Compute

| Category | Service | Description |
| --- | --- | --- |
| Instances (virtual machines) | EC2 | Provides secure, resizable compute capacity in the cloud. It makes web-scale cloud computing easier for developers. |
| | EC2 Spot | Run fault-tolerant workloads for up to 90% off the On-Demand price; capacity can be reclaimed with a two-minute warning. |
| | EC2 Auto Scaling | Automatically add or remove compute capacity to meet changes in demand. |
| | Lightsail | Designed to be the easiest way to launch & manage a virtual private server with AWS: an easy-to-use cloud platform that offers everything needed to build an application or website. |
| | Batch | Enables developers, scientists, & engineers to easily & efficiently run hundreds of thousands of batch computing jobs on AWS. Fully managed batch processing at any scale. |
| Containers | Elastic Container Service (ECS) | Highly secure, reliable, & scalable way to run containers. |
| | Elastic Container Registry (ECR) | Easily store, manage, & deploy container images. |
| | Elastic Kubernetes Service (EKS) | Fully managed Kubernetes service. |
| | Fargate | Serverless compute for containers. |
| Serverless | Lambda | Run code without thinking about servers. Pay only for the compute time you consume. |
| Edge and hybrid | Outposts | Run AWS infrastructure & services on premises for a truly consistent hybrid experience. |
| | Snow Family | Collect and process data in rugged or disconnected edge environments. |
| | Wavelength | Deliver ultra-low-latency applications for 5G devices. |
| | VMware Cloud on AWS | Innovate faster, rapidly transition to the cloud, & work securely from any location. |
| | Local Zones | Run latency-sensitive applications closer to end users. |
Storage

| Service | Description |
| --- | --- |
| AWS S3 | S3 is "storage for the internet", i.e. object storage built to store & retrieve any amount of data from anywhere. |
| AWS Backup | AWS Backup is a centralized, fully managed backup service that makes it easier to define, automate, & audit the backup of data across AWS services in the cloud. |
| Amazon EBS | Amazon Elastic Block Store is a web service that provides block-level storage volumes for use with EC2 instances. |
| Amazon EFS | EFS offers elastic, NFS-based file storage for the user's EC2 instances; many instances can mount the same file system concurrently. It is shared file storage, not blob/object storage (that is S3). |
| Amazon FSx | FSx supplies fully managed third-party file systems with native compatibility & feature sets for workloads. It is available as FSx for Windows File Server (fully managed file storage built on Windows Server) & FSx for Lustre (fully managed high-performance file system integrated with S3). |
| AWS Storage Gateway | Storage Gateway is a service which connects an on-premises software appliance with cloud-based storage. |
| AWS DataSync | DataSync makes it simple & fast to move large amounts of data online between on-premises storage & S3, EFS, or FSx for Windows File Server. |
| AWS Transfer Family | The Transfer Family provides fully managed support for file transfers directly into & out of S3. |
| AWS Snow Family | Highly secure, portable devices to collect & process data at the edge, and migrate data into and out of AWS. |
Classification:
Object storage: S3
File storage services: Elastic File System, FSx for Windows Servers & FSx for Lustre
Block storage: EBS
Backup: AWS Backup
Data transfer:
Storage gateway --> 3 types: Tape, File, Volume.
Transfer Family --> SFTP, FTPS, FTP.
Edge computing and storage: Snow Family --> Snowcone, Snowball, Snowmobile
Databases

| Database type | Use cases | Service | Description |
| --- | --- | --- | --- |
| Relational | Traditional applications, ERP, CRM, e-commerce | Aurora, RDS, Redshift | RDS is a web service that makes it easier to set up, operate, & scale a relational database in the cloud. Aurora is the MySQL- & PostgreSQL-compatible managed engine; Redshift is the data warehouse (see Data Lakes & Analytics). |
| Key-value | High-traffic web apps, e-commerce systems, gaming applications | DynamoDB | DynamoDB is a fully managed NoSQL database service that offers quick & reliable performance with integrated scalability. |
| In-memory | Caching, session management, gaming leaderboards, geospatial applications | ElastiCache for Memcached & Redis | ElastiCache helps in setting up, managing, & scaling in-memory cache environments. |
| Document | Content management, catalogs, user profiles | DocumentDB | DocumentDB (with MongoDB compatibility) is a fast, dependable, & fully managed database service that makes it easy to set up, operate, & scale MongoDB-compatible databases. |
| Wide column | High-scale industrial apps for equipment maintenance, fleet management, & route optimization | Keyspaces (for Apache Cassandra) | Keyspaces is a scalable, highly available, & managed Apache Cassandra-compatible database service. |
| Graph | Fraud detection, social networking, recommendation engines | Neptune | Neptune is a fast, reliable, fully managed graph database service that makes it easy to build & run applications that work with highly connected datasets. |
| Time series | IoT applications, DevOps, industrial telemetry | Timestream | Timestream is a fast, scalable, & serverless time series database service for IoT & operational applications that makes it easy to store & analyze trillions of events per day. |
| Ledger | Systems of record, supply chain, registrations, banking transactions | Quantum Ledger Database (QLDB) | QLDB is a fully managed ledger database that provides a transparent, immutable, & cryptographically verifiable transaction log owned by a central trusted authority. |
Developer Tools

| Service | Description |
| --- | --- |
| Cloud9 | Cloud9 is a cloud-based IDE that enables the user to write, run, & debug code. |
| CodeArtifact | CodeArtifact is a fully managed artifact repository service that makes it easy for organizations of any size to securely store, publish, & share software packages used in their software development process. |
| CodeBuild | CodeBuild is a fully managed build service that compiles source code, runs unit tests, & generates artifacts ready to deploy. |
| CodeGuru | CodeGuru is a developer tool powered by machine learning that provides intelligent recommendations for improving code quality & identifying an application's most expensive lines of code. |
| Cloud Development Kit (CDK) | CDK is an open-source software development framework to define cloud application resources using familiar programming languages. |
| CodeCommit | CodeCommit is a version control service that enables the user to privately store & manage Git repositories in the AWS cloud. |
| CodeDeploy | CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as EC2, Fargate, Lambda, & on-premises servers. |
| CodePipeline | CodePipeline is a fully managed continuous delivery service that helps automate release pipelines for fast & reliable app & infrastructure updates. |
| CodeStar | CodeStar enables you to quickly develop, build, & deploy applications on AWS. |
| CLI | The AWS CLI is a unified tool to manage AWS services & control multiple services from the command line & automate them through scripts. |
| X-Ray | X-Ray helps developers analyze & debug production, distributed applications, such as those built using a microservices architecture. |
Migration & Transfer services

| Service | Description |
| --- | --- |
| Migration Evaluator | Build a data-driven business case for AWS. |
| Migration Hub | Migration Hub provides a single location to track the progress of app migrations across multiple AWS & partner solutions. |
| Application Discovery Service | Application Discovery Service helps enterprise customers plan migration projects by gathering information about their on-premises data centers. |
| Server Migration Service (SMS) | SMS is an agentless service which makes it easier & faster to migrate thousands of on-premises workloads to AWS. |
| Database Migration Service (DMS) | DMS helps migrate databases to AWS quickly & securely. |
| CloudEndure Migration | CloudEndure Migration simplifies, expedites, & reduces the cost of cloud migration by offering a highly automated lift-&-shift solution. |
| VMware Cloud on AWS | Refer compute section. |
| DataSync | Refer storage section. |
| Transfer Family | Refer storage section. |
| Snow Family | Refer storage section. |
Cost Management

| Use cases | Capabilities | Service | Description |
| --- | --- | --- | --- |
| Organize | Construct a cost allocation & governance foundation with your own tagging strategy | 1) Cost Allocation Tags 2) Cost Categories | Cost Categories is a feature within the AWS Cost Management product suite that enables grouping cost & usage information into meaningful categories based on needs. |
| Report | Raise awareness & accountability of your cloud spend with detailed, allocable cost data | 1) Cost Explorer 2) Cost & Usage Report | The Cost & Usage Report contains the most comprehensive set of AWS cost & usage data available, including additional metadata about AWS services, pricing, & reservations. |
| Access | Track billing information across the organization in a consolidated view | 1) Consolidated Billing 2) Credits | |
| Control | Establish effective governance mechanisms with the right guardrails in place | 1) IAM 2) Organizations 3) Control Tower 4) Service Catalog | Organizations helps centrally govern your environment as you grow & scale workloads on AWS. Control Tower is the easiest way to set up & govern a new, secure multi-account AWS environment. |
| Forecast | Estimate resource utilization & spend with forecast dashboards | 1) Cost Explorer (self-service) 2) Budgets (event-driven) | A forecast is a prediction of how much you will use AWS services over the forecast time period that you selected, based on your past usage. |
| Budget | Keep spend in check with custom budget thresholds & automatic alert notifications | 1) Budgets 2) Budget Alerts via Chime & Slack 3) Service Catalog | |
| Purchase | Leverage free trials & programmatic discounts based on workload pattern & needs | 1) Free Tier 2) Reserved Instances 3) Savings Plans 4) Spot Instances 5) DynamoDB On-Demand | |
| Elasticity | Scale & schedule services based on expected utilization pattern & needs | 1) Instance Scheduler 2) Redshift pause & resume 3) EC2 Auto Scaling 4) Trusted Advisor | |
| Rightsize | Align service allocation size to actual workload demand | 1) Cost Explorer Rightsizing Recommendations 2) Compute Optimizer 3) Redshift resize 4) S3 Intelligent-Tiering | Compute Optimizer recommends optimal AWS compute resources for your workloads to reduce costs & improve performance by using ML to analyze historical utilization metrics. |
| Inspect | Stay up to date with resource deployment & cost optimization opportunities | Cost Explorer | Cost Explorer has an easy-to-use interface that lets you visualize, understand, & manage AWS costs & usage over time. |
SDKs & Toolkits

| Service | Description |
| --- | --- |
| CDK | CDK uses the familiarity & expressive power of programming languages for modeling apps. |
| Corretto | Corretto is a no-cost, multiplatform, production-ready distribution of the OpenJDK. |
| Crypto Tools | Cryptography is hard to do safely & correctly. The AWS Crypto Tools libraries (e.g. the AWS Encryption SDK) are designed to help everyone do cryptography right, even without special expertise. |
| Serverless Application Model (SAM) | SAM is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, & event source mappings. |
| Tools for developing and managing applications on AWS | See the AWS tools page for the complete list. |
Networking & Content Delivery

| Use cases | Functionality | Service | Description |
| --- | --- | --- | --- |
| Build a cloud network | Define & provision a logically isolated network for your AWS resources | VPC | VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. |
| | Connect VPCs & on-premises networks through a central hub | Transit Gateway | Transit Gateway connects VPCs & on-premises networks through a central hub. This simplifies the network & puts an end to complex peering relationships. |
| | Provide private connectivity between VPCs, services, & on-premises applications | PrivateLink | PrivateLink provides private connectivity between VPCs & services hosted on AWS or on-premises, securely on the Amazon network, without traversing the public internet. |
| | Route users to internet applications with a managed DNS service | Route 53 | Route 53 is a highly available & scalable cloud DNS web service. |
| Scale your network design | Automatically distribute traffic across a pool of resources, such as instances, containers, IP addresses, & Lambda functions | Elastic Load Balancing | Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as EC2 instances, containers, IP addresses, & Lambda functions. |
| | Direct traffic through the AWS global network to improve global application performance | Global Accelerator | Global Accelerator is a networking service that sends users' traffic through AWS's global network infrastructure, improving internet user performance by up to 60%. |
| Secure your network traffic | Safeguard applications running on AWS against DDoS attacks | Shield | Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. |
| | Protect your web applications from common web exploits | WAF | WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. |
| | Centrally configure & manage firewall rules | Firewall Manager | Firewall Manager is a security management service which allows you to centrally configure & manage firewall rules across accounts & apps in an AWS Organization. |
| Build a hybrid IT network | Connect your users to AWS or on-premises resources using a Virtual Private Network | Client VPN | VPN solutions establish secure connections between on-premises networks, remote offices, client devices, & the AWS global network. |
| | Create an encrypted connection between your network & your VPCs or Transit Gateways | Site-to-Site VPN | Site-to-Site VPN creates a secure IPsec connection between a data center or branch office & AWS cloud resources. |
| | Establish a private, dedicated connection between AWS & your data center, office, or colocation environment | Direct Connect | Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. |
| Content delivery networks | Securely deliver data, videos, applications, & APIs to customers globally with low latency & high transfer speeds | CloudFront | CloudFront expedites distribution of static & dynamic web content. |
| Build a network for microservices architectures | Provide application-level networking for containers & microservices | App Mesh | App Mesh makes it easy to monitor & control microservices running on AWS. |
| | Create, maintain, & secure APIs at any scale | API Gateway | API Gateway allows the user to design & scale their own REST & WebSocket APIs at any scale. |
| | Discover AWS services connected to your applications | Cloud Map | Cloud Map is a cloud resource discovery service: it lets you register custom names for your application resources & keeps their locations up to date. |
Security, Identity, & Compliance

| Category | Use cases | Service | Description |
| --- | --- | --- | --- |
| Identity & access management | Securely manage access to services & resources | Identity & Access Management (IAM) | IAM is a web service for securely controlling access to AWS services. |
| | Securely manage access to services & resources | Single Sign-On (now IAM Identity Center) | SSO helps in simplifying & managing SSO access to AWS accounts & business applications. |
| | Identity management for apps | Cognito | Cognito lets you add user sign-up, sign-in, & access control to web & mobile apps quickly & easily. |
| | Managed Microsoft Active Directory | Directory Service | AWS Managed Microsoft Active Directory (AD) enables your directory-aware workloads & AWS resources to use managed Active Directory in AWS. |
| | Simple, secure service to share AWS resources | Resource Access Manager | Resource Access Manager (RAM) is a service that enables you to easily & securely share AWS resources with any AWS account or within an AWS Organization. |
| | Central governance & management across AWS accounts | Organizations | Organizations helps you centrally govern your environment as you grow & scale your workloads on AWS. |
| Detection | Unified security & compliance center | Security Hub | Security Hub gives a comprehensive view of security alerts & security posture across AWS accounts. |
| | Managed threat detection service | GuardDuty | GuardDuty is a threat detection service that continuously monitors for malicious activity & unauthorized behavior to protect AWS accounts, workloads, & data stored in S3. |
| | Analyze application security | Inspector | Inspector is a security vulnerability assessment service that improves the security & compliance of AWS resources. |
| | Record & evaluate configurations of your AWS resources | Config | Config is a service that enables you to assess, audit, & evaluate the configurations of AWS resources. |
| | Track user activity & API usage | CloudTrail | CloudTrail is a service that enables governance, compliance, operational auditing, & risk auditing of an AWS account. |
| | Security management for IoT devices | IoT Device Defender | IoT Device Defender is a fully managed service that helps secure a fleet of IoT devices. |
| Infrastructure protection | DDoS protection | Shield | Shield is a managed DDoS protection service that safeguards apps running on AWS. It provides always-on detection & automatic inline mitigations that minimize application downtime & latency. |
| | Filter malicious web traffic | Web Application Firewall (WAF) | WAF is a web application firewall that helps protect web apps or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. |
| | Central management of firewall rules | Firewall Manager | Firewall Manager eases AWS WAF administration & maintenance activities over multiple accounts & resources. |
| Data protection | Discover & protect your sensitive data at scale | Macie | Macie is a fully managed data security & privacy service that uses ML & pattern matching to discover & protect sensitive data. |
| | Key storage & management | Key Management Service (KMS) | KMS makes it easy to create & manage cryptographic keys & control their use across a wide range of AWS services & in your applications. |
| | Hardware-based key storage for regulatory compliance | CloudHSM | CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate & use your own encryption keys. |
| | Provision, manage, & deploy public & private SSL/TLS certificates | Certificate Manager | Certificate Manager (ACM) is a service that lets you easily provision, manage, & deploy public & private SSL/TLS certificates for use with AWS services & internal connected resources. |
| | Rotate, manage, & retrieve secrets | Secrets Manager | Secrets Manager helps the user safely encrypt, store, rotate, & retrieve credentials for databases & other services. |
| Incident response | Investigate potential security issues | Detective | Detective makes it easy to analyze, investigate, & quickly identify the root cause of potential security issues or suspicious activities. |
| | Fast, automated, cost-effective disaster recovery | CloudEndure Disaster Recovery | Provides scalable, cost-effective business continuity for physical, virtual, & cloud servers. |
| Compliance | No-cost, self-service portal for on-demand access to AWS compliance reports | Artifact | Artifact is a web service that enables the user to download AWS security & compliance reports. |
Data Lakes & Analytics

| Category | Use cases | Service | Description |
| --- | --- | --- | --- |
| Analytics | Interactive analytics | Athena | Athena is an interactive query service that makes it easy to analyze data in S3 using standard SQL. |
| | Big data processing | EMR | EMR is the industry-leading cloud big data platform for processing vast amounts of data using open-source tools such as Apache Spark, Hive, HBase, Flink, Hudi, & Presto. |
| | Data warehousing | Redshift | Fully managed, petabyte-scale cloud data warehouse. |
| | Real-time analytics | Kinesis | Kinesis makes it easy to collect, process, & analyze real-time, streaming data so one can get timely insights. |
| | Operational analytics | Elasticsearch Service (now OpenSearch Service) | Elasticsearch Service is a fully managed service that makes it easy to deploy, secure, & run Elasticsearch cost-effectively at scale. |
| | Dashboards & visualizations | QuickSight | QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in an organization. |
| Data movement | Real-time data movement | 1) Amazon Managed Streaming for Apache Kafka (MSK) 2) Kinesis Data Streams 3) Kinesis Data Firehose 4) Kinesis Data Analytics 5) Kinesis Video Streams 6) Glue | MSK is a fully managed service that makes it easy to build & run applications that use Apache Kafka to process streaming data. |
| Data lake | Object storage | 1) S3 2) Lake Formation | Lake Formation is a service that makes it easy to set up a secure data lake in days. A data lake is a centralized, curated, & secured repository that stores all data, both in its original form & prepared for analysis. |
| | Backup & archive | 1) S3 Glacier 2) Backup | S3 Glacier & S3 Glacier Deep Archive are secure, durable, & extremely low-cost S3 storage classes for data archiving & long-term backup. |
| | Data catalog | 1) Glue 2) Lake Formation | Refer as above. |
| | Third-party data | Data Exchange | Data Exchange makes it easy to find, subscribe to, & use third-party data in the cloud. |
| Predictive analytics & machine learning | Frameworks & interfaces | Deep Learning AMIs | Deep Learning AMIs provide machine learning practitioners & researchers with the infrastructure & tools to accelerate deep learning in the cloud, at any scale. |
| | Platform services | SageMaker | SageMaker is a fully managed service that provides every developer & data scientist with the ability to build, train, & deploy machine learning (ML) models quickly. |
Containers

| Use cases | Service | Description |
| --- | --- | --- |
| Store, encrypt, & manage container images | ECR | Refer compute section. |
| Run containerized applications or build microservices | ECS | Refer compute section. |
| Manage containers with Kubernetes | EKS | Refer compute section. |
| Run containers without managing servers | Fargate | Fargate is a serverless compute engine for containers that works with both ECS & EKS. |
| Run containers with server-level control | EC2 | Refer compute section. |
| Containerize & migrate existing applications | App2Container | App2Container (A2C) is a command-line tool for modernizing .NET & Java applications into containerized applications. |
| Quickly launch & manage containerized applications | Copilot | Copilot is a command-line interface (CLI) that enables customers to quickly launch & easily manage containerized applications on AWS. |
Serverless

| Category | Service | Description |
| --- | --- | --- |
| Compute | Lambda | Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. |
| | Lambda@Edge | Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance & reduces latency. |
| | Fargate | Refer containers section. |
| Storage | S3 | Refer storage section. |
| | EFS | Refer storage section. |
| Data stores | DynamoDB | DynamoDB is a key-value & document database that delivers single-digit millisecond performance at any scale. |
| | Aurora Serverless | Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora (MySQL- & PostgreSQL-compatible editions), where the database automatically starts up, shuts down, & scales capacity up or down based on your application's needs. |
| | RDS Proxy | RDS Proxy is a fully managed, highly available database proxy for RDS that makes applications more scalable, more resilient to database failures, & more secure (it pools connections & can front IAM authentication). |
| API proxy | API Gateway | API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, & secure APIs at any scale. |
| Application integration | SNS | SNS is a fully managed messaging service for both system-to-system & app-to-person (A2P) communication. |
| | SQS | SQS is a fully managed message queuing service that enables you to decouple & scale microservices, distributed systems, & serverless applications. |
| | AppSync | AppSync is a fully managed service that makes it easy to develop GraphQL APIs by handling the heavy lifting of securely connecting to data sources like DynamoDB & Lambda. |
| | EventBridge | EventBridge is a serverless event bus that makes it easy to connect applications together using data from your apps, integrated SaaS apps, & AWS services. |
| Orchestration | Step Functions | Step Functions is a serverless function orchestrator that makes it easy to sequence Lambda functions & multiple AWS services into business-critical applications. |
| Analytics | Kinesis | Kinesis makes it easy to collect, process, & analyze real-time, streaming data so one can get timely insights. |
| | Athena | Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. |
Application Integration

| Category | Service | Description |
| --- | --- | --- |
| Messaging | SNS | Reliable high-throughput pub/sub, SMS, email, & mobile push notifications. |
| | SQS | Message queue that sends, stores, & receives messages between application components at any volume. |
| | Amazon MQ | Message broker for Apache ActiveMQ (& RabbitMQ) that makes migration easy & enables hybrid architectures. |
| Workflows | Step Functions | Coordinate multiple AWS services into serverless workflows so you can build & update apps quickly. |
| API management | API Gateway | Create, publish, maintain, monitor, & secure APIs at any scale for serverless workloads & web apps. |
| | AppSync | Create a flexible GraphQL API to securely access, manipulate, & combine data from one or more data sources. |
| Event bus | EventBridge | Build an event-driven architecture that connects application data from your own apps, SaaS, & AWS services. |
| | AppFlow | Automate the flow of data between SaaS applications & AWS services at nearly any scale, without code. |
Management & Governance

| Category | Service | Description |
| --- | --- | --- |
| Enable | Control Tower | The easiest way to set up & govern a new, secure multi-account AWS environment. |
| | Organizations | Organizations helps centrally govern your environment as you grow & scale workloads on AWS. |
| | Well-Architected Tool | The Well-Architected Tool helps review the state of workloads & compares them to the latest AWS architectural best practices. |
| | Budgets | Budgets allows you to set custom budgets to track cost & usage from the simplest to the most complex use cases. |
| | License Manager | License Manager makes it easier to manage software licenses from vendors such as Microsoft, SAP, Oracle, & IBM across AWS & on-premises environments. |
| Provision | CloudFormation | CloudFormation enables the user to model & provision AWS infrastructure deployments predictably & repeatedly. |
| | Service Catalog | Service Catalog allows organizations to create & manage catalogs of IT services that are approved for use on AWS. |
| | OpsWorks | OpsWorks presents a simple & flexible way to create & maintain stacks & applications (managed Chef & Puppet). |
| | Marketplace | Marketplace is a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, & deploy software that runs on AWS. |
| Operate | CloudWatch | CloudWatch offers a reliable, scalable, & flexible monitoring solution that is easy to start with. |
| | CloudTrail | CloudTrail is a service that enables governance, compliance, operational auditing, & risk auditing of an AWS account. |
| | Config | Refer security section. |
| | Systems Manager | Systems Manager lets you view, monitor, & automate administration tasks on AWS resources. |
| | Cost & Usage Report | Refer cost management section. |
| | Cost Explorer | Refer cost management section. |
| | Managed Services | |
| | X-Ray | Refer developer tools section. |
Recommended security best practices

Logging & audit:
Enable CloudTrail logging across all AWS accounts and regions (multi-region trail).
Turn on CloudTrail log file validation.
Integrate CloudTrail with CloudWatch Logs.
Enable access logging for the CloudTrail S3 bucket.
Restrict access to the CloudTrail bucket, and require MFA to delete it.
Encrypt CloudTrail log files at rest.
Enable access logging for Elastic Load Balancing (ELB).
Enable Redshift audit logging.
Enable Virtual Private Cloud (VPC) flow logging.

Identity & access:
Turn on multi-factor authentication (MFA) for the root account and for all IAM users.
Avoid using the root user for day-to-day work; ensure no access keys exist for the root account.
Provision access to resources using IAM roles; attach IAM policies to groups or roles rather than to individual users.
Grant the fewest privileges possible to application users.
Rotate IAM access keys regularly, and standardize on the selected number of days.
Set up a strict password policy: set the password expiration period to 90 days and prevent reuse.
Terminate or remove unused access keys; disable access for inactive or unused IAM users.
Delete unused SSH public keys, and rotate SSH keys periodically.
Reduce the number of IAM groups.

Encryption in transit & at rest:
Don't use expired SSL/TLS certificates.
Use HTTPS for CloudFront distributions, with secure (current) TLS versions.
Use secure TLS versions and ciphers when connecting between the client and ELB.
Encrypt EBS volumes, including those backing databases.
Encrypt RDS instances.
Enable the require_ssl parameter in all Redshift clusters.
Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII).

Network & resources:
Ensure EC2 security groups don't have large ranges of ports open.
Configure EC2 security groups to restrict inbound access to EC2.
Disallow unrestricted ingress access on uncommon ports.
Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, and Remote Desktop.
Restrict outbound access.
Minimize the number of discrete security groups, and restrict who can modify them.
Restrict access to AMIs, RDS instances, and Redshift clusters.
Use a standard naming (tagging) convention for EC2.

Application security:
Inventory & categorize all existing custom apps by the types of data stored, compliance requirements, & possible threats they face.
Involve IT security throughout the development process.
Enforce a single set of data loss prevention policies across custom applications and all other cloud services.
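Several of the checks above (MFA on root and IAM users, no root access keys, key rotation, wide port ranges, well-known ports open to the world) can be evaluated offline against the data the AWS APIs return. The script below is an added example, not part of the original cheat sheet: it runs the checks over constructed sample input shaped like an IAM credential report (the CSV from `aws iam get-credential-report`) and `aws ec2 describe-security-groups` output. The 90-day key age and the 10-port "large range" threshold are assumed values, and the account IDs, user names and group IDs are made up.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real accounts). The credential report columns
# are a subset of those in a real `aws iam get-credential-report` CSV; the
# security groups mirror the shape of `aws ec2 describe-security-groups` JSON.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2021-01-15T10:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2023-11-01T09:30:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2022-03-20T12:00:00+00:00,false,N/A
"""

SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are deterministic
MAX_KEY_AGE_DAYS = 90   # assumed rotation period ("rotate IAM access keys regularly")
MAX_PORT_SPAN = 10      # assumed threshold for "large ranges of ports open"
WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 445: "CIFS", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def audit_credential_report(report_csv, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs for missing MFA, root access keys and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root reports password_enabled as "not_supported" but still needs MFA.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "mfa-missing"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root-access-key"))
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"key{slot}-stale"))
    return findings


def audit_security_groups(groups, max_port_span=MAX_PORT_SPAN):
    """Return (group id, finding) pairs for wide port ranges and for well-known
    ports (or all ICMP) reachable from anywhere."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_to_world = any(c in ANYWHERE for c in cidrs)
            proto = perm.get("IpProtocol")
            if proto in ("icmp", "icmpv6"):
                # For ICMP, FromPort/ToPort are type/code (-1 = all), not ports.
                if open_to_world:
                    findings.append((gid, "ICMP-open-to-world"))
                continue
            # Protocol "-1" means all protocols; FromPort/ToPort are then absent.
            if proto == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if hi - lo + 1 > max_port_span:
                findings.append((gid, f"wide-range-{lo}-{hi}"))
            if open_to_world:
                for port, name in WELL_KNOWN_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((gid, f"{name}-open-to-world"))
    return findings


def run_audit():
    """Combine both audits into one report; a non-empty list means something to fix."""
    return {
        "iam": audit_credential_report(CREDENTIAL_REPORT),
        "security_groups": audit_security_groups(SECURITY_GROUPS),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        for subject, finding in items:
            print(f"{area}: {subject}: {finding}")
```

To run it against a live account, replace the constructed inputs with the decoded `Content` of `get-credential-report` and the `SecurityGroups` list from `describe-security-groups`; the audit functions take those structures unchanged. Note that an all-protocols rule (`IpProtocol` `-1`) carries no port fields, which is why the code treats it as the full 0-65535 range rather than skipping it.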