Understanding AWS security is essential for the DVA-C02 exam. Key areas include identity and access management, encryption, and secrets management.
IAM Fundamentals
- Policies: JSON documents attached to users, groups, or roles that define allowed or denied actions on resources.
- Roles: Preferred over long-term access keys for granting permissions to AWS services (e.g., Lambda, EC2) or cross-account access.
- Least Privilege: Grant only the permissions required for a task. Exam questions often test whether a role has unnecessary permissions.
- STS (Security Token Service): Issues temporary credentials via
AssumeRole. Used for cross-account access and identity federation.
Resource-based policies (e.g., S3 bucket policies, Lambda resource policies) allow access from other accounts or services without assuming a role.
Encryption
- KMS (Key Management Service): Used to encrypt data at rest in services like S3, DynamoDB, RDS, and EBS. Supports AWS-managed keys and customer-managed keys (CMKs).
- Envelope Encryption: KMS encrypts a data key, which is then used to encrypt the actual data locally. This avoids sending large payloads to KMS.
- S3 Encryption Options: SSE-S3 (AWS-managed), SSE-KMS (customer visibility via KMS), SSE-C (customer-provided keys), and client-side encryption.
- In Transit: Use HTTPS/TLS for all API calls. AWS SDKs default to HTTPS.
Secrets and Configuration Management
- Secrets Manager: Stores and automatically rotates secrets (database passwords, API keys). Integrates with RDS natively. Charges per secret per month.
- Systems Manager Parameter Store: Stores configuration values and secrets. Standard tier is free; Advanced tier supports larger values and policies. SecureString parameters are encrypted via KMS.
- Key difference: Secrets Manager supports automatic rotation; Parameter Store does not rotate secrets natively but is lower cost.
Application-Level Security
- Cognito User Pools: Handles user authentication (sign-up, sign-in). Returns JWTs.
- Cognito Identity Pools: Exchanges tokens (from User Pools or third-party IdPs) for temporary AWS credentials via STS.
- API Gateway Authorization: Supports IAM authorization, Lambda authorizers (custom logic), and Cognito User Pool authorizers.
Never hard-code credentials in application code or store them in source control. Use IAM roles for compute resources and Secrets Manager or Parameter Store for sensitive values.