Domain 1 of 4 · Chapter 2 of 3

Secure Workloads and Applications

Included in this chapter:

  • WAF rule groups: managed vs custom, rate-based vs IP-set
  • Shield Advanced cost protection: when the $3 000/mo pays for itself
  • Security Group composition patterns: hub-and-spoke, mesh, transit
  • Network ACL ephemeral-port pitfalls + worked examples
  • Secrets Manager rotation Lambda: the 4-step contract + cross-account templates
  • VPC Endpoint policies: restricting which actions are allowed through an endpoint

Layered defenses compared

| Layer | Scope | Stateful? | Allow / Deny | Best for |
|---|---|---|---|---|
| WAF | L7 HTTP/HTTPS in front of CloudFront / ALB / API Gateway | n/a | Managed + custom rules | SQL injection, XSS, bad bots, geo-block, rate-based |
| Shield Standard | Network-edge L3/L4 (CloudFront, Route 53, GA) | n/a | Auto-protect | Common volumetric DDoS; free and always on |
| Shield Advanced | Same + EIPs + ALB + custom resources | n/a | Shield Response Team (SRT) | $3 000/mo; large-scale DDoS + cost protection |
| Security Group | ENI (per-instance) | Stateful | Allow only | Per-instance allow-list; return traffic auto-allowed |
| Network ACL | Subnet | Stateless | Allow + Deny | Subnet-wide deny-list; needs explicit ephemeral-port rules |
| GuardDuty | Account-wide threat detection | n/a | Findings only | Anomaly detection from VPC Flow Logs, CloudTrail, DNS |
| Inspector | EC2 + ECR + Lambda vulnerability scan | n/a | Findings only | Software vulnerabilities, network reachability |
| Macie | S3 sensitive-data discovery | n/a | Findings only | PII / PHI / financial detection across S3 |
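The Security Group and Network ACL rows above differ in exactly the way that trips people up on the exam: a stateless NACL judges the request and its reply as two unrelated packets, so an inbound HTTPS allow is useless without an outbound allow for the client's ephemeral port, and rule order decides which of two overlapping rules fires. The following simulator is an added worked example written for this chapter; it is not AWS code and not part of the study guide. Every rule number, CIDR and port in it is constructed.

```python
"""Stateless NACL vs stateful Security Group evaluation (added example).

Models three facts from the comparison table: a Network ACL evaluates rules
in ascending rule-number order, stops at the first match and denies anything
unmatched (the implicit '*' rule); being stateless, it must separately allow
the inbound request and the outbound reply; a Security Group is allow-only
and stateful, so the reply to a permitted request needs no rule of its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# AWS documentation recommends opening the full 1024-65535 range, because
# different client operating systems and NAT gateways pick ports across it.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number, lower is evaluated first (unused by Security Groups)
    action: str        # "allow" or "deny" (Security Groups only ever carry "allow")
    cidr: str          # remote CIDR the rule applies to
    port_from: int
    port_to: int
    protocol: str = "tcp"

    def matches(self, addr: str, port: int, protocol: str = "tcp") -> bool:
        return (protocol == self.protocol
                and ip_address(addr) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def nacl_decision(rules, addr, port, protocol="tcp") -> str:
    """First matching rule in ascending rule-number order wins; no match = deny ('*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(addr, port, protocol):
            return rule.action
    return "deny"


def nacl_permits_session(inbound, outbound, client_ip, client_port, server_port) -> bool:
    """Stateless: the inbound request AND the outbound reply must both be allowed."""
    request_ok = nacl_decision(inbound, client_ip, server_port) == "allow"
    reply_ok = nacl_decision(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok


def sg_permits_session(inbound, client_ip, client_port, server_port) -> bool:
    """Stateful: if any inbound allow rule matches the request, the reply to the
    client's ephemeral port is admitted automatically, so client_port is irrelevant."""
    return any(r.matches(client_ip, server_port) for r in inbound)


# --- constructed scenarios -------------------------------------------------

# Mistake: HTTPS is allowed in, but outbound only allows 443, so the reply to
# the client's ephemeral port is dropped by the implicit '*' deny.
BROKEN_IN = [Rule(100, "allow", "0.0.0.0/0", 443, 443)]
BROKEN_OUT = [Rule(100, "allow", "0.0.0.0/0", 443, 443)]

# Fix: add an outbound rule covering the ephemeral range.
FIXED_OUT = BROKEN_OUT + [Rule(110, "allow", "0.0.0.0/0", EPHEMERAL_LOW, EPHEMERAL_HIGH)]

# Rule order: a deny numbered below the broad allow fires for that CIDR; the
# same deny numbered above it is shadowed because rule 100 already matched.
ORDERED_IN = [Rule(90, "deny", "203.0.113.0/24", 443, 443)] + BROKEN_IN
SHADOWED_IN = BROKEN_IN + [Rule(200, "deny", "203.0.113.0/24", 443, 443)]

SG_IN = [Rule(0, "allow", "0.0.0.0/0", 443, 443)]


def demo():
    client, ephemeral = "198.51.100.7", 51000
    return {
        "nacl_missing_ephemeral": nacl_permits_session(BROKEN_IN, BROKEN_OUT, client, ephemeral, 443),
        "nacl_with_ephemeral": nacl_permits_session(BROKEN_IN, FIXED_OUT, client, ephemeral, 443),
        "nacl_deny_first": nacl_decision(ORDERED_IN, "203.0.113.9", 443),
        "nacl_deny_shadowed": nacl_decision(SHADOWED_IN, "203.0.113.9", 443),
        "sg_no_outbound_rule_needed": sg_permits_session(SG_IN, client, ephemeral, 443),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the pitfall directly: the NACL with only a 443 outbound rule fails the session even though the inbound rule is correct, the same traffic passes once the 1024-65535 outbound allow is added, and the Security Group passes it with no outbound rule at all.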

Decision tree

What's the threat?
  Web app attack → AWS WAF (L7: SQLi, XSS, bots)
  DDoS → Large-scale + cost concern?
    Yes → Shield Advanced ($3 000/mo + SRT)
    No → Shield Standard (free, auto on)
  Network access → Per-instance or subnet?
    Per-instance → Security Group (stateful)
    Subnet → Network ACL (stateless + deny)

Always: enable GuardDuty + Security Hub for cross-account threat aggregation

Cheat sheet

  • Defense in depth — never a single fence
  • VPC endpoints + PrivateLink keep AWS traffic off the internet
  • Security Groups stateful, NACLs stateless
  • Secrets Manager + rotation beats static credentials
  • WAF only attaches to CloudFront, ALB, API Gateway, AppSync
  • Shield Advanced: $3 000/month per payer account
  • Secrets Manager rotation: configurable schedule (commonly 30 / 60 / 90 days)
  • GuardDuty + Security Hub for org-wide detection
  • Parameter Store SecureString vs Secrets Manager
  • GuardDuty findings flow → EventBridge → Lambda for auto-response
  • Inspector scans EC2 + ECR + Lambda automatically
  • Network Firewall: stateful + managed rule groups for VPC-level inspection
  • Alternating-users rotation strategy eliminates credential downtime
  • AWS Managed Rules provide OWASP Top 10 coverage with zero maintenance
  • WAF rate-based rules automatically block IPs exceeding a request threshold
  • Reference a security group ID as source to avoid IP management
  • WAF evaluates rules lowest-priority-number first; Allow and Block are terminating
  • WAF scope-down statements exclude specific traffic from a managed rule group
  • Custom NACLs deny all traffic by default; rule order determines precedence
  • Use aws:SourceVpce or aws:SourceVpc to restrict S3 access to a specific VPC endpoint or VPC
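The WAF bullets above (lowest priority number first, Allow and Block terminating, scope-down statements, rate-based rules) are easiest to remember once you have seen the evaluation loop written out. The simulator below is an added worked example for this chapter; it is not AWS code and not part of the study guide. Rule names, priorities, the rate threshold, the toy SQLi signature that stands in for a managed rule group, and the sample requests are all constructed, and the rate counter is kept synchronously here whereas the real service aggregates counts with some lag.

```python
"""AWS WAF web ACL evaluation order, modelled in Python (added example).

Models: rules run in ascending priority number; ALLOW and BLOCK terminate
evaluation while COUNT does not; a scope-down statement decides whether a
rule (such as a managed rule group) inspects a request at all; a rate-based
rule blocks a source IP once it exceeds its request limit within the window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    src_ip: str
    path: str
    body: str = ""
    t: float = 0.0          # arrival time in seconds (constructed)


Predicate = Callable[[Request], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str             # "ALLOW", "BLOCK" or "COUNT"
    matches: Predicate
    scope_down: Optional[Predicate] = None  # when set, the rule only runs on requests satisfying it


class RateBasedRule:
    """Counts requests per source IP inside a sliding window; blocks above the limit."""
    scope_down = None

    def __init__(self, name, priority, limit, window_s, action="BLOCK"):
        self.name, self.priority, self.action = name, priority, action
        self.limit, self.window_s = limit, window_s
        self._seen = defaultdict(deque)   # src_ip -> timestamps still inside the window

    def matches(self, req):
        q = self._seen[req.src_ip]
        q.append(req.t)
        while q and req.t - q[0] > self.window_s:
            q.popleft()                   # forget requests older than the window
        return len(q) > self.limit


class WebAcl:
    def __init__(self, rules, default_action="ALLOW"):
        self.rules = sorted(rules, key=lambda r: r.priority)  # lowest priority number first
        self.default_action = default_action

    def evaluate(self, req):
        """Return (final action, names of the rules that matched)."""
        matched = []
        for rule in self.rules:
            if rule.scope_down is not None and not rule.scope_down(req):
                continue                  # scope-down excludes this request from the rule entirely
            if not rule.matches(req):
                continue
            matched.append(rule.name)
            if rule.action in ("ALLOW", "BLOCK"):
                return rule.action, matched   # terminating actions stop evaluation here
            # COUNT is non-terminating: record the match and keep going
        return self.default_action, matched


def build_acl():
    return WebAcl([
        Rule("allow-health", 0, "ALLOW", lambda r: r.path == "/health"),
        RateBasedRule("rate-limit", 10, limit=5, window_s=300),
        # Stand-in for a managed SQLi rule group, scoped down so the bulk-upload
        # endpoint is not body-inspected (a typical scope-down use).
        Rule("managed-sqli", 20, "BLOCK",
             lambda r: "UNION SELECT" in r.body.upper(),
             scope_down=lambda r: not r.path.startswith("/api/upload")),
        Rule("count-legacy", 30, "COUNT", lambda r: r.path.startswith("/legacy")),
    ])


def demo():
    acl = build_acl()
    burst = [acl.evaluate(Request("203.0.113.5", "/search", t=float(i)))[0] for i in range(6)]
    after_window = acl.evaluate(Request("203.0.113.5", "/search", t=400.0))[0]
    return {
        "health": acl.evaluate(Request("198.51.100.1", "/health")),
        "sqli_search": acl.evaluate(Request("198.51.100.1", "/search", body="x' UNION SELECT 1,2")),
        "sqli_upload_scoped_out": acl.evaluate(Request("198.51.100.1", "/api/upload", body="x' UNION SELECT 1,2")),
        "legacy_counted": acl.evaluate(Request("198.51.100.1", "/legacy/report")),
        "burst": burst,
        "after_window": after_window,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things worth noticing in the output: the scoped-out upload request falls through to the default action with no rule matched at all, because a scope-down statement removes the request from the rule's view rather than producing an allow; and the COUNT match on the legacy path is reported in the matched list while the final action still comes from the web ACL default, which is how you stage a new rule in production before switching it to BLOCK.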
