5.3 Security Services Deep Dive
Key Takeaways
- AWS IAM Identity Center (formerly AWS SSO) provides single sign-on access to multiple AWS accounts and business applications.
- AWS Cognito provides authentication and authorization for web and mobile applications — supports user sign-up/sign-in and federation.
- AWS Directory Service provides managed Microsoft Active Directory (AWS Managed Microsoft AD), plus AD Connector and Simple AD, for Windows and other AD-dependent workloads on AWS.
- Amazon GuardDuty analyzes CloudTrail, VPC Flow Logs, DNS logs, and EKS audit logs to detect threats using threat intelligence feeds, anomaly detection, and ML.
- AWS Security Token Service (STS) provides temporary security credentials for IAM roles and federated users.
Security Services Deep Dive
Identity Services
AWS IAM Identity Center (formerly AWS SSO)
IAM Identity Center provides centralized single sign-on (SSO) access to multiple AWS accounts and business applications.
| Feature | Detail |
|---|---|
| Single Sign-On | One login (portal or CLI) for all AWS accounts in your Organization |
| Identity Source | Built-in identity store, or an external one: Active Directory, Okta, Microsoft Entra ID (formerly Azure AD) via SAML/SCIM |
| Permission Sets | Define a set of permissions once (a role template), assign it to users/groups in multiple accounts |
| Business Apps | SSO to Salesforce, Slack, Microsoft 365 (formerly Office 365), and other SAML 2.0 apps |
Amazon Cognito
Amazon Cognito adds user authentication and authorization to your web and mobile apps.
| Feature | Detail |
|---|---|
| User Pools | User directory for sign-up/sign-in (username/password, social login); issues JWTs (ID, access, refresh tokens) |
| Identity Pools | Exchange a token from a user pool or external IdP for temporary AWS credentials (via STS) so app users, optionally including unauthenticated guests, can call AWS services directly |
| Federation | Sign in with Google, Facebook, Apple, Amazon, SAML 2.0, OIDC |
| MFA | Built-in multi-factor authentication (SMS or TOTP authenticator app) |
| Scaling | Scales to millions of users |
On the Exam: Cognito = authentication for your APPLICATION users. IAM = access control for your AWS ACCOUNT users. Know the difference.
AWS Directory Service
| Service | Description |
|---|---|
| AWS Managed Microsoft AD | Actual Microsoft Active Directory on AWS-managed domain controllers; supports trust relationships with on-premises AD |
| AD Connector | Proxy that forwards directory requests to your on-premises AD; no directory data is cached in the cloud |
| Simple AD | Standalone Samba 4-based directory with a subset of AD features; no trusts with other domains |
Encryption Deep Dive
Encryption at Rest
Protects data stored on disk:
| Service | Encryption Method |
|---|---|
| S3 | SSE-S3 (default for new objects), SSE-KMS, SSE-C (server-side); client-side encryption |
| EBS | AES-256 encryption using KMS keys; set at volume creation. An existing unencrypted volume cannot be encrypted in place: snapshot it and copy the snapshot with encryption enabled |
| RDS | KMS encryption for storage, backups, snapshots, and read replicas; enabled at creation. To encrypt an existing unencrypted instance, copy a snapshot with encryption and restore from it |
| DynamoDB | Always encrypted at rest using AWS-owned, AWS-managed, or customer-managed KMS keys |
| EFS | KMS encryption at rest must be enabled at file system creation; encryption in transit is a mount option (TLS) |
Encryption in Transit
Protects data moving between systems:
| Method | Description |
|---|---|
| TLS/SSL | HTTPS connections to AWS services and APIs |
| VPN | Encrypted tunnel between on-premises and AWS |
| AWS Certificate Manager | Free public TLS certificates for use with integrated services (ELB, CloudFront, API Gateway); ACM handles renewal |
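The two tables above list what each service can do; in practice the check a security engineer adds is a bucket policy that refuses anything weaker. The following is an added example (not from the page or from AWS documentation) of an S3 bucket policy that enforces both encryption at rest with one specific customer managed KMS key and encryption in transit. The bucket name, account ID and key ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotUsingSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsUsingAnyOtherKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Two caveats: a `StringNotEquals` condition also matches when the header is absent, so clients must send the `x-amz-server-side-encryption` headers explicitly even if the bucket's default encryption is already SSE-KMS; and the in-transit statement covers the bucket itself as well as its objects, otherwise plaintext `ListBucket` calls would still succeed.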
AWS KMS Key Types
| Key Type | Description | Management |
|---|---|---|
| AWS Owned Keys | Owned and used by an AWS service across many customer accounts; not visible in your account and their use is not logged in your CloudTrail | No customer control |
| AWS Managed Keys | Created by AWS in your account for a specific service (aws/s3, aws/rds, ...) | View the key and its policy, see its use in CloudTrail; cannot change the policy; rotated automatically every year |
| Customer Managed Keys | You create and manage in KMS | Full control: key policy, grants, aliases, enable/disable, scheduled deletion; automatic rotation is optional (yearly by default) or manual |
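"Full control" for a customer managed key means you write its key policy. The following is an added example of such a policy (not from the page or from AWS documentation) that separates key administration from key use and restricts use to requests that arrive through S3 in one Region. The account ID, role names and Region are placeholders; in a key policy, `"Resource": "*"` means "this key".

```json
{
  "Version": "2012-10-17",
  "Id": "example-cmk-policy",
  "Statement": [
    {
      "Sid": "KeyAdministratorsManageButCannotUseTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdminRole" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ApplicationRoleUsesTheKeyOnlyViaS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppRole" },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

Note what is missing: there is no statement granting the account root principal `kms:*`, so IAM identity policies alone cannot grant access to this key and only the two roles named here can touch it. That is the tightest option, but if `KeyAdminRole` is ever deleted the key becomes unmanageable and only AWS Support can recover it; many teams keep the root statement and rely on IAM policies for that reason.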
Advanced Security Services
AWS WAF Detailed
WAF Rule Types:
| Rule Type | Description |
|---|---|
| Managed Rules | Pre-built rule groups from AWS or Marketplace sellers (common web exploits in the OWASP Top 10 categories, known bad inputs, bot control) |
| Custom Rules | You define based on source IP, geo, string/regex match on headers, URI or body, size constraints; combined with AND/OR/NOT |
| Rate-Based Rules | Count requests per source IP (or another aggregation key) over a rolling window and block once a request limit is exceeded; can be scoped down to a path such as a login page |
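As an added example (not from the page), here is a rate-based rule in the form AWS WAF (WAFv2) accepts in a web ACL, scoped down so that only requests to `/login` count toward the limit; the limit of 300 requests per five-minute window, the path and the rule name are assumptions chosen for a credential-stuffing scenario.

```json
{
  "Name": "RateLimitLoginPerIP",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 300,
      "EvaluationWindowSec": 300,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "FieldToMatch": { "UriPath": {} },
          "PositionalConstraint": "STARTS_WITH",
          "SearchString": "/login",
          "TextTransformations": [
            { "Priority": 0, "Type": "LOWERCASE" }
          ]
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitLoginPerIP"
  }
}
```

Without the scope-down statement the same limit would apply to every request an IP sends, which is too low for ordinary browsing of a site but right for a login endpoint. When the web ACL sits behind CloudFront or an ALB, `AggregateKeyType: "IP"` uses the client IP from the connection; use `FORWARDED_IP` instead if another proxy sits in front and the real client IP is only in `X-Forwarded-For`.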
Amazon GuardDuty Detailed
Data sources analyzed:
- CloudTrail Management Events — Unusual API calls, unauthorized deployments
- CloudTrail S3 Data Events — Suspicious S3 access patterns
- VPC Flow Logs — Unusual network traffic, port scanning
- DNS Logs — Queries to known command-and-control or otherwise malicious domains (requires the instance to use the Route 53 Resolver; queries to a third-party DNS server are not seen)
- EKS Audit Logs — Kubernetes cluster threats
- Lambda Network Activity — Unusual Lambda function behavior
Finding types (names follow the pattern ThreatPurpose:ResourceTypeAffected/ThreatFamilyName, e.g. UnauthorizedAccess:IAMUser/MaliciousIPCaller):
- Backdoor — Resources compromised and communicating with C&C servers
- CryptoCurrency — Resources mining cryptocurrency, or querying mining-pool domains
- Trojan — Resources behaving like malware-infected hosts: traffic to known malicious IPs, DNS-based data exfiltration, drop-point communication
- UnauthorizedAccess — Suspicious credential use: API calls from known malicious IPs or Tor exit nodes, credentials used from an unusual location
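The finding type and the numeric severity are what an automated response keys on. The following is an added example (not from the page, and not AWS code) that parses the finding-type grammar, maps severity to its band, and picks a containment action. The findings are constructed to look like the `detail` object GuardDuty sends to EventBridge, and the playbook mapping is a hypothetical one.

```python
"""Triage of Amazon GuardDuty findings by type and severity.

Added example, not AWS code. It runs offline on constructed findings shaped like
the `detail` object GuardDuty publishes to Amazon EventBridge; the response
playbook (CONTAINMENT) is a hypothetical mapping, not an AWS recommendation.
"""
import re
from typing import Dict, List, Optional

# Documented GuardDuty finding-type grammar:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# The mechanism and artifact parts are optional; "&" occurs in families like C&CActivity.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9&]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)

# Hypothetical containment playbook keyed on ThreatPurpose.
CONTAINMENT = {
    "Backdoor": "isolate-instance",
    "CryptoCurrency": "isolate-instance",
    "Trojan": "isolate-instance",
    "UnauthorizedAccess": "disable-credential",
}


def parse_finding_type(finding_type: str) -> Dict[str, Optional[str]]:
    """Split a finding type into its named parts; raise on anything malformed."""
    match = FINDING_TYPE_RE.match(finding_type)
    if match is None:
        raise ValueError(f"unrecognised GuardDuty finding type: {finding_type!r}")
    return match.groupdict()


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its band (Low/Medium/High/Critical)."""
    if severity >= 9.0:
        return "Critical"
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def affected_target(finding: dict) -> Optional[str]:
    """Pull the identifier a responder would act on from the resource block."""
    resource = finding.get("resource", {})
    kind = resource.get("resourceType")
    if kind == "Instance":
        return resource["instanceDetails"]["instanceId"]
    if kind == "AccessKey":
        return resource["accessKeyDetails"]["accessKeyId"]
    return None


def triage(finding: dict) -> dict:
    """Decide a containment action from threat purpose and severity band."""
    parts = parse_finding_type(finding["type"])
    band = severity_label(float(finding["severity"]))
    # Low-severity findings (e.g. Recon) only get a ticket; the rest follow the playbook.
    action = "ticket-only" if band == "Low" else CONTAINMENT.get(parts["purpose"], "ticket-only")
    return {
        "purpose": parts["purpose"],
        "family": parts["family"],
        "severity": band,
        "target": affected_target(finding),
        "action": action,
    }


# Constructed findings (not real GuardDuty output); IDs are AWS documentation placeholders.
SAMPLE_FINDINGS: List[dict] = [
    {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
     "resource": {"resourceType": "Instance",
                  "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
    {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5.0,
     "resource": {"resourceType": "AccessKey",
                  "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                       "userName": "deploy-bot"}}},
    {"type": "Recon:EC2/Portscan", "severity": 2.0,
     "resource": {"resourceType": "Instance",
                  "instanceDetails": {"instanceId": "i-0fedcba9876543210"}}},
]


def triage_all(findings: List[dict] = SAMPLE_FINDINGS) -> List[dict]:
    """Triage every finding in order; used as the entry point for the sample data."""
    return [triage(f) for f in findings]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

The port scan stays a ticket because it is Low severity even though Recon is a real attack precursor; a real deployment would tune the bands and the playbook to the environment, and would act on `target` through an EventBridge rule invoking a Lambda or Step Functions workflow rather than from a script.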
AWS Network Firewall
A managed network firewall for VPCs, deployed as endpoints in firewall subnets and routed to with VPC route tables, with features including:
- Stateless rules (5-tuple, evaluated first) and stateful rules that track connections
- Stateful packet inspection
- Intrusion prevention system (IPS) signatures
- Web filtering by domain list (matches on HTTP Host or TLS SNI)
- Custom rules written in Suricata-compatible format
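Added example (not from the page or from AWS) of the Suricata-compatible rules you would put in a stateful rule group to allow one approved SaaS endpoint and block other outbound TLS, telnet, and scripted HTTP egress. The domain, ports and sid values are assumptions; `$HOME_NET` defaults to the VPC CIDR and `$EXTERNAL_NET` to everything else.

```suricata
# Allow TLS only to the approved SaaS endpoint, matched on the TLS SNI (case-insensitive).
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.example.com"; nocase; flow:to_server; msg:"allow approved SaaS"; sid:1000001; rev:1;)

# Everything else on 443 is dropped and logged. Must come after the pass rule, which
# needs the rule group to use strict (in-order) evaluation.
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"blocked unapproved TLS egress"; sid:1000002; rev:1;)

# Telnet leaving the VPC is never legitimate here; drop it regardless of payload.
drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"telnet egress blocked"; sid:1000003; rev:1;)

# IPS-style content inspection: alert (not block) on a scripted HTTP client leaving the VPC.
alert http $HOME_NET any -> $EXTERNAL_NET any (http.user_agent; content:"python-requests"; msg:"scripted HTTP egress"; sid:1000004; rev:1;)
```

`content` on the `tls.sni` buffer is a substring match, so `api.example.com.attacker.test` would also pass; anchor it with `startswith`/`endswith` or use a domain-list rule (the "web filtering" feature above) when an exact allow-list is the goal. The alert rule produces a log entry only, which is the usual way to trial a new signature before changing it to `drop`.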
Compliance Services Summary
| Service | Purpose |
|---|---|
| AWS Artifact | Download compliance reports (SOC, PCI, ISO) |
| AWS Audit Manager | Automate evidence collection for audits |
| AWS Config | Evaluate resource configurations against rules |
| AWS CloudTrail | Log all API activity for auditing |
| Amazon Inspector | Scan EC2 instances, ECR container images, and Lambda functions for software vulnerabilities and unintended network exposure |
| Amazon Macie | Discover and protect sensitive data in S3 |
| AWS Security Hub | Centralized security findings dashboard |
Which AWS service provides authentication and user management for web and mobile applications?
What is the difference between Amazon Cognito and AWS IAM?
Which AWS KMS key type gives you the MOST control over encryption key management?
Which AWS service provides centralized single sign-on (SSO) access across multiple AWS accounts in an Organization?