DEV Community

AWS Community Builders profile image Matheus Almeida Costa
Matheus Almeida Costa for AWS Community Builders

Posted on • Edited on

AWS Security Services Overview

#aws #security #cloud #cloudsec

AWS Security Services

This post provides a complete overview of AWS security services, serving as a resumed reference guide for professionals who work with Cloud Security.

The goal is to give a clear understanding of what each service does, how it fits into an AWS security strategy, and when it makes sense to use it in real environments.

Each section is grouped by category, with a short scenario and a few practical notes:

  • Identity & Access Management
    • AWS Identity and Access Management (IAM)
    • AWS IAM Access Analyzer
    • AWS IAM Identity Center
    • AWS Organizations
    • AWS Resource Access Manager (RAM)
    • Amazon Cognito
    • AWS Directory Service
  • Data Protection
    • AWS Secrets Manager
    • AWS Private Certificate Authority (Private CA)
    • AWS Certificate Manager (ACM)
    • Amazon Macie
    • AWS Key Management Service (KMS)
    • AWS CloudHSM
    • AWS Payment Cryptography
  • Network and Application Protection
    • AWS WAF
    • AWS Shield
    • AWS Network Firewall
    • AWS Firewall Manager
    • AWS Verified Access
    • Amazon VPC Lattice
  • Threat Detection & Monitoring
    • AWS CloudTrail
    • Amazon GuardDuty
    • AWS Security Hub
    • Amazon Detective
    • Amazon Inspector
    • Amazon Security Lake
    • AWS Security Incident Response
  • Application Security
    • AWS Systems Manager
    • AWS Signer
    • AWS Security Agent
    • Amazon Verified Permissions
  • Compliance & Governance
    • AWS Config
    • AWS Audit Manager
    • AWS Artifact

Identity & Access Management

AWS Identity and Access Management (IAM)

Description
IAM defines who can do what in an AWS account. It handles authentication (users, roles, federated identities) and authorization (policies) across every AWS service.

Scenario
A security team designs IAM roles so developers can deploy Lambda functions only in non-production accounts. Each role uses scoped permissions, and developers assume the role with temporary credentials instead of relying on long-term access keys.

Best Practices

  • Apply least privilege. Only grant what's actually needed.
  • Replace IAM users with roles and short-lived credentials wherever possible.
  • Enforce MFA on every privileged identity.
  • Run IAM Access Analyzer regularly to find unused permissions and external access. Since 2024 it also surfaces unused-access findings, which is useful for cleaning up over-permissive roles.

Pricing
Free.

AWS IAM Access Analyzer

Description
IAM Access Analyzer uses automated reasoning (what AWS calls "provable security") to find resources shared outside your trust boundary, identify unused permissions, and validate IAM policies before they ship. It runs across S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager, and others.

Scenario
A new feature ships with an S3 bucket policy that accidentally allows s3:GetObject from any account. Access Analyzer flags it within minutes as an external access finding, and the team rolls back the policy before any data leaves the account.

Best Practices

  • Enable both an external access analyzer and an unused access analyzer at the organization level.
  • Wire custom policy checks into CI/CD so policies that grant new access trigger an approval step before merge.
  • Treat findings like security tickets, not informational logs. Archive intentional ones and resolve the rest.

Pricing
External access analysis is free. Unused access analysis is per IAM role or user analyzed per month.

AWS IAM Identity Center

Description
IAM Identity Center (formerly AWS SSO) is the recommended way to manage human access across multiple AWS accounts. It connects to identity providers like Okta, Entra ID, or Google Workspace and centralizes permission sets per account.

Scenario
A company with 12 AWS accounts integrates Identity Center with Entra ID. Employees log in once with their corporate credentials and land on a portal that shows only the accounts and roles they're entitled to, mapped from their AD groups.

Best Practices

  • Assign access by group, not by individual user.
  • Map directory groups to AWS accounts and permission sets.
  • Enable MFA and reasonable session timeouts.

Pricing
Free.

AWS Organizations

Description
AWS Organizations lets you centrally manage multiple AWS accounts as a single entity. It's where you set up Organizational Units (OUs), Service Control Policies (SCPs), and the more recent Resource Control Policies (RCPs) to define guardrails across the whole environment.

Scenario
A platform team groups production accounts under a "Prod" OU and applies an SCP that blocks anyone (including admins) from disabling CloudTrail or operating outside approved regions. Even if a member account creates a role with AdministratorAccess, the SCP still wins.

Best Practices

  • Use OUs to reflect environments or business units, not just teams.
  • Combine SCPs (identity guardrails) with RCPs (resource-side guardrails) to build a data perimeter.
  • Enable trusted access for services like CloudTrail, Config, and GuardDuty so they can be managed organization-wide.

Pricing
Free.

AWS Resource Access Manager (RAM)

Description
RAM shares AWS resources like subnets, Transit Gateways, or Route 53 Resolver rules across accounts inside an Organization, without duplicating infrastructure.

Scenario
A central network account owns the Transit Gateway and shares it through RAM with workload accounts. Each team works in its own VPC but uses shared connectivity, keeping the network footprint consistent.

Best Practices

  • Share only what's needed, and only with the accounts that actually need it.
  • Audit shares regularly. Old ones tend to outlive the projects that created them.
  • Tag shared resources with an owner so accountability is clear.

Pricing
Free.

Amazon Cognito

Description
Cognito handles authentication and authorization for end-user applications. User pools manage sign-up and sign-in; identity pools issue temporary AWS credentials for federated users.

Scenario
A mobile app lets users sign in with Google or Apple ID. Cognito brokers the federation and hands back short-lived AWS credentials so the app can call backend APIs through API Gateway.

Best Practices

  • Enforce a strong password policy and enable MFA.
  • Use Cognito triggers (Lambda) when you need custom validation or extra checks at sign-up or sign-in.
  • Keep tokens out of insecure storage on the client side.

Pricing
Per monthly active user (MAU), with a free tier for the first 50,000 MAUs in most cases.

AWS Directory Service

Description
Directory Service provides managed Microsoft Active Directory in AWS, or connects AWS resources to an existing on-prem AD.

Scenario
A company migrates Windows workloads to EC2 and wants to keep the same group policies and authentication flow. AWS Managed Microsoft AD gives them a real AD domain in AWS, with a trust to the on-prem forest.

Best Practices

  • Pick Managed Microsoft AD when you need full AD features. AD Connector is enough if you only need to proxy authentication to on-prem.
  • Keep domain admin accounts separate from day-to-day accounts.
  • Send directory logs to CloudWatch for visibility into logins and policy changes.

Pricing
Per directory type and per hour.

Data Protection

AWS Secrets Manager

Description
Secrets Manager stores, rotates, and serves credentials, API keys, and other secrets, with native rotation support for RDS, Redshift, and DocumentDB.

Scenario
Instead of putting a database password in a Lambda environment variable, the function fetches it from Secrets Manager at runtime. A rotation Lambda swaps the password in RDS and updates the secret on a schedule, with no application changes required.

Best Practices

  • Turn on automatic rotation, especially for database credentials.
  • Scope IAM access down to the specific secret ARN. Wildcards on secretsmanager:GetSecretValue are a common mistake.
  • Encrypt secrets with a customer-managed KMS key when you want full control over who can decrypt them.

Pricing
Per secret per month, plus a small charge per 10,000 API calls.

AWS Private Certificate Authority (Private CA)

Description
AWS Private CA issues and manages private TLS certificates for internal services, IoT devices, and other workloads that don't need a publicly trusted CA.

Scenario
An internal platform issues short-lived certificates to microservices through Private CA, replacing long-lived self-signed certs scattered across containers.

Best Practices

  • Automate issuance and renewal. Manual cert management never scales.
  • Keep certificate lifetimes short to reduce blast radius if a key leaks.
  • Restrict who can issue certificates with IAM and CA-level permissions.

Pricing
Monthly fee per CA, plus a per-certificate fee that drops at higher volumes.

AWS Certificate Manager (ACM)

Description
ACM provisions, deploys, and renews public and private TLS certificates for AWS-integrated services like CloudFront, ALB, and API Gateway.

Scenario
A site behind CloudFront gets a free public ACM certificate validated via DNS. Renewal happens automatically, with no calendar reminders and no expired-cert pages.

Best Practices

  • Prefer DNS validation for fully automated renewal.
  • Use ACM for any AWS-integrated endpoint. Reach for Private CA only when you need certs outside that scope.
  • Pair with WAF in front of CloudFront or ALB for layered protection.

Pricing
Public certificates are free. Private certificates go through Private CA pricing.

Amazon Macie

Description
Macie uses ML and pattern matching to find sensitive data (PII, credentials, financial data) sitting in S3, and flags buckets that look risky.

Scenario
After Macie runs on a data lake, it surfaces a few buckets containing customer PII that nobody had classified. The findings feed into Security Hub and trigger remediation through Config.

Best Practices

  • Schedule recurring jobs on the buckets that actually matter. Running it on everything gets expensive fast.
  • Use managed data identifiers first, then add custom ones for company-specific patterns.
  • Send findings to Security Hub so they live alongside everything else.

Pricing
Per GB classified and per object monitored.

AWS Key Management Service (KMS)

Description
KMS creates and manages cryptographic keys used by AWS services and applications, with everything logged in CloudTrail.

Scenario
A finance team encrypts S3 and RDS with customer-managed keys (CMKs). Key policies restrict decryption to specific roles, and CloudTrail captures every Decrypt call for audit.

Best Practices

  • Use customer-managed keys for sensitive data. AWS-managed keys are fine for low-risk workloads but offer less control.
  • Enable automatic annual rotation.
  • Be careful with key policies. Locking yourself out of a CMK is a real (and painful) failure mode.

Pricing
Per key per month, plus per API request.

AWS CloudHSM

Description
CloudHSM gives you dedicated, FIPS 140-2 Level 3-validated Hardware Security Modules. Unlike KMS, the keys live in an HSM that only you control.

Scenario
A payments company processing card transactions needs full custody of the keys used for cryptographic operations. CloudHSM provides isolated HSMs in the customer's VPC, satisfying PCI DSS key-management requirements.

Best Practices

  • Use CloudHSM when regulation or contracts require exclusive key control. Otherwise KMS is usually enough.
  • Run an HSM cluster across multiple AZs for redundancy.
  • Consider a KMS custom key store backed by CloudHSM if you need both ecosystems.

Pricing
Hourly per HSM instance.

AWS Payment Cryptography

Description
Payment Cryptography provides managed cryptographic operations specifically for payment processing, including PIN translation, key exchange, and similar operations that traditionally required on-prem HSMs.

Scenario
A fintech replaces a legacy on-prem HSM setup with Payment Cryptography to handle PIN generation and key exchange with acquiring banks, while staying inside PCI PIN scope.

Best Practices

  • Pair with strict IAM conditions (e.g. source VPC, source IP) to limit who can call cryptographic operations.
  • Rotate keys on a defined schedule and document it for audit.
  • Keep CloudTrail logs of all operations as part of the compliance evidence chain.

Pricing
Per active key and per cryptographic API call.

Network and Application Protection

AWS WAF

Description
AWS WAF is a layer-7 firewall that protects HTTP(S) endpoints from common exploits like SQL injection, XSS, and bad bots. It integrates with CloudFront, ALB, API Gateway, AppSync, and App Runner.

Scenario
An API behind API Gateway is the front door for a retail app. WAF blocks requests with obvious injection patterns and rate-limits abusive clients before they reach the backend.

Best Practices

  • Start with AWS Managed Rule Groups (Core, Known Bad Inputs, OWASP-style sets) and tune from there.
  • Add rate-based rules to slow down brute-force and credential stuffing.
  • Send logs to CloudWatch, S3, or Kinesis Firehose so you can actually investigate when something is blocked, or when it isn't.
  • Keep separate Web ACLs for staging and production.

Pricing
Per Web ACL, per rule, and per million requests inspected.

AWS Shield

Description
Shield protects against DDoS attacks. Shield Standard is automatic and free; Shield Advanced adds higher-tier mitigations, cost protection, and access to the AWS Shield Response Team.

Scenario
A public API behind CloudFront sees a sudden traffic spike. Shield Standard absorbs the volumetric portion automatically. With Shield Advanced, the customer also gets detailed attack diagnostics and 24/7 escalation if mitigation needs human input.

Best Practices

  • Enable Shield Advanced for critical public-facing workloads where downtime has real financial impact.
  • Always pair with WAF for application-layer attacks. Shield alone won't stop a slow HTTP flood.
  • Run game days that simulate traffic surges so the team isn't learning the runbook during a real incident.

Pricing
Standard: free. Advanced: monthly subscription per organization, plus data transfer.

AWS Network Firewall

Description
Network Firewall is a managed stateful firewall and IPS for VPC traffic. It supports Suricata-compatible rules, so existing rule sets often port over with minimal changes.

Scenario
A central inspection VPC sits behind a Transit Gateway. All east-west and egress traffic flows through Network Firewall, where the security team enforces domain allowlists and Suricata IDS rules.

Best Practices

  • Centralize the firewall in a shared inspection VPC rather than deploying per-VPC instances.
  • Log everything to S3 or CloudWatch. Without logs, troubleshooting a blocked flow is guesswork.
  • Use domain-based stateful rules for egress filtering. They're much easier to maintain than IP lists.

Pricing
Per firewall endpoint hour, plus per GB processed.

AWS Firewall Manager

Description
Firewall Manager centrally manages WAF, Shield Advanced, Network Firewall, and security group policies across all accounts in an Organization.

Scenario
A security team defines a baseline WAF rule set that every CloudFront distribution in the org must have. Firewall Manager applies it automatically to new distributions as they're created.

Best Practices

  • Pair with AWS Organizations for org-wide reach.
  • Use resource tags to scope policies. For example, only enforce certain rules on resources tagged env=prod.
  • Treat Firewall Manager policies like infrastructure-as-code: version them, review changes, and avoid clicking around in the console.

Pricing
Per policy per region per month.

AWS Verified Access

Description
AWS Verified Access provides VPN-less access to internal applications. Each request is evaluated against identity (via an IdP), device posture (via integrations with Jamf, CrowdStrike, Zscaler, and others), and policy context before access is granted, which makes it a practical building block for zero-trust architectures.

Scenario
A company replaces its corporate VPN with Verified Access. An engineer accessing an internal Grafana dashboard is authenticated through Entra ID, has their device posture checked by CrowdStrike, and gets a short-lived session, with the whole evaluation logged for audit.

Best Practices

  • Define access policies per application instead of one broad policy. Sensitive apps get stricter device and identity requirements.
  • Require both identity and device trust providers. Identity alone misses compromised endpoints.
  • Send evaluation logs to S3 or OpenSearch so failed access attempts are visible during incident reviews.

Pricing
Per application per hour, plus per GB of data processed.

Amazon VPC Lattice

Description
VPC Lattice is an application networking service that connects services across VPCs and accounts without the usual peering or routing complexity. It includes IAM-based auth policies that gate service-to-service traffic, which is what makes it relevant in a security post.

Scenario
A microservices platform running across three accounts uses VPC Lattice to expose internal services. Auth policies require requests to come from a specific IAM role and carry a particular tag, blocking traffic from any other workload even if they're on the same network.

Best Practices

  • Treat VPC Lattice auth policies as part of your security model, not just networking config.
  • Combine with Verified Access for the user-to-service hop. Lattice handles service-to-service.
  • Share service networks through RAM rather than rebuilding per account.

Pricing
Per service per hour, per request, and per GB processed.

Threat Detection & Monitoring

AWS CloudTrail

Description
CloudTrail records API calls and management events across an AWS account. It's the foundation for auditing, forensics, and most compliance work.

Scenario
Someone accidentally makes an S3 bucket public. CloudTrail captures the PutBucketPolicy call, including the user identity, source IP, and timestamp, which is exactly what the security team needs to investigate and reverse it.

Best Practices

  • Set up an organization trail so every account is covered, including new ones.
  • Send logs to a dedicated logging account with restricted access. Production teams shouldn't be able to delete their own audit trail.
  • Turn on CloudTrail Insights for anomaly detection on API call patterns.
  • Enable data events selectively. They're powerful but can get expensive on busy S3 buckets.

Pricing
One management trail per region is free. Additional trails and data events are billed per 100,000 events.

Amazon GuardDuty

Description
GuardDuty is a managed threat detection service. It analyzes CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs, S3 data events, RDS login activity, and EBS volumes for malware, using a mix of ML and threat intelligence.

Scenario
GuardDuty raises a finding that an EC2 instance is talking to a known crypto-mining domain. An EventBridge rule triggers a Lambda that detaches the instance role, isolates the security group, and creates a snapshot for forensics.

Best Practices

  • Enable it organization-wide. Turning it on per-account is a recipe for blind spots.
  • Enable the protection plans that match your stack (EKS, S3, RDS, Malware Protection, Lambda) rather than leaving them off by default.
  • Suppress known-benign findings instead of ignoring the inbox.

Pricing
Based on volume of logs analyzed and resources protected. Each protection plan adds its own usage charge.

AWS Security Hub

Description
Security Hub aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Config, and dozens of partner products into a single place. It's split into Security Hub CSPM (the posture-management piece) and the broader Security Hub experience that consolidates detection findings.

Scenario
A compliance lead enables the AWS Foundational Security Best Practices and CIS standards in Security Hub CSPM. The dashboard immediately surfaces unencrypted S3 buckets, missing CloudTrail trails, and overly permissive security groups across every account.

Best Practices

  • Enable the standards that match the company's compliance scope. Don't enable all of them and drown in noise.
  • Use cross-account aggregation so one delegated administrator account holds the full picture.
  • Set up automated remediation for the highest-frequency findings (public S3, unencrypted volumes, etc.).

Pricing
Per finding ingested and per compliance check evaluated.

Amazon Detective

Description
Detective automatically pulls in CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs, then builds a behavior graph you can pivot through during an investigation.

Scenario
A GuardDuty finding suggests a compromised IAM access key. Detective shows the affected role's activity over the past weeks, the resources it touched, and other identities behaving similarly, all without writing custom queries.

Best Practices

  • Enable Detective in the same accounts where GuardDuty is on. The two pair naturally.
  • Treat it as an investigation tool, not a real-time alerting system.
  • Default 12-month data retention is usually worth keeping for incident postmortems.

Pricing
Per GB of data ingested per month.

Amazon Inspector

Description
Inspector continuously scans EC2 instances, container images in ECR, and Lambda functions for known CVEs and unintended network exposure. Findings are scored using a contextual risk model.

Scenario
Inspector flags an outdated OpenSSL package on a running EC2 instance. The finding flows into Security Hub, opens a ticket in Jira, and gets patched in the next deployment cycle.

Best Practices

  • Enable it across the organization so new resources are covered automatically.
  • Pipe findings into the team's existing ticketing flow. Security tools that don't connect to engineering workflows tend to be ignored.
  • Use tags to exclude short-lived resources where scanning isn't useful.

Pricing
Per resource scanned per month.

Amazon Security Lake

Description
Security Lake centralizes security data from AWS and third-party sources into a customer-owned S3 data lake, normalized to the OCSF schema. Athena, OpenSearch, and most SIEMs can query it directly.

Scenario
A SOC pulls GuardDuty, CloudTrail, Route 53 logs, and EDR alerts into Security Lake, then runs cross-source Athena queries to correlate suspicious DNS lookups with API activity.

Best Practices

  • Define lifecycle policies up front. Security data accumulates fast.
  • Subscribe consumers (Athena, OpenSearch, SIEM) per data type rather than giving everyone access to everything.
  • Use OCSF normalization to your advantage when writing detections. Queries port between sources much more easily.

Pricing
Per GB ingested and per GB normalized. Underlying S3 storage is billed separately.

AWS Security Incident Response

Description
AWS Security Incident Response is a managed service that combines automation, tooling, and access to AWS Customer Incident Response Team (CIRT) experts to help triage and recover from security events.

Scenario
GuardDuty raises a high-severity finding outside business hours. The service triages it automatically, escalates only what matters, and gives the on-call engineer a direct line to AWS CIRT if expert help is needed.

Best Practices

  • Don't wait for an incident to set it up. Define runbooks, contacts, and access boundaries while things are calm.
  • Combine with Step Functions or Systems Manager Automation for repeatable response actions.
  • Run tabletop exercises at least once a year.

Pricing
Subscription-based. AWS service usage during a response is billed normally.

Application Security

AWS Systems Manager

Description
AWS Systems Manager is broad, but a few of its tools are core to workload security: Session Manager replaces SSH bastions with auditable, port-less access to instances; Patch Manager automates OS and application patching; Parameter Store holds configuration values and secrets, with SecureString parameters encrypted by KMS.

Scenario
A company removes inbound port 22 from every EC2 security group. Engineers connect through Session Manager instead, with every session logged to S3 and CloudWatch. Patch Manager runs weekly inside a maintenance window, and compliance data flows into Security Hub so unpatched fleets are visible at the org level.

Best Practices

  • Use Session Manager instead of SSH bastions. Stream session logs to S3 with object lock and to CloudWatch for real-time review.
  • Define custom patch baselines per OS, with auto-approval after a short test window for security and critical patches.
  • Store secrets in Parameter Store SecureString (with a customer-managed KMS key) for low-volume config secrets. Use Secrets Manager for credentials that need rotation.

Pricing
Session Manager and Parameter Store standard parameters are free. Advanced parameters, Patch Manager on hybrid nodes, and other features have their own usage charges.

AWS Signer

Description
AWS Signer provides managed code signing for Lambda, container images, and IoT firmware. Signed artifacts can be verified at deploy time or runtime.

Scenario
A CI/CD pipeline signs every Lambda deployment package with Signer. Lambda is configured to reject unsigned or tampered packages, so a malicious push to a build artifact bucket can't quietly become production code.

Best Practices

  • Make signing part of the pipeline, not a manual step.
  • Protect signing profiles with KMS and tight IAM.
  • Only sign artifacts that have actually passed tests and security checks.

Pricing
Per signing job.

AWS Security Agent

Description
AWS Security Agent, which went GA in April 2026, is an AI-driven security agent that performs continuous, context-aware penetration testing across cloud, multicloud, and on-prem environments. It's designed to behave like a human pentester rather than a static scanner.

Scenario
The agent runs continuously against a staging environment, finding a chain that combines an exposed metadata endpoint with a permissive IAM role into a privilege escalation path. It writes up the finding with reproduction steps, and the team fixes the chain before it reaches production.

Best Practices

  • Start in non-production to calibrate noise and false positives.
  • Connect findings to your existing vulnerability management workflow.
  • Treat it as a complement to Inspector and traditional SAST/DAST, not a replacement.

Pricing
Based on scope and scan frequency.

Amazon Verified Permissions

Description
Verified Permissions is a managed authorization service based on the Cedar policy language. It centralizes fine-grained permission decisions for application users, separate from IAM (which governs AWS resources).

Scenario
A banking app needs to decide whether a given user can view, edit, or close a specific account. Instead of scattering if user.role == "admin" checks throughout the codebase, the app calls Verified Permissions with the request context and gets a clean allow/deny back.

Best Practices

  • Keep policies in version control alongside code. Cedar is text and reviews well in pull requests.
  • Model policies on real business rules, not just technical roles.
  • Use Cognito or your IdP for authentication and Verified Permissions for the decisions that follow.

Pricing
Per authorization request.

Compliance & Governance

AWS Config

Description
Config records the configuration state of AWS resources over time and continuously evaluates them against rules. It's the backbone of most CSPM and compliance automation.

Scenario
A Config rule detects an S3 bucket that just had BlockPublicAccess disabled. An automatic remediation Lambda re-enables the setting and notifies the owning team via SNS.

Best Practices

  • Enable it in every account through Organizations and aggregate findings centrally.
  • Use Conformance Packs for frameworks like CIS, NIST, or PCI rather than building rules from scratch.
  • Be selective about which resource types you record. Recording everything in a busy account adds up quickly.

Pricing
Per configuration item recorded and per rule evaluation.

AWS Audit Manager

Description
Audit Manager automates evidence collection for compliance frameworks like SOC 2, ISO 27001, HIPAA, and PCI DSS. It maps AWS resource data to controls so audit prep is mostly continuous instead of a quarterly fire drill.

Scenario
A compliance officer creates an ISO 27001 assessment. Audit Manager pulls encryption settings, IAM data, and CloudTrail logs into structured evidence that's ready for the auditor, with no manual screenshots required.

Best Practices

  • Use prebuilt frameworks and customize them. Don't start from a blank page.
  • Assign control owners explicitly, otherwise everything ends up as "the security team's problem."
  • Review collected evidence in advance of audits, not the night before.

Pricing
Per active assessment per month.

AWS Artifact

Description
Artifact is the self-service portal for AWS's own compliance reports (SOC 1/2/3, ISO certifications, PCI attestations, and similar) plus customer-facing agreements like the BAA.

Scenario
A new enterprise customer asks for AWS's PCI DSS Attestation of Compliance during procurement. The security team pulls the latest report from Artifact instead of opening a support case.

Best Practices

  • Refresh reports each audit cycle so you're not handing out stale documents.
  • Restrict Artifact access to people who actually need it.

Pricing
Free.

This post covers all AWS security-related services as of April 2026.

Top comments (0)