Skip to content



General Info
  • Security service which uses machine learning and NLP (natural language processing) to discover, classify and protect sensitive data stored in S3
  • Works directly with data stored in S3, but can also analyze CloudTrail logs
  • Monitors
    • Personally Identifiable Information (PII), Personal Health Information (PHI), regulatory documents (legal, financial), API keys and secret key material
    • Watches policy and ACL changes
    • Watches access patterns via CloudTrail
  • Data classifications
    • by Content Type (JSON, PDF, Excel, TAR/ZIP, source code, XML)
    • by Theme (AMEX/Visa/Mastercard card keywords, banking/financial keywords, hacker and web exploitation keywords)
    • by file extension (.bin, .c, .bat, .exe, .html, .sql)
    • by regular expression (aws_secret_key, RSA private key, SWIFT code, Cisco Router Config)

Audit Manager

  • Provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit

Control Tower

  • It helps you create new accounts and establish a security baseline for AWS accounts
  • This cannot be used if you already use AWS Organizations or if you previously used Landing Zone

Secrets Manager

Service which securely stores, encrypt and rotates DB credentials and other secrets
  • Encryption in transit and at rest using KMS
  • Automatically rotates credentials
  • Apps can make API calls to Secrets Manager to retrieve secrets programmatically
  • Apply fine grained access control using IAM policies:

    Policy Type Effect
    • You can grant access to many secrets for the same identity
    • Useful when setting up an IAM role that requires access to more than one secret
    • Grant access to multiple principals to a secret
  • Automatic secrets rotation:

    • The rotation process takes advantage of AWS Lambda functions to orchestrate the secret rotation process
    • The following database services support automatic secrets rotation:
      • RDS (Aurora, MySQL, PostgreSQL, Oracle, MariaDB, Microsoft SQL Server)
      • DocumentDB
      • Redshift

Comparison with Parameter Store:

Secrets Manager Parameter Store
Database credentials, API/SSH keys Password, DB strings, license codes, parameter values, config data
Built-in integration with RDS (MySQL, PostgreSQL, Aurora) User defined parameters
Built-in rotation of RDS secrets, support for non-RDS using Lambda Values may be clear text or encrypted
Charged: $0.40 secret/pcm + $0.05 per 10,000 API calls No additional charge
Integrated with Secrets Manager

Systems Manager (SSM)


Category Description
Operations Management
  • Understanding the current state of your environment and how its components are performing
  • Covers features such as Explorer, OpsCenter, CloudWatch Dashboard, and Personal Health Dashboard (PHD)
Application Management
  • Administration of applications that are distributed along several components and AWS accounts
  • Group resources of different types together based on a query (e.g. an application)
  • Inventory: applications, files, network configurations, Windows services, registries, etc.
  • Many features require the Agent installed (EC2 instances need an instance profile for a role that has the necessary permissions to allow the agent to interact with SSM)
Actions & Change Allows to specify a sequence of actions to be executed on your managed instances and how to control its execution
Instances & Nodes Manage instances and nodes at scale


Run Command
  • Manages a fleet of EC2 at scale, without having to login to each instance
  • Commands can be applied to a group of systems based on AWS instance tags or by selecting manually
  • SSM agent needs to be installed on all your managed instances
  • Integrations
    • Logs via CloudTrail
    • Can be triggered by CloudWatch Events
Session Manager
  • Browser based shell w/ IAM & CloudTrail
  • Can log session data to S3 and/or CloudWatch Logs
Parameter Store
  • Pass confidential information to EC2 as a bootstrap script
  • Types
    • String (plain text)
    • String List (plain text)
    • Secure String: encrypts data using KMS
  • Can be tagged + organized in a hierarchy
  • KMS for encryption (users need KMS permissions to use the corresponding CMK)
State Manager
  • Establishes the instance's desired state (via an association) and the actions to bring the instance to that desired state (OS configuration, rollout schedule, compliance reporting)
  • An association also defines which instances are covered by this desired state and a schedule to periodically execute the checks
  • Example: ensure that the antimalware is running → if it's not installed, State Manager will install it automatically, and if it's not running, State Manager will start the service
Patch Manager
  • Keeps instances and nodes in the desired state regarding OS and application patches
  • Patching configuration:
    • desired state for patching (a patch baseline with rules and definitions on which patches an instance should have)
    • target list of instances
    • schedule for patching
    • whether a specific maintenance window applies
  • To execute the patching actions
    • RunCommand (for a single execution)
    • MaintenanceWindows (when periodically scheduled)
Compliance Shows the current adherence status both for State Manager and Patch Manager
  • Aggregates operational issues, provides tools for diagnosis, and helps accelerate the resolution of those issues by allowing the automation of tasks through SSM automations
  • It's not recommended that you send security issues to OpsCenter to be centralized (you should use Security Hub instead)