1 Introduction
As businesses continue embracing the cloud to achieve better agility and innovation, speed up time to market for their digital services and eliminate the costs of maintaining their own infrastructures, more and more corporate data migrates to the cloud, including highly sensitive information such as intellectual property, financial transactions or personally identifiable information (PII).
Unfortunately, while most companies enjoy such benefits of the cloud as increased scalability and reduced management overhead, they often overlook the additional security and compliance risks that arise from it. Many tend to believe that it is the cloud service provider’s responsibility to ensure the safety of its customers’ data; however, this isn’t so. According to the shared responsibility model, cloud service providers are responsible for managing and securing the underlying infrastructure, while customers retain full responsibility for security and compliance of the services and data they own and manage.
The number and scale of well-publicized data breaches that involve cloud services indicate that even some of the largest enterprises can struggle with the growing complexity of their cloud infrastructures, lack of visibility into their current security posture and, last but not least, overwhelming amounts of alerts to investigate and mitigate. While large corporations that can afford running their own security operations centers (SOCs) have an option to bring these cloud-generated alerts into their security information and event management (SIEM) systems, this alone does not reduce the number of incidents to deal with and does not provide the much-needed context information for prioritizing the mitigation actions.
A much better approach to cloud infrastructure and service security, however, is to harden them proactively by identifying potential vulnerabilities and deviations from industry standards and best practices in advance. This not only helps avoid data breaches before they occur but also substantially improves regulatory compliance. With the growing number of regulatory frameworks, both industry-specific, like PCI, and geography-based, like GDPR, and massive financial and reputational losses for violating them, automating compliance checks is something every business should be looking into.
Amazon Web Services, Inc. (AWS) is a multinational cloud service provider headquartered in Seattle, USA, and a subsidiary of the American retail giant Amazon.com. The AWS platform was launched in 2006 with the vision of offering on-demand access to a centrally managed computing infrastructure to customers on a subscription basis, thus essentially making the company the first major player in the cloud computing market. Over the years, AWS has managed to remain a leader of this rapidly growing market, both in the size of its global cloud infrastructure and in yearly revenue. Serving over a million enterprise customers, the company offers a broad range of cloud services: from low-level computing and storage components to artificial intelligence and quantum computing.
AWS has substantially and continuously invested in security and compliance services for its cloud infrastructure over the years. Amazon GuardDuty, released back in 2017, was the company’s first dedicated security analytics tool. In 2019, AWS launched Security Hub, a service that provides a central view over its comprehensive suite of services to monitor for threats, misconfigurations and compliance violations across its portfolio. AWS Security Hub, an open cloud security and compliance management platform, aggregates all security alerts and organizes and prioritizes them across multiple accounts and services.