
CLF-C02 Security and Compliance

Security and Compliance Detailed Explanation

Security is one of the most important topics when using the cloud. AWS follows strict security practices to ensure that your data, applications, and systems are safe.

2.1 AWS Shared Responsibility Model

The Shared Responsibility Model explains that security in the cloud is shared between AWS and the customer (you). It’s like AWS and you are on the same team, and both have responsibilities to keep your systems secure.

1. AWS Responsibility: Security “OF” the Cloud

AWS takes care of everything related to the cloud infrastructure, which you don’t see or manage.

What AWS Secures:

  • Physical Security:
    • AWS secures its data centers. Think of it like a highly secure bank vault.
    • AWS uses guards, cameras, fingerprint scanners, and locked rooms to protect its servers.
  • Global Infrastructure:
    • AWS manages all the hardware (like servers and networking cables) that powers the cloud.
    • AWS ensures redundancy (backup systems) in case of failure.
  • Virtualization Layer:
    • This is the software that allows AWS to create virtual machines and manage resources.

2. Customer Responsibility: Security “IN” the Cloud

You are responsible for securing everything that you put in the cloud. Think of it as securing your apartment after renting it.

What You Need to Secure:
  1. Operating Systems and Applications:
  • If you run a virtual server (like EC2), you need to install updates and patches.
  • AWS won’t update your operating system because it doesn’t have access to it.
  1. Data:
  • It’s your responsibility to protect sensitive data. You can encrypt it (hide it with a secret code).
  1. Identity and Access:
  • You control who can access your resources using IAM (Identity and Access Management).
  • If you don’t set proper permissions, someone could access your systems without authorization.
Analogy: Renting a Building

  • AWS Responsibility: AWS is like the landlord of an apartment building. They secure the building foundation, elevators, and entry points.
  • Customer Responsibility: You (the tenant) are responsible for locking your apartment door, protecting your belongings, and deciding who can enter.

Table of Responsibilities

Responsibility            AWS   Customer
Physical Security         Y     N
Infrastructure Security   Y     N
Operating System Updates  N     Y
Data Encryption           N     Y
IAM and Permissions       N     Y

2.2 AWS Identity and Access Management (IAM)

IAM (Identity and Access Management) is the most important tool for managing who can access your AWS resources and what they can do.

What is IAM?

IAM allows you to:

  1. Create and manage users who need access to AWS.
  2. Define permissions to control what users can and cannot do.
  3. Secure access using advanced methods like Multi-Factor Authentication (MFA).

Key IAM Concepts

  1. Users:
    • Individuals (like employees or developers) or applications needing access.
    • Each user has their own username and password.

Example: If you have a team of developers, each one gets a separate IAM user account.

  2. Groups:
    • A collection of users with the same permissions.
    • Instead of giving permissions to each user, assign them to a group.

Example: All developers can belong to the “Developers” group, which has access to EC2 and S3.

  3. Roles:
    • Temporary permissions that can be assigned to AWS services or applications.
    • Useful when applications need to access other AWS resources.

Example: An application running on an EC2 server can assume a role to access an S3 bucket.

  4. Policies:
    • JSON documents that define permissions.
    • Policies say, "This user can do X but cannot do Y."
    • Managed Policies: Standalone policies that can be attached to many users, groups, or roles; AWS provides predefined ones, and you can create your own.
    • Inline Policies: Custom policies embedded in, and specific to, a single user, group, or role.

Best Practices for IAM

  1. Apply the principle of least privilege:
    • Give users the minimum permissions they need to do their jobs.
  2. Use Multi-Factor Authentication (MFA):
    • Add an extra layer of security by requiring a password and a code from a mobile app.
  3. Rotate access keys regularly:
    • Access keys are like passwords for applications. Regularly rotate them to keep your system secure.
  4. Monitor IAM activity:
    • Use AWS CloudTrail to track who did what in your AWS account.
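Policies (above) say what a principal can and cannot do, and least privilege relies on the fact that anything a policy does not allow is denied. The following Python script is an added example, not code from this page or from AWS: it evaluates a constructed policy the way IAM decides a request (an explicit Deny beats any Allow; no matching Allow means implicit deny). The policy statements, bucket name and account id are made up for the example.

```python
import json
import re

# Constructed sample policy (bucket name and statements are made up): the
# developer may read/list one bucket and describe EC2, and an explicit Deny
# blocks deletes in that bucket no matter what else is allowed.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
    {"Effect": "Allow",
     "Action": "ec2:Describe*",
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::app-assets/*"}
  ]
}
""")


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'ALLOW' or 'DENY' for one request using IAM's decision order:
    an explicit Deny wins over any Allow, and if no statement allows the
    request it is implicitly denied (the default-deny that least privilege
    relies on). Action names are case-insensitive; resource ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(p, resource, False) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"      # explicit deny: stop immediately
        allowed = True         # remember the allow, but keep looking for a deny
    return "ALLOW" if allowed else "DENY"


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::app-assets/index.html"),
        ("s3:DeleteObject", "arn:aws:s3:::app-assets/index.html"),
        ("s3:GetObject", "arn:aws:s3:::payroll/2024.csv"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
    ]
    for action, resource in requests:
        print(f"{action:24} {resource:58} {evaluate(DEVELOPER_POLICY, action, resource)}")
```

The third and fifth requests are denied without any Deny statement matching them: nothing allowed them, which is the behaviour that makes granting only the needed actions sufficient.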

Analogy: A Building Key System

  • Users are like employees. Each employee gets their own key.
  • Groups are like departments. A key that works for the entire marketing department.
  • Roles are like temporary passes for visitors.
  • Policies are the rules: “This key can open Room 101 but not Room 102.”

Real-World Example

  1. Create a user for a developer.
  2. Add the user to the "Developers" group.
  3. Use policies to allow the group access to EC2 instances and S3 buckets.
  4. Enable MFA for added security.

2.3 Data Protection in AWS

In AWS, protecting your data is critical. There are two main types of data you need to secure:

  1. Data at Rest: Data that is stored in AWS (e.g., files in S3 or databases in RDS).
  2. Data in Transit: Data that is moving from one place to another (e.g., between your laptop and AWS servers or between AWS services).

AWS provides tools and features to ensure your data remains private, secure, and protected from unauthorized access.

Data at Rest

Data at rest is data that sits on a disk or database. To protect this data, AWS provides encryption, which is like putting your data in a locked box.

1. Server-Side Encryption (SSE)

With Server-Side Encryption (SSE), AWS encrypts your data for you when you upload it. It’s like storing your files in a secure vault where AWS locks and protects them.

There are three types of Server-Side Encryption:

  1. SSE-S3:
    • AWS manages the encryption keys for you.
    • You don’t need to worry about creating or managing the keys.

Example: You upload a photo to an S3 bucket. AWS encrypts the photo with a key, stores it securely, and decrypts it when you access it.

  2. SSE-KMS (Key Management Service):
    • AWS encrypts the data, but you control and manage the encryption keys using AWS KMS.
    • You can monitor and audit how these keys are used.

Analogy: It’s like putting your valuables in a bank vault where you keep the key, but the bank protects the vault.

  3. SSE-C (Customer-Provided Keys):
    • You provide the encryption keys. AWS encrypts the data but doesn’t store the keys.
    • If you lose the key, AWS cannot help you access the data.

Analogy: You lock your valuables in a vault and keep the only copy of the key.

2. AWS Key Management Service (KMS)

AWS KMS is a service that allows you to manage and control encryption keys.

  • Centralized Key Management: KMS provides a single place to create, manage, and rotate encryption keys.
  • Auditing: You can see who used the keys and when they were used (via AWS CloudTrail).

Example:
You upload customer data to an S3 bucket and use KMS to encrypt it. You monitor who accessed the encryption key and ensure no unauthorized access occurs.

3. Client-Side Encryption

With Client-Side Encryption, you encrypt the data before you upload it to AWS.

  • AWS does not handle the encryption; you use your own tools and keys.
  • Only you can decrypt the data because you hold the key.

Analogy: Imagine you put your files in a locked box before handing them over to AWS. AWS stores the box but cannot open it.

Summary: Server-Side vs. Client-Side Encryption

Type         Who Manages the Keys?         Where is the Data Encrypted?
SSE-S3       AWS                           AWS (when storing the data)
SSE-KMS      AWS (you control via KMS)     AWS
SSE-C        Customer (you provide keys)   AWS
Client-Side  Customer (you encrypt data)   Before sending it to AWS

Data in Transit

Data in transit is data that is being transferred or moved across a network. For example:

  • From your laptop to an AWS S3 bucket.
  • From one AWS service to another (e.g., EC2 to RDS).

To protect this data, AWS uses encryption protocols like SSL/TLS.

What is SSL/TLS?

  • SSL/TLS are protocols that secure communication between two systems.
  • SSL (Secure Sockets Layer) and TLS (Transport Layer Security) ensure that the data being transferred cannot be read or altered by unauthorized parties.

How It Works:

  1. You connect to a website or upload a file to AWS using HTTPS.
  2. SSL/TLS encrypts the data before sending it.
  3. Only the receiver can decrypt and read the data.

Example:
When you log in to a website (like an online bank), HTTPS secures your username, password, and other sensitive information.

Summary of Data Protection

  1. Data at Rest:
    • Encrypt your data using Server-Side Encryption (SSE) or Client-Side Encryption.
    • Use AWS KMS to manage encryption keys.
  2. Data in Transit:
    • Use SSL/TLS to encrypt data during transfer.

Why is Data Protection Important?

  1. Prevents Unauthorized Access: If someone gets access to your data, encryption ensures they cannot read it.
  2. Compliance: Many industries (e.g., healthcare, finance) require strong data protection for legal reasons.
  3. Security Best Practice: Protecting data ensures your customers’ trust.

Real-World Example of Data Protection

Let’s say you run an e-commerce website:

  1. Data at Rest:
    • Customer orders and payment details are stored in an Amazon S3 bucket. You enable SSE-KMS encryption so the data is secure.
  2. Data in Transit:
    • When a customer checks out, the payment data travels from their browser to your AWS backend over HTTPS (SSL/TLS).
  3. Client-Side Encryption:
    • You encrypt highly sensitive files (like tax documents) on your computer before uploading them to AWS.

By combining these protections, you ensure that no one—whether hackers or unauthorized employees—can access your data.

2.4 AWS Security Services

AWS offers a wide range of security services to help you protect your applications, infrastructure, and data. These services help you:

  1. Prevent security threats (e.g., DDoS attacks, unauthorized access).
  2. Detect suspicious activities (e.g., malware or unauthorized API calls).
  3. Monitor compliance (ensuring your resources follow security policies).

1. AWS Shield – Protection Against DDoS Attacks

What is a DDoS Attack?

  • A Distributed Denial of Service (DDoS) attack floods your application with so much traffic that it becomes unavailable to users.
  • Think of it like a massive crowd blocking the entrance to a store, making it impossible for real customers to get in.

What AWS Shield Does:

  • AWS Shield protects your applications from DDoS attacks and ensures they stay online.

Types of AWS Shield:

  1. AWS Shield Standard:
    • Free and automatically enabled for all AWS customers.
    • Protects against common DDoS attacks (e.g., basic network floods).
  2. AWS Shield Advanced:
    • Provides enhanced protection for high-traffic or mission-critical applications.
    • Includes advanced monitoring and 24/7 support.

Example:
If someone tries to overwhelm your website with fake traffic, AWS Shield detects and blocks the attack, keeping your site available for real users.

2. AWS WAF (Web Application Firewall) – Protecting Your Web Applications

What is AWS WAF?

  • AWS WAF protects your web applications from common threats, like:
    • SQL Injection: An attack where someone tries to manipulate your database.
    • Cross-Site Scripting (XSS): Injecting harmful scripts into your website.

How it Works:

  • You create rules in AWS WAF to filter traffic based on conditions like:
    • IP addresses
    • HTTP request size
    • Bad patterns in requests

Example:

  • You set a rule to block all traffic from a specific IP address or requests containing suspicious scripts.

3. Amazon GuardDuty – Detecting Threats

What is GuardDuty?

  • Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activities or unusual behavior.

What GuardDuty Detects:

  1. Unauthorized access (e.g., someone using stolen credentials).
  2. Suspicious API calls (e.g., repeated failed login attempts).
  3. Malware or unusual data transfers.

How It Works:

  • GuardDuty analyzes data from AWS CloudTrail, VPC Flow Logs, and DNS logs.
  • If it finds a threat, it generates an alert so you can take action.

Example:
If GuardDuty detects someone trying to access an S3 bucket repeatedly without permission, it sends you a warning.

4. AWS Config – Monitoring Resource Compliance

What is AWS Config?

  • AWS Config tracks the configuration of your AWS resources and checks if they comply with security policies.

Key Features:

  1. Tracks changes to your resources (e.g., when someone modifies an S3 bucket or EC2 instance).
  2. Ensures compliance with security standards (e.g., no public S3 buckets).
  3. Provides a history of resource configurations.

Example:
If you accidentally make an S3 bucket public, AWS Config detects the change and alerts you.

5. Amazon Inspector – Automated Security Assessments

What is Amazon Inspector?

  • Amazon Inspector is a service that scans your EC2 instances for security vulnerabilities.

How it Works:

  1. Inspector automatically checks your instances for issues like:
    • Outdated software
    • Missing patches
    • Security misconfigurations
  2. It generates a report with findings and recommendations.

Example:
You run Amazon Inspector, and it discovers that one of your EC2 instances has an outdated operating system. It recommends updating it to stay secure.

6. AWS CloudTrail – Auditing and Monitoring Activity

What is AWS CloudTrail?

  • CloudTrail logs all API activity in your AWS account. It tells you who did what, when, and where.

Key Features:

  1. Tracks user actions, such as creating resources or deleting data.
  2. Provides detailed logs for auditing and troubleshooting.
  3. Integrates with Amazon S3 to store logs for long-term analysis.

Example:
If someone deletes an S3 bucket, CloudTrail records:

  • Who did it (username or IAM role).
  • When it happened (date and time).
  • What was deleted.

7. AWS Trusted Advisor – Recommendations for Security and Optimization

What is Trusted Advisor?

  • AWS Trusted Advisor analyzes your AWS environment and provides recommendations in five areas:
    1. Security: Checks for vulnerabilities like public S3 buckets or unused IAM keys.
    2. Performance: Identifies opportunities to improve resource performance.
    3. Cost Optimization: Finds underutilized resources to save money.
    4. Fault Tolerance: Ensures your system can recover from failures.
    5. Service Limits: Alerts you when you’re approaching AWS service limits.

Example:
Trusted Advisor might detect that your S3 bucket is publicly accessible and recommend restricting access.

Summary of AWS Security Services

Here’s a quick summary of the key AWS security services:

Service              Purpose                                       Example Use Case
AWS Shield           Protects against DDoS attacks.                Prevent fake traffic from overwhelming a website.
AWS WAF              Protects web applications.                    Block SQL injection or malicious scripts.
Amazon GuardDuty     Detects threats and unusual activity.         Monitor for stolen credentials or malware.
AWS Config           Tracks resource configurations.               Alert if an S3 bucket is made public.
Amazon Inspector     Scans for security vulnerabilities.           Find outdated software on EC2 instances.
AWS CloudTrail       Logs all API activity for auditing.           Track who deleted a resource.
AWS Trusted Advisor  Provides security and cost recommendations.   Identify public S3 buckets or unused resources.

Why Use AWS Security Services?

  1. Prevention: Stop threats like DDoS and hacking before they happen (AWS Shield and WAF).
  2. Detection: Identify suspicious activities and vulnerabilities quickly (GuardDuty and Inspector).
  3. Compliance: Ensure you follow security policies and regulations (AWS Config).
  4. Visibility: Gain clear insight into your AWS environment (CloudTrail and Trusted Advisor).

2.5 Network Security

In AWS, network security ensures that data sent between systems (like servers or applications) is protected from unauthorized access, interception, or modification. AWS provides tools to create secure networks, control traffic flow, and monitor connections.

2.5.1 Amazon Virtual Private Cloud (VPC)

A Virtual Private Cloud (VPC) is a private network you create in AWS. Think of it as your own secure, isolated space in the cloud where you can deploy servers, databases, and applications.

What is a VPC?

  • A VPC allows you to control how your AWS resources (like EC2 instances) communicate with each other and with the internet.
  • It’s like setting up a private room in a shared office building: the room is yours, and only you decide who can enter or exit.

Key Components of a VPC

  1. Subnets:
    • A VPC is divided into subnets (small networks within the VPC).
    • Subnets can be public (reachable from the internet) or private (not directly reachable from the internet).

Example: You can place your web servers in a public subnet and your databases in a private subnet for better security.

  2. Route Tables:
    • Define how traffic is routed within your VPC.
    • You control which subnet can access the internet or other subnets.

Example: You can route traffic from your public subnet to the internet, but block access to the private subnet.

  3. Internet Gateway:
    • Allows resources in a public subnet to connect to the internet.
  4. NAT Gateway (Network Address Translation):
    • Allows resources in a private subnet to access the internet (e.g., for software updates) but blocks incoming traffic from the internet.
  5. VPC Peering:
    • Connects two VPCs so they can communicate with each other securely.

Example: If you have one VPC for your e-commerce site and another for your accounting systems, VPC peering allows them to talk to each other without using the public internet.

Why Use a VPC?

  1. Isolation: Keeps your network private and secure.
  2. Control: You decide who can access your resources and how they interact.
  3. Customization: Create public and private subnets for different needs.

2.5.2 Security Groups

A Security Group is like a virtual firewall for your AWS resources. It controls the traffic that is allowed to and from your resources (like EC2 instances).

How Security Groups Work

  1. Inbound Rules: Control what traffic can enter your resource (e.g., allow HTTP traffic on port 80).
  2. Outbound Rules: Control what traffic can leave your resource (e.g., allow all outgoing traffic).

Key Points:

  • Security groups are stateful: If traffic is allowed in, the response is automatically allowed out.
  • Default behavior: Inbound traffic is denied unless you explicitly allow it. Security groups only have allow rules (there is no deny rule), and a new security group's default outbound rule allows all traffic.

Example of Security Groups

Imagine you have a web server running on an EC2 instance. Your security group rules might look like this:

Rule Type  Protocol  Port  Source                Action
Inbound    HTTP      80    Anywhere (0.0.0.0/0)  Allow
Inbound    SSH       22    Your IP Address       Allow
Outbound   All       All   Anywhere              Allow

  • HTTP (port 80) allows anyone on the internet to visit your website.
  • SSH (port 22) allows only you to connect for server administration.
  • All outbound traffic is allowed by default.

Analogy: A Security Guard

  • Security groups act like a security guard at a door:
    • Only people on the "allowed list" can enter.
    • Everyone else is blocked.

2.5.3 Network Access Control Lists (NACLs)

A Network ACL (NACL) is another firewall-like tool that controls traffic at the subnet level. It’s like a second layer of defense for your VPC.

How NACLs Work

  1. Stateless: Unlike security groups, NACLs are stateless.
    • If you allow incoming traffic, you must also explicitly allow the response traffic.
  2. Rules:
    • Rules are evaluated in number order (lowest first), and the first rule that matches decides; later rules are not consulted.
    • Rules can allow or deny traffic.

Example of NACL Rules:

Rule #  Type  Protocol  Port  Source     Action
100     HTTP  TCP       80    0.0.0.0/0  Allow
200     All   All       All   0.0.0.0/0  Deny

  • Rule 100 allows HTTP traffic (port 80).
  • Rule 200 blocks all other traffic.

NACLs vs. Security Groups

Feature             Security Groups           NACLs
Level               Instance level            Subnet level
Stateful/Stateless  Stateful                  Stateless
Default Behavior    Deny all inbound traffic  Allow all inbound traffic
Rules Order         Evaluates all rules       Evaluates in order

Analogy: Neighborhood vs. House Guard

  • A NACL is like a neighborhood gate controlling who can enter or leave.
  • A Security Group is like a house guard, protecting specific resources.
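To make the stateful/stateless and rule-ordering differences concrete, here is an added Python simulator of the two evaluation models (not code from this page or from AWS), loaded with the security group and NACL rule tables above; the admin and client IP addresses are made up. It also shows a case the tables do not: if the NACL as listed is also applied to outbound traffic, the HTTP reply to the client's ephemeral port is dropped until an ephemeral-port allow rule is added.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int               # NACLs evaluate lowest number first; security groups ignore order
    protocol: str             # "tcp", "udp", "icmp" or "all"
    port_from: Optional[int]  # None = any port
    port_to: Optional[int]
    cidr: str                 # source CIDR for inbound rules, destination CIDR for outbound
    action: str               # "allow" or "deny" (security groups only have allow rules)


def _matches(rule: Rule, protocol: str, port: int, addr: str) -> bool:
    if rule.protocol not in ("all", protocol):
        return False
    if rule.port_from is not None and not (rule.port_from <= port <= rule.port_to):
        return False
    return ip_address(addr) in ip_network(rule.cidr)


def security_group_allows(inbound: List[Rule], protocol: str, port: int, source: str) -> bool:
    """Security group: allow-only and stateful. Any matching allow rule admits
    the packet; no match means deny. The reply to an admitted flow is allowed
    automatically, so no outbound rule has to be written for it."""
    return any(_matches(r, protocol, port, source) for r in inbound if r.action == "allow")


def nacl_decides(rules: List[Rule], protocol: str, port: int, addr: str) -> str:
    """NACL: ordered and stateless. The lowest-numbered matching rule decides
    and evaluation stops there; the implicit final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action
    return "deny"


def http_round_trip(nacl_in: List[Rule], nacl_out: List[Rule],
                    client_ip: str, client_port: int) -> Tuple[str, str]:
    """Because a NACL is stateless, the reply packet (server port 80 -> the
    client's ephemeral port) is checked against the outbound rules on its own."""
    request = nacl_decides(nacl_in, "tcp", 80, client_ip)
    reply = nacl_decides(nacl_out, "tcp", client_port, client_ip)
    return request, reply


# Constructed rule sets (the admin IP is made up) mirroring the tables above.
WEB_SG = [
    Rule(0, "tcp", 80, 80, "0.0.0.0/0", "allow"),        # HTTP from anywhere
    Rule(0, "tcp", 22, 22, "203.0.113.5/32", "allow"),   # SSH from the admin's IP only
]
NACL_AS_SHOWN = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(200, "all", None, None, "0.0.0.0/0", "deny"),
]
# The same NACL plus the ephemeral-port rule that replies need when it is used outbound.
NACL_WITH_EPHEMERAL = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    Rule(200, "all", None, None, "0.0.0.0/0", "deny"),
]
# Rule order matters: a lower-numbered deny for one network wins over the later allow.
NACL_BLOCKLIST = [
    Rule(50, "tcp", 80, 80, "198.51.100.0/24", "deny"),
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    print("SG http from internet:", security_group_allows(WEB_SG, "tcp", 80, "198.51.100.20"))
    print("SG ssh  from internet:", security_group_allows(WEB_SG, "tcp", 22, "198.51.100.20"))
    print("NACL as shown, request/reply   :", http_round_trip(NACL_AS_SHOWN, NACL_AS_SHOWN, "198.51.100.20", 49152))
    print("NACL + ephemeral, request/reply:", http_round_trip(NACL_AS_SHOWN, NACL_WITH_EPHEMERAL, "198.51.100.20", 49152))
    print("blocklist, 198.51.100.20:", nacl_decides(NACL_BLOCKLIST, "tcp", 80, "198.51.100.20"))
```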

2.5.4 AWS Direct Connect

What is AWS Direct Connect?

  • AWS Direct Connect provides a private connection between your on-premises network (your data center) and AWS.

Benefits:

  1. Private and Secure: No traffic goes over the public internet.
  2. Faster Performance: Provides low latency and high bandwidth.
  3. Cost Savings: Reduces the cost of transferring large amounts of data.

Example:
If you run a business with large databases in your office, you can use AWS Direct Connect to transfer data quickly and securely to AWS.

2.5.5 Virtual Private Network (VPN)

What is a VPN?

  • A VPN creates an encrypted tunnel between your on-premises network and AWS.
  • It allows you to securely access AWS resources over the internet.

When to Use VPN:

  • If you need secure access to AWS but don’t want to use Direct Connect.

Example:
You’re working from home and need secure access to your company’s AWS VPC. You connect to a VPN that encrypts all the data traveling between your laptop and AWS.

Summary of Network Security

Here’s a recap of AWS network security tools:

Tool             Purpose                               Use Case
VPC              Creates an isolated private network.  Run applications securely.
Security Groups  Firewall at the instance level.       Allow HTTP traffic to web servers.
NACLs            Firewall at the subnet level.         Block all traffic except HTTP.
Direct Connect   Private, high-speed AWS connection.   Transfer large data securely.
VPN              Secure internet connection to AWS.    Remote secure access to AWS VPC.

2.6 Compliance and Governance

Compliance refers to following rules, laws, and regulations that apply to your industry or business. For example:

  • Healthcare companies need to follow HIPAA rules to protect patient data.
  • Financial organizations must comply with PCI DSS to secure payment card transactions.

AWS helps you meet these compliance requirements through:

  1. Compliance programs: AWS follows global security standards and provides certifications.
  2. AWS Artifact: A portal to access compliance reports and certifications.
  3. Governance tools: Services like AWS Config to monitor your resources and ensure compliance.

2.6.1 AWS Compliance Programs

AWS complies with a wide range of international and industry-specific standards. These certifications ensure that AWS data centers, infrastructure, and operations meet global security requirements.

Key Compliance Programs

  1. ISO Certifications
    • ISO 27001: Security management.
    • ISO 27017: Cloud security best practices.
    • ISO 27018: Protection of personal data in the cloud.
    • Example: If your business stores personal customer data, ISO 27018 ensures AWS protects it securely.
  2. SOC Reports (System and Organization Controls)
    • SOC 1: Focuses on financial reporting controls.
    • SOC 2/3: Focuses on security, availability, and confidentiality.
    • Example: If your company undergoes an audit, SOC 2 reports prove that AWS maintains strong security and privacy controls.
  3. PCI DSS (Payment Card Industry Data Security Standard)
    • Ensures the secure handling of credit card information.
    • Example: If you run an e-commerce store and process credit card payments, PCI DSS compliance is essential.
  4. GDPR (General Data Protection Regulation)
    • GDPR is a European Union law to protect the privacy of personal data.
    • AWS provides tools (like encryption) to help you comply with GDPR.
  5. HIPAA (Health Insurance Portability and Accountability Act)
    • A U.S. law that protects sensitive healthcare data.
    • Example: If you store patient health information on AWS, HIPAA compliance ensures the data is secure.

Analogy: AWS Compliance = A Certified Building

Think of AWS as a highly certified building:

  • The building (AWS) has certifications like ISO, SOC, and PCI to show it’s secure.
  • If you rent a space (use AWS services), you can tell customers that your business meets compliance requirements because AWS is already certified.

2.6.2 AWS Artifact

AWS Artifact is a self-service portal where you can access AWS compliance reports and certifications.

What Can You Do with AWS Artifact?
  1. Download Reports: Get audit reports like SOC, ISO, and PCI DSS.
  2. Review Certifications: Prove to auditors or customers that your AWS environment meets compliance standards.

Example: If a client asks for proof that your systems comply with PCI DSS, you can download the PCI DSS report from AWS Artifact and share it with them.

2.6.3 Governance with AWS Config

AWS Config helps you govern your AWS resources by monitoring and tracking their configurations. It ensures your resources comply with security and business rules.

How AWS Config Works

  1. Configuration Tracking: AWS Config monitors the configuration of your resources (e.g., EC2, S3, RDS).
  2. Compliance Checks: You can define rules to ensure your resources meet security policies.
    • Example rules:
      • “No S3 bucket should be public.”
      • “IAM users must have MFA enabled.”
  3. Resource History: AWS Config records a history of changes to your resources, so you can see who made what changes.

Example of AWS Config

Let’s say you set a rule: "All S3 buckets must not allow public access".

  • AWS Config will continuously monitor your S3 buckets.
  • If someone accidentally makes an S3 bucket public, AWS Config flags it as “non-compliant” and alerts you.

Benefits of AWS Config

  1. Visibility: Tracks changes to your AWS resources.
  2. Compliance: Ensures your resources follow security rules.
  3. Auditing: Provides a history of resource configurations for audits.
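The two example rules above ("no S3 bucket should be public", "IAM users must have MFA enabled") can be expressed as checks over a resource inventory, and the "flag it when someone changes it" behaviour is a comparison of two snapshots. The Python below is an added example, not code from this page or AWS Config itself: the inventory records use a simplified constructed shape (not the real Config configuration-item schema), the rule names are chosen for the example, and the bucket and user names are made up.

```python
import json

# Constructed inventory snapshot in a simplified shape (not the real AWS Config
# configuration-item schema); bucket and user names are made up.
SNAPSHOT_BEFORE = json.loads("""
[
 {"resourceType": "AWS::S3::Bucket", "resourceName": "customer-orders",
  "publicAccessBlock": {"blockPublicAcls": true, "ignorePublicAcls": true,
                        "blockPublicPolicy": true, "restrictPublicBuckets": true}},
 {"resourceType": "AWS::S3::Bucket", "resourceName": "marketing-site",
  "publicAccessBlock": {"blockPublicAcls": true, "ignorePublicAcls": true,
                        "blockPublicPolicy": false, "restrictPublicBuckets": false}},
 {"resourceType": "AWS::IAM::User", "resourceName": "alice", "mfaDevices": 1},
 {"resourceType": "AWS::IAM::User", "resourceName": "bob", "mfaDevices": 0}
]
""")

# Later snapshot: someone switched off two of the public-access settings on
# customer-orders, and bob has since enrolled an MFA device.
SNAPSHOT_AFTER = json.loads(json.dumps(SNAPSHOT_BEFORE))
SNAPSHOT_AFTER[0]["publicAccessBlock"].update({"blockPublicPolicy": False, "restrictPublicBuckets": False})
SNAPSHOT_AFTER[3]["mfaDevices"] = 1


def s3_public_access_prohibited(item: dict) -> bool:
    """'No S3 bucket should be public': all four Block Public Access settings must be on."""
    pab = item.get("publicAccessBlock", {})
    return all(pab.get(flag) is True for flag in
               ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets"))


def iam_user_mfa_enabled(item: dict) -> bool:
    """'IAM users must have MFA enabled': at least one MFA device registered."""
    return item.get("mfaDevices", 0) >= 1


# Rule name -> (resource type it applies to, check). Names chosen for this example.
RULES = {
    "s3-public-access-prohibited": ("AWS::S3::Bucket", s3_public_access_prohibited),
    "iam-user-mfa-enabled": ("AWS::IAM::User", iam_user_mfa_enabled),
}


def evaluate_snapshot(items: list) -> dict:
    """Map (rule, resourceType, resourceName) -> 'COMPLIANT' / 'NON_COMPLIANT'."""
    results = {}
    for rule_name, (resource_type, check) in RULES.items():
        for item in items:
            if item["resourceType"] == resource_type:
                key = (rule_name, resource_type, item["resourceName"])
                results[key] = "COMPLIANT" if check(item) else "NON_COMPLIANT"
    return results


def newly_non_compliant(before: list, after: list) -> list:
    """Resources that were compliant in the earlier snapshot and are not now:
    the change a continuously evaluated rule would flag and alert on."""
    old, new = evaluate_snapshot(before), evaluate_snapshot(after)
    return sorted(k for k, status in new.items()
                  if status == "NON_COMPLIANT" and old.get(k) == "COMPLIANT")


if __name__ == "__main__":
    for key, status in sorted(evaluate_snapshot(SNAPSHOT_AFTER).items()):
        print(f"{status:14} {key[0]:30} {key[1]} {key[2]}")
    print("newly non-compliant:", newly_non_compliant(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```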

2.6.4 Why Compliance and Governance Are Important

  1. Legal Requirements: Many businesses must follow compliance rules like GDPR or HIPAA.
  2. Customer Trust: Proving compliance helps gain customer confidence.
  3. Security: Compliance programs ensure your resources follow best security practices.

Real-World Example

Imagine you are a company that stores sensitive health information for patients:

  1. Compliance: You need to comply with HIPAA to ensure the data is secure.
  2. AWS Certification: AWS already has HIPAA compliance, which simplifies your audit.
  3. AWS Artifact: You download AWS’s HIPAA compliance report from AWS Artifact.
  4. AWS Config: You set up AWS Config to monitor and ensure your resources (e.g., S3 buckets) follow HIPAA rules.

By leveraging AWS compliance programs and governance tools, you ensure that your resources meet legal and security standards.

Summary of Compliance and Governance

Feature              Purpose                                                      Example Use Case
Compliance Programs  AWS follows global standards like ISO, SOC, PCI, and HIPAA.  Healthcare companies use AWS for HIPAA compliance.
AWS Artifact         Provides access to compliance reports and certifications.   Download SOC 2 reports for an audit.
AWS Config           Tracks resource configurations and checks compliance.       Ensure no S3 buckets are public.

Key Takeaways

  1. AWS complies with global security standards like ISO, SOC, PCI DSS, GDPR, and HIPAA.
  2. AWS Artifact provides easy access to compliance reports and certifications.
  3. AWS Config helps you monitor resources and enforce security rules to ensure compliance.

2.7 Security Best Practices

Security best practices are recommendations that help you keep your AWS environment secure, compliant, and protected from threats. AWS provides a variety of tools, features, and guidelines to ensure the safety of your resources, data, and applications.

Here are the most important best practices you should follow:

1. Implement Multi-Factor Authentication (MFA)

What is MFA?
  • Multi-Factor Authentication (MFA) adds an extra layer of security to your AWS accounts.
  • Users need to provide two factors to log in:
    1. Password (something they know).
    2. One-Time Code (something they have, usually generated by a mobile app or sent via SMS).
Why Use MFA?
  1. Even if someone steals your password, they cannot access your account without the second factor (the MFA code).
  2. It protects against unauthorized access to your AWS resources.
How to Set Up MFA:
  1. Go to the AWS Management Console and enable MFA for the root account and all IAM users.
  2. Use a mobile app like Google Authenticator or Authy to generate MFA codes.

Example:
If you log in to AWS, you first enter your password. Then, you open the Google Authenticator app on your phone to enter the 6-digit code. Without the code, no one can log in.

2. Enable AWS CloudTrail for All Accounts

What is AWS CloudTrail?
  • AWS CloudTrail tracks every API call made in your AWS account.
  • It tells you:
    • Who performed an action.
    • When it happened.
    • What resources were affected.
Why Use CloudTrail?
  1. It provides a record of activity for security audits and investigations.
  2. You can monitor for suspicious actions like unauthorized access or data deletion.
Example Use Case:

If someone deletes an S3 bucket, CloudTrail logs the details:

  • Who deleted the bucket.
  • The time of the action.
  • The IP address and region of the request.
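Pulling "who, when, what, from where" out of CloudTrail is a matter of reading a few fields of each record. The Python below is an added example (not from this page or AWS) serving both this use case and the DeleteBucket example in section 2.4: it answers who deleted which bucket, from which IP and region, and separately counts failed console logins per source address. The records are constructed; their field names follow the CloudTrail event schema, but account id, names, IPs and times are made up.

```python
import json
from collections import Counter

# Constructed CloudTrail log file (values made up; field names as in real events).
SAMPLE_LOG_FILE = """
{"Records": [
 {"eventTime": "2024-03-01T09:12:44Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"bucketName": "customer-orders"}},
 {"eventTime": "2024-03-01T09:15:02Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2024-03-01T09:15:20Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2024-03-01T09:15:41Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2024-03-01T09:30:05Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.5",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2024-03-01T09:30:31Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.5",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
  "awsRegion": "eu-west-1", "sourceIPAddress": "10.0.3.25",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-build-42"},
  "requestParameters": {"bucketName": "staging-logs"}}
]}
"""


def load_records(text: str) -> list:
    """A CloudTrail log file is a JSON object with a 'Records' array."""
    return json.loads(text)["Records"]


def principal(event: dict) -> str:
    """Who: an IAM user name, or the role name behind an assumed-role session."""
    ident = event["userIdentity"]
    if ident["type"] == "IAMUser":
        return "user:" + ident["userName"]
    if ident["type"] == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<session-name>
        return "role:" + ident["arn"].split("/")[1]
    return ident["type"].lower()   # e.g. root or an AWS service


def bucket_deletions(records: list) -> list:
    """Who deleted which bucket, when, and from where."""
    return [{"who": principal(e), "when": e["eventTime"],
             "bucket": e["requestParameters"]["bucketName"],
             "ip": e["sourceIPAddress"], "region": e["awsRegion"]}
            for e in records if e["eventName"] == "DeleteBucket"]


def failed_console_logins(records: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` failed console logins (a
    password-guessing signal worth an alert); failures are recorded in
    responseElements.ConsoleLogin."""
    failures = Counter(e["sourceIPAddress"] for e in records
                       if e["eventName"] == "ConsoleLogin"
                       and e.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG_FILE)
    for d in bucket_deletions(records):
        print(f"{d['when']} {d['who']:18} deleted {d['bucket']:16} from {d['ip']} ({d['region']})")
    print("repeated login failures:", failed_console_logins(records))
```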

3. Use Amazon S3 Bucket Policies to Restrict Public Access

Why Secure S3 Buckets?
  • By default, S3 buckets are private. However, accidental misconfiguration can make them public.
  • Public S3 buckets can expose sensitive data to the internet.
Best Practices for S3 Security:
  1. Block Public Access: Use the S3 Block Public Access feature to prevent accidental public sharing.
  2. Bucket Policies: Define rules for who can access your S3 data.
  3. Encryption: Enable Server-Side Encryption (SSE) to secure your data.

Example:
You set a Bucket Policy that allows only users from your company to access an S3 bucket. Even if someone outside tries to access it, they will be blocked.

4. Regularly Review IAM Roles and Permissions

Why Review IAM Roles?
  • Permissions can change over time, and unnecessary permissions can create security risks.
  • Users and roles should only have permissions they need (principle of least privilege).
Steps to Follow:
  1. Audit IAM Policies regularly.
  2. Remove unused users, roles, and access keys.
  3. Use IAM Access Analyzer to identify resources shared outside your account.
Example:

If a developer moves to another team, review their IAM role and remove permissions they no longer need.

5. Monitor Resources with Amazon CloudWatch and GuardDuty

Amazon CloudWatch:
  • What it does: Monitors AWS resources and applications.
  • Use it to:
    • Set alarms for unusual activity.
    • Track performance metrics like CPU usage, storage, or network traffic.

Example: Set up an alarm if an EC2 instance's CPU usage is too high, which could indicate an attack or malfunction.

Amazon GuardDuty:
  • What it does: Monitors your AWS environment for suspicious activities.
  • GuardDuty can detect:
    • Unauthorized access.
    • Malware or unusual traffic patterns.

Example: GuardDuty alerts you if someone tries to access your account with stolen credentials.

6. Use VPC Flow Logs to Monitor Network Traffic

What are VPC Flow Logs?
  • VPC Flow Logs capture information about the IP traffic going to and from your Virtual Private Cloud (VPC).
Why Use VPC Flow Logs?
  1. Monitor Traffic: Identify unusual or unauthorized network traffic.
  2. Troubleshooting: Debug issues with network connectivity.
  3. Security Audits: Detect malicious activity.

Example:
You notice unexpected traffic coming from a suspicious IP address. VPC Flow Logs help you identify the source and take action.
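Identifying that source from the logs means parsing the flow records and looking for a pattern rather than a single line. The Python below is an added example, not code from this page or AWS: it parses records in the default VPC Flow Logs format and runs two detections over them, one host whose rejected connections sweep many ports, and accepted SSH from outside an admin network (which would mean a wider SSH rule than the security group table in section 2.5 intends). The records, addresses and interface id are constructed; the admin CIDR is an assumed parameter.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records in the default VPC Flow Logs format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status   (addresses and ids are made up)
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.15 41230 22 6 3 180 1710000000 1710000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.15 41231 23 6 3 180 1710000000 1710000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.15 41232 445 6 3 180 1710000000 1710000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.15 41233 3389 6 3 180 1710000000 1710000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.15 41234 8080 6 3 180 1710000000 1710000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.15 51000 80 6 20 4000 1710000000 1710000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.15 51001 443 6 1 60 1710000000 1710000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.15 55120 22 6 40 9000 1710000000 1710000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.44 10.0.1.15 60000 22 6 10 900 1710000000 1710000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1710000000 1710000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_log(text: str) -> list:
    """Parse default-format records into dicts. NODATA/SKIPDATA lines carry
    no traffic fields and are dropped; numeric fields become ints."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, fields))
        if rec["log_status"] != "OK":
            continue
        for name in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def rejected_port_sweeps(records: list, min_ports: int = 4) -> dict:
    """Sources whose REJECTed connections touched at least `min_ports`
    distinct destination ports: one host probing many closed ports rather
    than a client retrying a single service."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def ssh_from_outside(records: list, admin_cidr: str) -> list:
    """ACCEPTed TCP/22 flows (protocol 6) whose source is not in the admin
    network; an empty list is what the 'SSH from your IP only' rule should give."""
    admin = ip_network(admin_cidr)
    return sorted({(rec["srcaddr"], rec["dstaddr"]) for rec in records
                   if rec["action"] == "ACCEPT" and rec["protocol"] == 6
                   and rec["dstport"] == 22 and ip_address(rec["srcaddr"]) not in admin})


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("port sweeps        :", rejected_port_sweeps(recs))
    print("ssh from outside   :", ssh_from_outside(recs, "203.0.113.0/24"))
```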

7. Enable Automatic Backups

Why Backups Are Important:
  • Backups ensure that you can recover your data in case of:
    • Accidental deletion.
    • Data corruption.
    • Security breaches or ransomware attacks.
How to Enable Backups:
  • Use Amazon S3 Versioning to keep multiple versions of objects.
  • Use AWS Backup to automate backups for EC2, RDS, and EFS.

Summary of Security Best Practices

Here’s a recap of the most critical best practices:

  • Enable MFA: Adds an extra layer of security. Example: Protects AWS accounts from stolen passwords.
  • Use AWS CloudTrail: Tracks all API activity for auditing. Example: Monitors who deleted or modified resources.
  • Secure S3 Buckets: Prevents accidental public access. Example: Ensures sensitive data is private.
  • Review IAM Roles and Permissions: Enforces least privilege access. Example: Removes unnecessary permissions for users.
  • Monitor with CloudWatch/GuardDuty: Detects performance issues and security threats. Example: Alerts you to suspicious activities.
  • Use VPC Flow Logs: Monitors network traffic. Example: Identifies unusual traffic patterns.
  • Enable Automatic Backups: Ensures data recovery in case of failure. Example: Automates backups of EC2 and databases.

Key Takeaways

  1. Enable MFA to protect your AWS accounts from unauthorized access.
  2. Use AWS CloudTrail and VPC Flow Logs to monitor activities and network traffic.
  3. Secure your S3 buckets by blocking public access and enabling encryption.
  4. Follow the principle of least privilege when assigning IAM permissions.
  5. Use GuardDuty and CloudWatch to detect unusual behavior and potential threats.
  6. Always have automatic backups to recover from data loss or corruption.

Security and Compliance (Additional Content)

1. IAM Access Analyzer

IAM Access Analyzer is a relatively new AWS service that helps you identify resources shared with external entities. While earlier we discussed reviewing IAM permissions, Access Analyzer automates the detection of overly permissive configurations, especially in IAM roles and policies.

Key Features:

  • Identifies IAM roles that can be assumed by external accounts.

  • Detects S3 buckets, KMS keys, and other resources shared outside your organization.

  • Helps enforce least privilege access by flagging unintentional exposure.

Example: If a developer mistakenly creates a policy that allows public access to an S3 bucket, Access Analyzer will alert you immediately.

Exam Tip: Know that Access Analyzer helps detect unintended access to your AWS resources, making it a detection-focused tool within the IAM service family.

2. Service Control Policies (SCPs) in AWS Organizations

Service Control Policies (SCPs) are a governance mechanism used in AWS Organizations. While IAM policies manage permissions within an account, SCPs manage what services and actions member accounts can perform, at the organizational level.

Why SCPs Matter:

  • Apply guardrails to ensure member accounts cannot exceed allowed permissions, even if their IAM permissions allow it.

  • SCPs don’t grant permissions but restrict them.

Example: If an SCP denies access to ec2:*, then even if an IAM user has ec2:StartInstances permission, they won’t be able to use EC2 in that account.

Quick Note: While SCPs are advanced, it’s helpful to remember their role in organization-wide control, especially for enterprise-level governance.
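The ec2:* example above, worked through as an added example (not code from the page): a simplified policy evaluator in which an explicit SCP deny overrides an IAM allow, and an SCP allow alone grants nothing. The three policy documents are constructed; real evaluation also covers resource policies, permission boundaries and conditions, which this model leaves out.

```python
"""Added example (not from the page): a simplified model of how an explicit SCP deny
overrides an IAM allow, as in the ec2:* case above. Real evaluation also considers
resource policies, permission boundaries and conditions; this handles Effect and Action only."""
from fnmatch import fnmatchcase

def _matches(patterns, action):
    """IAM action names are case-insensitive and may use '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _evaluate(policy, action):
    """Return 'Deny', 'Allow' or None when no statement in this policy matches."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    effects = {s["Effect"] for s in statements if _matches(s["Action"], action)}
    return _combine(effects)

def _combine(effects):
    """Across statements or policies: any explicit Deny wins, otherwise an Allow is needed."""
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_allowed(action, scps, iam_policies):
    """SCPs (all attached at one level) must allow the action and IAM must also allow it;
    SCPs never grant access on their own, so an IAM allow is still required."""
    if _combine([_evaluate(p, action) for p in scps]) != "Allow":
        return False  # guardrail: denied, or not in the SCP allow-list at all
    return _combine([_evaluate(p, action) for p in iam_policies]) == "Allow"

# Constructed policies: the default FullAWSAccess SCP, a guardrail SCP denying all of
# EC2, and a user policy that allows ec2:StartInstances and s3:GetObject.
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17",
                       "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
DENY_EC2_SCP = {"Version": "2012-10-17",
                "Statement": {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}}
USER_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Resource": "*",
                              "Action": ["ec2:StartInstances", "s3:GetObject"]}]}

if __name__ == "__main__":
    # Page's example: IAM allows StartInstances but the SCP denies ec2:* -> not allowed.
    print(is_allowed("ec2:StartInstances", [FULL_AWS_ACCESS_SCP, DENY_EC2_SCP], [USER_POLICY]))
```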

3. Categorizing AWS Security Services by Function

Earlier sections covered AWS security services such as AWS Shield, AWS WAF and Amazon GuardDuty. For exam readiness, it is useful to organize them by function. Below is a summary grouped by what each service does:

Prevention:

  • AWS WAF – Blocks common web attacks.

  • AWS Shield – Protects against DDoS attacks.

  • IAM – Controls user and service access.

  • SCPs – Apply service-level access restrictions across accounts.

Detection:

  • Amazon GuardDuty – Detects suspicious activity (e.g., stolen credentials).

  • AWS Config – Tracks resource changes and compliance.

  • IAM Access Analyzer – Flags resources shared with external entities.

Response and Monitoring:

  • AWS CloudTrail – Logs API activity.

  • Amazon CloudWatch – Monitors metrics and creates alarms.

  • Amazon Inspector – Scans for vulnerabilities on EC2 and containers.

Tip: Recognizing the function of each service helps answer scenario-based exam questions more easily.

4. Root Account Usage Best Practices

A classic security best practice — and a frequent exam topic — is related to the root user account.

Important Rules About the Root Account:

  • Never use the root account for daily operations.

  • Enable MFA for the root account.

  • Use the root account only when absolutely necessary, such as:

    • Changing account settings.

    • Closing an AWS account.

    • Managing certain billing functions.

Example Exam Question:

Which of the following is a best practice related to the root account in AWS?
Correct answer: "Enable MFA and avoid using it for routine tasks."

This aligns directly with the AWS shared responsibility model — you are responsible for securing credentials, especially the most powerful one.

Summary of Key Additions for Security and Compliance:

  • IAM Access Analyzer: Detects unintended resource sharing.

  • SCPs: Restrict what member accounts in an organization can do.

  • Security Service Classification: Know which tools prevent, detect, or monitor.

  • Root Account Best Practices: Use rarely, protect with MFA, and never for daily tasks.

Frequently Asked Questions

Which AWS security principle recommends granting users only the permissions necessary to perform their job functions?

Answer:

The principle of least privilege.

Explanation:

The principle of least privilege restricts user permissions to the minimum level required for specific tasks. In AWS environments, this principle is enforced primarily through IAM policies that define precise permissions for accessing resources.

Implementing least privilege reduces the potential impact of compromised accounts or accidental misuse of resources. For example, a developer who only needs to read objects from an Amazon S3 bucket should not receive permissions to delete or modify them.

A common error is assigning overly broad permissions such as full administrative access for convenience. While this simplifies configuration, it significantly increases security risks. Applying least privilege helps organizations maintain stronger security controls and limit exposure to potential threats.

Demand Score: 84

Exam Relevance Score: 88

A company needs to securely store and automatically rotate database credentials for applications running in AWS. Which AWS security service supports this requirement?

Answer:

AWS Secrets Manager.

Explanation:

AWS Secrets Manager is designed to securely store, manage, and rotate sensitive information such as database credentials, API keys, and authentication tokens. Instead of embedding credentials directly in application code, developers can retrieve secrets dynamically through secure API calls.

The service supports automatic rotation of credentials, reducing the risk of compromised credentials remaining active for extended periods. Integration with AWS Identity and Access Management ensures that only authorized services or users can access stored secrets.

A frequent mistake is confusing Secrets Manager with configuration management services. Secrets Manager specifically handles sensitive data and credential rotation, whereas other services may manage general configuration parameters that are not considered secret.

Demand Score: 70

Exam Relevance Score: 78

A company wants to centrally review compliance reports and AWS audit certifications. Which AWS service provides access to these compliance documents?

Answer:

AWS Artifact.

Explanation:

AWS Artifact provides on-demand access to AWS compliance documentation and audit reports. Organizations can download reports related to certifications such as SOC, ISO, and PCI DSS. These documents help customers verify that AWS infrastructure meets regulatory and industry compliance requirements.

Artifact is particularly useful for organizations that must demonstrate compliance to regulators, auditors, or internal governance teams. Instead of requesting documentation from AWS support, users can retrieve reports directly through the AWS Management Console.

A common confusion occurs between AWS Artifact and security monitoring services. Artifact does not detect threats or enforce policies; it simply provides compliance documentation and agreements related to AWS infrastructure.

Demand Score: 72

Exam Relevance Score: 80

Which component of AWS security is always managed by AWS regardless of the service model used?

Answer:

Physical security of the AWS data centers.

Explanation:

AWS always manages the security of the underlying infrastructure that supports its cloud services. This includes physical data center facilities, networking hardware, servers, and virtualization layers. Customers do not access or manage these components.

This responsibility applies across all AWS service models, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and fully managed services. AWS handles tasks such as facility access control, hardware maintenance, and physical network protection.

Many learners mistakenly believe that AWS responsibilities vary widely across service models. While customer responsibilities do change depending on the service level, AWS consistently maintains responsibility for protecting the physical infrastructure that hosts the cloud environment.

Demand Score: 86

Exam Relevance Score: 90

Which AWS service enables administrators to create users, assign permissions, and enforce least-privilege access across AWS resources?

Answer:

AWS Identity and Access Management (IAM).

Explanation:

IAM is the primary service used to manage authentication and authorization in AWS environments. Administrators can create IAM users, groups, and roles, then attach policies that define allowed actions on AWS resources. This enables enforcement of the principle of least privilege, where users receive only the permissions necessary to perform their tasks.

A common exam misunderstanding is confusing IAM with directory services or security monitoring tools. IAM does not detect threats or monitor logs; instead, it controls who can access AWS resources and what actions they are allowed to perform.

Proper IAM configuration significantly reduces security risks by preventing unauthorized access and limiting the impact of compromised credentials.

Demand Score: 82

Exam Relevance Score: 92

A company deploys an application on Amazon EC2 instances. According to the AWS shared responsibility model, who is responsible for patching the operating system on those instances?

Answer:

The customer is responsible.

Explanation:

In the AWS shared responsibility model, AWS manages security of the cloud, while customers manage security in the cloud. AWS protects the physical infrastructure, hardware, networking, and underlying virtualization environment. However, when customers run workloads on services such as EC2, they control the operating system inside the instance.

Because customers choose the operating system, install applications, and manage configurations, they must apply operating system patches, configure firewalls, and maintain system security updates.

A common mistake is assuming AWS automatically manages OS updates for EC2 instances. That level of management exists only with fully managed services. With EC2, the customer retains responsibility for operating system maintenance and security configuration.

Demand Score: 90

Exam Relevance Score: 95
