# Domains of the security and compliance workstream
<a name="domains"></a>

This section describes, in detail, the domains that the security and compliance workstream is responsible for. During the mobilize phase of your migration project, these domains help accelerate the planning and implementation of security and compliance on AWS:
+ [Security discovery and alignment](discovery-and-alignment.md)
+ [Security framework mapping](mapping.md)
+ [Security implementation, integration, and validation](implementation-integration-and-validation.md)
+ [Security documentation](documentation.md)
+ [Security and compliance cloud operations](cloud-operations.md)

It is important to address these domains during the mobilize phase in order to secure migration activities during the subsequent migration and modernize phase.

# Security discovery and alignment
<a name="discovery-and-alignment"></a>

When mobilizing a migration project, the first domain for the security and compliance workstream is *security discovery and alignment*. This domain is intended to help your organization achieve the following goals:
+ Train the security and compliance workstream about the AWS security services, capabilities, and compliance adherence
+ Discover your security and compliance requirements and current practices. Consider these requirements from an infrastructure and operations standpoint, including:
  + Security challenges and drivers for the target end state
  + Cloud security team skillset
  + Security risk and compliance policies, configurations, controls, and guardrails
  + Security risk appetite and baseline
  + Existing and prospective security tooling

## Immersion day workshops
<a name="immersion-day-workshops"></a>

To align on these goals, use security and compliance immersion days. *Immersion days* are workshops that cover a range of security-related topics, such as:
+ [AWS shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/)
+ [AWS security services](https://aws.amazon.com/products/security/)
+ [AWS Security Reference Architecture (AWS SRA)](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/)
+ [AWS compliance](https://aws.amazon.com/compliance/)
+ [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) of the AWS Well-Architected Framework

The immersion day workshops help establish a knowledge baseline for your security team. They train the team on AWS security services and on security and compliance best practices. AWS Solutions Architects, AWS Professional Services, and AWS Partners can help you run these interactive workshops. They use standard presentation decks, AWS labs, and whiteboard activities to help prepare your teams.

## Discovery workshops
<a name="discovery-workshops"></a>

After the immersion day workshops, you perform multiple deep-dive security and compliance discovery workshops. These help your teams discover the current security, risk, and compliance (SRC) requirements of the infrastructure, applications, and operations. You analyze these requirements through the following perspectives: people, process, and technology. The following are the areas of discovery for each perspective.

### People perspective
<a name="people-perspective"></a>
+ **Organizational structure** – Understand the current security and compliance workstream structure and responsibilities.
+ **Capabilities and skillsets** – Assess whether the team has practical knowledge and skillsets for AWS services and for cloud security and compliance capabilities. This includes discovery, planning, implementation, and operations.
+ **Responsible, accountable, consulted, informed (RACI) matrix** – Define the roles and responsibilities for current security and compliance activities within the organization.
+ **Culture** – Understand the current security and compliance culture. Prioritize security and compliance as part of the build, design, implementation, and operation phases. Introduce Development Security Operations (DevSecOps) into the cloud security and compliance culture.

### Process perspective
<a name="process-perspective"></a>
+ **Practices** – Define and document the current security and compliance processes to build, design, implement, and operate. Processes include:
  + Identity access and management
  + Incident detection controls and response
  + Infrastructure and network security
  + Data protection
  + Compliance
  + Business continuity and recovery
+ **Implementation documentation** – Document security and compliance policies, control configurations, tooling documentation, and architecture documentation. These documents are required to cover security and compliance from the infrastructure, network, applications, databases, and deployment areas.
+ **Risk documentation** – Create information security risk documentation that outlines the risk appetite and threshold.
+ **Validations** – Create internal and external security validation and audit requirements.
+ **Runbooks** – Develop operational runbooks that cover the current, standard implementation and governance processes for security and compliance.

### Technology perspective
<a name="technology-perspective"></a>
+ **Services and tools** – Use tools to validate your security and compliance posture and to enforce and govern the current IT landscape. Establish tooling for the following categories:
  + Identity access and management
  + Incident detection controls and response
  + Infrastructure and network security
  + Data protection
  + Compliance
  + Business continuity and recovery

During the AWS security discovery workshop, you use standardized data collection templates and questionnaires to collect data. In scenarios where you are unable to provide the information due to lack of data clarity or obsolete data, you can use a migration discovery tool to collect application and infrastructure-level security information. For a list of discovery tools that you can use, see [Discovery, planning, and recommendation migration tools](https://aws.amazon.com/prescriptive-guidance/migration-tools/migration-discovery-tools/) on AWS Prescriptive Guidance. The list provides details about each tool's discovery capabilities and usage. It also compares tools to help you choose the best tool to meet your IT landscape requirements and constraints.

During the initial security assessment, we highly recommend that you start with threat modeling. This helps you identify possible threats and the existing measures that are in place. There might also be predefined and documented requirements for security, compliance, and risk. For more information, see the [Threat modeling for builders workshop](https://explore.skillbuilder.aws/learn/course/external/view/elearning/13274/threat-modeling-the-right-way-for-builders-workshop) (AWS training) and [How to approach threat modeling](https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/) (AWS blog post). This approach helps you reconsider your security and compliance strategies for deployment, implementation, and governance in the AWS Cloud.

# Security framework mapping
<a name="mapping"></a>

After completing the security discovery and alignment domain, the next step is to complete the *security framework mapping* domain. This domain is a workshop process that maps the discovered security and compliance requirements to AWS Cloud security services. It also aligns your architecture and operations to AWS security and compliance best practices. The workshop maps all requirements from the people, process, and technology perspectives in order to cover the following:
+ AWS infrastructure
  + AWS account, infrastructure, and network protection
  + Data protection
  + Compliance
  + Incident detection and response
  + Identity and access management
  + Business continuity and recovery
+ Application on AWS
  + Following best practices for AWS services to help protect your application
  + Access control for applications, databases, operating systems, and data
  + Operating system protection
  + Application, database and data protection
  + Incident detection and response
  + Compliance
  + Application business continuity and recovery

As you complete the security framework mapping domain, consider the defined risk appetite, team structure, team skillset and capability, security processes, security policies, security controls, tooling, security operations, and other security requirements and constraints. Overall, security framework mapping provides organizations with a systematic approach to managing security risks, maintaining compliance, and continuously improving their security posture, according to industry standards and best practices.

The security framework mapping process uses the [AWS Security Reference Architecture (AWS SRA)](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/), the [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) of the AWS Well-Architected Framework, the [Migration Lens](https://docs.aws.amazon.com/wellarchitected/latest/migration-lens/security.html) of the AWS Well-Architected Framework, and the [Introduction to AWS Security](https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/welcome.html) whitepaper. These documents act as guiding references to help you follow AWS best practices for cloud security and compliance.

By using standardized mapping templates in the workshop, you map the requirement to the target end state. You highlight the tools, AWS services, processes, policies, controls, and changes that are required to achieve the target end state.

When running the security framework mapping workshop, you can use AWS Professional Services, AWS Security Solution Architects, or AWS Partners. These resources can help you accelerate and facilitate the workshop. Security framework mapping workshops can be included as part of an [Experience-Based Acceleration (EBA) party](https://aws.amazon.com/blogs/mt/level-up-your-cloud-transformation-with-experience-based-acceleration-eba/), which is led by AWS Solution Architects, AWS Customer Solution Managers, or AWS Partners. The EBA party acts as an accelerator to help you build a strong AWS Cloud foundation that follows AWS migration and modernization best practices.

# Security implementation, integration, and validation
<a name="implementation-integration-and-validation"></a>

After mapping out your security, risk, and compliance requirements, the next domain is *security implementation, integration, and validation*. Based on the identified requirements, choose appropriate security controls and measures to mitigate risks effectively. This might include encryption, access controls, intrusion detection systems, or firewalls. Integrate security solutions, such as intrusion detection and prevention systems, endpoint protection, and identity management, into the existing IT infrastructure in order to provide comprehensive security coverage. Conduct regular security assessments, including vulnerability scanning, penetration testing, and code reviews, to validate the effectiveness of security controls and identify weaknesses or gaps. By focusing on security implementation, integration, and validation, organizations can strengthen their security posture, reduce the likelihood of security breaches, and demonstrate compliance with regulatory requirements and industry standards.

## Implementation
<a name="implementation"></a>

First, update the documentation for your current security, risk and compliance threshold or appetite. This allows you to implement the planned security and compliance requirements, controls, policies, and tooling in the cloud. This step is needed only if you have an existing risk register and appetite defined, which would have been identified during the discovery workshops.

Next, you implement the planned security and compliance requirements, controls, policies, and tooling in the cloud. We recommend that you implement these in the following order: infrastructure, AWS services, operating system, and then application or database. Use the information in the following table to make sure that you've addressed all required areas of security and compliance.


| Area | Security and compliance requirements |
| --- | --- |
| Infrastructure | AWS account; landing zone; preventative controls; detective controls; network segmentation; access control; encryption; logging, monitoring, and alerting |
| AWS services | AWS service configuration; instances; storage; network; access control; encryption; updates and patches; logging, monitoring, and alerting |
| Operating system | Antivirus; malware and worm protection; configuration; network protection; access control; encryption; updates and patches; logging, monitoring, and alerting |
| Application or database | Configuration; code and schema; access control; encryption; updates and patches; logging, monitoring, and alerting |

## Integration
<a name="integration"></a>

Security implementation often requires integration with the following:
+ **Networking** – Networking within and external to the AWS Cloud
+ **Hybrid IT landscape** – IT environments other than the AWS Cloud, such as on premises, public clouds, private clouds, and colocations
+ **External software or services** – Software and services that are managed by independent software vendors (ISVs) and are not hosted in your environment
+ **Cloud operating model services** – AWS cloud operating model services that provide DevSecOps capabilities

During the assess phase of your migration project, use discovery tools, existing documentation, or application interview workshops to identify and confirm these security integration points. When designing and implementing the workloads in the AWS Cloud, establish these integrations according to the security and compliance policies and processes that you defined during the mapping workshops.

## Validation
<a name="validation"></a>

After implementation and integration, the next activity is to validate the implementation. You make sure that the setup is aligned to AWS best practices for security and compliance. We recommend that you validate security from two coverage areas:
+ **Workload-specific vulnerability assessment and penetration testing** – Validate the operating system, application, database, or network security of workloads that run on AWS services. To conduct these validations, use existing tools and test scripts. It is important to comply with the [AWS penetration testing customer support policy](https://aws.amazon.com/security/penetration-testing/) when carrying out these assessments.
+ **AWS security best practice validation** – Validate whether your AWS implementation complies with the AWS Well-Architected Framework and other selected benchmarks, such as those from the Center for Internet Security (CIS). For this validation, you can use tools and services such as [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html), [Prowler](https://github.com/prowler-cloud/prowler/#requirements-and-installation) (GitHub), [AWS Service Screener](https://github.com/aws-samples/service-screener-v2) (GitHub), or [AWS Self-Service Security Assessment](https://github.com/awslabs/aws-security-assessment-solution) (GitHub).

It is important to document and communicate all security and compliance findings to the security team and leaders. Standardize reporting templates and use them to facilitate the communication to the respective security stakeholder. Document all exceptions made during finding remediation and make sure that the respective security stakeholders sign off.

# Security documentation
<a name="documentation"></a>

When mobilizing security and compliance during a migration, it is essential to define and document how you implement security and compliance in the cloud. The documentation should include the following:
+ **Security and compliance implementation documentation** – Create one or more documents that detail your security and compliance definition, process, policies, controls, configurations, and tools. Make sure these documents address these aspects from an AWS Cloud perspective. Include the following in this documentation:
  + Identity access and management
  + Incident detection controls and response
  + Infrastructure and network security
  + Data protection
  + Compliance
  + Business continuity and recovery
+ **Security and compliance runbooks** – Create security and compliance operational runbooks that guide the cloud operations team. They should detail how to complete security and compliance tasks, activities, and changes in the cloud as part of operational requirements. This includes security and compliance monitoring, incident management, validation, and continuous improvement. Make sure that your runbooks address the requirements that you identified during the security discovery and alignment domain.
+ **Cloud security RACI matrix** – Create a responsible, accountable, consulted, informed (RACI) matrix that defines security and compliance responsibilities and stakeholders for the following areas:
  + Design and development
  + Deployment and implementation
  + Operations

# Security and compliance cloud operations
<a name="cloud-operations"></a>

The final domain is *security and compliance cloud operations*. This is a continuous activity where you use the defined security and compliance operational runbooks to govern cloud operations. You also build a security cloud operating model to determine responsibilities for security and compliance in your organization.

## Security and compliance cloud operating model
<a name="cloud-operating-model"></a>

In this domain, you define a [cloud operating model](apg-gloss.md#glossary-com) for security. Your cloud operating model should address the requirements you identified during the discovery workshops and later defined as runbooks. You can design the security and compliance cloud operating model in one of three ways:
+ **Centralized** – A more traditional model, where SecOps is responsible for identifying and remediating security events across the business. This can include reviewing general security posture findings for the business, such as patching and security configuration issues.
+ **Decentralized** – Responsibility for responding to and remediating security events across the business has been delegated to the application owners and individual business units, and there is no central operations function. Typically, there is still an overarching security governance function that defines policies and principles.
+ **Hybrid** – A mix of both approaches, where SecOps still has a level of responsibility and ownership for identifying and orchestrating the response to security events, while the responsibility for remediation is owned by the application owners and individual business units.

It is important to select the right operating model based on your security and compliance requirements, organization maturity, and constraints. The security and compliance requirements and constraints were identified during the discovery workshop. Organization maturity, on the other hand, defines the level of operational security practices. The following is an example of a maturity range:
+ **Low** – Logging is local, and some or sporadic actions are taken.
+ **Intermediate** – Logs from different sources are correlated, and automated alerting is established.
+ **High** – Detailed playbooks exist and contain details about standardized process responses. Operationally and technically, the majority of the alert responses are automated.

To further understand the security and compliance cloud operating model and assist in the selection of an appropriate design, see [Considerations for security operations in the cloud](https://aws.amazon.com/blogs/security/considerations-for-security-operations-in-the-cloud/) (AWS blog post). In scenarios where there are no predefined requirements, we recommend that you set up a Security Operations Center (SOC) as part of the cloud operating model. This is typically a centralized operating model practice. With this approach, you can direct events from multiple sources to a centralized team, which can then trigger actions and responses. This standardizes security governance through cloud operations. AWS and AWS Partners can help you build a SOC and define and implement Security Orchestration, Automation, and Response (SOAR). AWS and AWS Partners use professional services consultations, defined templates, AWS services, and third-party tools from AWS Partners.

## Ongoing security operations
<a name="ongoing-security-operations"></a>

In this domain, perform the following tasks on an ongoing basis by using your defined security and compliance operations runbooks:
+ **Security and compliance monitoring** – Perform centralized monitoring of security events and threats by using your defined AWS services, tools, metrics, criteria, and frequency. The operations team or the SOC administers this continuous monitoring, depending on your organization's structure. Security monitoring involves analysis and correlation of large amounts of logs and data. Log data comes from endpoints, networks, AWS services, infrastructure, and applications and is stored in a centralized repository, such as [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) or a security information and event management (SIEM) system. It is important to configure alerts so that you can manually or automatically respond to events in a timely fashion.
+ **Incident management** – Define your baseline security posture. When a deviation from the preset baseline occurs, either through misconfiguration or external factors, record an incident. Make sure that an assigned team responds to these incidents. The foundation of a successful incident response program in the cloud is to have people, process, and tooling integrated into each stage of the incident response program (preparation, operations, and post-incident activity). Education, training, and experience are vital to a successful cloud incident response program. Ideally, these are implemented well in advance of having to handle a possible security incident. For more information about setting up an effective security incident response program, see the [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/introduction.html).
+ **Security validation** – Security validation involves running vulnerability assessment, penetration testing, and chaos security simulated event testing. Security validation should continue to be run periodically, especially for the following scenarios:
  + Software updates and releases
  + Newly identified threats, such as malware, viruses, or worms
  + Internal and external audit requirements
  + Security breaches

  It is important to document the security validation process and highlight the people, process, schedule, tooling, and templates for data collection and reporting. This standardizes security validations. Continue to comply with the [AWS customer support policy for penetration testing](https://aws.amazon.com/security/penetration-testing/) when running security validations in the cloud.
+ **Internal and external audits** – Conduct internal and external audits to validate that security and compliance configurations meet regulatory or internal policy requirements. Perform audits periodically based on a predefined schedule. Internal audits are normally conducted by an internal security and risk team. External audits are conducted by relevant agencies or standards officials. You can use AWS services, such as [AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html) and [AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html), to facilitate the audit process. These services can provide relevant evidence for security IT audit reports. They can also simplify risk and compliance management with regulatory and industry standards by automating evidence collection. This helps you assess whether the policies, procedures, and activities known as *controls* are operating effectively. It is also important to align audit requirements with your managed service partners to ensure compliance.
+ **Security architecture review** – Complete a periodic review and update of your AWS architecture from a security and compliance standpoint. Review the architecture on a quarterly basis or when there are architecture changes. AWS continues to release updates and improvements to the security and compliance features and services. Use the [AWS Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html) and the AWS Well-Architected Tool to facilitate these architecture reviews. It is important to document your security and compliance implementation and recommended changes after the review process.

## AWS security services for operations
<a name="aws-security-services"></a>

You share responsibility with AWS for security and compliance in the AWS Cloud. This relationship is described in detail in the [AWS shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/). While AWS manages security *of* the cloud, you are responsible for security *in* the cloud. You are responsible for protecting your own content, infrastructure, applications, systems, and networks, no differently than you would for an on-premises data center. Your responsibilities for security and compliance in the AWS Cloud vary depending on the services you use, how you integrate those services into your IT environment, and applicable laws and regulations.

An advantage of the AWS Cloud is that it allows you to scale and innovate by using AWS best practices and security and compliance services. This helps you maintain a secure environment while paying only for the services you use. You also have access to the same AWS security and compliance services that highly secured enterprise organizations use to secure their cloud environments.

Building a cloud architecture on a sound and secure foundation is the first and the best step to ensure cloud security and compliance. However, your AWS resources are only as secure as you configure them to be. An effective security and compliance posture is achieved only through continuous, strict adherence at an operational level. Security and compliance operations can be broadly grouped into five categories:
+ Data protection
+ Identity access and management
+ Network and application protection
+ Threat detection and continuous monitoring
+ Compliance and data privacy

AWS security and compliance services map to these categories to help you meet a comprehensive set of requirements. Grouped into these categories, the following are the AWS security and compliance core services and their capabilities. These services can help you build and enforce cloud security governance.

### Data protection
<a name="data-protection"></a>

AWS provides the following services that can help you protect your data, accounts, and workloads from unauthorized access:
+ [AWS Certificate Manager](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) – Provision, manage, and deploy SSL/TLS certificates for use with AWS services.
+ [AWS CloudHSM](https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html) – Manage your hardware security modules (HSMs) in the AWS Cloud.
+ [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) – Create and control the keys used to encrypt your data.
+ [Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html) – Discover, classify, and help protect sensitive data with machine learning-powered security features.
+ [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) – Rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle.

### Identity and access management
<a name="identity"></a>

The following AWS identity services help you to securely manage identities, resources, and permissions at scale:
+ [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) – Add user sign-up, sign-in, and access control to your web and mobile applications.
+ [AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) – Use managed Microsoft Active Directory in the AWS Cloud.
+ [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) – Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications.
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) – Securely control access to AWS services and resources.
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) – Implement policy-based management for multiple AWS accounts.
+ [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) – Share AWS resources across your accounts.

### Network and application protection
<a name="network-app-protection"></a>

This category of services helps you to enforce fine-grained security policy at network control points across your organization. The following AWS services help you inspect and filter traffic to help prevent unauthorized resource access at the host-level, network-level, and application-level boundaries:
+ [AWS Firewall Manager](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) – Configure and manage AWS WAF rules across AWS accounts and applications from a central location.
+ [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) – Deploy essential network protections for your virtual private clouds (VPCs).
+ [Amazon Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) – Help protect your outbound DNS requests from your VPCs.
+ [AWS Shield](https://docs.aws.amazon.com/waf/latest/developerguide/shield-chapter.html) – Safeguard your web applications with managed DDoS protection.
+ [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) – Configure and manage Amazon Elastic Compute Cloud (Amazon EC2) and on-premises systems to apply OS patches, create secure system images, and configure operating systems.
+ [Amazon Virtual Private Cloud (Amazon VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) – Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
+ [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) – Help protect your web applications from common web exploits.

### Threat detection and continuous monitoring
<a name="detection-monitoring"></a>

The following AWS monitoring and detection services help you identify potential security incidents within your AWS environment:
+ [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) – Track user activity and API usage to enable governance and operational and risk auditing of your AWS account.
+ [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) – Record and evaluate the configurations of your AWS resources to help you audit compliance, track resource changes, and analyze resource security.
+ [AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) – Create rules that automatically act in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring a configuration to a known-good state.
+ [Amazon Detective](https://docs.aws.amazon.com/detective/latest/adminguide/what-is-detective.html) – Analyze and visualize security data to rapidly get to the root cause of potential security issues.
+ [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) – Help protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring.
+ [Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) – Automate security assessments to help improve the security and compliance of your applications that are deployed on AWS.
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) – Run code without provisioning or managing servers so that you can scale your programmed, automated response to incidents.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – View and manage security alerts and automate compliance checks from a central location.

### Compliance and data privacy
<a name="compliance"></a>

The following AWS services provide a comprehensive view of your compliance status. They continuously monitor your environment by using automated compliance checks that are based on AWS best practices and industry standards:
+ [AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html) – Get on-demand access to AWS security and compliance reports and select online agreements.
+ [AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html) – Continuously audit your AWS usage to simplify how you manage risk and maintain compliance with regulations and industry standards.