AWS Identity and Access Management Deep Dive
SCS-C02 tests IAM at depth. IAM policy evaluation logic: when a principal makes a request, AWS evaluates all applicable policies in order — start with explicit Deny (any Deny anywhere = access denied), then check Organisation SCPs, then permission boundaries, then identity-based policies, then resource-based policies. If no explicit Allow is found in the relevant policies, access is denied (implicit deny). Cross-account access: resource-based policies (S3 bucket policy, Lambda resource policy) grant access to principals in other accounts directly — no role assumption needed, although the calling principal still needs an identity-based policy in its own account that allows the action. Cross-account role assumption: the account that owns the resource creates a role whose trust policy names the principal in the other account; that principal calls STS AssumeRole and uses the returned temporary credentials. IAM Access Analyzer: identifies resources shared with external principals — generates findings for S3 buckets, IAM roles, KMS keys, and Lambda functions accessible from outside the organisation or account. Analyse the findings and apply least privilege by generating an IAM policy from the principal's CloudTrail activity. AWS Organizations: SCPs apply to member accounts — explicit allow in SCP + explicit allow in IAM policy = access granted; SCP deny = access denied regardless of IAM policy (an SCP never grants access on its own). SCP design: start from the FullAWSAccess managed SCP and add deny statements (deny list) rather than starting from empty and adding allows (allow list) — an allow list requires managing every allowed action.
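The evaluation order above, as a small simulator. This is an added example, not AWS code: it models only Effect Allow/Deny with '*' wildcards in Action and Resource (no Condition, NotAction, NotResource or session policies) and treats resource-based policies simply as another source of Allow, so it does not reproduce every same-account nuance. The policies and ARNs are constructed.

```python
"""Simulator of the policy-evaluation order described above.

Added example, not AWS code. It implements a subset of real IAM: Effect
Allow/Deny, Action and Resource with '*' wildcards, no Condition, NotAction,
NotResource or session policies.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True when the statement's Action and Resource both cover the request."""
    action_patterns = [a.lower() for a in _as_list(statement.get("Action", []))]
    resource_patterns = _as_list(statement.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), p) for p in action_patterns)
            and any(fnmatchcase(resource, p) for p in resource_patterns))


def _effects(policies, action, resource):
    """Set of Effects ('Allow'/'Deny') from statements matching the request."""
    found = set()
    for policy in policies:
        for statement in _as_list(policy.get("Statement", [])):
            if _matches(statement, action, resource):
                found.add(statement["Effect"])
    return found


def evaluate(action, resource, *, identity_policies=(), resource_policies=(),
             scps=None, permission_boundary=None):
    """Return (decision, reason) for one request.

    scps=None means the account is not in an Organization; a list (even empty)
    is the set of SCPs that apply to the account. permission_boundary=None
    means no boundary is attached to the principal.
    """
    identity = list(identity_policies)
    resource_based = list(resource_policies)
    everything = identity + resource_based
    if scps is not None:
        everything += list(scps)
    if permission_boundary is not None:
        everything.append(permission_boundary)

    # 1. An explicit Deny in any applicable policy ends evaluation.
    if "Deny" in _effects(everything, action, resource):
        return "DENY", "explicit deny"
    # 2. SCPs must allow the action for the member account.
    if scps is not None and "Allow" not in _effects(scps, action, resource):
        return "DENY", "not allowed by SCP"
    # 3. A permission boundary caps what the identity policies may grant.
    if permission_boundary is not None and "Allow" not in _effects(
            [permission_boundary], action, resource):
        return "DENY", "not allowed by permission boundary"
    # 4. Some identity-based or resource-based policy must explicitly Allow.
    if "Allow" in _effects(identity + resource_based, action, resource):
        return "ALLOW", "explicit allow"
    return "DENY", "implicit deny (no matching Allow)"


# Constructed policies: FullAWSAccess plus a deny-list SCP, as the notes advise.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "cloudtrail:StopLogging"],
     "Resource": "*"}]}
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def demo():
    bucket = "arn:aws:s3:::example-bucket"
    obj = "arn:aws:s3:::example-bucket/report.csv"
    return {
        "get_object": evaluate("s3:GetObject", obj, identity_policies=[DEVELOPER_POLICY],
                               scps=[FULL_AWS_ACCESS, DENY_LIST_SCP]),
        "delete_bucket": evaluate("s3:DeleteBucket", bucket, identity_policies=[DEVELOPER_POLICY],
                                  scps=[FULL_AWS_ACCESS, DENY_LIST_SCP]),
        "put_with_boundary": evaluate("s3:PutObject", obj, identity_policies=[DEVELOPER_POLICY],
                                      permission_boundary=READ_ONLY_BOUNDARY),
        "no_policy": evaluate("ec2:StartInstances", "*", identity_policies=[DEVELOPER_POLICY]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result[0]:5} ({result[1]})")
```

The four demo requests show each outcome the notes describe: an ordinary allow, an SCP deny overriding an identity allow, a permission boundary blocking an action the identity policy would grant, and the implicit deny when nothing matches.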
Data Protection: KMS, Secrets Manager, and S3 Security
AWS KMS is foundational to data security. KMS key types: AWS-managed keys (automatically rotated, service-specific, you cannot see or control the key material), Customer-managed keys (CMK — you control rotation, deletion, and the key policy), Customer-supplied keys (SSE-C — you provide the key material with each request, AWS uses it and never stores it). KMS key policies: unlike IAM, a KMS key policy must explicitly allow the AWS account root — without this, even the account owner cannot use the key, and IAM identity policies in the account cannot grant access to it. KMS grants: temporary permission delegation without modifying the key policy — used by services such as Secrets Manager to allow Lambda access. Envelope encryption: data is encrypted with a data key, and the data key is encrypted with a CMK — the CMK never leaves KMS unencrypted; only the data key is returned in plaintext, used for the encryption, and then discarded. S3 security: bucket policies (resource-based — grant/deny cross-account and public access), S3 Block Public Access (account-level and bucket-level — prevents all forms of public access and overrides any individual ACL or bucket policy setting — enable at account level for a strong default), Object Lock (WORM — Write Once Read Many — Compliance mode cannot be overridden by anyone, including the root user, until the retention period expires; Governance mode allows privileged override for users with s3:BypassGovernanceRetention — use for immutable audit logs and compliance data). Macie: machine learning-powered PII detection in S3 — identifies sensitive data and generates findings for excessive permissions and unencrypted data.
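Two of the resource-policy pitfalls above (a bucket policy that opens a bucket to any principal, and a key policy that omits the account root) can be caught with a static check before deployment. The following is an added example, not AWS or Access Analyzer code; it is deliberately conservative (any statement with a Condition is left for a human to read), and the policies, bucket name and account ids are constructed placeholders.

```python
"""Static checks for two resource-policy pitfalls: an S3 bucket policy that
grants public access, and a KMS key policy that does not allow the account
root (so IAM identity policies cannot grant any use of the key).

Added example, not AWS or Access Analyzer code. A statement with any
Condition is not reported as public because a condition such as
aws:SourceVpce may restrict it; a real review still has to read conditions.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """Principal values under the 'AWS' key, as a list ('*' alone means anyone)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def public_statements(bucket_policy):
    """Sids of unconditional Allow statements open to any AWS principal."""
    hits = []
    for statement in _as_list(bucket_policy.get("Statement", [])):
        if (statement.get("Effect") == "Allow"
                and "*" in _aws_principals(statement)
                and not statement.get("Condition")):
            hits.append(statement.get("Sid", "<no Sid>"))
    return hits


def key_policy_allows_root(key_policy, account_id):
    """True if some Allow statement gives the account root (or the bare account
    id, which IAM treats as the root ARN) kms:* or *. Without such a statement
    IAM identity policies in the account have no effect on the key."""
    root_forms = {f"arn:aws:iam::{account_id}:root", account_id}
    for statement in _as_list(key_policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if not root_forms & set(_aws_principals(statement)):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if actions & {"kms:*", "*"}:
            return True
    return False


# Constructed policies; 111122223333 and 999999999999 are placeholder account ids.
ACCOUNT = "111122223333"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    {"Sid": "CrossAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:role/Auditor"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}
GOOD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"}]}
LOCKED_OUT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
     "Action": "kms:*", "Resource": "*"}]}


if __name__ == "__main__":
    print("public statements:", public_statements(BUCKET_POLICY))
    print("root allowed (good):", key_policy_allows_root(GOOD_KEY_POLICY, ACCOUNT))
    print("root allowed (locked out):", key_policy_allows_root(LOCKED_OUT_KEY_POLICY, ACCOUNT))
```

Only the PublicRead statement is reported: the VpcEndpointOnly statement has a condition, and the CrossAccount statement names a specific role rather than a wildcard. The second key policy is the classic lock-out case, where only one role can use the key and no IAM policy can extend that.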
Threat Detection: GuardDuty, Security Hub, and Detective
AWS threat detection services work together. GuardDuty: ML-based threat detection — continuously analyses CloudTrail events, VPC Flow Logs, DNS logs, EKS audit logs, and S3 access logs — generates findings for: cryptocurrency mining (unexpected EC2 compute usage), credential exfiltration (API calls from unusual locations), backdoor activity (communication with known C2 IPs), malicious instance profile use (instance role used from external IP), data exfiltration (S3 data copied to unknown destination). GuardDuty findings go to EventBridge — trigger Lambda for automated response (block IP in WAF, isolate instance, disable IAM key). Security Hub: aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and partner products in ASFF format — applies security standards (AWS Foundational Security Best Practices, CIS AWS Benchmarks, PCI DSS) and generates control status. AWS Detective: investigates findings — visualises entity relationships, timeline of activity, and baseline deviations using graph analysis — reduces investigation time from hours to minutes. Inspector v2: vulnerability assessment for EC2 instances and container images — integrates with ECR for automated image scanning.
Network Security: WAF, Shield, and VPC Security
AWS network security in depth. AWS WAF: layer 7 firewall rules for CloudFront, ALB, API Gateway, and AppSync — rule types: AWS managed rule groups (pre-built protection for OWASP Top 10, SQLi, XSS, Bad Bots), rate-based rules (throttle IPs sending excessive requests — DDoS mitigation), IP set rules (allow/block specific IPs), regex pattern rules (inspect string patterns in URI, header, body, query string). WAF logging to S3, CloudWatch Logs, or Kinesis Data Firehose — analyse with Athena or Security Lake. Shield Standard: automatic DDoS protection included for all AWS customers at no cost — protects against layer 3 and 4 volumetric attacks. Shield Advanced: $3,000/month — 24/7 DDoS Response Team, real-time attack visibility, cost protection for Auto Scaling during attacks, advanced WAF integration. VPC security in depth: VPC Flow Logs capture source IP, destination IP, ports, protocol, bytes, accept/reject — stored in CloudWatch Logs or S3 — query with Athena for threat hunting. Network Firewall: stateful managed firewall service within the VPC — Suricata-compatible IPS rules, domain filtering, TLS inspection — deploy in dedicated inspection VPC with Traffic Mirroring for deep packet capture.
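The flow-log threat hunting mentioned above is usually done in Athena; the same aggregation in Python, as an added example that is not AWS code, shows what the queries are looking for. It parses default-format flow log records, flags a source that was rejected on many distinct TCP ports (a scan signature) and lists accepted SSH sessions from outside the RFC 1918 ranges. The log lines are constructed: 111122223333 is a placeholder account id, eni-0a1b2c3d a placeholder interface, and the external addresses come from the RFC 5737 documentation ranges.

```python
"""Threat-hunting pass over VPC Flow Log records in the default format
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status).

Added example, not AWS code. Log lines below are constructed.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP = 6


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA rows carry '-' fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue  # header line, or a custom format this parser does not handle
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            record[key] = int(record[key])
        records.append(record)
    return records


def find_port_scans(records, min_ports=10):
    """Sources whose TCP connections were REJECTed on many distinct ports."""
    ports_by_source = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == TCP:
            ports_by_source[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_source.items()
            if len(ports) >= min_ports}


def _is_rfc1918(address):
    # Explicit RFC 1918 test; ipaddress.is_private also covers documentation ranges.
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def external_ssh_accepts(records):
    """ACCEPTed TCP/22 flows whose source is outside the RFC 1918 ranges."""
    hits = {(r["srcaddr"], r["dstaddr"]) for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == TCP
            and r["dstport"] == 22 and not _is_rfc1918(r["srcaddr"])}
    return sorted(hits)


SAMPLE_LOG = "\n".join(
    ["2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51234 443 6 10 8400 1700000000 1700000060 ACCEPT OK",
     "2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.2.20 40022 22 6 30 5200 1700000000 1700000060 ACCEPT OK",
     "2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51300 22 6 30 5200 1700000000 1700000060 ACCEPT OK",
     "2 111122223333 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA"]
    # a burst of rejected connection attempts to consecutive ports from one source
    + [f"2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.2.20 {40000 + p} {p} 6 1 44 "
       f"1700000000 1700000060 REJECT OK" for p in range(20, 32)])


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} usable records")
    print("port scans:", find_port_scans(recs))
    print("external SSH accepts:", external_ssh_accepts(recs))
```

Note the NODATA row: in the default format it still has fourteen columns, but the address and port columns are '-', so filtering on log-status before converting integers is what keeps the parser from crashing on real logs. The thresholds (ten distinct ports, port 22) are parameters, not AWS defaults.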
Incident Response and Compliance on AWS
IR preparation on AWS. Detection-to-response pipeline: GuardDuty finding > EventBridge rule > SNS notification AND Lambda automation. Lambda incident response playbooks: quarantine EC2 instance (modify security group to deny all traffic), snapshot EBS volumes for forensics, disable compromised IAM access key (iam.update_access_key status=Inactive), revoke IAM role temporary credentials (attach deny policy), capture EC2 memory image (SSM Run Command to run LiME or FTK agent). AWS Security Lake: centralises security logs from AWS services, third-party sources, and on-premises — OCSF (Open Cybersecurity Schema Format) normalisation — query with Amazon Athena. Compliance automation: Config rules evaluate resource configurations continuously — Config remediation with SSM Automation documents automatically fixes non-compliant resources. Conformance Packs deploy pre-packaged compliance rule sets (CIS Level 1, PCI DSS, HIPAA) across an organisation. Audit Manager automates evidence collection for frameworks (GDPR, SOC 2, PCI DSS) — maps AWS Config rule results, CloudTrail activity, and Security Hub findings to framework controls.
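The GuardDuty > EventBridge > Lambda pipeline from the threat-detection section and the quarantine, snapshot and key-deactivation steps from the playbook above, combined into one Lambda-style responder. This is an added example, not AWS sample code. The boto3 APIs it calls (ec2.modify_instance_attribute, ec2.describe_instances, ec2.create_snapshot, iam.update_access_key) are real, but the clients are injected so the decision logic can be exercised offline against a recording fake; QUARANTINE_SG, the instance, volume, key and finding ids are placeholders, and the finding types are illustrative. Field names follow the GuardDuty finding format (resource.resourceType, instanceDetails, accessKeyDetails).

```python
"""Lambda-style responder for GuardDuty findings delivered via EventBridge.

Added example, not AWS sample code. Clients are injected so the playbook
runs offline; all ids below are placeholders.
"""

QUARANTINE_SG = "sg-0000000000quarantine"  # placeholder: a group with no inbound or outbound rules
MIN_SEVERITY = 7.0                           # automate containment for High (7.0 to 8.9) and above


class FakeClient:
    """Stand-in for a boto3 client: records every call, returns canned responses."""

    def __init__(self, responses=None):
        self.calls = []
        self._responses = responses or {}

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return self._responses.get(api, {})
        return call


def respond(finding, ec2, iam):
    """Run the containment playbook for one finding; returns the steps taken."""
    steps = []
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return steps  # lower severities take the SNS notification path only
    resource = finding.get("resource", {})
    kind = resource.get("resourceType")

    if kind == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        # Quarantine: replace the instance's security groups with the deny-all group.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        steps.append(("modify_instance_attribute", instance_id))
        # Preserve evidence: snapshot every attached EBS volume before anyone touches it.
        described = ec2.describe_instances(InstanceIds=[instance_id])
        for reservation in described.get("Reservations", []):
            for instance in reservation.get("Instances", []):
                for mapping in instance.get("BlockDeviceMappings", []):
                    volume_id = mapping["Ebs"]["VolumeId"]
                    ec2.create_snapshot(VolumeId=volume_id,
                                        Description=f"forensics for finding {finding.get('id', '?')}")
                    steps.append(("create_snapshot", volume_id))

    elif kind == "AccessKey":
        key = resource["accessKeyDetails"]
        # Only long-term IAM user keys can be deactivated; assumed-role
        # credentials need a deny policy attached to the role instead.
        if key.get("userType") == "IAMUser":
            iam.update_access_key(UserName=key["userName"],
                                  AccessKeyId=key["accessKeyId"], Status="Inactive")
            steps.append(("update_access_key", key["accessKeyId"]))
    return steps


def lambda_handler(event, context=None, clients=None):
    """EventBridge entry point; 'detail' carries the GuardDuty finding."""
    if clients is None:
        import boto3  # only reached inside Lambda, never in the offline demo
        clients = {"ec2": boto3.client("ec2"), "iam": boto3.client("iam")}
    return respond(event["detail"], clients["ec2"], clients["iam"])


# Constructed EventBridge events with placeholder ids.
INSTANCE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "id": "finding-placeholder-1", "severity": 8,
    "type": "Backdoor:EC2/C&CActivity.B!DNS",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0placeholder"}}}}
KEY_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "id": "finding-placeholder-2", "severity": 8,
    "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "resource": {"resourceType": "AccessKey",
                 "accessKeyDetails": {"accessKeyId": "AKIAPLACEHOLDER",
                                      "userName": "deploy-user", "userType": "IAMUser"}}}}


def demo():
    """Run both events against fakes; describe_instances returns one placeholder volume."""
    ec2 = FakeClient({"describe_instances": {"Reservations": [{"Instances": [
        {"BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0placeholder"}}]}]}]}})
    iam = FakeClient()
    clients = {"ec2": ec2, "iam": iam}
    return (lambda_handler(INSTANCE_EVENT, clients=clients),
            lambda_handler(KEY_EVENT, clients=clients))


if __name__ == "__main__":
    for steps in demo():
        print(steps)
```

The severity gate is the design point: a Lambda that isolates instances on every Low finding will cut off production on false positives, so the usual pattern is to automate containment only at High severity and leave the rest to the SNS notification branch of the EventBridge rule. Snapshotting before quarantine would lose nothing either, but taking the snapshot after the security-group swap means the attacker can no longer alter the disk while the copy runs.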