AWS Service Support
Created by Scott Piper of Summit Route, an independent AWS security consultant.
The goal of this page is to highlight the lack of coverage AWS provides for its services across different security factors. These limitations are not well understood by many. Further, a "Y" in a column means only that the service has some capability for that factor; in many cases this is not full coverage for the service, or there are exceptions or special cases.
Last Update: 2019.01.06
- SLA: This column indicates whether there is a Service Level Agreement. These are documented here. They aren't as great as you'd hope: they only guarantee some cost savings in the event of an outage, and only if the service is down for more than a set period of time (i.e. you still pay when the service is down, just less if the outage is really bad). They also do not cover every part of a service. For example, the SLA for RDS does not cover any of the Aurora flavors.
- CloudTrail: AWS is supposed to log all API calls to CloudTrail. This column indicates whether the service logs to CloudTrail at all, as documented here. Note that new features of existing services often do not log to CloudTrail; for example, the permissions boundary related APIs of IAM do not. Data-level calls also sometimes do not: for S3 object and Lambda invoke calls you can specially configure CloudTrail to record them, but some, such as the CloudWatch PutMetricData call, are never recorded.
- Config: The AWS Config service is meant to give you a snapshot of how an account looks. The resource types it records are documented here. Some services, such as EC2, have many resource types, and not all of them are recorded by AWS Config.
- Encryption at rest by default: In 2019, or really since 2015 or earlier, you'd expect all data to be stored encrypted at rest by default. This is not the case with AWS. This column was researched manually by reviewing the docs. Some fields here need to be changed to "N/A" to account for services that don't store any data.
- Runs in all regions: As new services are announced, they normally only run in a few regions initially. As new regions are announced, they normally don't support all services. Some services are likely to remain in only one specific region forever, such as Device Farm, which only runs in us-west-2. This column is only for the AWS partition regions and not China or GovCloud. This data was found here, by running cat botocore/data/endpoints.json | jq -cr '.partitions[] | select(.partition == "aws") | .services | keys[] as $k | (.[$k].endpoints | keys[] as $e | [$k, $e])' | grep -v local | grep -v fips | grep -v sandbox | grep -v s3-external-1 | grep -v aws-global | sed 's/,.*//' | sort | uniq -c | grep 15 (one line per service and region endpoint, the grep -v steps dropping pseudo-endpoints, sed keeping only the service name, uniq -c counting regions per service, and the final grep picking out the services whose count matches the number of regions).
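The same region count, as an added example rather than the page's own command, written in Python so that it takes the list of real regions from the partition's own "regions" map instead of a hand-maintained grep -v list and a hard-coded count, and reports which regions each service is missing. The JSON below is a constructed fragment in the shape of botocore's endpoints.json, not the real file.

```python
import json

# Constructed fragment shaped like botocore/data/endpoints.json (not the real file).
SAMPLE_ENDPOINTS_JSON = """{
  "partitions": [
    {"partition": "aws",
     "regions": {"eu-west-1": {}, "us-east-1": {}, "us-west-2": {}},
     "services": {
       "devicefarm": {"endpoints": {"us-west-2": {}}},
       "iam": {"endpoints": {"aws-global": {}}, "isRegionalized": false},
       "s3": {"endpoints": {"eu-west-1": {}, "fips-us-west-2": {}, "s3-external-1": {},
                            "us-east-1": {}, "us-west-2": {}}}}},
    {"partition": "aws-cn", "regions": {"cn-north-1": {}},
     "services": {"s3": {"endpoints": {"cn-north-1": {}}}}}
  ]
}"""
SAMPLE = json.loads(SAMPLE_ENDPOINTS_JSON)

def _partition(endpoints, name):
    return next(p for p in endpoints["partitions"] if p["partition"] == name)

def regions_per_service(endpoints, partition="aws"):
    """Map each service to the sorted real regions it has an endpoint in.
    Only endpoint keys that also appear in the partition's "regions" map count,
    so fips-*, local, sandbox, aws-global and s3-external-1 drop out without a
    hand-maintained grep -v list. Global services such as IAM therefore show no
    regions, as they do under grep -v aws-global; isRegionalized marks them."""
    part = _partition(endpoints, partition)
    real = set(part["regions"])
    return {svc: sorted(set(spec.get("endpoints", {})) & real)
            for svc, spec in part["services"].items()}

def region_coverage(endpoints, partition="aws"):
    """Return (all_regions, services_in_all, missing); missing maps each
    service that is not everywhere to the regions it lacks."""
    all_regions = sorted(_partition(endpoints, partition)["regions"])
    per_service = regions_per_service(endpoints, partition)
    in_all = sorted(s for s, r in per_service.items() if r == all_regions)
    missing = {s: sorted(set(all_regions) - set(r))
               for s, r in per_service.items() if r != all_regions}
    return all_regions, in_all, missing

if __name__ == "__main__":
    # Real data: json.load(open("botocore/data/endpoints.json")) instead of SAMPLE.
    regions, everywhere, gaps = region_coverage(SAMPLE)
    print(f"{len(regions)} regions; in all of them: {everywhere}")
    for svc, lacking in sorted(gaps.items()):
        print(f"{svc}: missing {lacking}")
```

Against the real file, services whose only endpoint key is aws-global (isRegionalized false) need to be read separately, since neither this script nor the grep pipeline counts them as present in any region.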