AWS Security and Compliance

Security in AWS is a shared responsibility between AWS and the customer. AWS secures the physical infrastructure — data centers, hardware, and the hypervisor layer. The customer secures everything built on top — the operating system, applications, data, and access controls. Understanding this model and using the right AWS security services is essential for building safe, compliant cloud environments.

The AWS Shared Responsibility Model

+---------------------------------------------------+
|           CUSTOMER RESPONSIBILITY                 |
|  Data encryption, IAM permissions, OS patching,   |
|  network configuration, application security      |
+---------------------------------------------------+
|              AWS RESPONSIBILITY                   |
|  Physical data centers, hardware, hypervisor,     |
|  managed service infrastructure (RDS, Lambda)     |
+---------------------------------------------------+

For managed services like RDS or Lambda, AWS takes more responsibility — the customer does not patch the database engine or the Lambda runtime. For EC2, the customer is responsible for patching the operating system and application.

AWS Key Management Service (KMS)

AWS KMS is a managed service for creating and controlling encryption keys. It integrates with nearly every AWS service — S3, RDS, EBS, DynamoDB, Lambda — to encrypt data at rest.

Key Types

  • AWS Managed Keys: Created and managed automatically by AWS for specific services. No control over key rotation or access policy.
  • Customer Managed Keys (CMK): Created by the customer. Full control over key policy, rotation, and deletion. Can be disabled or revoked.
  • Customer Provided Keys: Bring your own key material from an external HSM (Hardware Security Module).

Envelope Encryption

KMS uses envelope encryption to protect large amounts of data efficiently:

Data Key (generated by KMS) → encrypts the actual data
              |
Master Key (CMK in KMS) → encrypts the data key
              |
Only encrypted data + encrypted data key stored — master key never leaves KMS
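The envelope flow above, as an added example in Python (not AWS's or this page's code): a MockKMS class stands in for the KMS GenerateDataKey and Decrypt operations, and since the standard library has no AES-GCM, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AEAD the real SDKs use. The key-handling steps are the point, not the cipher.

```python
import hashlib
import hmac
import secrets

# Stdlib stand-in for AES-GCM: HMAC-SHA256 keystream in counter mode, then an
# HMAC tag (encrypt-then-MAC), with separate sub-keys derived for each purpose.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream_xor(enc_key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)                 # fresh per message, never reused
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _keystream_xor(enc_key, nonce, ct)

class MockKMS:
    """Mirrors KMS GenerateDataKey / Decrypt; the master key never leaves this object."""
    def __init__(self):
        self._master_key = secrets.token_bytes(32)
    def generate_data_key(self):
        plaintext_key = secrets.token_bytes(32)
        return plaintext_key, seal(self._master_key, plaintext_key)
    def decrypt(self, encrypted_key):
        return unseal(self._master_key, encrypted_key)

def encrypt_object(kms, data):
    data_key, wrapped_key = kms.generate_data_key()  # 1. fresh data key (plain + wrapped)
    ciphertext = seal(data_key, data)                 # 2. encrypt locally with the plain key
    # 3. keep only ciphertext + wrapped key; the plaintext data key is not stored
    return {"encrypted_data_key": wrapped_key, "ciphertext": ciphertext}

def decrypt_object(kms, record):
    data_key = kms.decrypt(record["encrypted_data_key"])  # KMS unwraps; master key stays inside
    return unseal(data_key, record["ciphertext"])
```

Disabling or deleting the CMK is what makes the stored records unreadable: without MockKMS.decrypt, the wrapped data key can never be recovered.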

AWS Shield

AWS Shield protects AWS applications against DDoS (Distributed Denial of Service) attacks — attacks that flood a server with traffic until it becomes unavailable.

  • AWS Shield Standard: Free, automatically active for all AWS customers. Protects against common network and transport layer DDoS attacks on Route 53, CloudFront, and Elastic Load Balancers.
  • AWS Shield Advanced: Paid ($3,000/month). Provides enhanced protection against larger, more sophisticated attacks. Includes 24/7 access to the AWS DDoS Response Team (DRT) and cost protection (DDoS scaling charges are waived).

AWS WAF (Web Application Firewall)

AWS WAF protects web applications from common web exploits. It works at the HTTP layer, filtering malicious requests before they reach the application. WAF integrates with CloudFront, ALB, API Gateway, and AppSync.

WAF rules can block or allow traffic based on:

  • IP address or IP range (block specific countries or known attacker IPs)
  • HTTP headers, body, URI strings
  • SQL injection patterns
  • Cross-site scripting (XSS) patterns
  • Rate limiting (block IPs making more than X requests per minute)
  • Geographic location

AWS Managed Rule Groups

AWS provides pre-built WAF rule groups that cover common threats — the OWASP Top 10, known malicious IP addresses, and automated bot traffic — without requiring security expertise to write custom rules.

Amazon GuardDuty

GuardDuty is an intelligent threat detection service that continuously monitors AWS accounts for malicious activity and unauthorized behavior. It analyzes:

  • CloudTrail logs (API calls)
  • VPC Flow Logs (network traffic)
  • DNS logs (domain lookups)
  • S3 data event logs

GuardDuty uses machine learning and threat intelligence to detect anomalies — unusual API calls, access from unexpected countries, cryptocurrency mining activity, or compromised EC2 instances communicating with known malicious IPs.

GuardDuty Finding Example:
  Type: Recon:IAMUser/MaliciousIPCaller
  Severity: High
  Detail: IAM credentials used from a known malicious IP address.
  Action: Disable compromised IAM user immediately.

AWS Inspector

AWS Inspector automatically assesses EC2 instances and container images for software vulnerabilities and unintended network exposure. It produces a list of findings prioritized by severity (Critical, High, Medium, Low) with remediation steps.

Inspector checks for:

  • Known CVEs (Common Vulnerabilities and Exposures) in installed packages
  • Network accessibility (ports open to the internet that should not be)
  • Outdated software versions

AWS CloudTrail

CloudTrail records every API call made in the AWS account — who did what, when, and from where. Every action in the console, CLI, or SDK creates a CloudTrail event.

CloudTrail Event Example:
  Event: DeleteBucket
  User: arn:aws:iam::123456789:user/Ravi
  Time: 2024-03-15T14:32:00Z
  Source IP: 103.45.67.89
  Resource: my-customer-data-bucket

CloudTrail is critical for security audits, compliance investigations, and detecting unauthorized activity. Logs are stored in S3 and can be queried with Athena.
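As an added example, not part of the original page: a small detector in Python over constructed CloudTrail records laid out in CloudTrail's JSON field format, flagging destructive or logging-disabling API calls (the DeleteBucket event above among them) and console sign-ins without MFA. The DESTRUCTIVE set and the TRUSTED_NETS range are assumed policy for the example, not AWS defaults.

```python
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records (not real logs); field names follow CloudTrail's JSON format.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-15T14:32:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "103.45.67.89",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Ravi"},
     "requestParameters": {"bucketName": "my-customer-data-bucket"}},
    {"eventTime": "2024-03-15T14:35:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "103.45.67.89",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Ravi"}},
    {"eventTime": "2024-03-15T09:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Priya"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-15T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Priya"}},
]

# Calls that destroy data or blind the audit trail: always worth an alert (assumed policy).
DESTRUCTIVE = {"DeleteBucket", "StopLogging", "DeleteTrail", "DeleteFlowLogs"}
# Constructed corporate egress range; console sign-ins from elsewhere are flagged.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

def analyze(record):
    """Return (severity, reason) alerts for one CloudTrail record."""
    alerts = []
    name = record.get("eventName")
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    src = record.get("sourceIPAddress", "")
    if name in DESTRUCTIVE:
        alerts.append(("HIGH", f"{actor} called {name} from {src}"))
    if name == "ConsoleLogin":
        if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("HIGH", f"{actor} signed in without MFA from {src}"))
        if not any(ip_address(src) in net for net in TRUSTED_NETS):
            alerts.append(("MEDIUM", f"{actor} console sign-in from untrusted IP {src}"))
    return alerts

def scan(records):
    """Alerts for a batch, e.g. the 'Records' array of one CloudTrail log file."""
    return [(r["eventTime"], sev, why) for r in records for sev, why in analyze(r)]
```

The same logic expressed as an Athena query over the S3-delivered logs gives the historical view; this in-process form is what an EventBridge-triggered Lambda would run for near-real-time alerting.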

AWS Config

AWS Config continuously monitors and records the configuration state of AWS resources. It evaluates resources against defined compliance rules and alerts when rules are violated.

Example Config rules:

  • S3 buckets must not be publicly accessible.
  • All EC2 instances must have encryption enabled on root volumes.
  • RDS instances must have Multi-AZ enabled in production.
  • IAM users must have MFA enabled.

Config shows the configuration history of any resource — what it looked like yesterday, last week, or last month — enabling root cause analysis of configuration-related incidents.
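An added example of how a custom Config rule evaluates a configuration item, written for this page rather than taken from it or from AWS: a Lambda handler in the shape Config invokes (invokingEvent delivered as a JSON string holding the configurationItem), implementing the first two rules listed above. The field names encrypted and PublicAccessBlockConfiguration are assumed to mirror the underlying EC2 and S3 APIs, and the sample event is constructed.

```python
import json

# Checks take a configurationItem's fields and return (compliance, annotation).
# Field names are assumed to mirror the underlying DescribeVolumes and
# GetPublicAccessBlock APIs, as Config's configuration items generally do.
def check_ebs_encrypted(configuration):
    if configuration.get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "EBS volume is not encrypted"

def check_s3_not_public(supplementary):
    pab = supplementary.get("PublicAccessBlockConfiguration") or {}
    if isinstance(pab, str):           # tolerate nested config delivered as JSON text
        pab = json.loads(pab)
    required = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")
    missing = [k for k in required if not pab.get(k)]
    if missing:
        return "NON_COMPLIANT", "public access block not enforced: " + ", ".join(missing)
    return "COMPLIANT", "all four public access block settings are on"

def evaluate_item(item):
    """Evaluate one configurationItem; unknown types are reported NOT_APPLICABLE."""
    rtype = item["resourceType"]
    if rtype == "AWS::EC2::Volume":
        compliance, note = check_ebs_encrypted(item.get("configuration") or {})
    elif rtype == "AWS::S3::Bucket":
        compliance, note = check_s3_not_public(item.get("supplementaryConfiguration") or {})
    else:
        compliance, note = "NOT_APPLICABLE", "rule does not cover " + rtype
    return {"ComplianceResourceType": rtype, "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item.get("configurationItemCaptureTime")}

def lambda_handler(event, context=None):
    """Config custom rule entry point; invokingEvent arrives as a JSON string."""
    invoking = json.loads(event["invokingEvent"])
    evaluation = evaluate_item(invoking["configurationItem"])
    # In AWS the result is reported back with:
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed invocation: the page's bucket with only the ACL half of the block enabled.
SAMPLE_EVENT = {"resultToken": "PLACEHOLDER-TOKEN", "invokingEvent": json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::S3::Bucket", "resourceId": "my-customer-data-bucket",
                          "configurationItemCaptureTime": "2024-03-15T14:32:00.000Z",
                          "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
                              "blockPublicAcls": True, "ignorePublicAcls": True,
                              "blockPublicPolicy": False, "restrictPublicBuckets": False}}}})}
```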

Amazon Macie

Macie uses machine learning to automatically discover, classify, and protect sensitive data stored in S3 buckets. It detects personally identifiable information (PII) — names, credit card numbers, passport numbers, email addresses — and alerts when sensitive data is exposed or misconfigured.

AWS Security Hub

Security Hub aggregates security findings from multiple AWS services — GuardDuty, Inspector, Macie, Config, and third-party tools — into a single, unified dashboard. It scores the security posture of the AWS environment against industry standards like CIS AWS Foundations Benchmark and PCI DSS.

+----------------------------------------------------------+
|               AWS Security Hub Dashboard                 |
|                                                          |
|  Security Score: 78/100                                  |
|                                                          |
|  Critical Findings: 3     High: 12     Medium: 45        |
|                                                          |
|  Sources: GuardDuty | Inspector | Macie | Config | WAF   |
+----------------------------------------------------------+

Compliance Programs

AWS maintains compliance certifications for numerous global standards. Resources can be deployed in compliant environments without starting from scratch:

  • SOC 1, 2, 3 — Financial controls and security
  • ISO 27001, 27017, 27018 — Information security
  • PCI DSS — Payment card data security
  • HIPAA — US healthcare data
  • GDPR — European data privacy
  • FedRAMP — US government cloud

Summary

  • The Shared Responsibility Model defines what AWS secures (infrastructure) and what the customer secures (data, OS, access).
  • KMS manages encryption keys. Shield protects against DDoS. WAF filters malicious HTTP traffic.
  • GuardDuty detects threats using ML. Inspector finds software vulnerabilities. Macie discovers sensitive data in S3.
  • CloudTrail logs all API activity for auditing. AWS Config enforces configuration compliance rules.
  • Security Hub centralizes all security findings into one dashboard with an overall security score.
