Domain 2 of 4 · Chapter 3 of 6

Security controls for new solutions

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Solutions Architect - Professional premium course — no separate purchase.

Included in this chapter:

  • Least-privilege IAM: roles, boundaries, and ABAC
  • Identity for applications and workforce
  • Data protection: KMS, ACM, Secrets Manager, S3
  • Network and edge security controls
  • Detective controls and exam pattern recognition

Choosing the right network / edge security control

DimensionSecurity groupNetwork ACLAWS WAFAWS Network Firewall
ScopePer ENI / instancePer subnetCloudFront / ALB / API GatewayVPC (per subnet via firewall endpoint)
OSI layerL3/L4 (stateful)L3/L4 (stateless)L7 (HTTP/HTTPS)L3-L7 stateful inspection
Allow vs DenyAllow rules onlyAllow and Deny rulesAllow, Block, Count, CAPTCHAAllow and Deny (Suricata rules)
Typical useMicrosegmentation between tiersBlock a specific IP/CIDR at subnet edgeSQLi/XSS, rate limiting, bot controlEgress filtering, domain allow-lists, IDS/IPS
StatefulYes (return traffic auto-allowed)No (must allow ephemeral ports)Yes (per request)Yes (stateful engine)

Decision tree

Where does the threatact?HTTP layer (L7)Inside VPCVPC egressApp attack orvolumetric DDoS?Need an explicit Denyfor an IP/CIDR?AWS Network Firewall(egress / IDS-IPS)App (SQLi/XSS)DDoSAWS WAF(L7 on CF/ALB/APIGW)Shield Advanced($3,000/mo + SRT)YesNoNetwork ACL(stateless, Deny)Security group(stateful, allow-only)Private service access?PrivateLink + CloudFront OACAlways: enable GuardDuty + Security Hub for continuous threat detection

Cheat sheet

  • Compute uses roles, never stored access keys
  • Permissions boundary caps, never grants
  • Boundary delegates role creation safely
  • ABAC scales access by tag matching
  • Default 10 managed policies per role (max 25)
  • Cognito user pool authenticates; identity pool authorizes to AWS
  • Cognito identity pools support guest (unauthenticated) roles
  • IAM Identity Center for workforce, Cognito for app users
  • STS request quota is 600/sec per account per Region
  • Role session is 15 min–12 hours, default 1 hour
  • KMS uses envelope encryption
  • Cross-account KMS needs BOTH key policy and IAM policy
  • Customer-managed KMS keys cost ~$1/key/month
  • KMS key deletion has a 7–30 day waiting period
  • Secrets Manager managed rotation needs no Lambda for RDS/Aurora
  • Security group vs network ACL: stateful allow vs stateless deny
  • WAF is L7; Shield is DDoS; Network Firewall is VPC egress
  • WAF rate-based rule: minimum 10, window 60/120/300/600s
  • Shield Advanced is $3,000/month per payer account
  • PrivateLink keeps service traffic off the internet
  • CloudFront OAC keeps the S3 origin private
  • Detective stack: GuardDuty, Security Hub, CloudTrail, Config
  • Macie finds PII; Inspector finds CVEs
  • S3 Block Public Access plus default encryption by default
  • KMS multi-Region keys share key material across Regions
  • Use a CloudHSM custom key store for single-tenant FIPS 140-2/140-3 Level 3 keys
  • Reference a security group as the source to isolate application tiers

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. IAM roles
  2. AWS STS API reference
  3. Permissions boundaries for IAM entities
  4. Attribute-based access control (ABAC) for AWS
  5. What is IAM Identity Center
  6. Amazon Cognito user pools
  7. Amazon Cognito identity pools
  8. AWS KMS concepts (envelope encryption)
  9. AWS KMS grants
  10. What is AWS Certificate Manager
  11. Blocking public access to your Amazon S3 storage
  12. What is AWS Secrets Manager
  13. Security groups for your VPC
  14. Network ACLs
  15. What is AWS WAF
  16. AWS Shield Advanced overview
  17. What is AWS Network Firewall
  18. What is AWS PrivateLink
  19. Restricting access to an Amazon S3 origin (OAC)
  20. What is Amazon GuardDuty
  21. What is AWS Security Hub
  22. AWS CloudTrail user guide
  23. What is AWS Config
  24. What is Amazon Macie
  25. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
  26. What is Amazon Inspector