3.2 Security Improvement

Secrets Management

Secrets Manager vs. Parameter Store (Cheatsheet)

Feature	Secrets Manager	Systems Manager Parameter Store
Primary Use	DB Credentials, API Keys	Config strings, AMI IDs, Secrets
Rotation	Built-in (Lambda)	No (Manual/Custom)
Cost	Paid ($0.40/secret/mo)	Free (Standard), Paid (Advanced)
Cross-Account	Yes	Yes (Advanced tier only)

WARNING

Exam Gotcha: If the question mentions automatic rotation of RDS credentials, the answer is Secrets Manager.

Compliance & Auditing

AWS Config

Function: Configuration history and Compliance auditing.
Rules:
- Managed: “S3 buckets should not be public”.
- Custom: Lambda function to check logic.
Remediation: Can automatically fix non-compliant resources using SSM Documents.
Aggregator: View Config data from multiple accounts/regions.

WARNING

Exam Gotcha: Config records changes to configuration. CloudTrail records API calls. If you want to know “Who changed it?”, use CloudTrail. If you want to know “What did it look like yesterday?”, use Config.

Vulnerability Management

Amazon Inspector

Function: Vulnerability scanning for EC2 and ECR.
Modes:
- Network Reachability: Network paths.
- Host Assessment: CVEs, CIS Benchmarks (Requires SSM Agent).

Patching Strategies

SSM Patch Manager: Define Maintenance Windows, Patch Baselines (what to install), and Patch Groups (target instances).

cloudnative wiki

Explorer

3.2-security-improvement

3.2 Security Improvement

Secrets Management

Secrets Manager vs. Parameter Store (Cheatsheet)

Compliance & Auditing

AWS Config

Vulnerability Management

Amazon Inspector

Patching Strategies

Graph View

Table of Contents