AWS native security services

One of the key aspects for any customer in a public cloud is having the right security posture for its workloads and corporate governance policies. At times, it can be hard to map the controls from an on-premise environment to the cloud, as it is not an apples-to-apples comparison. However, in recent times, AWS has introduced many new services specifically in the security space, which aim to close this gap between on-premise controls and native AWS capabilities.

AWS has offered the AWS Identity and Access Management (IAM) service for many years; with it, you can manage your cloud-based users and groups and their access permissions on various AWS resources. With this service, you can enable fine-grained access controls (for example, restricting specific API calls in your environment so that they are only allowed from specific IP address ranges), integrate with your corporate directory to grant federated access, and even require multi-factor authentication (MFA) for actions on any service.

IAM is a must-have service in order to operate in the AWS environment. However, a couple of other cloud-native services that are often overlooked but are highly useful for any type of environment are as follows:

  • AWS Key Management Service: AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses hardware security modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. More details are available at https://aws.amazon.com/kms/.
  • AWS CloudTrail: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. More details are available at https://aws.amazon.com/Cloudtrail/.

Both of the preceding services are fully managed, integrated with various other AWS services, and very easy to use. In fact, with these types of easy-to-use and configurable services, the level of control that any startup customer gets is the same as that of any enterprise customer using the AWS platform. This is the true power of the democratization that the cloud provides, wherein all the services and features are available to everyone, thereby making it a level playing field for innovation and new application models.

As a result of these cloud-native services, customers don't need to procure expensive key management appliances, or buy or build custom software packages, to perform these must-enable functions for their deployments. Having said that, some of these services are limited to cloud-based environments, so if you have a hybrid environment that includes on-premise infrastructure components, then having a single pane of glass to manage or monitor everything using these services becomes a little challenging.

Apart from the core capabilities that these services provide in terms of functionality, using advanced architectural patterns one can also create self-learning or self-adapting security models. As an example, if you have enabled CloudTrail logging for your account, then based on the API activity logs that the service delivers to your Amazon S3 buckets, you may choose to perform specific actions dynamically if you find any unexpected activity or malicious usage of your AWS account resources. To orchestrate this entire use case, AWS Lambda can be very handy, as it lets you define custom logic to not just detect but also react to certain conditions. This can be further combined with advanced techniques such as machine learning or deep learning, wherein instead of just reacting to specific conditions, you can build a model that trains itself and pre-empts those conditions before they occur. Of course, this requires additional effort and greater expertise to create these types of self-adapting security systems, but with the types of services and building blocks that the cloud now provides, it is definitely possible to move in that direction.
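As an added example (not code from the book), the detect-and-react pattern described above written as Python that a Lambda handler could run: it parses a constructed CloudTrail log file, flags console logins without MFA, API calls from outside an assumed corporate IP range (the same conditions an IAM policy can restrict, per the IAM paragraph earlier), and calls that weaken CloudTrail auditing or KMS key protection, then maps each finding to a response. The allowed network, the sensitive-event list, the sample records and the action names are all assumptions made for this example.

```python
import ipaddress
import json

# Constructed CloudTrail log file body (the JSON CloudTrail delivers to S3);
# users, addresses and times are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.21",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

# Assumed corporate egress range; API calls from anywhere else are unexpected.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# API calls that weaken auditing (CloudTrail) or key protection (KMS).
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "DisableKey", "ScheduleKeyDeletion"}

def detect(log_body):
    """Return one finding per suspicious record in a CloudTrail log file."""
    findings = []
    for rec in json.loads(log_body).get("Records", []):
        name = rec.get("eventName")
        base = {"user": rec.get("userIdentity", {}).get("userName", "unknown"),
                "event": name, "time": rec.get("eventTime")}
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append({**base, "reason": "console login without MFA"})
        if name in SENSITIVE_EVENTS:
            findings.append({**base, "reason": "sensitive audit/key operation"})
        try:
            addr = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
            if not any(addr in net for net in ALLOWED_NETWORKS):
                findings.append({**base, "reason": f"call from unexpected source {addr}"})
        except ValueError:
            pass  # calls made by AWS services carry a DNS name here, not an IP
    return findings

def react(findings):
    """Map findings to responses; in Lambda each tuple would become a boto3 call."""
    return [("attach_deny_all_policy" if f["reason"].startswith("sensitive")
             else "notify_security_team", f["user"]) for f in findings]

def lambda_handler(event, context):
    # A real handler downloads the S3 object named in the event; the sample stands in.
    findings = detect(SAMPLE_LOG)
    return {"findings": findings, "actions": react(findings)}
```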

Apart from AWS KMS and AWS CloudTrail, AWS has many other new security services that further help address specific use cases:

  • Amazon Inspector: Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports that are available via the Amazon Inspector console or API. More details are available at https://aws.amazon.com/inspector/.
  • AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer (SSL) / Transport Layer Security (TLS) certificates for use with AWS services. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the internet. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.
  • AWS WAF: AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow to or block from your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. More details are available at https://aws.amazon.com/waf/.
  • AWS Shield: AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. More details are available at https://aws.amazon.com/shield/.
  • Amazon GuardDuty: Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easier way to continuously monitor and protect your AWS accounts and workloads. More details are available at https://aws.amazon.com/guardduty/.
  • Amazon Macie: Amazon Macie is a machine learning-powered security service to discover, classify, and protect sensitive data. More details are available at https://aws.amazon.com/macie/.

The biggest benefit of all of the previously mentioned cloud-native services is that you can start to utilize them at any point in time, without having to worry about license procurement, complex configuration, and so on. However, as these services are still new compared to some of the enterprise ISV software packages with comparable functionality, for more complex use cases or deeper features they may not fully meet the needs. For those kinds of scenarios, AWS also offers the AWS Marketplace, where multiple ISV partners have cloud-optimized software packages available that are quick and easy to deploy in the AWS environment. So, depending on the use cases as well as the feature set requirements, it is always advisable to first evaluate these AWS cloud-native services and then, if need be, look at other ISV solutions.
