Financial Services customers understand how AWS services operate so that you can incorporate AWS into your existing processes and security operations centers (SOCs). As soon as you create your first AWS account for your organization, you’re live in the cloud. So, from day one, you should be equipped with certain information: you should understand some basics about how our products and services work, you should know how to spot when something bad could happen and you should understand how to recover from that situation.

The principles don’t change as security is security. Many of the on-premises security processes that you have now can extend directly to an AWS deployment. For example, your processes for vulnerability management, security monitoring, and security logging can all be transitioned over. With that said, AWS is more than just infrastructure. Customers who are only thinking about the security of their AWS Virtual Private Clouds (VPCs), and about the Amazon Elastic Compute Cloud (EC2) instances running in those VPCs. Its traditional network security that remains quite standard. Customers questions that focus on other services they may be using. For example:

• How are you thinking about who has Database Administrator (DBA) rights for Amazon Aurora Serverless? Aurora Serverless is a managed database service that lets AWS do the heavy lifting for many DBA tasks.
• Do you understand how to configure (and monitor the configuration of) your Amazon Athena service? Athena lets you query large amounts of information that you’ve stored in Amazon Simple Storage Service (S3).
• How will you secure and monitor your AWS Lambda deployments? Lambda is a serverless platform that has no infrastructure for you to manage.

Understanding AWS security services

As a customer, it’s important to understand the information that’s available to you about the state of your cloud infrastructure. Typically, AWS delivers much of that information via the Amazon CloudWatch service. It is recommended to customers to get comfortable with CloudWatch, alongside our AWS security services.

The key services that any security team needs to understand include:

• Amazon GuardDuty, which is a threat detection system for the cloud. · AWS CloudTrail, which is the log of AWS API services.
• VPC Flow Logs, which enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
• AWS Config, which records all the configuration changes that your teams have made to AWS resources, allowing you to assess those changes.
• AWS Security Hub, which offers a “single pane of glass” that helps you assess AWS resources and collect information from across your security services. It gives you a unified view of resources per Region, so that you can more easily manage your security and compliance workflow. These tools make it much quicker for you to get up to speed on your cloud security status and establish a position of safety.