AWS · Software · YoctoIT tech page

Security

Security built with cloud services: granular identities, managed threat detection and your posture in a single score.

FOCUS · IDENTITY & POSTURELeast privilege for real and threats detected by AWS machine learning
YoctoIT material for clients and partners · AWS e i nomi dei servizi sono marchi di Amazon.com, Inc.
01 · What it is

IAM, GuardDuty & Security Hub, made clear.

IAM governs who can do what, down to the single API; Organizations and SCPs set guardrails at the group level. GuardDuty analyzes logs and traffic with ML to flush out threats; Security Hub aggregates everything into a posture measurable against standards (CIS, AWS Best Practices).

Least privilege
permissions to the bare minimum: fine-grained IAM + Access Analyzer
ML-based
GuardDuty: threat detection without probes to install
1 score
Security Hub: the cloud posture, measured against standards
Icona ufficiale AWS — IAM, GuardDuty & Security Hub
OFFICIAL AWS ICON · Security
Console AWS
REAL AWS CONSOLE · SECURITY HUB DASHBOARD · SOURCE: AWS BLOG
02 · How to use it well

The things that make the difference.

Defense in layers

Organizations & SCPthe group guardrails
IAM & Identity Center
KMS · encryption
WAF & Shield
identity · keys · perimeter
GuardDuty · detectionthreats found by ML
Security Hubthe aggregated posture, with priorities
From identity to response

IAM Identity Center

Single sign-on across AWS accounts: people enter with the corporate identity, permissions by role.

KMS

Encryption keys managed and tracked: data encrypted by default, everywhere.

GuardDuty

Stolen credentials, mining, exfiltrations: malicious patterns recognized in your logs.

Response automation

Findings that open tickets and actions: remediation that starts on its own, under supervision.

03 · In depth

Identity, detection and posture

The perimeter is IAM: least-privilege policies, roles instead of keys, Identity Center for federated SSO and permission boundaries to delegate safely. Detection is GuardDuty (ML on CloudTrail, DNS and flows), Security Hub aggregates and prioritizes (CIS/FSBP standards), Inspector scans EC2/ECR, Macie finds sensitive data on S3. Organizations and SCPs set guardrails no account can bypass.

  • SCP — service control policies: the 'not allowed' that applies to admins too
  • Identity Center — federated SSO with the corporate IdP: the end of long-lived keys
  • GuardDuty — managed threat detection on logs and flows: switch it on, it works
  • Security Hub — one score and one queue: findings prioritized by CIS/FSBP
  • Inspector — CVEs on instances and ECR containers, continuously
  • CloudTrail Lake — the queryable audit: who did what, in SQL
04 · Numbers and lifecycle

The numbers that matter.

0
long-lived IAM keys in our standard: only roles and SSO
CIS
the posture standard measured by Security Hub
100%
of accounts under Organizations and SCPs
24/7
critical findings in our NOC's flow
AWS security is continuous posture: a landing zone with guardrails, detection on and findings in our 24/7 watch.
05 · Use cases

Where it really pays off.

Account hardening

From root with MFA to SCPs: the security baseline every account should have from day zero.

SOC on the cloud

GuardDuty and Security Hub inside our watch: cloud threats seen by people who respond 24/7.

Provable compliance

The CIS posture measured over time: improvement documented, not declared.

Cloud security is a craft of configurations: we set them right and watch them always — NIS2 and ISO included.