LearningTree · AWS · Security

AWS Security —
Defense in Depth

Not a checklist of services — a layered defense strategy. AWS has 10+ security services. Understanding which layer each protects — identity, encryption, network, detection — is the real skill for both production architecture and certification exams.

The AWS Security Layer Model

AWS security is defense in depth — multiple layers, each protecting against different threats. If one layer fails, others still hold. The secret: never rely on a single security control. Layer identity + encryption + network + detection.

How AWS Security Services protect different layers

Security Service Categories — What Each Protects

   Layer Service Protects One-Liner 
 ① IdentityIAMWho can do whatUsers, roles, policies, least privilege
② EncryptionKMSData at restKey management, envelope encryption, HSM-backed
② CredentialsSecrets ManagerPasswords & keysStore, rotate, retrieve credentials securely
③ TransportACMData in transitFree TLS certs, auto-renewal, HTTPS everywhere
④ Network (L7)WAFHTTP attacksSQLi, XSS, bots, rate limiting, geo-blocking
④ Network (L3/4)ShieldDDoS attacksVolumetric floods, SYN/UDP attacks
⑤ DetectionGuardDutyThreats & anomaliesML-based threat detection, zero infrastructure
⑥ HardwareCloudHSMKey security (FIPS L3)Dedicated HSM, regulatory compliance
⑦ VulnerabilityInspectorCVEs in workloadsEC2 / ECR / Lambda CVE scanning, network exposure
⑧ Data SecurityMacieSensitive data in S3PII / PCI / HIPAA discovery, bucket misconfiguration
  

Layer	Service	Protects	One-Liner
① Identity	IAM	Who can do what	Users, roles, policies, least privilege
② Encryption	KMS	Data at rest	Key management, envelope encryption, HSM-backed
② Credentials	Secrets Manager	Passwords & keys	Store, rotate, retrieve credentials securely
③ Transport	ACM	Data in transit	Free TLS certs, auto-renewal, HTTPS everywhere
④ Network (L7)	WAF	HTTP attacks	SQLi, XSS, bots, rate limiting, geo-blocking
④ Network (L3/4)	Shield	DDoS attacks	Volumetric floods, SYN/UDP attacks
⑤ Detection	GuardDuty	Threats & anomalies	ML-based threat detection, zero infrastructure
⑥ Hardware	CloudHSM	Key security (FIPS L3)	Dedicated HSM, regulatory compliance
⑦ Vulnerability	Inspector	CVEs in workloads	EC2 / ECR / Lambda CVE scanning, network exposure
⑧ Data Security	Macie	Sensitive data in S3	PII / PCI / HIPAA discovery, bucket misconfiguration

🧠 Key Insight

These services are not alternatives — they protect different layers. A secure production system uses all of them together: IAM (identity) + KMS (encryption) + ACM (TLS) + WAF (app firewall) + Shield (DDoS) + GuardDuty (detection) + Inspector (CVE scanning) + Macie (data discovery).

Decision Guide — When to Use What

   You Need… Use Why 
 Control who can access AWS resourcesIAMPolicies, roles, conditions, federation, least privilege
Encrypt data at rest (S3, EBS, RDS)KMSManaged keys, envelope encryption, CloudTrail audit
Store & rotate database passwords/API keysSecrets ManagerAuto-rotation, IAM-controlled, never hardcode creds
Free HTTPS certificates with auto-renewalACMDNS validation, zero-touch renewal, ALB/CloudFront
Block SQL injection, XSS, bots, bad IPsWAFLayer 7 HTTP inspection, managed rules, rate limiting
DDoS protection with response teamShield Advanced24/7 SRT, cost protection, L7 DDoS mitigation
Detect compromised credentials or malwareGuardDutyML + threat intel, zero config, $5-20/month
Dedicated HSM, FIPS 140-2 Level 3CloudHSMSingle-tenant hardware, regulatory compliance
Scan EC2 / containers / Lambda for CVEsInspectorContinuous, automated, agentless for ECR/Lambda
Find PII / sensitive data in S3MacieML-based discovery, GDPR/HIPAA/PCI compliance
Store config safely (non-secret, free)SSM Parameter StoreHierarchical config, free tier, SecureString for sensitive
  

You Need…	Use	Why
Control who can access AWS resources	IAM	Policies, roles, conditions, federation, least privilege
Encrypt data at rest (S3, EBS, RDS)	KMS	Managed keys, envelope encryption, CloudTrail audit
Store & rotate database passwords/API keys	Secrets Manager	Auto-rotation, IAM-controlled, never hardcode creds
Free HTTPS certificates with auto-renewal	ACM	DNS validation, zero-touch renewal, ALB/CloudFront
Block SQL injection, XSS, bots, bad IPs	WAF	Layer 7 HTTP inspection, managed rules, rate limiting
DDoS protection with response team	Shield Advanced	24/7 SRT, cost protection, L7 DDoS mitigation
Detect compromised credentials or malware	GuardDuty	ML + threat intel, zero config, $5-20/month
Dedicated HSM, FIPS 140-2 Level 3	CloudHSM	Single-tenant hardware, regulatory compliance
Scan EC2 / containers / Lambda for CVEs	Inspector	Continuous, automated, agentless for ECR/Lambda
Find PII / sensitive data in S3	Macie	ML-based discovery, GDPR/HIPAA/PCI compliance
Store config safely (non-secret, free)	SSM Parameter Store	Hierarchical config, free tier, SecureString for sensitive

Architecture Patterns

3 Common Security Patterns — Public Web · Internal · Regulated

💡 Production Minimum

Every production account should have: Shield Standard (free) + GuardDuty ($5–20/mo) + IAM (free) + KMS ($1/key) + ACM (free) + WAF (if public, ~$10–30/mo). Total: under $50/month for excellent layered security.

Exam Insights

🎯 Exam Keywords → Service

“least privilege, who can access what, cross-account” → IAM
“encrypt S3/EBS/RDS, envelope encryption, key rotation” → KMS
“store database password, rotate credentials automatically” → Secrets Manager
“free HTTPS certificate, auto-renewal, CloudFront TLS” → ACM
“block SQL injection, XSS, rate limit HTTP requests” → WAF
“DDoS protection, response team, cost protection” → Shield Advanced
“detect compromised credentials, crypto mining, suspicious API” → GuardDuty
“FIPS 140-2 Level 3, dedicated HSM, single-tenant” → CloudHSM
“scan EC2 for CVEs, container image vulnerabilities, Lambda packages” → Inspector
“discover PII in S3, GDPR compliance, find sensitive data” → Macie
“store config cheaply, hierarchical parameters” → SSM Parameter Store
“certificate for CloudFront” → ACM in us-east-1

⚠️ Common Exam Traps

KMS ≠ Secrets Manager — KMS encrypts data; Secrets Manager stores & rotates credentials
Secrets Manager ≠ Parameter Store — SM has rotation + cross-account; PS is free + hierarchical
WAF ≠ Shield — WAF = Layer 7 HTTP content; Shield = Layer 3/4 volumetric DDoS
Shield Standard is always on (free); Shield Advanced costs $3K/month (opt-in)
ACM public certs cannot be exported to EC2 — use ALB/CloudFront for TLS termination
KMS = FIPS Level 2; CloudHSM = FIPS Level 3 — don't confuse them
GuardDuty detects threats; it does NOT block anything — you must automate responses
KMS controls who can decrypt data — both needed
Cross-account Secrets Manager requires custom CMK (aws/secretsmanager key won't work)
ACM CloudFront certificates MUST be in us-east-1 regardless of app region
Inspector finds vulnerabilities before exploitation; GuardDuty detects threats during/after — use both
Macie is S3-only — it cannot scan EBS, EFS, RDS, or other storage
Inspector requires SSM Agent on EC2; ECR and Lambda are agentless

Explore Each Service

① identity

AWS IAM

Users, roles, policies, federation, cross-account access. The foundation of all AWS security — 8 chapters from beginner to advanced.

② encryption

AWS KMS

Key management, envelope encryption, key policies, rotation, service integrations. 8-chapter deep dive into data-at-rest security.

② credentials

Secrets Manager

Store, retrieve, and rotate database passwords & API keys automatically. Never hardcode credentials again.

③–⑧ protection

WAF · ACM · CloudHSM · Shield · GuardDuty · Inspector · Macie

Seven services covering web firewall, TLS certificates, hardware HSM, DDoS protection, threat detection, vulnerability scanning, and sensitive data discovery.