* * *

[[_TOC_]]

* * *

**Identity Services**
---------------------

Define, enforce, and audit user permissions across AWS services, actions, and resources.

| State | Service | Description |
| --- | --- | --- |
| Current | [AWS Organizations](https://aws.amazon.com/organizations/) | AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts and then apply policies to those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes. Using AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to help automate the creation of new accounts through APIs. Organizations helps simplify the billing for multiple accounts by enabling you to set up a single payment method for all the accounts in your organization through consolidated billing. AWS Organizations is available to all AWS customers at no additional charge. |
| Current | [AWS IAM](https://aws.amazon.com/iam/) | AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. It is a Well-Architected best practice to regularly audit credentials, through a credential report and access advisor, or through an automated mechanism. |
| Designed | [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) | AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. |
| Designed | [AWS Directory Service](https://aws.amazon.com/directoryservice/) | AWS Directory Service is a managed service that allows you to connect your AWS resources with an existing on-premises Microsoft Active Directory or to set up a new, stand-alone directory in the AWS Cloud. Connecting to an on-premises directory is easy, and once this connection is established, all users can access AWS resources and applications with their existing corporate credentials. You can also launch managed, Samba-based directories in a matter of minutes, simplifying the deployment and management of Windows workloads in the AWS Cloud. |
| Designed | [AWS Single Sign-On](https://aws.amazon.com/single-sign-on/) | AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. It enables users to sign in to a user portal with their existing corporate credentials and access all of their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. With just a few clicks, you can enable a highly available SSO service without the upfront investment and ongoing maintenance costs of operating your own SSO infrastructure. |
| Future | [Amazon Cognito](https://aws.amazon.com/cognito/) | Amazon Cognito lets you add user sign-up/sign-in and access control to your web and mobile apps quickly and easily. Cognito scales to millions of users, and supports sign-in with social identity providers such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0. |
| Future | [Amazon Cloud Directory](https://aws.amazon.com/cloud-directory/) | Amazon Cloud Directory is a cloud-native, highly scalable, high-performance, multi-tenant directory service that provides web-based directories to make it easy for you to organize and manage all your application resources such as users, groups, locations, devices, and policies, and the rich relationships between them. Cloud Directory is a foundational building block for developers to create directory-based solutions easily and without having to worry about deployment, global scale, availability, and performance. |

**Detective Control Services**
------------------------------

Use these tools to gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.

| State | Service | Description |
| --- | --- | --- |
| Current | [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) | AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. |
| Designed | [AWS Config](https://aws.amazon.com/config/) | AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting. |
| Designed | [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) | VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. |
| Designed | [Amazon GuardDuty](https://aws.amazon.com/guardduty/) | Amazon GuardDuty is an AWS threat detection service that continuously monitors for malicious or unauthorized behavior to help customers protect their AWS accounts and workloads. It can be enabled through the AWS Management Console in a few clicks and immediately begins analyzing billions of events across a customer's AWS accounts, identifying suspected attackers through integrated threat intelligence feeds and using machine learning to detect anomalies in account and workload activity. It monitors for activity such as unusual API calls or unauthorized deployments that indicate a customer's accounts may have been compromised, as well as direct threats like compromised instances or reconnaissance by attackers. When a threat is detected, the service delivers a detailed security alert to the Amazon GuardDuty console and AWS CloudWatch Events, making alerts actionable and easy to integrate into existing event management and workflow systems. There are no upfront costs, no software to deploy, and no threat intelligence feeds required. |
| Designed | [AWS Security Hub](https://aws.amazon.com/security-hub/) | AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts: it aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. Your findings are visually summarized on integrated dashboards with actionable graphs and tables. You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows. |
| Designed | [AWS CloudWatch](https://aws.amazon.com/cloudwatch/) | CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers. You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly. |
| Designed | [Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) | AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. |

**Infrastructure Security Services**
------------------------------------

Reduce the surface area you have to manage, and increase privacy for and control of your overall infrastructure in AWS.

| State | Service | Description |
| --- | --- | --- |
| Current | [AWS VPC](https://aws.amazon.com/vpc/) | Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. |
| Current | [AWS Shield](https://aws.amazon.com/shield/) | AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield: Standard and Advanced. |
| Designed | [AWS Shield Advanced](https://aws.amazon.com/shield/) | AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS-related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges. |
| Designed | [AWS WAF](https://aws.amazon.com/waf/) | AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules. |
| Designed | [AWS Firewall Manager](https://aws.amazon.com/firewall-manager/) | AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in [AWS Organizations](https://aws.amazon.com/organizations/). Using AWS Firewall Manager, you can easily roll out AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. Similarly, you can create AWS Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP Addresses and CloudFront distributions. Finally, with AWS Firewall Manager, you can enable security groups for your Amazon EC2 and ENI resource types in Amazon VPCs. |
| Designed | [AWS Systems Manager](https://aws.amazon.com/systems-manager/) | AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager also provides a centralized store to manage your configuration data, whether it's plain text, such as database strings, or secrets, such as passwords. This allows you to separate your secrets and configuration data from code. |
| Designed | [Amazon Inspector](https://aws.amazon.com/inspector/) | Amazon Inspector is a service that analyzes your EC2 instances to identify potential security and configuration issues. Inspector assesses your security posture by looking at the versions, patch levels, configurations, and operating behavior of operating systems and applications and evaluates these against thousands of common vulnerabilities and exposures. Inspector not only identifies where your environments may be vulnerable, but prioritizes these findings by severity level, and provides recommendations on how to fix these to secure your environment. Amazon Inspector can be easily set up to test the security of your applications in all your environments, throughout your continuous integration and continuous deployment (CI/CD) cycles. |

**Data Protection Services**
----------------------------

In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).

| State | Service | Description |
| --- | --- | --- |
| Current | [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) | AWS Certificate Manager (ACM) lets you easily provision, manage and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with specific AWS services. Certificates are used to secure network communications and establish the identity of websites over the Internet. ACM removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With ACM, you can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancers or Amazon CloudFront distributions, and let ACM handle certificate renewals. SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application. |
| Designed | [AWS KMS](https://aws.amazon.com/kms/) | AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs. |
| Designed | [Amazon Macie](https://aws.amazon.com/macie/) | Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks. Today, Amazon Macie is available to protect data stored in Amazon S3, with support for additional AWS data stores coming later this year. |
| Future | [AWS CloudHSM](https://aws.amazon.com/cloudhsm/) | AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially available HSMs. It is a fully managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on demand, with no up-front costs. |

**Incident Response Services**
------------------------------

During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.

| State | Service | Description |
| --- | --- | --- |
| Designed | [AWS Config](https://aws.amazon.com/config/) | AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting. |
| Designed | [AWS SNS](https://aws.amazon.com/sns/) | Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications. Amazon SNS provides topics for high-throughput, push-based, many-to-many messaging. |

**Compliance**
--------------

| State | Service | Description |
| --- | --- | --- |
| Current | [AWS Artifact](https://aws.amazon.com/artifact/) | AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as FedRAMP certifications, AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports. You can submit the security and compliance documents (also known as _audit artifacts_) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company's internal controls. AWS Artifact provides documents about AWS only. AWS customers are responsible for developing or obtaining documents that demonstrate the security and compliance of their companies. |
| Current | [AWS CloudFormation](https://aws.amazon.com/cloudformation/) | AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment. |
| Designed | [AWS CodePipeline](https://aws.amazon.com/codepipeline/) | AWS CodePipeline is a fully managed [continuous delivery](https://aws.amazon.com/devops/continuous-delivery/) service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define. |
| Designed | [AWS Systems Manager](https://aws.amazon.com/systems-manager/) | AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources. Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your infrastructure securely at scale. |
| Future | [AWS OpsWorks](https://aws.amazon.com/opsworks/) | AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings: AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks. |
| Future | [AWS Service Catalog](https://aws.amazon.com/servicecatalog/) | AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage commonly deployed IT services, and helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need. |