Curriculum Overview: AWS Application Integration Services

This curriculum covers the core AWS services designed to enable communication between independent components of cloud-native applications: Amazon EventBridge, Amazon Simple Notification Service (SNS), and Amazon Simple Queue Service (SQS). These services are fundamental to building decoupled, highly scalable, and event-driven architectures.

## Prerequisites

Before starting this module, students should possess the following foundational knowledge:

• Cloud Fundamentals: Basic understanding of AWS Regions, Availability Zones, and the Shared Responsibility Model.
• Computing Basics: Familiarity with Amazon EC2 (instances) and AWS Lambda (serverless functions).
• Data Formats: A basic understanding of JSON (JavaScript Object Notation), as it is the primary format for events and messages.
• Architectural Concepts: Awareness of the difference between monolithic and microservices architectures.

## Module Breakdown

## Module Objectives per Module

Module 1: Amazon EventBridge

• Define EventBridge as a "smart hub" for application events.
• Configure Rules to trigger actions based on system state changes (e.g., an EC2 instance stopping).
• Differentiate between event-based triggers and metric-based triggers (CloudWatch Alarms).

Module 2: Amazon SNS

• Explain the Publish/Subscribe (Pub/Sub) model.
• Identify supported protocols: SMS, Email, HTTP/S, and Lambda.
• Understand the "fan-out" pattern where one message is sent to multiple subscribers.

Module 3: Amazon SQS

• Define Decoupling and its importance in preventing system failure cascades.
• Distinguish between Standard Queues (at-least-once delivery) and FIFO Queues (first-in-first-out).
• Describe how SQS acts as a buffer to handle spikes in traffic.

## Visual Anchors

Service Selection Logic

Integration Architecture Example

## Success Metrics

To demonstrate mastery of this curriculum, the student must be able to:

• Identify which service to use when a requirement specifies "pushing notifications to mobile devices" (SNS).
• Explain how SQS prevents a web server from crashing during a sudden burst of 1,000,000 requests.
• Design a simple workflow where EventBridge triggers a Lambda function based on an IAM user login event.
• Calculate basic free tier limits: Recognize that SNS and SQS both offer ~1 million free requests/publishes.

## Real-World Application

In a career as a Cloud Architect or Developer, these services are the "glue" of the cloud:

• Resilience: By using SQS, you ensure that if your database goes down, your messages aren't lost—they stay in the queue until the database returns.
• Agility: With EventBridge, you can add new features (like an email alert) to an existing system without modifying the original code; you simply add a new event rule.
• Scalability: These services are serverless and scale automatically, meaning you don't have to manage servers for your messaging infrastructure.

## Examples Section

[!TIP] Use these scenarios to decide which service to implement in your architecture.

▶Deep Dive: SNS vs. SQS

While both handle messages, remember: SNS is Push (it sends data to you immediately) and SQS is Pull (your application must go and ask for the data). They are often used together in a "Fan-out" pattern where SNS sends a message to multiple SQS queues simultaneously.

AWS Access Management Capabilities: Comprehensive Curriculum Overview

This document provides a structured roadmap for mastering AWS Identity and Access Management (IAM) and related security services, aligned with the AWS Certified Cloud Practitioner (CLF-C02) exam objectives.

---

Prerequisites

Before beginning this curriculum, learners should have a foundational understanding of the following:

• Cloud Computing Basics: Familiarity with the on-demand nature of cloud resources.
• The Shared Responsibility Model: Understanding that while AWS secures the "cloud," the customer is responsible for security "in the cloud" (specifically identity and data access).
• Basic Networking: Understanding that resources exist within a Virtual Private Cloud (VPC) and require controlled entry points.

[!IMPORTANT] Mastery of Access Management is the single most critical factor in preventing data breaches within an AWS environment.

---

Module Breakdown

---

Learning Objectives per Module

Module 1: The Root User & Initial Security

• Identify tasks that only the account root user can perform (e.g., changing account settings, closing the account).
• Explain the critical importance of protecting the root user with Multi-Factor Authentication (MFA).
• Understand why daily administrative tasks should never be performed by the root user.

Module 2: IAM Entities (Users, Groups, Roles)

• Differentiate between an IAM User (individual), an IAM Group (collection of users), and an IAM Role (temporary credentials).
• Apply the Principle of Least Privilege: Granting only the minimum permissions required to perform a task.

Module 3: Permissions & Policies

• Understand that policies are JSON documents that define what actions are allowed on which resources.
• Identify the difference between AWS Managed Policies (pre-built) and Customer Managed Policies.

Module 4: Enterprise Identity

• Define AWS IAM Identity Center (formerly Single Sign-On) and its role in managing multiple accounts.
• Understand Federation (e.g., SAML 2.0) to allow users to sign in using corporate credentials (like Active Directory).

Module 5: Credential Storage & Automation

• Explain the role of AWS Secrets Manager in rotating and managing database credentials and API keys.
• Identify how AWS Systems Manager provides a unified interface for operational tasks and parameter storage.

---

Real-World Application

Understanding access management is not just for passing the exam; it is vital for professional cloud operations:

• Case Study: The S3 Data Breach: A company fails to use the Principle of Least Privilege, giving an EC2 instance full administrative access. If the instance is compromised, the attacker can delete the entire S3 infrastructure. Applying an IAM Role with only s3:GetObject permission would have prevented the disaster.
• Compliance & Auditing: Using AWS CloudTrail in conjunction with IAM allows organizations to see exactly who made what API call, which is essential for HIPAA or PCI-DSS compliance.
• Credential Rotation: In a production environment, hardcoding passwords in application code is a major risk. Using AWS Secrets Manager allows the system to change passwords automatically every 30 days without human intervention.

---

Success Metrics

To determine if you have mastered this curriculum, you should be able to:

1. Diagram the Auth Flow: Explain how an IAM User authenticates (MFA/Password) and then gets authorized (Policy evaluation).
2. Configuration Task: Successfully create an IAM Group, attach the AmazonS3ReadOnlyAccess policy, and verify a user in that group cannot delete a bucket.
3. Policy Logic Calculation: Identify the outcome of a policy conflict.
   • Formula for Policy Evaluation: $(\text{Explicit Deny}) > (\text{Explicit Allow}) > (\text{Default Deny})$
4. Recall Test: List 3 tasks exclusive to the Root User.

---

Resource Links

• AWS IAM Documentation
• AWS Shared Responsibility Model
• AWS Well-Architected Framework: Security Pillar

Prerequisites

Before starting this lab, ensure you have the following ready:

• An active AWS Account.
• Administrative access to the account (It is highly recommended to use an IAM Admin user, not the AWS root user, to follow best practices).
• AWS CLI installed and configured on your local machine (aws configure) with your administrative credentials.
• Basic familiarity with using a command-line interface (CLI) or terminal.

Learning Objectives

By completing this 30-minute lab, you will be able to:

1. Create and manage IAM Groups and Users within an AWS account.
2. Apply the Principle of Least Privilege by attaching specific, restricted managed policies to an IAM Group.
3. Generate and configure programmatic access credentials (access keys) for an IAM User.
4. Verify access controls by attempting authorized and unauthorized actions via the AWS CLI.

Architecture Overview

The following diagram illustrates the relationship between the IAM entities and the AWS resources you will configure in this lab.

Step-by-Step Instructions

Step 1: Create a Test S3 Bucket

We need a resource for our new IAM user to interact with. We will create an Amazon S3 bucket.

(Note: S3 bucket names must be globally unique. Replace 12345 with random numbers if the bucket name is taken).

▶Console alternative

Navigate to

S3 > Create bucket

. Enter a unique bucket name like brainybee-lab-bucket-12345, leave all defaults, and click

Create bucket

.

[!TIP] Always use lowercase letters and hyphens for S3 bucket names to avoid DNS-compliance errors.

Step 2: Create an IAM Group

Following best practices, we assign permissions to groups rather than individual users. We will create a group for users who only need read access to S3.

▶Console alternative

Navigate to

IAM > User Groups > Create group

. Name the group brainybee-s3-readers and click

Create group

.

[!IMPORTANT] IAM Group names are case-sensitive in some contexts, so stick to a consistent naming convention.

Step 3: Attach a Least-Privilege Policy to the Group

We will attach an AWS Managed Policy that explicitly grants Read-Only access to S3, embodying the principle of least privilege.

▶Console alternative

Navigate to

IAM > User Groups

, click on brainybee-s3-readers, go to the

Permissions

tab, click

Add permissions > Attach policies

. Search for AmazonS3ReadOnlyAccess, check the box, and click

Add permissions

.

[!NOTE] The ARN (Amazon Resource Name) arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess points to an AWS-managed policy maintained by AWS. You do not need to write the JSON for this policy yourself.

Step 4: Create an IAM User and Access Keys

Now, create a user who will act as our test subject, and generate programmatic credentials so they can use the CLI.

▶Console alternative

Navigate to

IAM > Users > Add users

. Name the user brainybee-test-user. Do not give them console access. Once created, click on the user, go to

Security credentials

, and click

Create access key

for CLI use. Save the resulting keys.

[!WARNING] The CLI will output an AccessKeyId and a SecretAccessKey. Copy these immediately! The secret key is only displayed once. If you lose it, you must delete the key and generate a new one.

Step 5: Add the User to the Group

Currently, the user has no permissions. By adding them to the group, they will inherit the S3 Read-Only policy.

▶Console alternative

Navigate to

IAM > Users

, click brainybee-test-user, go to the

Groups

tab, click

Add user to groups

, select brainybee-s3-readers, and save.

[!TIP] In a real-world scenario, if a user changes roles within a company, you simply remove them from their old group and add them to a new one, rather than auditing dozens of individual user-level policies.

Step 6: Configure the Test User Profile locally

Set up a secondary AWS CLI profile on your machine to test the new user's access.

Paste the AccessKeyId and SecretAccessKey you generated in Step 4. You can leave the default region and output format blank.

Checkpoints

Verify that the configuration works and that the principle of least privilege is actively protecting your environment.

Checkpoint 1: Test Authorized Access (Read)

Attempt to list S3 buckets using the test user's profile. Because they are in the brainybee-s3-readers group, this should succeed.

Expected Result: You should see a list of your S3 buckets, including the brainybee-lab-bucket-12345 you created in Step 1.

Checkpoint 2: Test Unauthorized Access (Write)

Attempt to create a new S3 bucket using the test user's profile. This should fail because the policy explicitly grants only read access.

Expected Result: An AccessDenied error. This proves your least privilege boundaries are functioning correctly.

Clean-Up / Teardown

[!WARNING] Remember to run the teardown commands to avoid ongoing clutter and potential security vulnerabilities from stray access keys.

Run the following CLI commands using your default (Admin) profile to remove all created resources.

Troubleshooting

Cost Estimate

This lab strictly utilizes AWS IAM (which is always free) and standard Amazon S3 bucket creation without uploading heavy objects.

• Total Estimated Cost: $0.00 (Covered entirely by the AWS Free Tier and IAM zero-cost structure).

AWS AI/ML and Data Analytics Services: Curriculum Overview

This curriculum provides a comprehensive overview of the Artificial Intelligence (AI), Machine Learning (ML), and Data Analytics services within the AWS ecosystem, specifically aligned with the AWS Certified Cloud Practitioner (CLF-C02) exam objectives (Domain 3.7).

---

Prerequisites

Before diving into AI/ML and Analytics, students should possess the following foundational knowledge:

• Cloud Fundamentals: Understanding of the AWS Shared Responsibility Model and Global Infrastructure.
• Storage Basics: Familiarity with Amazon S3 (Simple Storage Service), as it often serves as the "Data Lake" for analytics and ML training.
• Basic IT Literacy: Understanding the difference between structured data (databases) and unstructured data (text, images).
• Cloud Economics: Awareness of the pay-as-you-go model, which is critical for high-resource tasks like ML training.

---

Module Breakdown

---

Learning Objectives per Module

Module 1: Foundations of AI & ML

• Define AI vs. ML: Distinguish between general Artificial Intelligence and the subset of Machine Learning.
• Amazon SageMaker: Understand its role as a "smart assistant" for the entire ML lifecycle: building, training, and deploying models.

Module 2: Specialized AI Services

• Natural Language Processing (NLP): Identify Amazon Comprehend for sentiment analysis and Amazon Translate for language conversion.
• Speech & Text: Differentiate between Polly (text-to-speech), Transcribe (speech-to-text), and Textract (extracting text from documents).
• Vision & Conversation: Explain the use of Rekognition for image analysis and Lex for building conversational chatbots.

Module 3: Data Analytics Core

• Serverless Querying: Use Amazon Athena to query data residing in S3 using standard SQL.
• Data Integration: Understand AWS Glue for ETL (Extract, Transform, Load) processes and data cataloging.

Module 4: Real-Time & Visualization

• Streaming Data: Identify Amazon Kinesis for processing real-time, streaming data at scale.
• Business Intelligence (BI): Recognize Amazon QuickSight as the primary tool for creating dashboards and visualizing data.

---

Visual Anchors

The Data Analytics Pipeline

AI/ML Service Categorization

---

Success Metrics

To demonstrate mastery of this curriculum, students should be able to:

1. Match Service to Scenario: If a customer needs to turn a voice recording into text, identify Amazon Transcribe immediately.
2. Explain SageMaker's Value: Articulate how SageMaker allows developers to build ML models without being "coding experts" in low-level algorithms.
3. Define SQL-on-S3: Explain how Amazon Athena eliminates the need to load data into a database before querying it.
4. Identify Real-Time Constraints: Recognize that Amazon Kinesis is the correct choice for sub-second data ingestion, unlike batch processing.

[!IMPORTANT] For the CLF-C02 exam, you do not need to know how to code these services, but you must know what problem each service solves.

---

Real-World Application

Understanding these services is critical for modern career paths in Cloud Architecture and Data Engineering:

• Customer Support: Using Amazon Lex and Amazon Polly to create automated, human-like phone support systems (IVR).
• Financial Auditing: Using Amazon Textract to automatically pull data from thousands of scanned invoices, saving hundreds of manual labor hours.
• E-commerce: Using Amazon Personalize (AI) or SageMaker to suggest products to users based on their browsing history.
• Executive Reporting: Connecting Amazon QuickSight to an S3 data lake to give CEOs real-time visibility into global sales trends.

▶Deep Dive: Why use SageMaker vs. Specialized Services?

If you have a very specific, common task (like translating text), use a specialized service like

Amazon Translate

. If you are trying to predict something unique to your business (like custom stock market fluctuations), use

Amazon SageMaker

to build a custom model from your own data.

Hands-On Lab: AWS AI/ML and Storage Services Integration

Welcome to this guided hands-on lab! Artificial intelligence (AI) and machine learning (ML) are among the most exciting areas in cloud computing today. AWS provides a suite of managed AI services that allow you to add powerful capabilities—like natural language processing (NLP) and computer vision—to your applications without requiring deep ML expertise.

In this 30-minute lab, we will combine Amazon S3 (for storage) with Amazon Comprehend (for text analytics) and Amazon Rekognition (for image analysis) to demonstrate how these services interact.

---

Prerequisites

Before starting this lab, ensure you have the following ready:

• AWS Account: Active AWS account with Administrator or PowerUser access.
• CLI Tools: AWS CLI installed and configured (aws configure) with valid access keys.
• Prior Knowledge: Basic familiarity with the terminal/command prompt and understanding of cloud storage concepts.
• Local Files: You will need a sample image (e.g., a .jpg of a landscape, animal, or city) saved on your local machine.

[!WARNING] Never hardcode or share your AWS credentials. Always use environment variables or secure AWS CLI profiles.

---

Learning Objectives

By completing this lab, you will be able to:

1. Provision an Amazon S3 bucket to store raw unstructured data for machine learning.
2. Use Amazon Rekognition to identify objects, people, or scenes in an image.
3. Extract sentiment and key entities from unstructured text using Amazon Comprehend.
4. Clean up and tear down AWS resources to avoid unexpected charges.

---

Architecture Overview

The following diagram illustrates the workflow of the services we are building:

---

Step-by-Step Instructions

Step 1: Create an S3 Bucket for ML Data

Amazon S3 (Simple Storage Service) is the foundational object storage layer for most data analytics and ML workflows on AWS. We need a place to store our image before analyzing it.

[!TIP] S3 bucket names must be globally unique. Replace <YOUR_ACCOUNT_ID> with your actual 12-digit AWS account number or a unique random string.

▶Console alternative

1. Log into the AWS Management Console.
2. Navigate to S3 and click Create bucket.
3. Enter brainybee-ai-lab-<YOUR_ACCOUNT_ID> as the Bucket name.
4. Leave all other settings as default and click Create bucket.

📸 Screenshot: [Placeholder: S3 Bucket Creation screen]

Step 2: Upload a Sample Image

Find a sample image on your computer (e.g., sample-image.jpg). We will upload this image to our newly created S3 bucket.

▶Console alternative

1. In the S3 Console, click on your new bucket.
2. Click the Upload button.
3. Click Add files, select sample-image.jpg from your computer.
4. Click Upload at the bottom of the screen.

Step 3: Analyze Image with Amazon Rekognition

Amazon Rekognition makes it easy to add image and video analysis to your applications. We will ask Rekognition to detect labels (objects, scenes, concepts) in the image we just uploaded.

Explanation: This command tells Rekognition to look at sample-image.jpg inside your S3 bucket and return the top 5 labels describing what it sees along with a confidence score.

▶Console alternative

1. Navigate to Amazon Rekognition in the AWS Console.
2. In the left sidebar, click Label detection.
3. Under the demo section, upload your sample-image.jpg.
4. View the resulting tags and confidence scores on the right-hand panel.

Step 4: Analyze Text Sentiment with Amazon Comprehend

Amazon Comprehend uses natural-language processing (NLP) to find insights and relationships in text. Let's analyze a sample review to determine its sentiment (Positive, Negative, Neutral, or Mixed).

Explanation: Unlike Rekognition which read from S3, here we are passing the text string directly into the synchronous Comprehend API. You should receive a JSON response indicating a high POSITIVE sentiment score.

Step 5: Extract Entities with Amazon Comprehend

Comprehend can also pull out key entities like Organizations, Locations, Persons, and Dates.

▶Console alternative (Steps 4 & 5)

1. Navigate to Amazon Comprehend in the AWS Console.
2. Click Launch Amazon Comprehend.
3. Scroll down to the Real-time analysis section.
4. Paste your text into the Input text box.
5. Click Analyze and explore the Entities and Sentiment tabs below to see the visual output.

---

Checkpoints

Verify your progress after the steps above to ensure everything is functioning correctly:

1. Storage Verification: Run aws s3 ls s3://brainybee-ai-lab-<YOUR_ACCOUNT_ID>/.
   • Expected Output: You should see sample-image.jpg listed with its timestamp and file size.
2. Rekognition Verification: Review the JSON output from Step 3.
   • Expected Output: A list of Labels containing a Name (e.g., "Nature", "Dog") and a Confidence score close to 99.0.
3. Comprehend Verification: Review the JSON output from Step 4.
   • Expected Output: "Sentiment": "POSITIVE" should be the top-level key.

---

Troubleshooting

---

Cost Estimate

This lab is designed to be highly cost-effective and falls comfortably within the AWS Free Tier if you are eligible:

• Amazon S3: Standard storage for one image is a fraction of a cent.
• Amazon Rekognition: Free tier includes 1,000 image analyses per month.
• Amazon Comprehend: Free tier includes 50,000 units of text (100 characters = 1 unit) per month.
• Total Estimated Cost: $0.00

---

Clean-Up / Teardown

[!WARNING] Remember to run the teardown commands to avoid ongoing charges. Even though storage costs are negligible, it is best practice to clean up lab environments.

To destroy the resources created in this lab, execute the following commands in your CLI:

1. Delete the image file from S3:

   bashCopy

   aws s3 rm s3://brainybee-ai-lab-<YOUR_ACCOUNT_ID>/sample-image.jpg

2. Delete the empty S3 bucket:

   bashCopy

   aws s3 rb s3://brainybee-ai-lab-<YOUR_ACCOUNT_ID>

3. (Optional) Verify the bucket is gone:

   bashCopy

   aws s3 ls | grep brainybee-ai-lab

   If nothing is returned, the teardown was successful.

---

Concept Review: AWS AI/ML Ecosystem

To solidify what we just practiced, let's look at how the AWS AI/ML services fit together based on the CLF-C02 syllabus.

Quick Comparison Table

AWS Certified Cloud Practitioner (CLF-C02) Curriculum Overview

This document provides a comprehensive overview of the AWS Certified Cloud Practitioner (CLF-C02) curriculum. This foundational certification validates an individual's overall understanding of the AWS Cloud platform, independent of specific technical roles.

---

## Prerequisites

While there are no mandatory certifications required before taking the CLF-C02, AWS recommends the following baseline experience to ensure success:

• Experience: Approximately six months of exposure to the AWS Cloud in any capacity (technical, managerial, sales, purchasing, or financial).
• General IT Knowledge: A basic understanding of information technology (IT) services and how they are integrated into the AWS Cloud platform.
• Technical Familiarity: General knowledge of application servers and basic networking concepts.

[!IMPORTANT] This exam is designed for individuals who want to demonstrate cloud fluency and a high-level understanding of the AWS ecosystem, making it ideal for both technical and non-technical professionals.

---

## Module Breakdown

The curriculum is divided into four primary domains. Each domain focuses on a critical aspect of cloud operations and strategy.

Curriculum Structure

---

## Learning Objectives per Module

Domain 1: Cloud Concepts

• Objective: Define the AWS Cloud and its value proposition.
• Example: Understanding how "Agility" allows a startup to launch global applications in minutes rather than weeks.

Domain 2: Security and Compliance

• Objective: Describe the AWS Shared Responsibility Model.
• Example: AWS is responsible for the security of the cloud (physical data centers), while the customer is responsible for security in the cloud (patching their own guest OS).

Domain 3: Cloud Technology and Services

• Objective: Identify core AWS services for common use cases.
• Example: Using Amazon S3 for durable object storage (like hosting static website images) versus Amazon EC2 for scalable virtual servers.

Domain 4: Billing, Pricing, and Support

• Objective: Compare various pricing models and support tools.
• Example: Utilizing AWS Cost Explorer to visualize and forecast spending patterns over a 12-month period.

---

## Success Metrics

To pass the CLF-C02 examination, candidates must meet specific scoring criteria and demonstrate proficiency across all domains.

Scoring Breakdown

• Score Range: 100 to 1000 points.
• Passing Threshold: A minimum scaled score of 700 is required.
• Question Format: Multiple choice (one correct) and Multiple response (two or more correct).

[!TIP] The exam includes 15 unscored questions used by AWS for evaluation. These do not affect your final grade, but they are not identified, so treat every question as if it counts.

---

## Real-World Application

Achieving the AWS Cloud Practitioner certification is not just about passing an exam; it provides the foundational language for modern business technology.

1. Career Progression: It serves as the prerequisite or "stepping stone" toward Associate-level certifications, such as AWS Certified Solutions Architect or AWS Certified Developer.
2. Cross-Functional Collaboration: Enables sales, marketing, and legal teams to communicate effectively with engineering departments regarding cloud costs and security requirements.
3. Strategic Migration: Helps decision-makers understand the Well-Architected Framework, ensuring that cloud migrations are cost-effective, secure, and reliable.

▶Click to expand: Key Core Service Real-World Examples

• Amazon EC2: Virtual machines for running custom software.
• AWS Lambda: Serverless functions that run code only when triggered by events (e.g., a file upload).
• Amazon RDS: Managed relational databases (SQL) that handle their own backups and patching.
• Amazon VPC: A private, isolated section of the AWS Cloud where you can launch resources in a virtual network you define.

Hands-On Lab: Implementing Core AWS Security Controls

Prerequisites

Before starting this lab, ensure you have the following:

• AWS Account: An active AWS account with Administrator (AdministratorAccess) permissions.
• CLI Tools: AWS CLI installed and configured locally (aws configure) with an IAM user's access keys.
• Prior Knowledge: Basic understanding of the AWS Shared Responsibility Model and Identity and Access Management (IAM).
• Region: We will use us-east-1 (N. Virginia) for this lab. Ensure your CLI is configured for this region.

Learning Objectives

By completing this lab, you will be able to:

1. Enforce strict password requirements using AWS IAM Password Policies.
2. Enable continuous threat detection using Amazon GuardDuty.
3. Securely store and retrieve sensitive credentials using AWS Secrets Manager.
4. Audit account activity using AWS CloudTrail.

Architecture Overview

This lab provisions security guardrails across your AWS account to ensure confidentiality, integrity, and availability.

Step-by-Step Instructions

Step 1: Configure an IAM Password Policy

A strong password policy is the first line of defense for identity management. We will enforce a 14-character minimum with complexity requirements.

▶Console alternative

1. Navigate to IAM in the AWS Management Console.
2. In the left navigation pane, choose Account settings.
3. Under Password policy, click Edit.
4. Select Custom and check the boxes for uppercase, lowercase, numbers, and non-alphanumeric characters.
5. Set the minimum password length to 14.
6. Check Allow users to change their own password.
7. Click Save changes.

📸 Screenshot: The IAM Account Settings page showing custom password policy checkboxes.

[!TIP] The Principle of Least Privilege states that users should only be granted the permissions necessary to perform their specific job functions. Combining strict password policies with Multi-Factor Authentication (MFA) is a critical best practice.

Step 2: Enable Amazon GuardDuty for Threat Detection

Amazon GuardDuty is a machine-learning-powered threat detection service that continuously monitors malicious activity and unauthorized behavior.

Note: This command will output a DetectorId. You do not need to save it for this lab.

▶Console alternative

1. Navigate to GuardDuty in the AWS Management Console.
2. Click Get Started.
3. Click the Enable GuardDuty button.

📸 Screenshot: The GuardDuty welcome screen with the blue "Enable GuardDuty" button.

Step 3: Securely Store Credentials in AWS Secrets Manager

Hardcoding passwords in application code is a major security vulnerability. AWS Secrets Manager allows you to securely store, rotate, and manage API keys and database passwords.

▶Console alternative

1. Navigate to Secrets Manager in the console.
2. Click Store a new secret.
3. Choose Other type of secret.
4. Under Key/value pairs, add row 1: Key = username, Value = admin.
5. Add row 2: Key = password, Value = SuperSecretPassword123!.
6. Click Next.
7. Enter the Secret name as brainybee-lab-db-secret and click Next.
8. Leave rotation disabled, click Next, then click Store.

📸 Screenshot: The Secrets Manager configuration screen showing key-value pairs.

Step 4: Verify Activity in AWS CloudTrail

CloudTrail automatically logs all API calls made in your account for the last 90 days. We will use it to audit the secret we just created.

▶Console alternative

1. Navigate to CloudTrail in the console.
2. In the left pane, click Event history.
3. In the Lookup attributes filter, select Event name and type CreateSecret.
4. Click on the event to view the JSON record showing your IAM user identity and the time the API call was made.

📸 Screenshot: The CloudTrail Event history table showing the CreateSecret event.

Checkpoints

Verify that your resources have been provisioned correctly before proceeding.

Checkpoint 1: Verify Password Policy

Expected Result: A JSON output detailing your strict password policy parameters (e.g., "MinimumPasswordLength": 14).

Checkpoint 2: Verify GuardDuty is Active

Expected Result: An array containing at least one Detector ID string.

Checkpoint 3: Retrieve the Secret

Expected Result: A JSON response containing your secret string with the username and password.

Clean-Up / Teardown

[!WARNING] Remember to run the teardown commands to avoid ongoing charges. GuardDuty offers a 30-day free trial, but Secrets Manager charges per secret stored.

Execute the following commands to delete the resources created in this lab:

1. Delete the IAM Password Policy (Reverts to AWS defaults):

2. Delete the Secret (forces immediate deletion without a recovery window):

3. Delete the GuardDuty Detector: First, retrieve your Detector ID, then pass it to the delete command.

Troubleshooting

Stretch Challenge

Now that you have enabled GuardDuty, try enabling AWS Security Hub. Security Hub aggregates findings from GuardDuty, Inspector, and Macie into a single pane of glass.

Your Challenge: Use the AWS CLI to enable AWS Security Hub and manually trigger a sample GuardDuty finding to see it appear in the Security Hub console.

▶Show solution

bashCopy

# Enable Security Hub aws securityhub enable-security-hub --enable-default-standards # Get your GuardDuty Detector ID DETECTOR_ID=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) # Generate sample findings in GuardDuty (which will sync to Security Hub) aws guardduty create-sample-findings --detector-id $DETECTOR_ID

Navigate to Security Hub in the console to view the aggregated sample findings.

Cost Estimate

This lab falls largely under the AWS Free Tier, assuming your account is eligible and you clean up promptly:

• IAM / CloudTrail Event History: Always free.
• Amazon GuardDuty: 30-day free trial for new accounts. Afterward, priced based on log volume analyzed.
• AWS Secrets Manager: $0.40 per secret per month. If deleted immediately using --force-delete-without-recovery, the prorated cost will be $0.00.

Concept Review

Security and Compliance in the AWS Cloud are governed by the Shared Responsibility Model. AWS is responsible for the security OF the cloud (infrastructure, physical data centers), while you (the customer) are responsible for security IN the cloud (your data, password policies, firewall rules).

The CIA Triad

AWS security measures are built around the CIA Triad:

• Confidentiality: Ensuring data is encrypted (e.g., KMS) and access is strictly controlled (e.g., IAM, Secrets Manager).
• Integrity: Ensuring data is not altered.
• Availability: Ensuring systems and data remain accessible.

AWS Security Service Comparison

Understanding the differences between AWS threat detection and compliance tools is essential for the Cloud Practitioner exam:

These tools combined allow organizations to build highly secure architectures that adhere strictly to industry compliance standards while leveraging the elastic nature of the AWS cloud.

AWS Cloud Security, Governance, and Compliance: Curriculum Overview

This curriculum provides a structured path to mastering the foundational security, governance, and compliance concepts required for the AWS Certified Cloud Practitioner (CLF-C02) exam. It focuses on the Shared Responsibility Model, AWS security services, and regulatory compliance tools.

---

Prerequisites

Before starting this curriculum, students should have a baseline understanding of the following:

• Cloud Computing Basics: Familiarity with on-demand delivery, pay-as-you-go pricing, and scalability.
• Foundational AWS Concepts: Basic knowledge of the AWS Management Console and core services (Compute, Storage, Networking).
• General Security Concepts: A high-level understanding of what firewalls, encryption, and user passwords are used for in traditional IT.

---

Module Breakdown

---

Module Objectives

Module 1: The Shared Responsibility Model

• Objective: Distinguish between "Security OF the Cloud" and "Security IN the Cloud."
• Key Skill: Describe how responsibilities shift when moving from IaaS (EC2) to PaaS (RDS) or SaaS (Lambda).

Module 2: Compliance & Governance

• Objective: Identify where to find AWS compliance reports and how to manage multiple accounts.
• Key Skill: Use AWS Artifact to download SOC or HIPAA reports for auditing purposes.

Module 3: Security Monitoring

• Objective: Understand the purpose of automated security assessment services.
• Key Skill: Differentiate between Amazon GuardDuty (threat detection) and Amazon Inspector (vulnerability scanning).

---

Visual Anchors

The Shared Responsibility Model

The Security (CIA) Triad

---

Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

1. Map Services to Needs: Correctly identify which service to use for a specific security task (e.g., "Which service finds PII?" → Amazon Macie).
2. Compliance Literacy: Locate and explain the significance of a SOC 2 report within AWS Artifact.
3. Scenario Analysis: Given a scenario (e.g., an EC2 instance is compromised), identify whether the fix is the customer's or AWS's responsibility.
4. Security Hub Integration: Explain how AWS Security Hub aggregates findings from GuardDuty and Inspector into a single dashboard.

[!IMPORTANT] Domain 2 (Security and Compliance) represents 30% of the scored content on the CLF-C02 exam. Mastering these concepts is critical for passing.

---

Real-World Application

• Compliance Officer: Use AWS Artifact to provide evidence of security controls to external auditors during annual certifications.
• Security Operations (SecOps): Set up Amazon GuardDuty to automatically alert the team if an unauthorized user attempts to access an S3 bucket from a malicious IP address.
• Cloud Architect: Implement encryption at rest using AWS KMS to ensure that even if physical storage media were stolen, the data would remain unreadable.

▶Click to expand: Service Comparison Table

Service	Primary Function	Real-World Example
AWS Shield	DDoS Protection	Protecting a web app from being overwhelmed by fake traffic.
AWS WAF	Web Traffic Filtering	Blocking SQL injection attacks on a login page.
Amazon Inspector	Vulnerability Scanning	Finding out if your EC2 instance has an outdated, insecure software version.
AWS KMS	Key Management	Managing the digital keys used to encrypt your database.

AWS Security, Governance, and Compliance: Foundational Controls Lab

Welcome to this hands-on lab covering Domain 2 of the AWS Certified Cloud Practitioner (CLF-C02) exam. In this lab, you will apply the AWS Shared Responsibility Model by implementing critical security and compliance controls "IN" the cloud. You will enable threat detection, enforce encryption at rest, configure public access blocks, and practice least-privilege IAM policies.

Prerequisites

Before starting this lab, ensure you have the following:

• AWS Account: Access to an AWS account with Administrator privileges.
• AWS CLI Installed: The AWS Command Line Interface installed and configured on your local machine.
• IAM Credentials: Your CLI must be authenticated using aws configure with an Access Key and Secret Access Key.
• Prior Knowledge: Basic understanding of Amazon S3, IAM, and the concepts of encryption.

Learning Objectives

By completing this lab, you will be able to:

1. Enable and interpret findings in Amazon GuardDuty (Continuous Threat Detection).
2. Secure an Amazon S3 bucket using Server-Side Encryption (Encryption at Rest) and Public Access Blocks.
3. Implement IAM least-privilege access management for cloud resources.
4. Understand the practical application of the AWS Shared Responsibility Model.

Architecture Overview

The following diagrams illustrate the infrastructure you will build and how it maps to the AWS Shared Responsibility Model.

Lab Infrastructure

AWS Shared Responsibility Context

---

Step-by-Step Instructions

Step 1: Enable Amazon GuardDuty for Threat Detection

Amazon GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior. As a customer, enabling it fulfills your responsibility to monitor your AWS environment.

[!TIP] Generating sample findings populates the GuardDuty console with mock data (like simulated Bitcoin mining or unauthorized API calls) so you can see what actual threats look like without needing a real security incident.

▶Console alternative

1. Navigate to the GuardDuty console.
2. Click Get Started and then click Enable GuardDuty.
3. In the left navigation pane, choose Settings.
4. Scroll down to Sample findings and click Generate sample findings.
5. Go back to the Findings page in the left pane to view the generated threats.

📸 Screenshot: A list of findings with severity tags (High, Medium, Low).

Step 2: Create a Secure, Encrypted S3 Bucket

Data security requires "Encryption at Rest." We will create an S3 bucket, enable default AES-256 encryption, and apply a strict "Block Public Access" configuration.

Note: Replace <YOUR_ACCOUNT_ID> with your actual 12-digit AWS account number to ensure the bucket name is globally unique.

▶Console alternative

1. Navigate to the S3 console and click Create bucket.
2. Enter brainybee-secure-data-<YOUR_ACCOUNT_ID> for the Bucket name.
3. In the Block Public Access settings for this bucket section, ensure Block all public access is CHECKED.
4. Scroll to Default encryption, ensure Server-side encryption is Enabled, and Encryption key type is Amazon S3 managed keys (SSE-S3).
5. Click Create bucket.

📸 Screenshot: The S3 bucket creation screen highlighting the "Block all public access" checkbox.

Step 3: Implement Least Privilege with IAM

Identity and Access Management (IAM) is a core piece of the customer's shared responsibility. We will create a policy that grants only read access to the specific S3 bucket you just created.

▶Console alternative

1. Navigate to the IAM console.
2. In the left navigation pane, choose Policies, then click Create policy.
3. Switch to the JSON tab and paste the JSON from the code block above (ensure you replace <YOUR_ACCOUNT_ID>).
4. Click Next, name the policy BrainyBeeS3ReadOnly, and click Create policy.

📸 Screenshot: The IAM visual editor showing "Limited: Read" access to a specific S3 resource.

---

Checkpoints

Verify that your configurations were applied correctly by running the following commands:

Checkpoint 1: Verify GuardDuty is Active

Checkpoint 2: Verify S3 Encryption is Applied

Checkpoint 3: Verify Public Access is Blocked

---

Troubleshooting

---

Clean-Up / Teardown

[!WARNING] Cost Warning: Amazon GuardDuty offers a 30-day free trial. If left running after the trial, you will incur ongoing charges based on the volume of CloudTrail and VPC Flow Logs analyzed. Run these teardown commands to avoid unexpected costs.

Execute the following commands to delete all resources provisioned in this lab:

[!NOTE] If you enabled GuardDuty via the console, you can disable it by navigating to GuardDuty > Settings > Suspend or Disable GuardDuty and clicking Disable GuardDuty.

AWS Cloud Value Proposition: Curriculum Overview

This document provides a comprehensive roadmap for mastering the AWS Cloud Value Proposition, focusing on the economic, operational, and strategic benefits of migrating to the Amazon Web Services ecosystem. This curriculum aligns with the AWS Certified Cloud Practitioner (CLF-C02) exam objectives.

## Prerequisites

Before beginning this curriculum, candidates should possess the following foundational knowledge:

• General IT Knowledge: Basic understanding of information technology services and their use in business.
• Infrastructural Basics: Familiarity with the concepts of servers, networking, and storage.
• Recommended Experience: AWS suggests at least six months of experience with the AWS Cloud in any role (technical, managerial, sales, or financial).
• Business Context: A basic understanding of the difference between capital investments and operational expenses.

## Module Breakdown

## Learning Objectives per Module

Module 1: Benefits of the AWS Cloud

• Define Agility: Understand how AWS increases speed of deployment and fosters experimentation.
• Global Infrastructure: Explain the benefits of global reach for reducing latency and providing high availability.
• Elasticity vs. Scalability: Distinguish between the ability to handle growth and the ability to shrink resources based on demand.

Module 2: Design Principles

• Well-Architected Framework: Identify and define the six pillars of the framework.

[!IMPORTANT] The Well-Architected Framework is essential for building secure, high-performing, resilient, and efficient infrastructure.

Module 3: Migration & Cloud Adoption Framework (CAF)

• The CAF Perspectives: Understand the six perspectives: Business, People, Governance, Platform, Security, and Operations.
• Value Chain: Describe the transformation of technology, processes, and organizations.

Module 4: Cloud Economics

• Cost Models: Compare Capital Expenses (CapEx) with Operating Expenses (OpEx).
• Metered Payment: Explain the "pay-as-you-go" model and how it relates to rightsizing and automation.

## Success Metrics

To determine mastery of the AWS Cloud Value Proposition, you should be able to:

1. Articulate the "Big Idea": Explain why a university would "terminate" millions of CPUs after a weekend rather than buying them (CapEx avoidance).
2. Pillar Identification: Given a scenario (e.g., "reducing carbon footprint"), identify the relevant Well-Architected Pillar (Sustainability).
3. Economic Justification: Calculate the theoretical benefit of Economies of Scale (lower prices due to AWS's massive volume).
4. Migration Readiness: Identify which AWS CAF perspective addresses "reduced business risk" or "increased revenue."

## Real-World Application

Case Study: High-Speed Experimentation

In traditional IT, testing a new AI model required purchasing physical servers (weeks of procurement). In the AWS environment, a large university can spin up hundreds of thousands of EC2 virtual machines for a single weekend of testing.

• The Result: The university pays only for the hours used (metered billing) and avoids the massive overhead of unneeded idle hardware.

Career Impact

Understanding the value proposition allows professionals in Sales, Finance, and Management to:

• Build business cases for cloud migration.
• Optimize existing cloud spend to increase ROI.
• Leverage AWS global reach to enter new markets in minutes rather than months.

[!TIP] Always remember: In the cloud, infrastructure is temporary and disposable, not a permanent asset to be maintained at all costs.