment maintenance, fleet management, and route optimization | Keyspaces (for Apache Cassandra) | Keyspaces is a scalable, highly available, and managed Apache Cassandra–compatible database service. |
| Graph | Fraud detection, social networking, recommendation engines | Neptune | Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. |
| Time series | IoT applications, DevOps, industrial telemetry | Timestream | Timestream is a fast, scalable, and serverless time series database service for IoT and operational applications that makes it easy to store and analyze trillions of events per day. |
| Ledger | Systems of record, supply chain, registrations, banking transactions | Quantum Ledger Database (QLDB) | QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. |
    
    
Developer Tools

| Service | Description |
| --- | --- |
| Cloud9 | Cloud9 is a cloud-based IDE that enables the user to write, run, and debug code. |
| CodeArtifact | CodeArtifact is a fully managed artifact repository service that makes it easy for organizations of any size to securely store, publish, & share software packages used in their software development process. |
| CodeBuild | CodeBuild is a fully managed service that assembles source code, runs unit tests, & also generates artefacts ready to deploy. |
| CodeGuru | CodeGuru is a developer tool powered by machine learning that provides intelligent recommendations for improving code quality & identifying an application’s most expensive lines of code. |
| Cloud Development Kit | Cloud Development Kit (AWS CDK) is an open source software development framework to define cloud application resources using familiar programming languages. |
| CodeCommit | CodeCommit is a version control service that enables the user to privately store & manage Git repositories in the AWS cloud. |
| CodeDeploy | CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as EC2, Fargate, Lambda, & on-premises servers. |
| CodePipeline | CodePipeline is a fully managed continuous delivery service that helps automate release pipelines for fast & reliable app & infra updates. |
| CodeStar | CodeStar enables users to quickly develop, build, & deploy applications on AWS. |
| CLI | AWS CLI is a unified tool to manage AWS services & control multiple services from the command line & automate them through scripts. |
| X-Ray | X-Ray helps developers analyze & debug production, distributed applications, such as those built using a microservices architecture. |
    
    
Migration & Transfer services

| Service | Description |
| --- | --- |
| Migration Evaluator | Build a data-driven business case for AWS. |
| Migration Hub | Migration Hub provides a single location to track the progress of app migrations across multiple AWS & partner solutions. |
| Application Discovery Service | Application Discovery Service helps enterprise customers plan migration projects by gathering information about their on-premises data centers. |
| Server Migration Service (SMS) | SMS is an agentless service which makes it easier & faster to migrate thousands of on-premises workloads to AWS. |
| Database Migration Service (DMS) | DMS helps migrate databases to AWS quickly & securely. |
| CloudEndure Migration | CloudEndure Migration simplifies, expedites, & reduces the cost of cloud migration by offering a highly automated lift-&-shift solution. |
                                                                                 
                                                                                            
                                                                                            VMware Cloud on AWS  | 
                                                                                                                        Refer to the compute section.  | 
                                                                                 
                                                                                            
                                                                                            DataSync  | 
                                                                                                                        Refer to the storage section.  | 
                                                                                 
                                                                                            
                                                                                            Transfer Family  | 
                                                                                                                        Refer to the storage section.  | 
                                                                                 
                                                                                            
                                                                                            Snow Family  | 
                                                                                                                        Refer to the storage section.  | 
                                                                                 
                                                                         
                             
    
    
            Cost Management
        
                        
                                                                                    
                                                                                            Use cases  | 
                                                                                                                        Capabilities  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Organize  | 
                                                                                                                        Construct cost allocation & governance foundation with your own tagging strategy  | 
                                                                                                                        1) Cost Allocation Tags 2) Cost Categories  | 
                                                                                                                        Cost Categories is a feature within the AWS Cost Management product suite that lets you group cost & usage information into meaningful categories based on your needs.  CostAllocationTags CostCategories | 
                                                                                 
                                                                                            
                                                                                            Report  | 
                                                                                                                        Raise awareness & accountability of your cloud spend with detailed, allocable cost data  | 
                                                                                                                        1) Cost Explorer 2) Cost & Usage Report  | 
                                                                                                                        Cost & Usage Report contains the most comprehensive set of AWS cost & usage data available, including additional metadata about AWS services, pricing, & reservations.  CostExplorer CUR | 
                                                                                 
                                                                                            
                                                                                            Access  | 
                                                                                                                        Track billing information across the organization in a consolidated view  | 
                                                                                                                        1) Consolidated Billing 2) Credits  | 
                                                                                                                         | 
                                                                                 
                                                                                            
                                                                                            Control  | 
                                                                                                                        Establish effective governance mechanisms with the right guardrails in place  | 
                                                                                                                        1) IAM 2) Organizations 3) Control Tower 4) Service Catalog  | 
                                                                                                                        Organizations helps you centrally govern your environment as you grow & scale workloads on AWS. Control Tower is the easiest way to set up & govern a new, secure multi-account AWS environment.  ControlTower | 
                                                                                 
                                                                                            
                                                                                            Forecast  | 
                                                                                                                        Estimate resource utilization & spend with forecast dashboards.  | 
                                                                                                                        1) Cost Explorer (Self-Service) 2) Budgets (Event-Driven)  | 
                                                                                                                        A forecast is a prediction of how much you will use AWS services over the forecast time period that you selected, based on your past usage.  Forecasting EventDrivenBudgets | 
                                                                                 
                                                                                            
                                                                                            Budget  | 
                                                                                                                        Keep spend in check with custom budget thresholds & automatic alert notifications  | 
                                                                                                                        1) Budgets 2) Budget Alerts via Chime & Slack 3) Service Catalog  | 
                                                                                                                         | 
                                                                                 
                                                                                            
                                                                                            Purchase  | 
                                                                                                                        Leverage free trials & programmatic discounts based on workload pattern & needs  | 
                                                                                                                        1) Free Tier 2) Reserved Instances 3) Savings Plans 4) Spot Instances 5) DynamoDB On-demand  | 
                                                                                                                         | 
                                                                                 
                                                                                            
                                                                                            Elasticity  | 
                                                                                                                        Scale & schedule services based on expected utilization pattern & needs  | 
                                                                                                                        1) Instance Scheduler 2) Redshift pause & resume 3) EC2 Auto Scaling 4) Trusted Advisor  | 
                                                                                                                         | 
                                                                                 
                                                                                            
                                                                                            Rightsize  | 
                                                                                                                        Align service allocation size to actual workload demand  | 
                                                                                                                        1) Cost Explorer Right Sizing Recommendations 2) Compute Optimizer 3) Redshift resize 4) S3 Intelligent Tiering  | 
                                                                                                                        Compute Optimizer recommends optimal AWS Compute resources for your workloads to reduce costs & improve performance by using ML to analyze historical utilization metrics.  CO | 
                                                                                 
                                                                                            
                                                                                            Inspect  | 
                                                                                                                        Stay up-to-date with resource deployment & cost optimization opportunities  | 
                                                                                                                        Cost Explorer  | 
                                                                                                                        Cost Explorer has an easy-to-use interface that lets you visualize, understand, & manage AWS costs & usage over time.  CostExplorer | 
                                                                                 
                                                                         
                             
    
    
            SDKs & Toolkits
        
                        
                                                                                    
                                                                                            Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            CDK  | 
                                                                                                                        CDK uses the familiarity & expressive power of programming languages for modeling apps.  CDK | 
                                                                                 
                                                                                            
                                                                                            Corretto  | 
                                                                                                                        Corretto is a no-cost, multiplatform, production-ready distribution of the OpenJDK.  Corretto | 
                                                                                 
                                                                                            
                                                                                            Crypto Tools  | 
                                                                                                                        Cryptography is hard to do safely & correctly. The AWS Crypto Tools libraries are designed to help everyone do cryptography right, even without special expertise.  Crypto Tools | 
                                                                                 
                                                                                            
                                                                                            Serverless Application Model (SAM)  | 
                                                                                                                        SAM is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, & event source mappings.  SAM | 
                                                                                 
                                                                                            
                                                                                            Tools for developing and managing applications on AWS  | 
                                                                                                                        The complete list of tools can be found here:  Tools | 
                                                                                 
                                                                         
                             
                                                        
                                
    
    
            Networking & Content Delivery
        
                        
                                                                                    
                                                                                            Use cases  | 
                                                                                                                        Functionality  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Build a cloud network  | 
                                                                                                                        Define and provision a logically isolated network for your AWS resources  | 
                                                                                                                        VPC  | 
                                                                                                                        VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.  VPC | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Connect VPCs and on-premises networks through a central hub  | 
                                                                                                                        Transit Gateway  | 
                                                                                                                        Transit Gateway connects VPCs & on-premises networks through a central hub. This simplifies your network & puts an end to complex peering relationships.  TransitGateway | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Provide private connectivity between VPCs, services, and on-premises applications  | 
                                                                                                                        PrivateLink  | 
                                                                                                                        PrivateLink provides private connectivity between VPCs & services hosted on AWS or on-premises, securely on the Amazon network.  PrivateLink | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Route users to Internet applications with a managed DNS service  | 
                                                                                                                        Route 53  | 
                                                                                                                        Route 53 is a highly available & scalable cloud DNS web service.  Route53 | 
                                                                                 
                                                                                            
                                                                                            Scale your network design  | 
                                                                                                                        Automatically distribute traffic across a pool of resources, such as instances, containers, IP addresses, and Lambda functions  | 
                                                                                                                        Elastic Load Balancing  | 
                                                                                                                        Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as EC2 instances, containers, IP addresses, & Lambda functions.  ElasticLoadBalancing | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Direct traffic through the AWS Global network to improve global application performance  | 
                                                                                                                        Global Accelerator  | 
                                                                                                                        Global Accelerator is a networking service that sends user’s traffic through AWS’s global network infrastructure, improving internet user performance by up to 60%.  GlobalAccelerator | 
                                                                                 
                                                                                            
                                                                                            Secure your network traffic  | 
                                                                                                                        Safeguard applications running on AWS against DDoS attacks  | 
                                                                                                                        Shield  | 
                                                                                                                        Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.  Shield | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Protect your web applications from common web exploits  | 
                                                                                                                        WAF  | 
                                                                                                                        WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.  WAF | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Centrally configure and manage firewall rules  | 
                                                                                                                        Firewall Manager  | 
                                                                                                                        Firewall Manager is a security management service that lets you centrally configure & manage firewall rules across accounts & apps in AWS Organizations.  | 
                                                                                 
                                                                                            
                                                                                            Build a hybrid IT network  | 
                                                                                                                        Connect your users to AWS or on-premises resources using a Virtual Private Network  | 
                                                                                                                        (VPN) - Client  | 
                                                                                                                        VPN solutions establish secure connections between on-premises networks, remote offices, client devices, & the AWS global network.  VPN | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Create an encrypted connection between your network and your Amazon VPCs or AWS Transit Gateways  | 
                                                                                                                        (VPN) - Site to Site  | 
                                                                                                                        Site-to-Site VPN creates a secure connection between data center or branch office & AWS cloud resources.  site_to_site | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Establish a private, dedicated connection between AWS and your datacenter, office, or colocation environment  | 
                                                                                                                        Direct Connect  | 
                                                                                                                        Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.  DirectConnect | 
                                                                                 
                                                                                            
                                                                                            Content delivery networks  | 
                                                                                                                        Securely deliver data, videos, applications, and APIs to customers globally with low latency, and high transfer speeds  | 
                                                                                                                        CloudFront  | 
                                                                                                                        CloudFront expedites distribution of static & dynamic web content.  CloudFront | 
                                                                                 
                                                                                            
                                                                                            Build a network for microservices architectures  | 
                                                                                                                        Provide application-level networking for containers and microservices  | 
                                                                                                                        App Mesh  | 
                                                                                                                        App Mesh makes it easy to monitor & control microservices running on AWS.  AppMesh | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Create, maintain, and secure APIs at any scale  | 
                                                                                                                        API Gateway  | 
                                                                                                                        API Gateway allows the user to design & expand their own REST and WebSocket APIs at any scale.  APIGateway | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Discover AWS services connected to your applications  | 
                                                                                                                        Cloud Map  | 
                                                                                                                        Cloud Map lets you name & discover your cloud resources.  CloudMap | 
                                                                                 
                                                                         
                             
    
    
            Security, Identity, & Compliance
        
                        
                                                                                    
                                                                                            Category  | 
                                                                                                                        Use cases  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Identity & access management  | 
                                                                                                                        Securely manage access to services and resources  | 
                                                                                                                        Identity & Access Management (IAM)  | 
                                                                                                                        IAM is a web service for safely controlling access to AWS services.  IAM | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Securely manage access to services and resources  | 
                                                                                                                        Single Sign-On  | 
                                                                                                                        SSO simplifies managing SSO access to AWS accounts & business applications.  SSO | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Identity management for apps  | 
                                                                                                                        Cognito  | 
                                                                                                                        Cognito lets you add user sign-up, sign-in, & access control to web & mobile apps quickly and easily.  Cognito | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Managed Microsoft Active Directory  | 
                                                                                                                        Directory Service  | 
                                                                                                                        AWS Managed Microsoft Active Directory (AD) enables your directory-aware workloads & AWS resources to use managed Active Directory (AD) in AWS.  DirectoryService | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Simple, secure service to share AWS resources  | 
                                                                                                                        Resource Access Manager  | 
                                                                                                                        Resource Access Manager (RAM) is a service that enables you to easily & securely share AWS resources with any AWS account or within your AWS Organization.  RAM | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Central governance and management across AWS accounts  | 
                                                                                                                        Organizations  | 
                                                                                                                        Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS.  Orgs | 
                                                                                 
                                                                                            
                                                                                            Detection  | 
                                                                                                                        Unified security and compliance center  | 
                                                                                                                        Security Hub  | 
                                                                                                                        Security Hub gives a comprehensive view of security alerts & security posture across AWS accounts.  SecurityHub | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Managed threat detection service  | 
                                                                                                                        GuardDuty  | 
                                                                                                                        GuardDuty is a threat detection service that continuously monitors for malicious activity & unauthorized behavior to protect AWS accounts, workloads, & data stored in S3.  GuardDuty | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Analyze application security  | 
                                                                                                                        Inspector  | 
                                                                                                                        Inspector is a security vulnerability assessment service that improves the security & compliance of AWS resources.  Inspector | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Record and evaluate configurations of your AWS resources  | 
                                                                                                                        Config  | 
                                                                                                                        Config is a service that enables you to assess, audit, & evaluate the configurations of AWS resources.  Config | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Track user activity and API usage  | 
                                                                                                                        CloudTrail  | 
                                                                                                                        CloudTrail is a service that enables governance, compliance, operational auditing, & risk auditing of your AWS account.  CloudTrail | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Security management for IoT devices  | 
                                                                                                                        IoT Device Defender  | 
                                                                                                                        IoT Device Defender is a fully managed service that helps secure a fleet of IoT devices.  IoTDD | 
                                                                                 
                                                                                            
                                                                                            Infrastructure protection  | 
                                                                                                                        DDoS protection  | 
                                                                                                                        Shield  | 
                                                                                                                        Shield is a managed DDoS protection service that safeguards apps running on AWS. It provides always-on detection & automatic inline mitigations that minimize application downtime & latency.  Shield | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Filter malicious web traffic  | 
                                                                                                                        Web Application Firewall (WAF)  | 
                                                                                                                        WAF is a web application firewall that helps protect web apps or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.  WAF | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Central management of firewall rules  | 
                                                                                                                        Firewall Manager  | 
                                                                                                                        Firewall Manager eases AWS WAF administration & maintenance across multiple accounts & resources.  FirewallManager | 
                                                                                 
                                                                                            
                                                                                            Data protection  | 
                                                                                                                        Discover and protect your sensitive data at scale  | 
                                                                                                                        Macie  | 
                                                                                                                        Macie is a fully managed data security & privacy service that uses ML & pattern matching to discover & protect sensitive data.  Macie | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Key storage and management  | 
                                                                                                                        Key Management Service (KMS)  | 
                                                                                                                        KMS makes it easy to create & manage cryptographic keys & control their use across a wide range of AWS services & in your applications.  KMS | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Hardware based key storage for regulatory compliance  | 
                                                                                                                        CloudHSM  | 
                                                                                                                        CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate & use your own encryption keys.  CloudHSM | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Provision, manage, and deploy public and private SSL/TLS certificates  | 
                                                                                                                        Certificate Manager  | 
                                                                                                                        Certificate Manager is a service that easily provision, manage, & deploy public and private SSL/TLS certs for use with AWS services & internal connected resources.  ACM | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Rotate, manage, and retrieve secrets  | 
                                                                                                                        Secrets Manager  | 
                                                                                                                        Secrets Manager helps the user safely encrypt, store, & retrieve credentials for databases & other services.  SecretsManager | 
                                                                                 
                                                                                            
                                                                                            Incident response  | 
                                                                                                                        Investigate potential security issues  | 
                                                                                                                        Detective  | 
                                                                                                                        Detective makes it easy to analyze, investigate, & quickly identify the root cause of potential security issues or suspicious activities.  Detective | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Fast, automated, cost-effective disaster recovery  | 
                                                                                                                        CloudEndure Disaster Recovery  | 
                                                                                                                        Provides scalable, cost-effective business continuity for physical, virtual, & cloud servers.  CloudEndure | 
                                                                                 
                                                                                            
                                                                                            Compliance  | 
                                                                                                                        No cost, self-service portal for on-demand access to AWS’ compliance reports  | 
                                                                                                                        Artifact  | 
                                                                                                                        Artifact is a web service that enables the user to download AWS security & compliance records.  Artifact | 
                                                                                 
                                                                         
                             
                                                        
                                
    
    
            Data Lakes & Analytics
        
                        
                                                                                    
                                                                                            Category  | 
                                                                                                                        Use cases  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Analytics  | 
                                                                                                                        Interactive analytics  | 
                                                                                                                        Athena  | 
                                                                                                                        Athena is an interactive query service that makes it easy to analyze data in S3 using standard SQL.  Athena | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Big data processing  | 
                                                                                                                        EMR  | 
                                                                                                                        EMR is the industry-leading cloud big data platform for processing vast amounts of data using open source tools such as Apache Spark, Hive, HBase,Flink, Hudi, & Presto.  EMR | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Data warehousing  | 
                                                                                                                        Redshift  | 
                                                                                                                        The most popular & fastest cloud data warehouse.  Redshift | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Real-time analytics  | 
                                                                                                                        Kinesis  | 
                                                                                                                        Kinesis makes it easy to collect, process, & analyze real-time, streaming data so one can get timely insights.  Kinesis | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Operational analytics  | 
                                                                                                                        Elasticsearch Service  | 
                                                                                                                        Elasticsearch Service is a fully managed service that makes it easy to deploy, secure, & run Elasticsearch cost effectively at scale.  ES | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Dashboards & visualizations  | 
                                                                                                                        QuickSight  | 
                                                                                                                        QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization.  QuickSight | 
                                                                                 
                                                                                            
                                                                                            Data movement  | 
                                                                                                                        Real-time data movement  | 
                                                                                                                        1) Amazon Managed Streaming for Apache Kafka (MSK) 2) Kinesis Data Streams 3) Kinesis Data Firehose 4) Kinesis Data Analytics 5) Kinesis Video Streams 6) Glue  | 
                                                                                                                        MSK is a fully managed service that makes it easy to build & run applications that use Apache Kafka to process streaming data.  MSK KDS KDF KDA KVS Glue | 
                                                                                 
                                                                                            
                                                                                            Data lake  | 
                                                                                                                        Object storage  | 
                                                                                                                        1) S3 2) Lake Formation  | 
                                                                                                                        Lake Formation is a service that makes it easy to set up a secure data lake in days. A data lake is a centralized, curated, & secured repository that stores all data, both in its original form & prepared for analysis.  S3 LakeFormation | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Backup & archive  | 
                                                                                                                        1) S3 Glacier 2) Backup  | 
                                                                                                                        S3 Glacier & S3 Glacier Deep Archive are a secure, durable, & extremely low-cost S3 cloud storage classes for data archiving & long-term backup.  S3Glacier | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Data catalog  | 
                                                                                                                        1) Glue 2) Lake Formation  | 
                                                                                                                        See the descriptions above.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Third-party data  | 
                                                                                                                        Data Exchange  | 
                                                                                                                        Data Exchange makes it easy to find, subscribe to, & use third-party data in the cloud.  DataExchange | 
                                                                                 
                                                                                            
                                                                                            Predictive analytics & machine learning  | 
                                                                                                                        Frameworks & interfaces  | 
                                                                                                                        Deep Learning AMIs  | 
                                                                                                                        Deep Learning AMIs provide machine learning practitioners & researchers with the infrastructure & tools to accelerate deep learning in the cloud, at any scale.  DeepLearningAMIs | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Platform services  | 
                                                                                                                        SageMaker  | 
                                                                                                                        SageMaker is a fully managed service that provides every developer & data scientist with the ability to build, train, & deploy machine learning (ML) models quickly.  SageMaker | 
                                                                                 
                                                                         
                             
    
    
            Containers
        
                        
                                                                                    
                                                                                            Use cases  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Store, encrypt, and manage container images  | 
                                                                                                                        ECR  | 
                                                                                                                        Refer to the compute section  | 
                                                                                 
                                                                                            
                                                                                            Run containerized applications or build microservices  | 
                                                                                                                        ECS  | 
                                                                                                                        Refer to the compute section  | 
                                                                                 
                                                                                            
                                                                                            Manage containers with Kubernetes  | 
                                                                                                                        EKS  | 
                                                                                                                        Refer to the compute section  | 
                                                                                 
                                                                                            
                                                                                            Run containers without managing servers  | 
                                                                                                                        Fargate  | 
                                                                                                                        Fargate is a serverless compute engine for containers that works with both ECS & EKS.  Fargate | 
                                                                                 
                                                                                            
                                                                                            Run containers with server-level control  | 
                                                                                                                        EC2  | 
                                                                                                                        Refer to the compute section  | 
                                                                                 
                                                                                            
                                                                                            Containerize and migrate existing applications  | 
                                                                                                                        App2Container  | 
                                                                                                                        App2Container (A2C) is a command-line tool for modernizing .NET & Java applications into containerized applications.  App2Container | 
                                                                                 
                                                                                            
                                                                                            Quickly launch and manage containerized applications  | 
                                                                                                                        Copilot  | 
                                                                                                                        Copilot is a command line interface (CLI) that enables customers to quickly launch & easily manage containerized applications on AWS.  Copilot | 
                                                                                 
                                                                         
                             
    
    
            Serverless
        
                        
                                                                                    
                                                                                            Category  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Compute  | 
                                                                                                                         | 
                                                                                                                        Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance & reduces latency.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Refer to the containers section  | 
                                                                                 
                                                                                            
                                                                                            Storage  | 
                                                                                                                         | 
                                                                                                                        Refer to the storage section  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Refer to the storage section  | 
                                                                                 
                                                                                            
                                                                                            Data stores  | 
                                                                                                                         | 
                                                                                                                        DynamoDB is a key-value & document database that delivers single-digit millisecond performance at any scale.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora (MySQL & PostgreSQL-compatible editions), where the database will automatically start up, shut down, & scale capacity up or down based on your application's needs.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        RDS Proxy is a fully managed, highly available database proxy for RDS that makes applications more scalable, resilient to database failures, & more secure.  | 
                                                                                 
                                                                                            
                                                                                            API Proxy  | 
                                                                                                                         | 
                                                                                                                        API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, & secure APIs at any scale.  | 
                                                                                 
                                                                                            
                                                                                            Application integration  | 
                                                                                                                         | 
                                                                                                                        SNS is a fully managed messaging service for both system-to-system & app-to-person (A2P) communication.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        SQS is a fully managed message queuing service that enables you to decouple & scale microservices, distributed systems, & serverless applications.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        AppSync is a fully managed service that makes it easy to develop GraphQL APIs by handling the heavy lifting of securely connecting to data sources such as AWS DynamoDB & Lambda.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        EventBridge is a serverless event bus that makes it easy to connect applications together using data from apps, integrated SaaS apps, & AWS services.  | 
                                                                                 
                                                                                            
                                                                                            Orchestration  | 
                                                                                                                         | 
                                                                                                                        Step Functions is a serverless function orchestrator that makes it easy to sequence Lambda functions & multiple AWS services into business-critical applications.  | 
                                                                                 
                                                                                            
                                                                                            Analytics  | 
                                                                                                                         | 
                                                                                                                        Kinesis makes it easy to collect, process, & analyze real-time, streaming data so one can get timely insights.  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.  | 
                                                                                 
                                                                         
                             
    
    
            Application Integration
        
                        
                                                                                    
                                                                                            Category  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Messaging  | 
                                                                                                                         | 
                                                                                                                        Reliable high throughput pub/sub, SMS, email, and mobile push notifications  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Message queue that sends, stores, and receives messages between application components at any volume  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Message broker for Apache ActiveMQ that makes migration easy and enables hybrid architectures  | 
                                                                                 
                                                                                            
                                                                                            Workflows  | 
                                                                                                                         | 
                                                                                                                        Coordinate multiple AWS services into serverless workflows so you can build and update apps quickly  | 
                                                                                 
                                                                                            
                                                                                            API management  | 
                                                                                                                         | 
                                                                                                                        Create, publish, maintain, monitor, & secure APIs at any scale for serverless workloads & web apps  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Create a flexible API to securely access, manipulate, & combine data from one or more data sources  | 
                                                                                 
                                                                                            
                                                                                            Event bus  | 
                                                                                                                         | 
                                                                                                                        Build an event-driven architecture that connects application data from your own apps, SaaS, & AWS services  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                         | 
                                                                                                                        Automate the flow of data between SaaS applications & AWS services at nearly any scale, without code.  | 
                                                                                 
                                                                         
                             
    
    
            Management & Governance
        
                        
                                                                                    
                                                                                            Category  | 
                                                                                                                        Service  | 
                                                                                                                        Description  | 
                                                                                 
                                                                                            
                                                                                            Enable  | 
                                                                                                                        Control Tower  | 
                                                                                                                        The easiest way to set up and govern a new, secure multi-account AWS environment.  ControlTower | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Organizations  | 
                                                                                                                        Organizations helps you centrally govern your environment as you grow & scale workloads on AWS.  Organizations | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Well-Architected Tool  | 
                                                                                                                        Well-Architected Tool helps review the state of workloads & compares them to the latest AWS architectural best practices.  WATool | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Budgets  | 
                                                                                                                        Budgets lets you set custom budgets to track cost & usage from the simplest to the most complex use cases.  Budgets | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        License Manager  | 
                                                                                                                        License Manager makes it easier to manage software licenses from software vendors such as Microsoft, SAP, Oracle, & IBM across AWS & on-premises environments.  LicenseManager | 
                                                                                 
                                                                                            
                                                                                            Provision   | 
                                                                                                                        CloudFormation  | 
                                                                                                                        CloudFormation enables the user to design & provision AWS infrastructure deployments predictably & repeatedly.  CloudFormation | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Service Catalog  | 
                                                                                                                        Service Catalog allows organizations to create & manage catalogs of IT services that are approved for use on AWS.  ServiceCatalog | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        OpsWorks  | 
                                                                                                                        OpsWorks presents a simple and flexible way to create and maintain stacks and applications.  OpsWorks | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Marketplace  | 
                                                                                                                        Marketplace is a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, & deploy software that runs on AWS.  Marketplace | 
                                                                                 
                                                                                            
                                                                                            Operate  | 
                                                                                                                        CloudWatch  | 
                                                                                                                        CloudWatch offers a reliable, scalable, & flexible monitoring solution that is easy to get started with.  CloudWatch | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        CloudTrail  | 
                                                                                                                        CloudTrail is a service that enables governance, compliance, operational auditing, & risk auditing of an AWS account.  CloudTrail | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Config  | 
                                                                                                                         | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Systems Manager  | 
                                                                                                                        Systems Manager helps plan, proctor, & automate administration tasks on AWS resources.  SystemsManager | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Cost & usage report  | 
                                                                                                                        Refer to the cost management section  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Cost explorer  | 
                                                                                                                        Refer to the cost management section  | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        Managed Services  | 
                                                                                                                         | 
                                                                                 
                                                                                            
                                                                                            |   | 
                                                                                                                        X-Ray  | 
                                                                                                                         | 
                                                                                 
                                                                         
                             
    
    
            Recommended security best practices
        
                        
                                                                                    
                                                                                            Turn on multifactor authentication for the “root” account  | 
                                                                                 
                                                                                            
                                                                                            Turn on CloudTrail log file validation.  | 
                                                                                 
                                                                                            
                                                                                            Enable CloudTrail multi-region logging.  | 
                                                                                 
                                                                                            
                                                                                            Integrate CloudTrail with CloudWatch.  | 
                                                                                 
                                                                                            
                                                                                            Enable access logging for CloudTrail S3 buckets.  | 
                                                                                 
                                                                                            
                                                                                            Enable access logging for Elastic Load Balancer (ELB).  | 
                                                                                 
                                                                                            
                                                                                            Enable Redshift audit logging.  | 
                                                                                 
                                                                                            
                                                                                            Enable Virtual Private Cloud (VPC) flow logging.  | 
                                                                                 
                                                                                            
                                                                                            Require multifactor authentication (MFA) to delete CloudTrail buckets  | 
                                                                                 
                                                                                            
                                                                                            Enable CloudTrail logging across all AWS.  | 
                                                                                 
                                                                                            
                                                                                            Turn on multi-factor authentication for IAM users.  | 
                                                                                 
                                                                                            
                                                                                            Enable IAM users for multi-mode access.  | 
                                                                                 
                                                                                            
                                                                                            Attach IAM policies to groups or roles  | 
                                                                                 
                                                                                            
                                                                                            Rotate IAM access keys regularly, and standardize on the selected number of days  | 
                                                                                 
                                                                                            
                                                                                            Set up a strict password policy.  | 
                                                                                 
                                                                                            
                                                                                            Set the password expiration period to 90 days and prevent reuse.  | 
                                                                                 
                                                                                            
                                                                                            Don’t use expired SSL/TLS certificates  | 
                                                                                 
                                                                                            
                                                                                            Use HTTPS for CloudFront distributions  | 
                                                                                 
                                                                                            
                                                                                            Restrict access to CloudTrail bucket.  | 
                                                                                 
                                                                                            
                                                                                            Encrypt CloudTrail log files at rest  | 
                                                                                 
                                                                                            
                                                                                            Encrypt Elastic Block Store (EBS) database.  | 
                                                                                 
                                                                                            
                                                                                            Provision access to resources using IAM roles.  | 
                                                                                 
                                                                                            
                                                                                            Ensure EC2 security groups don’t have large ranges of ports open  | 
                                                                                 
                                                                                            
                                                                                            Configure EC2 security groups to restrict inbound access to EC2.  | 
                                                                                 
                                                                                            
                                                                                            Avoid using root user accounts.  | 
                                                                                 
                                                                                            
                                                                                            Use secure SSL ciphers when connecting between the client and ELB.  | 
                                                                                 
                                                                                            
                                                                                            Use secure SSL versions when connecting between client and ELB.  | 
                                                                                 
                                                                                            
                                                                                            Use a standard naming (tagging) convention for EC2.  | 
                                                                                 
                                                                                            
                                                                                            Encrypt RDS.  | 
                                                                                 
                                                                                            
                                                                                            Ensure access keys are not being used with root accounts.  | 
                                                                                 
                                                                                            
                                                                                            Use secure CloudFront SSL versions.  | 
                                                                                 
                                                                                            
                                                                                            Enable the require_ssl parameter in all Redshift clusters.  | 
                                                                                 
                                                                                            
                                                                                            Rotate SSH keys periodically.  | 
                                                                                 
                                                                                            
                                                                                            Minimize the number of discrete security groups.  | 
                                                                                 
                                                                                            
                                                                                            Reduce number of IAM groups.  | 
                                                                                 
                                                                                            
                                                                                            Terminate unused access keys  | 
                                                                                 
                                                                                            
                                                                                            Disable access for inactive or unused IAM users  | 
                                                                                 
                                                                                            
                                                                                            Remove unused IAM access keys  | 
                                                                                 
                                                                                            
                                                                                            Delete unused SSH Public Keys  | 
                                                                                 
                                                                                            
                                                                                            Restrict access to AMIs.  | 
                                                                                 
                                                                                            
                                                                                            Restrict access to EC2 security groups.  | 
                                                                                 
                                                                                            
                                                                                            Restrict access to RDS instances.  | 
                                                                                 
                                                                                            
                                                                                            Restrict access to Redshift clusters.  | 
                                                                                 
                                                                                            
                                                                                            Restrict outbound access.  | 
                                                                                 
                                                                                            
                                                                                            Disallow unrestricted ingress access on uncommon ports.  | 
                                                                                 
                                                                                            
                                                                                            Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, Remote desktop  | 
                                                                                 
                                                                                            
                                                                                            Inventory & categorize all existing custom apps by the types of data stored, compliance requirements & possible threats they face.  | 
                                                                                 
                                                                                            
                                                                                            Involve IT security throughout the development process.  | 
                                                                                 
                                                                                            
                                                                                            Grant the fewest privileges possible to application users  | 
                                                                                 
                                                                                            
                                                                                            Enforce a single set of data loss prevention policies across custom applications and all other cloud services.  | 
                                                                                 
                                                                                            
                                                                                            Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII).  | 
                                                                                 
                                                                         
                             
                             | 
                                                            
            