2.3 Security Controls (New Solutions)
Application Security
AWS Shield
- Shield Standard: Free. Protects against common L3/L4 attacks (SYN floods).
- Shield Advanced: Paid ($3k/mo). Protects against sophisticated attacks. Includes DDoS Response Team (DRT) support and cost protection (credits for the scaling charges incurred during an attack).
VPC Endpoints (Cheatsheet)
| Type | Interface Endpoint (PrivateLink) | Gateway Endpoint |
|---|---|---|
| Technology | ENI with Private IP | Route Table Entry |
| Scope | Most AWS Services (SQS, SNS, Kinesis, etc.) | S3 and DynamoDB ONLY |
| Cost | Hourly charge + Data processing | Free |
| Access | Can be accessed from on-prem via VPN/DX | Cannot be accessed from on-prem (usually) |
WARNING
Exam Gotcha: If you need to access S3 from on-prem via private connectivity, you usually need an Interface Endpoint for S3 (or a proxy), because Gateway Endpoints don’t support VPN/DX access natively.
Access Control
Least Privilege Strategies
- IAM Access Analyzer: Identifies resources shared with external principals.
- Permissions Boundaries: Use for delegating admin rights to developers (e.g., “You can create users, but only with this boundary attached”).
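The delegation pattern in the second bullet, as an added example (not from these notes): the developer's identity policy allows iam:CreateUser only when the request carries the required boundary, checked through the iam:PermissionsBoundary condition key, and denies removing or rewriting the boundary. The account id and policy name are placeholders, and the evaluator is a deliberately simplified model of IAM's Deny-then-Allow logic, not the real engine.

```python
import fnmatch

ACCOUNT_ID = "111122223333"  # constructed placeholder account
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/DeveloperBoundary"  # placeholder name

# Identity policy attached to developers: they may create users named dev-*, but
# only when the request attaches the boundary, and they may never strip the boundary
# off a principal or alter the boundary policy itself (explicit Deny always wins).
DELEGATED_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOnlyWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateUser", "iam:AttachUserPolicy",
                       "iam:PutUserPermissionsBoundary"],
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:user/dev-*",
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {
            "Sid": "NoBoundaryTampering",
            "Effect": "Deny",
            "Action": ["iam:DeleteUserPermissionsBoundary", "iam:CreatePolicyVersion",
                       "iam:DeletePolicy", "iam:SetDefaultPolicyVersion"],
            "Resource": "*",
        },
    ],
}

def evaluate(policy, action, resource, context):
    """Simplified single-policy evaluator: explicit Deny wins, otherwise any matching
    Allow whose StringEquals conditions hold grants; a missing context key fails."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) != v for k, v in conds.items()):
            continue  # condition not satisfied (boundary missing or wrong)
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_create_user(user_name, boundary_arn=None):
    ctx = {"iam:PermissionsBoundary": boundary_arn} if boundary_arn else {}
    return evaluate(DELEGATED_ADMIN, "iam:CreateUser", f"arn:aws:iam::{ACCOUNT_ID}:user/{user_name}", ctx)
```

Running can_create_user with and without the boundary shows the gotcha from the bullet: the same CreateUser call is allowed only when the request attaches the approved boundary.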
Cognito (User Auth)
- User Pools: Identity provider (Sign up/Sign in). Returns JWT.
- Identity Pools: Federation. Exchanges JWT/SAML for temporary AWS IAM Credentials.
WARNING
Exam Gotcha: Use User Pools for authentication (username/password). Use Identity Pools for authorization (exchanging the token for temporary AWS credentials to access S3/DynamoDB directly).