Security controls for new solutions
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Solutions Architect - Professional premium course — no separate purchase.
Included in this chapter:
- Least-privilege IAM: roles, boundaries, and ABAC
- Identity for applications and workforce
- Data protection: KMS, ACM, Secrets Manager, S3
- Network and edge security controls
- Detective controls and exam pattern recognition
Choosing the right network / edge security control
| Dimension | Security group | Network ACL | AWS WAF | AWS Network Firewall |
|---|---|---|---|---|
| Scope | Per ENI / instance | Per subnet | CloudFront / ALB / API Gateway | VPC (per subnet via firewall endpoint) |
| OSI layer | L3/L4 (stateful) | L3/L4 (stateless) | L7 (HTTP/HTTPS) | L3-L7 stateful inspection |
| Allow vs Deny | Allow rules only | Allow and Deny rules | Allow, Block, Count, CAPTCHA | Allow and Deny (Suricata rules) |
| Typical use | Microsegmentation between tiers | Block a specific IP/CIDR at subnet edge | SQLi/XSS, rate limiting, bot control | Egress filtering, domain allow-lists, IDS/IPS |
| Stateful | Yes (return traffic auto-allowed) | No (must allow ephemeral ports) | Yes (per request) | Yes (stateful engine) |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
- CLF-C02 AWS Certified Cloud Practitioner
- DVA-C02 AWS Certified Developer - Associate
- PCA Professional Cloud Architect
- PDE Professional Data Engineer
- SAA-C03 AWS Certified Solutions Architect – Associate
- SAA-C03 AWS Certified Solutions Architect – Associate
- SAA-C03 AWS Certified Solutions Architect – Associate
References
- IAM roles
- AWS STS API reference
- Permissions boundaries for IAM entities
- Attribute-based access control (ABAC) for AWS
- What is IAM Identity Center
- Amazon Cognito user pools
- Amazon Cognito identity pools
- AWS KMS concepts (envelope encryption)
- AWS KMS grants
- What is AWS Certificate Manager
- Blocking public access to your Amazon S3 storage
- What is AWS Secrets Manager
- Security groups for your VPC
- Network ACLs
- What is AWS WAF
- AWS Shield Advanced overview
- What is AWS Network Firewall
- What is AWS PrivateLink
- Restricting access to an Amazon S3 origin (OAC)
- What is Amazon GuardDuty
- What is AWS Security Hub
- AWS CloudTrail user guide
- What is AWS Config
- What is Amazon Macie
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
- What is Amazon Inspector