Identity and Access Management (IAM)
- Apply least privilege: grant only the permissions required to perform a task.
- Use IAM roles for EC2 instances, Lambda functions, and cross-account access instead of embedding long-term credentials.
- Use IAM policies (identity-based and resource-based) to control access; understand the difference between allow and explicit deny.
- Enable MFA for the root account and privileged IAM users.
Data Protection
- Encryption at rest: Use AWS KMS-managed keys (SSE-KMS), S3-managed keys (SSE-S3), or customer-provided keys (SSE-C) for S3. EBS volumes and RDS instances support KMS encryption.
- Encryption in transit: Enforce TLS/HTTPS using ACM certificates with CloudFront, ALB, or API Gateway. Use SSL/TLS for RDS connections.
- Secrets Manager stores and rotates database credentials and API keys; prefer it over hardcoding secrets or using SSM Parameter Store for credentials requiring automatic rotation.
Network Security
- Security Groups are stateful firewalls applied at the instance/ENI level; deny all inbound by default.
- Network ACLs (NACLs) are stateless and applied at the subnet level; rules are evaluated in order by rule number.
- Place sensitive resources (databases, application servers) in private subnets; expose only necessary services through public subnets or load balancers.
- Use VPC endpoints (Gateway for S3/DynamoDB; Interface for most other services) to keep traffic off the public internet.
- AWS WAF filters web exploits (SQL injection, XSS) at the application layer; attach to CloudFront, ALB, or API Gateway.
- AWS Shield Standard is included automatically; Shield Advanced adds enhanced DDoS protection for additional cost.
Monitoring and Threat Detection
- AWS CloudTrail logs all API calls; enable in all regions and store logs in a secured S3 bucket.
- Amazon GuardDuty uses machine learning to detect threats from CloudTrail, VPC Flow Logs, and DNS logs.
- AWS Config tracks resource configuration changes and evaluates compliance against rules.
- Amazon Inspector performs automated vulnerability assessments on EC2 instances and container images.
Key Exam Tips
- Prefer IAM roles over access keys whenever a service needs to call another AWS service.
- An explicit Deny always overrides Allow in IAM policy evaluation.
- S3 Block Public Access settings can override bucket and object ACLs — use this to prevent accidental public exposure.
- Security Groups cannot explicitly deny; use NACLs to block specific IP ranges.