AWS Security Capabilities: Curriculum Overview
Security capabilities that AWS provides
This curriculum provides a comprehensive roadmap for mastering the security tools and features provided by Amazon Web Services (AWS). It covers identity management, threat detection, data protection, and compliance tools necessary for the AWS Certified Cloud Practitioner (CLF-C02) and beyond.
Prerequisites
Before beginning this curriculum, students should have a baseline understanding of the following:
- Cloud Computing Fundamentals: Understanding of cloud vs. on-premises deployments.
- AWS Global Infrastructure: Knowledge of Regions and Availability Zones.
- Basic Networking: General understanding of IP addresses, firewalls, and DNS.
- The Shared Responsibility Model: A high-level awareness that security is a joint effort between AWS and the customer.
Module Breakdown
| Module | Topic | Focus Area | Difficulty |
|---|---|---|---|
| Mod 1 | Identity & Access Management | IAM, Root User, Least Privilege | Beginner |
| Mod 2 | Detection & Monitoring | GuardDuty, Inspector, Config | Intermediate |
| Mod 3 | Data Protection | KMS, CloudHSM, Secrets Manager | Intermediate |
| Mod 4 | Infrastructure Protection | AWS Shield, WAF, Security Hub | Intermediate |
| Mod 5 | Compliance & Governance | AWS Artifact, Audit Manager | Beginner |
Learning Objectives per Module
Module 1: Identity & Access Management (IAM)
- Implement the Principle of Least Privilege using IAM users, groups, and roles.
- Secure the AWS Root User account using Multi-Factor Authentication (MFA).
- Configure IAM Password Policies to enforce strong credential management.
Module 2: Automated Detection & Assessment
- Use Amazon Inspector to identify security vulnerabilities in EC2 instances.
- Deploy Amazon GuardDuty for continuous threat detection and malicious activity monitoring.
- Utilize Amazon Detective to conduct post-incident analysis and visualize security logs.
Module 3: Cryptography & Secrets
- Manage encryption keys using AWS KMS (software-based) and AWS CloudHSM (hardware-based).
- Securely store and rotate database credentials using AWS Secrets Manager.
- Distinguish between Encryption at Rest and Encryption in Transit.
Module 4: Perimeter & Resource Security
- Protect against DDoS attacks using AWS Shield (Standard and Advanced).
- Aggregate security findings into a single dashboard using AWS Security Hub.
- Share resources securely across accounts using AWS Resource Access Manager (RAM).
Module 5: Compliance Resources
- Retrieve AWS compliance reports (SOC, PCI DSS) via AWS Artifact.
- Automate evidence collection for audits using AWS Audit Manager.
> [!IMPORTANT]
> Security is the highest priority at AWS. Understanding the Shared Responsibility Model is the foundation of this entire curriculum: AWS secures the "Cloud," while you secure your content "in" the Cloud.
Visual Anchors
- The AWS Security Landscape (figure)
- Threat Detection Flow (figure)
Examples Section
Scenario 1: Preventing Credential Leaks
Service: AWS Secrets Manager
Action: Instead of hardcoding a database password in your application code, you store the password in Secrets Manager. Your application calls an API to retrieve the password at runtime, and the password is automatically rotated every 30 days.
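Scenario 1 in working form, as an added example that is not part of the curriculum page: the application fetches the database credentials from Secrets Manager at runtime and, going a step beyond the scenario text, copes with the 30-day rotation by caching for a short TTL and refetching once when a stale password is rejected. The secret name, the JSON key layout (the one Secrets Manager's RDS rotation functions maintain) and the FakeSecretsManager stand-in are assumptions; in production the injected client is boto3.client("secretsmanager").

```python
import json
import time

def parse_db_secret(secret_string):
    """Parse the JSON that Secrets Manager's RDS rotation keeps in SecretString."""
    data = json.loads(secret_string)
    required = ("username", "password", "host", "port", "dbname")
    missing = [key for key in required if key not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return {key: data[key] for key in required}

class SecretCache:
    """Fetch the secret at runtime and cache it for ttl seconds. The client is
    injected: boto3.client("secretsmanager") in production, FakeSecretsManager here."""

    def __init__(self, client, secret_id="prod/app/db", ttl=300, clock=time.monotonic):
        # "prod/app/db" is a placeholder secret name, not taken from the page.
        self._client, self._secret_id, self._ttl, self._clock = client, secret_id, ttl, clock
        self._value, self._fetched_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._value is None or now - self._fetched_at >= self._ttl:
            # No VersionStage is passed, so the AWSCURRENT version is returned.
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            self._value, self._fetched_at = parse_db_secret(resp["SecretString"]), now
        return self._value

    def invalidate(self):
        self._value = None  # drop a value that rotation has made stale

def connect_with_retry(cache, connect):
    """connect(creds) raises PermissionError on a bad password; refetch once and retry."""
    try:
        return connect(cache.get())
    except PermissionError:
        cache.invalidate()
        return connect(cache.get())

class FakeSecretsManager:
    """Constructed stand-in for the boto3 client: serves the current password, counts calls."""
    def __init__(self, password):
        self.password, self.calls = password, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        creds = {"username": "app", "password": self.password,
                 "host": "db.internal", "port": 5432, "dbname": "orders"}
        return {"Name": SecretId, "SecretString": json.dumps(creds)}
```

Because the cache holds the password only briefly and refreshes on an authentication failure, a long-running process keeps working across a rotation without a restart.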
Scenario 2: Vulnerability Management
Service: Amazon Inspector
Action: You launch a fleet of EC2 instances. Amazon Inspector automatically scans these instances for known software vulnerabilities (CVEs) and provides a report with severity scores and remediation steps.
Scenario 3: DDoS Mitigation
Service: AWS Shield
Action: A web application experiences a volumetric SYN flood attack. AWS Shield Standard automatically detects and mitigates the attack at the network layer without user intervention.
Success Metrics
You have mastered this curriculum when you can:
- Categorize Services: Correctly assign any of the 10+ mentioned services to their primary function (e.g., "Inspector = Vulnerability Scanning").
- Apply Principles: Explain why using the Root User for daily tasks is a security risk.
- Differentiate Tools: Explain the difference between AWS Artifact (getting reports) and AWS Audit Manager (running audits).
- Calculate Risk: Understand that the complexity of an encryption key contributes to the security posture of an S3 bucket: where is security, is policy, and is access control.
Real-World Application
- Security Engineer: Uses GuardDuty and Security Hub to manage the security posture of enterprise-scale environments.
- Compliance Officer: Uses AWS Artifact to provide proof of security to auditors during annual reviews.
- Cloud Architect: Designs secure-by-default infrastructures using KMS for automated data encryption and IAM roles for service-to-service communication.
> [!TIP]
> Always start by enabling MFA on your root account. It is the single most effective step to prevent account compromise.