2.3 AWS Security Services
Key Takeaways
- AWS Shield provides DDoS protection: Shield Standard (free, automatic) protects all AWS customers; Shield Advanced (paid) provides enhanced protection with 24/7 DDoS response team.
- AWS WAF (Web Application Firewall) protects web applications from common exploits like SQL injection and cross-site scripting (XSS).
- Amazon GuardDuty uses machine learning to continuously monitor for malicious activity and unauthorized behavior in your AWS environment.
- Amazon Inspector automatically assesses EC2 instances and container images for software vulnerabilities and unintended network exposure.
- AWS CloudTrail logs every API call made in your AWS account — essential for auditing, compliance, and security investigation.
AWS Security Services
AWS provides a comprehensive suite of security services that protect your workloads at every layer. For the CLF-C02 exam, you need to know what each service does and when to use it.
Network and Application Protection
AWS Shield — DDoS Protection
AWS Shield protects against Distributed Denial of Service (DDoS) attacks.
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (automatic) | $3,000/month + data transfer |
| Protection Level | Common network-layer attacks | Sophisticated, large-scale attacks |
| Coverage | All AWS customers, automatic | Must be enabled per resource |
| DDoS Response Team | No | Yes (24/7 AWS DDoS Response Team) |
| Cost Protection | No | Yes (credits for DDoS-related scaling) |
| Visibility | Basic | Real-time attack visibility, diagnostics |
| Integrations | CloudFront, Route 53, ELB | CloudFront, Route 53, ELB, EC2, Global Accelerator |
On the Exam: If a question asks about DDoS protection, the answer is AWS Shield. If they mention COST protection during a DDoS attack or access to a 24/7 response team, it is Shield Advanced.
AWS WAF — Web Application Firewall
AWS WAF protects web applications from common web exploits and bots. It lets you create rules that control which traffic reaches your applications.
What WAF protects against and what its rules can enforce:
- SQL injection — Malicious SQL code in input fields
- Cross-site scripting (XSS) — Injecting malicious scripts into web pages
- Geo-blocking — Block traffic from specific countries
- Rate limiting — Prevent abuse by limiting request rates
- Bot management — Block or allow specific bots
WAF can be deployed on:
- Amazon CloudFront (CDN)
- Application Load Balancer (ALB)
- Amazon API Gateway
- AWS AppSync
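Added example, not from this page or from AWS: a web ACL shaped like the keyword arguments of boto3's `wafv2.create_web_acl()` that expresses three of the rule types above (an AWS managed SQL injection rule group, geo-blocking, and rate limiting), plus a small lint for two constraints the WAFv2 API enforces on every rule. Names, country codes and limits are illustrative, and nothing here is sent to AWS.

```python
"""Constructed AWS WAFv2 web ACL matching the rule types listed above; shaped
like boto3's wafv2.create_web_acl() kwargs. Nothing here talks to AWS."""
from typing import Any, Dict, List

RULE_GROUP_STATEMENTS = {"ManagedRuleGroupStatement", "RuleGroupReferenceStatement"}


def visibility(name: str) -> Dict[str, Any]:
    """VisibilityConfig that WAF requires on the ACL and on every rule."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def build_web_acl(blocked_countries: List[str], rate_limit: int) -> Dict[str, Any]:
    """Web ACL for a REGIONAL resource (ALB, API Gateway, AppSync)."""
    rules = [
        # SQL injection: AWS managed rule group. A rule group takes
        # OverrideAction (None = keep the group's own verdicts), never Action.
        {"Name": "AWSSQLi", "Priority": 0,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
         "OverrideAction": {"None": {}}, "VisibilityConfig": visibility("AWSSQLi")},
        # Geo-blocking by ISO 3166 alpha-2 country code.
        {"Name": "GeoBlock", "Priority": 1,
         "Statement": {"GeoMatchStatement": {"CountryCodes": blocked_countries}},
         "Action": {"Block": {}}, "VisibilityConfig": visibility("GeoBlock")},
        # Rate limiting: requests per source IP within WAF's rolling window.
        {"Name": "RateLimit", "Priority": 2,
         "Statement": {"RateBasedStatement": {"Limit": rate_limit,
                                              "AggregateKeyType": "IP"}},
         "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimit")},
    ]
    return {"Name": "demo-web-acl", "Scope": "REGIONAL",
            "DefaultAction": {"Allow": {}}, "Rules": rules,
            "VisibilityConfig": visibility("demo-web-acl")}


def lint_web_acl(acl: Dict[str, Any]) -> List[str]:
    """Flag the mistakes the WAFv2 API rejects, before the call is made."""
    problems, seen = [], set()
    for rule in acl["Rules"]:
        name, prio = rule["Name"], rule["Priority"]
        if prio in seen:
            problems.append(f"{name}: duplicate priority {prio}")
        seen.add(prio)
        is_group = bool(RULE_GROUP_STATEMENTS & set(rule["Statement"]))
        if ("OverrideAction" in rule) != is_group or ("Action" in rule) == is_group:
            problems.append(f"{name}: rule groups take OverrideAction, others take Action")
    return problems
```

Rules are evaluated in ascending priority, so the managed SQLi group runs first and the default action only applies to requests no rule matched.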
AWS Firewall Manager
AWS Firewall Manager simplifies the administration of firewall rules across multiple accounts and resources in an AWS Organization. It works with WAF, Shield Advanced, Security Groups, and Network Firewall.
Threat Detection and Monitoring
Amazon GuardDuty — Intelligent Threat Detection
Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior.
How it works:
- Analyzes AWS CloudTrail logs, VPC Flow Logs, and DNS logs
- Uses machine learning, anomaly detection, and integrated threat intelligence
- Detects threats like cryptocurrency mining, unauthorized access, compromised instances
- Generates findings with severity levels (Low, Medium, High)
No infrastructure to manage — just enable it with one click.
Amazon Inspector — Vulnerability Assessment
Amazon Inspector automatically discovers and scans workloads for software vulnerabilities and unintended network exposure.
What Inspector scans:
- EC2 instances — OS vulnerabilities, missing patches
- Container images in Amazon ECR — Known vulnerabilities (CVEs)
- Lambda functions — Code vulnerabilities and dependencies
Key feature: Provides a risk score for each finding based on the Common Vulnerability Scoring System (CVSS) and additional context like network reachability.
Amazon Detective — Security Investigation
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings. It automatically collects log data from AWS resources and uses machine learning to build a linked set of data for security investigation.
Use Detective when: You have a GuardDuty finding and need to investigate the full scope of the compromise.
Logging and Auditing
AWS CloudTrail — API Logging
AWS CloudTrail records all API calls made in your AWS account. Think of it as a security camera for your AWS activity.
What CloudTrail records:
| Detail | Information Captured |
|---|---|
| Who | The IAM identity that made the call |
| What | The API action (e.g., RunInstances, CreateBucket) |
| When | Date and time of the call |
| Where | Source IP address |
| Which | The resources involved |
Key features:
- Enabled by default for management events (90-day history)
- Create a trail to store events in S3 for long-term retention
- Integrates with CloudWatch Logs for real-time monitoring
- Essential for compliance auditing and forensic investigation
On the Exam: If a question asks "which service records API activity" or "who made changes to resources," the answer is AWS CloudTrail.
Amazon CloudWatch — Monitoring and Observability
While primarily a monitoring service, CloudWatch has security applications:
- CloudWatch Alarms — Alert on unusual activity (e.g., spike in failed logins)
- CloudWatch Logs — Centralize and search log data
- CloudWatch Events / EventBridge — Trigger automated responses to security events
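Added example, not part of the original page: the who/what/when/where fields from the CloudTrail table above, and the "spike in failed logins" alarm idea from the CloudWatch bullets, applied to constructed CloudTrail records. The metric filter pattern quoted in the code is the console authentication failure filter from the CIS AWS Foundations Benchmark; the account id, ARNs, IPs and bucket names are made up.

```python
"""Constructed CloudTrail records in log-file shape ({"Records": [...]}) plus two
queries: who/when/where for a bucket deletion, and failed console logins per IP.
Account id, ARNs, IPs and bucket names are placeholders, not real values."""
import json
from collections import Counter

ACCT = "111122223333"
ALICE, BOB = f"arn:aws:iam::{ACCT}:user/alice", f"arn:aws:iam::{ACCT}:user/bob"
CI = f"arn:aws:sts::{ACCT}:assumed-role/Deploy/ci"
FAIL = {"responseElements": {"ConsoleLogin": "Failure"},
        "errorMessage": "Failed authentication"}


def rec(time: str, name: str, ip: str, arn: str, **extra) -> dict:
    """Minimal CloudTrail record carrying the who/what/when/where fields."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, **extra}


SAMPLE_LOG = json.dumps({"Records": [
    rec("2024-05-01T09:12:44Z", "DeleteBucket", "203.0.113.10", ALICE,
        requestParameters={"bucketName": "finance-reports"}),
    rec("2024-05-01T09:13:02Z", "DeleteBucket", "198.51.100.7", CI,
        requestParameters={"bucketName": "staging-assets"}, errorCode="AccessDenied"),
    rec("2024-05-01T09:20:00Z", "ConsoleLogin", "198.51.100.7", BOB, **FAIL),
    rec("2024-05-01T09:20:31Z", "ConsoleLogin", "198.51.100.7", BOB, **FAIL),
    rec("2024-05-01T09:21:05Z", "ConsoleLogin", "203.0.113.10", ALICE,
        responseElements={"ConsoleLogin": "Success"}),
]})


def who_deleted_bucket(log_text: str, bucket: str) -> list:
    """Who / when / where for every DeleteBucket call on `bucket`. Denied
    attempts carry an errorCode and are reported too, flagged via 'error'."""
    hits = []
    for r in json.loads(log_text)["Records"]:
        if (r["eventName"] == "DeleteBucket"
                and r.get("requestParameters", {}).get("bucketName") == bucket):
            hits.append({"who": r["userIdentity"]["arn"], "when": r["eventTime"],
                         "where": r["sourceIPAddress"], "error": r.get("errorCode")})
    return hits


def failed_console_logins_by_ip(log_text: str) -> Counter:
    """Same match as the CloudWatch Logs metric filter
    { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }."""
    return Counter(r["sourceIPAddress"] for r in json.loads(log_text)["Records"]
                   if r["eventName"] == "ConsoleLogin"
                   and r.get("errorMessage") == "Failed authentication")
```

In a real account the same questions are answered by CloudTrail Event history (90 days) or by querying the S3 trail, and the metric filter feeds a CloudWatch Alarm instead of a Counter.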
Data Protection
AWS Key Management Service (KMS)
AWS KMS lets you create and manage encryption keys used to encrypt your data across AWS services.
Key features:
- Create customer managed keys (CMKs) or use AWS managed keys
- Integrates with most AWS services (S3, EBS, RDS, etc.)
- Automatic key rotation (annually for AWS managed keys)
- All key usage is logged in CloudTrail
AWS Certificate Manager (ACM)
ACM provisions, manages, and deploys SSL/TLS certificates for use with AWS services and internal resources.
- Free public SSL/TLS certificates for use with AWS services
- Automatic certificate renewal
- Used with CloudFront, ELB, API Gateway
Amazon Macie — Data Discovery and Protection
Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in S3 (like personally identifiable information — PII, credit card numbers, social security numbers).
AWS Secrets Manager
AWS Secrets Manager helps you protect secrets (passwords, API keys, database credentials) needed to access your applications. It can automatically rotate secrets on a schedule.
Security Hub and Compliance
AWS Security Hub
AWS Security Hub provides a comprehensive view of your security posture across AWS. It aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and other tools into a single dashboard.
Key features:
- Centralized security findings dashboard
- Automated security checks against industry standards (CIS, PCI DSS)
- Cross-account security visibility via AWS Organizations
Quick Reference: Which Service for Which Scenario?
| Scenario | Service |
|---|---|
| DDoS protection | AWS Shield |
| Block SQL injection attacks | AWS WAF |
| Detect cryptocurrency mining on EC2 | Amazon GuardDuty |
| Find vulnerabilities in EC2 instances | Amazon Inspector |
| Track who deleted an S3 bucket | AWS CloudTrail |
| Discover PII in S3 buckets | Amazon Macie |
| Manage encryption keys | AWS KMS |
| Centralized view of all security findings | AWS Security Hub |
| Investigate a security incident | Amazon Detective |
| Manage firewall rules across multiple accounts | AWS Firewall Manager |
| Store and rotate database passwords | AWS Secrets Manager |
Practice Questions
- Which AWS service provides managed DDoS protection and is included for free for all AWS customers?
- A company needs to protect its web application from SQL injection attacks. Which AWS service should they use?
- Which AWS service should you use to find out who deleted an S3 bucket in your account last week?
- Amazon Macie is BEST described as a service that:
- Which AWS service provides a centralized view of security findings from multiple AWS security services?