Lesson 17

Security Services

KMS, WAF, Shield, AWS Organizations, and Amazon Cognito — protecting your AWS environment

AWS Key Management Service (KMS)

AWS KMS enables you to create and manage encryption keys and control their use across AWS services and your applications.

Key Features

  • Customer Master Keys (CMKs): Logical representations of a master key. CMKs control access to data encryption keys that encrypt and decrypt your data.
  • Hardware Security Modules (HSMs): Keys are protected by FIPS 140-2 validated HSMs.
  • CloudTrail integration: Every key usage is logged to CloudTrail for auditing and compliance.
  • Service integration: Works with S3, EBS, EFS, RDS, DynamoDB, and most AWS services automatically.
  • Import your own keys: You can import keys from your own key management infrastructure.
  • Fine-grained control: Specify which IAM users and roles can use specific keys, and under what conditions.

Key distinction: KMS manages encryption keys. CloudHSM provides dedicated hardware security modules (single-tenant, FIPS 140-2 Level 3). For CLF-C02, focus on KMS — it handles the encryption needs for most services.
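The CloudTrail integration above is what makes KMS auditable in practice: every Encrypt, Decrypt and GenerateDataKey call lands in the trail with the calling principal and the key ARN. The script below is an added example (not code from the lesson or from AWS) that groups a batch of CloudTrail records by key and principal and separates successful calls from AccessDenied attempts. The records, ARNs and account id are constructed placeholders; only the CloudTrail fields the script reads are included.

```python
"""Audit AWS KMS key usage from CloudTrail records.

Added example, not code from the lesson or from AWS. CloudTrail records
every KMS API call; this script groups a batch of records by key and
principal and separates successful calls from AccessDenied attempts, which
is the view an auditor wants when reviewing who used which key.
The records, ARNs and account id below are constructed placeholders.
"""
from collections import defaultdict

ACCOUNT = "111122223333"                                          # placeholder account id
KEY_A = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-A"      # placeholder key ARNs
KEY_B = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-B"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-role"
ETL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/etl-role"
INTERN = f"arn:aws:iam::{ACCOUNT}:user/intern"


def _record(time, source, name, principal, key_arn=None, error=None):
    """Build a minimal CloudTrail-style record (only the fields used below)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": principal}, "resources": []}
    if key_arn:
        rec["resources"].append({"type": "AWS::KMS::Key", "ARN": key_arn})
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample trail: three successful uses of key A by the app role,
# one denied Decrypt by a user the key policy does not cover, one use of
# key B by the ETL role, and one non-KMS event that must be ignored.
SAMPLE_RECORDS = [
    _record("2026-06-01T10:00:01Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, KEY_A),
    _record("2026-06-01T10:00:02Z", "kms.amazonaws.com", "GenerateDataKey", APP_ROLE, KEY_A),
    _record("2026-06-01T10:00:03Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, KEY_A),
    _record("2026-06-01T10:00:04Z", "kms.amazonaws.com", "Decrypt", INTERN, KEY_A, "AccessDenied"),
    _record("2026-06-01T10:00:05Z", "kms.amazonaws.com", "Encrypt", ETL_ROLE, KEY_B),
    _record("2026-06-01T10:00:06Z", "s3.amazonaws.com", "GetObject", APP_ROLE),
]


def kms_usage_report(records):
    """Return {key_arn: {"allowed": {principal: n}, "denied": {principal: n}}}."""
    report = defaultdict(lambda: {"allowed": defaultdict(int), "denied": defaultdict(int)})
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue                                   # not a KMS call
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        # Some KMS calls (e.g. ListKeys) name no key; keep them under a generic bucket.
        keys = [r["ARN"] for r in rec.get("resources", []) if "ARN" in r] or ["(no key)"]
        outcome = "denied" if rec.get("errorCode") else "allowed"
        for key_arn in keys:
            report[key_arn][outcome][principal] += 1
    # Convert the nested defaultdicts to plain dicts for readable output.
    return {k: {o: dict(v[o]) for o in ("allowed", "denied")} for k, v in report.items()}


def denied_principals(records):
    """Sorted list of principals refused by any key: the access-review queue."""
    report = kms_usage_report(records)
    return sorted({p for entry in report.values() for p in entry["denied"]})


if __name__ == "__main__":
    for key_arn, entry in kms_usage_report(SAMPLE_RECORDS).items():
        print(key_arn)
        print("  allowed:", entry["allowed"])
        print("  denied: ", entry["denied"])
    print("review:", denied_principals(SAMPLE_RECORDS))
```

Real CloudTrail files wrap the list in a top-level `Records` key; point `kms_usage_report` at that list and the grouping works unchanged. A denied Decrypt from a principal that never appears under "allowed" is the event worth following up, since it means the key policy or an IAM policy refused a caller that was trying to use the key.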

AWS Shield

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency.

Shield Standard (Free)

  • Automatically enabled for all AWS customers at no additional cost.
  • Protects against the most common infrastructure-layer (Layer 3/4) DDoS attacks:
    • UDP floods (volumetric)
    • TCP SYN floods (state exhaustion)
    • Reflection attacks
  • Integrated with CloudFront and Route 53 by default.

Shield Advanced (Paid)

  • Additional protection against larger, more sophisticated attacks.
  • Covers EC2, Elastic Load Balancing, CloudFront, Global Accelerator, and Route 53.
  • DDoS Response Team (DRT): Available 24/7 — but requires Business or Enterprise Support plan.
  • Includes cost protection: if DDoS causes a scaling spike in your AWS bill, Shield Advanced provides credits.
  • Provides detailed attack diagnostics and visibility through CloudWatch metrics.

AWS WAF (Web Application Firewall)

AWS WAF is a web application firewall that protects web applications from common web exploits that could affect availability, compromise security, or consume excessive resources.

Key Capabilities

  • Custom rules: Define rules to block, allow, or monitor (count) web requests based on conditions you specify — IP addresses, HTTP headers, URI strings, SQL injection patterns, cross-site scripting (XSS).
  • Managed rule groups: Pre-configured rules from AWS and AWS Marketplace sellers (e.g., OWASP Top 10 protection).
  • Rate-based rules: Automatically block IPs that exceed a request-rate threshold (e.g., block IPs making more than 2,000 requests in 5 minutes).
  • Integration: Deploy on CloudFront, Application Load Balancer, API Gateway, and AWS AppSync.

Shield vs. WAF: Shield protects against DDoS (volumetric, network-level attacks). WAF protects against application-layer attacks (SQL injection, XSS, bad bots). They are complementary and often used together.
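The rule types listed under Key Capabilities combine in one web ACL, evaluated in priority order. The simulation below is an added example (not code from the lesson or from AWS) that models that evaluation over a constructed request stream: match rules with the three WAF actions (allow, block, count) and a rate-based rule that blocks a source IP while it exceeds a request threshold inside a sliding window. The IPs, URIs, allowlist and the scaled-down limit used in the demo run are all constructed; the 2,000-requests-per-5-minutes default comes from the lesson.

```python
"""Simulate AWS WAF rule evaluation over a constructed request stream.

Added example, not code from the lesson or from AWS. It models the two rule
kinds the lesson describes: match rules with the three WAF actions
(allow, block, count) and a rate-based rule that blocks a source IP while it
exceeds a request threshold inside a sliding window. Rules are evaluated in
priority order; the first allow or block decides, count only records a hit.
IPs, URIs, the allowlist and the scaled-down demo limit are constructed.
"""
from collections import defaultdict, deque

RATE_LIMIT = 2000           # lesson figure: more than 2,000 requests ...
WINDOW_SECONDS = 300        # ... in 5 minutes
ALLOWLIST = {"192.0.2.1"}   # constructed: e.g. an internal health checker


class RateBasedRule:
    """Block a source IP while it has sent more than `limit` requests in the last `window` seconds."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> request timestamps still inside the window

    def evaluate(self, request):
        q = self.hits[request["ip"]]
        q.append(request["ts"])
        while q and request["ts"] - q[0] >= self.window:   # expire old timestamps
            q.popleft()
        return "block" if len(q) > self.limit else None


def match_rules():
    """Priority-ordered (name, predicate, action) rules; predicates see the request dict."""
    return [
        ("allow-trusted-ip", lambda r: r["ip"] in ALLOWLIST, "allow"),
        ("block-missing-user-agent", lambda r: not r["headers"].get("user-agent"), "block"),
        ("monitor-admin", lambda r: r["uri"].startswith("/admin"), "count"),
    ]


def run_acl(requests, limit=RATE_LIMIT, window=WINDOW_SECONDS):
    """Evaluate every request; return allowed/blocked totals, count-rule hits and per-request decisions."""
    rate_rule = RateBasedRule(limit, window)
    rules = match_rules()
    summary = {"allowed": 0, "blocked": 0, "counted": defaultdict(int), "decisions": []}
    for req in requests:
        action = None
        for name, pred, rule_action in rules:
            if pred(req):
                if rule_action == "count":
                    summary["counted"][name] += 1   # count mode: log the hit, keep evaluating
                    continue
                action = rule_action
                break
        if action is None:
            # The rate rule sits last, so it only sees requests no earlier rule decided.
            action = rate_rule.evaluate(req) or "allow"   # web ACL default action: allow
        summary["allowed" if action == "allow" else "blocked"] += 1
        summary["decisions"].append((req["ts"], req["ip"], action))
    summary["counted"] = dict(summary["counted"])
    return summary


def _req(ts, ip, uri="/", user_agent="Mozilla/5.0"):
    headers = {"user-agent": user_agent} if user_agent else {}
    return {"ts": ts, "ip": ip, "uri": uri, "headers": headers}


# Constructed traffic: normal browsing, a client with no User-Agent, an /admin probe,
# a trusted IP that skips later rules, a 15-request burst and one request after the window.
SAMPLE_REQUESTS = (
    [_req(1, "203.0.113.9"), _req(2, "203.0.113.9", "/search?q=kms"),
     _req(3, "203.0.113.9", user_agent=""),
     _req(4, "203.0.113.9", "/admin/login"),
     _req(5, "192.0.2.1", user_agent="")]
    + [_req(100 + i, "198.51.100.7") for i in range(15)]
    + [_req(200, "198.51.100.7")]
)

if __name__ == "__main__":
    result = run_acl(SAMPLE_REQUESTS, limit=10, window=60)
    print({k: v for k, v in result.items() if k != "decisions"})
```

Running with `limit=10, window=60` shows the behaviour the lesson describes: the burst from 198.51.100.7 is allowed for the first ten requests and blocked for the remaining five, and the same IP is allowed again once its earlier requests fall out of the window. The count rule never decides a request, which is why WAF count mode is the safe way to trial a new rule before switching it to block.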

AWS Organizations & SCPs

AWS Organizations enables you to consolidate multiple AWS accounts into an organization that you centrally manage.

Key Security Features

  • Organizational Units (OUs): Group accounts hierarchically (e.g., Production OU, Development OU). Attach different policies to each OU.
  • Service Control Policies (SCPs): JSON policies that specify the maximum permissions for accounts in the organization. SCPs never grant permissions — they only restrict them. They act as a guardrail that defines what users and roles can do.
  • IAM + SCP intersection: Permissions = intersection of what SCP allows (guardrail) AND what IAM policies grant. Both must permit the action.
  • SCPs override administrators: Even the admin of a member account cannot exceed the SCP restrictions set at the organization or OU level.
  • Consolidated billing: Single payment method for all accounts, with volume pricing discounts.

Amazon Cognito

Amazon Cognito adds user sign-up, sign-in, and access control to web and mobile applications. It handles user identity management so you don't have to build it yourself.

Key Features

  • User pools: A user directory that provides sign-up and sign-in for your app users. Scales to millions of users.
  • Identity pools: Provides temporary AWS credentials for users to access AWS services (e.g., let an app user upload to S3 without embedding AWS keys in the app).
  • Federation: Users can sign in through social identity providers (Facebook, Google, Amazon) or enterprise providers (Microsoft Active Directory) via SAML 2.0.
  • Compliance: Supports HIPAA, PCI DSS, SOC, ISO 27001, ISO 9001.
  • SAML 2.0 support: Enables single sign-on (SSO) — sign in once with corporate credentials to access multiple SAML-enabled applications.

Security Services Quiz

Select one answer per question.

1. A company wants to enable server-side encryption for their Amazon S3 buckets. Which AWS service manages the encryption keys?
2. A company wants protection against DDoS attacks at the infrastructure layer (Layer 3/4). Which AWS service provides this at no additional cost?
3. An application receives a high volume of requests from a single IP address. The security team wants to block this IP. Which service can filter web traffic based on IP addresses and HTTP headers?
4. An organization with multiple AWS accounts wants to restrict all member accounts from using services that are not HIPAA-eligible. What should they use?
5. A mobile application needs a user sign-up and sign-in feature that allows authentication via Google and Facebook. Which AWS service provides this?

Primary Source: AWS Academy Module 4: AWS Cloud Security (module-4.txt) — Sections 4, 5: Securing accounts, AWS Organizations, KMS, Cognito, Shield. AWS WAF from exam guide objectives.

Last updated: June 2026. © 2026 Shahriar Ahmed Shovon.