A guide to cloud security tools for AWS
How to choose the right tool for the job to protect your cloud applications from modern security threats
Security for cloud-native deployments spans many fronts and must be applied across every layer that participates in the complex architecture of today's applications.
Malicious actors are continuously looking to discover and exploit attack vectors, utilizing techniques of ever-increasing sophistication. These attack vectors can be found anywhere in the socio-technical system that now represents all organizations driven by digital transformation.
Improving the security posture of cloud-native applications requires a holistic, cross-functional approach. It starts with shifting security "to the left", making security a top concern for builders during design and development, and continues by validating that the deployed solution as a whole remains secure as each release is promoted to higher environments.
It is important to contextualize the broad concept of security to each builder's own scope of responsibility, whatever that scope is. Security spans everything: data, applications, infrastructure and, ultimately, people, both inside and outside the organization.
Given this complex landscape and having full awareness of the stakes, finding the right tool among a rapidly changing and diverse landscape of products and services can be a daunting task. This guide from our developer advocates shares a selection of cloud security tools from AWS partners that cloud builders can try in AWS Marketplace and easily incorporate into their tech stack using AWS billing.
How to choose the right cloud security tools by capability
Security scanning
Security scanning combines static and dynamic approaches to identify vulnerabilities throughout the application lifecycle. Static scanning integrates into CI/CD pipelines to analyze code before deployment, while dynamic scanning continuously probes running applications the way an attacker would. Both methods must prioritize precision and efficiency, keeping false positives low while producing actionable results, so that coverage extends from development through production.
Static code security scanning
Finding bugs and security flaws early in the development process, long before releases are deployed or promoted across environments and into production, is one of the primary objectives of the “shift security left” mindset and is a critical cloud security tool capability.
Challenges:
- Most applications today contain more lines of code from dependencies and open-source libraries than code written in-house. Scanning therefore goes beyond the source your developers write: every codebase the application depends on, and everything those dependencies pull in transitively, must be checked as well. The volume of newly disclosed vulnerabilities adds to this complexity, because the databases the code is checked against must be updated just as continuously.
- Integrating code scanning early in the development lifecycle requires tooling that makes it effortless for builders to identify and resolve issues before their code is merged. Integration into continuous integration and delivery pipelines is therefore a must, but it has to happen without inflating build times and while giving builders immediate, clear findings they can act on.
- Precision and efficiency matter: alerts that turn out to be false positives erode builders' trust in and commitment to the process.
Key tools for the job
How it works
Orca Security
- Orca is a cloud security tool that provides a unified platform that allows developers to identify vulnerabilities and security issues and DevSecOps teams to manage policies and integrate security scanning throughout the software development lifecycle. Orca can scan everything from infrastructure as code (IaC) to container images and application codebases and software composition and can be easily integrated into build and release pipelines.
AWS CodePipeline
- With AWS CodePipeline you can declare your build and release pipelines in code and execute them at scale without having to worry about managing any of the necessary infrastructure required for continuous integration (CI)/continuous delivery (CD). Integrating security scanning as part of the pipeline becomes as simple as triggering an Orca scan as a step in the process.
Getting started
- Sign up for Orca Security in AWS Marketplace using your AWS account.
- Configure your AWS CodePipeline CI/CD pipeline to trigger scans from your Orca Security account.
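To make the pipeline gate concrete, here is an added example (not Orca's or AWS CodePipeline's own code) of what a software-composition step does: it walks the full dependency graph from a lockfile, including transitive dependencies, matches each package version against an advisory feed, and returns a non-zero exit code when a finding meets the severity threshold, which is what fails the pipeline stage. The lockfile graph, the advisory entries and their identifiers are constructed for the example.

```python
"""Software-composition check for a CI stage: walk the full dependency graph
(direct and transitive) and fail the build when a known advisory matches.
Constructed sample data; not Orca's or CodePipeline's own logic."""
from __future__ import annotations

# Constructed lockfile-style graph: package -> (version, [dependencies]).
# In a real pipeline this comes from the resolved lockfile.
LOCK = {
    "webapp": ("1.0.0", ["requests", "jinja2"]),
    "requests": ("2.25.1", ["urllib3", "idna"]),
    "urllib3": ("1.26.3", []),
    "idna": ("3.1", []),
    "jinja2": ("3.1.2", ["markupsafe"]),
    "markupsafe": ("2.1.3", []),
}

# Constructed advisory feed entries: affected package, vulnerable range
# (inclusive lower bound, exclusive fixed version), severity. IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-0001", "package": "urllib3", "introduced": "1.0.0", "fixed": "1.26.5", "severity": "HIGH"},
    {"id": "ADV-0002", "package": "markupsafe", "introduced": "2.0.0", "fixed": "2.1.0", "severity": "MEDIUM"},
    {"id": "ADV-0003", "package": "idna", "introduced": "3.0", "fixed": "3.7", "severity": "LOW"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric-only version comparison; enough for the sample data, not full PEP 440."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def transitive_closure(root: str, lock: dict) -> dict[str, list[str]]:
    """Return every package reachable from root, with the path that pulled it in."""
    paths: dict[str, list[str]] = {}
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        if name in paths:
            continue
        paths[name] = path
        for dep in lock[name][1]:
            stack.append((dep, path + [dep]))
    return paths


def find_findings(root: str, lock: dict, advisories: list[dict]) -> list[dict]:
    """Match every reachable package (transitive ones included) against the advisories."""
    reach = transitive_closure(root, lock)
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg in reach and is_affected(lock[pkg][0], adv["introduced"], adv["fixed"]):
            findings.append({**adv, "version": lock[pkg][0], "path": " -> ".join(reach[pkg])})
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])


def gate(findings: list[dict], fail_at: str = "HIGH") -> int:
    """Exit code for the pipeline step: non-zero when any finding meets the threshold."""
    threshold = SEVERITY_RANK[fail_at]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


if __name__ == "__main__":
    import sys
    results = find_findings("webapp", LOCK, ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['id']} {f['package']}=={f['version']} via {f['path']}")
    sys.exit(gate(results))
```

Run as a pipeline step, the script's exit status is the gate: the HIGH finding in urllib3, reached only through requests, fails the build, while the markupsafe version sits outside the vulnerable range and is not reported.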
Dynamic security scanning
Challenges:
- Ensuring your production deployment remains stable and reliable while being exposed to continuous external scanning is an important concern to keep in mind. Having granular ability to control the scanning processes so they’re efficient and effectively targeted is a key capability that will improve the results of running dynamic application security tests against your production environment.
- Efficiency is also related to the time it takes for Dynamic Application Security Testing (DAST) operations to complete and the precision of the results. One common challenge is reducing false positives as well as getting results promptly and with enough data for them to be actionable.
Key tools for the job
How it works
Rapid7 InsightAppSec
- With Rapid7 you can configure the various applications you want to scan from a centralized dashboard that allows you to see the scanning status for each of them. For each application you can choose the applicable authentication configuration so that the DAST can also test areas of your application that may be protected from unauthenticated access.
Once you have configured your application and access you can choose one of a wide array of attack templates targeting common application stacks and endpoints, as well as commonly used standards such as Open Worldwide Application Security Project (OWASP). Templates can be created as well as customized to adjust to your specific needs.
Scheduled and manual testing allows you to control the times in which DAST operations are safer and unlikely to produce undesired side effects to your user experience.
AWS Lambda
- With AWS Lambda your application scales automatically to absorb the extra load a dynamic security test generates, so you pay for that load only while a scan runs instead of provisioning permanent headroom for it.
Functions as a service (FaaS) also simplify remediation of discovered vulnerabilities: each finding is confined to an individual function, which can be fixed and redeployed on its own.
Getting started
- Sign up for Rapid7 in AWS Marketplace using your AWS account.
- In the Rapid7 console, configure the applications you run on AWS Lambda as scan targets.
- Run a manual test and explore the findings.
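The following added example (not Rapid7's scanner or the page's own code) shows the two DAST points made above in working form: the scanner first authenticates so that protected routes are covered, and it reports a reflected-input finding only when its canary comes back unencoded, which is how a scanner keeps false positives down. The target is a constructed in-process toy application with one deliberate reflection flaw and missing security headers; the credentials, routes and payloads are all made up for the example.

```python
"""Minimal authenticated DAST run against an in-process toy application.
The application, its credentials and the probe payloads are constructed for
this example; it is not Rapid7's scanner or AWS Lambda code."""
from __future__ import annotations
import html
from dataclasses import dataclass, field
from typing import Callable

# --- Constructed target application (deliberately contains one reflected XSS) ---
SESSIONS: set[str] = set()

@dataclass
class Response:
    status: int
    headers: dict
    body: str

def target_app(method: str, path: str, params: dict, headers: dict) -> Response:
    base_headers = {"Content-Type": "text/html"}  # no CSP, no X-Content-Type-Options
    if method == "POST" and path == "/login":
        if params.get("user") == "tester" and params.get("password") == "example-only":
            SESSIONS.add("tok-123")
            return Response(200, base_headers, "token=tok-123")
        return Response(401, base_headers, "bad credentials")
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    if path == "/account":
        if token not in SESSIONS:
            return Response(401, base_headers, "login required")
        # Vulnerable: query parameter echoed without encoding
        return Response(200, base_headers, f"<p>Hello {params.get('name', '')}</p>")
    if path == "/search":
        # Safe: reflected, but HTML-encoded
        return Response(200, base_headers, f"<p>Results for {html.escape(params.get('q', ''))}</p>")
    return Response(404, base_headers, "not found")

# --- Scanner ---
CANARY = "<dast-canary-7f3a>"
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options")

@dataclass
class Scanner:
    app: Callable
    token: str = ""
    findings: list = field(default_factory=list)

    def login(self, user: str, password: str) -> bool:
        r = self.app("POST", "/login", {"user": user, "password": password}, {})
        if r.status == 200 and r.body.startswith("token="):
            self.token = r.body.split("=", 1)[1]
        return bool(self.token)

    def get(self, path: str, params: dict) -> Response:
        return self.app("GET", path, params, {"Authorization": f"Bearer {self.token}"})

    def probe_reflection(self, path: str, param: str) -> None:
        """Report only when the canary comes back verbatim: an encoded echo is not a finding."""
        r = self.get(path, {param: CANARY})
        if r.status == 200 and CANARY in r.body:
            self.findings.append({"type": "reflected-input-unencoded", "path": path, "param": param})

    def check_headers(self, path: str) -> None:
        r = self.get(path, {})
        for h in REQUIRED_HEADERS:
            if h not in r.headers:
                self.findings.append({"type": "missing-header", "path": path, "header": h})

def run_scan(app: Callable = target_app, authenticated: bool = True) -> list[dict]:
    """Authenticated runs reach /account; unauthenticated runs only see its 401 page."""
    s = Scanner(app)
    if authenticated and not s.login("tester", "example-only"):
        raise RuntimeError("authentication failed; protected routes would go untested")
    for path, param in (("/account", "name"), ("/search", "q")):
        s.probe_reflection(path, param)
    s.check_headers("/account")
    return s.findings

if __name__ == "__main__":
    for f in run_scan():
        print(f)
```

The unauthenticated run never sees the flaw behind /account, which is the point of configuring credentials per application; the encoded echo on /search is deliberately not reported.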
Endpoint and user security
Endpoint and user security integrates device protection with comprehensive identity management across cloud environments. This capability secures various entry points while managing identities ranging from internal users to service workloads, following least-privilege principles. The framework must balance automated protection and policy enforcement while maintaining user experience, protecting against threats like phishing and zero-day vulnerabilities. It also requires efficient management of credentials and access policies across decentralized architectures and multiple identity providers.
Endpoint security
Endpoints (laptops, workstations, mobiles and other similar devices) are the entry point to up to 70% of all successful breaches according to recent statistics. The high success rate of this type of attack has triggered a skyrocketing increase in attempts against organizations, with reports of up to 60% YoY increases in attempts targeting endpoints.
Phishing, ransomware, malware and exploits to vulnerable software are only a few of the full range of potential attack strategies that use endpoints, or their users, as a primary target.
Challenges:
- Human errors and social engineering remain perhaps the largest attack surface in most of today’s organizations, and one that presents unique challenges in protecting. Building a security layer that enforces protection to the human vector of attacks requires a complex and balanced mix of automation, policy and continuous scanning, all while ensuring that users continue to experience high-performance and usability.
- Zero-day vulnerabilities are very difficult to detect and defend against using traditional security measures and require advanced threat intelligence mechanisms deployed to be able to detect and respond quickly before they can be exploited.
- User identity and patch management are also key concerns to consider when protecting endpoints from malicious actors.
Key tools for the job
How it works
CrowdStrike Falcon Endpoint Protection
- Next-generation antivirus (NGAV) with integrated threat intelligence that analyzes every process running on an endpoint, uses advanced detection methods to identify potential threats, and traces them back to their origin.
With agents available for Windows, macOS, and Linux, this solution provides a common platform for all your endpoints and their users, regardless of role or user profile.
Amazon WorkSpaces
- With Amazon WorkSpaces your users get cloud-hosted virtual desktops with integration into AWS Identity and Access Management (IAM) and private access to cloud-hosted resources and applications. Using machine images and automation, those desktops can enforce endpoint protection by automatically installing and configuring the agents that continuously monitor and respond to threats.
Getting started
- Sign up for CrowdStrike Endpoint Protection in AWS Marketplace using your AWS account.
- Launch an Amazon WorkSpaces desktop, install the CrowdStrike Endpoint Protection agent, and save it as your "golden image."
- Use that image to create the Amazon WorkSpace for your users.
Identity and access management (IAM)
Many kinds of identities take part in operating your cloud-native applications, and each needs the right security tooling: internal user identities such as the developers building your application, the identities of the services, workloads and third-party systems your application integrates with, and your end users. Managing all of them and ensuring each follows the least-privilege principle is a non-trivial challenge at production scale.
Challenges:
- Centrally managing all the different types of entities that may access different services and interfaces of your systems is a complex task, particularly as architecture becomes decentralized and service-oriented and as users, both internal and external, may get their identity from third-party identity providers.
- Each identity type brings its own requirements for credential rotation and access policies, and managing those requirements at scale is usually complex.
- Providing identities to non-interactive entities such as workloads and services requires efficient means of handling them across environments.
Key tools for the job
How it works
CyberArk
- CyberArk integrates tightly with IAM and enables continuous review and risk management of your IAM configuration in the cloud. It’s a cloud security tool that helps you optimize your IAM architecture while also enabling powerful features such as just-in-time roles for cloud resources access and attribute-based access controls.
IAM
- IAM provides a comprehensive framework to define role-based access controls that is tightly integrated with all AWS services. With CyberArk you will be able to extend role-based access control (RBAC) to attribute-based access control (ABAC) and enable powerful just-in-time and workload identity capabilities thanks to its tight IAM integration.
Getting started
- Sign up for CyberArk in AWS Marketplace using your AWS account.
- Choose the integrations you want to deploy in your AWS environment, such as temporary console access through AWS Security Token Service (AWS STS), or Privileged Access Management (PAM) capabilities.
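As an added example (not CyberArk's engine), here is a small review of IAM policy documents for the least-privilege issues a continuous review would flag, alongside an attribute-based policy written so that the same principal is scoped to resources tagged with its own project. Both policy documents are constructed; the account ID and ARNs are placeholders.

```python
"""Least-privilege review of IAM policy documents: flag wildcard actions and
resources, iam:PassRole without scoping, and unconditioned grants, then show an
ABAC-scoped policy that passes. Policies are constructed; this is not CyberArk's
analysis engine."""
from __future__ import annotations
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def review_policy(policy: dict) -> list[dict]:
    """Return one finding per issue found in Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        sid = stmt.get("Sid", f"stmt{i}")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append({"sid": sid, "issue": "wildcard-action", "detail": actions})
        if "*" in resources and not condition:
            findings.append({"sid": sid, "issue": "wildcard-resource-unconditioned", "detail": resources})
        if any(a.lower() == "iam:passrole" for a in actions) and "*" in resources:
            findings.append({"sid": sid, "issue": "passrole-any-role", "detail": resources})
    return findings

# Constructed: what a quick "make it work" policy often looks like
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed ABAC-scoped equivalent. The principal may only touch S3 objects and
# EC2 instances whose "project" tag matches the principal's own "project" tag, and
# may pass one named role, only to ECS tasks. Account ID and names are placeholders.
ABAC_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProjectObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-project-data/${aws:PrincipalTag/project}/*",
        },
        {
            "Sid": "ProjectInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}},
        },
        {
            "Sid": "PassOnlyProjectRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/example-project-task-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    for name, pol in (("overly broad", OVERLY_BROAD), ("ABAC scoped", ABAC_SCOPED)):
        print(name, json.dumps(review_policy(pol), indent=2))
```

The checks are deliberately simple (they do not resolve NotAction, resource-level wildcards or policy variables); the value is in the contrast between a grant that cannot be scoped further and one where tags, not role proliferation, carry the authorization decision.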
Traffic and application protection
Traffic and application protection secures both internal service communication and external access in modern cloud environments. As applications adopt microservices architectures, it ensures security for east-west traffic using Zero Trust principles and mTLS authentication, while protecting web-based access from diverse threats like scraping and DDoS attacks. This capability emphasizes centralized security optimization across all services and applications, recognizing that each microservice presents its own attack surface while maintaining overall system performance.
East-west traffic filtering
East-west traffic refers to traffic between services and applications inside your cloud environment. As the architecture of most systems continues its transition to microservices and distributed services, the volume of this type of traffic has dramatically increased. Ensuring that all communication between services is safe and authorized becomes a mounting concern.
Challenges:
- With distributed services and horizontal scaling, traditional firewalling based on ports and source IP ranges becomes obsolete, and new ways of expressing rules and policies for controlling traffic must be adopted.
- Strategies such as Zero Trust create an even further separation between cloud-native security best practices and traditional security patterns. Zero Trust implies that nothing should be implicitly trusted regardless of its running location and relies on authentication and workload identity as the primary way in which traffic is permitted.
- Mutual TLS (Transport Layer Security), known as mTLS, has surfaced as one of the most efficient and secure ways to apply Zero-Trust security in cloud environments, providing a common and proven framework to mutually authenticate using battle-proven encryption protocols. The challenge here becomes effectively managing and assigning identities through certificates to workloads that are dynamically scaled and that can be moved around regions, clusters, or networks.
Key tools for the job
How it works
Palo Alto Networks Cloud Next Generation Firewall (NGFW)
- Palo Alto Networks Cloud Next Generation Firewall offers a feature called App-ID that lets you write rules and policies for traffic between sources and destinations based on the identity of the application rather than on addresses. It can establish that identity from the data carried in TLS certificates, which gives policy a far stronger basis than IP ranges.
AWS Certificate Manager
- With AWS Certificate Manager, together with AWS Private Certificate Authority for the private certificates that service-to-service mTLS requires, you can automate the issuance, assignment, and lifecycle of the TLS certificates your applications use to authenticate each other. Certificates can be delivered automatically to applications running in Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS), and even Amazon Elastic Compute Cloud (Amazon EC2) instances.
Getting started
- Sign up for Palo Alto Networks Cloud NGFW in AWS Marketplace using your AWS account.
- Configure AWS Certificate Manager to issue and assign certificates automatically to the workloads running in AWS.
- Create an App-ID in Cloud NGFW that matches your applications using data in the issued TLS certificates.
- Create rules that allow or deny traffic by App-ID as required.
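An added example (not Cloud NGFW's App-ID or ACM configuration) of the rule-model shift described above: the same two services are authorized first by source IP and then by the workload identity presented in a verified client certificate, and the scenario shows what happens when a pod is rescheduled onto a new address, when an unrelated pod inherits the old one, and when a peer has no valid certificate. The SPIFFE-style identities, addresses and rule format are constructed.

```python
"""East-west authorization by workload identity instead of source IP. The
identities are SPIFFE-style URIs of the kind carried in a certificate SAN; the
rule format, workloads and flows are constructed for this example and are not
Cloud NGFW's App-ID or ACM configuration."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    identity: str   # e.g. spiffe://example.internal/ns/shop/sa/checkout (from client cert SAN)
    ip: str         # changes whenever the pod is rescheduled

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int
    client_cert_verified: bool  # mTLS handshake result supplied by the proxy or firewall

CHECKOUT = "spiffe://example.internal/ns/shop/sa/checkout"
PAYMENTS = "spiffe://example.internal/ns/shop/sa/payments"
FRONTEND = "spiffe://example.internal/ns/shop/sa/frontend"

# Rules are evaluated top to bottom; first match wins; default deny.
IDENTITY_RULES = [
    {"src": CHECKOUT, "dst": PAYMENTS, "port": 8443, "action": "allow"},
    {"src": FRONTEND, "dst": CHECKOUT, "port": 8443, "action": "allow"},
]

IP_RULES = [  # the traditional equivalent, written against the IPs seen at deploy time
    {"src": "10.0.1.15", "dst": "10.0.2.9", "port": 8443, "action": "allow"},
]

def decide_by_identity(flow: Flow) -> str:
    if not flow.client_cert_verified:
        return "deny"  # no verified identity, nothing to match against (Zero Trust default)
    for r in IDENTITY_RULES:
        if r["src"] == flow.src.identity and r["dst"] == flow.dst.identity and r["port"] == flow.port:
            return r["action"]
    return "deny"

def decide_by_ip(flow: Flow) -> str:
    for r in IP_RULES:
        if r["src"] == flow.src.ip and r["dst"] == flow.dst.ip and r["port"] == flow.port:
            return r["action"]
    return "deny"

def scenario() -> dict:
    """Same two services before and after checkout is rescheduled onto a new IP."""
    before = Flow(Workload(CHECKOUT, "10.0.1.15"), Workload(PAYMENTS, "10.0.2.9"), 8443, True)
    after = Flow(Workload(CHECKOUT, "10.0.1.77"), Workload(PAYMENTS, "10.0.2.9"), 8443, True)
    # A different pod that happens to receive the old IP, and a peer with no valid cert
    squatter = Flow(Workload("spiffe://example.internal/ns/shop/sa/batch", "10.0.1.15"),
                    Workload(PAYMENTS, "10.0.2.9"), 8443, True)
    no_cert = Flow(Workload(CHECKOUT, "10.0.1.77"), Workload(PAYMENTS, "10.0.2.9"), 8443, False)
    return {
        "ip_before": decide_by_ip(before), "ip_after": decide_by_ip(after), "ip_squatter": decide_by_ip(squatter),
        "id_before": decide_by_identity(before), "id_after": decide_by_identity(after),
        "id_squatter": decide_by_identity(squatter), "id_no_cert": decide_by_identity(no_cert),
    }

if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:12} {v}")
```

The IP rule breaks the legitimate service after a reschedule and keeps allowing whichever pod inherits the old address; the identity rule follows the certificate, which is why certificate lifecycle (the ACM step above) becomes the operational concern.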
“Man in the middle” attacks
For users to reach your web application or online service, there are many moving pieces between your application in the cloud and the user, wherever they are. From Domain Name System (DNS) resolution to internet service providers (ISPs), points-of-presence, and network service providers, the security of your cloud application may be impacted by vulnerabilities or attacks across any of those systems that lie between your application and its users.
Challenges:
- Detecting a man-in-the-middle (MITM) attack is very complex, as there is usually no direct attack on your application or infrastructure; it must be identified externally or inferred indirectly from your application's traffic or usage patterns.
- This type of attack targets systems that are managed and operated by other parties, which you have no direct way to inspect or protect, and that makes defending against MITM attacks particularly difficult.
- Once an attack is under way, the data or intelligence the attacker acquired in that first stage can be used to exploit application-side vulnerabilities. Identifying unusual user behavior and limiting the attack surface through internal security mechanisms is therefore an angle that cannot be overlooked.
Key tools for the job
How it works
WebOrion Monitor
- WebOrion works as an external observer to your web application, monitoring that content, headers, scripts and domain name details match what is expected of your legitimate applications. It works without the need to install any agents or make any modifications to your web application and uses advanced machine learning algorithms to detect attacks to your website, even those that could have been achieved through compromise of intermediary systems between your application and its users.
Amazon Route 53
- One of the most likely targets for a man-in-the-middle attack is your domain name. Amazon Route 53 has integrated support for DNS Security Extensions (DNSSEC), which signs your zone so that validating resolvers can verify that the DNS answers they receive for your domain are authentic and unmodified (DNSSEC authenticates and integrity-protects DNS data; it does not encrypt it). Enabling DNSSEC is one of the most fundamental ways to protect your web presence, and WebOrion Monitor can use the signed records when checking the integrity of your web application's domain details.
Getting started
- Sign up for WebOrion Monitor in AWS Marketplace using your AWS account.
- Configure DNSSEC in your Route 53 hosted domains.
- Configure WebOrion to point to your application in its various environments.
- Configure rules and alerts on WebOrion as required.
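Here is an added example (not WebOrion's detection model) of the external-observer check in its simplest form: a baseline of expected script sources and hashes, security headers and DNS answers is compared with what an observer sees, and each deviation produces an alert. Both the clean and the tampered observations are constructed.

```python
"""External integrity check of a web page against a recorded baseline: expected
script sources and hashes, expected security headers, and expected DNS answers.
Snapshots and baseline are constructed; this is not WebOrion's detection model."""
from __future__ import annotations
import hashlib
import re

SCRIPT_RE = re.compile(r'<script[^>]*\bsrc="([^"]+)"', re.I)

def script_sources(html: str) -> list[str]:
    return SCRIPT_RE.findall(html)

def sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed baseline recorded when the site was known-good
BASELINE = {
    "scripts": {"https://static.example.com/app.js": sha256("window.app = {};")},
    "headers": {"strict-transport-security": "max-age=31536000",
                "content-security-policy": "default-src 'self'"},
    "dns": {"A": {"203.0.113.10"}, "NS": {"ns-1.example-dns.net", "ns-2.example-dns.net"}},
}

def compare(observed: dict, baseline: dict = BASELINE) -> list[str]:
    """One alert per deviation: new script, changed script, header drift, DNS change."""
    alerts = []
    seen = set(script_sources(observed["html"]))
    for src in sorted(seen - set(baseline["scripts"])):
        alerts.append(f"unexpected script source: {src}")
    for src, expected_hash in baseline["scripts"].items():
        body = observed["script_bodies"].get(src)
        if body is None:
            alerts.append(f"expected script missing: {src}")
        elif sha256(body) != expected_hash:
            alerts.append(f"script content changed: {src}")
    lower = {k.lower(): v for k, v in observed["headers"].items()}
    for h, v in baseline["headers"].items():
        if lower.get(h) != v:
            alerts.append(f"header drift: {h} = {lower.get(h)!r}")
    for rtype, expected in baseline["dns"].items():
        got = set(observed["dns"].get(rtype, []))
        if got != expected:
            alerts.append(f"DNS {rtype} answers changed: {sorted(got)}")
    return alerts

# Constructed observations: the first is clean, the second has an injected script,
# a modified first-party script, a dropped CSP header and a hijacked A record.
CLEAN = {
    "html": '<html><head><script src="https://static.example.com/app.js"></script></head></html>',
    "script_bodies": {"https://static.example.com/app.js": "window.app = {};"},
    "headers": {"Strict-Transport-Security": "max-age=31536000",
                "Content-Security-Policy": "default-src 'self'"},
    "dns": {"A": ["203.0.113.10"], "NS": ["ns-1.example-dns.net", "ns-2.example-dns.net"]},
}
TAMPERED = {
    "html": ('<html><head><script src="https://static.example.com/app.js"></script>'
             '<script src="https://cdn.attacker.example/skim.js"></script></head></html>'),
    "script_bodies": {"https://static.example.com/app.js":
                      "window.app = {}; fetch('https://cdn.attacker.example/c')"},
    "headers": {"Strict-Transport-Security": "max-age=31536000"},
    "dns": {"A": ["198.51.100.200"], "NS": ["ns-1.example-dns.net", "ns-2.example-dns.net"]},
}

if __name__ == "__main__":
    print("clean:", compare(CLEAN))
    print("tampered:", *compare(TAMPERED), sep="\n  ")
```

Because the observer fetches from outside, the same check catches tampering at a CDN, a compromised DNS delegation or an intermediary that rewrites responses, none of which would be visible from inside the application.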
Web application security
Most applications today rely on HTTP and web-based access for their users, which makes HTTP traffic analysis and security one of the most critical and fundamental requirements to consider when deploying a production-ready web application.
Challenges:
- There's huge diversity in the types and scale of attacks that web-based applications are exposed to: everything from scraping and defacement to massive distributed denial-of-service (DDoS) attacks and the exploitation of vulnerabilities for data theft or unauthorized access.
- Today, web applications are usually built on top of many different microservices, each exposing its own attack surface.
- Optimizing security centrally in your architecture, so that all services are protected from this wide range of threats, becomes a key strategy for ensuring security and reliability.
Key tools for the job
How it works
DataDome
- DataDome offers a unique range of threat-detection capabilities backed by AI algorithms that enable signature-based, behavioral, reputational, and vulnerability detection mechanisms with a single implementation. You can modify and define custom rules using these various detection capabilities for highly dynamic and optimized criteria that matches specifically to your own application and environment.
Amazon CloudFront
- DataDome integrates directly with Amazon CloudFront using the AWS Lambda@Edge service. This simple integration provides real-time analysis of all the requests hitting your web application while leveraging the global and ultra-low-latency capabilities of Amazon CloudFront.
Getting started
- Sign up for DataDome in AWS Marketplace using your AWS account.
- Make sure you have your Amazon CloudFront distributions configured and enabled.
- Use Lambda@Edge to run the DataDome agent for your Amazon CloudFront content delivery network (CDN) traffic.
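An added example (a constructed stand-in, not DataDome's module) of the Lambda@Edge integration shape: the function receives a CloudFront viewer-request event, classifies it with a signature list and a per-client rate limit, and either returns the request unchanged or returns a 403 response. The counter lives in the function's memory, so it illustrates the mechanism only; a real deployment needs shared state across edge locations, which is what a managed service provides.

```python
"""Viewer-request filter in the Lambda@Edge event shape: a CloudFront request
comes in, and the function either returns it unchanged (pass) or returns a 403
response (block). The scoring rules, signature list and rate limit are a
constructed stand-in for a bot-protection integration such as DataDome's, not
its code; the per-container counter is not shared across edge locations."""
from __future__ import annotations
import time
from collections import defaultdict, deque

KNOWN_BAD_UA_FRAGMENTS = ("sqlmap", "python-requests/", "masscan")   # constructed signature list
RATE_LIMIT = 20          # requests
RATE_WINDOW = 10.0       # seconds
_recent: dict[str, deque] = defaultdict(deque)

def _header(request: dict, name: str) -> str:
    """CloudFront lowercases header names and wraps values in a list of key/value pairs."""
    values = request.get("headers", {}).get(name.lower(), [])
    return values[0]["value"] if values else ""

def _rate_exceeded(client_ip: str, now: float) -> bool:
    q = _recent[client_ip]
    q.append(now)
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()
    return len(q) > RATE_LIMIT

def classify(request: dict, now: float | None = None) -> tuple[str, str]:
    """Return (verdict, reason). Signature and rate checks are the two mechanisms shown."""
    now = time.time() if now is None else now
    ua = _header(request, "user-agent").lower()
    if not ua:
        return "block", "missing-user-agent"
    if any(sig in ua for sig in KNOWN_BAD_UA_FRAGMENTS):
        return "block", "ua-signature"
    if _rate_exceeded(request["clientIp"], now):
        return "block", "rate-limit"
    return "pass", "ok"

def handler(event: dict, context=None):
    """Lambda@Edge viewer-request entry point: return the request to pass, a response to block."""
    request = event["Records"][0]["cf"]["request"]
    verdict, reason = classify(request)
    if verdict == "pass":
        return request
    return {
        "status": "403",
        "statusDescription": "Forbidden",
        "headers": {"x-block-reason": [{"key": "X-Block-Reason", "value": reason}]},
        "body": "blocked",
    }

def make_event(client_ip: str, user_agent: str, uri: str = "/") -> dict:
    """Constructed viewer-request event in the shape CloudFront delivers to Lambda@Edge."""
    headers = {"host": [{"key": "Host", "value": "www.example.com"}]}
    if user_agent:
        headers["user-agent"] = [{"key": "User-Agent", "value": user_agent}]
    return {"Records": [{"cf": {"request": {"clientIp": client_ip, "method": "GET",
                                            "uri": uri, "headers": headers}}}]}

if __name__ == "__main__":
    print(handler(make_event("198.51.100.7", "Mozilla/5.0"))["uri"])
    print(handler(make_event("198.51.100.8", "sqlmap/1.7"))["status"])
```

Running at the viewer-request trigger means a blocked request never reaches the origin or the cache, which is the latency and cost argument for doing this at the edge.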
Incident prevention, management and response
This capability focuses on managing security across complex cloud-native environments where data sources and compliance requirements continue to grow. It emphasizes the need for efficient platforms that enable central observation, identification, and reaction to threats while managing security incidents and events effectively across global-scale operations.
Security information and event management
As cloud-native solutions scale, both the data sources that must be analyzed to ensure security and the regulatory and compliance frameworks that must be satisfied grow in number and complexity. An efficient and intuitive platform for centrally observing, identifying, and reacting to threats in this landscape is a must for organizations operating cloud-native applications on a global scale, and this is the role of security information and event management (SIEM) platforms.
Challenges:
- Integrating and configuring cloud Security Information and Event Management (SIEM) tools is usually complex, because it means wiring up many different data sources and workflows. Identifying the relevant data sources, understanding the regulatory landscape, and fine-tuning alerts and correlations so they fire effectively takes time, attention to detail, and a lot of cross-functional collaboration.
- Having a view into the potential scale of the data and events that will flow through the platform is also critical to avoid scalability problems as the tools are rolled out.
Key tools for the job
How it works
Logz.io Cloud SIEM
- The SIEM offering by Logz.io is built to scale elastically as new data sources enter your application landscape. It allows for cross-referencing and analyzing user behavior at scale and dramatically simplifies identifying and responding to threats mapped to known frameworks such as MITRE ATT&CK. Ramp-up time is shortened by out-of-the-box dashboards and an ample range of available integrations.
CloudWatch
- Most AWS solutions ship telemetry to Amazon CloudWatch by default, making Amazon CloudWatch a simple and powerful source of data and insights into your entire cloud estate. With Logz.io AWS Lambda extensions you can easily ship all or some of your Amazon CloudWatch data to Logz.io Cloud SIEM for correlation and analysis.
Getting started
- Sign up for Logz.io Cloud SIEM in AWS Marketplace using your AWS account.
- Configure the Logz.io AWS Lambda function to ship your Amazon CloudWatch telemetry for Cloud SIEM analysis.
- Explore your data in Cloud SIEM.
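The shipping step above has to decode a CloudWatch Logs subscription payload before anything can be correlated. Here is an added example (not Logz.io's integration or rule set) that builds such a payload, decodes it the way a Lambda shipper must, normalizes the records, and runs one detection over them: repeated failed console logins from one address, and a success that follows them. The CloudTrail-style records and the account ID are constructed.

```python
"""Decode a CloudWatch Logs subscription payload (the event a Lambda shipper
receives), normalize the log events, and run one detection over them. The
records are constructed CloudTrail-style console-login events; the shipper and
rule logic are an illustration, not Logz.io's integration or rule set."""
from __future__ import annotations
import base64
import gzip
import json
from collections import defaultdict

def encode_subscription_event(log_group: str, messages: list[str]) -> dict:
    """Build the same structure CloudWatch Logs delivers: gzip + base64 of a JSON envelope."""
    envelope = {
        "messageType": "DATA_MESSAGE",
        "owner": "123456789012",          # placeholder account ID
        "logGroup": log_group,
        "logStream": "example-stream",
        "subscriptionFilters": ["example-filter"],
        "logEvents": [{"id": str(i), "timestamp": 1700000000000 + i * 1000, "message": m}
                      for i, m in enumerate(messages)],
    }
    raw = gzip.compress(json.dumps(envelope).encode())
    return {"awslogs": {"data": base64.b64encode(raw).decode()}}

def decode_subscription_event(event: dict) -> list[dict]:
    """Inverse of the above: the first thing a shipping Lambda does with the event."""
    raw = base64.b64decode(event["awslogs"]["data"])
    envelope = json.loads(gzip.decompress(raw))
    out = []
    for le in envelope["logEvents"]:
        record = json.loads(le["message"])
        out.append({
            "ts": le["timestamp"],
            "log_group": envelope["logGroup"],
            "event": record.get("eventName"),
            "source_ip": record.get("sourceIPAddress"),
            "user": record.get("userIdentity", {}).get("userName"),
            "outcome": record.get("responseElements", {}).get("ConsoleLogin"),
        })
    return out

def detect_console_bruteforce(events: list[dict], threshold: int = 3) -> list[dict]:
    """Failed console logins from one IP reaching the threshold, and any success after them."""
    failures = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "ConsoleLogin":
            continue
        ip = e["source_ip"]
        if e["outcome"] == "Failure":
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.append({"technique": "T1110", "source_ip": ip,
                               "detail": f"{threshold} failed console logins"})
        elif e["outcome"] == "Success" and failures[ip] >= threshold:
            alerts.append({"technique": "T1078", "source_ip": ip, "user": e["user"],
                           "detail": "success after repeated failures"})
    return alerts

def _login(user: str, ip: str, outcome: str) -> str:
    return json.dumps({"eventName": "ConsoleLogin", "sourceIPAddress": ip,
                       "userIdentity": {"userName": user},
                       "responseElements": {"ConsoleLogin": outcome}})

# Constructed sample: three failures then a success from one IP, one stray failure from another
SAMPLE_EVENT = encode_subscription_event("/aws/cloudtrail/example", [
    _login("alice", "198.51.100.23", "Failure"),
    _login("alice", "198.51.100.23", "Failure"),
    _login("bob", "203.0.113.5", "Failure"),
    _login("alice", "198.51.100.23", "Failure"),
    _login("alice", "198.51.100.23", "Success"),
])

def run(event: dict = SAMPLE_EVENT) -> list[dict]:
    return detect_console_bruteforce(decode_subscription_event(event))

if __name__ == "__main__":
    for a in run():
        print(a)
```

The two alerts carry MITRE ATT&CK technique identifiers (T1110 Brute Force, T1078 Valid Accounts), which is the kind of framework mapping a SIEM applies so that analysts can pivot from an alert to the tactic it belongs to.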
Data security
Securing data would merit a guide of its own (and we'll likely release one sooner rather than later, so keep an eye out), but for practical reasons this guide focuses on two cloud security tool categories that are cornerstones of data security and system reliability.
Backup-and-disaster recovery
Security is not just a concern that revolves around attacks and vulnerabilities. Achieving a secure deployment must also consider risks that derive from system failure, data corruption, and human error.
Challenges:
- Getting data backed up is only half of the job; making sure that data can be restored, and moved where it is needed, in the event of a disaster is just as important. Having the tools to back up, validate, and restore data flexibly is a key requirement of any backup-and-disaster-recovery setup.
- Storing and moving data around can be costly, which means ensuring you are optimally using different storage tiers and reducing the total volume of data transferred at any given time is critical to keeping costs under control without negatively impacting the reliability your backup-and-recovery solution offers.
Key tools for the job
How it works
Clumio Protect and Discover
- Clumio offers an integrated solution to back up your Amazon Simple Storage Service (Amazon S3), Amazon Elastic Block Store (Amazon EBS), Amazon Relational Database Service (Amazon RDS), and Amazon DynamoDB data, providing a unified view into your data estate and consolidated information that can be used internally and externally (for example, by auditors, to demonstrate that your compliance obligations are met). Used with a service like Amazon DynamoDB, Clumio gives you a single management plane for backing up your data alongside other application components. If disaster strikes and recovery is necessary, Clumio's massively parallel restore makes rehydration efficient and seamless.
Amazon DynamoDB
- The architecture of data in Amazon DynamoDB lends itself to optimized backup and restore processes, thanks to its flexible primary and partition key definition capabilities and its massive table capacity.
Getting started
- Sign up for Clumio Protect and Discover in AWS Marketplace using your AWS account.
- Configure your various AWS data sources for backup.
- Validate recovery and compliance.
Virus protection
Viruses have existed as threats to systems since the early 1970s and remain one of the most pervasive and damaging risks to systems and their users. Viruses can act in many ways, directly disrupting system capabilities and, sometimes, hiding in plain sight while providing a foothold for more advanced attacks.
Challenges:
- Viruses leverage many ways to spread themselves and can serve many purposes, from acting as Trojan horses to acting as ransomware, and may be dormant in storage for long periods of time before executing malicious code.
- Scanning for viruses, depending on the volume of data that must be scanned, can be a slow activity that negatively impacts the performance of services or applications that rely on the data being scanned.
- Identifying virus signatures requires continuous updating of virus databases and ongoing rescanning of data to ensure newly discovered viruses are guarded against.
Key tools for the job
How it works
Cloud Storage Security Antivirus for Amazon S3
- This cloud security tool can scan all sorts of AWS sources, including Amazon S3 as well as Amazon Elastic File System (EFS) file systems, Amazon EBS volumes, and more. You can configure it for event-based, on-demand, or scheduled scanning, giving you flexible control so that scan processes do not affect user experience or performance. Event-based scanning is the most efficient option, because it scans only what changed, when it changed. The solution runs inside your AWS environment, so data never leaves your account.
Amazon S3
- Using Amazon S3, whether as a staging area or as the final storage location, allows for efficient scanning regardless of your data pipelines and processes, and you get the flexibility of Amazon S3's practically unlimited scale.
Getting started
- Sign up for Cloud Storage Security Antivirus for Amazon S3 in AWS Marketplace using your AWS Account.
- Configure your Amazon S3 buckets and other AWS resources as scan targets.
- Configure scanning frequency and other configuration parameters.
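An added example (not Cloud Storage Security's engine) of event-based scanning: an S3 ObjectCreated notification names the object that changed, only that object is read and scanned, and a match is moved under a quarantine prefix and tagged. The bucket is an in-memory stand-in and the only signature is the EICAR test string, so the example runs offline.

```python
"""Event-driven scan of newly written objects: consume an S3 ObjectCreated event,
scan only the object it names, and quarantine matches. The object store is an
in-memory stand-in and the only signature is the EICAR test string, so this runs
offline; it is not Cloud Storage Security's engine."""
from __future__ import annotations
import hashlib

# The EICAR test string is assembled from two halves so that this source file itself
# is not flagged by endpoint antivirus; the joined value is the standard test string.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-" + "ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed signature table: SHA-256 of the whole EICAR file
SIGNATURES = {hashlib.sha256(EICAR.encode()).hexdigest(): "EICAR-Test-File"}
QUARANTINE_PREFIX = "quarantine/"

class FakeBucket:
    """In-memory stand-in for the few S3 operations the scanner needs."""
    def __init__(self, objects: dict[str, bytes]):
        self.objects = dict(objects)
        self.tags: dict[str, dict] = {}
    def get(self, key: str) -> bytes:
        return self.objects[key]
    def put(self, key: str, body: bytes) -> None:
        self.objects[key] = body
    def delete(self, key: str) -> None:
        del self.objects[key]
    def tag(self, key: str, tags: dict) -> None:
        self.tags[key] = tags

def scan_bytes(data: bytes) -> str | None:
    """Whole-file hash lookup, then a substring match for the test string."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        return SIGNATURES[digest]
    if EICAR.encode() in data:
        return "EICAR-Test-File (embedded)"
    return None

def handle_s3_event(event: dict, buckets: dict[str, FakeBucket]) -> list[dict]:
    """One result per record; infected objects are moved under the quarantine prefix and tagged."""
    results = []
    for rec in event["Records"]:
        if not rec["eventName"].startswith("ObjectCreated"):
            continue
        bucket = buckets[rec["s3"]["bucket"]["name"]]
        key = rec["s3"]["object"]["key"]
        if key.startswith(QUARANTINE_PREFIX):
            continue   # our own quarantine write; skipping it avoids an event loop
        verdict = scan_bytes(bucket.get(key))
        if verdict:
            bucket.put(QUARANTINE_PREFIX + key, bucket.get(key))
            bucket.delete(key)
            bucket.tag(QUARANTINE_PREFIX + key, {"scan-result": "infected", "signature": verdict})
        else:
            bucket.tag(key, {"scan-result": "clean"})
        results.append({"key": key, "verdict": verdict or "clean"})
    return results

def s3_put_event(bucket: str, key: str) -> dict:
    """Constructed ObjectCreated:Put notification in the shape S3 sends."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}]}

def demo() -> tuple[list[dict], FakeBucket]:
    b = FakeBucket({"uploads/report.pdf": b"%PDF-1.4 harmless", "uploads/test.com": EICAR.encode()})
    results = []
    for key in ("uploads/report.pdf", "uploads/test.com"):
        results += handle_s3_event(s3_put_event("example-uploads", key), {"example-uploads": b})
    return results, b

if __name__ == "__main__":
    res, bucket = demo()
    print(res)
    print(sorted(bucket.objects))
```

Tagging clean objects as well as infected ones is what lets downstream consumers (or a bucket policy) refuse to serve anything that has not yet been scanned, and the quarantine-prefix check is the guard you need whenever the scanner writes back into the bucket that triggers it.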
Essential tools and guidance to help you build with AWS
About AWS Marketplace
AWS Marketplace makes it easy to find and add new tools from across the AWS partner community to your tech stack with the ability to try for free and pay-as-you-go using your AWS account.