Security Services & Compliance
AWS provides a defense-in-depth security model with layered services for threat detection (GuardDuty, Inspector, Security Hub), data protection (KMS, Secrets Manager, Macie), infrastructure protection (WAF, Shield, Network Firewall), and compliance auditing (CloudTrail, Config, Artifact). Knowing what each service does and when to use it is heavily tested on CLF-C02.
1. AWS Security: Defense in Depth
AWS security is layered — multiple independent controls (threat detection, data protection, infrastructure protection, and compliance auditing) protect workloads at every level, so no single control failing exposes the workload.
2. Threat Detection & Monitoring
Amazon GuardDuty
- What it does: Intelligent threat detection using machine learning and anomaly detection
- Data sources analyzed: CloudTrail event logs, VPC Flow Logs, DNS logs, S3 data events
- No agents to install — works entirely from existing AWS log sources
- Detects: Compromised EC2 instances, cryptocurrency mining, credential theft, port scanning, unusual API calls from new locations
- Regional service — must be enabled per region; 30-day free trial
Amazon Inspector
- What it does: Automated vulnerability assessments
- Targets: EC2 instances (software vulnerabilities, unintended network exposure) and container images in ECR
- Generates findings with severity scores based on CVSS (Common Vulnerability Scoring System)
- Automatically rescans when new CVEs are published
AWS Security Hub
- What it does: Central security posture dashboard aggregating findings from multiple services
- Aggregates from: GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party tools
- Checks compliance against standards: CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices
- Single pane of glass for security across your AWS environment
GuardDuty vs Inspector vs Security Hub:
| Service | Detects | How |
|---|---|---|
| GuardDuty | Active threats and anomalous behavior | Analyzes log streams with ML |
| Inspector | Known software vulnerabilities in your resources | Scans EC2 and container images against CVE database |
| Security Hub | Aggregated security findings and compliance gaps | Collects from GuardDuty, Inspector, Macie, and others |
3. Data Protection
AWS KMS (Key Management Service)
- What it does: Create, manage, and control encryption keys used to encrypt AWS data
- Key types: AWS-managed keys (free, auto-managed) or customer-managed keys ($1/key/month, full control)
- Integrates with: S3, EBS, RDS, DynamoDB, Lambda, Secrets Manager, and 100+ other services
- Envelope encryption: Data encrypted with a data key; data key itself encrypted with a KMS key
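The envelope-encryption pattern from the last bullet, as an added example (not AWS or boto3 code): each object gets its own data key, only the data key is wrapped by the KMS key, and the KMS key never leaves the key service. The `StandInKms` class is an offline stand-in whose method names and response fields mirror boto3's `generate_data_key` and `decrypt`; the symmetric cipher is an HMAC-SHA256 counter keystream with an encrypt-then-MAC tag, chosen only so the example runs with the standard library (in production the data cipher would be AES-GCM via the AWS Encryption SDK or a crypto library).

```python
"""Envelope encryption, the pattern KMS uses: each object is encrypted with
its own data key, and only that data key is wrapped by the KMS key, which
never leaves KMS. Added example, not AWS or boto3 code."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    Assumption for offline runnability only; AES-GCM is the real choice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with keys derived from `key`: nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc_key, nonce, ct)


class StandInKms:
    """Offline stand-in for the KMS client (assumption: not real KMS).
    Method names and response fields mirror boto3's generate_data_key and
    decrypt; the master key bytes are never returned to the caller."""

    def __init__(self) -> None:
        self._master: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "stand-in-key-" + os.urandom(4).hex()
        self._master[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        plaintext = os.urandom(32)
        # The wrapped copy carries the key id, as a real KMS ciphertext blob does.
        wrapped = bytes([len(KeyId)]) + KeyId.encode() + seal(self._master[KeyId], plaintext)
        return {"Plaintext": plaintext, "CiphertextBlob": wrapped, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        id_len = CiphertextBlob[0]
        key_id = CiphertextBlob[1:1 + id_len].decode()
        plaintext = open_sealed(self._master[key_id], CiphertextBlob[1 + id_len:])
        return {"Plaintext": plaintext, "KeyId": key_id}


def envelope_encrypt(kms: StandInKms, key_id: str, plaintext: bytes) -> dict:
    """One KMS call per object; the bulk data itself never goes to KMS."""
    data_key = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    ciphertext = seal(data_key["Plaintext"], plaintext)
    # Only the wrapped data key is stored next to the ciphertext; the
    # plaintext data key goes out of scope here.
    return {"wrapped_data_key": data_key["CiphertextBlob"], "ciphertext": ciphertext}


def envelope_decrypt(kms: StandInKms, envelope: dict) -> bytes:
    """Unwrap the data key through KMS, then decrypt locally."""
    data_key = kms.decrypt(CiphertextBlob=envelope["wrapped_data_key"])
    return open_sealed(data_key["Plaintext"], envelope["ciphertext"])


if __name__ == "__main__":
    kms = StandInKms()
    key_id = kms.create_key()
    env = envelope_encrypt(kms, key_id, b"constructed sample record: order 1042")
    print(envelope_decrypt(kms, env))
```

Two properties worth noticing: revoking access to the KMS key (or disabling it) makes every envelope unreadable without touching the stored ciphertext, and a flipped byte anywhere in the ciphertext is rejected by the tag check rather than silently decrypting to garbage.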
AWS Secrets Manager
- What it does: Securely store, rotate, and retrieve secrets (DB credentials, API keys, OAuth tokens)
- Automatic rotation: Natively integrates with RDS, Redshift, DocumentDB to rotate passwords automatically
- Access control: IAM policies and resource policies control who can retrieve each secret
- Costs money — charged per secret per month plus per 10,000 API calls
Amazon Macie
- What it does: Uses ML to discover and protect sensitive data stored in S3
- Detects: PII (names, addresses, SSNs, passport numbers), financial data (credit card numbers), health records
- Generates findings when sensitive data is found in publicly accessible or unprotected buckets
- Helps meet compliance requirements (GDPR, HIPAA, PCI DSS)
AWS Certificate Manager (ACM)
- What it does: Provision, manage, and auto-renew SSL/TLS certificates
- Free for certificates used with AWS services (CloudFront, ALB, API Gateway)
- Eliminates the manual effort of certificate renewal
4. Infrastructure Protection
AWS WAF (Web Application Firewall)
- Protects web applications from common exploits: SQL injection, cross-site scripting (XSS), bad bots
- Attaches to: CloudFront, ALB, API Gateway, AppSync
- Uses Web ACLs with rules (block by IP, geography, rate limiting, AWS managed rule groups)
AWS Shield
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free — automatic for all customers | $3,000/month |
| DDoS protection | Layer 3 and 4 (volumetric, SYN flood) | Layer 3, 4, and 7 (application layer) |
| DDoS Response Team (DRT) | No | 24/7 access to AWS DRT |
| Cost protection | No | Yes — AWS reimburses scaling costs caused by DDoS |
| Best for | All customers automatically | High-risk internet-facing workloads |
AWS Network Firewall
- Managed stateful firewall for VPCs — inspects traffic entering and leaving the VPC
- Deep packet inspection, intrusion prevention system (IPS), domain-based filtering
- Use when you need more than Security Groups and NACLs provide
AWS Firewall Manager
- Centrally manage WAF rules, Shield Advanced, and Network Firewall across multiple AWS accounts in Organizations
- Automatically applies security policies to new accounts joining the organization
5. Audit, Compliance & Governance
AWS CloudTrail
- Records every API call made in your AWS account
- Captures: WHO made the call, WHAT action, WHEN, from WHERE (IP), and the response
- Event History is enabled by default (free, 90 days); create a Trail to store logs long-term in S3
- Essential for: security auditing, incident investigation, compliance, troubleshooting
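To make the "who, what, when, from where, and the response" bullets concrete, here is an added example (not AWS code) that reads a CloudTrail log file of constructed records, reduces each event to those five fields, and runs two small defensive checks an investigator would start with: any use of root credentials, and principals piling up AccessDenied errors. The account id, ARNs and IP addresses are invented for the example.

```python
"""Reading CloudTrail records: who, what, when, from where, outcome, plus
two starter detections. Added example over constructed records; not AWS code."""
import json
from collections import Counter

# Constructed CloudTrail log file (same shape as a delivered file: a top-level
# "Records" array). Every value below is invented for the example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T08:01:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T08:01:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T08:02:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T09:15:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.3.14",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
]})


def load_records(log_text: str) -> list:
    """A delivered CloudTrail file is one JSON object with a Records array."""
    return json.loads(log_text)["Records"]


def summarize(record: dict) -> dict:
    """The five questions CloudTrail answers for a single event."""
    identity = record["userIdentity"]
    return {
        "who": identity.get("arn", identity["type"]),
        "what": f'{record["eventSource"].split(".")[0]}:{record["eventName"]}',
        "when": record["eventTime"],
        "where": record["sourceIPAddress"],
        # errorCode is present only when the call failed.
        "outcome": record.get("errorCode", "Success"),
    }


def root_activity(records: list) -> list:
    """Any root-credential use deserves an alert; root should be locked away."""
    return [summarize(r) for r in records if r["userIdentity"].get("type") == "Root"]


def access_denied_bursts(records: list, threshold: int = 3) -> dict:
    """Principals with at least `threshold` AccessDenied errors: either a
    misconfigured policy or someone probing what they are allowed to do."""
    counts = Counter(r["userIdentity"].get("arn", "?")
                     for r in records if r.get("errorCode") == "AccessDenied")
    return {arn: n for arn, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in recs:
        print(summarize(r))
    print("root activity:", root_activity(recs))
    print("AccessDenied bursts:", access_denied_bursts(recs))
```

Event History covers only the last 90 days, so checks like these need a Trail delivering to S3 (and usually CloudWatch Logs) to run over anything older or to alert in near real time.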
AWS Config
- Tracks resource configuration history — records what your resources look like over time
- Evaluates resources against compliance rules (e.g., "are all EBS volumes encrypted?")
- Provides a configuration timeline showing every configuration change to a resource
- Can send alerts via SNS when non-compliant resources are found
CloudTrail vs Config:
| Service | Tracks | Answers |
|---|---|---|
| CloudTrail | API calls and user actions | Who changed this? When? From where? |
| Config | Resource configuration state | What does this resource look like now vs before? |
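The two Config capabilities listed above, rule evaluation ("are all EBS volumes encrypted?") and the configuration timeline ("now vs before"), as an added example over constructed configuration items (not AWS code). The evaluation dict mirrors the fields a custom rule hands back to Config through `put_evaluations`, but nothing here calls AWS; the resource ids and timestamps are invented.

```python
"""Config rule evaluation and configuration-timeline diff. Added example over
constructed configuration items; not AWS code and no AWS calls are made."""

# Constructed configuration items: one EBS volume captured twice (before and
# after it was resized and attached), one encrypted volume, and a non-volume
# resource to show the NOT_APPLICABLE path. Ids are invented.
TIMELINE = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa111",
     "configurationItemCaptureTime": "2024-05-01T07:00:00Z",
     "configuration": {"encrypted": False, "size": 8, "volumeType": "gp3",
                       "attachments": []}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa111",
     "configurationItemCaptureTime": "2024-05-01T09:30:00Z",
     "configuration": {"encrypted": False, "size": 20, "volumeType": "gp3",
                       "attachments": [{"instanceId": "i-0bbb222", "device": "/dev/xvdf"}]}},
]
ENCRYPTED_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0ccc333",
    "configurationItemCaptureTime": "2024-05-01T09:30:00Z",
    "configuration": {"encrypted": True, "size": 100, "volumeType": "gp3",
                      "attachments": []},
}
BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket-name",
    "configurationItemCaptureTime": "2024-05-01T09:30:00Z",
    "configuration": {"name": "example-bucket-name"},
}


def evaluate_ebs_encrypted(item: dict) -> dict:
    """Custom-rule logic for "are all EBS volumes encrypted?". The returned
    fields are the ones a rule reports back to Config for each resource."""
    if item["resourceType"] != "AWS::EC2::Volume":
        compliance, note = "NOT_APPLICABLE", "rule only covers EBS volumes"
    elif item["configuration"].get("encrypted"):
        compliance, note = "COMPLIANT", "volume is encrypted"
    else:
        # Encryption cannot be switched on for an existing volume; remediation
        # is snapshot, copy with encryption, re-create and swap.
        compliance, note = "NON_COMPLIANT", "volume is not encrypted"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def diff_configurations(older: dict, newer: dict) -> dict:
    """The timeline question 'what does it look like now vs before': top-level
    configuration fields that differ, as {field: (before, after)}."""
    before, after = older["configuration"], newer["configuration"]
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def non_compliant_ids(items: list) -> list:
    """The list an SNS alert would carry: resources failing the rule."""
    return [e["ComplianceResourceId"] for e in map(evaluate_ebs_encrypted, items)
            if e["ComplianceType"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for item in [TIMELINE[1], ENCRYPTED_VOLUME, BUCKET]:
        print(evaluate_ebs_encrypted(item))
    print("changed:", diff_configurations(TIMELINE[0], TIMELINE[1]))
    print("non-compliant:", non_compliant_ids([TIMELINE[1], ENCRYPTED_VOLUME, BUCKET]))
```

The diff is what separates Config from CloudTrail: CloudTrail would record the ModifyVolume and AttachVolume calls and who made them, while Config shows the resulting state at each capture, so the two are usually read together during an investigation.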
AWS Artifact
- Self-service portal to download AWS compliance reports and legal agreements
- Reports available: SOC 1, SOC 2, SOC 3, PCI DSS, ISO 27001, FedRAMP, HIPAA eligibility letters
- Agreements: Business Associate Addendum (BAA) for HIPAA, GDPR Data Processing Addendum (DPA)
- Free service — create an account and download reports or sign agreements instantly
AWS Audit Manager
- Automates evidence collection for audit frameworks (PCI DSS, HIPAA, GDPR, CIS, SOC 2)
- Continuously gathers evidence from AWS services without manual screenshots or exports
- Generates audit-ready assessment reports
6. Additional Security Services
| Service | Purpose |
|---|---|
| Amazon Cognito | User sign-up, sign-in, and access control for web and mobile apps |
| AWS Directory Service | Managed Microsoft Active Directory in AWS |
| IAM Access Analyzer | Identifies resources (S3 buckets, IAM roles) shared outside your account |
| AWS Firewall Manager | Centrally manage WAF, Shield, Network Firewall across accounts |
| Amazon Detective | Investigate security findings using ML and graph analysis |
7. CLF-C02 Quick Reference
| Service | One-Line Purpose |
|---|---|
| GuardDuty | ML threat detection analyzing CloudTrail, VPC Flow Logs, DNS — no agents |
| Inspector | Vulnerability scanning for EC2 instances and container images |
| Security Hub | Central dashboard aggregating security findings across services |
| Macie | ML-based PII and sensitive data discovery in S3 |
| KMS | Encryption key creation and management; integrates with most AWS services |
| Secrets Manager | Secure storage and automatic rotation of credentials and API keys |
| ACM | Free SSL/TLS certificate provisioning and auto-renewal |
| WAF | Block web exploits (SQL injection, XSS); attaches to CloudFront, ALB, API Gateway |
| Shield Standard | Free automatic DDoS protection for all customers |
| Shield Advanced | Paid DDoS protection with 24/7 DRT support and cost protection |
| Network Firewall | Managed stateful VPC firewall with deep packet inspection |
| CloudTrail | API call logging — who did what, when, and from where |
| Config | Resource configuration history and compliance rule evaluation |
| Artifact | Download AWS compliance reports (SOC, PCI, ISO) and sign agreements |
| Audit Manager | Automate evidence collection for compliance audits |
Practice Questions
Q1. Which AWS service provides on-demand access to AWS compliance and security reports such as SOC, PCI, and ISO certifications?
Q2. Which AWS service uses machine learning to continuously monitor your AWS account for malicious activity and unauthorized behavior by analyzing CloudTrail logs, VPC Flow Logs, and DNS logs?
Q3. A company wants to protect its web application from SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?
Q4. Which AWS service provides automatic, free DDoS protection that is enabled by default for all AWS customers?
Q5. A security team needs to discover and protect personally identifiable information (PII) stored in Amazon S3 buckets across the organization. Which service should they use?
Q6. Which AWS service records every API call made in your AWS account, capturing who made the call, from where, and when — essential for security auditing and compliance?
Q7. Which TWO AWS services help with ongoing security monitoring and compliance by continuously recording resource configuration history and evaluating resources against defined rules? (Select TWO — more than one answer may be correct)
Q8. What is the difference between Amazon Inspector and Amazon GuardDuty?