Side-by-side decision guides with security analysis, pricing breakdowns, and architectural recommendations. Updated for re:Invent 2025.
By Toc Consulting - AWS Security & Cloud Architecture
Which AWS security service do you actually need?
Four AWS security services that everyone confuses. GuardDuty detects threats, Inspector finds vulnerabilities, Macie discovers sensitive data, and Security Hub aggregates it all. Here is exactly when to use each - and why you probably need all four.
The three layers of AWS access control, decoded
AWS has three distinct mechanisms to control access: Service Control Policies at the organization level, IAM policies at the account level, and Permission Boundaries at the principal level. Understanding how they intersect - and the September 2025 SCP overhaul - is critical for any multi-account architecture.
AWS defense in depth - four layers explained
AWS provides four distinct network security layers operating at different OSI levels. Security Groups and NACLs are free and operate at the instance and subnet level respectively. Network Firewall provides VPC-wide IDS/IPS with Suricata rules. WAF protects HTTP/HTTPS traffic at Layer 7. Understanding which does what - and how they stack - is defense in depth.
Where should your secrets live?
Three approaches to secrets management on AWS: Secrets Manager with built-in rotation, Parameter Store with a generous free tier, and HashiCorp Vault for multi-cloud dynamic secrets. Most teams overpay - Parameter Store Standard is free for up to 10,000 parameters.
AWS encryption services - keys, HSMs, and certificates
Three AWS encryption services that solve different problems: KMS for managed key management, CloudHSM for dedicated hardware security modules, and ACM for TLS certificate management. KMS protects data at rest, ACM protects data in transit, and CloudHSM provides single-tenant HSMs with full key control.
How to connect VPCs without exposing your network
Three ways to connect VPCs on AWS - each with different tradeoffs for cost, complexity, and security. VPC Peering is simple and cheap, Transit Gateway scales to thousands of VPCs, and PrivateLink exposes specific services without network-level access.
Infrastructure as Code in 2025 - what changed
The IaC landscape shifted in 2025. Terraform moved to Business Source License (no longer open source), HashiCorp deprecated CDKTF in December 2025, and AWS CDK continues to mature. Here is the updated comparison with security implications for each approach.
AWS compute - from zero management to full control
Four ways to run code on AWS, from fully serverless (Lambda) to fully managed Kubernetes (EKS). The right choice depends on your team size, operational maturity, workload patterns, and security requirements. We include the security implications most comparison articles ignore.
We are constantly adding new AWS service comparisons. Contact us to suggest topics or request custom architectural guidance.