1.2 Prescribe Security Controls
Identity Management
AWS IAM (Identity and Access Management)
- Principals: Users (People), Roles (Applications/Services/Federated Users).
- Policies:
  - Identity-based: Attached to User/Role/Group.
  - Resource-based: Attached to resource (S3 Bucket Policy, KMS Key Policy).
  - Permissions Boundary: Sets the maximum permissions an entity can have.
- Evaluation Logic: Explicit Deny > Explicit Allow > Default Deny.
IAM Identity Center (formerly SSO)
- Use Case: Centralized login for multiple AWS accounts and business apps.
- Source: Can integrate with Active Directory (AD), External IdPs (Okta, Azure AD), or standalone.
Cross-Account Access
- Role Assumption: Best practice for granting access to external accounts.
  - Account A (Trusted): Has the user.
  - Account B (Trusting): Has the Role + Trust Policy allowing Account A.
- External ID: Used to prevent the “Confused Deputy” problem when a third party accesses your account.
WARNING
Exam Gotcha: IAM Groups cannot be principals in a policy. You cannot assume a role into a Group. You assume a role as a User or Service.
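The cross-account trust check described above, as an added Python example that is not part of these notes or of any AWS code: the trust policy document, the placeholder account IDs and the `can_assume_role` helper (with `_principal_matches` and `_conditions_hold`) are constructed assumptions, and only the Principal, Action and the StringEquals/StringLike condition operators are modelled. It shows why the External ID condition addresses the confused-deputy case: the same trusted account is refused when it does not present the agreed ID.

```python
"""AssumeRole trust policy with an External ID, checked in Python.

Added example for these notes, not AWS code. The trust policy is a
constructed sample for a role in Account B (the trusting account); the account
IDs are placeholders and `can_assume_role` plus its helpers are assumptions
made for illustration.
"""
import fnmatch

# Account B's role trusts Account A, but only when the caller presents the
# External ID agreed with the third party that operates in Account A.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # Account A (placeholder id)
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_account):
    """True if the statement's AWS principal covers the caller's account.

    The root ARN (arn:aws:iam::<account>:root) delegates to IAM in that
    account, so any user or role of that account is treated as matching.
    """
    for arn in _as_list(principal.get("AWS", [])):
        if arn == "*" or arn.split(":")[4] == caller_account:
            return True
    return False


def _conditions_hold(condition, context):
    """Evaluate StringEquals / StringLike against the request context.

    A condition key missing from the context (no External ID sent) fails.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
    return True


def can_assume_role(trust_policy, caller_account, external_id=None):
    """Explicit Deny > matching Allow > default Deny for an sts:AssumeRole call."""
    context = {} if external_id is None else {"sts:ExternalId": external_id}
    allowed = False
    for stmt in trust_policy["Statement"]:
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])):
            continue
        if not _principal_matches(stmt["Principal"], caller_account):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # The third party acting for you presents your External ID: allowed.
    print(can_assume_role(ROLE_TRUST_POLICY, "111111111111", "example-external-id"))
    # The same third party, asked by someone else to use your role, has no
    # reason to send your External ID, so the request is refused (confused deputy).
    print(can_assume_role(ROLE_TRUST_POLICY, "111111111111"))
    # An account that is not named in the trust policy is never allowed.
    print(can_assume_role(ROLE_TRUST_POLICY, "222222222222", "example-external-id"))
```

Two detection-side points follow from the model: the External ID is part of the request context, so CloudTrail `AssumeRole` events from the trusted account without it are the signal to alert on, and a trust policy whose Principal is `*` without a Condition matches every account and should be flagged by IAM Access Analyzer.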
Network Security
Security Groups (SG) vs. Network ACLs (NACL)
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful (Return traffic allowed automatically) | Stateless (Return traffic must be explicitly allowed) |
| Rules | Allow only | Allow and Deny |
| Order | All rules evaluated | Numbered order (lowest processed first) |
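The four differences in the table, as an added Python simulation that is not part of these notes or of any AWS code: `Packet`, the rule dictionaries, `security_group_allows` and `nacl_allows` are assumptions, and the addresses are constructed from the RFC 5737 documentation ranges. It shows an HTTPS reply leaving through a Security Group with no extra rule but being dropped by a NACL until an outbound ephemeral-port rule exists, and why a NACL deny must be numbered lower than the allow it is meant to override.

```python
"""Stateful Security Group vs. stateless Network ACL, simulated in Python.

Added example for these notes, not AWS code. The rule dictionaries, the
`Packet` class and the two evaluation functions are assumptions made for
illustration; the sample rules and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # ports a client picks for its side of a connection


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" or "out", relative to the instance / subnet
    protocol: str        # "tcp" or "udp"
    port: int            # destination port in that direction
    remote_ip: str       # the non-AWS end of the flow
    reply: bool = False  # True if this is return traffic of an allowed flow


def _rule_matches(rule, packet):
    """Shared match test: direction, protocol, port range and remote CIDR."""
    low, high = rule["ports"]
    return (
        rule["direction"] == packet.direction
        and rule["protocol"] in (packet.protocol, "all")
        and low <= packet.port <= high
        and ipaddress.ip_address(packet.remote_ip) in ipaddress.ip_network(rule["cidr"])
    )


def security_group_allows(rules, packet):
    """Security Group: allow-only rules, every rule evaluated, stateful.

    Return traffic of an allowed flow is accepted without any rule for it;
    that is what 'stateful' means in the table.
    """
    if packet.reply:
        return True
    return any(_rule_matches(r, packet) for r in rules)


def nacl_allows(rules, packet):
    """Network ACL: numbered rules checked lowest first, first match wins,
    rules can allow or deny, replies are evaluated like any other packet
    (stateless), and anything unmatched hits the implicit final deny."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _rule_matches(rule, packet):
            return rule["action"] == "allow"
    return False


# Constructed rule sets: inbound HTTPS from anywhere.
SG_RULES = [
    {"direction": "in", "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
]
NACL_RULES = [
    {"number": 100, "direction": "in", "protocol": "tcp", "ports": (443, 443),
     "cidr": "0.0.0.0/0", "action": "allow"},
]
# The same NACL with the outbound ephemeral-port rule a stateless filter needs.
NACL_RULES_WITH_REPLY = NACL_RULES + [
    {"number": 100, "direction": "out", "protocol": "tcp", "ports": EPHEMERAL,
     "cidr": "0.0.0.0/0", "action": "allow"},
]


def https_reply_outcomes():
    """Does the HTTPS response (instance -> client, ephemeral dst port) get out?"""
    reply = Packet("out", "tcp", 50000, "203.0.113.5", reply=True)
    return {
        "security_group": security_group_allows(SG_RULES, reply),
        "nacl": nacl_allows(NACL_RULES, reply),
        "nacl_with_ephemeral_rule": nacl_allows(NACL_RULES_WITH_REPLY, reply),
    }


def nacl_order_outcomes(deny_rule_number):
    """Add a deny for one /24 to a NACL whose rule 100 allows 443 from anywhere.

    Returns (blocked client admitted?, other client admitted?). The deny only
    takes effect if its number is lower than 100, because the first matching
    rule decides.
    """
    rules = NACL_RULES_WITH_REPLY + [
        {"number": deny_rule_number, "direction": "in", "protocol": "tcp",
         "ports": (443, 443), "cidr": "198.51.100.0/24", "action": "deny"},
    ]
    blocked_client = Packet("in", "tcp", 443, "198.51.100.7")
    other_client = Packet("in", "tcp", 443, "203.0.113.5")
    return nacl_allows(rules, blocked_client), nacl_allows(rules, other_client)


if __name__ == "__main__":
    print(https_reply_outcomes())
    print("deny as rule 90:", nacl_order_outcomes(90))
    print("deny as rule 110:", nacl_order_outcomes(110))
```

The second function is the one to keep in mind when a NACL "deny" seems to do nothing: a rule numbered above the broad allow is unreachable for the traffic it names, which is a common misconfiguration to look for in a review.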
AWS WAF (Web Application Firewall)
- Protects: CloudFront, ALB, API Gateway, AppSync.
- Rules: SQL injection, XSS, geo-blocking, rate-based rules (DDoS protection).
WARNING
Exam Gotcha: WAF cannot be attached directly to an EC2 instance. It must be fronted by an ALB or CloudFront.
Governance & Multi-Account Management
AWS Organizations
- Service Control Policies (SCPs): JSON policies applied to OUs or Accounts.
- Function: They define the maximum permissions. They DO NOT grant permissions. They act as a filter.
- Inheritance: Permissions flow down. Block at Root = Block everywhere.
- Management Account: The payer account. SCPs do not affect the Management Account itself.
WARNING
Exam Gotcha: Even if an IAM AdministratorAccess policy allows `*`, an SCP denying `ec2:*` will prevent that user from launching instances. Implicit Deny: If an SCP does not explicitly allow a service (e.g. at Root), is it denied by default? No: the default SCP is `FullAWSAccess`, which allows everything. If you replace it, ensure you Allow what you need.
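The evaluation order from the IAM section (Explicit Deny > Explicit Allow > Default Deny) and the SCP-as-filter behaviour from this warning, combined in one added Python example that is not part of these notes or of any AWS code: it models Action matching only (Resource and Condition are ignored), the policy documents are constructed, and `evaluate_policy`, `is_authorized` and `exam_gotchas` are assumed names. It reproduces the AdministratorAccess-plus-`Deny ec2:*` case, a replacement SCP that omits a service, an SCP that allows everything but grants nothing, and a permissions boundary narrowing an admin.

```python
"""Simplified IAM authorization: identity-based policy, permissions boundary
and SCPs combined, each with Explicit Deny > Explicit Allow > Default Deny.

Added example for these notes, not AWS code. Only Action matching is modelled
(Resource and Condition are ignored); the policy documents are constructed
samples and the function names are assumptions.
"""
import fnmatch


def _statement_covers(statement, action):
    """True if the statement's Action (string or list, '*' wildcards) names the action."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def evaluate_policy(policy, action):
    """Decision of one policy document: 'deny', 'allow' or 'implicit_deny'."""
    decision = "implicit_deny"
    for statement in policy["Statement"]:
        if not _statement_covers(statement, action):
            continue
        if statement["Effect"] == "Deny":
            return "deny"  # an explicit deny beats any allow in the same document
        decision = "allow"
    return decision


def _level_allows(policies, action):
    """SCPs attached at one OU level are unioned: some must allow, none may deny."""
    decisions = [evaluate_policy(p, action) for p in policies]
    return "deny" not in decisions and "allow" in decisions


def is_authorized(action, identity_policy, scp_levels=(), permissions_boundary=None):
    """Combine the policy types the way the notes describe.

    scp_levels lists the SCPs at each level from Root down to the account.
    SCPs and the boundary are filters: they never grant, they only cap what the
    identity-based policy may grant, and an action a filter omits is denied.
    """
    for level in scp_levels:
        if not _level_allows(level, action):
            return False
    if permissions_boundary is not None and evaluate_policy(permissions_boundary, action) != "allow":
        return False
    return evaluate_policy(identity_policy, action) == "allow"


# Constructed policy documents.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17",  # the default SCP on every OU and account
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_EC2_SCP = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
S3_ONLY_SCP = {"Version": "2012-10-17",  # a FullAWSAccess replacement that forgot EC2
               "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
S3_ONLY_BOUNDARY = S3_ONLY_SCP  # the same document used as a permissions boundary
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

# Root keeps FullAWSAccess; the OU below it adds the Deny ec2:* SCP next to it.
ROOT_AND_OU = [[FULL_AWS_ACCESS_SCP], [FULL_AWS_ACCESS_SCP, DENY_EC2_SCP]]


def exam_gotchas():
    """Decisions for the cases in the warning above, plus two boundary cases."""
    return {
        "admin_with_deny_ec2_scp": is_authorized("ec2:RunInstances", ADMINISTRATOR_ACCESS, ROOT_AND_OU),
        "admin_with_deny_ec2_scp_s3": is_authorized("s3:GetObject", ADMINISTRATOR_ACCESS, ROOT_AND_OU),
        "admin_with_s3_only_scp": is_authorized("ec2:RunInstances", ADMINISTRATOR_ACCESS, [[S3_ONLY_SCP]]),
        "scp_alone_grants_nothing": is_authorized("s3:GetObject", EMPTY_POLICY, [[FULL_AWS_ACCESS_SCP]]),
        "boundary_blocks_ec2": is_authorized("ec2:RunInstances", ADMINISTRATOR_ACCESS,
                                             [[FULL_AWS_ACCESS_SCP]], S3_ONLY_BOUNDARY),
        "boundary_permits_s3": is_authorized("s3:GetObject", ADMINISTRATOR_ACCESS,
                                             [[FULL_AWS_ACCESS_SCP]], S3_ONLY_BOUNDARY),
    }


if __name__ == "__main__":
    for case, allowed in exam_gotchas().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Each OU level is a list of SCPs because several SCPs attached at the same level are unioned, while across levels every level from Root to the account must allow the action; that is why the notes say "Block at Root = Block everywhere" and why the Management Account, which SCPs do not apply to, is the exception.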
Encryption & Key Management
AWS KMS (Key Management Service)
- CMK (Customer Master Key) Types:
  - AWS Managed: Free, auto-rotated (1 year), used by services by default.
  - Customer Managed: Paid, user-controlled rotation (optional, 1 year), strictly controlled policies.
- Key Policies: The primary way to control access to a KMS key. IAM policies alone are not enough unless the Key Policy allows IAM access.
- Multi-Region Keys: Replicate keys across regions to decrypt data in DR regions without re-encrypting.
WARNING
Exam Gotcha: If you lose the key material for an Imported Key, you cannot decrypt the data. AWS Managed Keys cannot be used for custom encryption operations in code; they are for AWS services only.
AWS Certificate Manager (ACM)
- Public Certs: Free, auto-renewed only if DNS/Email validation remains valid and in use by an AWS resource (ELB, CloudFront).
- Private Certs: Paid (Private CA), used for internal instances/services.
WARNING
Exam Gotcha: You generally cannot export the private key of a public ACM certificate. It must be used on an integrated AWS service (ELB, CloudFront, API Gateway).
Centralized Monitoring
AWS Security Hub
- Function: Aggregates alerts (findings) from GuardDuty, Inspector, Macie, and IAM Access Analyzer.
- Standards: Checks against CIS Benchmarks, PCI-DSS.
Amazon GuardDuty
- Function: Intelligent threat detection (ML-based).
- Sources: VPC Flow Logs, CloudTrail Logs, DNS Logs (and now EKS/S3/Lambda data).
- Agentless: Does not require installing software on EC2.
WARNING
Exam Gotcha: GuardDuty is Regional. You must enable it in every region (or via Organizations) to have full coverage.