Security Capabilities that AWS Provides (General Overview)
💡 Definition
Security capabilities that AWS provides refer to the set of services, features, and best practices built into the AWS Cloud to help customers protect their data, systems, and applications. Under the Shared Responsibility Model, AWS's protection of the underlying infrastructure is "security of the cloud"; the services listed here are the tools customers configure to deliver their own half, "security in the cloud."
🔑 Key Concepts
- Identity and Access Management:
- IAM: Users, groups, roles, and policies that control which principal may call which API action on which resource; supports MFA and least-privilege permissions.
- Detection and Monitoring:
- CloudTrail: Records API calls made in the account (management events by default; S3 and Lambda data events must be enabled separately) for auditing and security analysis.
- CloudWatch: Monitors resources and applications, enabling security-related alarms.
- Amazon GuardDuty: Intelligent threat detection for accounts and workloads.
- Amazon Inspector: Automated vulnerability scanning of EC2 instances, ECR container images, and Lambda functions.
- AWS Security Hub: Aggregates security findings and automates security checks.
- Infrastructure Protection:
- Security Groups: Stateful, allow-only firewall at the instance (ENI) level; return traffic for an allowed connection is permitted automatically.
- NACLs: Stateless, numbered allow/deny rules at the subnet level, evaluated lowest number first; return traffic needs its own rule (typically ephemeral ports 1024-65535).
- WAF: Web Application Firewall protecting against common web exploits.
- Shield: Managed DDoS protection. Shield Standard is always on at no charge; Shield Advanced adds larger-scale protection, cost protection, and response-team support for a fee.
- Network Firewall: Managed stateful network firewall for VPCs.
- Data Protection:
- KMS: Managed service for creating and controlling encryption keys.
- S3 Encryption: Server-side options (SSE-S3, SSE-KMS, SSE-C) and client-side encryption for object storage; new objects are encrypted server-side by default.
- Data at Rest & Data in Transit: Broad support for encrypting data wherever it resides or moves.
- Compliance & Governance:
- AWS Artifact: On-demand access to AWS security and compliance reports.
- AWS Config: Assesses, audits, and evaluates resource configurations against desired states.
- AWS Audit Manager: Automates evidence collection for audits.
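The Detection and Monitoring services above all start from the same raw material: CloudTrail records. The following added example (not code from the page or from AWS) triages a constructed batch of CloudTrail records and raises findings for a few high-risk API calls. The field names (`eventName`, `eventSource`, `userIdentity`, `requestParameters`, `additionalEventData`) are the real CloudTrail schema; the events, the severity rules and the `triage` function are this example's own choices, not a GuardDuty or Security Hub rule set.

```python
"""Triage constructed CloudTrail records for high-risk API activity.

Added example, not part of the original page or of any AWS service. Field
names follow the CloudTrail record schema; the records below are constructed
and the risk rules are illustrative.
"""
import json

# Constructed sample in the shape CloudTrail delivers to S3: {"Records": [...]}.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.5",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7"},
]})

# Calls that weaken logging or key material; treated as HIGH regardless of parameters.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}
KEY_TAMPER = {"ScheduleKeyDeletion", "DisableKey"}


def _world_open_ingress(record):
    """True if an AuthorizeSecurityGroupIngress call admits 0.0.0.0/0 or ::/0."""
    params = record.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in (perm.get(key) or {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0" or rng.get("cidrIpv6") == "::/0":
                    return True
    return False


def triage(raw_trail_json):
    """Return a list of findings (dicts) for the records that match a risk rule."""
    findings = []
    for rec in json.loads(raw_trail_json)["Records"]:
        name = rec.get("eventName")
        identity = rec.get("userIdentity") or {}
        actor = identity.get("userName") or identity.get("type")
        severity = reason = None
        if name == "ConsoleLogin" and identity.get("type") == "Root":
            mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
            severity = "CRITICAL" if mfa != "Yes" else "HIGH"
            reason = f"root console login (MFAUsed={mfa})"
        elif name in LOGGING_TAMPER:
            severity, reason = "HIGH", "CloudTrail logging changed or stopped"
        elif name == "AuthorizeSecurityGroupIngress" and _world_open_ingress(rec):
            severity, reason = "HIGH", "security group ingress opened to the world"
        elif name in KEY_TAMPER:
            severity, reason = "HIGH", "KMS key disabled or scheduled for deletion"
        if severity:
            findings.append({"time": rec["eventTime"], "severity": severity,
                             "actor": actor, "source_ip": rec.get("sourceIPAddress"),
                             "event": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TRAIL):
        print(f"{f['time']} {f['severity']:8} {f['actor']:6} {f['event']}: {f['reason']}")
```

The `ListBuckets` record produces no finding, which is the point of triage: the bulk of a trail is routine. Note that `AuthorizeSecurityGroupIngress` needs its request parameters inspected, not just its name; a rule that fires on every ingress change drowns the one that opened port 22 to the world.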
⚙️ How it Works
AWS designs its infrastructure with security as a top priority, offering physical security, global network protection, and a secure software development lifecycle. On top of this, AWS provides a vast array of services that customers can configure and integrate to secure their specific workloads. These services operate at different layers of the cloud environment, from network boundaries to data storage and identity management, giving customers granular control over their security posture.
🎯 Use Cases
- Implementing Defense in Depth: Applying multiple layers of security controls.
- Meeting Compliance Standards: Leveraging AWS's compliance and tools to satisfy regulatory requirements.
- Proactive Threat Detection: Automatically identifying and responding to potential security incidents.
- Protecting Sensitive Data: Ensuring data is encrypted and access is controlled throughout its lifecycle.
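Defense in depth at the network layer means a flow has to pass both the NACL at the subnet edge and the security group on the instance, and the two evaluate differently. The following added model (not AWS code; constructed addresses and rule sets) reproduces the documented rules, any matching allow permits for a stateful security group while the lowest-numbered matching rule decides for a stateless NACL, and shows the classic failure mode: an HTTPS request gets in, but the reply is dropped by the NACL because no outbound ephemeral-port rule exists. The `SecurityGroup`, `NetworkAcl`, `Rule` and `Packet` classes are this example's own abstractions.

```python
"""Stateful security group vs stateless NACL, evaluated on the same HTTPS flow.

Added illustration, not AWS code. Addresses, ports and rule sets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The response packet of the same flow, endpoints swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", "icmp" or "-1" for all
    from_port: int
    to_port: int
    cidr: str              # remote side: source for inbound, destination for outbound
    action: str = "allow"  # security groups only allow; NACLs may also deny
    number: int = 0        # NACL rule number; ignored by security groups

    def matches(self, remote_ip, port, proto):
        return (self.proto in ("-1", proto)
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


def _remote_ip(pkt, direction):
    return pkt.src_ip if direction == "in" else pkt.dst_ip


class SecurityGroup:
    """Instance (ENI) level, stateful, allow-only, implicit deny."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()  # flows an earlier rule match admitted

    def allows(self, pkt, direction):
        flow = frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})
        if flow in self._tracked:  # return traffic of an admitted flow needs no rule
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(_remote_ip(pkt, direction), pkt.dst_port, pkt.proto) for r in rules):
            self._tracked.add(flow)
            return True
        return False


class NetworkAcl:
    """Subnet level, stateless, numbered allow/deny rules, implicit deny ('*')."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        for r in rules:  # first match in rule-number order decides
            if r.matches(_remote_ip(pkt, direction), pkt.dst_port, pkt.proto):
                return r.action == "allow"
        return False  # the final '*' deny


def evaluate_https_flow(nacl_outbound):
    """Client 203.0.113.10 -> web instance 10.0.1.20:443, then the reply.

    Inbound traffic meets the NACL (subnet edge) before the security group; the
    reply meets them in the opposite order. The security group deliberately has
    no outbound rules so that state tracking alone explains its verdict."""
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    nacl = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                      outbound=nacl_outbound)
    request = Packet("203.0.113.10", 51515, "10.0.1.20", 443)
    reply = request.reply()
    return {
        "request_in": nacl.allows(request, "in") and sg.allows(request, "in"),
        "sg_reply_out": sg.allows(reply, "out"),
        "nacl_reply_out": nacl.allows(reply, "out"),
    }


def nacl_ordering_demo():
    """A deny at rule 90 beats an allow at rule 100 for the range it covers."""
    nacl = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100),
                               Rule("tcp", 443, 443, "192.0.2.0/24", "deny", 90)],
                      outbound=[])
    blocked = Packet("192.0.2.5", 40000, "10.0.1.20", 443)
    allowed = Packet("203.0.113.10", 40000, "10.0.1.20", 443)
    return nacl.allows(blocked, "in"), nacl.allows(allowed, "in")


if __name__ == "__main__":
    print("no ephemeral outbound rule:", evaluate_https_flow([]))
    print("with ephemeral outbound rule:",
          evaluate_https_flow([Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)]))
    print("NACL ordering (blocked, allowed):", nacl_ordering_demo())
```

With an empty NACL outbound rule set the request is admitted but `nacl_reply_out` is `False`: the security group remembers the connection, the NACL does not. Adding an outbound allow for TCP 1024-65535 fixes it, which is why the default NACL ships with allow-all rules in both directions and why a custom NACL that only mirrors the inbound rules silently breaks every TCP service behind it.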
💰 Pricing Model
- Many foundational security features (IAM, Security Groups, NACLs, Shield Standard, CloudTrail's default management-event trail) are free. Dedicated security services (Shield Advanced, WAF, KMS, Amazon GuardDuty, Amazon Inspector, AWS Security Hub) typically incur costs based on usage (e.g., number of requests, data processed, keys stored, resources scanned).
📝 Exam Tips (CLF-C02)
- Keywords: "Security of the cloud", "Security in the cloud", "Defense in depth", "Compliance".
- Remember the Shared Responsibility Model when considering what AWS secures versus what the customer secures.
- Familiarize yourself with the core purpose of key security services like IAM, Shield, WAF, KMS, CloudTrail, and AWS Config.
See Also:
- Shared Responsibility Model
- IAM
- Shield
- WAF
- Security Group
- NACL
- KMS
- Amazon Inspector
- Amazon GuardDuty
- AWS Security Hub