AWS Shield Standard (DDoS Mitigation)
Protection against the most common DDoS attacks (such as SYN/UDP floods and reflection attacks at Layers 3 and 4). Available to all customers at no additional cost and activated by default. Detection and mitigation are automatic. https://aws.amazon.com/shield/
AWS Identity and Access Management (IAM)
Granular access control for the AWS infrastructure; the service is free, including enabling virtual MFA.
IAM Access Analyzer
AWS offers this tool free of charge. It uses automated reasoning to detect human mistakes in policy configuration, such as external actors (principals) granted permissions by resource policies (bucket policies, key policies, etc.).
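As an added illustration (this is not Access Analyzer's code): a simplified local check for the class of finding described above, flagging Allow statements in a resource policy whose principal is a wildcard or an account outside a trusted set. The account IDs and the bucket policy are constructed sample values, and unlike the real service this check ignores Condition keys.

```python
import re

# Account IDs treated as the zone of trust (constructed sample values).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}
# Captures the 12-digit account ID from an IAM or STS principal ARN.
_ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def principal_identifiers(principal):
    """Flatten Principal ("*", {"AWS": str} or {"AWS": [...]}) into a list.
    Service principals are not cross-account grants and are skipped."""
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [values] if isinstance(values, str) else list(values)


def external_principals(policy, trusted=TRUSTED_ACCOUNTS):
    """Return (Sid, principal) pairs from Allow statements that grant access
    to a wildcard or to an account outside `trusted`. Condition blocks such as
    aws:PrincipalOrgID are ignored, so this over-reports versus Access Analyzer."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue  # Deny statements and statements without a Principal cannot grant
        sid = stmt.get("Sid", "<no Sid>")
        for ident in principal_identifiers(stmt["Principal"]):
            match = _ACCOUNT_RE.match(ident)
            account = match.group(1) if match else (ident if ident.isdigit() else None)
            if account is None or account not in trusted:
                findings.append((sid, ident))
    return findings


# Constructed bucket policy: an internal grant, a partner grant, a public
# grant and a Deny statement that must not be reported.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::333333333333:root", "222222222222"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
```

Running `external_principals(SAMPLE_BUCKET_POLICY)` reports the partner account and the public ListBucket grant, while the internal role, the trusted bare account ID and the Deny statement are left alone.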
AWS Organizations
AWS Organizations lets you build a multi-account structure with centralized billing and gives the organization the ability to limit the maximum permissions available for the whole organization, for a particular business unit, or for a specific account (with Service Control Policies).
AWS IAM Identity Center (successor to AWS Single Sign-On)
AWS IAM Identity Center is a service that centralizes access to multiple accounts, offering a portal for accessing multiple AWS accounts with different roles as well as third-party corporate applications. It can use an internal user repository or an external directory such as AWS Directory Services, on-premises AD, or an external identity provider such as Okta, PingIdentity, OneLogin, or Azure AD. It provides access to the AWS Console and the AWS CLI and grants temporary credentials (in line with best practices).
S3 Block Public Access
The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don’t allow public access.
AWS Systems Manager: Patch Manager
(free for EC2 instances in the AWS Cloud; for on-premises or multi-cloud servers it has associated costs)
Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed nodes with both security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications.
AWS Systems Manager: Session Manager
The service allows you to connect to Linux or Windows instances (PowerShell) and manage them through a command interface. It does not require opening security groups to management ports or using bastion hosts. Optionally, it can record the executed commands and their output to text files. By integrating with AWS Console authentication, it enables MFA to be required for instance access.
AWS Systems Manager: Fleet Manager
The service allows you to manage instances running on AWS or on-premises servers through a unified interface that shows the health and performance of your server fleet from a single console. It also lets you collect information from the nodes to troubleshoot problems or perform management tasks directly from the AWS console. It includes the ability to connect to Windows instances using Remote Desktop Protocol (RDP), view folder and file contents, manage the Windows registry, manage operating system users, and more.
AWS Trusted Advisor
AWS Trusted Advisor is an online tool that provides real-time guidance to help provision resources according to AWS best practices. Trusted Advisor checks help you optimize your AWS infrastructure, increase security and performance, reduce overall costs, and monitor service limits. Whether establishing new workflows, developing applications, or being part of continuous improvements, leverage the recommendations provided regularly by Trusted Advisor to help you maintain optimal provisioning of solutions.
EC2 Image Builder (Golden Images)
(the service is free; only the generated infrastructure incurs costs)
EC2 Image Builder simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows Server images for use on Amazon EC2 and on-prem. Keeping server images up to date can be time consuming, resource intensive, and error prone. EC2 Image Builder significantly reduces the effort of keeping images up-to-date and secure by providing a simple graphical interface, built-in automation, and AWS-provided security settings. With Image Builder, there are no more manual steps to update an image and you don’t need to create your own automation pipelines.
AWS CloudFormation (Infrastructure as Code)
(the service is free; only the generated infrastructure incurs costs)
AWS CloudFormation provides an easy way to model a collection of related AWS and third-party resources, provision it quickly and consistently, and manage its entire lifecycle by treating infrastructure as code. A CloudFormation template describes the desired resources and their dependencies so that you can start and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as many times as you like, instead of managing resources individually.
AWS Well-Architected Tool (which has a Security pillar)
A service to assess your workload against the Well-Architected best practices through a questionnaire that produces recommendations based on your answers.