
Mastering Data Security Controls (AWS SAA-C03)

Determine appropriate data security controls


This study guide focuses on identifying and implementing the correct security controls to protect data within the AWS ecosystem, aligned with Domain 1 of the Solutions Architect - Associate exam.


Learning Objectives

After studying this guide, you should be able to:

  • Define and apply the CIA Triad (Confidentiality, Integrity, Availability) to cloud architectures.
  • Categorize data using Classification Zones to determine necessary protection levels.
  • Select appropriate Encryption Mechanisms for data at rest and data in transit.
  • Identify the use cases for security services such as Amazon Macie, AWS KMS, and ACM.
  • Implement Governance Controls to maintain compliance and auditability.

Key Terms & Glossary

  • CIA Triad: The foundational model of information security consisting of Confidentiality, Integrity, and Availability.
  • PII (Personally Identifiable Information): Any data that could potentially identify a specific individual (e.g., SSN, email address).
  • KMS (Key Management Service): A managed service to create and control encryption keys.
  • ACM (AWS Certificate Manager): A service to provision, manage, and deploy SSL/TLS certificates for use with AWS services.
  • Envelope Encryption: The practice of encrypting data with a data key, and then encrypting the data key under another key.

The "Big Idea"

Data security in AWS is not a "one-size-fits-all" setting. It is a layered defense-in-depth strategy. You must protect the data itself (encryption), the identity accessing it (IAM), the perimeter around it (VPC/Security Groups), and the continuous monitoring of its state (Macie/CloudTrail). The goal is to move from "Permissive by Default" to "Least Privilege and Encrypted by Default."


Formula / Concept Box

Goal                 | Mechanism                    | AWS Service / Tool
---------------------|------------------------------|----------------------------------------
Confidentiality      | Encryption / Access Control  | KMS, IAM, S3 Bucket Policies
Integrity            | Hashing / Digital Signatures | CloudTrail (Log File Validation), KMS
Availability         | Redundancy / Backups         | S3 Replication, EBS Snapshots, Multi-AZ
In-Transit Security  | TLS/SSL Encryption           | AWS Certificate Manager (ACM)
At-Rest Security     | AES-256 / Key Management     | AWS KMS, CloudHSM

Hierarchical Outline

  1. Data Governance & Classification

    • Classification Zones: Organizing data from "Public" to "Highly Protected" based on sensitivity.
    • Amazon Macie: Uses ML to automatically discover, classify, and protect PII in S3 buckets.
  2. Encryption at Rest

    • Amazon EBS Encryption: Transparent encryption for block storage; uses KMS keys.
    • Amazon S3 Encryption: Server-Side (SSE-S3, SSE-KMS, SSE-C) or Client-Side encryption.
    • AWS KMS: Centralized key management; integrated with most AWS services.
  3. Encryption in Transit

    • TLS/SSL: Encrypting data between the client and the AWS endpoint.
    • AWS Certificate Manager: Automates the renewal and deployment of TLS certificates to ALBs and CloudFront.
  4. Access and Monitoring

    • IAM Policy: Defining "Who" can do "What" to data.
    • AWS CloudTrail: Auditing "Who did what and when" across the account.
    • Amazon GuardDuty: Threat detection that continuously monitors the account for malicious activity.

Visual Anchors

Data Security Logic Flow (diagram not reproduced in this extract)

Encryption at Rest vs. In Transit (diagram not reproduced in this extract)

Definition-Example Pairs

  • Least Privilege Access: Granting only the minimum permissions required to perform a task.
    • Example: An application that only reads files from S3 should have s3:GetObject permission, but not s3:DeleteObject or s3:PutObject.
  • Data Retention Policy: A set of rules determining how long data must be kept and when it can be deleted.
    • Example: Using S3 Lifecycle policies to transition objects to Glacier after 30 days and delete them after 7 years for regulatory compliance.
  • Shared Responsibility Model: A framework dividing security tasks between AWS (Security of the cloud) and the customer (Security in the cloud).
    • Example: AWS manages the physical security of the disk hardware, while the customer is responsible for enabling encryption on that disk.

Worked Examples

Scenario: Securing Healthcare Records

Problem: A healthcare provider is moving patient records to AWS. They must ensure that data is encrypted at rest using keys they can audit, and that no unencrypted data ever leaves the VPC. They also need to be alerted if PII is found in public-facing buckets.

Step-by-Step Solution:

  1. At-Rest: Store data in Amazon S3 and enable SSE-KMS. This keeps the data encrypted and, because every use of the KMS key is recorded in CloudTrail, provides an audit trail of key usage.
  2. In-Transit: Deploy an Application Load Balancer (ALB) and associate a certificate from AWS Certificate Manager (ACM) to enforce HTTPS/TLS connections.
  3. Discovery: Enable Amazon Macie to scan S3 buckets for patterns matching Social Security Numbers or Medical IDs.
  4. Network: Use VPC Endpoints (Interface or Gateway) to ensure S3 traffic stays within the AWS private network, avoiding the public internet.
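The least-privilege example earlier on this page and the four scenario steps above both come down to policy statements that are evaluated per request. The following is an added illustration, not code from this guide or from AWS: a small evaluator using simplified IAM semantics (an applicable explicit Deny wins, otherwise any applicable Allow grants, otherwise implicit deny) run against a constructed read-only identity policy and a constructed bucket policy for the scenario that denies uploads without SSE-KMS and denies requests that do not arrive through a VPC endpoint. The bucket name, the endpoint id vpce-EXAMPLE and the evaluate() helper are assumptions of the example; only StringEquals and StringNotEquals conditions are modelled and Principal matching is left out.

```python
import fnmatch

# Constructed identity policy for the read-only application from the
# least-privilege example: it may GetObject and nothing else.
READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::patient-records/*",
    }],
}

# Constructed bucket policy for the healthcare scenario (bucket name and VPC
# endpoint id are placeholders). Two explicit denies: uploads that do not
# request SSE-KMS, and any request that does not arrive via the endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::patient-records/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            "Sid": "DenyAccessOutsideVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::patient-records",
                         "arn:aws:s3:::patient-records/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-EXAMPLE"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM wildcards '*' and '?'; action names are case-insensitive, ARNs are not.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals / StringNotEquals are modelled in this illustration.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # A negated operator also matches when the key is absent from the
                # request: that is why an upload with no SSE header hits the Deny.
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'allow', 'explicit deny' or 'implicit deny' (simplified IAM
    semantics: any applicable Deny wins, else any applicable Allow from the
    identity or bucket policy grants, else implicit deny)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context or {}):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::patient-records/p1.json"
    via_endpoint = {"aws:sourceVpce": "vpce-EXAMPLE"}
    for action, ctx in [("s3:GetObject", via_endpoint), ("s3:GetObject", {}),
                        ("s3:DeleteObject", via_endpoint), ("s3:PutObject", via_endpoint)]:
        print(action, ctx, "->", evaluate([READER_POLICY, BUCKET_POLICY], action, obj, ctx))
```

The condition-key behaviour is the part worth testing when writing such a bucket policy: StringNotEquals also matches when the key is absent from the request, so an upload with no x-amz-server-side-encryption header is explicitly denied rather than silently accepted, and a request with no aws:sourceVpce in its context (one from the public internet) is denied for the same reason.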

Checkpoint Questions

  1. Which service would you use to automatically discover sensitive PII data in an S3 bucket?
  2. What is the difference between SSE-S3 and SSE-KMS in terms of key management responsibility?
  3. To protect data being transferred from an on-premises data center to an EC2 instance, which control should be implemented?
  4. How does Amazon EBS encryption affect performance on supported instance types?
  5. True or False: AWS CloudTrail can be used to prove that a specific IAM user accessed an encrypted object in S3.
Answers
  1. Amazon Macie.
  2. SSE-S3 uses keys managed entirely by AWS; SSE-KMS allows the user to manage the key (rotation, permissions, auditing).
  3. TLS/SSL (Encryption in transit).
  4. Encryption happens on the EC2 host with negligible impact on latency/performance.
  5. True. CloudTrail logs the API calls, including the Decrypt call made to KMS to view the object.
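Checkpoint answer 5 rests on the KMS Decrypt call appearing in CloudTrail. As an added example that is not part of the original guide, the following parses a constructed CloudTrail log fragment (placeholder account id, key id and user names) and reports which principal caused S3 to decrypt which SSE-KMS object, using the aws:s3:arn encryption-context key that S3 sets on the KMS calls it makes for SSE-KMS objects. The sample records and the helper names are assumptions of the example.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records (not real log data). The first record has the
# shape S3 produces when it decrypts an SSE-KMS object on a caller's behalf:
# a KMS Decrypt whose encryption context carries the object ARN; invokedBy
# names the service that made the call. Account id, key id and user names
# are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-01-15T10:02:11Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {
            "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::patient-records/p1.json"},
            "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
        "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER"}],
    },
    {   # Decrypt by a role for something that is not an S3 object: ignored
        "eventTime": "2024-01-15T10:03:40Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/etl-role/etl"},
        "requestParameters": {"encryptionContext": {"purpose": "db-password"}},
    },
    {   # A KMS call that is not a Decrypt (object upload): ignored
        "eventTime": "2024-01-15T10:04:02Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/bob",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::patient-records/p2.json"}},
    },
    {   # A second object read by the same user
        "eventTime": "2024-01-15T10:09:55Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::patient-records/p3.json"}},
    },
]})


def s3_object_decrypts(trail_json):
    """Return (eventTime, principal ARN, S3 object ARN) for every KMS Decrypt
    whose encryption context names an S3 object, i.e. a decrypt S3 performed
    to serve an SSE-KMS object to that principal."""
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        ctx = rec.get("requestParameters", {}).get("encryptionContext", {})
        obj = ctx.get("aws:s3:arn")
        if not obj:
            continue
        hits.append((rec["eventTime"], rec["userIdentity"]["arn"], obj))
    return hits


def objects_read_by_principal(trail_json, bucket):
    """Map principal ARN -> sorted list of object ARNs decrypted under bucket."""
    prefix = f"arn:aws:s3:::{bucket}/"
    seen = defaultdict(set)
    for _, principal, obj in s3_object_decrypts(trail_json):
        if obj.startswith(prefix):
            seen[principal].add(obj)
    return {p: sorted(objs) for p, objs in seen.items()}


if __name__ == "__main__":
    for when, who, what in s3_object_decrypts(SAMPLE_TRAIL):
        print(f"{when} {who} decrypted {what}")
    print(objects_read_by_principal(SAMPLE_TRAIL, "patient-records"))
```

In a real trail the same records arrive as gzipped JSON in the S3 bucket CloudTrail delivers to, so only the loading step differs. The KMS management event alone shows the key was used for that object on the user's behalf; with S3 data events enabled, the matching GetObject record supplies the other half of the evidence.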
