AWS Certified Solutions Architect - Professional: Determining Security Controls
Determine security controls based on requirements
Comprehensive Study Guide: Determining Security Controls
This study guide covers the critical task of determining and prescribing security controls based on specific business and technical requirements, a core domain for the AWS Certified Solutions Architect – Professional (SAP-C02) exam.
Learning Objectives
After studying this guide, you should be able to:
- Identify security and compliance requirements based on application scope (Public vs. Internal).
- Prescribe IAM policies and roles that adhere to the principle of least privilege.
- Design multi-layered network security using Security Groups, NACLs, and WAF.
- Develop encryption strategies for data at rest and data in transit across complex environments.
- Implement centralized security monitoring and threat detection using AWS managed services.
Key Terms & Glossary
- Principle of Least Privilege (PoLP): Granting only the minimum permissions necessary for a user or service to perform its function.
- Stateful vs. Stateless: Security Groups are stateful (return traffic is automatically allowed); Network ACLs (NACLs) are stateless (return traffic must be explicitly allowed).
- WORM (Write Once, Read Many): A data storage technology that prevents files from being edited or deleted, often implemented via S3 Object Lock.
- Encryption at Rest: Protecting data where it is stored (e.g., EBS, S3) using keys from AWS KMS or CloudHSM.
- Encryption in Transit: Protecting data as it moves over the network, typically using TLS/SSL.
The "Big Idea"
Security in the AWS Professional context is not a "one-size-fits-all" checklist. It is a requirement-driven process where the architecture must be tailored to the environment's sensitivity. Whether a solution is public-facing or internal-only dictates the depth of the defense-in-depth strategy. Your environment's security is only as strong as its weakest system; therefore, centralizing logs and automating threat detection is essential for proactive recovery.
Formula / Concept Box
| Security Layer | AWS Component | Focus Area |
|---|---|---|
| Edge / Perimeter | AWS Shield, AWS WAF | DDoS Protection & Layer 7 Attacks |
| Network (Subnet) | Network ACL (NACL) | Stateless IP/Port filtering |
| Network (Instance) | Security Groups (SG) | Stateful traffic control for ENIs |
| Identity | IAM Roles, SCPs | Permission boundaries and access |
| Data | KMS, Macie, S3 Object Lock | Encryption and sensitive data discovery |
Hierarchical Outline
- Determining Scope & Requirements
- Public vs. Internal: Internet-facing apps require WAF/Shield; internal apps focus on VPC Endpoints.
- Regulatory Frameworks: Assessing needs for NIST, PCI-DSS, or HIPAA compliance.
- Identity and Access Management (IAM)
- Roles over Users: Preferring temporary credentials for cross-account access.
- Service Control Policies (SCPs): Establishing the absolute "guardrails" in AWS Organizations.
- Infrastructure Protection
- Network Security: Implementing layered defense (WAF SG NACL).
- VPC Endpoints: Using Interface (PrivateLink) and Gateway Endpoints to keep traffic off the public internet.
- Data Protection
- Encryption at Rest: Choosing between AWS Managed Keys, CMKs, or CloudHSM.
- Encryption in Transit: Enforcing HTTPS/TLS at the Load Balancer and CloudFront levels.
- Detection and Response
- GuardDuty: ML-based threat detection (VPC Flow Logs, DNS, CloudTrail).
- Security Hub: Centralized dashboard for findings from multiple accounts and services.
Visual Anchors
1. The Defense-in-Depth Pipeline
2. Encryption Strategy (KMS Flow)
\begin{tikzpicture}[node distance=2cm, every node/.style={fill=white, font=\small}, align=center] % Nodes \node (user) [draw, rectangle] {User/Application}; \node (kms) [draw, circle, right=of user] {AWS KMS$Master Key)}; \node (storage) [draw, cylinder, shape border rotate=90, right=of kms] {S3 / EBS$Encrypted Data)};
% Arrows \draw[->] (user) -- node[above] {1. Request Key} (kms); \draw[->] (kms) -- node[below] {2. Return Data Key} (user); \draw[->] (user) -- node[above] {3. Encrypt & Store} (storage); \draw[<->] (storage) -- node[below] {4. Decrypt via KMS} (kms); \end{tikzpicture}
Definition-Example Pairs
- AWS WAF: A web application firewall that helps protect your web applications from common web exploits.
- Example: Creating a rule to block SQL injection patterns or specific IP ranges associated with known bad actors.
- VPC Interface Endpoint: An elastic network interface with a private IP address that serves as an entry point for traffic destined for a supported service.
- Example: Allowing an EC2 instance in a private subnet to securely access the Kinesis API without using a NAT Gateway.
- Amazon GuardDuty: A managed threat detection service that continuously monitors for malicious activity and unauthorized behavior.
- Example: Detecting an EC2 instance that has been compromised and is communicating with a known Bitcoin mining command-and-control server.
Worked Examples
Scenario: Securing a Multi-Account Data Pipeline
Requirement: A company needs to move data from a "Production" account to a "Security Analytics" account for long-term storage and compliance. The data must be immutable for 7 years.
Step-by-Step Solution:
- Cross-Account IAM: Create an IAM Role in the Analytics account that trusts the Production account to write to a specific S3 bucket.
- Encryption: Use a Customer Managed Key (CMK) in KMS with a policy that allows the Production account's role to use the key for encryption.
- Immutability: Enable S3 Object Lock on the destination bucket in "Compliance Mode" with a retention period of 7 years.
- Network Control: Implement a VPC Endpoint for S3 in the Production VPC to ensure the data transfer never traverses the public internet.
- Monitoring: Enable CloudTrail across both accounts and aggregate logs into a centralized Log Archive Account.
Checkpoint Questions
- What is the primary difference between a Security Group and a Network ACL in terms of traffic state?
- Which service should you use to centralize security findings from Amazon GuardDuty, Amazon Macie, and Amazon Inspector?
- How does S3 Object Lock facilitate compliance with WORM requirements?
- When should you choose a Gateway VPC Endpoint over an Interface VPC Endpoint?
[!TIP] Answer Keys: 1. SGs are stateful (auto-allow return); NACLs are stateless (need explicit return rules). 2. AWS Security Hub. 3. It prevents deletion or overwriting of objects for a fixed duration. 4. Use Gateway Endpoints only for S3 and DynamoDB; use Interface Endpoints (PrivateLink) for almost everything else.
Muddy Points & Cross-Refs
- Gateway vs. Interface Endpoints: This is a common point of confusion. Remember: Gateway is free and only for S3/DynamoDB. Interface costs money per hour/GB and is powered by PrivateLink.
- Managed Keys vs. CMKs: If you need to share keys across accounts, you must use a Customer Managed Key (CMK); AWS Managed Keys cannot be shared cross-account.
- WAF vs. Shield: WAF is for application-layer (Layer 7) filtering; Shield is for network/transport-layer (Layer 3/4) DDoS protection.
Comparison Tables
Managed Security Services Comparison
| Service | Primary Function | Source Data | Best Use Case |
|---|---|---|---|
| GuardDuty | Threat Detection | VPC Flow Logs, CloudTrail, DNS | Detecting compromised instances or IAM credentials. |
| Macie | Data Privacy | S3 Buckets | Finding PII (Personally Identifiable Information) in S3. |
| Inspector | Vulnerability Scanning | EC2 Instances, ECR Images | Checking for software vulnerabilities and deviations from best practices. |
| Security Hub | Posture Management | Other AWS Security Services | Centralizing findings and checking for CIS compliance. |