Edit

Migrate security services from Amazon Web Services (AWS)

This article describes scenarios for migrating security services from Amazon Web Services (AWS) to Azure. Security services are part of the foundation for workload monitoring, threat detection, identity, secrets, and network protection. During migration, keep security coverage active in both clouds until you validate the Azure design and retire the AWS controls safely.

These scenarios cover security monitoring and SOC operations, cloud security posture and compliance, identity, secrets and keys, data security, and network protection.

Component comparison

Start by comparing the AWS security and identity services used by the workload with the closest Azure services. The goal is to identify which Azure services should own monitoring, posture management, identity, secrets, encryption keys, and traffic inspection after migration.

For identity and security comparisons, see Compare AWS and Azure identity management solutions. For AWS environments that still need Microsoft security coverage during transition, see Microsoft security solutions for AWS.

Note

This comparison doesn't cover every service capability. Validate service behavior, data formats, retention, access controls, and operational processes before you cut over production security operations.

Migration scenarios

Use this section as category navigation. Pick the security capability category and migration scenario first, and then follow the link to detailed Azure, Cloud Adoption Framework, Well-Architected Framework, or Azure Architecture Center guidance.

Inventory your current AWS security controls, then choose the matching scenario:

These Azure services cover the closest-fit capabilities, not every AWS feature. Keep security coverage active in both clouds, and validate behavior before you cut over and retire AWS controls. There are three distinct categories under the Microsoft Entra product family: workforce and directory identity, customer identity, and workload or application identity, including managed identities. Microsoft Entra External ID covers customer identity for consumer or business-facing apps. It doesn't replace AWS IAM for cloud resource access, which maps to workload identity. Use the linked identity comparison to choose the right Azure solution path for workforce, application, and resource access scenarios.

Category Scenario Where to go
Threat detection and SIEM/SOC Migrate security monitoring, detections, and SOC operations to a cloud-native SIEM. Microsoft Sentinel
Cloud security posture and compliance Assess multicloud posture and meet regulatory compliance requirements. Microsoft Defender for Cloud, posture management
Vulnerability and workload protection Move vulnerability assessment and workload protection for servers and containers. Microsoft Defender for Servers, Microsoft Defender for Containers
Customer identity Migrate customer identity and access management for consumer or business-facing apps. Microsoft Entra External ID
Workforce and directory identity Migrate workforce sign-in, directory, and access management from AWS, and plan identity governance and privileged access. Compare AWS and Azure identity management solutions
Workload and resource identity Replace AWS IAM roles used for workload and resource-to-resource access. Managed identities for Azure resources, Compare AWS and Azure identity management solutions
Application and API authentication Move application and API authentication from Amazon Cognito to the Microsoft identity platform. Compare AWS and Azure identity management solutions, Migrate from Amazon Cognito to Microsoft Entra External ID
Secrets and key management Move application secrets, encryption keys, and HSM-backed keys. Azure Key Vault, Azure Managed HSM
Data security and classification Discover and classify sensitive data across clouds. Microsoft Purview
Web application protection Protect web applications with a web application firewall. Azure Web Application Firewall on Azure Front Door or Azure Application Gateway
Network protection and inspection Inspect and filter network traffic. Azure Firewall

Security services make up only part of your cloud workload. Explore other components you might migrate:

Migrating security scenarios requires identity to be centralized. Compare AWS identity services used in the workload to their closest Azure counterparts.