A comprehensive guide where Maya (Security Expert) helps Alex (Software Engineer) navigate the AWS security landscape
Table of Contents
- Introduction: The Security Conversation Begins
- The Big Picture: Security Layers in AWS
- Identity & Access Management (IAM)
-
Network Security Services
- AWS WAF & Shield
- VPC Security Groups & NACLs
-
Threat Detection & Monitoring
- Amazon GuardDuty
- AWS Security Hub
- Amazon Detective
-
Compliance & Configuration
- AWS Config
- AWS CloudTrail
-
Data Protection Services
- AWS KMS
- AWS Secrets Manager
- Amazon Macie
-
Application Security
- Amazon Inspector
- Amazon Cognito
- How They All Work Together
- Service Summary Reference
AWS Security Services by OSI Layer
| OSI Layer | Layer Name | AWS Security Services | Primary Function |
|---|---|---|---|
| Layer 7 | Application | β’ AWS WAF β’ AWS Shield Advanced β’ Amazon CloudFront β’ API Gateway β’ Amazon Cognito β’ Amazon Macie β’ AWS GuardDuty |
β’ Web application firewall β’ DDoS protection (application layer) β’ Content filtering β’ API authentication/authorization β’ Identity management β’ Data discovery and protection β’ Threat detection |
| Layer 6 | Presentation | β’ AWS Certificate Manager (ACM) β’ AWS KMS β’ AWS CloudHSM |
β’ SSL/TLS certificate management β’ Encryption key management β’ Hardware security module β’ Data encryption/decryption |
| Layer 5 | Session | β’ AWS IAM β’ AWS STS β’ AWS Secrets Manager β’ Amazon Cognito |
β’ Session management β’ Temporary credentials β’ Secret rotation β’ User session handling |
| Layer 4 | Transport | β’ Network Load Balancer (NLB) β’ AWS Shield Standard β’ AWS Network Firewall β’ Security Groups (stateful) |
β’ TCP/UDP traffic filtering β’ DDoS protection (transport layer) β’ Port-based filtering β’ Connection tracking |
| Layer 3 | Network | β’ Security Groups β’ Network ACLs (NACLs) β’ AWS Network Firewall β’ Route 53 Resolver DNS Firewall β’ AWS Transit Gateway β’ VPC Flow Logs |
β’ IP packet filtering β’ Subnet-level security β’ Routing control β’ DNS filtering β’ Network segmentation β’ Traffic monitoring |
| Layer 2 | Data Link | β’ AWS PrivateLink β’ VPC Peering β’ Elastic Network Interface (ENI) |
β’ Private connectivity β’ MAC-level isolation β’ Virtual network interfaces |
| Layer 1 | Physical | β’ AWS Direct Connect (with MACsec) β’ AWS Managed Infrastructure |
β’ Physical link encryption β’ Dedicated network connections β’ Physical security (AWS responsibility) |
Additional Cross-Layer Security Services
| Service | Description |
|---|---|
| AWS Security Hub | Centralized security findings across all layers |
| Amazon Inspector | Vulnerability scanning (Layers 3-7) |
| AWS Config | Configuration compliance across all layers |
| AWS CloudTrail | API activity logging across all services |
| Amazon Detective | Security investigation across multiple layers |
Note: Many AWS services operate across multiple OSI layers. This table categorizes them by their primary security function.
Introduction: The Security Conversation Begins
Alex: Hey Maya! I've been tasked with improving our application's security posture on AWS, and honestly, I'm overwhelmed. There are so many security services! Where do I even start?
Maya: laughs I hear that a lot! AWS security can feel like alphabet soup at first - IAM, WAF, KMS, GuardDuty... But here's the thing: each service has a specific purpose, and they're actually designed to work together like puzzle pieces.
Alex: That's reassuring. Can we start with the big picture? Like, which service does what?
Maya: Absolutely! That's the best place to start. Let me grab my coffee, and we'll walk through this together.
The Big Picture: Security Layers in AWS
Maya: Think of AWS security services as layers of protection, kind of like security in a building. You have:
- The front gate (network security)
- ID badges (identity and access)
- Security cameras (monitoring and detection)
- Locks on sensitive doors (data protection)
- Security audit logs (compliance and logging)
Let me show you a quick breakdown:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AWS SECURITY LAYERS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Identity & Access: IAM, Organizations, Cognito β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Network Security: WAF, Shield, Security Groups β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Threat Detection: GuardDuty, Security Hub, β β
β β Detective β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Data Protection: KMS, Secrets Manager, Macie β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Compliance & Audit: Config, CloudTrail β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Alex: Okay, that's already much clearer! So it's not about picking one service, but using multiple services for different security needs?
Maya: Exactly! And the beauty is that they integrate with each other. For example, GuardDuty can send findings to Security Hub, which can trigger automated responses. But let's not get ahead of ourselves. Let's go layer by layer.
Identity & Access Management (IAM)
Alex: Alright, let's start with the first layer. I use IAM every day, but I feel like I might be missing some best practices.
Maya: IAM is your foundation - literally everything in AWS security starts here. Think of it as your master key system. Let me break down the key components:
| IAM Component | What It Is | When to Use It |
|---|---|---|
| Users | Individual identities for people | Rarely! Prefer federation or IAM Identity Center |
| Groups | Collections of users | When you need to manage permissions for multiple IAM users |
| Roles | Temporary credentials for services/apps | Most of the time! EC2, Lambda, ECS should use roles |
| Policies | JSON documents defining permissions | Always - attached to users, groups, or roles |
| Identity Center | SSO solution (formerly AWS SSO) | For employee access across multiple accounts |
Alex: Wait, you said "rarely" for IAM users? I thought that was the standard way?
Maya: Common misconception! Here's the modern approach:
OLD WAY (β):
Developer β IAM User with Long-term Credentials β AWS Resources
NEW WAY (β
):
Developer β Identity Center/Federation β Temporary Credentials β AWS Resources
Application β IAM Role β AWS Resources
Maya: Long-term credentials are security risks. They can be leaked, they don't expire, and they're hard to rotate. Roles provide temporary credentials that automatically rotate.
Alex: That makes sense. What about policies? I always struggle with those JSON documents.
Maya: Let me show you the anatomy of a policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}
Maya: The key parts are:
- Effect: Allow or Deny
- Action: What operations are permitted
- Resource: Which AWS resources this applies to
- Condition: Optional - when this policy applies
Alex: And there's like a hierarchy of denies and allows, right?
Maya: Yes! Remember this rule: Explicit Deny β Explicit Allow β Default Deny
- If there's an explicit DENY anywhere, access is denied (game over)
- If there's an explicit ALLOW and no deny, access is granted
- If there's nothing, access is denied by default
Key IAM Best Practices:
β
Enable MFA for all human access
β
Use roles instead of long-term credentials
β
Follow principle of least privilege
β
Use policy conditions to restrict access (IP, time, MFA)
β
Regularly audit permissions with IAM Access Analyzer
β
Use service control policies (SCPs) in Organizations for guardrails
Alex: IAM Access Analyzer? What's that?
Maya: Great question! It's a tool that analyzes your resources to find which ones are shared with external entities. It helps you answer: "Did I accidentally make my S3 bucket public?" or "Who has access to this KMS key?"
Network Security Services
Alex: Okay, IAM makes more sense now. What about network security? We have a web application that faces the internet.
Maya: Perfect use case! Let's talk about your network defense layer. You've got several tools here:
AWS WAF (Web Application Firewall) & Shield
Maya: Think of WAF as a bouncer at your application's front door, inspecting HTTP/HTTPS requests.
Internet Users
β
βββββββββββββββββββ
β AWS Shield β β DDoS Protection (Layer 3/4)
βββββββββββββββββββ
β
βββββββββββββββββββ
β AWS WAF β β Application Layer Protection (Layer 7)
βββββββββββββββββββ
β
βββββββββββββββββββ
β CloudFront/ALB β
β API Gateway β
βββββββββββββββββββ
β
Your Application
Alex: What's the difference between WAF and Shield?
Maya: Great question!
| Feature | AWS Shield Standard | AWS Shield Advanced | AWS WAF |
|---|---|---|---|
| Cost | Free | $3,000/month | Pay per rule + requests |
| Protection | Layer 3/4 DDoS | Enhanced DDoS + cost protection | Layer 7 filtering |
| What It Blocks | Network/transport attacks | Large-scale DDoS | SQL injection, XSS, bot traffic, rate limiting |
| Automatic | Yes | Yes + DDoS Response Team | No, you configure rules |
Alex: So Shield is automatic, and WAF is customizable?
Maya: Exactly! Shield Standard is automatically enabled on all AWS accounts - it protects against common DDoS attacks. Shield Advanced is for enterprise protection with 24/7 support.
WAF is where you define rules. Let me show you some common use cases:
Common WAF Rules:
βββ Rate Limiting
β βββ Block IPs making >2000 requests in 5 minutes
βββ Geo Blocking
β βββ Block traffic from specific countries
βββ SQL Injection Protection
β βββ Inspect query strings for malicious SQL
βββ XSS Protection
β βββ Block cross-site scripting attempts
βββ IP Reputation Lists
β βββ Block known malicious IPs
βββ Bot Control
βββ Distinguish between good bots and bad bots
Alex: Can you give me a practical example?
Maya: Sure! Here's a real-world scenario:
Problem: E-commerce site getting hit with credential stuffing attacks
Solution:
- WAF Rule 1: Rate limiting - max 5 login attempts per IP in 5 minutes
- WAF Rule 2: Geo-blocking - site only serves US customers, block other countries
- WAF Rule 3: Bot control - allow Google/Bing bots, block others
- Shield Standard: Automatically protecting against network DDoS
Alex: That's practical! What about internal network security?
VPC Security Groups & Network ACLs
Maya: Now we're talking about security within your VPC. You have two main tools:
| Feature | Security Groups | Network ACLs (NACLs) |
|---|---|---|
| Level | Instance/ENI level | Subnet level |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both ways) |
| Rules | Allow rules only | Allow and Deny rules |
| Evaluation | All rules evaluated | Rules processed in order |
| Default | Deny all inbound, allow all outbound | Allow all traffic |
Alex: Stateful vs stateless - can you explain that?
Maya: Sure! Let's use an example:
Scenario: Web server receiving request on port 443
SECURITY GROUP (Stateful):
βββββββββββββββββββββββββββββββββββββββββββ
β Inbound: Allow port 443 from 0.0.0.0/0 β
β β
β Outbound: (automatic) Return traffic β
β allowed even if not explicitly β
β defined β
βββββββββββββββββββββββββββββββββββββββββββ
NACL (Stateless):
βββββββββββββββββββββββββββββββββββββββββββ
β Inbound: Allow port 443 from 0.0.0.0/0 β
β Outbound: Allow ephemeral ports β
β (1024-65535) for return β
β traffic - must be explicit! β
βββββββββββββββββββββββββββββββββββββββββββ
Alex: So Security Groups are smarter because they track connections?
Maya: Exactly! That's why Security Groups are your primary control, and NACLs are your backup defense layer. Here's the best practice:
Security Group Strategy:
Internet (0.0.0.0/0)
β
[ALB Security Group]
βββ Allow: 443 from 0.0.0.0/0
βββ Allow: 80 from 0.0.0.0/0 (redirect to 443)
β
[Web Server Security Group]
βββ Allow: 80 from ALB Security Group
βββ Allow: 443 from ALB Security Group
β
[Database Security Group]
βββ Allow: 3306 from Web Server Security Group
Alex: I love that you can reference other security groups! So much cleaner than IP addresses.
Maya: Right! And it automatically adjusts when instances scale. If you add more web servers with that security group, the database automatically allows them.
Threat Detection & Monitoring
Alex: Okay, so we've locked things down with IAM and network security. But how do we know if someone's actually attacking us?
Maya: Now we're getting into the detective controls! This is where AWS really shines. Let's talk about the threat detection trio: GuardDuty, Security Hub, and Detective.
Amazon GuardDuty
Maya: GuardDuty is your 24/7 security guard. It continuously monitors for malicious activity and unauthorized behavior.
Alex: How does it work?
Maya: It analyzes billions of events from multiple data sources:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AMAZON GUARDDUTY β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Data Sources: β
β βββ VPC Flow Logs β
β βββ CloudTrail Event Logs β
β βββ DNS Logs β
β βββ Kubernetes Audit Logs β
β βββ S3 Data Events β
β βββ EBS Volume Data β
β β
β β β
β β
β Machine Learning + Threat Intelligence β
β β
β β β
β β
β Security Findings: β
β βββ Reconnaissance (port scanning, unusual API) β
β βββ Instance Compromise (malware, crypto mining) β
β βββ Account Compromise (leaked credentials) β
β βββ Bucket Compromise (suspicious S3 access) β
β βββ Malicious IP Communication β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Alex: So I don't need to configure log collection? It just works?
Maya: Exactly! That's the beauty. You enable it with one click (per region), and it starts analyzing. No agents to install, no logs to manage.
Real-World Finding Example:
Finding: Unauthorized API Call
Severity: HIGH
Description: EC2 instance i-1234567890abcdef0 is making API
calls with temporary credentials that don't match
the instance's assigned role.
Possible Causes:
- Instance may be compromised
- Stolen credentials being used
- Legitimate but misconfigured application
Recommended Action:
1. Isolate the instance (change security group)
2. Snapshot for forensics
3. Review CloudTrail logs for all actions taken
4. Rotate credentials
Alex: Those findings look really actionable. Can I automate responses?
Maya: Absolutely! That's where EventBridge comes in. Common pattern:
GuardDuty Finding
β
EventBridge Rule
β
[Choose your response]
βββ SNS β Email security team
βββ Lambda β Isolate compromised instance
βββ Step Functions β Full remediation workflow
βββ Security Hub β Aggregate with other findings
Alex: Wait, Security Hub? Is that different from GuardDuty?
AWS Security Hub
Maya: Yes! GuardDuty is specialized threat detection. Security Hub is your central security dashboard that aggregates findings from multiple services.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AWS SECURITY HUB β
β (Central Security Dashboard) β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Findings Sources: β
β βββ GuardDuty (threat detection) β
β βββ Inspector (vulnerability scanning) β
β βββ Macie (sensitive data discovery) β
β βββ IAM Access Analyzer β
β βββ Firewall Manager β
β βββ Detective β
β βββ 50+ Partner Integrations (Palo Alto, etc.) β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Security Standards Compliance: β
β βββ CIS AWS Foundations Benchmark β
β βββ PCI DSS β
β βββ AWS Foundational Security Best Practices β
β βββ Custom compliance frameworks β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Outputs: β
β βββ Unified dashboard β
β βββ Automated remediation β
β βββ Cross-region aggregation β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Alex: So it's like a SIEM (Security Information and Event Management) tool?
Maya: Sort of! It's AWS's cloud-native SIEM. Instead of managing log collectors and correlation rules, you just enable it, and it starts giving you a comprehensive security score and actionable insights.
Example Security Hub Dashboard:
| Priority | Count | Category |
|---|---|---|
| π΄ Critical | 3 | Publicly accessible RDS instance with weak password |
| π High | 15 | S3 buckets without encryption |
| π‘ Medium | 42 | Security groups allowing 0.0.0.0/0 on non-standard ports |
| π’ Low | 127 | CloudTrail log validation not enabled |
Security Score: 67/100
Alex: That's really useful for getting a holistic view. What about when you need to investigate an incident deeper?
Amazon Detective
Maya: That's exactly what Detective is for! If GuardDuty says "this looks suspicious," Detective helps you answer "what actually happened?"
Investigation Timeline:
1. GuardDuty: "EC2 instance is communicating with known
malicious IP"
β
2. Security Hub: Aggregates finding with context
β
3. Detective: Open investigation
β
Visualization shows:
βββ Timeline: What happened before and after?
βββ Resource interactions: What did this instance touch?
βββ IP analysis: Where else has this IP been seen?
βββ API call patterns: What API calls were unusual?
βββ Related findings: Are other resources affected?
Maya: Detective uses machine learning to build a graph database of your AWS environment, making it easy to see relationships and patterns.
Alex: So the workflow is: GuardDuty detects β Security Hub aggregates β Detective investigates?
Maya: Perfect summary! Though you don't always need all three. But together, they're powerful.
Best Practices for Threat Detection:
| Service | Enable When | Cost Consideration |
|---|---|---|
| GuardDuty | Always! First line of defense | ~$5/month for small account, scales with usage |
| Security Hub | When you have multiple security tools | $0.001 per finding + compliance check costs |
| Detective | When you need investigation capabilities | $2/GB of data ingested |
Compliance & Configuration
Alex: This is great, but my manager keeps asking about compliance. We need to prove we're following security best practices.
Maya: Ah, the audit question! This is where Config and CloudTrail come in. Let me explain the difference - people often confuse them.
AWS CloudTrail
Maya: CloudTrail answers: "WHO did WHAT and WHEN?"
βββββββββββββββββββββββββββββββββββββββββββ
β AWS CLOUDTRAIL β
β (Audit Log of API Calls) β
βββββββββββββββββββββββββββββββββββββββββββ€
β β
β Records: β
β βββ Who made the request? β
β βββ When was it made? β
β βββ What action was performed? β
β βββ What resource was affected? β
β βββ Where from (IP address)? β
β βββ Was it successful or denied? β
β β
β Example Log Entry: β
β { β
β "eventName": "PutBucketPublicAccess",β
β "userIdentity": { β
β "userName": "alex@company.com" β
β }, β
β "eventTime": "2024-01-15T10:30:00Z", β
β "sourceIPAddress": "203.0.113.42", β
β "requestParameters": { β
β "bucketName": "my-app-data" β
β } β
β } β
β β
βββββββββββββββββββββββββββββββββββββββββββ
Alex: So it's like a security camera recording everything?
Maya: Exactly! Every API call - whether from the console, CLI, SDK, or other services - gets logged. This is crucial for:
- Compliance audits: "Show me all changes to S3 permissions in Q4"
- Security investigations: "Who deleted this critical resource?"
- Troubleshooting: "Why did this deployment fail?"
CloudTrail Best Practices:
β
Enable in all regions (even those you don't use)
β
Enable log file validation (proves logs haven't been tampered with)
β
Store logs in a dedicated security account
β
Enable S3 and Lambda data events for sensitive resources
β
Set up CloudWatch Logs integration for real-time alerting
β
Never turn it off in production!
AWS Config
Maya: Config answers: "What is the STATE of my resources, and did it comply with my rules?"
βββββββββββββββββββββββββββββββββββββββββββ
β AWS CONFIG β
β (Configuration Management) β
βββββββββββββββββββββββββββββββββββββββββββ€
β β
β Tracks: β
β βββ Resource inventory β
β βββ Configuration history β
β βββ Change tracking β
β βββ Compliance checking β
β β
β Timeline View: β
β Jan 10: S3 bucket created β
β βββ Encryption: disabled β β
β βββ Versioning: disabled β β
β β
β Jan 15: Configuration changed β
β βββ Encryption: enabled β
β
β βββ Versioning: disabled β β
β β
β Jan 20: Configuration changed β
β βββ Encryption: enabled β
β
β βββ Versioning: enabled β
β
β β
β Compliance Rules: β
β βββ S3 must have encryption β
β
β βββ S3 must have versioning β
β
β βββ Overall Status: COMPLIANT β
β β
βββββββββββββββββββββββββββββββββββββββββββ
Alex: So CloudTrail is the "who and when," and Config is the "what and compliance"?
Maya: Perfect! Let me show you how they work together:
Scenario: Someone made an S3 bucket public
CloudTrail tells you:
βββ WHO: sarah@company.com
βββ WHEN: 2024-01-15 14:23:45 UTC
βββ ACTION: PutBucketPolicy
βββ FROM: IP 203.0.113.50
Config tells you:
βββ BEFORE: Bucket was private
βββ AFTER: Bucket is now public
βββ COMPLIANCE: VIOLATION of rule "s3-bucket-public-read-prohibited"
βββ RELATED CHANGES: Shows the exact policy change
Alex: That's powerful! Can Config automatically fix violations?
Maya: Yes! Through Config Remediation Actions. Here's a real example:
Config Rule: "All EBS volumes must be encrypted"
Remediation Action:
- Config detects non-encrypted EBS volume
- Automatically triggers SSM Automation document
- Creates encrypted snapshot
- Creates new encrypted volume from snapshot
- (Optionally) Notifies team about the change
Alex: What are some essential Config rules I should enable?
Maya: Great question! Here's my starter pack:
| Category | Config Rule | What It Checks |
|---|---|---|
| IAM | iam-root-access-key-check | Root user has no access keys |
| iam-user-mfa-enabled | All IAM users have MFA | |
| S3 | s3-bucket-public-read-prohibited | No public read access |
| s3-bucket-server-side-encryption | Encryption enabled | |
| EC2 | ec2-security-group-restricted-ssh | SSH not open to 0.0.0.0/0 |
| ec2-instance-managed-by-ssm | Instances use Systems Manager | |
| RDS | rds-encryption-enabled | Databases are encrypted |
| rds-multi-az-support | Production DBs have multi-AZ | |
| Network | vpc-flow-logs-enabled | Flow logs are enabled |
CloudTrail vs Config Summary:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β CLOUDTRAIL CONFIG β
β (Activity Log) (Configuration DB) β
β β
β API calls vs Resource state β
β Who did what vs What's configured β
β Historical actions vs Current compliance β
β Audit trail vs Drift detection β
β β
β Use together for complete picture! β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Data Protection Services
Alex: We've covered a lot! What about protecting the actual data? We have sensitive customer information.
Maya: Excellent question! Let's talk about the data protection trio: KMS, Secrets Manager, and Macie.
AWS KMS (Key Management Service)
Maya: KMS is your encryption key management system. Think of it as a super-secure vault for your encryption keys.
Alex: Why can't I just generate my own keys and store them in environment variables?
Maya: winces Oh no, please don't do that! Here's why KMS is critical:
β BAD: DIY Key Management
βββ Keys stored in code or environment variables
βββ Keys might be committed to Git
βββ No audit trail of who used keys
βββ Keys never rotated
βββ Keys same in dev/staging/prod
βββ If leaked, manual rotation nightmare
β
GOOD: KMS
βββ Keys never leave AWS HSM (Hardware Security Module)
βββ Every key usage is logged in CloudTrail
βββ Automatic rotation available
βββ Fine-grained access control via IAM
βββ Keys can be disabled/deleted
βββ Integrated with most AWS services
Alex: What's the actual workflow?
Maya: Here's how it works:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β KMS ENCRYPTION WORKFLOW β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β 1. You create a KMS Customer Master Key (CMK) β
β β
β 2. Application needs to encrypt data: β
β βββββββββββββββ β
β β Your App β β
β ββββββββ¬βββββββ β
β β "Encrypt this data" β
β β β
β βββββββββββββββ β
β β KMS API β β
β ββββββββ¬βββββββ β
β β Checks IAM permissions β
β β Uses CMK to encrypt β
β β Logs to CloudTrail β
β β β
β Returns: Encrypted data β
β β
β 3. To decrypt, same process in reverse β
β (must have kms:Decrypt permission) β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
KMS Key Types:
| Key Type | Control | Use Case | Cost |
|---|---|---|---|
| AWS Managed Keys | AWS controls | S3, RDS default encryption | Free |
| Customer Managed Keys | You control (recommended) | Production data, compliance | $1/month + usage |
| AWS Owned Keys | AWS controls (invisible to you) | Some services use internally | Free |
| CloudHSM Keys | You control in dedicated HSM | Highest security requirements | $1+/hour |
Maya: For most applications, Customer Managed Keys are the sweet spot.
Alex: How do I actually use this with S3 or RDS?
Maya: It's usually just a checkbox or parameter:
S3 Example:
aws s3api put-object \
--bucket my-bucket \
--key sensitive-data.txt \
--body data.txt \
--server-side-encryption aws:kms \
--ssekms-key-id arn:aws:kms:us-east-1:123456789012:key/abc-123
RDS Example:
aws rds create-db-instance \
--db-instance-identifier my-database \
--storage-encrypted \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/abc-123
Maya: Most AWS services are KMS-integrated, so it's seamless!
AWS Secrets Manager
Alex: Okay, so KMS handles encryption keys. What about passwords, API keys, database credentials - where do those go?
Maya: That's exactly what Secrets Manager is for! It's built on top of KMS but designed specifically for secrets like:
- Database credentials
- API keys
- OAuth tokens
- Any sensitive configuration
What makes Secrets Manager special:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SECRETS MANAGER FEATURES β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β β
Automatic rotation (with Lambda) β
β βββ RDS/Aurora: Built-in rotation β
β βββ DocumentDB: Built-in rotation β
β βββ Custom: Your own rotation logic β
β β
β β
Encrypted at rest (using KMS) β
β β
β β
Fine-grained access control (IAM policies) β
β β
β β
Versioning (can retrieve previous versions) β
β β
β β
Audit trail (every access logged in CloudTrail) β
β β
β β
Cross-region replication β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Real-World Example:
Old Way (β):
# Hardcoded in code or environment variable
DB_PASSWORD = "MyP@ssw0rd123" # NEVER DO THIS!
conn = connect(
host="database.example.com",
user="admin",
password=DB_PASSWORD
)
New Way (β
):
import boto3
import json
def get_secret():
client = boto3.client('secretsmanager')
response = client.get_secret_value(SecretId='prod/database/credentials')
secret = json.loads(response['SecretString'])
return secret
# Usage
secret = get_secret()
conn = connect(
host=secret['host'],
user=secret['username'],
password=secret['password'] # Retrieved securely
)
Alex: What about automatic rotation? How does that work?
Maya: Great question! Here's the flow for RDS:
Rotation Schedule: Every 30 days
Day 1: Secret created: password = "OldPassword123"
Day 30: Rotation triggered
βββ Secrets Manager calls Lambda function
βββ Lambda creates new DB user with new password
βββ Lambda tests new credentials
βββ Lambda updates secret: password = "NewPassword456"
βββ Lambda marks old version as deprecated
βββ Applications automatically get new password
Day 31: Old credentials still work (grace period)
Day 32: Old credentials deactivated
Alex: Wait, applications automatically get the new password?
Maya: They do if you retrieve secrets at runtime instead of caching them permanently. Best practice:
# β BAD: Retrieve once at startup
secret = get_secret() # Cached for entire application lifetime
# β
GOOD: Retrieve and cache with TTL
secret = get_secret_cached(ttl=300) # Cache for 5 minutes
# β
BETTER: Use connection handler that refreshes
conn = get_db_connection() # Handles rotation automatically
Secrets Manager vs Systems Manager Parameter Store:
| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Cost | $0.40/secret/month | Free (Standard), $0.05 (Advanced) |
| Rotation | Built-in with Lambda | Manual |
| Cross-region | Yes, automatic | Manual replication |
| Best for | Sensitive secrets needing rotation | Configuration values, less sensitive |
| Version limit | ~100 versions | 100 versions |
Alex: When would I use Parameter Store over Secrets Manager?
Maya: Parameter Store is great for configuration:
- Feature flags
- Environment-specific settings
- Non-rotating API keys
- Configuration values
Use Secrets Manager when:
- You need automatic rotation
- It's highly sensitive (database passwords)
- You need cross-region replication
- Compliance requires regular rotation
Amazon Macie
Alex: Alright, I understand KMS and Secrets Manager. What's Macie?
Maya: Macie is your sensitive data detective for S3. It uses machine learning to automatically discover and protect sensitive data.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AMAZON MACIE β
β (Sensitive Data Discovery) β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β What It Finds: β
β βββ PII (Personally Identifiable Information) β
β β βββ Names, addresses, phone numbers β
β β βββ Social Security numbers β
β β βββ Passport numbers β
β βββ Financial Data β
β β βββ Credit card numbers β
β β βββ Bank account numbers β
β βββ Health Information (PHI) β
β βββ Credentials β
β βββ API keys β
β βββ AWS keys β
β βββ Private keys β
β β
β How It Works: β
β 1. Scans your S3 buckets β
β 2. Identifies sensitive data β
β 3. Generates findings β
β 4. Provides recommendations β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Example Macie Finding:
Finding: Multiple files containing credit card numbers
Severity: HIGH
Location: s3://customer-uploads/2024/01/
Details:
βββ Files scanned: 1,247
βββ Files with CCNs: 23
βββ Total CCNs found: 156
βββ Bucket encryption: DISABLED β οΈ
Recommendations:
1. Enable S3 bucket encryption
2. Enable S3 bucket versioning
3. Review bucket access policies
4. Consider moving to a dedicated sensitive data bucket
5. Implement lifecycle policy to delete old data
Alex: So Macie is like an auditor going through all our S3 buckets?
Maya: Exactly! It's especially valuable when:
- You have large amounts of S3 data
- You're not sure where sensitive data lives
- You need to comply with GDPR, PCI-DSS, HIPAA
- You want to prevent data leaks
Common Use Cases:
- Data Discovery: "Where is all our customer PII stored?"
- Compliance: "Prove we're properly protecting sensitive data"
- Migration Safety: "Make sure we don't migrate sensitive data to wrong environment"
- Incident Response: "What sensitive data was in that publicly exposed bucket?"
Application Security
Alex: We're really cooking now! What about security at the application level?
Maya: Let's talk about Inspector and Cognito - they handle different aspects of application security.
Amazon Inspector
Maya: Inspector is your automated vulnerability scanner for workloads.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AMAZON INSPECTOR β
β (Automated Vulnerability Management) β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β What It Scans: β
β βββ EC2 Instances β
β β βββ OS vulnerabilities β
β β βββ Installed packages β
β β βββ Network exposure β
β βββ Container Images (ECR) β
β β βββ Base image vulnerabilities β
β β βββ Application dependencies β
β βββ Lambda Functions β
β βββ Code vulnerabilities β
β βββ Package dependencies β
β β
β When It Scans: β
β βββ Continuously (always on) β
β βββ When instances launch β
β βββ When images pushed to ECR β
β βββ When Lambda deployed β
β βββ When new CVE published β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Alex: So it's like a vulnerability scanner that I don't have to manage?
Maya: Exactly! No agents to manage, no scan schedules to configure. Just enable it and it works.
Example Inspector Finding:
Finding ID: CVE-2024-12345
Resource: EC2 i-1234567890abcdef0
Severity: HIGH (CVSS 8.5)
Package: openssl-1.1.1k
Description: Buffer overflow in OpenSSL allows remote code execution
Path to Exposure:
βββ Instance has public IP: Yes
βββ Security group allows port 443: Yes
βββ Risk: Externally exploitable
Remediation:
βββ Update to openssl-1.1.1w or later
βββ Command: sudo yum update openssl
βββ Estimated fix time: 5 minutes
Alex: Does it integrate with CI/CD?
Maya: Yes! Here's a common DevOps workflow:
Developer commits code
β
CI/CD Pipeline
β
Build container image
β
Push to Amazon ECR
β
Inspector automatically scans βββ Finds vulnerabilities
β β
No issues Issues found
β β
Deploy to production Block deployment
β
Create ticket
β
Notify team
Alex: Can I configure it to block deployments with high-severity vulnerabilities?
Maya: Absolutely! Here's a typical policy:
| Severity | Action |
|---|---|
| π΄ Critical (9.0-10.0) | Block deployment, page on-call |
| π High (7.0-8.9) | Block deployment, create ticket |
| π‘ Medium (4.0-6.9) | Allow with warning, create ticket |
| π’ Low (0.1-3.9) | Allow, log for review |
Amazon Cognito
Alex: What about user authentication? We're building a web app and need to handle user logins.
Maya: Don't build your own authentication! Use Cognito. Seriously, custom authentication is where most security vulnerabilities come from.
Cognito has two main components:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AMAZON COGNITO β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β 1. USER POOLS β
β (Your own user directory) β
β βββ Sign-up and sign-in β
β βββ MFA support β
β βββ Password policies β
β βββ Email/phone verification β
β βββ Custom authentication flows β
β β
β 2. IDENTITY POOLS β
β (Federated identities β AWS credentials) β
β βββ User Pool users β AWS access β
β βββ Social login (Google, Facebook) β
β βββ SAML identity providers β
β βββ Anonymous guest access β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Alex: What's the difference between User Pools and Identity Pools?
Maya: Great question! This confuses everyone at first:
USER POOLS: Authentication (Who are you?)
βββ "I'm Alex, here's my username and password"
βββ Returns: JWT tokens for your application
IDENTITY POOLS: Authorization (What AWS resources can you access?)
βββ "I'm authenticated via User Pool/Google/Facebook"
βββ Returns: Temporary AWS credentials (STS tokens)
Common Architecture:
Mobile/Web App
β
βββββββββββββββββββ
β User Pool β β Authentication
β "Who are you?" β
ββββββββββ¬βββββββββ
β JWT Token
β
βββββββββββββββββββ
β Identity Pool β β Authorization
β "What can you β
β access?" β
ββββββββββ¬βββββββββ
β AWS Credentials
β
Access S3/DynamoDB/API Gateway directly from app
Alex: Can you give me a real-world example?
Maya: Sure! Photo sharing app:
1. User signs up
βββ User Pool creates account
βββ Sends verification email
βββ Stores encrypted password
2. User logs in
βββ User Pool validates credentials
βββ Returns JWT tokens
βββ App stores tokens
3. User uploads photo
βββ App uses JWT to call API Gateway
βββ API Gateway validates token
βββ Lambda processes upload
βββ Stores in S3
4. User wants to access their photos directly
βββ App exchanges JWT for AWS credentials (Identity Pool)
βββ Identity Pool returns STS credentials with policy:
β "Allow s3:GetObject on s3://photos/${cognito-identity-id}/*"
βββ App accesses S3 directly (no backend needed!)
Cognito Security Features:
| Feature | Purpose |
|---|---|
| MFA | SMS, TOTP, or software tokens |
| Advanced Security | Risk-based authentication, bot detection |
| Password Policies | Complexity requirements, rotation |
| Account Takeover Protection | Detect unusual sign-in activity |
| Compromise Credentials | Check against known breached passwords |
| Custom Authentication | Lambda triggers for custom logic |
Alex: This is way better than rolling our own auth!
Maya: Right? And it's compliant with SOC, PCI DSS, ISO, and other standards out of the box.
How They All Work Together
Alex: Okay, my head is spinning with all these services. How do they actually work together in a real application?
Maya: Let me show you a complete architecture that uses everything we've discussed!
Complete Secure Architecture Example
Scenario: E-commerce application with web frontend, API backend, and database
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β USERS (Internet) β
βββββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββ
β
βββββββββββββΌβββββββββββ
β AWS Shield β DDoS Protection (Layer 3/4)
β (Standard) β
βββββββββββββ¬βββββββββββ
β
βββββββββββββΌβββββββββββ
β CloudFront β CDN + Edge security
β + AWS WAF β SQL injection/XSS protection
βββββββββββββ¬βββββββββββ
β
βββββββββββββββββββββΌββββββββββββββββββββ
β β
βββββββββΌβββββββββ ββββββββββββΌβββββββββ
β Static Assets β β Application β
β (S3 + KMS) β β Load Balancer β
β β β (ALB) β
ββββββββββββββββββ ββββββββββββ¬ββββββββββ
β
ββββββββββββΌββββββββββ
β ECS/Fargate β
β (Containers) β
β + IAM Roles β
ββββββββββββ¬ββββββββββ
β
ββββββββββββββββββββββββββββββββΌβββββββββββββββββββ
β β β
βββββββββΌβββββββββ ββββββββββββΌβββββββ ββββββββββΌβββββββ
β RDS (Aurora) β β Secrets β β DynamoDB β
β + KMS β β Manager β β + KMS β
β + Encryption β β (DB creds) β β + Encryptionβ
ββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SECURITY SERVICES LAYER β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β GuardDuty β β Inspector β β Macie β β
β β (Threats) β β (Vulns) β β (Data) β β
β ββββββββ¬ββββββββ ββββββββ¬ββββββββ ββββββββ¬ββββββββ β
β β β β β
β ββββββββββββββββββββΌβββββββββββββββββββ β
β β β
β ββββββββββΌβββββββββ β
β β Security Hub β Central dashboard β
β ββββββββββ¬βββββββββ β
β β β
β ββββββββββΌβββββββββ β
β β EventBridge β Automated response β
β ββββββββββ¬βββββββββ β
β β β
β ββββββββββΌβββββββββ β
β β Lambda β Remediation β
β βββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β CloudTrail β β Config β β VPC Flow β β
β β (Audit) β β (Compliance)β β Logs β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β IDENTITY & ACCESS LAYER β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Application Users βββββ Cognito User Pool βββββ Cognito Identity β
β Pool β
β Employees βββββββββββββ IAM Identity Center β
β Applications ββββββββββ IAM Roles β
β Cross-Account βββββββββ IAM Roles + AssumeRole β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Event Flow Example
Maya: Let me show you what happens when there's a security event:
INCIDENT: Compromised EC2 instance detected
Timeline:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
T+0 seconds:
βββ GuardDuty detects unusual API calls from EC2 instance
βββ Finding: "Compromised EC2 instance making unauthorized API calls"
T+5 seconds:
βββ GuardDuty sends finding to Security Hub
βββ Security Hub aggregates with other findings
βββ Security Hub sends event to EventBridge
βββ CloudTrail logs all API calls for investigation
T+10 seconds:
βββ EventBridge triggers Lambda function
βββ Lambda executes automated response:
β βββ 1. Snapshot EBS volume (forensics)
β βββ 2. Change security group to isolate instance
β βββ 3. Revoke IAM role credentials
β βββ 4. Tag instance as "compromised"
βββ SNS sends notification to security team
T+30 seconds:
βββ Security team receives alert
βββ Opens AWS Detective to investigate
βββ Detective shows:
βββ Timeline of API calls
βββ Resources accessed
βββ Network connections made
βββ Related findings
T+5 minutes:
βββ Security team determines root cause
βββ Config shows instance was launched without:
β βββ SSM agent (no patch management)
β βββ Inspector scanning (vulnerability)
βββ Inspector finding shows unpatched CVE
βββ Incident documented
T+1 hour:
βββ New Config rule deployed:
β "All EC2 instances must have SSM agent"
βββ Inspector continuous scanning enabled
βββ Lambda function updated with new response logic
Alex: Wow, so the services really do orchestrate together!
Maya: Exactly! And here's the key insight: Each service is a specialist, but together they form a comprehensive defense.
Integration Patterns
Maya: Here are the common integration patterns you should know:
Pattern 1: Detective β Alerting
GuardDuty/Inspector/Macie
β
Security Hub
β
EventBridge
β
SNS/Slack/PagerDuty
Pattern 2: Detective β Automated Response
GuardDuty detects threat
β
EventBridge rule triggers
β
Lambda executes remediation
β
Systems Manager runs automation
β
SNS sends confirmation
Pattern 3: Compliance Monitoring
Config evaluates resources
β
Non-compliant resource detected
β
Security Hub aggregates finding
β
EventBridge triggers remediation
β
Config re-evaluates
β
Compliance restored
Pattern 4: Access Management
User authenticates (Cognito)
β
Receives JWT token
β
API Gateway validates token
β
Lambda assumes IAM role (limited permissions)
β
Retrieves secrets (Secrets Manager)
β
Accesses data (encrypted with KMS)
β
All actions logged (CloudTrail)
Maturity Model
Alex: This is a lot to implement. Where should I start?
Maya: Great question! Here's a maturity model:
| Level | Stage | Services to Implement | Time Frame |
|---|---|---|---|
| 1 | Foundation | IAM, Security Groups, CloudTrail | Week 1 |
| 2 | Basic Protection | WAF, Shield, KMS | Week 2-3 |
| 3 | Detection | GuardDuty, Config | Week 4 |
| 4 | Aggregation | Security Hub, Inspector | Month 2 |
| 5 | Automation | EventBridge + Lambda responses | Month 3 |
| 6 | Advanced | Detective, Macie, Custom automations | Month 4+ |
Level 1: Foundation (Start here!)
Week 1 Checklist:
β Enable MFA on root account
β Create IAM admin users (no root account usage)
β Enable CloudTrail in all regions
β Create security groups with least privilege
β Enable VPC Flow Logs
β Document what you have
Level 2: Basic Protection
Week 2-3 Checklist:
β Enable S3 encryption (default)
β Enable RDS encryption
β Set up KMS customer managed keys
β Deploy WAF on public-facing apps
β Review and restrict security groups
β Set up AWS Organizations (if multi-account)
Level 3: Detection
Week 4 Checklist:
β Enable GuardDuty in all regions
β Enable AWS Config
β Deploy essential Config rules
β Set up SNS topics for alerts
β Create runbooks for common findings
Alex: So I don't need to enable everything on day one?
Maya: Absolutely not! Start with the foundation and build up. Each level makes the next easier.
Service Summary Reference
Alex: This has been incredibly helpful! Can we create a quick reference summary?
Maya: Of course! Here's your cheat sheet:
Complete AWS Security Services Reference
| Service | Category | Primary Function | Key Use Cases | Cost Model |
|---|---|---|---|---|
| IAM | Identity | Access management for users, roles, policies | Authentication, authorization | Free |
| IAM Identity Center | Identity | SSO for employees across AWS accounts | Multi-account access | Free |
| Cognito | Identity | User authentication for applications | Mobile/web app auth | Pay per MAU |
| Organizations | Identity | Multi-account management | Account structure, SCPs | Free |
| Security Groups | Network | Virtual firewall at instance level | EC2, RDS, ALB access control | Free |
| NACLs | Network | Subnet-level firewall | Additional network layer | Free |
| WAF | Network | Web application firewall | Protect against OWASP Top 10 | Per rule + requests |
| Shield Standard | Network | DDoS protection | Automatic layer 3/4 protection | Free |
| Shield Advanced | Network | Enhanced DDoS protection | Enterprise DDoS defense | $3,000/month |
| GuardDuty | Detection | Intelligent threat detection | Malicious activity monitoring | Pay per GB analyzed |
| Security Hub | Detection | Centralized security dashboard | Aggregate all security findings | Per finding + checks |
| Detective | Detection | Security investigation | Incident analysis | Per GB ingested |
| Inspector | Detection | Vulnerability scanning | CVE detection in EC2/containers | Per scan |
| Macie | Detection | Sensitive data discovery | Find PII in S3 | Per GB scanned |
| CloudTrail | Compliance | API call logging | Audit trail | First trail free, then pay per event |
| Config | Compliance | Resource configuration tracking | Compliance monitoring | Per config item + rule evaluation |
| KMS | Data Protection | Encryption key management | Encrypt data at rest | $1/key/month + usage |
| Secrets Manager | Data Protection | Secrets storage & rotation | Store passwords, API keys | $0.40/secret/month |
| Systems Manager Parameter Store | Data Protection | Configuration & secrets storage | App config, simple secrets | Free (standard) |
| VPC Flow Logs | Logging | Network traffic logs | Network troubleshooting | CloudWatch Logs pricing |
Quick Decision Tree
Maya: Here's how to choose the right service:
What are you trying to do?
ββ Manage who can access AWS?
β ββ Employees β IAM Identity Center
β ββ Applications β IAM Roles
β ββ Customers β Cognito
ββ Protect against attacks?
β ββ Network/DDoS β Shield + WAF
β ββ Application vulnerabilities β Inspector
β ββ Malicious activity β GuardDuty
ββ Protect data?
β ββ Encrypt at rest β KMS
β ββ Store secrets β Secrets Manager
β ββ Find sensitive data β Macie
ββ Monitor & detect?
β ββ Threats β GuardDuty
β ββ Compliance β Config
β ββ Central dashboard β Security Hub
β ββ Investigate β Detective
ββ Audit & compliance?
ββ Who did what? β CloudTrail
ββ Configuration history β Config
ββ Generate reports β Security Hub
Service Relationships (How They Work Together)
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β DATA SOURCES β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β CloudTrail β VPC Flow β DNS Logs β Config β Inspector β β
β Logs β Logs β β Rules β Scans β β
ββββββββ¬βββββββββββ¬ββββββββββββ¬βββββββ¬βββββββββββ¬βββββββββββββ
β β β β β
ββββββββββββ΄ββββββββββββ΄βββββββ΄βββββββββββ
β
βββββββββββββββββΌββββββββββββββββ
β β β
ββββββΌβββββ ββββββΌβββββ ββββββΌβββββ
βGuardDutyβ β Config β βInspectorβ
β β β Rules β β β
ββββββ¬βββββ ββββββ¬βββββ ββββββ¬βββββ
β β β
ββββββββββββββββΌβββββββββββββββ
β
ββββββββΌβββββββ
β Security Hubβ β Central aggregation
ββββββββ¬βββββββ
β
ββββββββββββββΌβββββββββββββ
β β β
ββββββΌβββββ βββββΌβββββ βββββΌβββββββ
βDetectiveβ βEventBridgeβ βReportsβ
β(Investigate)β (Automate) β (Comply)β
βββββββββββ βββββ¬βββββ βββββββββββ
β
ββββββΌβββββ
β Lambda β
β(Remediate)
βββββββββββ
Cost Optimization Tips
Alex: One last question - how do I keep costs under control?
Maya: Smart question! Here are my tips:
| Service | Cost Optimization Strategy |
|---|---|
| GuardDuty | β Enable (cost is justified), consider S3 Protection selectively |
| Security Hub | β Enable, disable unused standards, use aggregation regions |
| Detective | β οΈ Enable when needed for investigation (can be turned off) |
| Inspector | β Always on for containers/Lambda, continuous for EC2 |
| Macie | β οΈ Run periodic scans instead of continuous for cost savings |
| Config | β οΈ Be selective with resources tracked, use aggregator |
| CloudTrail | β One trail per region free, use data events selectively |
| WAF | β οΈ Consolidate rules, use managed rule groups |
| Secrets Manager | β οΈ Use Parameter Store for non-rotated secrets |
Maya's Golden Rules:
- Start with free tier: CloudTrail, Shield Standard, IAM
- Enable critical detection: GuardDuty is non-negotiable
- Be strategic with scanning: You don't need to scan everything everywhere
- Use managed rules: AWS managed rules are often cheaper than custom
- Monitor your costs: Set up AWS Budgets for security services
Implementation Checklist
Maya: Here's your final implementation checklist:
Week 1: Foundation
β Create AWS Organization structure
β Enable IAM Identity Center for employee access
β Remove long-term credentials, use roles
β Enable MFA on all accounts
β Enable CloudTrail (all regions)
β Create logging S3 bucket (encrypted, versioned)
β Document your account structure
Week 2: Network Security
β Review and tighten security groups
β Enable VPC Flow Logs
β Deploy WAF on public-facing resources
β Configure WAF rate limiting rules
β Test WAF rules in count mode first
β Document network architecture
Week 3: Data Protection
β Create KMS customer managed keys
β Enable S3 default encryption
β Enable RDS/EBS encryption
β Migrate secrets to Secrets Manager
β Set up rotation for database credentials
β Review S3 bucket policies
Week 4: Detection & Monitoring
β Enable GuardDuty (all regions)
β Enable AWS Config
β Deploy foundational Config rules
β Enable Security Hub
β Configure Security Hub standards
β Set up SNS topics for alerts
β Create runbooks for incident response
Month 2: Automation & Improvement
β Enable Inspector
β Integrate Inspector with CI/CD
β Create EventBridge rules for automated response
β Deploy remediation Lambda functions
β Enable Macie (if needed)
β Test incident response runbooks
β Conduct tabletop security exercise
Month 3: Advanced & Optimization
β Enable Detective
β Fine-tune alerting (reduce noise)
β Optimize costs
β Implement advanced automation
β Create security dashboards
β Schedule regular reviews
β Document everything
Final Thoughts
Alex: Maya, this has been amazing. I feel like I can actually tackle AWS security now!
Maya: That's great! Remember these key principles:
π Key Takeaways:
- Defense in Depth: Use multiple layers of security
- Least Privilege: Grant minimal permissions needed
- Automation: Automate security responses where possible
- Monitoring: You can't protect what you can't see
- Encryption: Encrypt data at rest and in transit
- Assume Breach: Plan for incidents, not just prevention
- Continuous Improvement: Security is a journey, not a destination
Alex: What's the single most important thing to remember?
Maya: If I had to pick one thing: Identity is your foundation. Get IAM right, and everything else becomes easier. Get it wrong, and nothing else matters.
Also, remember: Security is everyone's responsibility, not just the security team's. Make security easy and automatic for developers, and they'll follow best practices.
Alex: Thanks, Maya! Time to implement all this.
Maya: Good luck! And remember - start small, build incrementally, and don't try to do everything at once. Feel free to ping me when you have questions!
Additional Resources
Documentation:
- AWS Security Documentation: https://docs.aws.amazon.com/security/
- AWS Well-Architected Security Pillar: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/
- AWS Security Blog: https://aws.amazon.com/blogs/security/
Training:
- AWS Security Fundamentals (free digital course)
- AWS Certified Security - Specialty certification
- AWS Security workshops: https://workshops.aws/
Tools:
- AWS Security Reference Architecture: Pre-built security patterns
- IAM Policy Simulator: Test IAM policies before deploying
- Access Analyzer: Find unintended resource access
- Trusted Advisor: Automated security recommendations
This conversation-based guide covers the core AWS security services. For specific implementation details, always refer to the official AWS documentation and consider your organization's specific compliance and security requirements.
Top comments (0)