Understand WAF, Shield, KMS, GuardDuty, Inspector, and the Shared Responsibility Model. Security is heavily tested in SAA-C03.
AWS Security Services — Protect Everything
Security is EVERYONE's responsibility on AWS. AWS protects the hardware and infrastructure. YOU protect your data, applications, identity, and configurations.
Teacher Note: AWS security is like renting an apartment. The building owner (AWS) maintains the walls, roof, locks, and security cameras in the lobby. You (the customer) are responsible for locking your apartment door, not leaving valuables visible, and managing who has your key.
Key Security Services
| Service | What It Does | Think of It As |
|---|---|---|
| AWS WAF | Web Application Firewall — blocks SQL injection, XSS, DDoS | Bouncer at your API's door |
| AWS Shield | DDoS protection — Standard (free) and Advanced ($3,000/month) | Riot shield for your application |
| AWS KMS | Key Management Service — creates and manages encryption keys | Keymaster for all your encryption |
| Secrets Manager | Stores and auto-rotates database passwords, API keys | Secure password manager with auto-change |
| GuardDuty | Threat detection using ML — finds compromised accounts, crypto miners | Security detective for your account |
| Inspector | Scans EC2 and Lambda for CVEs (security vulnerabilities) | Automated security vulnerability scanner |
| Macie | Discovers sensitive data (PII, credit cards) in S3 | Data privacy detective |
| Security Hub | Central dashboard for all security findings | Security operations centre dashboard |
| CloudTrail | API audit trail — who did what, when | Security CCTV for your AWS account |
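CloudTrail only answers "who did what, when" if somebody reads the trail. The script below, an added illustration rather than code from this page, triages a constructed CloudTrail log file (same record shape as a real delivery: a JSON object with a "Records" list, each record carrying eventName, userIdentity, sourceIPAddress and requestParameters) and pulls out the events a defender cares about first: root account use, changes to logging, privilege grants and S3 policy changes. The rule set and severity labels are assumptions chosen for the example, not GuardDuty's logic.

```python
"""Triage CloudTrail records for the events a defender most wants to see.

Added illustration for the CloudTrail row above, not code from the page.
The records are constructed samples in the CloudTrail record shape
(eventName, userIdentity, sourceIPAddress, requestParameters). The rule
set and severities are assumptions chosen for this example, not AWS or
GuardDuty logic.
"""
import json

# Event names that change what gets audited, who has power, or what is public.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}
PRIV_CHANGE = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
               "PutRolePolicy", "CreateAccessKey"}
DATA_EXPOSURE = {"PutBucketPolicy", "PutBucketAcl"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample log file: CloudTrail delivers a JSON object with a "Records" list.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:01:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-10T08:05:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-10T08:06:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-10T08:07:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob", "policyArn": ADMIN_POLICY},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "userName": "ops-role"},
     "sourceIPAddress": "10.0.0.12"},
]})


def load_records(text):
    """Parse a CloudTrail log file body and return its record list."""
    return json.loads(text).get("Records", [])


def actor(record):
    """Who did it: the IAM user name, else the identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def classify(record):
    """Return (severity, reason) for a record worth a look, or None for noise."""
    name = record.get("eventName", "")
    if record.get("userIdentity", {}).get("type") == "Root":
        return "HIGH", "root account activity"
    if name in LOGGING_TAMPER:
        return "HIGH", "audit logging changed"
    if name in PRIV_CHANGE:
        params = record.get("requestParameters") or {}
        if params.get("policyArn") == ADMIN_POLICY:
            return "HIGH", "AdministratorAccess granted"
        return "MEDIUM", "IAM permission change"
    if name in DATA_EXPOSURE:
        return "MEDIUM", "S3 access policy changed"
    return None


def triage(records):
    """Walk the records and keep who did what, when, from where, and why it matters."""
    findings = []
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        severity, reason = hit
        findings.append({"time": rec.get("eventTime"), "severity": severity,
                         "event": rec.get("eventName"), "actor": actor(rec),
                         "sourceIp": rec.get("sourceIPAddress"), "reason": reason})
    return findings


def by_actor(findings):
    """Count findings per actor; a burst from one identity is the pattern to chase."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(load_records(SAMPLE_TRAIL_FILE))
    for h in hits:
        print(f'{h["time"]} {h["severity"]:6} {h["actor"]:6} {h["event"]:18} {h["reason"]}')
    print(by_actor(hits))
```

Run as-is it prints four findings from the sample, three of them by the same user within two minutes, which is the kind of sequence (disable logging, open a bucket, grant admin) that should page someone. In practice the same logic sits behind an EventBridge rule or a GuardDuty finding rather than a script over downloaded files.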
Encryption — Protecting Data
| Where | Service | Notes |
|---|---|---|
| In transit | TLS/HTTPS | ACM provides free SSL certificates |
| At rest — S3 | SSE-S3 or SSE-KMS | KMS provides audit trail of key usage |
| At rest — EBS | EBS Encryption with KMS | Enabled per volume at creation |
| At rest — RDS | RDS Encryption with KMS | Enabled at instance creation — cannot add later |
| Secrets | Secrets Manager | Auto-rotates RDS passwords via Lambda |
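The "auto-rotates RDS passwords via Lambda" row hides a four-step protocol that is worth seeing end to end. The example below is an added illustration, not code from this page or from AWS's rotation templates: the step names (createSecret, setSecret, testSecret, finishSecret), the AWSCURRENT and AWSPENDING staging labels and the event fields SecretId, ClientRequestToken and Step are the real Secrets Manager rotation contract, while FakeSecretsManager and FakeDatabase are constructed stand-ins for the boto3 client and the RDS instance so the flow runs offline.

```python
"""Secrets Manager rotation, walked through its four Lambda steps offline.

Added illustration for the "Secrets" row above, not code from the page.
The step names, staging labels and event fields are the real rotation
contract; FakeSecretsManager and FakeDatabase are constructed stand-ins
for the boto3 client and the RDS database.
"""
import json
import secrets
import string


class FakeSecretsManager:
    """In-memory stand-in for the boto3 secretsmanager client (constructed)."""

    def __init__(self, initial_secret):
        self.versions = {"v0": {"string": json.dumps(initial_secret),
                                "stages": {"AWSCURRENT"}}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(d["stages"])
                                       for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, d in self.versions.items():
            if vid == VersionId or (VersionStage and VersionStage in d["stages"]):
                return {"VersionId": vid, "SecretString": d["string"]}
        raise KeyError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        # The request token becomes the version id, which is what makes retries idempotent.
        self.versions[ClientRequestToken] = {"string": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        # Real AWS also relabels the old version AWSPREVIOUS; omitted here for brevity.
        self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
        self.versions[MoveToVersionId]["stages"].add(VersionStage)


class FakeDatabase:
    """Stand-in for the RDS instance whose password is being rotated (constructed)."""

    def __init__(self, username, password):
        self.creds = {username: password}

    def set_password(self, username, password):
        self.creds[username] = password

    def login(self, username, password):
        return self.creds.get(username) == password


def new_password(length=32):
    # Characters that break connection strings or JSON are left out, as the
    # rotation templates do with ExcludeCharacters.
    alphabet = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in "/@\"'\\")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def handler(event, sm, db):
    """One rotation step, in the shape of the Lambda entry point."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        try:
            sm.get_secret_value(SecretId=secret_id, VersionId=token)
            return  # already created on an earlier attempt
        except KeyError:
            pass
        current = json.loads(sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])
        current["password"] = new_password()
        sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                            SecretString=json.dumps(current), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = json.loads(sm.get_secret_value(SecretId=secret_id, VersionId=token)["SecretString"])
        db.set_password(pending["username"], pending["password"])
    elif step == "testSecret":
        pending = json.loads(sm.get_secret_value(SecretId=secret_id, VersionId=token)["SecretString"])
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("pending credential rejected; AWSCURRENT left untouched")
    elif step == "finishSecret":
        stages = sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        if current_id != token:
            sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown step {step}")


def rotate(sm, db, secret_id="prod/db", token="v1"):
    """Drive all four steps in order, as Secrets Manager invokes the Lambda."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, sm, db)
    return json.loads(sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])


if __name__ == "__main__":
    sm = FakeSecretsManager({"username": "app", "password": "initial-pw"})
    db = FakeDatabase("app", "initial-pw")
    print(rotate(sm, db))
```

The ordering is the whole point: the new password is stored under AWSPENDING first, pushed to the database second, verified third, and only then promoted to AWSCURRENT. If the testSecret step fails, applications keep reading the old, still-valid AWSCURRENT value, and a retried rotation reuses the same ClientRequestToken so createSecret does not mint a second password.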
The Shared Responsibility Model
AWS Responsibility (Security OF the cloud):
- Physical data center security
- Hardware and network infrastructure
- Managed service patching (RDS, Lambda, S3)

Customer Responsibility (Security IN the cloud):
- IAM user management and permissions
- Data encryption
- Application security
- Operating system patching (on EC2)
- Security group and NACL configuration
Exam Tip: Shared Responsibility Model is a guaranteed exam topic. For managed services (S3, DynamoDB, Lambda): AWS manages more of the stack. For EC2: you manage the OS, patches, and application. Remember: AWS never manages YOUR data — encryption, access control, and data classification are always YOUR responsibility.
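The customer-side list above is exactly what a posture check has to cover, since AWS will not do it for you. The script below is an added illustration, not code from this page or from Security Hub: it runs a handful of shared-responsibility checks (encryption at rest on EBS and RDS, default encryption on S3, MFA on console users, admin ports open to the internet in security groups) over a constructed inventory. The security group, volume and RDS entries use the field names the EC2 and RDS APIs return (IpPermissions, CidrIp, Encrypted, StorageEncrypted); the bucket and IAM entries are flattened summaries assumed for the example, and the severities are my choice.

```python
"""Check the customer's side of the shared responsibility model.

Added illustration for the customer-responsibility list above, not code
from the page. INVENTORY is constructed; EC2/RDS field names follow the
real APIs, the bucket and IAM entries are flattened summaries assumed for
the example, and a real check would pull the inventory through boto3.
"""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Constructed inventory, deliberately mixing compliant and non-compliant resources.
INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-all", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    ],
    "volumes": [{"VolumeId": "vol-1", "Encrypted": True},
                {"VolumeId": "vol-2", "Encrypted": False}],
    "rds_instances": [{"DBInstanceIdentifier": "orders", "StorageEncrypted": False}],
    "buckets": [{"Name": "logs", "DefaultEncryption": "aws:kms"},
                {"Name": "uploads", "DefaultEncryption": None}],
    "iam_users": [{"UserName": "alice", "ConsoleAccess": True, "MFAEnabled": True},
                  {"UserName": "bob", "ConsoleAccess": True, "MFAEnabled": False}],
}


def rule_open_to_world(perm):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))


def rule_covers_admin_port(perm):
    """True if the rule's port range includes SSH or RDP (or all protocols)."""
    if perm.get("IpProtocol") == "-1":
        return True  # all protocols, all ports
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check(inventory):
    """Return (severity, resource, reason) for every customer-side gap found."""
    findings = []
    for sg in inventory.get("security_groups", []):
        for perm in sg["IpPermissions"]:
            if rule_open_to_world(perm) and rule_covers_admin_port(perm):
                findings.append(("HIGH", sg["GroupId"], "admin port reachable from the internet"))
    for vol in inventory.get("volumes", []):
        if not vol.get("Encrypted"):
            findings.append(("MEDIUM", vol["VolumeId"], "EBS volume not encrypted"))
    for dbi in inventory.get("rds_instances", []):
        if not dbi.get("StorageEncrypted"):
            # Must be chosen at creation; the fix is a new encrypted instance, not a toggle.
            findings.append(("HIGH", dbi["DBInstanceIdentifier"], "RDS storage not encrypted"))
    for b in inventory.get("buckets", []):
        if not b.get("DefaultEncryption"):
            findings.append(("MEDIUM", b["Name"], "S3 bucket has no default encryption"))
    for u in inventory.get("iam_users", []):
        if u.get("ConsoleAccess") and not u.get("MFAEnabled"):
            findings.append(("HIGH", u["UserName"], "console user without MFA"))
    return findings


def summary(findings):
    """Count findings per severity, the number a dashboard would show first."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = check(INVENTORY)
    for sev, res, why in results:
        print(f"{sev:6} {res:12} {why}")
    print(summary(results))
```

Note which findings are cheap to fix and which are not: MFA and a security group rule are a console click, default bucket encryption is a setting, but the unencrypted RDS instance maps straight to the "cannot add later" note in the encryption table, which is why it is rated HIGH here.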