Unit 3: Infrastructure Security - Curriculum Overview

This curriculum covers the design, implementation, and troubleshooting of security controls across three primary layers of the AWS cloud environment: the network edge, the compute layer, and the internal network infrastructure. This unit aligns with Domain 3 of the AWS Certified Security - Specialty (SCS-C03) exam.

Prerequisites

Before starting this unit, learners should have a solid foundation in the following areas:

  • Cloud Fundamentals: Understanding of the AWS Shared Responsibility Model (specifically the customer's responsibility for "Security in the Cloud").
  • Core Networking: Proficiency with Virtual Private Cloud (VPC) constructs, including subnets, route tables, and Internet Gateways (IGW).
  • Identity Basics: Knowledge of IAM roles, policies, and trust relationships as they apply to AWS resources.
  • Basic Security Concepts: Familiarity with common threats like DDoS, SQL injection, and the OWASP Top 10.

Module Breakdown

| Module | Focus Area | Difficulty |
|---|---|---|
| 1. Edge Security | Protecting entry points (CloudFront, WAF, Shield, Route 53) | Intermediate |
| 2. Compute Security | Hardening EC2, containers, and Lambda; vulnerability management | Advanced |
| 3. Network Security | Traffic control (Security Groups, NACLs, Network Firewall) and hybrid connectivity | Intermediate |
| 4. Vulnerability & Remediation | Automated scanning (Inspector) and patching (SSM) | Advanced |

Learning Objectives per Module

Module 1: Network Edge Services

  • Edge Defense: Select and implement strategies for edge protection using AWS WAF (Web Application Firewall) to mitigate OWASP Top 10 threats.
  • DDoS Mitigation: Differentiate between AWS Shield Standard and Shield Advanced for Layer 3, 4, and 7 protection.
  • Traffic Shaping: Configure CloudFront headers and geolocation-based rules to restrict or permit traffic based on geographic requirements.

Module 2: Compute Workload Security

  • Hardening: Design hardened Amazon Machine Images (AMIs) and container images using EC2 Image Builder.
  • Vulnerability Management: Use Amazon Inspector to scan compute resources for known vulnerabilities and GuardDuty for runtime monitoring.
  • Secure Access: Implement "no-ingress" administrative access using Systems Manager (SSM) Session Manager instead of traditional SSH/RDP.

Module 3: Network Infrastructure & Connectivity

  • Granular Traffic Control: Design multi-layered defense using Security Groups (stateful) and Network ACLs (stateless).
  • Network Segmentation: Implement isolated subnets and utilize AWS Network Firewall for deep packet inspection and domain filtering.
  • Hybrid Connectivity: Secure communication between on-premises and AWS using Site-to-Site VPN and Direct Connect with MACsec.

Visual Anchors

Layered Defense-in-Depth Model (diagram not reproduced in this text)

Vulnerability & Patching Lifecycle (diagram not reproduced in this text)

Success Metrics

To demonstrate mastery of Unit 3, the learner must be able to:

  1. Deploy a Web ACL: Successfully create an AWS WAF rule that blocks SQL injection and rate-limits requests from specific IP ranges.
  2. Configure Session Manager: Access a private EC2 instance (no Public IP) via the AWS Console without opening Port 22/3389 in a Security Group.
  3. Implement Network Segmentation: Design a VPC where application servers in a private subnet can only communicate with the database via specific ports, while the database has no route to the internet.
  4. Automate Patching: Configure an SSM Maintenance Window that automatically applies "Critical" security patches to a fleet of EC2 instances weekly.
  5. Troubleshoot Reachability: Use the VPC Reachability Analyzer to identify why a specific network path between two instances is blocked.

Real-World Application

Infrastructure security is the "digital fortress" of a modern enterprise. Mastery of these concepts is critical for:

  • Preventing Data Breaches: By hardening AMIs and scanning for vulnerabilities, you close the doors that attackers use to gain initial access.
  • Compliance: Many regulatory frameworks (PCI-DSS, HIPAA, SOC2) require documented patching processes and strict network segmentation.
  • Availability: Using Shield and WAF protects against DDoS attacks that could otherwise take a business offline, resulting in lost revenue and reputation.
  • Operational Excellence: Automating security with Infrastructure as Code (IaC) and Systems Manager reduces the "human error" factor, which is the leading cause of cloud security misconfigurations.

[!IMPORTANT] Always follow the Principle of Least Privilege (PoLP) not just for users, but for network traffic. If a service doesn't need to talk to the internet, it shouldn't have a route to it.
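Success metric 3 and the least-privilege note above describe the same two checks in prose: the database subnet has no route to the internet, and only the application tier can reach the database on its port. The following added example (not part of the course material) turns those two checks into an audit over a hand-built VPC inventory; the field names only loosely follow what `describe-route-tables` and `describe-security-groups` return, the resource ids are made up, and each tier carries one deliberate violation so the audit has something to report.

```python
"""Audit a constructed VPC description for two network least-privilege rules:
the database tier must have no route to an internet gateway, and its security
group must admit only the application tier's security group on the DB port.
Added example; nothing here calls AWS."""

# Constructed sample inventory (hand-written, not fetched from AWS). Shapes are
# simplified from describe-route-tables / describe-security-groups output and
# the ids are placeholders.
ROUTE_TABLES = {
    "rtb-app": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-0123456789abcdef0"},  # NAT egress is fine for the app tier
    ],
    "rtb-db": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-0123456789abcdef0"},  # violation: DB subnet reaches the internet
    ],
}
SECURITY_GROUPS = {
    "sg-app": {"ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    ]},
    "sg-db": {"ingress": [
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "sg-app"},      # intended rule
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "10.0.0.0/8"},  # violation: whole private range
    ]},
}


def internet_gateway_routes(routes):
    """Routes that hand traffic to an internet gateway. Any such route gives the
    subnet a path to the internet, whatever the destination prefix is."""
    return [r for r in routes if r["target"].startswith("igw-")]


def non_tier_ingress(sg, allowed_source_sg, port):
    """Ingress rules wider than 'the allowed tier's SG on exactly this port'.
    A CIDR source, a different source SG, or a port range that extends past the
    single DB port all count as findings."""
    findings = []
    for rule in sg["ingress"]:
        wider_ports = rule["from_port"] < port or rule["to_port"] > port
        if rule["source"] != allowed_source_sg or wider_ports:
            findings.append(rule)
    return findings


def audit_database_tier(route_tables, security_groups, db_route_table, db_sg, app_sg, db_port):
    """Return human-readable findings for the database tier; an empty list
    means both segmentation rules hold."""
    findings = []
    for r in internet_gateway_routes(route_tables[db_route_table]):
        findings.append(
            f"{db_route_table}: route {r['destination']} -> {r['target']} "
            f"gives the database tier a path to the internet")
    for rule in non_tier_ingress(security_groups[db_sg], app_sg, db_port):
        findings.append(
            f"{db_sg}: ingress {rule['protocol']}/{rule['from_port']}-{rule['to_port']} "
            f"from {rule['source']} is wider than {app_sg} on port {db_port}")
    return findings


if __name__ == "__main__":
    for finding in audit_database_tier(ROUTE_TABLES, SECURITY_GROUPS,
                                       "rtb-db", "sg-db", "sg-app", 5432):
        print("FINDING:", finding)
```

Run against the sample it reports exactly the two planted problems; removing the IGW route and the CIDR ingress rule brings it to an empty list. The same two functions can be pointed at real `describe-*` output once the field names are mapped, which is the shape of check a pipeline would run before a VPC change is applied.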

Comparison: Security Groups vs. Network ACLs

| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Level | Instance level (ENI) | Subnet level |
| State | Stateful (return traffic allowed) | Stateless (return traffic must be explicitly allowed) |
| Rules | Allow rules only | Allow and Deny rules |
| Evaluation | All rules evaluated before decision | Rules evaluated in numerical order |
| Application | Applies to a resource if associated | Applies to all resources in the subnet |
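The two rows that trip people up in practice are State and Evaluation. The following added example (not from the course; constructed rules, a constructed client flow, no AWS calls) models both engines just far enough to show the consequences: a NACL that allows port 443 in both directions still drops the server's reply because the reply's destination is the client's ephemeral port, a lower-numbered deny wins even when it is listed last, and a security group with a single inbound rule and no outbound rule at all still lets the reply out through connection tracking.

```python
"""Model the evaluation semantics from the SG vs NACL comparison: a stateless,
number-ordered Network ACL next to a stateful, allow-only Security Group.
Added example with constructed rules and packets; it reproduces the documented
behaviour and does not talk to AWS."""
from ipaddress import ip_address, ip_network


def _matches(rule, packet):
    """Shared match test: direction, protocol, destination port, remote CIDR.
    For inbound packets the destination port is the instance's port; for
    outbound packets it is the remote side's port (an ephemeral port on replies)."""
    dst_port = packet["local_port"] if packet["direction"] == "inbound" else packet["remote_port"]
    return (rule["direction"] == packet["direction"]
            and rule["protocol"] in ("all", packet["protocol"])
            and rule["from_port"] <= dst_port <= rule["to_port"]
            and ip_address(packet["remote_ip"]) in ip_network(rule["cidr"]))


def nacl_decision(rules, packet):
    """Network ACL: walk rules in ascending rule number, the first match
    decides, and the implicit '*' rule denies anything unmatched. Each packet
    is judged on its own, so a reply passes only if an outbound rule covers
    its ephemeral destination port."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _matches(rule, packet):
            return rule["action"]
    return "deny"


class SecurityGroup:
    """Security group: allow rules only, so evaluation order cannot change the
    outcome (any matching rule admits the packet), and connection tracking
    admits the return direction of every flow that was already admitted."""

    def __init__(self, rules):
        self.rules = rules
        self.tracked_flows = set()  # (remote_ip, remote_port, local_port)

    def decision(self, packet):
        flow = (packet["remote_ip"], packet["remote_port"], packet["local_port"])
        if flow in self.tracked_flows:
            return "allow"  # return traffic of an accepted flow
        if any(_matches(rule, packet) for rule in self.rules):
            self.tracked_flows.add(flow)
            return "allow"
        return "deny"


# Constructed traffic: a client at 203.0.113.10 opens a TLS connection from
# ephemeral port 51515 to the instance's port 443, and the instance replies.
REQUEST = {"direction": "inbound", "protocol": "tcp",
           "remote_ip": "203.0.113.10", "remote_port": 51515, "local_port": 443}
REPLY = {**REQUEST, "direction": "outbound"}

# Constructed NACL that allows 443 both ways but has no ephemeral-port rule.
NACL_BASIC = [
    {"number": 100, "direction": "inbound", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0", "action": "allow"},
    {"number": 100, "direction": "outbound", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0", "action": "allow"},
]
# The same NACL with the outbound ephemeral-port rule that replies need.
NACL_WITH_EPHEMERAL = NACL_BASIC + [
    {"number": 110, "direction": "outbound", "protocol": "tcp",
     "from_port": 1024, "to_port": 65535, "cidr": "0.0.0.0/0", "action": "allow"},
]
# A deny rule with a lower number, appended last on purpose: it still wins,
# because evaluation follows the rule number, not the list position.
NACL_ORDERED = NACL_WITH_EPHEMERAL + [
    {"number": 50, "direction": "inbound", "protocol": "all",
     "from_port": 0, "to_port": 65535, "cidr": "203.0.113.0/24", "action": "deny"},
]
# Constructed SG with one inbound rule and, deliberately, no outbound rule.
SG_RULES = [
    {"direction": "inbound", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
]


def run_scenarios():
    """Decisions for each scenario; the request is always sent before the reply."""
    sg = SecurityGroup(SG_RULES)
    return {
        "nacl_basic_request": nacl_decision(NACL_BASIC, REQUEST),
        "nacl_basic_reply": nacl_decision(NACL_BASIC, REPLY),            # stateless: reply dropped
        "nacl_ephemeral_reply": nacl_decision(NACL_WITH_EPHEMERAL, REPLY),
        "nacl_ordered_request": nacl_decision(NACL_ORDERED, REQUEST),    # rule 50 deny wins
        "nacl_ordered_other_client": nacl_decision(
            NACL_ORDERED, {**REQUEST, "remote_ip": "198.51.100.5"}),
        "sg_request": sg.decision(REQUEST),
        "sg_reply": sg.decision(REPLY),                                   # stateful: reply allowed
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28} {verdict}")
```

The model is intentionally narrow (TCP only, no ICMP type handling, no rule-number ties beyond list order), but it is enough to explain the most common NACL troubleshooting outcome: an inbound allow with no matching outbound ephemeral-port allow looks like a working rule set and silently drops every response.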
