Cloud Security Services
WAF, Shield/DDoS Protection, GuardDuty, Security Hub, Defender for Cloud
Cloud providers offer managed threat detection, DDoS mitigation, and application-layer firewall services that integrate natively with the platform. AWS GuardDuty uses ML to detect threats (crypto-mining, credential exfiltration) from VPC Flow Logs, CloudTrail, and DNS logs; AWS Shield Advanced provides SLA-backed DDoS protection up to 1 Tbps; and AWS WAF filters HTTP(S) traffic at the ALB/CloudFront layer using managed rule groups (OWASP Top 10, IP reputation). Azure's equivalents are Microsoft Defender for Cloud, Azure DDoS Protection Standard, and Azure WAF.
Key Points
- AWS GuardDuty pricing is based on data volume processed (~$4/million CloudTrail events) — enable in all accounts via AWS Organizations with a delegated administrator account.
- AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools into a unified dashboard with CIS AWS Foundations Benchmark scoring.
- AWS Inspector v2 continuously scans EC2 instances and Lambda functions for OS package CVEs and software vulnerabilities, integrating with ECR to scan container images on push.
- AWS Macie uses ML to discover and classify sensitive data (PII, credentials, financial data) in S3 buckets — critical for GDPR and PCI-DSS compliance programs.
- WAF Managed Rule Groups (AWS managed CRS, Bot Control, Account Takeover Prevention) are updated by AWS as new threats emerge — reduces the burden of manual rule maintenance.
- Shield Advanced includes DDoS response team (DRT) access 24/7, cost protection for scaling charges during DDoS events, and integration with Route 53 health checks for failover.
- Azure Defender for Servers integrates with Microsoft Threat Intelligence, detecting lateral movement and privilege escalation via behavioral analytics on Windows/Linux VMs.
- VPC Flow Logs (AWS) / NSG Flow Logs (Azure) provide L3/L4 traffic records — feed into SIEM (Splunk, Sentinel, Security Lake) for threat hunting and compliance audit.
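The flow-log bullet above is the one point that is really a technique rather than a product fact, so here is an added example (not from the original notes) of what "feed into a SIEM for threat hunting" looks like at the smallest scale: a parser for the default AWS VPC Flow Log format and two hunts over it, one for a source whose REJECTed connections touch many distinct ports on a host, one for ACCEPTed egress byte totals to external addresses. The log lines, the account id and the IP addresses are constructed sample data; the internal prefix `10.` and the 5-port threshold are assumptions you would tune for your VPC.

```python
"""Parse AWS VPC Flow Log records (default format) and run two simple hunts
over them offline. Added example; every log line below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "nbytes",
          "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    action: str


def parse_flow_log(text):
    """Parse whitespace-separated flow log lines. NODATA/SKIPDATA rows carry
    '-' instead of addresses and ports, so they are skipped before any int()."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom field layout; ignore it
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            srcaddr=row["srcaddr"], dstaddr=row["dstaddr"],
            srcport=int(row["srcport"]), dstport=int(row["dstport"]),
            protocol=int(row["protocol"]), packets=int(row["packets"]),
            nbytes=int(row["nbytes"]), action=row["action"]))
    return records


def find_port_scanners(records, min_distinct_ports=5):
    """Return {srcaddr: sorted distinct destination ports} for sources whose
    REJECTed flows hit at least min_distinct_ports different ports on one
    host. Many rejected ports from one source is a classic scan indicator."""
    rejected = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            rejected[(r.srcaddr, r.dstaddr)].add(r.dstport)
    hits = {}
    for (src, _dst), ports in rejected.items():
        if len(ports) >= min_distinct_ports:
            hits.setdefault(src, set()).update(ports)
    return {src: sorted(p) for src, p in hits.items()}


def egress_bytes_by_destination(records, internal_prefix="10."):
    """Sum ACCEPTed bytes sent from internal hosts to external destinations.
    A large total to one unfamiliar address is the thing to chase for
    exfiltration; internal_prefix is an assumed VPC CIDR shortcut."""
    totals = defaultdict(int)
    for r in records:
        if (r.action == "ACCEPT" and r.srcaddr.startswith(internal_prefix)
                and not r.dstaddr.startswith(internal_prefix)):
            totals[r.dstaddr] += r.nbytes
    return dict(totals)


# Constructed sample: one external source probing five ports on 10.0.1.5,
# one large outbound transfer, one internal flow, and one NODATA row.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51234 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51235 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51236 80 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51237 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51238 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 44321 443 6 1200 950000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.1.6 44322 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("scanners:", find_port_scanners(recs))
    print("egress bytes:", egress_bytes_by_destination(recs))
```

In a real pipeline the same two aggregations are a Splunk `stats dc(dstport) by srcaddr, dstaddr` or a KQL `summarize` in Sentinel; the point of doing it by hand once is to see exactly which fields the hunt depends on, and that NODATA rows must be dropped before any numeric parsing.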
Real-World Example
Twilio uses AWS GuardDuty + Security Hub across 200+ AWS accounts, with EventBridge routing high-severity findings to a Lambda that auto-isolates compromised EC2 instances by updating security group rules.
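As an added illustration of the pattern just described (example code, not Twilio's implementation), here is a Lambda-style handler for the EventBridge "GuardDuty Finding" event shape: it ignores findings that are not about an EC2 instance or that fall below the High severity band (7.0), then swaps every security group on the instance for a quarantine group and tags the instance for the responder. The `QUARANTINE_SG_ID` environment variable, the threshold and the `FakeEC2` stand-in (used so the logic runs offline) are assumptions; the sample event, instance id and security group id are constructed.

```python
"""Lambda-style auto-isolation for high-severity GuardDuty findings delivered
through EventBridge. Added example; QUARANTINE_SG_ID, the threshold and the
FakeEC2 stand-in are assumptions, and SAMPLE_EVENT is constructed."""
import os
from dataclasses import dataclass, field

SEVERITY_THRESHOLD = 7.0  # GuardDuty's "High" band starts at 7.0


@dataclass
class FakeEC2:
    """Offline stand-in for boto3's EC2 client; it just records the calls."""
    groups: dict = field(default_factory=dict)
    tags: list = field(default_factory=list)

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)

    def create_tags(self, Resources, Tags):
        self.tags.append((tuple(Resources), Tags))


def extract_instance(event):
    """Return (instance_id, severity, finding_type) from an EventBridge
    GuardDuty Finding event, or None when the finding is not about an EC2
    instance (S3, IAM and EKS findings have other resourceType values)."""
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        return None
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return None
    return instance_id, float(detail.get("severity", 0)), detail.get("type", "")


def isolate_instance(ec2, instance_id, quarantine_sg, finding_type):
    """Replace all security groups with the quarantine group (one that has
    no inbound or outbound rules), then tag the instance so responders can
    find it and so the action is visible in CloudTrail as well."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "Quarantined"},
        {"Key": "GuardDutyFinding", "Value": finding_type},
    ])


def handler(event, context=None, ec2=None, threshold=SEVERITY_THRESHOLD):
    """Lambda entry point. ec2 is injectable so the decision logic can be
    exercised offline; in AWS it defaults to a real boto3 client."""
    if ec2 is None:
        import boto3  # imported lazily so the module loads without boto3
        ec2 = boto3.client("ec2")
    # Placeholder default; set the real quarantine group id in the environment.
    quarantine_sg = os.environ.get("QUARANTINE_SG_ID", "sg-QUARANTINE-PLACEHOLDER")
    parsed = extract_instance(event)
    if parsed is None:
        return {"action": "ignored", "reason": "not an EC2 instance finding"}
    instance_id, severity, finding_type = parsed
    if severity < threshold:
        return {"action": "ignored",
                "reason": f"severity {severity} below threshold {threshold}"}
    isolate_instance(ec2, instance_id, quarantine_sg, finding_type)
    return {"action": "isolated", "instanceId": instance_id,
            "securityGroups": [quarantine_sg]}


# Constructed EventBridge event using the real GuardDuty Finding envelope.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "severity": 8.0,
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

if __name__ == "__main__":
    fake = FakeEC2()
    print(handler(SAMPLE_EVENT, ec2=fake))
    print("groups now:", fake.groups)
```

Two design points worth carrying into a real deployment: the function's IAM role should be limited to `ec2:ModifyInstanceAttribute` and `ec2:CreateTags` (a Lambda that can rewrite any security group is itself a high-value target), and the EventBridge rule should already filter on `detail.severity` so that low-severity noise never invokes the function; the threshold check here is a second line of defence against a misconfigured rule.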