Security & Compliance

30% of exam • Largest domain - know this well!

🤝AWS Shared Responsibility Model

AWS = Security OF the Cloud | Customer = Security IN the Cloud

AWS Responsibility

  • • Physical data center security
  • • Hardware infrastructure
  • • Network infrastructure
  • • Virtualization layer
  • • Managed service operations

Customer Responsibility

  • • Data encryption
  • • IAM user permissions
  • • OS patching (EC2)
  • • Application security
  • • Network configuration (Security Groups)

Service Examples:

  • EC2: AWS = hardware, network. Customer = OS, apps, firewall, encryption
  • S3: AWS = infrastructure, replication. Customer = bucket policies, encryption, access control
  • RDS: AWS = OS patches, backups. Customer = DB user permissions, encryption at rest
👤IAM - Identity & Access Management

Control who can access AWS resources and what they can do

Users

Individual people or applications

Groups

Collections of users with shared permissions

Roles

Temporary credentials for AWS services or federated users

Policies

JSON documents defining permissions (what actions on which resources)

🔐AWS Security Services

Amazon GuardDuty

Intelligent threat detection service

  • • Monitors for malicious activity and unauthorized behavior
  • • Uses machine learning and threat intelligence
  • • Analyzes CloudTrail logs, VPC Flow Logs, DNS logs
  • Exam Tip: "Detect threats" = GuardDuty

Amazon Inspector

Automated vulnerability management

  • • Scans EC2 instances and container images for vulnerabilities
  • • Checks for software CVEs and network exposure
  • • Provides prioritized findings
  • Exam Tip: "Find vulnerabilities in workloads" = Inspector

Amazon Macie

Data security and privacy service

  • • Discovers and protects sensitive data in S3
  • • Uses machine learning to identify PII (Personally Identifiable Information)
  • • Monitors data access patterns
  • Exam Tip: "Find PII/sensitive data" = Macie

AWS Artifact

Compliance reports and agreements portal

  • • Access AWS security and compliance documents
  • • Download SOC reports, PCI reports, ISO certifications
  • • Review and accept AWS agreements (BAA, GDPR DPA)
  • Exam Tip: "Compliance reports/certifications" = Artifact

AWS WAF (Web Application Firewall)

Layer 7 (application layer) protection against web exploits

  • • Filters malicious HTTP/HTTPS traffic before it reaches your application
  • Protects against: SQL injection, XSS (cross-site scripting), bot traffic
  • • Create custom rules to allow/block requests based on IP, headers, body, URI
  • Works with: CloudFront, Application Load Balancer, API Gateway, AppSync
  • • Rate-based rules (e.g., block IP after 2,000 requests in 5 minutes)

Exam Tip: "Layer 7 protection" or "SQL injection/XSS" = WAF

AWS Shield

DDoS (Distributed Denial of Service) protection for network and transport layers

  • Shield Standard (Free):
    • ○ Automatic protection for ALL AWS customers
    • ○ Protects against common Layer 3/4 attacks (SYN/UDP floods)
    • ○ Available on CloudFront, Route 53
  • Shield Advanced ($3,000/month):
    • ○ Enhanced DDoS protection for EC2, ELB, CloudFront, Route 53
    • ○ 24/7 access to DDoS Response Team (DRT)
    • ○ Real-time attack notifications
    • ○ DDoS cost protection (credits for scaling costs during attack)

Exam Tip: "DDoS protection" = Shield

WAF vs Shield - Know the Difference!

AWS WAF

Layer 7 (Application layer)

Protects against web exploits (SQL injection, XSS, bad bots)

AWS Shield

Layer 3/4 (Network/Transport layer)

Protects against DDoS attacks (flooding, volumetric attacks)

Common together: Use WAF + Shield Advanced for comprehensive protection

🔒Encryption & Key Management

Protecting data at rest and in transit with encryption keys and secrets

🔑 AWS KMS (Key Management Service)

Managed service for creating and controlling encryption keys

  • Centralized key management: Create, rotate, disable, and audit encryption keys
  • Integrated with AWS services: S3, EBS, RDS, Lambda, Secrets Manager, etc.
  • Types of keys:
    • ○ AWS managed keys (free, automatic rotation)
    • ○ Customer managed keys (you control, manual rotation)
    • ○ Custom key stores (backed by CloudHSM)
  • Audit: All key usage logged in CloudTrail
  • Multi-tenant: Keys stored in AWS-managed hardware

Example: Encrypt EBS volumes and S3 buckets with centrally managed keys

🏦 AWS CloudHSM (Hardware Security Module)

Dedicated hardware security module for cryptographic operations

  • Single-tenant: Dedicated hardware device (you have exclusive access)
  • FIPS 140-2 Level 3 validated: Highest level of security for cryptographic modules
  • You manage keys: AWS has no visibility into your keys
  • Use cases: Regulatory compliance (HIPAA, PCI-DSS), contractual requirements for dedicated HSM
  • • Runs in your VPC
  • • More expensive than KMS

Example: Financial institution needs dedicated hardware for key management to meet regulatory compliance

KMS vs CloudHSM - Know the Difference!

AWS KMS

  • ✓ Multi-tenant (shared hardware)
  • ✓ AWS manages hardware
  • ✓ Integrated with AWS services
  • ✓ Lower cost
  • ✓ Free tier available
  • Use when: Standard encryption needs

AWS CloudHSM

  • ✓ Single-tenant (dedicated hardware)
  • ✓ You manage keys (AWS no access)
  • ✓ FIPS 140-2 Level 3 compliance
  • ✓ Higher cost
  • ✓ Runs in your VPC
  • Use when: Regulatory compliance requires dedicated HSM

🔐 AWS Secrets Manager

Rotate, manage, and retrieve database credentials, API keys, and secrets

  • Automatic rotation: Built-in for RDS, Redshift, DocumentDB (no code changes)
  • • Store database credentials, API keys, OAuth tokens
  • • Retrieve secrets via API calls (no hardcoded passwords)
  • • Encrypted using KMS
  • Cost: $0.40 per secret per month + API call charges

vs Parameter Store: Secrets Manager has automatic rotation, Parameter Store is free but manual rotation

Example: Automatically rotate RDS database passwords every 30 days without downtime

🌐Network Security

Security Groups

Virtual firewalls for EC2 instances (stateful)

  • • Controls inbound and outbound traffic
  • • Default: deny all inbound, allow all outbound

Network ACLs

Subnet-level firewalls (stateless)

  • • Controls traffic in and out of subnets
  • • Both allow and deny rules
💡Exam Tips - Security Domain Cheatsheet

Service Keyword Quick Reference:

GuardDuty: Threat detection - "Is someone attacking us?" / "Detect malicious activity"

Inspector: Vulnerability scanning - "Are our EC2/containers vulnerable?" / "Find CVEs"

Macie: Find sensitive data/PII in S3 - "Discover credit card numbers in S3"

Artifact: Download compliance reports/certifications - "Access SOC 2 report"

WAF: Layer 7 web protection - "Block SQL injection" / "Protect against XSS"

Shield: DDoS protection - "Protect against DDoS attacks"

KMS: Managed encryption keys - "Encrypt EBS volumes" / "Standard encryption"

CloudHSM: Dedicated hardware HSM - "FIPS 140-2 Level 3" / "Regulatory compliance"

Most Important Concepts:

  • Shared Responsibility Model: Know what AWS manages vs. what YOU manage for EC2, S3, RDS
  • IAM Best Practices: Use roles for applications, MFA for users, least privilege principle, no root account usage
  • GuardDuty vs Inspector vs Macie: Threats vs Vulnerabilities vs PII data discovery
  • KMS vs CloudHSM: Shared vs Dedicated, Standard vs Regulatory compliance
  • WAF vs Shield: Layer 7 application attacks vs Layer 3/4 DDoS attacks
  • Secrets Manager vs Parameter Store: Automatic rotation (paid) vs Manual (free)