Security Services
WAF · ACM · CloudHSM · Shield · GuardDuty · Inspector · Macie
Seven essential AWS security services that protect your applications at the network, certificate, hardware, DDoS, threat-detection, vulnerability-scanning, and data-discovery layers. One chapter each — what they do, when to use them, how they fit together.
AWS WAF is a Layer 7 (HTTP/HTTPS) firewall that filters malicious web traffic before it reaches your application. It protects against SQL injection, cross-site scripting (XSS), bot attacks, and custom-defined threats.
| Component | What It Does | Example |
|---|---|---|
| Web ACL | Container for rules. One Web ACL = one set of protections attached to a resource. | prod-web-acl attached to ALB |
| Rule | A single condition + action (Allow, Block, Count, CAPTCHA) | Block if request matches SQLi pattern |
| Rule Group | Reusable collection of rules | AWS Managed: AWSManagedRulesCommonRuleSet |
| Managed Rules | Pre-built rule sets maintained by AWS or marketplace vendors | OWASP Top 10 protections, Bot Control |
| Rate-Based Rule | Blocks IPs exceeding a request threshold | Block if >2000 requests in 5 minutes from same IP |
Rules in a Web ACL are evaluated in order of priority (lowest number first). Allow and Block are terminating actions: the first matching rule with either one decides the request and later rules are skipped. Count is non-terminating (the match is recorded and evaluation continues), and CAPTCHA/Challenge terminate only when the client fails the check. A request that no rule terminates gets the Web ACL's default action.
| Priority | Rule | Action | Why This Order |
|---|---|---|---|
| 0 | Rate-based rule (2000 req/5min) | Block | Must see ALL traffic to count rates |
| 10 | IP allowlist (office VPN) | Allow | Trusted IPs skip all blocking rules |
| 20 | AWSManagedRulesCommonRuleSet | Block | OWASP Top 10 protections |
| 30 | AWSManagedRulesSQLiRuleSet | Block | SQL injection patterns |
| (none) | Web ACL default action (not a rule) | Allow | Everything no rule terminated passes through |
Put rate-based rules first (they count only the requests that reach them). Put Allow exceptions (IP allowlists) before blocking rules. Set the default action based on your security posture: Allow (permissive) or Block (strict). One caveat on the order above: a shared office NAT address can trip the priority-0 rate rule before the allowlist at priority 10 is reached; either move the allowlist ahead of it or give the rate rule a scope-down statement that excludes the trusted IP set.
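The priority table above expressed as the `Rules` payload of the wafv2 API, plus a small lint that checks the ordering conventions before the ACL is pushed. This is an added example, not code from the original page: the IP set ARN, rule names and metric names are assumptions, and `lint_rule_order` encodes the page's ordering rules rather than any validation AWS performs.

```python
"""AWS WAF (wafv2) rules for the priority table above, with an ordering lint.

Added example, not from the original page. The IP set ARN and rule/metric
names are assumed. build_rules() returns the list you pass as `Rules` to
wafv2.create_web_acl / update_web_acl; lint_rule_order() checks the
conventions the page gives (rate limiter first, Allow exceptions before
blocking rules, unique priorities) before you push the change.
"""
from __future__ import annotations

OFFICE_IPSET_ARN = (  # assumed: IP set holding the office VPN egress addresses
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/office-vpn-ips/"
    "0a1b2c3d-4e5f-6789-abcd-ef0123456789"
)


def visibility(metric: str) -> dict:
    """Metrics and sampled requests on every rule, so Count mode is observable."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


def managed_group(name: str, priority: int, metric: str, count_mode: bool) -> dict:
    """Rule group references take OverrideAction, not Action. {"Count": {}} makes
    the whole group non-terminating, the usual way to trial it on live traffic."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
        "VisibilityConfig": visibility(metric),
    }


def build_rules(rate_limit: int = 2000, count_mode: bool = False) -> list[dict]:
    """Rules in the order of the table: rate limit, allowlist, managed groups."""
    return [
        {
            "Name": "rate-limit-per-ip",
            "Priority": 0,
            # Limit is requests per 5-minute window per source IP. Use
            # AggregateKeyType "FORWARDED_IP" (plus ForwardedIPConfig) when the
            # ACL sits behind a proxy/CDN and must key on X-Forwarded-For.
            "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("RateLimitPerIp"),
        },
        {
            "Name": "office-allowlist",
            "Priority": 10,
            "Statement": {"IPSetReferenceStatement": {"ARN": OFFICE_IPSET_ARN}},
            "Action": {"Allow": {}},
            "VisibilityConfig": visibility("OfficeAllowlist"),
        },
        managed_group("AWSManagedRulesCommonRuleSet", 20, "AwsCommon", count_mode),
        managed_group("AWSManagedRulesSQLiRuleSet", 30, "AwsSqli", count_mode),
    ]


def _is_blocking_pattern_rule(rule: dict) -> bool:
    """A terminating Block rule other than the rate limiter, or a rule group
    left in Block mode (OverrideAction None)."""
    if "RateBasedStatement" in rule["Statement"]:
        return False
    return rule.get("Action") == {"Block": {}} or rule.get("OverrideAction") == {"None": {}}


def lint_rule_order(rules: list[dict]) -> list[str]:
    """Return the ordering problems found (an empty list means the set is consistent)."""
    problems: list[str] = []
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("duplicate priorities: WAF rejects a Web ACL whose rules share a priority")
    ordered = sorted(rules, key=lambda r: r["Priority"])
    for pos, rule in enumerate(ordered):
        stmt = rule["Statement"]
        if "RateBasedStatement" in stmt and pos != 0:
            problems.append(f"{rule['Name']}: rate-based rule is not first; it only counts requests that reach it")
        if ("ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt) and "OverrideAction" not in rule:
            problems.append(f"{rule['Name']}: rule group references need OverrideAction, not Action")
    blockers = [pos for pos, r in enumerate(ordered) if _is_blocking_pattern_rule(r)]
    for pos, rule in enumerate(ordered):
        if rule.get("Action") == {"Allow": {}} and blockers and pos > blockers[0]:
            problems.append(
                f"{rule['Name']}: Allow exception is ordered after blocking rule "
                f"{ordered[blockers[0]]['Name']}, so requests that rule blocks never reach it"
            )
    return problems


if __name__ == "__main__":
    for line in lint_rule_order(build_rules()) or ["rule order OK"]:
        print(line)
```

The Web ACL's default action is not part of `Rules`; it is the separate `DefaultAction` argument of `create_web_acl`. Deploy a new managed group with `count_mode=True`, watch the sampled requests under its metric name for a few days, then flip it to `{"None": {}}` so it blocks.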
When to Use WAF
- Public-facing web applications
- APIs exposed to the internet
- Need to block specific countries/IPs
- Compliance requiring web app firewall
- Bot mitigation (scrapers, credential stuffing)
Pricing Model
- $5/month per Web ACL
- $1/month per rule
- $0.60 per million requests inspected
- Managed rule groups: $1–$30/month each
- Bot Control: $10/month + per-request
For most web apps: attach WAF to your ALB or CloudFront, enable AWSManagedRulesCommonRuleSet + AWSManagedRulesSQLiRuleSet (AWS-authored managed groups other than Bot Control and the fraud-control groups carry no charge beyond the per-rule and per-request WAF fees) + a rate-based rule (2000 req/5 min). Run new managed groups in Count mode first and review the sampled requests before switching them to Block. This covers the OWASP Top 10 categories out of the box.
Security Groups/NACLs = Layer 3/4 (IP and port filtering). WAF = Layer 7 (HTTP content inspection). They complement each other — SGs block unwanted ports, WAF blocks malicious HTTP payloads.
WAF is your Layer 7 shield. It inspects HTTP traffic for malicious patterns (SQLi, XSS, bots) and blocks them before they reach your app. Attach to CloudFront or ALB, enable managed rules, add rate limiting. Done.
ACM provides free public TLS/SSL certificates and automates their lifecycle — provisioning, renewal, and deployment. It solves the operational burden of manually managing certificates for HTTPS.
| Service | Region Requirement | Notes |
|---|---|---|
| CloudFront | Certificate must be in us-east-1 | Global distribution, but cert must be in N. Virginia |
| ALB / NLB | Same region as load balancer | Most common use case for HTTPS termination |
| API Gateway | Same region (or us-east-1 for edge) | Custom domain names with TLS |
| Elastic Beanstalk | Same region | Environment HTTPS configuration |
| EC2 directly | ✗ Not an integration | Standard ACM public certs cannot be exported (ACM added a paid exportable option in 2025). Use Let's Encrypt, import a cert, or ACM Private CA. |
Standard ACM public certificates cannot be installed on EC2 instances directly because their private key is not exportable; they work only with integrated services (ALB, CloudFront, API Gateway). For EC2, use a third-party cert, ACM Private CA, or ACM's paid exportable public certificate option.
| Aspect | ACM Public | ACM Private CA |
|---|---|---|
| Cost | Free | $400/month per CA + $0.75/cert |
| Validation | Domain (DNS/email) | Your approval (you control issuance) |
| Trust | All browsers (public trust) | Only clients you configure |
| Use case | Internet-facing HTTPS | Internal mTLS, IoT, microservices |
| Export | Cannot export private key | Can export private keys |
mTLS between microservices, IoT device certificates, internal services needing TLS, Kubernetes cert management, or issuing certs to non-AWS resources. Common pattern: Public ACM for internet TLS + Private CA for internal service mesh authentication.
✅ ACM Best Practices
- Always use DNS validation (auto-renews)
- Request wildcard: *.example.com + example.com
- CloudFront certs MUST be in us-east-1
- Use ACM for all HTTPS termination (free)
- Alarm on the DaysToExpiry CloudWatch metric (AWS/CertificateManager namespace) and on the "ACM Certificate Approaching Expiration" EventBridge event
❌ Common Mistakes
- Using email validation (breaks auto-renewal)
- Forgetting us-east-1 for CloudFront
- Trying to export public cert to EC2
- Not adding naked domain (example.com) alongside wildcard
- Letting Route 53 CNAME records get deleted
ACM = free TLS certificates + automatic renewal + zero-touch deployment to ALB/CloudFront. Always use DNS validation. Remember: CloudFront requires us-east-1, and standard (non-exportable) public certs cannot be moved to EC2.
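Two of the checklist items above, automated: creating the DNS validation CNAME in Route 53 and flagging certificates whose renewal has not happened or cannot happen. This is an added example, not code from the original page. The two certificate records are constructed in the shape `boto3` returns from `acm.describe_certificate(...)["Certificate"]`; the ARNs, domains, hosted zone ID and the fixed "now" are assumptions. The helpers are pure functions so they run offline; the docstrings say which boto3 call consumes each result.

```python
"""ACM DNS validation and expiry checks as pure functions.

Added example, not from the original page. PENDING_CERT and ISSUED_CERT are
constructed in the describe_certificate response shape; HOSTED_ZONE_ID and
NOW_FOR_DEMO are assumed so the demo is deterministic.
"""
from __future__ import annotations

from datetime import datetime, timezone

HOSTED_ZONE_ID = "Z0123456789ABCDEFGHIJ"  # assumed public hosted zone for example.com
NOW_FOR_DEMO = datetime(2025, 9, 5, 12, 0, tzinfo=timezone.utc)  # constructed "now"

_VALIDATION_RECORD = {  # ACM hands out one record per domain; apex and wildcard share it
    "Name": "_a1b2c3d4e5f6.example.com.",
    "Type": "CNAME",
    "Value": "_f6e5d4c3b2a1.acm-validations.aws.",
}

# Constructed: just after request_certificate(ValidationMethod="DNS"), nothing issued yet
PENDING_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION", "ResourceRecord": dict(_VALIDATION_RECORD)},
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION", "ResourceRecord": dict(_VALIDATION_RECORD)},
    ],
}

# Constructed: an issued, in-use certificate approaching its NotAfter date
ISSUED_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/66666666-7777-8888-9999-000000000000",
    "DomainName": "api.example.com",
    "SubjectAlternativeNames": ["api.example.com"],
    "Status": "ISSUED",
    "RenewalEligibility": "ELIGIBLE",
    "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod/0123456789abcdef"],
    "NotAfter": datetime(2025, 9, 30, 12, 0, tzinfo=timezone.utc),
    "DomainValidationOptions": [
        {"DomainName": "api.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS",
         "ResourceRecord": {"Name": "_9f8e7d6c.api.example.com.", "Type": "CNAME",
                            "Value": "_1a2b3c4d.acm-validations.aws."}},
    ],
}


def validation_change_batch(cert: dict) -> dict:
    """Route 53 ChangeBatch that creates ACM's validation CNAMEs.

    Deduplicates (apex + wildcard share a record) and uses UPSERT so re-running
    it after someone deletes the record restores it. Apply with
    route53.change_resource_record_sets(HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=batch).
    """
    wanted: dict[tuple[str, str], str] = {}
    for option in cert["DomainValidationOptions"]:
        record = option.get("ResourceRecord")
        if record:  # absent for EMAIL validation
            wanted[(record["Name"], record["Type"])] = record["Value"]
    return {
        "Comment": f"ACM DNS validation for {cert['DomainName']}",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": {"Name": name, "Type": rtype, "TTL": 300,
                                   "ResourceRecords": [{"Value": value}]}}
            for (name, rtype), value in sorted(wanted.items())
        ],
    }


def days_to_expiry(cert: dict, now: datetime) -> int | None:
    """Days until NotAfter, or None while the certificate is still pending."""
    not_after = cert.get("NotAfter")
    return None if not_after is None else (not_after - now).days


def renewal_risks(cert: dict, now: datetime, warn_days: int = 30) -> list[str]:
    """Conditions under which ACM's automatic renewal has not worked or cannot work."""
    risks: list[str] = []
    if cert["Status"] != "ISSUED":
        risks.append(f"status is {cert['Status']}")
    if any(o["ValidationMethod"] == "EMAIL" for o in cert["DomainValidationOptions"]):
        risks.append("email validation: renewal needs someone to click the approval link")
    remaining = days_to_expiry(cert, now)
    if remaining is not None and remaining <= warn_days:
        risks.append(f"expires in {remaining} days: renewal has not happened, check the validation CNAME still resolves")
    return risks


if __name__ == "__main__":
    print(validation_change_batch(PENDING_CERT))
    print(renewal_risks(ISSUED_CERT, NOW_FOR_DEMO))
```

ACM renews a DNS-validated certificate by re-checking the same CNAME, which is why the change batch uses UPSERT and why the only realistic renewal failures for a DNS-validated cert are a deleted record or a hosted zone that moved. Run `renewal_risks` over `acm.list_certificates()` on a schedule, or alarm on the DaysToExpiry metric, so a missed renewal surfaces weeks before the outage.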
CloudHSM provides dedicated, single-tenant Hardware Security Modules in the AWS cloud. Unlike KMS (shared, managed HSMs), CloudHSM gives you full control over the hardware and cryptographic operations.
| Aspect | AWS KMS | AWS CloudHSM |
|---|---|---|
| Tenancy | Multi-tenant (shared HSM fleet) | Single-tenant (your dedicated HSMs) |
| FIPS 140-2 | Level 2 (the figure most exam material cites; KMS HSMs have since been validated at Level 3, so check the current AWS compliance page) | Level 3 |
| Management | AWS manages everything | You manage users, keys, operations |
| Access | AWS APIs (kms:Encrypt, etc.) | Industry standard APIs (PKCS#11, JCE, CNG) |
| Integration | 100+ AWS services natively | Custom apps, Oracle TDE, SSL offload |
| Cost | $1/key/month + API calls | ~$1.50/hour per HSM (~$1,100/month) |
| HA | Automatic (multi-AZ) | You deploy 2+ HSMs across AZs |
| Key export | Keys never leave KMS | You control keys — can export |
Use CloudHSM When
- Regulatory requires FIPS 140-2 Level 3
- Need single-tenant HSM (no shared hardware)
- Must use PKCS#11, JCE, or CNG APIs
- Oracle TDE (Transparent Data Encryption)
- SSL/TLS offloading at web server level
- Custom cryptographic operations
Stick with KMS When
- Standard AWS service encryption (S3, EBS, RDS)
- Don't need FIPS Level 3
- Want managed service (no HSM admin)
- Cost-sensitive ($1/key vs $1,100/month)
- Don't need custom crypto APIs
- 99% of workloads → KMS is sufficient
CloudHSM clusters live in your VPC. You deploy HSMs across AZs for HA (minimum 2 recommended). KMS can use CloudHSM as a Custom Key Store — giving you KMS API convenience + CloudHSM hardware isolation.
With CloudHSM, you own key management. If you lose your HSM credentials and haven't backed up keys, they are gone forever. AWS cannot recover them. KMS handles this for you automatically.
CloudHSM = dedicated HSM hardware you fully control. Use it only when regulations demand FIPS Level 3 or single-tenant HSMs. For everything else, KMS is simpler, cheaper, and integrated with all AWS services.
AWS Shield protects your applications against Distributed Denial of Service (DDoS) attacks. It comes in two tiers: Standard (free, automatic) and Advanced (paid, with response team and financial protection).
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (automatic for all AWS accounts) | $3,000/month (1-year commitment) + data transfer fees |
| Protection | Layer 3/4 (network/transport) | Layer 3/4/7 (+ application layer) |
| What it covers | SYN floods, UDP reflection, amplification | All Standard + HTTP floods, DNS query floods, sophisticated L7 |
| Response Team | ✗ No | ✓ 24/7 Shield Response Team (SRT) |
| Cost Protection | ✗ No | ✓ DDoS cost protection (credits for scaling charges) |
| Visibility | Basic metrics | Real-time attack dashboards, detailed diagnostics |
| WAF Integration | Separate | ✓ Free WAF for Shield-protected resources |
| Health Checks | ✗ | ✓ Route 53 health-check integration for faster detection |
Eligible Resources
- CloudFront distributions
- Route 53 hosted zones
- Application Load Balancers
- Elastic IPs (EC2, NLB)
- Global Accelerator
What SRT Does
- Analyzes attack in real-time
- Creates custom WAF rules
- Applies mitigations proactively
- Provides post-attack analysis
- Available 24/7 via support
Cost Protection
- DDoS causes scaling → higher bill
- Shield Advanced provides credits
- Covers: EC2, ELB, CloudFront, Route 53
- Must have proper auto-scaling
- Request within 15 days of attack
✓ Eligible for Shield Advanced
- CloudFront distributions (any region)
- Route 53 hosted zones
- Application Load Balancers
- Network Load Balancers
- Elastic IP addresses (EC2, NLB)
- AWS Global Accelerator
✗ NOT Directly Eligible
- EC2 instances (must use EIP or put behind ALB)
- API Gateway (only via CloudFront)
- S3 static websites (only via CloudFront)
- Lambda function URLs
- Direct-connect endpoints
Put your application behind CloudFront even if you don't need caching — it gives you full DDoS protection + Shield Advanced eligibility + WAF attachment point. Cost: $3,000/month covers up to 1,000 protected resources.
| Aspect | WAF | Shield Standard | Shield Advanced |
|---|---|---|---|
| What it does | Inspects HTTP content | Filters network floods | All + L7 + response team |
| Attack type | SQLi, XSS, bots, rate abuse | SYN/UDP floods, amplification | All DDoS types |
| Layer | Layer 7 (HTTP) | Layer 3/4 (network) | Layers 3/4/7 |
| Cost | $5/ACL + usage | Free | $3,000/month (incl. WAF) |
Key insight: They complement each other. Shield Standard blocks volumetric network floods. WAF blocks targeted HTTP attacks. You need both for full protection. Shield Advanced includes WAF at no extra cost.
For most applications, Shield Standard + CloudFront + WAF rate rules provides excellent DDoS protection at low cost. Shield Advanced is for high-value targets (financial services, gaming, governments) where $3K/month is justified by the 24/7 SRT and cost protection.
Every AWS account has Shield Standard automatically — you don't need to enable it. It protects against the most common volumetric attacks (SYN/UDP floods) at the network edge. No additional cost.
Shield Standard = free, automatic Layer 3/4 DDoS protection for all AWS accounts. Shield Advanced = $3K/month for Layer 7 protection, 24/7 response team, cost protection credits, and WAF included. Most apps need Standard + WAF rate rules only.
GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts for malicious activity and unauthorized behavior. It uses machine learning, anomaly detection, and threat intelligence to identify threats — with zero infrastructure to deploy.
| Data Source | What It Analyzes | Threats Detected |
|---|---|---|
| CloudTrail Events | API calls across your account | Unusual API patterns, credential compromise, privilege escalation |
| VPC Flow Logs | Network traffic metadata | Crypto mining, data exfiltration, C2 communication, port scanning |
| DNS Logs | DNS query patterns | Communication with known malicious domains, DNS tunneling |
| S3 Data Events | S3 API calls | Unusual access patterns, public exposure, data theft |
| EKS Audit Logs | Kubernetes control plane | Suspicious container activity, privilege escalation in k8s |
| Lambda Protection | Network activity of Lambda functions (VPC flow data) | Functions contacting crypto-mining pools or C2 infrastructure, credential abuse from functions |
GuardDuty pricing is based on volume of data analyzed, NOT on findings generated:
| Data Source | Pricing | Typical Small Account |
|---|---|---|
| CloudTrail Events | $1.00 per 1M events | ~$0.50–$2.00/month |
| VPC Flow Logs | $0.10 per GB analyzed | ~$1.00–$10.00/month |
| DNS Logs | $0.10 per 1M queries | ~$0.10–$2.00/month |
| S3 Data Events | $0.25 per 1M events | ~$0 (unless high-volume S3) |
| EKS Audit Logs | $0.10 per 1M events | ~$0 (unless large cluster) |
Typical monthly cost: $5–$20/month for a small-to-medium account (the per-unit figures above are approximate and tiered; check the current pricing page). 30-day free trial. No commitment. Well worth the threat-detection coverage.
High Severity
- EC2 communicating with known C2 server
- Credentials used from known malicious IP
- S3 bucket policy made public maliciously
- Crypto mining detected on EC2
Medium Severity
- Unusual API calls from an IAM user
- EC2 port probe from unusual source
- DNS queries to bitcoin-related domains
- Unusual instance launch in new region
Low Severity
- SSH brute force attempt
- API called from Tor exit node
- Unusual login time for IAM user
- DNS query to low-reputation domain
GuardDuty needs no agents for its core data sources and no configuration beyond enabling it, has a 30-day free trial, and costs roughly $1–4 per million events after that. It catches what good IAM policies cannot prevent: compromised credentials, insider threats, zero-days. Enable it in every region and every account (with a delegated administrator in Organizations, new accounts are covered automatically).
Detection → Response Pipeline
- GuardDuty generates finding
- EventBridge rule matches finding type
- Lambda function triggered automatically
- Isolates compromised resource (SG change)
- Sends alert via SNS/PagerDuty
Common Auto-Responses
- Quarantine EC2 (restrictive SG)
- Disable compromised IAM credentials
- Block malicious IP in WAF
- Snapshot EC2 for forensics
- Notify security team immediately
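The detection-to-response pipeline above as working code: the EventBridge rule pattern that selects findings, and a Lambda handler that plans and runs the quarantine steps. This is an added example, not code from the original page. `EVENT_PATTERN` is real EventBridge pattern syntax and the two sample events are constructed in the GuardDuty finding schema; the quarantine security group ID, SNS topic ARN, account ID and severity threshold are assumptions. `plan_response` turns a finding into an ordered list of boto3 calls and `lambda_handler` runs them through an injectable `call` function, so the decision logic is testable without AWS; the default `call` imports boto3 lazily.

```python
"""GuardDuty finding -> EventBridge rule -> Lambda auto-response.

Added example, not from the original page. EC2_EVENT and KEY_EVENT are
constructed; QUARANTINE_SG, ALERT_TOPIC and AUTO_REMEDIATE_AT are assumed.
"""
from __future__ import annotations

import json

QUARANTINE_SG = "sg-0a1b2c3d4e5f67890"  # assumed: security group with no inbound or outbound rules
ALERT_TOPIC = "arn:aws:sns:us-east-1:123456789012:security-alerts"  # assumed
AUTO_REMEDIATE_AT = 7.0  # GuardDuty severity 7.0-8.9 is High, 9.0+ is Critical

# EventBridge rule pattern: only High and Critical GuardDuty findings reach the Lambda.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", AUTO_REMEDIATE_AT]}]},
}

# Constructed: EC2 instance resolving a known command-and-control domain
EC2_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "e0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "accountId": "123456789012",
        "region": "us-east-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0", "instanceType": "t3.medium"},
        },
    },
}

# Constructed: IAM user access key used from a known malicious IP
KEY_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "f1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "severity": 7.5,
        "accountId": "123456789012",
        "region": "us-east-1",
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                 "userName": "ci-deployer", "userType": "IAMUser"},
        },
    },
}


def plan_response(event: dict) -> list[tuple[str, dict]]:
    """Map a finding to ordered ("service.method", kwargs) boto3 calls.

    Snapshot before isolating, so the forensic copy predates our own changes.
    Below the High threshold do nothing: auto-remediating low-confidence
    findings causes self-inflicted outages.
    """
    finding = event["detail"]
    if event.get("source") != "aws.guardduty" or finding["severity"] < AUTO_REMEDIATE_AT:
        return []
    plan: list[tuple[str, dict]] = []
    resource = finding["resource"]
    if resource["resourceType"] == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        plan.append(("ec2.create_snapshots", {  # crash-consistent snapshots of every attached volume
            "InstanceSpecification": {"InstanceId": instance_id},
            "Description": f"GuardDuty {finding['type']} {finding['id']}",
            "CopyTagsFromSource": "volume",
        }))
        plan.append(("ec2.modify_instance_attribute", {"InstanceId": instance_id, "Groups": [QUARANTINE_SG]}))
        plan.append(("ec2.create_tags", {"Resources": [instance_id],
                                         "Tags": [{"Key": "Quarantine", "Value": finding["type"]}]}))
    elif resource["resourceType"] == "AccessKey":
        key = resource["accessKeyDetails"]
        if key.get("userType") == "IAMUser":  # assumed-role sessions have no long-lived key to deactivate
            plan.append(("iam.update_access_key", {"UserName": key["userName"],
                                                  "AccessKeyId": key["accessKeyId"], "Status": "Inactive"}))
    plan.append(("sns.publish", {
        "TopicArn": ALERT_TOPIC,
        "Subject": f"GuardDuty {finding['severity']} {finding['type']}"[:100],  # SNS subject limit
        "Message": json.dumps({"finding": finding["id"], "actions": [api for api, _ in plan]}),
    }))
    return plan


def _boto3_call(api: str, kwargs: dict) -> dict:
    """Default executor: 'ec2.create_tags' -> boto3.client('ec2').create_tags(**kwargs)."""
    import boto3  # imported here so the planning logic has no AWS dependency

    service, method = api.split(".", 1)
    return getattr(boto3.client(service), method)(**kwargs)


def lambda_handler(event: dict, context, call=_boto3_call) -> dict:
    """Lambda entry point. Executes the plan in order and reports what ran."""
    executed = []
    for api, kwargs in plan_response(event):
        call(api, kwargs)
        executed.append(api)
    return {"finding": event["detail"]["id"], "executed": executed}
```

The Lambda's execution role needs exactly the calls the plan can emit (ec2:CreateSnapshots, ec2:ModifyInstanceAttribute, ec2:CreateTags, iam:UpdateAccessKey, sns:Publish) and nothing more; a response function with broad permissions is itself a target. Swapping the security group isolates the instance without stopping it, so memory and running processes survive for the forensic follow-up.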
GuardDuty = one-click threat detection using ML + threat intel. Zero infrastructure. Monitors CloudTrail, VPC Flow, DNS, S3, EKS. Generates findings you can automate responses for via EventBridge + Lambda. Enable in every account, every region. No reason not to.
AWS Inspector is a continuous, automated vulnerability assessment service that scans your workloads — EC2 instances, container images in ECR, and Lambda functions — for software vulnerabilities (CVEs) and unintended network exposure.
Inspector v2 (launched 2021) replaced the original Inspector. It provides continuous scanning rather than one-shot assessments, deeper integration with Security Hub and ECR, and supports EC2, Lambda, and container images in a single service.
| Target | What Is Checked | How It Works |
|---|---|---|
| EC2 Instances | OS and application package CVEs, network reachability, open ports exposed to the internet | SSM Agent delivers findings in near real time; agentless EBS-snapshot scanning (hybrid mode) covers instances without the agent |
| ECR Container Images | OS layer and application library CVEs at image push time and continuously thereafter | Agentless: Inspector integrates with ECR directly |
| Lambda Functions | Application package dependencies (npm, pip, Maven, etc.) for known CVEs | Agentless: scans the function deployment package |
Critical / High CVE
- CVSS score 7.0–10.0
- Remote code execution vulnerabilities
- Privilege escalation exploits
- Patch or replace immediately
Network Reachability
- Port exposed to 0.0.0.0/0 or ::/0
- No patching needed: fix Security Groups
- Common: port 22 (SSH) or 3389 (RDP) open
- Inspector maps the full VPC path
Software Vulnerabilities
- OS packages (yum, apt) with known CVEs
- App libraries (log4j, openssl, etc.)
- Container image layer vulnerabilities
- Lambda dependency CVEs
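The three triage buckets above applied to Inspector v2 findings, and the same data used as a CI gate that refuses to deploy a container image with an actionable Critical/High CVE. This is an added example, not code from the original page or from Inspector. The findings are constructed in the shape `inspector2.list_findings` returns (`severity`, `type`, `resources`, `packageVulnerabilityDetails`, `networkReachabilityDetails`, `fixAvailable`, `exploitAvailable`); the image digest, repository, instance ID and account are assumptions, and the severity/fix/exploit values are set for the demo rather than taken from Inspector's assessment of those CVEs.

```python
"""Inspector v2 finding triage and an ECR image gate.

Added example, not from the original page. FINDINGS is constructed sample data
in the list_findings response shape; IMAGE and INSTANCE are assumed.
"""
from __future__ import annotations

IMAGE = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"  # assumed digest
INSTANCE = "i-0123456789abcdef0"  # assumed
_ECR_IMAGE_ARN = f"arn:aws:ecr:us-east-1:123456789012:repository/payments/{IMAGE}"

# Constructed findings. The severity/fix/exploit fields are demo values, not a
# statement about how Inspector actually rates these CVEs.
FINDINGS = [
    {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/0001",
        "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "inspectorScore": 10.0,
        "fixAvailable": "YES", "exploitAvailable": "YES",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": _ECR_IMAGE_ARN}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-2021-44228",
            "vulnerablePackages": [{"name": "log4j-core", "version": "2.14.1", "fixedInVersion": "2.17.1"}],
        },
    },
    {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/0002",
        "type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "inspectorScore": 7.5,
        "fixAvailable": "NO", "exploitAvailable": "NO",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": _ECR_IMAGE_ARN}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-2023-5363",
            "vulnerablePackages": [{"name": "libssl3", "version": "3.0.2-0ubuntu1.10"}],
        },
    },
    {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/0003",
        "type": "PACKAGE_VULNERABILITY", "severity": "MEDIUM", "inspectorScore": 5.3,
        "fixAvailable": "YES", "exploitAvailable": "NO",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": INSTANCE}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-2023-2650",
            "vulnerablePackages": [{"name": "openssl", "version": "3.0.2-0ubuntu1.8", "fixedInVersion": "3.0.2-0ubuntu1.10"}],
        },
    },
    {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/0004",
        "type": "NETWORK_REACHABILITY", "severity": "HIGH",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": INSTANCE}],
        "networkReachabilityDetails": {"openPortRange": {"begin": 22, "end": 22}, "protocol": "TCP"},
    },
]


def triage(findings: list[dict]) -> dict[str, list[str]]:
    """Sort findings into the three buckets above: patch now, fix the SG, backlog."""
    buckets: dict[str, list[str]] = {"patch_now": [], "fix_security_group": [], "backlog": []}
    for f in findings:
        if f["type"] == "NETWORK_REACHABILITY":
            net = f["networkReachabilityDetails"]
            ports = net["openPortRange"]
            buckets["fix_security_group"].append(
                f"{f['resources'][0]['id']} {net['protocol']} {ports['begin']}-{ports['end']}")
        elif f["severity"] in ("CRITICAL", "HIGH"):
            buckets["patch_now"].append(f["packageVulnerabilityDetails"]["vulnerabilityId"])
        else:
            buckets["backlog"].append(f["packageVulnerabilityDetails"]["vulnerabilityId"])
    return buckets


def image_gate(findings: list[dict], image_digest: str,
               block_on: tuple[str, ...] = ("CRITICAL", "HIGH"),
               require_fix: bool = True) -> tuple[bool, list[str]]:
    """Return (passed, blocking CVE IDs) for one image.

    With require_fix=True a finding blocks only when it is actionable: a fixed
    package version exists, or an exploit is public (then block regardless, the
    team must mitigate). Blocking on unfixable CVEs trains people to bypass gates.
    """
    blocking: list[str] = []
    for f in findings:
        if f["type"] != "PACKAGE_VULNERABILITY" or f["severity"] not in block_on:
            continue
        if not any(r["type"] == "AWS_ECR_CONTAINER_IMAGE" and r["id"].endswith(image_digest)
                   for r in f["resources"]):
            continue
        actionable = f.get("fixAvailable") in ("YES", "PARTIAL") or f.get("exploitAvailable") == "YES"
        if actionable or not require_fix:
            blocking.append(f["packageVulnerabilityDetails"]["vulnerabilityId"])
    return (len(blocking) == 0, sorted(blocking))


if __name__ == "__main__":
    print(triage(FINDINGS))
    print(image_gate(FINDINGS, IMAGE))
```

In a pipeline, fetch the findings with `inspector2.list_findings` filtered on `ecrImageHash` for the digest just pushed, call `image_gate`, and fail the job when `passed` is false; the sorted CVE list is what goes into the build log. Because ECR scan-on-push results arrive asynchronously, poll `list_findings` until the image's scan status is complete before gating.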
| Resource Type | Pricing | Notes |
|---|---|---|
| EC2 Instances | ~$0.11 per instance/month | Requires SSM Agent; prorated by hours running |
| ECR Container Images | ~$0.09 per image re-scan/month | Initial push scan free; continuous re-scanning billed |
| Lambda Functions | ~$0.30 per function/month | Per function, not per invocation |
Typical cost: a small account with 10 EC2 instances, 20 ECR images and 5 Lambda functions runs roughly $5–$10/month (per-unit figures above are approximate; check the current pricing page). 15-day free trial on first enable.
| Aspect | Inspector | GuardDuty |
|---|---|---|
| What it finds | Vulnerabilities before exploitation (CVEs, misconfigs) | Active threats during or after exploitation |
| When to use | Shift-left security: find issues before attackers do | Runtime detection: catch what slips through |
| Data source | Package metadata, CVE databases, network config | CloudTrail, VPC Flow Logs, DNS, runtime logs |
| Action | Patch / update / fix SGs | Quarantine / alert / investigate |
| Analogy | Pre-flight safety check | Black box recorder + mid-flight alert |
Use Inspector and GuardDuty together: Inspector prevents exploitation by finding CVEs early (shift-left); GuardDuty detects exploitation attempts at runtime. They are complementary, not competing.
AWS Inspector = continuous automated CVE scanning for EC2, ECR, and Lambda. Enable it to find vulnerabilities before attackers do. Zero infrastructure for ECR and Lambda; EC2 needs the SSM Agent (or agentless snapshot scanning in hybrid mode). Costs ~$5–$10/month for a typical account. Always pair with GuardDuty for runtime detection.
AWS Macie is a fully managed data security service that uses machine learning to automatically discover, classify, and protect sensitive data stored in Amazon S3. It identifies personally identifiable information (PII), financial data, credentials, and other sensitive content, and alerts when S3 buckets are at risk of unintended exposure.
Sensitive Data Types (Managed)
- PII: names, addresses, SSNs, passport numbers
- Financial: credit card numbers, bank account numbers
- Medical: health record identifiers (PHI/HIPAA)
- Credentials: AWS IAM access keys, private keys, passwords in files
- Network: IP addresses, MAC addresses
Custom Data Identifiers
- Define your own regex patterns
- Match employee IDs, internal project codes, proprietary formats
- Add keywords to reduce false positives
- Combine with managed types in the same job
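Why the "add keywords to reduce false positives" advice works, shown on a constructed sample object. This is an added example, not code from the original page and not Macie's implementation: it re-creates the documented behaviour of a custom data identifier (a regex, optional keywords that must appear within a maximum match distance before the match) and the Luhn check Macie applies to card numbers, so the effect of each filter is visible. The employee-ID format `EMP-NNNNNNN`, the keywords and the sample text are assumptions.

```python
"""Macie-style data identifiers: regex, keyword proximity, Luhn validation.

Added example, not from the original page and not Macie's code. SAMPLE_OBJECT
is constructed; the employee-ID format and keywords are assumed.
"""
from __future__ import annotations

import re
from typing import Callable, Iterable

# Constructed sample: support-ticket notes as they might sit in an S3 object.
# Line 1 has a part number in the employee-ID format but no employee context;
# line 4 has a 16-digit tracking code that is not a valid card number.
SAMPLE_OBJECT = "\n".join([
    "TCK-1001 Order EMP-4457812 shipped to warehouse 7, carrier notified",
    "TCK-1002 Escalated by employee id EMP-9921034 (HR)",
    "TCK-1003 card 4111 1111 1111 1111 charged 42.00",
    "TCK-1004 ref 4111 1111 1111 1112 is a tracking code",
    "TCK-1005 Employee: EMP-3300127 requested access",
])

EMPLOYEE_ID_REGEX = r"\bEMP-\d{7}\b"            # assumed internal format
EMPLOYEE_KEYWORDS = ("employee", "staff")      # must not be substrings of the regex text itself
CARD_REGEX = r"\b(?:\d[ -]?){15}\d\b"          # 16 digits with optional space/dash separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits in `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_matches(text: str, pattern: str, keywords: Iterable[str] = (),
                 max_distance: int = 50,
                 validator: Callable[[str], bool] | None = None) -> list[str]:
    """Regex matches that pass the validator and, if keywords are given, have a
    keyword within `max_distance` characters before the end of the match
    (Macie's keyword/maximumMatchDistance semantics). Keyword search is
    case-insensitive; 50 is Macie's default distance."""
    keywords = tuple(k.lower() for k in keywords)
    lowered = text.lower()
    hits: list[str] = []
    for m in re.finditer(pattern, text):
        if validator is not None and not validator(m.group()):
            continue
        if keywords:
            window = lowered[max(0, m.end() - max_distance):m.end()]
            if not any(k in window for k in keywords):
                continue
        hits.append(m.group())
    return hits


def scan(text: str = SAMPLE_OBJECT) -> dict[str, list[str]]:
    """Run the identifiers with and without their filters to show what each removes."""
    return {
        "employee_ids_regex_only": find_matches(text, EMPLOYEE_ID_REGEX),
        "employee_ids_with_keywords": find_matches(text, EMPLOYEE_ID_REGEX, EMPLOYEE_KEYWORDS),
        "card_numbers_regex_only": find_matches(text, CARD_REGEX),
        "card_numbers_luhn_valid": find_matches(text, CARD_REGEX, validator=luhn_ok),
    }


if __name__ == "__main__":
    for name, found in scan().items():
        print(f"{name}: {found}")
```

The corresponding Macie API call is `create_custom_data_identifier` with `regex`, `keywords`, `ignoreWords` and `maximumMatchDistance`; the regex alone produces the "part number" false positive on line 1, and the keyword constraint removes it without touching the real matches. Managed identifiers such as the credit card one carry their own validation (Luhn here), which is why a random 16-digit string in line 4 is not reported.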
| Finding Category | Example | Action |
|---|---|---|
| Policy: Public Access | S3 bucket has Block Public Access disabled | Enable S3 Block Public Access |
| Policy: Encryption Disabled | Default encryption not configured on bucket | Enable SSE-S3 or SSE-KMS |
| Policy: Shared Externally | Bucket policy grants access to external account | Review and tighten bucket policy |
| Sensitive Data: PII | SSNs found in customer_data.csv | Encrypt, restrict access, audit lineage |
| Sensitive Data: Credentials | AWS access key found in app_config.json | Rotate keys immediately, scan source code |
| Sensitive Data: Financial | Credit card numbers in payment_logs.txt | Encrypt + restrict + review compliance |
| Component | Cost | Notes |
|---|---|---|
| S3 Bucket Inventory & Monitoring | ~$1.00 per bucket/month (tiered; verify against the current pricing page) | Evaluated continuously, even without running jobs |
| Sensitive Data Discovery | $1.00 per GB analyzed | Based on object bytes analyzed in jobs |
Typical cost: an account with 50 buckets and 100 GB of data analyzed per month comes to about $50 + $100 = $150/month at the rates above. 30-day free trial. Bucket inventory is the fixed ongoing cost; discovery job cost scales with data volume.
| Service | Finds | Where It Looks | When to Enable |
|---|---|---|---|
| Macie | Sensitive data (PII, credentials) + bucket misconfigs | S3 only | Any account storing personal/financial data |
| Inspector | Software vulnerabilities (CVEs) + network exposure | EC2, ECR, Lambda | Any account running compute workloads |
| GuardDuty | Active threats (compromised creds, malware, exfiltration) | CloudTrail, VPC Flow, DNS, S3, EKS, Lambda | Every account, every region, always |
Macie is the go-to service for GDPR, HIPAA, and PCI-DSS compliance work in AWS. Use it to prove you know where personal data lives, ensure it is encrypted and access-controlled, and generate evidence for audits. Without it, you may be storing PII you don’t know about.
AWS Macie = ML-powered PII and sensitive data discovery for S3. It tells you what sensitive data you have, where it is, and whether it’s at risk of exposure. Pair with S3 Block Public Access, KMS encryption, and GuardDuty for a complete S3 security posture. Essential for any compliance-regulated workload.
Shield Standard (free) + GuardDuty ($5–20/mo) + ACM (free) + WAF (if public-facing, ~$10–30/mo). Total: under $50/month for excellent security coverage. Add Shield Advanced and CloudHSM only when compliance or risk demands it.
E-Commerce (Public Web)
- CloudFront (edge caching)
- Shield Standard (auto DDoS)
- WAF (SQLi + XSS + rate limit + bot)
- ACM cert on CloudFront
- GuardDuty (all accounts)
- Cost: ~$30–50/mo
Internal API (Corporate)
- ALB (internal-facing)
- WAF with IP allowlist only
- ACM cert on ALB (internal TLS)
- No Shield Advanced needed
- GuardDuty (catch credential abuse)
- Cost: ~$15–25/mo
Regulated (PCI/HIPAA)
- CloudFront + Shield Advanced
- WAF (OWASP + custom rules)
- ACM + CloudHSM (FIPS L3)
- KMS Custom Key Store
- GuardDuty + Security Hub + auto-response
- Cost: ~$4,200+/mo
| Service | Layer | Protects Against | Cost |
|---|---|---|---|
| WAF | Layer 7 (HTTP) | SQLi, XSS, bots, rate abuse | $5/ACL + $0.60/M requests |
| ACM | Transport (TLS) | Expired certs, unencrypted traffic | Free (public certs) |
| CloudHSM | Cryptographic | Regulatory non-compliance, key exposure | ~$1,100/month per HSM |
| Shield | Layer 3/4 (+ 7 Advanced) | DDoS attacks (volumetric + application) | Free (Standard) / $3K/mo (Advanced) |
| GuardDuty | Account-wide intelligence | Compromised credentials, malware, exfiltration | ~$1–4/M events |
| Inspector | Workload vulnerability | CVEs in EC2/ECR/Lambda, unintended network exposure | ~$0.11/EC2 + $0.09/ECR image/mo |
| Macie | Data security (S3) | PII exposure, unencrypted sensitive data, bucket misconfigs | $1/bucket/mo + $1/GB analyzed |
- "Block SQL injection" → WAF (Layer 7 inspection)
- "Free HTTPS certificate" → ACM (DNS validation, auto-renewal)
- "FIPS 140-2 Level 3 on a single-tenant HSM" → CloudHSM (older material cites KMS as Level 2; KMS HSMs now also hold Level 3 validation, so the durable CloudHSM differentiators are single tenancy and PKCS#11/JCE/CNG access)
- "DDoS protection with response team" → Shield Advanced
- "Detect compromised EC2 instance" → GuardDuty
- "Certificate for CloudFront" → ACM in us-east-1
- "Crypto mining detection" → GuardDuty
- "Rate limit API requests" → WAF rate-based rule
- "Cost protection during DDoS" → Shield Advanced
- "Scan EC2 or containers for CVEs" → Inspector
- "Find vulnerabilities before exploitation" → Inspector (not GuardDuty)
- "Discover PII in S3" or "find sensitive data in buckets" → Macie
- "GDPR / HIPAA / PCI data discovery" → Macie
- "Bucket policy made public" → Macie (policy finding) + GuardDuty
- "How services work together" → Shield + WAF + CloudFront + GuardDuty + Inspector + Macie = layered defense