IAM Best Practices & Multi-Factor Authentication
IAM Best Practices
- Lock away your AWS account root user access keys.
- Create individual IAM users; never share credentials.
- Use groups to assign permissions to IAM users.
- Grant least privilege: only the permissions required to perform a task.
- Get started with AWS managed policies, move toward customer managed policies.
- Rotate credentials regularly.
- Remove unnecessary credentials.
- Use policy conditions for extra security.
- Monitor activity in your AWS account via AWS CloudTrail.
Multi-Factor Authentication (MFA)
MFA adds an extra layer of protection on top of a username and password. Enable MFA for the root account and all privileged IAM users. Supported MFA types: Virtual MFA (Google Authenticator), Hardware MFA (YubiKey), SMS text (legacy).
Encryption & Data Protection
Encryption at Rest
AWS services support encrypting stored data using keys managed by AWS Key Management Service (KMS) or customer-provided keys. Examples: EBS volume encryption, S3 server-side encryption (SSE-S3, SSE-KMS, SSE-C), RDS encryption at rest.
Encryption in Transit
Use TLS/HTTPS to encrypt data moving between clients and AWS services. AWS Certificate Manager (ACM) provisions and manages SSL/TLS certificates for free.
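The bucket policy below is an added example, not from the original notes, that enforces both points above at the S3 layer: one Deny statement rejects any request that does not arrive over TLS, and a second rejects uploads that do not request SSE-KMS. The condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption` are real AWS keys; the bucket name, object key and request contexts are constructed. The small evaluator models only the Deny statements and the three condition operators used, and assumes the Allow side comes from IAM.

```python
import fnmatch

# Constructed bucket policy for this example; the bucket name is a placeholder.
# aws:SecureTransport is "false" for plain-HTTP requests, and
# s3:x-amz-server-side-encryption carries the SSE header on PutObject
# ("AES256" for SSE-S3, "aws:kms" for SSE-KMS).
BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}

OBJECT = BUCKET_ARN + "/2024/report.csv"  # constructed object ARN


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate the condition operators used above against a request-context
    dict. A negated operator (StringNotEquals) is satisfied when the key is
    absent, which is how IAM treats a request without the SSE header."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def explicit_deny(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement matching the request, or
    None when no explicit deny applies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed request contexts: plain HTTP, HTTPS with no SSE header, HTTPS with SSE-KMS
    for ctx in ({"aws:SecureTransport": "false"},
                {"aws:SecureTransport": "true"},
                {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}):
        print(ctx, "->", explicit_deny(BUCKET_POLICY, "s3:PutObject", OBJECT, ctx))
```

Because the second statement uses a negated operator, an upload that omits the header entirely is denied as well as one that asks for SSE-S3; reads over HTTPS are untouched.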
AWS Shield & WAF
- AWS Shield Standard: automatically protects all AWS customers from common DDoS attacks at no additional charge.
- AWS Shield Advanced: enhanced DDoS protection, 24/7 DDoS Response Team, cost protection against scaling charges.
- AWS WAF: Web Application Firewall to protect against common web exploits (SQL injection, XSS) using configurable rules.
Compliance & Governance
AWS Compliance Programmes
AWS maintains compliance with major programmes including: PCI DSS, HIPAA, SOC 1/2/3, ISO 27001, FedRAMP, GDPR. Use AWS Artifact to download compliance reports and agreements on demand.
AWS Trusted Advisor
Provides real-time guidance across five pillars: Cost Optimisation, Performance, Security, Fault Tolerance, and Service Limits. Some checks are free; full access requires Business or Enterprise Support.
AWS Config
Continuously monitors and records your AWS resource configurations and allows you to automate evaluation of recorded configurations against desired configurations (compliance rules).
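To show what "evaluating a recorded configuration against a desired configuration" looks like in practice, here is an added example (not from the notes, and not AWS's own code) of a custom Config rule handler that marks an EBS volume non-compliant when it is not encrypted. The invocation follows the custom-rule Lambda format, in which `invokingEvent` is a JSON string wrapping the `configurationItem`; the volume id, timestamp and result token are placeholders, and the `put_evaluations` call back to Config is left as a comment so the example runs offline.

```python
import json

# Constructed Config invocation for this example, in the shape a custom rule
# Lambda receives. Resource id, timestamp and token are placeholders.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "size": 100},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "placeholder-token",
}

# Desired configuration: every EBS volume is encrypted at rest
APPLICABLE_TYPES = {"AWS::EC2::Volume"}


def evaluate_compliance(item):
    """Compare one recorded configuration item with the desired state."""
    if item["resourceType"] not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE"
    if item["configuration"].get("encrypted") is True:
        return "COMPLIANT"
    return "NON_COMPLIANT"


def build_evaluation(event):
    """Unwrap the invocation and produce the evaluation record Config expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    # When deployed as a rule the result is reported back with
    # boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    # which is omitted here so the example runs without AWS credentials.
    return evaluation


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

AWS also ships a managed rule for this particular check; the custom rule is used here only to make the evaluation step visible.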
AWS CloudTrail
Records API calls made in your AWS account. Provides governance, compliance, and operational and risk auditing. Logs are stored in S3. Essential for security investigation and auditing.
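As an added example (not part of the notes) of using CloudTrail for the monitoring called for in the IAM best practices and for security investigation, the script below parses one CloudTrail log file and applies three detections: root account activity, console logins without MFA, and changes to trail logging. The records are constructed for the example (account id, ARNs and IP addresses are placeholders) but use the CloudTrail record field names; the list of trail-tampering event names is this example's own choice.

```python
import json

# Constructed CloudTrail log file for this example, in the {"Records": [...]}
# layout CloudTrail delivers to S3 (after gunzip). Ids and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-01T08:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]})

# CloudTrail API calls that reduce or alter audit coverage (this example's list)
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect(record):
    """Return the names of the detection rules a single record triggers."""
    hits = []
    if record.get("userIdentity", {}).get("type") == "Root":
        hits.append("root_account_used")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if record.get("eventName") == "ConsoleLogin" and mfa != "Yes":
        hits.append("console_login_without_mfa")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        hits.append("cloudtrail_logging_modified")
    return hits


def scan_log(log_text):
    """Parse one CloudTrail log file and return (rule, eventTime, actor ARN,
    source IP) tuples for every record that triggers a rule."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        for rule in detect(rec):
            findings.append((rule, rec["eventTime"],
                             rec.get("userIdentity", {}).get("arn"),
                             rec.get("sourceIPAddress")))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding, sep="  ")
```

On the sample file the root login produces two findings (root usage and no MFA) and the StopLogging call a third; the ordinary S3 read produces none. The same `scan_log` function can be run over every object a trail writes to its S3 bucket.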