AWS Security Services Explained for AWS SAA-C03

Security in AWS is not one service you enable. It is a layer of specialized tools that each cover a different part of the attack surface: encryption keys, API audit trails, threat detection, DDoS protection, web traffic filtering, vulnerability scanning, and data classification. Understanding which service does what is exactly what the SAA-C03 exam tests, because the scenarios describe a security problem and expect you to know which tool addresses it. KMS manages encryption keys. CloudTrail records who called what API. GuardDuty detects active threats using machine learning. Shield protects against volumetric attacks. WAF filters malicious web requests. Inspector finds software vulnerabilities. Macie finds sensitive data in S3.


Encryption and key management with KMS

AWS Key Management Service (KMS) creates, stores, and controls cryptographic keys used to encrypt data across AWS services. When you encrypt an S3 object, an EBS volume, a Secrets Manager secret, or a DynamoDB table, KMS is the service holding the key. KMS keys never leave KMS unencrypted: AWS uses envelope encryption, where KMS generates a data key and hands it to you both in plaintext and encrypted under your KMS key. You use the plaintext data key to encrypt your data locally, discard it, and store the encrypted data key alongside the ciphertext; to decrypt, you send only the encrypted data key back to KMS to be unwrapped.
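The envelope encryption flow described above, as an added example that is not AWS code: a stand-in KMS object holds the KMS key and only ever releases data keys, so the bulk encryption happens locally and only the small wrapped key travels to "KMS" on decrypt. The stream cipher is an HMAC-SHA256 keystream constructed for this example so it runs on the standard library (it has no authentication tag; real KMS and the AWS SDKs use AES-GCM), and the `key-` id format is hypothetical.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (CTR-style stream).
    Constructed for this example only; it provides confidentiality, not integrity."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def encrypt_local(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per message, stored in front of the data
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt_local(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])

class KmsStandIn:
    """Stand-in for KMS: holds KMS keys by key id and never returns their material."""
    def __init__(self):
        self._keys = {}
    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)  # hypothetical key id format
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id
    def generate_data_key(self, key_id: str):
        """Like kms:GenerateDataKey: returns the plaintext data key and the same
        key wrapped under the named KMS key, with the key id prefixed to the blob."""
        data_key = secrets.token_bytes(32)
        wrapped = key_id.encode() + b":" + encrypt_local(self._keys[key_id], data_key)
        return data_key, wrapped
    def decrypt(self, wrapped: bytes) -> bytes:
        """Like kms:Decrypt: the blob itself names the KMS key that unwraps it."""
        key_id, _, ct = wrapped.partition(b":")
        return decrypt_local(self._keys[key_id.decode()], ct)

def envelope_encrypt(kms: KmsStandIn, key_id: str, plaintext: bytes) -> dict:
    data_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = encrypt_local(data_key, plaintext)  # bulk encryption happens locally
    del data_key  # the plaintext data key is never stored, only its wrapped copy
    return {"wrapped_data_key": wrapped, "ciphertext": ciphertext}

def envelope_decrypt(kms: KmsStandIn, record: dict) -> bytes:
    data_key = kms.decrypt(record["wrapped_data_key"])  # only the wrapped key goes to KMS
    return decrypt_local(data_key, record["ciphertext"])
```

Because each call to `generate_data_key` yields a fresh data key, two encryptions of the same plaintext produce unrelated ciphertexts and wrapped keys, and a record can only be unwrapped by the KMS that holds the key id named in its blob.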

Key types matter for the exam. AWS managed keys are created and managed by AWS for use with specific services. You cannot rotate, delete, or set policies on them directly. Customer managed keys (CMK) give you full control: you set the key policy, define who can use and administer the key, enable automatic annual rotation, and can disable or schedule deletion. AWS owned keys are entirely managed by AWS for its own use and you have no visibility into them.

Secrets Manager stores and automatically rotates credentials like database passwords, API keys, and OAuth tokens. It integrates with RDS, Redshift, and DocumentDB to rotate credentials automatically without application restarts. Parameter Store in Systems Manager is a lower-cost alternative for configuration values and non-sensitive parameters, with an optional SecureString type that uses KMS encryption.

Threat detection, network protection, and compliance

CloudTrail records every API call made in your AWS account: who called it, from which IP, what parameters were passed, and what the response was. This is the audit trail for security investigations and compliance. CloudTrail logs go to S3 for long-term retention and to CloudWatch Logs for real-time alerting. Without CloudTrail enabled, you have no record of what happened if an incident occurs.

GuardDuty uses machine learning to analyze CloudTrail logs, VPC Flow Logs, and DNS logs for signs of malicious activity: unusual API calls from unexpected locations, known malicious IP addresses communicating with your resources, crypto mining behavior, or compromised credentials. GuardDuty is threat detection, not prevention: it generates findings that you investigate and respond to. It does not block traffic.

Shield protects against DDoS attacks. Shield Standard is automatically enabled for all AWS customers at no charge and protects against common volumetric attacks at Layers 3 and 4. Shield Advanced is a paid subscription that adds protection for more sophisticated attacks, dedicated DDoS response team access, cost protection for AWS charges incurred during an attack, and enhanced visibility into attacks. WAF (Web Application Firewall) filters HTTP requests based on rules you define: block requests from specific IP ranges, countries, or requests matching SQL injection or cross-site scripting patterns. WAF attaches to ALB, API Gateway, CloudFront, or AppSync.

How to choose the correct answer

KMS: encryption key creation and management. Envelope encryption: data key encrypts data, KMS key encrypts the data key.

CloudTrail: API audit log. Who called what, when, from where. Required for security investigations and compliance.

GuardDuty: ML-based threat detection from CloudTrail, VPC Flow Logs, DNS logs. Findings only, no blocking.

Shield Standard: automatic, free, Layer 3/4 DDoS protection. Shield Advanced: paid, sophisticated attacks, DRT access.

WAF: HTTP request filtering at ALB, API Gateway, CloudFront. Rules for IPs, geo-blocking, OWASP patterns.

Inspector: automated vulnerability assessment for EC2 instances and container images in ECR.

Macie: uses ML to discover, classify, and protect sensitive data (PII, credentials) in S3 buckets.

Security Hub: aggregates findings from GuardDuty, Inspector, Macie, and other services into a single dashboard.

AWS security service reference

Service | What it protects | How it works
KMS | Data at rest across AWS services | Manages encryption keys, envelope encryption
CloudTrail | API audit trail | Logs all API calls to S3 and/or CloudWatch Logs
GuardDuty | Account and workload threats | ML analysis of CloudTrail, VPC Flow Logs, DNS logs
Shield Standard | All resources (free) | Automatic Layer 3/4 DDoS mitigation
Shield Advanced | Protected resources (paid) | Enhanced DDoS protection, DRT access, cost protection
WAF | HTTP/HTTPS endpoints | Rule-based filtering of web requests
Inspector | EC2 and container images | Automated CVE vulnerability scanning
Macie | S3 buckets | ML-based sensitive data discovery and classification

Key exam facts — AWS SAA-C03

  • KMS customer managed keys: you control key policy, rotation, enable/disable, and deletion schedule.
  • CloudTrail: enabled per region, applies to all API calls including management console, CLI, and SDK.
  • GuardDuty: analyzes existing AWS logs, does not require agents, does not block traffic on its own.
  • Shield Standard: always on, no configuration, protects against common volumetric DDoS. Free.
  • Shield Advanced: subscription service, protects specific resources, includes DDoS Response Team access.
  • WAF rules: managed rule groups from AWS or Marketplace, or custom rules. Attach to ALB/CloudFront/API GW.
  • Inspector: continuously scans EC2 instances and ECR container images for known CVEs.
  • Macie: automated sensitive data discovery in S3, generates findings for PII and credentials.

Common exam traps

GuardDuty blocks malicious traffic automatically when it detects a threat.

GuardDuty is a detection service, not a prevention service. It generates findings (alerts) describing suspicious activity but does not block anything on its own. Automated remediation requires EventBridge rules that trigger Lambda functions or Security Hub automations in response to GuardDuty findings.

Enabling CloudTrail alone is sufficient for security monitoring.

CloudTrail records API calls but does not analyze them for suspicious patterns. You need GuardDuty to analyze CloudTrail logs for threats, CloudWatch alarms or CloudTrail Insights to detect anomalous API activity, and Security Hub to aggregate findings. CloudTrail is the data source, not the detection layer.
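To make the "data source, not detection layer" point concrete, here is an added example (not an AWS tool) of the kind of rules a detection layer runs over CloudTrail records: root account use, console login without MFA, CloudTrail tampering calls, and repeated AccessDenied errors from one principal. The records are constructed samples in the CloudTrail JSON shape for a fictional account 111122223333.

```python
from collections import Counter

# Constructed CloudTrail-shaped records (subset of fields) for fictional account 111122223333.
def _rec(event_name, event_source, identity_type, arn, **extra):
    return {"eventVersion": "1.08", "eventName": event_name, "eventSource": event_source,
            "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": identity_type, "arn": arn}, **extra}

ROOT = "arn:aws:iam::111122223333:root"
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE_RECORDS = [
    _rec("ConsoleLogin", "signin.amazonaws.com", "Root", ROOT,
         additionalEventData={"MFAUsed": "No"}),
    _rec("StopLogging", "cloudtrail.amazonaws.com", "IAMUser", ALICE,
         requestParameters={"name": "org-trail"}),
    _rec("DescribeInstances", "ec2.amazonaws.com", "IAMUser", BOB),
] + [_rec("GetSecretValue", "secretsmanager.amazonaws.com", "IAMUser", BOB,
          errorCode="AccessDenied") for _ in range(3)]

# API calls that weaken or silence the audit trail itself.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def detect(records, denied_threshold=3):
    """Return (rule, principal ARN, detail) tuples for every record matching a rule."""
    findings, denied = [], Counter()
    for r in records:
        who = r.get("userIdentity", {})
        arn, name = who.get("arn", "unknown"), r.get("eventName")
        if who.get("type") == "Root":
            findings.append(("RootAccountUsed", arn, name))
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("ConsoleLoginWithoutMFA", arn, name))
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TAMPER_EVENTS:
            findings.append(("CloudTrailTampering", arn, name))
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            denied[arn] += 1
    # Rules that need state across records: repeated denials from one principal.
    for arn, n in denied.items():
        if n >= denied_threshold:
            findings.append(("RepeatedAccessDenied", arn, f"{n} denied calls"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(*finding)
```

The same single ConsoleLogin record can match two rules, and the AccessDenied rule only fires once the per-principal count reaches the threshold, which is why a trail alone (one record at a time) cannot replace this layer.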

AWS WAF and Shield protect the same threats.

Shield protects against DDoS attacks: volumetric floods, protocol attacks, and resource exhaustion at the network and transport layer. WAF protects against application-layer attacks: SQL injection, XSS, bad bots, and malicious HTTP patterns. Most production deployments use both together because they address different threat vectors.
