Just studying with Claude here and got a little too excited about a cheat sheet...
No corporate speak. No filler. Just what these things do and when to reach for them.
🎥 AWS Config — The Security Camera That Never Blinks
Imagine a security camera pointed at your AWS resources, taking a snapshot every time something changes. That's Config.
Your S3 bucket was private Monday, public Tuesday — Config caught both states, logged the diff, and knows exactly who did it. You can add rules like "S3 buckets must never be public." Break the rule, get flagged as non-compliant.
This is called drift detection — your resource wandered away from desired state, and Config is the auditor that noticed.
Config doesn't prevent changes (that's IAM and SCPs). It records and evaluates them.
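To make the "security camera" concrete, here is a small Python model of what Config does for one bucket: keep a history of snapshots, diff consecutive snapshots (that's the drift), and evaluate a rule against each one. This is an added example, not AWS code or anything from the original post; the two snapshots are constructed, shaped like the `configurationItem` a custom Config rule receives, and `lambda_handler` shows the shape of such a rule without calling AWS (a real rule would hand its result to `put_evaluations`).

```python
"""Toy model of AWS Config: snapshot history, drift diff, rule evaluation.
Added example; the configuration items below are constructed."""
import json
from typing import Any

# Constructed items. Field names follow the configurationItem a custom Config
# rule is given for AWS::S3::Bucket; the values are made up for this example.
MONDAY = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-bucket",
    "configurationItemCaptureTime": "2024-01-01T09:00:00Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {
            "blockPublicAcls": True,
            "ignorePublicAcls": True,
            "blockPublicPolicy": True,
            "restrictPublicBuckets": True,
        }
    },
}
TUESDAY = json.loads(json.dumps(MONDAY))  # deep copy, then someone "opens" the bucket
TUESDAY["configurationItemCaptureTime"] = "2024-01-02T14:30:00Z"
TUESDAY["supplementaryConfiguration"]["PublicAccessBlockConfiguration"].update(
    {"blockPublicPolicy": False, "restrictPublicBuckets": False}
)

IGNORED_KEYS = {"configurationItemCaptureTime"}  # a new timestamp is not drift


def _flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Nested dicts -> {'a.b.c': value}, so two snapshots compare key by key."""
    if isinstance(obj, dict):
        out: dict[str, Any] = {}
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): obj}


def diff_items(old: dict, new: dict) -> dict[str, tuple[Any, Any]]:
    """Drift detection: which keys changed between two snapshots, and from what to what."""
    a, b = _flatten(old), _flatten(new)
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if key not in IGNORED_KEYS and a.get(key) != b.get(key)
    }


def evaluate_public_access(item: dict) -> str:
    """Rule 'S3 buckets must never be public': all four block-public-access flags on.
    Returns one of Config's ComplianceType values."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    block = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration")
    if block is None:
        return "NON_COMPLIANT"  # no block configuration at all: treat as exposed
    flags = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")
    return "COMPLIANT" if all(block.get(f) is True for f in flags) else "NON_COMPLIANT"


def record_history(snapshots: list[dict]) -> list[dict]:
    """Config's timeline view: per snapshot, the diff from the previous one and the verdict."""
    history, previous = [], None
    for item in snapshots:
        history.append({
            "capturedAt": item["configurationItemCaptureTime"],
            "drift": diff_items(previous, item) if previous else {},
            "compliance": evaluate_public_access(item),
        })
        previous = item
    return history


def make_event(item: dict) -> dict:
    """Constructed stand-in for the event Config sends a custom rule on a change."""
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": "EXAMPLE-TOKEN",
    }


def lambda_handler(event: dict, context: Any = None) -> dict:
    """Shape of a custom Config rule: parse the changed item, return one evaluation
    (a real rule passes this to config.put_evaluations with event['resultToken'])."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_public_access(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


if __name__ == "__main__":
    for entry in record_history([MONDAY, TUESDAY]):
        print(json.dumps(entry, indent=2))
```

Run it and the Tuesday entry shows exactly two drifted keys (the two flags that were switched off) next to a `NON_COMPLIANT` verdict, which is the "break the rule, get flagged" moment. Note what the model does not do: nothing here blocks the change, just as Config itself doesn't.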
| 🎯 Exam trigger words |
|---|
| "audit resource changes over time" · "compliance rules" · "who changed this resource" · "configuration history" → Config |

| ⚠️ Common exam trap |
|---|
| Config tracks configuration drift and compliance history. It is NOT a real-time threat detection service. |

Config + Patch Manager
Patch Manager performs the patching.
Config tracks patch compliance history and evaluates compliance rules over time.

| 🎯 Exam trigger words |
|---|
| "track patch compliance history" · "compliance status over time" → AWS Config |
🛡️ Shield + WAF — Three Guards, Three Completely Different Jobs
Shield Standard
The free bouncer at the door. Stops the most common brute-force network floods (L3/L4). Always on, you do nothing, costs nothing.
Shield Advanced
The paid security team with specialists. Handles sophisticated DDoS including application-layer attacks — think HTTP floods that look like real traffic. You also get:
- A dedicated DDoS Response Team you can actually call
- Cost protection if an attack causes runaway scaling costs
- Real-time attack visibility

Commonly associated protected resources:
EC2, ELB, CloudFront, Route 53, Global Accelerator
API Gateway, Lambda, Elastic Beanstalk? Not covered.

| 🧠 Mnemonic — Shield Advanced's 5 protected resources |
|---|
| Every Elastic Cloud Runs Globally |
| EC2 · ELB · CloudFront · Route 53 · Global Accelerator |

| ⚠️ Common exam trap |
|---|
| Shield Advanced protects specific supported AWS services — not every AWS service automatically. |
WAF — A Completely Different Animal
WAF doesn't care about flood volume. It reads the content of HTTP/HTTPS requests and blocks based on rules you write:
- Specific IPs or IP ranges
- SQL injection patterns
- Requests from specific countries
- AWS Managed Rules (pre-built OWASP Top 10, bot protection, etc.)

Attaches to: CloudFront, ALB, API Gateway, AppSync — not EC2 directly.
WAF only works for HTTP/HTTPS traffic.
🧠 WAF vs NACLs vs Security Groups
All three block traffic — but at completely different layers of the stack.

| | WAF | NACLs | Security Groups |
|---|---|---|---|
| Primary job | Filter malicious web requests | Protect subnet boundaries | Protect individual resources |
| OSI layer | L7 (HTTP/HTTPS) | L3/L4 (IP, port) | L3/L4 (IP, port) |
| Understands | URLs, headers, cookies, request body | IPs, protocols, ports | IPs, protocols, ports |
| Attached to | CloudFront, ALB, API Gateway | VPC subnets | ENI-based resources (EC2, RDS, ECS, Lambda-in-VPC, etc.) |
| Traffic model | Web requests only | Broad subnet filtering | Per-resource firewall |
| Rules | Allow/block by request content | Allow AND deny | Allow only |
| Stateful? | — | ❌ Stateless | ✅ Stateful |
| Valid source/destination values | IPs, CIDRs | IPs, CIDRs | CIDRs, Security Group IDs, Prefix Lists |
| Supports deny rules? | ✅ | ✅ | ❌ |

| ⚠️ Common exam trap |
|---|
| Security Groups and NACLs do NOT inspect HTTP request contents. Only WAF operates at Layer 7 and understands web requests. |

| 💡 Mental model |
|---|
| WAF inspects what is inside the HTTP request. NACLs guard the subnet boundary. Security Groups act like stateful firewalls protecting individual AWS resources inside the VPC. |

The mental model:
- NACLs guard the neighborhood entrance.
- Security Groups guard your front door.
- WAF reads the letter someone is trying to hand you.

| ⚠️ Common Security Group exam trap |
|---|
| Inbound rules specify a source. Outbound rules specify a destination. Security Groups do not support hostnames or instance IDs in rules. |
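The WAF section and the table above are easier to remember once you see the three layers as code: a NACL that only ever sees addresses and ports and needs an explicit rule for reply traffic, a security group that can reference another group and has no deny rules but tracks connections, and a WAF that is the only one able to read the request. This is an added toy model for this post, not AWS code; the subnets, group ids (`sg-alb`, `sg-web`), rules and sample requests are all constructed, and the layer order in `evaluate` is simplified.

```python
"""Toy model of NACL (stateless, allow/deny), security group (allow-only,
stateful, SG-id sources) and WAF (reads the request). Added example; all
addresses, rules and requests are constructed."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """All a NACL or security group ever sees: addresses, protocol, ports."""
    src_ip: str
    dst_ip: str
    protocol: str  # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass
class HttpRequest:
    """What WAF additionally sees once the packets become an HTTP request."""
    packet: Packet
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


def _in_cidr(cidr: str, ip: str) -> bool:
    return ip_address(ip) in ip_network(cidr)


# --- NACL: numbered rules, lowest first, allow OR deny, stateless -------------
# (rule number, action, cidr, protocol, port or (low, high)); "-1"/None = any
NACL_INBOUND = [
    (90, "deny", "198.51.100.0/24", "-1", None),  # constructed blocked range
    (100, "allow", "0.0.0.0/0", "tcp", 443),
    (32767, "deny", "0.0.0.0/0", "-1", None),  # the implicit final deny
]
NACL_OUTBOUND = [
    (100, "allow", "0.0.0.0/0", "tcp", (1024, 65535)),  # replies need their own rule
    (32767, "deny", "0.0.0.0/0", "-1", None),
]


def nacl_allows(rules, pkt: Packet, direction: str = "inbound") -> bool:
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip  # inbound: source, outbound: destination
    for _, action, cidr, proto, port in sorted(rules):
        if not _in_cidr(cidr, peer) or (proto != "-1" and proto != pkt.protocol):
            continue
        if port is not None:
            low, high = port if isinstance(port, tuple) else (port, port)
            if not low <= pkt.dst_port <= high:
                continue
        return action == "allow"  # first match wins
    return False


# --- Security group: allow-only, stateful, source may be a CIDR or an SG id ----
SG_MEMBERS = {"sg-alb": {"10.0.0.5"}, "sg-web": {"10.0.1.10"}}  # constructed ENI -> SG membership


class SecurityGroup:
    def __init__(self, inbound):  # list of (source, protocol, port); there are no deny rules
        self.inbound = inbound
        self.flows: set[tuple[str, str, int]] = set()  # connection tracking (client, server, port)

    def allows_inbound(self, pkt: Packet) -> bool:
        for source, proto, port in self.inbound:
            if source.startswith("sg-"):
                src_ok = pkt.src_ip in SG_MEMBERS.get(source, set())
            else:
                src_ok = _in_cidr(source, pkt.src_ip)
            if src_ok and proto == pkt.protocol and port == pkt.dst_port:
                self.flows.add((pkt.src_ip, pkt.dst_ip, pkt.dst_port))
                return True
        return False  # unmatched traffic is simply dropped

    def allows_reply(self, pkt: Packet) -> bool:
        """Stateful: a reply on a tracked connection needs no outbound rule at all."""
        return (pkt.dst_ip, pkt.src_ip, pkt.src_port) in self.flows


# --- WAF: reads the request itself ---------------------------------------------
SQLI_PATTERN = re.compile(r"'\s*(or|and)\s+\S+?\s*=\s*\S+", re.IGNORECASE)
BLOCKED_COUNTRIES = {"XX"}  # constructed; a real geo-match rule uses the source IP's geolocation


def waf_inspect(req: HttpRequest) -> tuple[bool, str]:
    """(allowed, reason). Real rules also URL-decode/normalise the fields first."""
    if req.headers.get("CloudFront-Viewer-Country") in BLOCKED_COUNTRIES:
        return False, "geo match"
    if SQLI_PATTERN.search(req.path) or SQLI_PATTERN.search(req.body):
        return False, "SQL injection pattern"
    if not req.headers.get("User-Agent"):
        return False, "missing User-Agent"
    return True, "ok"


def evaluate(req: HttpRequest, sg: SecurityGroup) -> str:
    """Walk one request through the layers (order simplified) and say who stopped it."""
    if not nacl_allows(NACL_INBOUND, req.packet):
        return "blocked by NACL"
    if not sg.allows_inbound(req.packet):
        return "blocked by security group"
    allowed, reason = waf_inspect(req)
    return "allowed" if allowed else f"blocked by WAF: {reason}"


SG_ALB = SecurityGroup([("0.0.0.0/0", "tcp", 443)])  # internet-facing tier
SG_WEB = SecurityGroup([("sg-alb", "tcp", 443)])  # reachable only from the ALB's group
```

The instructive case is the request whose query string carries an injection pattern: both the NACL and the security group wave it through (to them it is just TCP/443 from an allowed address), and only `waf_inspect` stops it. The second point is the reply packet: `SG_WEB.allows_reply` says yes with no outbound rule configured, while `nacl_allows(NACL_OUTBOUND[1:], reply, "outbound")` shows what happens to a stateless NACL once the ephemeral-port rule is missing.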
Security Services — Complete Picture

| Service | One job | Analogy |
|---|---|---|
| Shield Standard | Free DDoS protection against common L3/L4 floods | The free bouncer at the door |
| Shield Advanced | Paid DDoS protection including L7, with response team | The paid security team with specialists |
| WAF | Reads HTTP content and blocks bad web requests | Reads the letter before letting it through |
| GuardDuty | ML-powered threat detection — watches logs, finds suspicious behavior | The burglar alarm |
| Inspector | Scans EC2/containers for known CVE vulnerabilities | The building safety inspector |
| Detective | Investigates security alerts, finds root cause | The detective called in after the alarm fires |
| Macie | Finds sensitive data (PII, credentials) hiding in S3 | The auditor who finds what shouldn't be there |
| Security Hub | Aggregates findings from AWS security services into one dashboard | The security operations dashboard |

The sequence: GuardDuty finds it → Detective investigates it → Inspector prevents it → Macie finds the data exposure

| ⚠️ Common security distinction |
|---|
| Config answers "What changed?" GuardDuty answers "Is something malicious happening?" |

| 🧠 GuardDuty vs Inspector — the most common mix-up |
|---|
| GuardDuty watches behavior — someone is doing something suspicious. Reactive/detective. |
| Inspector scans compute workloads (EC2, containers, Lambda) for known vulnerabilities and exposure risks. Proactive/preventive. |
| Macie trigger: any question mentioning "PII" or "sensitive data in S3" → it's Macie, every time. |

GuardDuty finds it. Detective investigates it. Inspector prevents it.

| ⚠️ Common exam trap |
|---|
| GuardDuty detects suspicious behavior. Inspector scans for known vulnerabilities and CVEs. |
Amazon Detective vs GuardDuty

| | GuardDuty | Detective |
|---|---|---|
| Job | Detect threats | Investigate threats |
| When it runs | Continuously | After an alert |
| Output | Alerts and findings | Root cause analysis |
| Trigger word | "detect" "monitor" "suspicious activity" | "investigate" "root cause" "analyze findings" |

GuardDuty DETECTS it
↓
Detective INVESTIGATES it
↓
Security Hub AGGREGATES it
↓
Inspector PREVENTED it (if you'd listened earlier)
↓
Macie found the exposed data that caused it
Monitoring & Observability Services
CloudTrail vs Config vs CloudWatch vs X-Ray

| Service | Answers | Trigger words |
|---|---|---|
| CloudTrail | WHO did WHAT and WHEN — AWS API/account activity history | "audit" "API calls" "account activity" "who changed" |
| Config | WHAT changed — resource configuration history | "compliance" "drift" "configuration history" "resource changed" |
| CloudWatch | HOW systems are performing — metrics, logs, alarms, dashboards | "metrics" "alarms" "logs" "monitoring" "performance" |
| X-Ray | WHY is it slow/broken — end-to-end request tracing | "trace" "distributed app" "microservices" "debug" "root cause of latency" |
⚖️ CloudTrail vs Config — The Most Common Audit Mix-up

| Service | Primary job |
|---|---|
| CloudTrail | Logs API calls and account activity |
| Config | Tracks resource configuration state over time |

| 💡 Mental model |
|---|
| CloudTrail answers: "Who did something?" |
| Config answers: "What changed?" |

| ⚠️ Common audit trap |
|---|
| CloudTrail logs API activity ("who did it"). Config tracks resource state/configuration over time ("what changed"). |
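Here is the "who did it" half in code, as an added example for this post (not AWS code): three CloudTrail-shaped records, one read and two writes, and the two functions that turn them into the exam answer. The records are constructed to use CloudTrail's real field names (`eventTime`, `eventName`, `userIdentity`, `readOnly`, `requestParameters`); the account id, principals, bucket names and IPs are made up. Config would hold the before/after state of the same bucket; CloudTrail is what names the principal.

```python
"""WHO did WHAT and WHEN to one S3 bucket, from CloudTrail-shaped records.
Added example; the records below are constructed."""
from datetime import datetime

# Constructed records; real ones arrive as JSON objects in the trail's log files.
RECORDS = [
    {
        "eventTime": "2024-01-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketPolicy", "readOnly": True,
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "example-bucket"},
        "sourceIPAddress": "203.0.113.10",
    },
    {
        "eventTime": "2024-01-02T14:30:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPublicAccessBlock", "readOnly": False,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner-42",
            "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}},
        },
        "requestParameters": {"bucketName": "example-bucket",
                              "PublicAccessBlockConfiguration": {"BlockPublicPolicy": False}},
        "sourceIPAddress": "198.51.100.23",
    },
    {
        "eventTime": "2024-01-02T15:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy", "readOnly": False,
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "requestParameters": {"bucketName": "other-bucket"},
        "sourceIPAddress": "203.0.113.10",
    },
]


def actor(identity: dict) -> str:
    """Collapse the userIdentity block into one readable principal.
    For an assumed role the session name (last ARN segment) is what identifies the caller."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return f"user/{identity['userName']}"
    if kind == "AssumedRole":
        role = identity["sessionContext"]["sessionIssuer"]["userName"]
        session = identity["arn"].rsplit("/", 1)[-1]
        return f"role/{role} (session {session})"
    if kind == "Root":
        return "root"
    return identity.get("arn", "unknown")


def touched_bucket(record: dict, bucket: str) -> bool:
    params = record.get("requestParameters") or {}
    return record["eventSource"] == "s3.amazonaws.com" and params.get("bucketName") == bucket


def audit_trail(records, bucket: str, include_reads: bool = False):
    """(when, who, what, from where) for one bucket, oldest first; writes only by default."""
    hits = [r for r in records
            if touched_bucket(r, bucket) and (include_reads or not r.get("readOnly", False))]
    hits.sort(key=lambda r: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    return [(r["eventTime"], actor(r["userIdentity"]), r["eventName"], r["sourceIPAddress"])
            for r in hits]


def who_changed(records, bucket: str):
    """The exam's 'who changed this resource': the principal behind the latest write."""
    trail = audit_trail(records, bucket)
    return trail[-1][1] if trail else None


if __name__ == "__main__":
    for row in audit_trail(RECORDS, "example-bucket", include_reads=True):
        print(*row)
    print("last writer:", who_changed(RECORDS, "example-bucket"))
```

Filtering on `readOnly` is the detail worth keeping: a trail is mostly reads, and "who changed this" is a question about writes. The `actor` helper is also where most real investigations start, because the interesting writes usually come from an assumed role, not a named user.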
Load Balancer Types

| Load Balancer | Layer | Use When |
|---|---|---|
| ALB | L7 (HTTP/HTTPS) | Path-based routing, host-based routing, WebSockets, microservices, Lambda targets |
| NLB | L4 (TCP/UDP/TLS) | Extreme performance, millions of requests/sec |
| Gateway LB | L3/L4 | Virtual appliances (firewalls, inspection tools) |

Exam trigger: "path-based routing" + "host-based routing" + "WebSockets" → ALB every time

🧠 ELB vs Auto Scaling — Different Jobs Entirely

| Service | Main job |
|---|---|
| Elastic Load Balancer (ELB) | Distributes traffic across targets |
| EC2 Auto Scaling | Adds/removes EC2 instances based on demand |

| ⚠️ Common troubleshooting clue |
|---|
| If instances behind an ELB are not receiving traffic, first check the ELB Health Checks. Unhealthy targets receive no traffic. |

| 💡 Mental model |
|---|
| ELB spreads traffic across servers. Auto Scaling changes how many servers exist. |
Messaging & Event Services

| Service | Job | Trigger Words |
|---|---|---|
| EventBridge | Event bus, routes events between AWS services and SaaS apps | "event-driven" "decouple" "react to events in real-time" "serverless event bus" |
| SQS | Message queue, async decoupling between services | "queue" "decouple microservices" "async" |
| SNS | Pub/sub, fan-out notifications | "notify" "publish/subscribe" "SMS" "fan-out" |
| Kinesis | Real-time streaming data processing | "streaming" "real-time analytics" "IoT data" "clickstreams" |
| Step Functions | Serverless workflow orchestration between AWS services | "workflow" "orchestrate" "state machine" "coordinate multiple services" |

Trick: "not Kafka" → EventBridge
All AWS Gateways — Organized by Job
"Connect my VPC to the internet"

| Gateway | Does what | Key detail |
|---|---|---|
| Internet Gateway | Gives your VPC a door to the public internet | Attach to VPC → resources in public subnets can now send AND receive internet traffic |
| NAT Gateway | Lets private subnet resources reach internet without being reachable back | Lives in public subnet → private resources call out through it, internet cannot call in |

Memory: Internet Gateway = two-way door. NAT Gateway = one-way cat flap.
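The door-versus-cat-flap difference is really a difference in translation tables, and a short model shows why "internet cannot call in" holds. This is an added example for this post, not AWS code: the VPC layout, route tables, gateway ids (`igw-EXAMPLE`, `nat-EXAMPLE`) and IP addresses are all constructed. The Internet Gateway keeps a 1:1 map between a public IP and an instance, so traffic flows both ways; the NAT Gateway only creates a mapping when a private host sends something out, so an unsolicited inbound packet has nothing to match and is dropped.

```python
"""Toy model of Internet Gateway (two-way door) vs NAT Gateway (one-way flap).
Added example; VPC layout, gateway ids and addresses are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


PUBLIC_SUBNET = ip_network("10.0.0.0/24")
PRIVATE_SUBNET = ip_network("10.0.1.0/24")
ROUTE_TABLES = {  # subnet -> routes; like VPC route tables, the most specific prefix wins
    PUBLIC_SUBNET: [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    PRIVATE_SUBNET: [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
}


def next_hop(subnet, dst_ip: str) -> str:
    """Longest-prefix match over the subnet's route table."""
    best = None
    for cidr, target in ROUTE_TABLES[subnet]:
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "drop"


class InternetGateway:
    """Two-way door: a 1:1 map between an instance's public (elastic) IP and its private IP."""
    def __init__(self, public_to_private: dict[str, str]):
        self.to_private = public_to_private
        self.to_public = {v: k for k, v in public_to_private.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip not in self.to_public:
            return None  # no public IP: this host cannot use the IGW at all
        return replace(pkt, src_ip=self.to_public[pkt.src_ip])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Unsolicited inbound is fine: the mapping exists regardless of who spoke first
        # (whether it is then accepted is the security group's job).
        if pkt.dst_ip not in self.to_private:
            return None
        return replace(pkt, dst_ip=self.to_private[pkt.dst_ip])


class NatGateway:
    """One-way flap: many private hosts share one public IP, and only replies to flows
    the NAT itself opened are translated back in."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 1024
        self.table: dict[int, tuple[str, int, str]] = {}  # public port -> (private ip, private port, remote ip)

    def outbound(self, pkt: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None or entry[2] != pkt.src_ip:
            return None  # no matching outbound flow: the internet cannot call in
        private_ip, private_port, _ = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


IGW = InternetGateway({"203.0.113.50": "10.0.0.7"})  # constructed elastic IP of a public-subnet host
NAT = NatGateway("203.0.113.60")  # constructed NAT public IP


def egress(pkt: Packet) -> tuple[str, Optional[Packet]]:
    """Route a packet leaving a VPC host and translate it at whichever gateway the route picks."""
    subnet = next((s for s in ROUTE_TABLES if ip_address(pkt.src_ip) in s), None)
    if subnet is None:
        return "drop", None
    hop = next_hop(subnet, pkt.dst_ip)
    if hop == "local":
        return hop, pkt
    if hop.startswith("igw-"):
        return hop, IGW.outbound(pkt)
    if hop.startswith("nat-"):
        return hop, NAT.outbound(pkt)
    return hop, None
```

Send a packet from the private host, keep the translated source port, and `NAT.inbound` will map the reply back; send anything to the NAT's public IP that does not match a recorded flow (wrong port, or right port from the wrong peer) and it returns `None`. The public host behind the IGW answers to unsolicited traffic without any prior flow, which is exactly why a public subnet needs its security groups and a private subnet gets "no access inbound" for free.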
"Connect my on-premises network to AWS"
| Gateway |
Does what |
Key detail |
| Virtual Private Gateway |
AWS end of a VPN tunnel |
Attaches to your VPC โ pairs with Customer Gateway on your side |
| Customer Gateway |
AWS's record of YOUR on-premises VPN device |
Not really an AWS device โ it's AWS representing your router |
| Direct Connect Gateway |
AWS end of a dedicated private physical line |
No internet involved โ physical cable from your data center to AWS |
Memory: VPN = secure tunnel over public internet (fast to set up, cheaper).
Direct Connect = your own private highway to AWS (weeks to set up, expensive, reliable).
They always need TWO endpoints โ one on each side.
"Connect multiple VPCs or networks together"
| Gateway |
Does what |
Key detail |
| Transit Gateway |
Central hub connecting many VPCs and on-premises networks |
One connection per network instead of mesh of connections between every pair |
| VPC Peering |
Direct connection between exactly two VPCs |
Simpler than Transit Gateway but doesn't scale โ need separate peering for every pair |
Memory: Two VPCs talking = Peering. Many VPCs talking = Transit Gateway.
| โ ๏ธ Common exam trap |
| VPC Peering does not scale well because every VPC pair needs its own connection. Transit Gateway acts as a centralized hub. |
"Completely different kind of gateway"
| Gateway |
Does what |
Key detail |
| API Gateway |
Create, publish, secure and manage APIs |
Layer 7 โ reads HTTP content, handles auth, throttling, versioning |
| Storage Gateway |
Makes AWS storage look like local storage to on-premises systems |
Virtual appliance in your data center โ your servers think they're writing locally |
Memory: API Gateway = manages your APIs. Storage Gateway = makes cloud storage feel local.
| โ ๏ธ Common exam trap |
| API Gateway exposes APIs to clients. AWS SDKs provide authenticated programmatic access TO AWS services from application code. |
VPN Connection โ How the pieces fit together
Memory trick: If it has "VPN" or "on-premises" in the question โ Virtual Private Gateway + Customer Gateway pair
Memory trick: NAT = No Access inbound, Traffic outbound only
Hybrid / Edge Infrastructure Services

| Service | Main Use |
|---|---|
| AWS Outposts | AWS-managed infrastructure on-premises |
| AWS Local Zones | Low-latency AWS infrastructure near major metro areas |
| AWS Wavelength | AWS compute inside telecom carrier 5G networks |

| 🎯 Exam trigger words |
|---|
| "same AWS APIs on-prem" → Outposts |
| "low-latency compute near city users" → Local Zones |
| "ultra-low-latency mobile / 5G apps" → Wavelength |

AWS Service Scope: Global vs Regional vs Zonal

| Scope | Examples |
|---|---|
| Global | IAM, Route 53, CloudFront, WAF, STS |
| Regional | S3, RDS, EFS, Lambda, SQS, SNS, AWS Batch |
| Zonal | EC2 instances, EBS volumes |

The trick: EC2 feels regional but it's zonal — it lives in one AZ. EBS snapshots, however, are regional.
Route 53 can perform DNS failover routing to healthy endpoints using health checks.
CloudFront Edge Locations are globally distributed caching endpoints — not Regions or AZs.
That's the whole picture. Bookmark it, share it, argue with it in the comments.