Security
AWS Systems Manager
AWS Systems Manager Parameter Store is a secure, centralized place to store configuration data and secrets for your applications.
Can store:
Strings (plain text)
Secure strings (encrypted secrets like passwords, API keys)
Configuration values (like database endpoints, environment variables)
It is part of AWS Systems Manager and works seamlessly with applications, EC2, Lambda, and other AWS services.
Why it is used
Centralized configuration: Keep app settings in one place.
Secure secrets: Store sensitive information encrypted.
Versioning & history: Track changes to parameters over time.
Automation: Applications can fetch parameters dynamically.
Integration: Works with AWS services like Lambda, EC2, ECS, CloudFormation.
How it works
Create a parameter → Name, value, type (String, SecureString, StringList).
Set permissions → IAM policies control who can read/write parameters.
Access parameter from apps → Applications retrieve values via SDK, CLI, or environment variables.
Optional encryption → Use AWS KMS to encrypt sensitive parameters.
Optional versioning → Keep history of changes for rollback or auditing.
Components
Parameter
The stored value (string, secure string, or list).
Analogy: A labeled envelope containing configuration info or a password.
SecureString / KMS encryption
Encrypts sensitive values.
Analogy: Envelope with a lock and key.
IAM Policies / Access Control
Who can read/write parameters.
Analogy: Only authorized people can open specific envelopes.
Versioning
Keeps track of updates.
Analogy: Each envelope revision gets a new date stamp.
Parameter Hierarchy
Organize parameters with paths like /prod/db/password.
Analogy: File folders organizing envelopes by environment and purpose.
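As an added example that is not part of these notes: a Python model of the "set permissions" step for the /prod/db/ hierarchy. It defines a least-privilege IAM policy for a prod database client and a simplified evaluator showing which parameter reads that policy permits; a SecureString read also needs kms:Decrypt on the key that encrypted it. The account id, region and KMS key ARN are placeholders, and the evaluator only models Allow/Deny statements with IAM's * and ? wildcards (no conditions, no resource policies).

```python
import fnmatch
import json

# Placeholders (not real account or key ids); a real policy would carry your own values.
ACCOUNT = "123456789012"
REGION = "us-east-1"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"

# Constructed least-privilege policy for a prod database client: it may read only
# parameters under /prod/db/ and may decrypt SecureStrings only with one specific key.
# Writes (ssm:PutParameter) and other environments (/dev/...) are not granted.
PROD_DB_READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadProdDbParameters",
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/prod/db/*",
        },
        {
            "Sid": "DecryptSecureStringsWithProdKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": KMS_KEY_ARN,
        },
    ],
}


def parameter_arn(name):
    """ARN of a hierarchical parameter: the name's leading slash directly follows 'parameter'."""
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{name}"


def _matches(patterns, value, case_sensitive=True):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive, resources are not."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, case_sensitive=False) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_read_parameter(policy, name, secure_string=False, key_arn=KMS_KEY_ARN):
    """A SecureString read needs ssm:GetParameter on the parameter AND kms:Decrypt on its key."""
    if not is_allowed(policy, "ssm:GetParameter", parameter_arn(name)):
        return False
    if secure_string and not is_allowed(policy, "kms:Decrypt", key_arn):
        return False
    return True


if __name__ == "__main__":
    print(json.dumps(PROD_DB_READER_POLICY, indent=2))
    for name, secure in [("/prod/db/password", True), ("/prod/db/endpoint", False), ("/dev/db/password", True)]:
        print(f"{name:22} readable: {can_read_parameter(PROD_DB_READER_POLICY, name, secure)}")
```

The path prefix in the Resource ARN is what makes the hierarchy useful for access control: one statement covers every parameter under /prod/db/ and nothing outside it, so a client in prod cannot read dev secrets or write anything.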

Simple Analogy Wrap-up
Parameter Store = Office filing cabinet for configuration and secrets.
Parameter = Labeled envelope inside the cabinet.
SecureString = Locked envelope.
IAM Policies = Access rules for who can open envelopes.
Versioning = Tracking all previous versions of each envelope.
Key difference vs Secrets Manager:
Parameter Store: Can store both configuration and secrets; supports free tier; simpler for config values.
Secrets Manager: Designed primarily for sensitive secrets; automated rotation; more enterprise features.
Firewalls Layer 7 vs Layer 3/4/5
First, let’s break down the Layer 3/4/5 firewall settings to better understand the Layer 7 configuration.
Layer 3 – Network Layer
What it does:
Handles addressing and routing of data packets between devices across networks.
Analogy:
Like a GPS or postal service deciding the route your letter (data packet) takes.
AWS Context:
Security groups and NACLs filter traffic by IP address; VPC route tables decide the path packets take.
Layer 4 – Transport Layer
What it does:
Ensures reliable data transfer (TCP/UDP), sequencing, and error checking.
Analogy:
Like a courier ensuring packages arrive intact and in order.
AWS Context:
Security groups and NACLs also filter by ports and protocols (TCP/UDP).
Layer 5 – Session Layer
What it does:
Manages sessions between applications, establishing, maintaining, and terminating connections.
Analogy:
Like a phone call operator connecting two parties and keeping the line open.
AWS Context:
AWS handles sessions via load balancers, NAT gateways, and VPN connections to keep connections active and secure.
[Figure: Layer 3/4/5]
Layer 7 – Application Layer Firewall (WAF)
What it does:
Filters traffic based on application content (HTTP/HTTPS, API requests).
Protects against SQL injection, XSS, bots, and malicious payloads.
Analogy:
Like a security officer opening packages to see what’s inside before letting it into the building.
AWS Context:
AWS WAF sits in front of CloudFront, ALB, or API Gateway.
Filters requests based on:
URL paths
Headers or cookies
JSON/XML payloads
IP reputation
[Figure: Layer 7]
Quick Summary Table
Layer | Function | AWS components | Analogy
3 | Routing & addressing | Security Groups, NACLs, Route Tables | GPS/postal service
4 | Transport & reliability | Security Groups (ports/protocol) | Courier ensuring safe delivery
5 | Session management | VPN, NAT Gateway, Load Balancer | Phone call operator
7 | Application content inspection | AWS WAF, API Gateway | Security officer inspecting packages
Key Point:
Layer 3/4 → Fast, network-level filtering
Layer 7 → Smarter, inspects content to protect apps
AWS WAF
AWS WAF is a web application firewall that protects your web applications from common attacks at the application layer (Layer 7).
It sits in front of your apps hosted on CloudFront, Application Load Balancer (ALB), or API Gateway and filters HTTP/S traffic.
Why it is used
Protect against attacks: SQL injection, XSS, bots, and other web exploits.
Filter requests: Block, allow, or count traffic based on custom rules.
Compliance: Helps meet security standards for web apps.
Real-time protection: Monitor and respond quickly to threats.
How it works
Define a Web ACL (Access Control List) → Rules that allow, block, or count requests.
Add rules → Match requests based on IP, country, headers, URL strings, SQL patterns, etc.
Attach Web ACL → Apply it to CloudFront, ALB, or API Gateway.
Inspect traffic → WAF evaluates requests before they reach your app.
Take action → Block, allow, or log suspicious traffic.
Components
Web ACL
Central place to manage rules for your application.
Analogy: A gatekeeper’s instruction manual for what to allow or block.
Rules & Rule Groups
Conditions to detect malicious or unwanted requests.
Analogy: Checklists for inspecting packages, like “no liquids,” “no explosives.”
Conditions / Match Criteria
Match IP addresses, headers, query strings, or body content.
Analogy: Specific criteria for inspection, e.g., check for suspicious items inside packages.
Actions
Allow: Let the request through
Block: Stop the request
Count: Monitor without blocking
Analogy: Decide whether to let the visitor in, refuse entry, or just record them.
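As an added example (not AWS code and not from these notes): a small Python model of how a Web ACL combines rules and actions, covering the "How it works" steps and the Rules/Actions components above. It reproduces the evaluation order a Web ACL uses: rules run in priority order, Allow and Block terminate evaluation, Count records the match and continues, and the default action applies when no rule terminates. The match helpers, the request shape and the Web ACL itself are constructed stand-ins; managed rule groups and rate-based rules are not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """A constructed inbound HTTP request as the WAF would see it."""
    ip: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


@dataclass
class Rule:
    name: str
    priority: int                       # lower number is evaluated first, as in a Web ACL
    action: str                         # "ALLOW", "BLOCK" or "COUNT"
    matches: Callable[[Request], bool]  # stands in for the rule's match statement


# Match-statement helpers: simplified analogues of IP set, URI path, header and size constraints.
def ip_in_set(*cidrs):
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.ip) in n for n in nets)


def path_starts_with(prefix):
    return lambda r: r.path.startswith(prefix)


def header_contains(name, needle):
    return lambda r: needle.lower() in r.headers.get(name.lower(), "").lower()


def body_larger_than(limit):
    return lambda r: len(r.body) > limit


def evaluate(web_acl, request) -> Tuple[str, Optional[str], List[str]]:
    """Rules run in priority order; ALLOW/BLOCK terminate, COUNT records and continues;
    if no rule terminates, the Web ACL's default action applies."""
    counted = []
    for rule in sorted(web_acl["rules"], key=lambda r: r.priority):
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)   # non-terminating: keep evaluating lower-priority rules
            continue
        return rule.action, rule.name, counted
    return web_acl["default_action"], None, counted


# Constructed Web ACL: block a known-bad range (TEST-NET-3 documentation space), keep /admin
# off the public entry point, count oversized bodies before deciding to block them, and
# block a made-up test bot user agent.
WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [
        Rule("BlockKnownBadIPs", 0, "BLOCK", ip_in_set("203.0.113.0/24")),
        Rule("BlockAdminFromInternet", 1, "BLOCK", path_starts_with("/admin")),
        Rule("CountLargeBodies", 2, "COUNT", body_larger_than(8 * 1024)),
        Rule("BlockTestBot", 3, "BLOCK", header_contains("User-Agent", "badbot")),
    ],
}


if __name__ == "__main__":
    samples = [
        Request("203.0.113.7", "GET", "/"),
        Request("198.51.100.5", "GET", "/admin/login"),
        Request("198.51.100.5", "POST", "/upload", body=b"x" * 9000),
        Request("198.51.100.5", "GET", "/", headers={"User-Agent": "badbot/1.0"}),
    ]
    for req in samples:
        print(req.ip, req.method, req.path, "->", evaluate(WEB_ACL, req))
```

The Count action is the safe way to introduce a new rule: it shows in the logs which requests would have been blocked without affecting live traffic, and the rule is switched to Block only once the false-positive rate is acceptable.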
Security & Features
Protection against OWASP Top 10 attacks
Integration with CloudFront / ALB / API Gateway
Managed rule groups → Prebuilt rules for common attacks
Customizable rules → Fine-tune protection for your app
Real-time monitoring → Logs requests via CloudWatch
Simple Analogy Wrap-up
AWS WAF = Security officer at the web app entrance.
Web ACL = Officer’s instruction manual.
Rules = Checklists for suspicious items or behaviors.
Actions = Allow, block, or monitor each visitor.
[Figure: WAF Rules]
AWS Shield
AWS Shield is a managed service that protects AWS applications from DDoS (Distributed Denial of Service) attacks.
In a DDoS attack, attackers flood your app or network with more traffic than it can handle, trying to make it crash or become unavailable.
AWS Shield keeps your apps, websites, and APIs available by automatically detecting and mitigating these attacks.
[Figure: Common Attacks]
Why it is used
Availability: Prevents downtime during DDoS attacks.
Automatic protection: No need for manual intervention.
Cost protection: Helps avoid huge scaling costs from fake traffic.
Peace of mind: Your services stay online even under attack.
How it works
AWS Shield sits in front of AWS resources (like CloudFront, Route 53, ALB, or Global Accelerator) and:
Monitors incoming traffic in real time.
Detects abnormal spikes that look like an attack.
Filters bad traffic while allowing legitimate users through.
Components
AWS Shield Standard (default, free)
Built-in for all AWS customers.
Protects against common, smaller DDoS attacks (like SYN floods, UDP floods).
Always-on, no setup needed.
Best for basic protection.

AWS Shield Advanced (paid)
Protection against large, sophisticated DDoS attacks.
Extra features:
24/7 access to AWS DDoS Response Team (DRT).
Detailed attack diagnostics.
Cost protection (so you don’t pay for auto-scaling caused by fake attack traffic).
Best for mission-critical applications.


Security & Features
Automatic traffic engineering → Keeps good traffic flowing, blocks bad.
Integration with AWS WAF → For deeper Layer 7 protection.
Global threat intelligence → Learns from attacks worldwide.
CloudWatch metrics → See attack details and traffic behavior.
Simple Analogy
Imagine your app is a store.
Attackers = A huge crowd of fake customers rushing the entrance to block real customers.
AWS Shield Standard = A bouncer who stops small disruptive crowds automatically.
AWS Shield Advanced = A full security team + emergency plan for handling very large, sophisticated attacks, with experts on call.
AWS Shield vs AWS WAF
Shield: Protects availability from DDoS attacks (network floods).
WAF: Protects apps from malicious requests (SQL injection, XSS).
🔒 Best practice: Use both together → Shield handles floods, WAF handles malicious requests.
AWS CloudHSM – Hardware Security Module
What it is
AWS CloudHSM is a cloud-based hardware security module (HSM) that lets you create and manage your own encryption keys in a dedicated hardware device inside AWS.
HSM = a specialized, tamper-resistant hardware box designed to store cryptographic keys and perform encryption operations.
With CloudHSM, you own and control the keys, not AWS.
Why it is used
Compliance: Required for strict standards (PCI-DSS, HIPAA, FedRAMP, FIPS 140-2 Level 3).
Full control: You manage the keys; AWS cannot access them.
Secure encryption: Protect sensitive data (banking, healthcare, government).
Integration: Works with AWS services (EBS, RDS, S3) and on-premises apps.
How it works
You provision a CloudHSM cluster (in your VPC).
The HSM generates and stores keys in hardware (the keys never leave the HSM).
Applications (AWS or on-prem) connect securely to the HSM to use keys.
You can use it for encryption, digital signing, SSL/TLS offloading, PKI (certificates), and key management.
Components
CloudHSM Cluster
Group of HSMs deployed in your VPC.
Analogy: A vault room with multiple safes for redundancy.
HSM Device
The hardware unit storing and processing keys.
Analogy: The safe itself.
Keys
Cryptographic material (AES, RSA, ECC).
Analogy: The treasures inside the safe.
Client Software / PKCS#11, JCE, CNG APIs
Applications use these libraries to talk to the HSM.
Analogy: The authorized key holders allowed to access the safe.
Example Use Cases
Banks securing payment data.
Governments protecting classified info.
Companies managing their own PKI/certificates.
Secure SSL/TLS termination.
Simple Analogy
CloudHSM = A bank vault you rent inside AWS’s data center.
AWS provides the vault, but you own the keys and decide who can open it.
Even AWS staff cannot open your vault.
CloudHSM vs AWS KMS
Aspect | CloudHSM | AWS KMS
Control | You control the keys entirely | AWS manages the keys for you
Compliance | FIPS 140-2 Level 3 certified | FIPS 140-2 Level 2
Complexity | More complex, needs client integration | Easier, fully managed
Use Case | Strict compliance, high-security apps | General encryption needs
AWS Config
What it is
AWS Config is a service that tracks the configuration of your AWS resources and checks if they follow compliance and security rules.
It answers:
“What resources do I have?”
“How are they configured?”
“Are they following best practices and policies?”
“What changed and when?”
Why it is used
Visibility: See all your AWS resources and their settings.
Compliance: Check if resources follow rules (like encryption enabled, tags applied).
Audit: Know who changed what and when.
Security: Detect misconfigurations that could create risks.
How it works
AWS Config records resource states (snapshots of configurations).
Stores history of changes over time.
Evaluates resources against rules (predefined or custom).
Alerts & reports on non-compliant resources.

Components
Configuration Items (CIs)
Snapshots of each resource’s settings.
Analogy: A photo of your room at a specific time.
Configuration History
Full timeline of changes to a resource.
Analogy: A time-lapse video of how your room changed.
Configuration Recorder
The tool that captures changes to resources.
Analogy: The camera taking the photos.
Rules
Compliance checks (e.g., “All S3 buckets must have encryption”).
Analogy: House rules like “Always lock the door.”
Conformance Packs
Bundles of multiple rules (for compliance frameworks like PCI, HIPAA).
Analogy: A rulebook you can apply at once.
Delivery Channel
Sends snapshots and history to S3 or CloudWatch.
Analogy: A mail service sending your photo album to storage.
Example Use Cases
Ensure all EBS volumes are encrypted.
Check that EC2 instances are not publicly exposed.
Verify IAM policies follow least privilege.
Audit all changes for compliance reports.
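As an added example (not from these notes and not an AWS-provided rule): a Python custom Config rule implementing the "Ensure all EBS volumes are encrypted" use case, following the "How it works" steps above. AWS Config hands a change-triggered Lambda rule a Configuration Item, the function decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports the result back with the event's result token. The Configuration Items, volume ids, timestamps and the optional requiredKmsKeyId rule parameter are constructed; the handler returns the evaluation instead of calling the Config API so it runs without AWS credentials.

```python
import json

# Constructed Configuration Items (CIs) shaped like AWS Config's records for EBS volumes.
# Ids, timestamps and the key ARN are sample values.
SAMPLE_CI_UNENCRYPTED = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
    "configuration": {"volumeId": "vol-0123456789abcdef0", "encrypted": False, "kmsKeyId": None},
}
SAMPLE_CI_ENCRYPTED = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0fedcba9876543210",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-15T10:05:00.000Z",
    "configuration": {"volumeId": "vol-0fedcba9876543210", "encrypted": True,
                      "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
}


def evaluate_compliance(ci, rule_parameters=None):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one CI.
    The optional rule parameter requiredKmsKeyId (hypothetical) also demands a specific key."""
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    if ci.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"          # a deleted volume has nothing left to evaluate
    config = ci.get("configuration") or {}
    if not config.get("encrypted", False):
        return "NON_COMPLIANT"
    required_key = (rule_parameters or {}).get("requiredKmsKeyId")
    if required_key and config.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def build_evaluation(ci, compliance_type):
    """The Evaluation object AWS Config expects back via PutEvaluations."""
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance_type,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def make_event(ci, rule_parameters=None):
    """Constructed Lambda event in the shape AWS Config sends to a change-triggered custom rule."""
    return {
        "invokingEvent": json.dumps({"configurationItem": ci,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "sample-result-token",
    }


def lambda_handler(event, context=None):
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking_event["configurationItem"]
    evaluation = build_evaluation(ci, evaluate_compliance(ci, rule_parameters))
    # In a deployed rule the result is reported back with the result token, e.g.
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    # It is returned here so the logic can be exercised without AWS credentials.
    return evaluation


if __name__ == "__main__":
    for ci in (SAMPLE_CI_UNENCRYPTED, SAMPLE_CI_ENCRYPTED):
        print(json.dumps(lambda_handler(make_event(ci)), indent=2))
```

Returning NOT_APPLICABLE for deleted resources and for other resource types matters: a rule that reports NON_COMPLIANT for everything it does not understand floods the compliance dashboard and hides the real misconfigurations.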
Simple Analogy
AWS Config = Security camera + compliance inspector for your AWS account.
Camera (Recorder): Captures every change.
Photo album (History): Stores snapshots.
Rules: Check if the house is following the rules.
Conformance packs: Apply a full rulebook at once.

Amazon Macie
What it is
Amazon Macie is a security service that uses machine learning (ML) to automatically find and protect sensitive data stored in AWS — mainly in Amazon S3 buckets.
It looks for things like:
Personally Identifiable Information (PII) → names, addresses, phone numbers
Financial data → credit card numbers, bank account info
Credentials → API keys, passwords
Why it is used
Data protection: Ensure sensitive data (like customer info) isn’t exposed.
Compliance: Helps with GDPR, HIPAA, PCI-DSS, etc.
Visibility: Know what kind of sensitive data you have and where it’s stored.
Automation: Continuous monitoring without manual searching.
How it works
Scans S3 buckets → Macie connects to your S3 storage.
Classifies data → Uses ML + predefined patterns to identify sensitive info.
Alerts & reports → Flags buckets with public access or sensitive data.
Integrates → Sends findings to AWS Security Hub, CloudWatch, or SIEMs.

Components
Macie Dashboard
Shows an overview of data security findings.
Analogy: A control room monitor for sensitive data.
Data Classification Jobs
Scans S3 buckets for sensitive data.
Analogy: Investigators searching boxes in a warehouse.
Findings
Results of scans → “Sensitive data found in Bucket X.”
Analogy: The report card from investigators.
Managed Data Identifiers
Prebuilt ML patterns (e.g., credit card numbers, SSNs).
Analogy: Trained sniffer dogs that know what to look for.
Custom Data Identifiers
Your own rules for specific data (e.g., employee IDs).
Analogy: Custom instructions to the investigators.
Example Use Cases
Detect credit card numbers in unprotected S3 files.
Identify personal data stored in logs.
Monitor for accidental public S3 bucket exposure.
Generate compliance reports for audits.
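As an added example (not Macie's code and not from these notes): a Python scanner showing the two identifier types described above on a constructed S3 object. The credit-card part mirrors what a managed identifier does, matching a digit pattern and then applying the Luhn checksum to discard false positives; the employee-ID part is shaped like a custom data identifier, a regex plus keywords that must appear within a maximum distance before the match. The sample text, the EMP-nnnnnn format and the keyword list are constructed; findings carry only masked values, as a real finding should.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed custom identifier in the shape Macie uses: a regex plus keywords that must
# appear shortly before the match (maximum match distance, in characters).
EMPLOYEE_ID_IDENTIFIER = {
    "name": "EMPLOYEE_ID",
    "regex": re.compile(r"\bEMP-\d{6}\b"),
    "keywords": ["employee", "staff id"],
    "max_distance": 50,
}

# Constructed sample S3 object contents (no real people or cards; 4111... is a test number).
SAMPLE_OBJECT = (
    "order_id=7781 customer=J. Doe card=4111 1111 1111 1111 exp=12/29\n"
    "support ticket: refund to 4111-1111-1111-1112 (typo in number)\n"
    "Employee record: staff id EMP-004512 dept=finance\n"
    "ref code for project tracking: EMP-999999 is a project code, not a person\n"
)


def luhn_ok(digits):
    """Luhn checksum, the check a credit-card identifier uses to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Findings never carry the full sensitive value; keep only a suffix for correlation."""
    return "*" * (len(value) - keep) + value[-keep:]


def keyword_nearby(text, match_end, keywords, max_distance):
    """True if some keyword ends within max_distance characters before the end of the match."""
    longest = max(len(k) for k in keywords)
    start = max(0, match_end - max_distance - longest)
    window = text[start:match_end].lower()
    for kw in keywords:
        idx = window.rfind(kw.lower())
        if idx != -1 and match_end - (start + idx + len(kw)) <= max_distance:
            return True
    return False


def line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan(text):
    """Return findings with masked values, like a classification job's results."""
    findings = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "CREDIT_CARD_NUMBER", "line": line_of(text, m.start()),
                             "masked": mask(digits)})
    ident = EMPLOYEE_ID_IDENTIFIER
    for m in ident["regex"].finditer(text):
        if keyword_nearby(text, m.end(), ident["keywords"], ident["max_distance"]):
            findings.append({"type": ident["name"], "line": line_of(text, m.start()),
                             "masked": mask(m.group(), keep=2)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_OBJECT):
        print(finding)
```

The second card number fails the checksum and the second EMP code has no keyword near it, so neither is reported; the keyword requirement is what keeps a loose regex from flagging every string that happens to look like an ID.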
Simple Analogy
Amazon Macie = A detective with trained dogs patrolling your S3 storage.
Dogs (ML identifiers): Detect sensitive data like credit cards, PII.
Detective report (Findings): Alerts you if data is exposed.
Dashboard: Your crime board showing all incidents.

Amazon Inspector
What it is
Amazon Inspector is an automated vulnerability management service in AWS.
It scans your AWS workloads (like EC2, ECR container images, and Lambda functions) for:
Software vulnerabilities (CVEs)
Security issues (unpatched OS, misconfigurations)
Deviations from best practices
Why it is used
Continuous scanning → Automatically checks workloads for risks.
Faster remediation → Find and fix before attackers exploit.
Compliance → Supports security standards (PCI, ISO, etc.).
Integration → Works with Security Hub, EventBridge, and ticketing systems.
How it works
Enable Inspector → It automatically discovers your EC2 instances, container images, and Lambda functions.
Scans resources for known vulnerabilities and misconfigurations.
Generates findings ranked by severity (High, Medium, Low).
Sends alerts → To Security Hub, CloudWatch, or SIEM.
You patch or fix issues before attackers can exploit them.
Components
Inspector Scans
Continuous, automated vulnerability assessments.
Analogy: A security guard checking every door and window daily.
Findings
Results of the scan (e.g., “Outdated OpenSSL version”).
Analogy: Inspection report highlighting weak spots.
Risk Scoring
Prioritizes issues based on exploitability + business impact.
Analogy: Traffic light system (red = urgent, yellow = medium, green = safe).
Integrations
Works with AWS Security Hub, EventBridge, SNS.
Analogy: Connecting alarms to your control center.
Example Use Cases
Check EC2 instances for missing patches.
Scan Docker container images in Amazon ECR.
Monitor Lambda functions for known vulnerabilities.
Generate compliance reports for auditors.
Simple Analogy
Amazon Inspector = A building inspector.
Walks through your AWS “house” (EC2, containers, Lambdas).
Creates a report card of vulnerabilities (broken locks, weak doors).
Gives you a priority list of what to fix first.
Amazon GuardDuty
What it is
Amazon GuardDuty is a threat detection service in AWS.
It continuously monitors your AWS environment using machine learning, anomaly detection, and threat intelligence feeds to spot malicious activity or unauthorized behavior.
Why it is used
Detect suspicious activity (like unusual API calls, port scans, crypto-mining).
Alert you about compromised AWS accounts, EC2 instances, or IAM credentials.
Improve incident response with actionable findings.
No need to install agents – works out of the box.
How it works
Collects data from multiple AWS sources:
VPC Flow Logs (network traffic)
CloudTrail (API activity)
DNS logs (domain lookups)
EKS (Kubernetes audit logs)
Analyzes behavior → Uses ML + AWS threat intel to spot anomalies.
Generates findings → Each suspicious event is flagged with severity (Low/Medium/High).
Sends alerts → To Security Hub, EventBridge, or SIEM.
Components
Data Sources
VPC Flow Logs, CloudTrail, DNS Logs, EKS Logs.
Analogy: CCTV cameras installed everywhere in your AWS house.
Threat Detection Engine
Uses ML + AWS intel.
Analogy: AI security guard who can recognize suspicious behavior.
Findings
Examples: “EC2 communicating with known malware server,” “IAM role used unusually.”
Analogy: Police report about potential break-ins.
Integrations
Security Hub, EventBridge, Lambda (for automated response).
Analogy: Alarm system connected to police + fire station.
Example Use Cases
Detect EC2 instances doing crypto-mining.
Alert when IAM keys are stolen and used from unusual countries.
Spot port scanning or brute-force attempts.
Detect compromised Kubernetes workloads in EKS.
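As an added example (not GuardDuty's code and not from these notes): Python that parses GuardDuty finding types and routes findings by severity, the step that comes after "Sends alerts" in the "How it works" list above. Finding types follow the documented pattern ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact, and the numeric severity maps to the Low/Medium/High labels the notes mention. The sample findings use real finding-type names, but their ids, severities and counts are constructed, and the destination names (security-hub, pager-oncall, ticket-queue, siem-log, identity-team) are hypothetical.

```python
import re

# GuardDuty finding types: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# (the last two parts are optional).
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[^:/.!]+):(?P<resource>[^:/.!]+)/(?P<family>[^:/.!]+)"
    r"(?:\.(?P<mechanism>[^:/.!]+))?(?:!(?P<artifact>[^:/.!]+))?$"
)

# Constructed findings using real finding-type names; ids, severities and counts are sample values.
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance"}, "Service": {"Count": 12}},
    {"Id": "f-002", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.0, "Resource": {"ResourceType": "AccessKey"}, "Service": {"Count": 1}},
    {"Id": "f-003", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance"}, "Service": {"Count": 40}},
    {"Id": "f-004", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Resource": {"ResourceType": "Instance"}, "Service": {"Count": 3}},
]


def parse_finding_type(finding_type):
    """Split a finding type into its named parts; mechanism/artifact are None when absent."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognized finding type: {finding_type}")
    return m.groupdict()


def severity_label(severity):
    """GuardDuty severity bands: 7.0 and above High, 4.0 to 6.9 Medium, below that Low."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def route(finding):
    """Decide where one finding goes. Destination names are hypothetical."""
    label = severity_label(finding["Severity"])
    parsed = parse_finding_type(finding["Type"])
    destinations = ["security-hub"]            # every finding is kept in the central view
    if label == "High":
        destinations.append("pager-oncall")    # wake someone up
    elif label == "Medium":
        destinations.append("ticket-queue")    # handle during business hours
    else:
        destinations.append("siem-log")        # keep for correlation, no action by itself
    # Credential findings go to the identity team regardless of severity: the affected
    # resource is an IAM principal, so key rotation may be needed even for a low score.
    if parsed["resource"] == "IAMUser":
        destinations.append("identity-team")
    return {
        "id": finding["Id"],
        "severity": finding["Severity"],
        "count": finding["Service"]["Count"],
        "label": label,
        "purpose": parsed["purpose"],
        "family": parsed["family"],
        "destinations": destinations,
    }


def triage(findings):
    """Highest severity first; ties broken by how often the behaviour recurred (Service.Count)."""
    return sorted((route(f) for f in findings), key=lambda r: (-r["severity"], -r["count"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(f'{r["id"]} {r["label"]:6} {r["purpose"]}/{r["family"]} -> {", ".join(r["destinations"])}')
```

Parsing the type rather than matching on whole strings is what makes the routing maintainable: new finding types GuardDuty adds under an existing purpose or resource type land in the right place without editing a lookup table.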
Simple Analogy
GuardDuty = Security guard with AI + CCTV feeds.
Always watching your AWS house.
Flags when someone tries to sneak in, steal keys, or act suspiciously.
Sends you an alert immediately.

AWS Security Services — Quick Differences
Service | What it Does | Analogy | Best For
Inspector | Scans workloads (EC2, ECR, Lambda) for vulnerabilities & misconfigurations | Building inspector checking for weak locks/unsafe wiring | Vulnerability management
GuardDuty | Detects active threats using logs (CloudTrail, VPC Flow, DNS, EKS) | AI guard watching CCTV feeds for burglars | Threat detection
WAF (Web App Firewall) | Blocks malicious web traffic (SQLi, XSS, bad bots) | Security gate filtering who enters the building | Protecting web applications
Shield (Standard/Advanced) | Protects against DDoS attacks | Bouncer preventing massive crowd from flooding entrance | DDoS protection
Macie | Finds & protects sensitive data in S3 (PII, financial data) | Document scanner highlighting passports, credit cards | Data security & compliance
Config | Monitors AWS resource configurations for compliance | Compliance officer checking rules are followed | Governance & compliance
Secrets Manager | Stores & rotates secrets (passwords, API keys) securely | Safe with automatic key rotation | Secret management
Parameter Store (SSM) | Stores configs & secrets (basic) | Filing cabinet with notes (less secure than a safe) | App configs & simple secrets
CloudHSM | Dedicated Hardware Security Module in AWS | Private vault only you can control | Custom encryption, compliance (FIPS 140-2)
KMS (Key Management Service) | Managed encryption keys for AWS services | Master key to lock/unlock resources | Encrypting data at rest/in transit
Security Hub | Centralizes findings from multiple services (Inspector, GuardDuty, Macie) | Command center dashboard for all alarms | Unified security view
IAM | Identity & access management for users, roles, policies | ID card & access passes | Who can access what
Organizations + SCPs | Multi-account governance with service control policies | Parent controlling rules for all kids | Central security control
Control Tower | Sets up multi-account AWS environment with guardrails | Blueprint for a secure gated community | Secure multi-account setup
How They Work Together
Identity Security → IAM, Organizations, Control Tower
Data Security → KMS, CloudHSM, Secrets Manager, Parameter Store, Macie
Network/App Protection → WAF, Shield
Workload Security → Inspector, GuardDuty
Governance/Compliance → Config, Security Hub
Simplified Analogy
IAM = ID cards
KMS/CloudHSM = Keys & Vaults
Secrets Manager/Parameter Store = Password managers
Inspector = Building inspector
GuardDuty = AI security guard
WAF = Security gate
Shield = Anti-riot bouncer
Macie = Document scanner
Config = Compliance officer
Security Hub = Control room dashboard