AWS Security & Compliance for CloudOps

Intermediate · Topic · 55 min · 11 min read · 26 Apr 2026 · AWS

Security toolkit for CloudOps engineers. KMS encryption, WAF & Shield DDoS protection, threat detection with GuardDuty, compliance with Inspector & Macie, secrets management — all key SOA-C03 topics.

What you'll learn

  • Encrypt data at rest and in transit using KMS
  • Manage secrets with Secrets Manager and SSM Parameter Store
  • Protect applications from web attacks with WAF
  • Detect threats using GuardDuty, Inspector, and Macie
  • Centralise security findings in Security Hub
  • Apply IAM best practices and permission boundaries

Relevant for certifications

SOA-C03, SAA-C03

AWS Key Management Service (KMS)

KMS manages cryptographic keys for encrypting data across AWS services.

Key types

Type                       | Description                                | Use case
AWS managed key            | AWS creates/rotates automatically          | Default encryption for S3, EBS, RDS
Customer managed key (CMK) | You control key policy, rotation, deletion | Fine-grained control
AWS owned key              | AWS-internal, not visible to you           | Free, no audit trail

KMS key operations

# Create a CMK
aws kms create-key \
  --description "Production EBS Encryption Key" \
  --key-usage ENCRYPT_DECRYPT

# Enable automatic key rotation (yearly)
aws kms enable-key-rotation --key-id <key-id>

# Encrypt data
aws kms encrypt \
  --key-id alias/my-key \
  --plaintext fileb://secret.txt \
  --output text --query CiphertextBlob | base64 -d > secret.enc

# Decrypt data
aws kms decrypt \
  --ciphertext-blob fileb://secret.enc \
  --output text --query Plaintext | base64 -d

KMS key policy

Every CMK has a key policy — a resource-based policy that controls who can use and manage the key:

{
  "Statement": [
    {
      "Sid": "Allow key administration",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789:role/KeyAdmin"},
      "Action": ["kms:Create*", "kms:Delete*", "kms:Disable*"],
      "Resource": "*"
    },
    {
      "Sid": "Allow key usage",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789:role/AppRole"},
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "*"
    }
  ]
}

Multi-region keys

KMS multi-region keys share the same key material in multiple regions — enabling cross-region decryption without re-encryption:

Data encrypted in us-east-1 with mrk-123
→ Replicated to eu-west-1 as mrk-123 (same key material)
→ Can be decrypted in eu-west-1 without cross-region API calls

Envelope encryption

KMS uses envelope encryption for large data, because the Encrypt API accepts at most 4 KB of plaintext per call:

1. Request a Data Encryption Key (DEK) from KMS
2. KMS returns: plaintext DEK + encrypted DEK
3. Encrypt your data with plaintext DEK (locally — fast)
4. Store encrypted data + encrypted DEK together
5. To decrypt: send encrypted DEK to KMS → get back plaintext DEK → decrypt data

This means KMS only ever handles small keys, not large payloads.
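The five steps above as working code, added here as an illustration and not taken from the course or from an AWS library: AES-256-GCM from Go's standard library plays both roles, and a 32-byte cmk slice stands in for the key material KMS never releases, so seal(cmk, dek) is the assumed equivalent of GenerateDataKey and open(cmk, encDEK) of kms:Decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what gets stored (step 4); only the small EncDEK ever goes to KMS.
type Envelope struct{ EncDEK, Ciphertext []byte }
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key size is a bug, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	return gcm
}

// seal prefixes a fresh 96-bit nonce; open strips it and verifies the GCM tag,
// so tampering with either the payload or the wrapped key is rejected.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand aborts rather than return weak bytes
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// EnvelopeEncrypt runs steps 1-4. cmk stands in for the key material held inside KMS
// (assumption: a local stub): seal(cmk, dek) is GenerateDataKey's CiphertextBlob.
func EnvelopeEncrypt(cmk, data []byte) Envelope {
	dek := make([]byte, 32) // steps 1-2: fresh 256-bit DEK, plaintext copy only in memory
	rand.Read(dek)
	return Envelope{EncDEK: seal(cmk, dek), Ciphertext: seal(dek, data)} // step 3 is local
}
// EnvelopeDecrypt runs step 5: unwrap the DEK (the kms:Decrypt call), then decrypt locally.
func EnvelopeDecrypt(cmk []byte, env Envelope) ([]byte, error) {
	dek, err := open(cmk, env.EncDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
```

Round-trip a payload with EnvelopeEncrypt and EnvelopeDecrypt; the wrapped DEK is always 60 bytes (nonce, key, tag) whatever the payload size, and flipping one byte of either field fails the tag check.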


AWS Secrets Manager

Secrets Manager stores and automatically rotates secrets (database passwords, API keys, OAuth tokens).

vs SSM Parameter Store

Feature                  | Secrets Manager                              | Parameter Store
Cost                     | $0.40/secret/month                           | Free (standard tier)
Auto rotation            | Yes (built-in for RDS, Redshift, DocumentDB) | No (use Lambda)
Cross-account            | Yes                                          | No
Multi-region replication | Yes                                          | No
Versioning               | Yes                                          | Yes

Store and retrieve a secret

# Store a database credential
aws secretsmanager create-secret \
  --name "prod/myapp/db" \
  --description "Production DB credentials" \
  --secret-string '{"username":"admin","password":"S3cur3P@ss"}'

# Retrieve in application
aws secretsmanager get-secret-value \
  --secret-id "prod/myapp/db" \
  --query SecretString --output text | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['password'])"

Automatic rotation

# Enable automatic rotation for an RDS secret
aws secretsmanager rotate-secret \
  --secret-id "prod/myapp/db" \
  --rotation-rules AutomaticallyAfterDays=30 \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789:function:SecretsManagerRotation

Monitoring & troubleshooting

  • CloudTrail logs every GetSecretValue call — audit who accessed secrets
  • Set CloudWatch Alarms on secret access failure (ResourceNotFoundException)
  • Multi-region replica secrets stay in sync — promote replica to primary for DR

AWS Certificate Manager (ACM)

ACM provisions, manages, and renews SSL/TLS certificates.

# Request a public certificate
aws acm request-certificate \
  --domain-name "*.myapp.com" \
  --validation-method DNS \
  --subject-alternative-names "myapp.com"

# List certificates
aws acm list-certificates --certificate-statuses ISSUED

Key facts:

  • Public ACM certificates are free (for use with AWS services like ALB, CloudFront)
  • ACM auto-renews certificates before expiry — no manual intervention
  • ACM certificates cannot be exported for use outside AWS (use ACM Private CA for that)
  • Import your own certificates into ACM if needed

AWS WAF (Web Application Firewall)

WAF protects web applications from common Layer 7 exploits: SQL injection, XSS, bot traffic.

Deploy on

  • Application Load Balancer (ALB)
  • Amazon CloudFront
  • API Gateway
  • AWS AppSync

Web ACL rules

Rules are evaluated in order (priority number).
Each rule has an action: Allow, Block, Count, CAPTCHA.

Rule types:
1. AWS Managed Rule Groups (AWSManagedRulesCommonRuleSet, etc.)
2. Custom rules (IP sets, regex, rate-based)
3. Rate-based rules (block IPs exceeding N requests/5 min)

Rate-based rule (block DDoS)

aws wafv2 create-web-acl \
  --name "prod-web-acl" \
  --scope REGIONAL \
  --default-action Allow={} \
  --rules '[{
    "Name": "RateLimitRule",
    "Priority": 1,
    "Action": {"Block": {}},
    "Statement": {
      "RateBasedStatement": {
        "Limit": 1000,
        "AggregateKeyType": "IP"
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "RateLimitRule"
    }
  }]' \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=prod-web-acl

AWS Managed Rule Groups

Rule Group                            | Protects against
AWSManagedRulesCommonRuleSet          | OWASP Top 10
AWSManagedRulesSQLiRuleSet            | SQL injection
AWSManagedRulesKnownBadInputsRuleSet  | Log4j, Spring4Shell
AWSManagedRulesAmazonIpReputationList | Known malicious IPs
AWSManagedRulesBotControlRuleSet      | Bot and scraper traffic

AWS Shield

Shield protects against DDoS attacks.

Tier            | Cost             | Protection
Shield Standard | Free (automatic) | Layer 3/4 — SYN floods, reflection attacks
Shield Advanced | $3,000/month     | Layer 3/4/7 + WAF auto-rules + 24/7 DDoS Response Team (DRT)

Shield Advanced covers: EC2, ELB, CloudFront, Route 53, Global Accelerator.

AWS Firewall Manager

Firewall Manager centrally manages WAF rules, Shield Advanced protections, and Security Group rules across all accounts in an Organization:

Org root account (Firewall Manager)
  → Deploy WAF Web ACL to ALL accounts in the org
  → Enforce SG rules across all VPCs
  → Auto-enroll new accounts

Amazon GuardDuty

GuardDuty is a threat detection service that uses ML to identify malicious activity — analyzing CloudTrail logs, VPC Flow Logs, DNS logs, and EKS audit logs.

Finding types

Category            | Examples
Reconnaissance      | Port scanning, unusual API calls
Instance compromise | Crypto mining, backdoor connections, C2 traffic
Credential theft    | Unusual usage of credentials from unexpected IPs
Data exfiltration   | Unusual S3 data access patterns

Enable GuardDuty

# Enable GuardDuty
aws guardduty create-detector --enable

# List findings
aws guardduty list-findings --detector-id <id>

# Get finding details
aws guardduty get-findings \
  --detector-id <id> \
  --finding-ids <finding-id>

GuardDuty + EventBridge automation

GuardDuty finding: "CryptoCurrency:EC2/BitcoinTool.B!DNS"
  → EventBridge rule (severity ≥ MEDIUM)
    → Lambda: snapshot + terminate the compromised instance
    → SNS: alert security team
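The decision the Lambda in this chain has to make, as an added Go example that is not the course's code and makes no AWS SDK calls: it parses the EventBridge envelope of a GuardDuty finding, applies the severity ≥ MEDIUM threshold, and returns the response steps it would take. SampleFinding is a constructed, abbreviated event, and the returned action strings stand in for the EC2/SNS API calls.

```go
package main

import (
	"encoding/json"
	"errors"
)

// findingEvent is the slice of the EventBridge envelope this handler needs.
type findingEvent struct {
	DetailType string `json:"detail-type"`
	Detail     struct {
		Type     string  `json:"type"`
		Severity float64 `json:"severity"`
		Resource struct {
			ResourceType    string `json:"resourceType"`
			InstanceDetails struct {
				InstanceID string `json:"instanceId"`
			} `json:"instanceDetails"`
		} `json:"resource"`
	} `json:"detail"`
}
// GuardDuty severity is numeric: Low 1-3.9, Medium 4-6.9, High 7-8.9.
const mediumThreshold = 4.0
// SampleFinding is a constructed, abbreviated finding of the type shown above.
const SampleFinding = `{"detail-type":"GuardDuty Finding","source":"aws.guardduty","detail":{"type":"CryptoCurrency:EC2/BitcoinTool.B!DNS","severity":5,"resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-0example1234"}}}}`
// PlanResponse is the decision logic of the Lambda: it returns the ordered actions
// instead of calling EC2/SNS, so it runs offline (assumption: stand-in for the handler).
func PlanResponse(raw []byte) ([]string, error) {
	var ev findingEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, err
	}
	if ev.DetailType != "GuardDuty Finding" {
		return nil, errors.New("not a GuardDuty finding event")
	}
	d := ev.Detail
	if d.Severity < mediumThreshold {
		return []string{"log " + d.Type}, nil // below the rule's threshold: audit only
	}
	id := d.Resource.InstanceDetails.InstanceID
	if d.Resource.ResourceType != "Instance" || id == "" {
		return []string{"sns:Publish " + d.Type}, nil // e.g. credential findings: page a human
	}
	return []string{
		"ec2:CreateSnapshot " + id, // preserve evidence before anything changes
		"ec2:TerminateInstances " + id,
		"sns:Publish " + d.Type + " " + id,
	}, nil
}
```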

Suspend vs disable

Pause GuardDuty with suspend (keeps 30-day findings baseline) rather than disable (loses the ML baseline). Re-enabling after disable means starting the baseline from scratch.


Amazon Inspector

Inspector scans EC2 instances and container images for software vulnerabilities (CVEs) and network exposure.

Scan types

Scan                 | What it checks
EC2 instance scan    | OS packages with known CVEs (via SSM Agent)
ECR container scan   | Container image vulnerabilities on push
Lambda function scan | Lambda code and layer vulnerabilities

# Enable Inspector (requires SSM Agent on EC2)
aws inspector2 enable --resource-types EC2 ECR

# List findings
aws inspector2 list-findings \
  --filter-criteria '{"severity":[{"comparison":"EQUALS","value":"CRITICAL"}]}'

Inspector findings integrate with Security Hub for centralised reporting.


Amazon Macie

Macie uses ML to discover, classify, and protect sensitive data in S3 — automatically detecting PII (names, SSNs, credit cards, passwords).

# Enable Macie and create a job to scan a bucket
aws macie2 enable-macie

aws macie2 create-classification-job \
  --job-type ONE_TIME \
  --name "scan-prod-bucket" \
  --s3-job-definition '{
    "bucketDefinitions": [{
      "accountId": "123456789",
      "buckets": ["prod-customer-data"]
    }]
  }'

Macie findings appear in Security Hub and can trigger EventBridge rules.


AWS Security Hub

Security Hub aggregates security findings from GuardDuty, Inspector, Macie, Config, Firewall Manager, and IAM Access Analyzer — providing a unified security view with prioritisation.

Enable and view findings

# Enable Security Hub
aws securityhub enable-security-hub \
  --enable-default-standards  # CIS AWS Foundations, AWS Foundational Security Best Practices

# List findings by severity
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}]}' \
  --sort-criteria '[{"Field":"SeverityLabel","SortOrder":"desc"}]'

Cross-account aggregation

In an Organisation, designate an administrator account for Security Hub to aggregate findings from all member accounts into one view.


IAM Security for CloudOps

Permission Boundaries

A permission boundary sets the maximum permissions an IAM entity can have, even if its identity-based policy grants more:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:*", "s3:*"],
    "Resource": "*"
  }]
}

# Apply boundary when creating a role
aws iam create-role \
  --role-name DevRole \
  --assume-role-policy-document file://trust-policy.json \
  --permissions-boundary arn:aws:iam::123456789:policy/DevBoundary
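To see what "maximum permissions" means in practice, an added Go example that is not the course's own code and not an IAM simulator: a minimal, action-only evaluator that treats the effective permission as the intersection of the identity policy and the boundary. DevBoundary mirrors the boundary policy above; AdminPolicy is a constructed identity policy that grants more than the boundary permits.

```go
package main

import (
	"path"
	"strings"
)

// Statement keeps only Action; Resource and Condition are treated as "*" here.
type Statement struct {
	Effect  string   // "Allow" or "Deny"
	Actions []string // may use IAM wildcards, e.g. "ec2:*", "s3:Get*"
}
// matchAction: IAM action names are case-insensitive and contain no '/', so IAM's * and ? map onto path.Match.
func matchAction(pattern, action string) bool {
	ok, _ := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return ok
}

// evaluate returns "Deny" on any explicit deny, "Allow" if some statement allows,
// and "" for the implicit deny when nothing matches.
func evaluate(policy []Statement, action string) string {
	verdict := ""
	for _, s := range policy {
		for _, a := range s.Actions {
			if !matchAction(a, action) {
				continue
			}
			if s.Effect == "Deny" {
				return "Deny"
			}
			verdict = "Allow"
		}
	}
	return verdict
}

// IsAllowed applies the boundary rule: the entity may do only what BOTH its identity policy
// and the boundary allow; nil means no boundary is attached. (SCPs and resource policies are left out.)
func IsAllowed(identity, boundary []Statement, action string) bool {
	if evaluate(identity, action) != "Allow" {
		return false
	}
	return boundary == nil || evaluate(boundary, action) == "Allow"
}
// DevBoundary mirrors the boundary policy above; AdminPolicy is a constructed identity policy.
var (
	DevBoundary = []Statement{{Effect: "Allow", Actions: []string{"ec2:*", "s3:*"}}}
	AdminPolicy = []Statement{{Effect: "Allow", Actions: []string{"*"}}}
)
```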

IAM Access Analyzer

Identifies resources shared with external principals (public or cross-account):

aws accessanalyzer create-analyzer \
  --analyzer-name "org-analyzer" \
  --type ORGANIZATION

# List findings
aws accessanalyzer list-findings --analyzer-name "org-analyzer"

IAM Security Tools

Tool                   | Purpose
IAM Credentials Report | Account-wide CSV of all users and credential status
IAM Access Advisor     | Shows last accessed service for a user/role
IAM Policy Simulator   | Test what an IAM policy allows/denies
Access Analyzer        | Identify overly permissive resources

# Generate credentials report
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d > credentials.csv

Identity Federation

SAML 2.0 federation:
Corporate IdP (AD/Okta) ─── SAML assertion ──→ AWS STS AssumeRoleWithSAML ──→ Temporary credentials

Cognito User Pools:
Web/mobile app users → Cognito → federate into AWS IAM roles

Logging in AWS — Summary

Service                 | Logs what                      | Destination
CloudTrail              | API calls (who did what)       | S3, CloudWatch Logs
VPC Flow Logs           | Network traffic                | S3, CloudWatch Logs
ELB Access Logs         | HTTP requests to load balancer | S3
CloudFront Logs         | CDN request logs               | S3
S3 Server Access Logs   | Requests to S3 buckets         | S3
RDS Enhanced Monitoring | DB engine metrics              | CloudWatch
WAF Logs                | Web request logs               | S3, CloudWatch, Kinesis

Hands-on: Secure an EC2 Instance End-to-End

1. Encrypt EBS root volume with KMS CMK:
   - Create CMK: aws kms create-key
   - Launch EC2 with encrypted EBS: --block-device-mappings 'DeviceName=/dev/xvda,Ebs={Encrypted=true,KmsKeyId=<arn>}'

2. Store app secrets in Secrets Manager:
   - aws secretsmanager create-secret --name "prod/app/db" --secret-string '{...}'
   - Attach IAM role to EC2 allowing: secretsmanager:GetSecretValue

3. Enable GuardDuty on the account:
   - aws guardduty create-detector --enable
   - Set up EventBridge rule for HIGH/CRITICAL findings → SNS

4. Enable Inspector:
   - aws inspector2 enable --resource-types EC2
   - EC2 must have SSM Agent; Inspector auto-scans for CVEs

5. Enable AWS Config:
   - Rule: encrypted-volumes → auto-remediate with SSM Automation
   - Rule: restricted-ssh → alert + remediate

6. Install CloudWatch Agent for log forwarding:
   - Forward /var/log/secure and /var/log/messages
   - Create metric filter for "Failed password" → alarm + SNS

7. Enable Security Hub:
   - All findings (GuardDuty, Inspector, Config) in one dashboard

Common SOA-C03 Exam Questions

Q: Your application needs to access a database password stored securely, with automatic rotation. What do you use?
AWS Secrets Manager — it supports automatic rotation for RDS, Redshift, and DocumentDB credentials. The Lambda rotation function handles updating both the secret and the database atomically.

Q: An EC2 instance is mining cryptocurrency. How did you detect it and what do you do?
GuardDuty detected CryptoCurrency:EC2/BitcoinTool.B!DNS (suspicious DNS lookups to known mining pools). Immediate response: snapshot the instance for forensics, isolate it (remove from load balancer, add restrictive SG), then terminate. Investigate with CloudTrail to determine root cause.

Q: How do you ensure every EC2 instance is encrypted with KMS?

  1. AWS Config rule: encrypted-volumes — reports non-compliant instances
  2. Set an auto-remediation using SSM Automation to stop, snapshot, re-encrypt volume, and restart
  3. Use SCP (Service Control Policy) to deny launching unencrypted instances

Q: What's the difference between WAF and Shield?
WAF filters Layer 7 HTTP/HTTPS traffic based on rules (SQL injection, XSS, rate limits). Shield protects at Layer 3/4 against volumetric DDoS attacks. Use both together — Shield for network-level attacks, WAF for application-level attacks.


What to Learn Next

  1. AWS Account Management — centralize security policies across accounts with Organizations and SCPs
  2. AWS CloudWatch Monitoring — route security findings to alarms and automated remediation
  3. AWS Systems Manager — SSM Patch Manager closes vulnerabilities found by Inspector
