Security Services & Compliance
Difficulty: medium
Overview
AWS provides a broad set of security services to protect workloads, detect threats, and maintain compliance.
Threat Detection & Monitoring:
- Amazon GuardDuty — Intelligent threat detection using ML; analyzes CloudTrail, VPC Flow Logs, and DNS logs. No agents needed.
- Amazon Inspector — Automated vulnerability assessments for EC2 instances and container images (software vulnerabilities, unintended network exposure).
- AWS Security Hub — Central security dashboard; aggregates findings from GuardDuty, Inspector, Macie, and third-party tools.
Data Protection:
- AWS KMS (Key Management Service) — Create and manage encryption keys; integrates with most AWS services.
- AWS Secrets Manager — Store, rotate, and retrieve database credentials and API keys securely.
- Amazon Macie — Uses ML to discover and protect sensitive data (PII, credit cards) in S3 buckets.
Infrastructure Protection:
- AWS WAF (Web Application Firewall) — Protect web apps from common exploits (SQL injection, XSS). Works with CloudFront, ALB, API Gateway.
- AWS Shield Standard — Free DDoS protection automatically applied to all AWS customers.
- AWS Shield Advanced — Paid DDoS protection with 24/7 DDoS response team (DRT) and cost protection.
- AWS Network Firewall — Managed stateful firewall for VPCs.
Audit & Compliance:
- AWS CloudTrail — Records every API call in your account (who, what, when, where). Essential for security auditing.
- AWS Config — Records resource configuration changes over time; evaluates compliance against rules.
- AWS Artifact — Self-service portal to download AWS compliance reports (SOC, PCI, ISO) and agreements.
- AWS Audit Manager — Automates evidence collection for audits.
Practice Linked Questions
Q1. Which AWS service provides on-demand access to AWS compliance and security reports such as SOC, PCI, and ISO certifications?
Q2. Which AWS service uses machine learning to continuously monitor your AWS account for malicious activity and unauthorized behavior by analyzing CloudTrail logs, VPC Flow Logs, and DNS logs?
Q3. A company wants to protect its web application from SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?
Q4. Which AWS service provides automatic, free DDoS protection that is enabled by default for all AWS customers?
Q5. A security team needs to discover and protect personally identifiable information (PII) stored in Amazon S3 buckets across the organization. Which service should they use?
Q6. Which AWS service records every API call made in your AWS account, capturing who made the call, from where, and when — essential for security auditing and compliance?
Q7. Which TWO AWS services help with ongoing security monitoring and compliance by continuously recording resource configuration history and evaluating resources against defined rules? (Select TWO — more than one answer may be correct)
Q8. What is the difference between Amazon Inspector and Amazon GuardDuty?