Shared Responsibility Model (EXAM CRITICAL)

AWS – Security of the cloud

  • Physical data centers
  • Hardware & networking
  • Hypervisor
  • Managed service infrastructure

Customer – Security in the cloud

  • IAM (users, roles, permissions)
  • Data encryption
  • OS & patching (EC2)
  • Application security
  • Network configuration

🧠 If AWS manages the service → AWS handles more security


Identity & Access Management (IAM)

IAM controls who can do what on which resources

Key components:

  • Users – individual identities
  • Groups – collection of users
  • Roles – temporary permissions (preferred)
  • Policies – JSON documents defining permissions

Best practices:

  • Least privilege
  • Use roles instead of long-term credentials
  • Enable MFA
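An added example (not part of the original notes) of an IAM identity policy that applies the three practices above: it grants only read access to a single bucket (least privilege), and only when the caller authenticated with MFA and sent the request over TLS. The bucket name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneBucketWithMfaOverTls",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-reports-bucket",
        "arn:aws:s3:::example-reports-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true",
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```

Because there is no Allow for any other action or bucket, everything else is implicitly denied; a request made with a long-term access key and no MFA does not carry aws:MultiFactorAuthPresent, so the condition fails and the Allow does not apply.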

AWS Security Services

IAM

  • Centralized access control
  • Free service
  • Global (not region-specific)

AWS Organizations

  • Manage multiple AWS accounts
  • Centralized billing
  • Apply Service Control Policies (SCPs)

AWS Shield

  • Managed DDoS protection
  • Shield Standard – automatic, free
  • Shield Advanced – paid, enhanced protection

AWS WAF (Web Application Firewall)

  • Protects web apps from common attacks
  • Filters HTTP/HTTPS traffic
  • Works with CloudFront, ALB, API Gateway

Amazon GuardDuty

  • Intelligent threat detection
  • Analyzes logs (CloudTrail, VPC Flow Logs, DNS)
  • Uses machine learning

Amazon Inspector

  • Automated security assessments
  • Finds vulnerabilities in:
    • EC2 instances
    • Container images

AWS CloudTrail

  • Records API calls and account activity
  • Used for auditing and compliance
  • Enabled by default

AWS Config

  • Tracks configuration changes
  • Compliance auditing
  • Resource inventory

Data Protection

Encryption

  • At rest – S3, EBS, RDS encryption
  • In transit – TLS / HTTPS
  • Customer-managed keys or AWS-managed keys

AWS Key Management Service (KMS)

  • Create and manage encryption keys
  • Integrated with most AWS services
  • Centralized key control

AWS Secrets Manager

  • Store secrets securely
  • Automatically rotate credentials
  • Used for DB passwords, API keys

Network Security

Security Groups

  • Virtual firewalls for EC2
  • Stateful
  • Allow rules only

Network ACLs

  • Subnet-level firewalls
  • Stateless
  • Allow and deny rules

Compliance & Governance

AWS supports major compliance standards:

  • ISO
  • SOC
  • PCI-DSS
  • HIPAA
  • GDPR

🧠 AWS is compliant; you must configure compliance


Exam Pattern Cheats

If the question mentions:

  • Who did what, when → CloudTrail
  • Threat detection → GuardDuty
  • DDoS protection → Shield
  • Web attacks → WAF
  • Permissions → IAM
  • Configuration drift → Config
  • Vulnerability scanning → Inspector

Final Reality Check

  • IAM + Shared Responsibility = huge exam weight
  • Managed services reduce security burden
  • If it’s about access, it’s IAM
  • If it’s about logging, it’s CloudTrail
  • If it’s about compliance, it’s Config