AWS SAA-C03 Study Guide: Chapter 9 – Cloud Security

AWS Certified Solutions Architect – Associate

🤝 The Shared Responsibility Model

Security in the cloud is a partnership. Think of it like a secure apartment building: the landlord (AWS) secures the building itself, while each tenant (you) locks their own door and decides who gets a key. AWS publishes this split as the Shared Responsibility Model, and the line moves as you use more managed services: on EC2 you patch the operating system, on RDS AWS does.

Customer: Security IN the Cloud

  • Data Protection: Encryption at rest and in transit (client-side and server-side), plus classifying data and deciding who may read it.
  • Identity: IAM users, groups, roles, policies, MFA.
  • Network: Security Groups, Network ACLs, VPC configuration (subnets, route tables, gateways).
  • OS and above: Patching the guest OS, runtime and application on EC2.

AWS: Security OF the Cloud

  • Physical: Data center access, hardware security, media disposal.
  • Infrastructure: The hardware, hypervisor and host software behind Compute, Storage, Networking and Database services.
  • Global: Regions, Availability Zones, Edge Locations.
  • Managed Services: Patching the underlying OS and engine for RDS, S3, DynamoDB and other managed services.

Edge Protection

🛡️ AWS Shield

Standard: Free and automatically enabled for every AWS customer. Protects against common Layer 3/4 DDoS attacks (SYN floods, UDP reflection) on all AWS resources, with the strongest coverage on CloudFront, Route 53 and ELB.

Advanced: Paid (about $3,000/month with a one-year commitment). Adds 24/7 access to the Shield Response Team (SRT), DDoS cost protection (credits for scaling charges caused by an attack), near-real-time attack visibility, and sophisticated Layer 7 mitigation through AWS WAF, which is included at no extra charge for protected resources.

App Layer Security

🧱 AWS WAF

Protects web applications from common Layer 7 exploits. It attaches to CloudFront distributions, Application Load Balancers, API Gateway and AppSync APIs, not to EC2 instances directly.

  • Blocks SQL injection and cross-site scripting (XSS) through rule statements and AWS Managed Rules rule groups.
  • Inspects HTTP/HTTPS requests (headers, URI, query string, body, source IP); rate-based rules limit requests per source IP and geo match rules filter by country.
  • Uses “Web ACLs” to allow/block traffic: rules are evaluated in priority order, the first Allow or Block match is final, Count rules only record a match, and the default action applies when nothing matched.
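As an added example (not from the study guide or from AWS), the following Go program models the decision a Web ACL makes for one request: rules are taken in priority order, the first match with a terminating action (Allow or Block) decides, a Count match is recorded and evaluation continues, and the default action applies when nothing terminates. The rule set, the TEST-NET source addresses and the one-line SQLi pattern are constructed for the demonstration; real WAF evaluates managed rule groups, not a single regular expression.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// Action is what a rule does when it matches. Allow and Block terminate
// evaluation; Count only records the match, as a rule does in count mode.
type Action int

const Allow, Block, Count Action = 0, 1, 2

func (a Action) String() string { return [...]string{"ALLOW", "BLOCK", "COUNT"}[a] }

// Request is the slice of an HTTP request that the rules below inspect.
type Request struct {
	SourceIP string
	URI      string
	Query    string
}

// Rule is one Web ACL rule: a priority, an action and a match predicate.
type Rule struct {
	Name     string
	Priority int
	Action   Action
	Match    func(Request) bool
}

// WebACL is a rule set plus the default action used when no terminating rule matches.
type WebACL struct {
	Rules         []Rule
	DefaultAction Action
}

// Evaluate walks the rules in ascending priority; the first match with a
// terminating action decides. It returns that action and the deciding rule's name.
func (w WebACL) Evaluate(r Request) (Action, string) {
	rules := append([]Rule(nil), w.Rules...)
	sort.Slice(rules, func(i, j int) bool { return rules[i].Priority < rules[j].Priority })
	for _, rule := range rules {
		if rule.Match(r) && rule.Action != Count { // a Count match never ends evaluation
			return rule.Action, rule.Name
		}
	}
	return w.DefaultAction, "default"
}

// ipSet mimics an IP set match statement over a list of CIDRs.
func ipSet(cidrs ...string) func(Request) bool {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return func(r Request) bool {
		ip := net.ParseIP(r.SourceIP)
		for _, n := range nets {
			if ip != nil && n.Contains(ip) {
				return true
			}
		}
		return false
	}
}

// sqliSignature is a crude stand-in for the managed SQLi rule group, enough to
// show rule ordering; it is not a real injection detector.
var sqliSignature = regexp.MustCompile(`(?i)(union\s+select|'\s*or\s+'?\d|--\s*$)`)

// DemoACL is a constructed Web ACL: block a known-bad range first, count hits on
// /admin without blocking them, block SQLi patterns, allow everything else.
func DemoACL() WebACL {
	return WebACL{
		DefaultAction: Allow,
		Rules: []Rule{
			{Name: "block-bad-ips", Priority: 0, Action: Block, Match: ipSet("203.0.113.0/24")},
			{Name: "count-admin", Priority: 1, Action: Count,
				Match: func(r Request) bool { return strings.HasPrefix(r.URI, "/admin") }},
			{Name: "block-sqli", Priority: 2, Action: Block,
				Match: func(r Request) bool { return sqliSignature.MatchString(r.Query) }},
		},
	}
}

func main() {
	acl := DemoACL()
	for _, r := range []Request{ // constructed requests from TEST-NET ranges
		{SourceIP: "203.0.113.7", URI: "/"},
		{SourceIP: "198.51.100.5", URI: "/admin/login", Query: "id=1' OR '1'='1"},
		{SourceIP: "198.51.100.5", URI: "/admin", Query: "page=2"},
	} {
		action, rule := acl.Evaluate(r)
		fmt.Printf("%-13s %-13s -> %-5s by %s\n", r.SourceIP, r.URI, action, rule)
	}
}
```

The order matters: if count-admin had Action Block, every /admin request would be stopped before the SQLi rule ever ran, which is the classic mistake when promoting a rule from count mode. Keep IP-set blocks at the lowest priority number so known-bad sources never reach the more expensive rules.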

Encryption

🔑 AWS KMS

Managed service to create and control encryption keys. Key material never leaves KMS; you call the API (Encrypt, Decrypt, GenerateDataKey) and every call is logged in CloudTrail. Access is governed by the key policy together with IAM policies, and symmetric customer managed keys can be rotated automatically.

  • Symmetric: Same key for Encrypt/Decrypt. The default, and the basis of envelope encryption: KMS hands out a data key, the data is encrypted locally with it, and only the wrapped data key is stored alongside the data.
  • Asymmetric: Public/private key pair for encryption or signing; the public key can be exported and used outside AWS, the private key cannot.
  • HMAC: Generate and verify message authentication codes (GenerateMac/VerifyMac) to prove data authenticity/integrity.
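Added example, not part of the study guide and not AWS code: the envelope-encryption flow that KMS performs for S3, EBS and RDS, plus the HMAC operations, written in Go with only the standard library so it runs offline. The Key type stands in for a KMS key (in the real service the material never leaves the HSMs, and GenerateDataKey, Decrypt, GenerateMac and VerifyMac are API calls); AES-256-GCM is the cipher KMS uses for symmetric keys, and the encryption context string and the sample record are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Key stands in for a KMS key: as in KMS, the material never leaves and callers
// only get the operations below. NewKey models creating a customer managed key.
type Key struct{ material []byte }

func NewKey() *Key { return &Key{material: randomBytes(32)} }

// randomBytes panics on CSPRNG failure, which is not a recoverable condition.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; keys here are always 32 bytes, so errors are bugs.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal prepends a fresh random nonce to the GCM output; aad is authenticated only.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit key, in plaintext
// and wrapped under the KMS key. ctx is the encryption context, bound in as AAD.
func (k *Key) GenerateDataKey(ctx string) (plain, wrapped []byte) {
	plain = randomBytes(32)
	return plain, seal(k.material, plain, []byte(ctx))
}

// EnvelopeEncrypt is the client side: bulk data is encrypted locally under the
// data key, so only the 32-byte key ever touches KMS. Store wrapped and ct together.
func EnvelopeEncrypt(k *Key, ctx string, plaintext []byte) (wrapped, ct []byte) {
	dk, wrapped := k.GenerateDataKey(ctx)
	ct = seal(dk, plaintext, nil)
	for i := range dk {
		dk[i] = 0 // zero the plaintext data key as soon as it has been used
	}
	return wrapped, ct
}

// EnvelopeDecrypt unwraps the data key (kms:Decrypt), then decrypts locally; a
// wrong ctx, a different KMS key or a tampered blob all fail at the unwrap step.
func EnvelopeDecrypt(k *Key, ctx string, wrapped, ct []byte) ([]byte, error) {
	dk, err := open(k.material, wrapped, []byte(ctx))
	if err != nil {
		return nil, err
	}
	return open(dk, ct, nil)
}

// GenerateMac and VerifyMac mirror the KMS HMAC key operations (HMAC_SHA_256).
// KMS fixes usage per key, so a MAC key is a separate key from an encryption key.
func (k *Key) GenerateMac(msg []byte) []byte {
	m := hmac.New(sha256.New, k.material)
	m.Write(msg)
	return m.Sum(nil)
}

func (k *Key) VerifyMac(msg, mac []byte) bool {
	return hmac.Equal(k.GenerateMac(msg), mac) // constant-time compare, never ==
}

func main() {
	k := NewKey()
	wrapped, ct := EnvelopeEncrypt(k, "bucket=payroll", []byte("constructed sample record"))
	pt, err := EnvelopeDecrypt(k, "bucket=payroll", wrapped, ct)
	_, badCtx := EnvelopeDecrypt(k, "bucket=other", wrapped, ct)
	fmt.Printf("decrypted %q (err=%v); wrong context: %v\n", pt, err, badCtx)
}
```

The encryption context is the detail exam questions tend to skip: it is not secret (CloudTrail logs it in plaintext), but because it is authenticated together with the wrapped key, a blob produced for bucket=payroll cannot be unwrapped by code that claims bucket=other. The HMAC check uses a constant-time comparison for the same reason KMS keeps VerifyMac server-side: the comparison must not leak how many bytes matched.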

Intelligent Threat Detection

🕵️ GuardDuty

Threat Detection: Continuously analyzes CloudTrail events, VPC Flow Logs and Route 53 DNS query logs (optionally S3 data events, EKS audit logs and others) using machine learning, anomaly detection and threat-intelligence feeds. Findings such as compromised credentials, crypto-mining or port scanning are scored by severity and can be routed to Security Hub or EventBridge. There is no agent to install; it reads the logs directly.

🔍 Inspector

Vulnerability Management: Automatically and continuously scans EC2 instances (through the SSM Agent), container images in ECR and Lambda functions for software vulnerabilities (CVEs), and checks EC2 instances for unintended network reachability. Findings carry a risk score that accounts for exploitability and exposure.

📂 Macie

Data Privacy: Uses machine learning and pattern matching to discover sensitive data (PII such as SSNs and credit card numbers, plus credentials and private keys) in Amazon S3 and report it as findings. It also inventories buckets that are public, unencrypted or shared outside the account.

⚖️ KMS vs. Secrets Manager

The two are complements, not alternatives: Secrets Manager stores each secret encrypted under a KMS key.

  • Primary purpose: KMS manages encryption keys; Secrets Manager stores application secrets (passwords, API keys).
  • Rotation: KMS rotates the key material behind a key while the key ID stays the same and old material is retained, so existing ciphertext still decrypts; Secrets Manager rotates the actual secret value (for example, changing the database password) on a schedule through a Lambda rotation function.
  • Usage: KMS keys encrypt EBS volumes, S3 objects and RDS storage; Secrets Manager holds DB credentials and API tokens that applications fetch at runtime instead of hard-coding.

🏢 AWS Organizations

SCPs (Service Control Policies): Guardrails that define the maximum permissions available to the accounts in an Organization. An SCP never grants permissions by itself; the effective permission is the intersection of the SCPs on the account's OU path and the principal's IAM policies, and an explicit Deny in any SCP wins. Even the root user of a member account is restricted by SCPs. SCPs do not apply to the management account or to service-linked roles, and AWS attaches a FullAWSAccess SCP by default so nothing is blocked until you add restrictions.
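Added example (not from the study guide): a small Go evaluator for the part of the IAM decision logic that the SCP bullet describes: an explicit Deny anywhere wins, each level on the account's OU path must contain an allowing SCP, and the root user of a member account skips the identity-policy step but never the SCP step. It handles Effect, Action and Resource with IAM wildcards; Condition keys, resource policies and permissions boundaries are left out. FullAWSAccess is the SCP that AWS Organizations attaches by default; the deny-list guardrail and the S3-only identity policy are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// StringOrSlice accepts both "s3:GetObject" and ["s3:GetObject", "s3:PutObject"],
// the two forms IAM JSON allows for Action and Resource.
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = StringOrSlice{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

// Statement covers Effect/Action/Resource; Condition and NotAction are out of scope.
type Statement struct {
	Effect           string
	Action, Resource StringOrSlice
}
type Policy struct{ Statement []Statement }

func mustPolicy(doc string) (p Policy) {
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		panic(err)
	}
	return p
}

// matches implements IAM globbing (* any run, ? one char) over a pattern list.
// Action names compare case-insensitively (flags "(?i)"); ARNs do not (flags "").
func matches(patterns []string, value, flags string) bool {
	for _, p := range patterns {
		re := flags + "^" + strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(regexp.QuoteMeta(p)) + "$"
		if regexp.MustCompile(re).MatchString(value) {
			return true
		}
	}
	return false
}

// evaluate scans a set of policies for a matching Allow and a matching Deny.
func evaluate(policies []Policy, action, resource string) (allow, deny bool) {
	for _, p := range policies {
		for _, st := range p.Statement {
			if matches(st.Action, action, "(?i)") && matches(st.Resource, resource, "") {
				allow = allow || st.Effect == "Allow"
				deny = deny || st.Effect == "Deny"
			}
		}
	}
	return allow, deny
}

// Decision applies the SCP part of the IAM logic. scpLevels holds the SCPs in
// force at each step of the account's OU path (root, OUs, account): the request
// must be allowed at every level and explicitly denied at none. A member account's
// root user has no identity policy to satisfy, so isRoot skips that step only.
func Decision(action, resource string, scpLevels [][]Policy, identity []Policy, isRoot bool) (bool, string) {
	for i, level := range scpLevels {
		switch a, d := evaluate(level, action, resource); {
		case d:
			return false, fmt.Sprintf("explicit deny by SCP at level %d", i)
		case !a:
			return false, fmt.Sprintf("no SCP allow at level %d (implicit deny)", i)
		}
	}
	if isRoot {
		return true, "allowed by SCPs; root user bypasses identity policies"
	}
	switch a, d := evaluate(identity, action, resource); {
	case d:
		return false, "explicit deny by identity policy"
	case !a:
		return false, "implicit deny: no identity policy allows"
	}
	return true, "allowed by SCPs and identity policy"
}

// FullAWSAccess is the SCP AWS Organizations attaches by default; the other two are constructed.
const (
	FullAWSAccess  = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`
	DenyGuardrails = `{"Version":"2012-10-17","Statement":[
	  {"Effect":"Deny","Action":["cloudtrail:StopLogging","cloudtrail:DeleteTrail"],"Resource":"*"},
	  {"Effect":"Deny","Action":"organizations:LeaveOrganization","Resource":"*"}]}`
	S3OnlyIdentity = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::payroll/*"}]}`
)

func main() {
	full, guard := mustPolicy(FullAWSAccess), mustPolicy(DenyGuardrails)
	levels := [][]Policy{{full}, {full, guard}} // root OU, then the account's OU
	for _, action := range []string{"cloudtrail:StopLogging", "s3:GetObject"} {
		ok, why := Decision(action, "*", levels, nil, true)
		fmt.Printf("root user %-24s allowed=%-5v %s\n", action, ok, why)
	}
}
```

Two outcomes are worth running: the root user is stopped by the CloudTrail deny even though no identity policy applies to it, and a level whose only SCP is the deny list denies everything, because detaching FullAWSAccess removes the Allow that every request needs. Real evaluation also consults Conditions such as aws:RequestedRegion, which is how region-restriction SCPs are usually written.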

📜 AWS Artifact

Self-service portal to download AWS compliance reports (ISO, PCI DSS, SOC) and to review and accept agreements (NDA, BAA for HIPAA workloads).

Audit Manager

Continuously collects evidence from your AWS usage and maps it to prebuilt or custom control frameworks (GDPR, HIPAA, PCI DSS, CIS) to simplify how you assess risk and compliance.

🚀 Exam “Cheat Sheet”

  • Need to investigate the root cause behind a GuardDuty finding? Use Amazon Detective, which builds a graph from CloudTrail, VPC Flow Logs and GuardDuty findings.
  • Need to provision and renew SSL/TLS certificates for ELB, CloudFront or API Gateway? Use AWS Certificate Manager (ACM).
  • Need to share resources (subnets, Transit Gateways, License Manager configurations) across accounts? Use AWS RAM (Resource Access Manager).
  • Need a dedicated, single-tenant hardware key store under your exclusive control? Use CloudHSM (FIPS 140-2 Level 3); KMS is the answer when managed, multi-tenant keys are acceptable.
  • Need a centralized security dashboard that aggregates findings from GuardDuty, Inspector, Macie and partner tools? Use Security Hub.
  • Need to block specific IPs or domains at the VPC edge with stateful rules? Use Network Firewall (Network ACLs can block IP ranges but are stateless and cannot filter by domain).
  • Need automated checks against best practices for security, cost, performance, fault tolerance and service quotas? Use Trusted Advisor.
