Contents
- 1 🔐 AWS Fundamentals for Cybersecurity Engineers
- 1.1 ☁️ 1. IAM (Identity and Access Management)
- 1.2 🔐 2. KMS (Key Management Service)
- 1.3 🔍 3. Amazon GuardDuty
- 1.4 🧠 4. AWS Security Hub
- 1.5 🔐 5. AWS Config
- 1.6 🔍 6. Amazon Inspector
- 1.7 🔐 7. AWS WAF (Web Application Firewall)
- 1.8 🧰 8. AWS Shield & Shield Advanced
- 1.9 🔐 9. AWS Secrets Manager
- 1.10 🔐 10. AWS CloudTrail
- 1.11 🔎 11. Amazon Macie
- 1.12 ☁️ 12. VPC Flow Logs
- 1.13 📦 13. Amazon S3 Bucket Policies & ACLs
- 1.14 🔄 14. AWS Organizations & SCPs
- 1.15 🔐 15. Amazon Detective
- 2 ✅ Summary Table
🔐 AWS Fundamentals for Cybersecurity Engineers
As a cybersecurity engineer, understanding key AWS technologies is critical for securing cloud infrastructure. Below is a curated list of core AWS services, with explanations of what they are, why they matter, and how they’re used in security contexts.
☁️ 1. IAM (Identity and Access Management)
What it is:
AWS’s user, group, and role-based access control system.
Why it’s used:
To define who can access what AWS resources and how. IAM is the first line of defence in cloud security.
Use Cases:
- Enforcing least privilege
- Multi-Factor Authentication (MFA)
- Role assumption (temporary access for EC2, Lambda, etc.)
🔐 2. KMS (Key Management Service)
What it is:
A managed service to create, manage, and rotate encryption keys.
Why it’s used:
To encrypt data at rest and in transit across AWS services using FIPS 140-2 compliant keys.
Use Cases:
- S3 bucket encryption
- EBS volume encryption
- Encrypting secrets in Lambda or RDS
🔍 3. Amazon GuardDuty
What it is:
A threat detection service that uses ML and anomaly detection.
Why it’s used:
To detect malicious activity like crypto mining, port scanning, or unusual API calls.
Use Cases:
- Alerting on compromised IAM credentials
- Flagging suspicious EC2 traffic
- Detecting brute-force login attempts
🧠 4. AWS Security Hub
What it is:
A central dashboard to view and manage security alerts and compliance findings.
Why it’s used:
To aggregate findings from services like GuardDuty, Macie, and Inspector—and map them to CIS, PCI DSS, etc.
Use Cases:
- Continuous compliance monitoring
- Unified security posture view
- Integration with SIEM and SOAR tools
🔐 5. AWS Config
What it is:
A service that tracks resource configurations and changes over time.
Why it’s used:
To monitor configuration drift, support audits, and enforce security baselines.
Use Cases:
- Alert on open S3 buckets
- Detect non-compliant security group rules
- Show history of changes for IR
🔍 6. Amazon Inspector
What it is:
An automated vulnerability assessment tool.
Why it’s used:
To scan EC2 instances, ECR container images, and Lambda functions for CVEs and security issues.
Use Cases:
- CI/CD vulnerability scanning
- Risk assessments for EC2 workloads
- Monitor patching status
🔐 7. AWS WAF (Web Application Firewall)
What it is:
A managed firewall for web applications.
Why it’s used:
To filter traffic at the edge before it reaches apps—based on IP, geo, headers, or payload.
Use Cases:
- Block SQL injection and XSS
- Mitigate OWASP Top 10 attacks
- Protect CloudFront, ALB, API Gateway
🧰 8. AWS Shield & Shield Advanced
What it is:
DDoS protection services at the network and app layers.
Why it’s used:
To provide always-on mitigation against volumetric, state-exhaustion, and app-layer attacks.
Use Cases:
- Protect public-facing endpoints
- Real-time incident response with AWS SOC (Shield Advanced)
- Automated mitigation of DDoS attacks
🔐 9. AWS Secrets Manager
What it is:
A managed service to store and rotate secrets securely.
Why it’s used:
To manage passwords, tokens, and API keys without hardcoding them into apps.
Use Cases:
- Auto-rotate RDS credentials
- Secure access tokens for APIs
- Environment variable management
🔐 10. AWS CloudTrail
What it is:
A service that logs all AWS API calls.
Why it’s used:
For audit trails, forensic analysis, and compliance tracking.
Use Cases:
- Identify the source of a breach
- Monitor IAM activity
- Validate changes during an incident review
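Added example (not from the original post): a small triage pass over constructed CloudTrail records that tags the three things an incident responder checks first, root usage, console logins without MFA, and API calls that blind the trail or mint new credentials. The event shapes follow the CloudTrail record format, but the records themselves, the IPs and the user names are made up.

```python
"""Tag high-risk CloudTrail records: root use, console login without MFA,
and API calls that weaken logging or widen IAM access."""

# Constructed sample records (not real account data); only the fields the
# checks below read are included.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "10.0.0.5"},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.9"},
]

# Calls worth a dedicated alert because they blind the audit trail or
# create new long-lived credentials.
SENSITIVE_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                          "AttachUserPolicy", "PutUserPolicy"},
}

def classify(event):
    """Return the alert tags that apply to one record (empty list if benign)."""
    tags = []
    if event.get("userIdentity", {}).get("type") == "Root":
        tags.append("root-activity")
    mfa = event.get("additionalEventData", {}).get("MFAUsed")
    if event.get("eventName") == "ConsoleLogin" and mfa != "Yes":
        tags.append("console-login-without-mfa")
    if event.get("eventName") in SENSITIVE_CALLS.get(event.get("eventSource"), ()):
        tags.append("sensitive-api-call")
    return tags

def triage(events):
    """Group alerting records by (eventName, sourceIPAddress) for the IR timeline."""
    alerts = {}
    for e in events:
        tags = classify(e)
        if tags:
            alerts[(e["eventName"], e["sourceIPAddress"])] = tags
    return alerts
```

In a real trail the records sit under a top-level "Records" key in each delivered JSON file; the same classify() applies to each element.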
🔎 11. Amazon Macie
What it is:
A tool that uses ML to discover and classify sensitive data like PII.
Why it’s used:
To prevent accidental exposure of personal or regulated data in S3 buckets.
Use Cases:
- Detect PII or credit card data in S3
- Automate alerts for open buckets with sensitive content
- Support GDPR or HIPAA audits
☁️ 12. VPC Flow Logs
What it is:
Logs of IP traffic flowing in and out of network interfaces.
Why it’s used:
For network visibility, threat detection, and incident response.
Use Cases:
- Detect exfiltration attempts
- Alert on unusual egress patterns
- Validate firewall rule effectiveness
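Added example (not from the original post): parsing VPC Flow Log records in the default format and summing ACCEPTed bytes from each internal host to external addresses, which is the basic building block behind the "unusual egress" use case above. The records are constructed, and the code assumes the VPC uses RFC 1918 address space.

```python
"""Flag internal hosts moving unusual volumes of data to external addresses,
from VPC Flow Log records in the default format."""
import ipaddress
from collections import defaultdict

# Constructed records (not from a real VPC). Default format, space-separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.2.15 44321 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 203.0.113.50 51000 443 6 40000 52000000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 203.0.113.50 51001 443 6 38000 49000000 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0f9e8d7c 10.0.1.30 198.51.100.8 55123 22 6 6 360 1700000000 1700000060 REJECT OK
2 111122223333 eni-0f9e8d7c 10.0.1.30 198.51.100.9 55124 443 6 15 2400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0f9e8d7c - - - - - - - 1700000060 1700000120 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: the VPC uses RFC 1918 space, so anything else is "external".
# ipaddress.is_private is deliberately not used: it also counts the
# documentation ranges (203.0.113.0/24 etc.) in this sample as private.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse(text):
    """Yield one dict per record; NODATA/SKIPDATA rows carry '-' fields and are skipped."""
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("log_status") == "OK":
            yield rec

def egress_by_source(text):
    """Sum ACCEPTed bytes from each internal source to external destinations."""
    totals = defaultdict(int)
    for rec in parse(text):
        if (rec["action"] == "ACCEPT" and is_internal(rec["srcaddr"])
                and not is_internal(rec["dstaddr"])):
            totals[rec["srcaddr"]] += int(rec["bytes"])
    return dict(totals)

def flag_egress(text, threshold_bytes=50_000_000):
    """Sources whose external egress in the window exceeds the threshold."""
    return sorted(src for src, b in egress_by_source(text).items() if b > threshold_bytes)
```

A fixed byte threshold is only a starting point; in production the comparison is against each host's own baseline, and REJECT records are kept for a separate port-scan view.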
📦 13. Amazon S3 Bucket Policies & ACLs
What it is:
Access control mechanisms for S3 object storage.
Why it’s used:
To enforce who can read, write, or delete objects—with granular control.
Use Cases:
- Prevent public access
- Enable cross-account access with least privilege
- Log access attempts for sensitive data
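Added example (not from the original post) serving both the IAM section above and this one: a linter that reads an identity policy and a bucket policy and reports the grants that break least privilege, such as a full admin wildcard, a whole service on every resource, a public Principal "*" with no Condition, and IAM/KMS write actions that do not require MFA. Both policy documents are constructed; the bucket name and account ID are placeholders.

```python
"""Lint identity and bucket policies for the over-broad grants this page warns about."""
import json

IDENTITY_POLICY = {  # constructed: attached to a developer role
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs-example/*"},
    ],
}
BUCKET_POLICY = {  # constructed: the first statement makes every object world-readable
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs-example/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/auditor"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs-example/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
}

READ_ONLY_PREFIXES = ("Get", "List", "Describe")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(doc):
    """Return (statement index, finding code) for each risky Allow statement."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        cond = st.get("Condition", {})
        # Identity policies: full admin, or a whole service on every resource
        if "*" in actions and "*" in resources:
            findings.append((i, "admin-wildcard"))
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wildcard"))
        # Resource policies: Principal "*" with no Condition is public access
        if st.get("Principal") in ("*", {"AWS": "*"}) and not cond:
            findings.append((i, "public-principal"))
        # IAM/KMS write actions should at least require MFA
        writes = [a for a in actions if a.startswith(("iam:", "kms:"))
                  and not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]
        if writes and "aws:MultiFactorAuthPresent" not in json.dumps(cond):
            findings.append((i, "missing-mfa-condition"))
    return findings
```

Account-level S3 Block Public Access, when enabled, overrides a public bucket policy like the first statement above, so the linter finding and the account setting should be read together.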
🔄 14. AWS Organizations & SCPs
What it is:
A management structure for multiple AWS accounts and Service Control Policies.
Why it’s used:
To centrally govern security controls across accounts.
Use Cases:
- Block unsupported regions or services
- Enforce encryption policies org-wide
- Isolate dev/test/prod with delegated access
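Added example (not from the original post): a simplified evaluator for the two SCP patterns listed above, a region restriction that exempts global services, and an org-wide block on unencrypted EBS volumes. The SCP document is constructed (it follows the AWS-documented NotAction plus aws:RequestedRegion shape), and the evaluator only implements the StringEquals, StringNotEquals and Bool operators.

```python
"""Decide whether an SCP Deny statement blocks a request (simplified evaluator)."""
from fnmatch import fnmatch

# Constructed SCP: deny every action outside approved regions except global
# services (which have no region), and deny creating unencrypted EBS volumes.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                       "route53:*", "support:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
        {"Sid": "DenyUnencryptedVolumes", "Effect": "Deny",
         "Action": "ec2:CreateVolume", "Resource": "*",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(st, action):
    """Action entries are glob patterns; NotAction means 'everything except these'."""
    if "Action" in st:
        return any(fnmatch(action, p) for p in _as_list(st["Action"]))
    return not any(fnmatch(action, p) for p in _as_list(st["NotAction"]))

def _condition_holds(cond, ctx):
    """AWS rule worth remembering: a negated operator (StringNotEquals) is
    true when the key is absent, a plain one is false."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have, want = ctx.get(key), [str(w) for w in _as_list(want)]
            if op == "StringEquals":
                ok = have is not None and have in want
            elif op == "StringNotEquals":
                ok = have is None or have not in want
            elif op == "Bool":
                ok = have is not None and str(have).lower() == want[0].lower()
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def denied_by(scp, action, ctx):
    """Sids of Deny statements whose action and conditions match the request."""
    return [st["Sid"] for st in scp["Statement"]
            if st["Effect"] == "Deny" and _action_matches(st, action)
            and _condition_holds(st.get("Condition", {}), ctx)]
```

SCPs never grant permissions and do not apply to the management account, so this check only describes the ceiling for member accounts.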
🔐 15. Amazon Detective
What it is:
A tool that helps visualise and investigate suspicious activity.
Why it’s used:
To accelerate security incident analysis using graph-based views built from CloudTrail, GuardDuty findings, and VPC Flow Logs.
Use Cases:
- Investigate IAM anomalies
- Map related resources during an attack
- Timeline-based forensic analysis
✅ Summary Table
AWS Service | Security Purpose | Common Use Case |
---|---|---|
IAM | Identity and access control | Role-based policies, MFA |
KMS | Encryption key management | S3, EBS, RDS encryption |
GuardDuty | Threat detection | Brute force, crypto mining alerts |
Security Hub | Unified security dashboard | Compliance visibility (CIS, PCI, etc.) |
AWS Config | Resource compliance tracking | Alert on insecure S3 buckets or changes |
Inspector | Vulnerability management | CVE scans for EC2, ECR, Lambda |
WAF | Web application protection | Block OWASP Top 10 |
Shield / Shield Advanced | DDoS protection | L3/L7 attack mitigation |
Secrets Manager | Secure credential storage | Auto-rotate DB credentials |
CloudTrail | Audit log of API activity | Forensics, IR, compliance logs |
Macie | Sensitive data detection | Identify PII, alert on exposure |
VPC Flow Logs | Network traffic monitoring | Anomaly detection, IR |
S3 Bucket Policies | Data access control | Block public access, enforce encryption |
AWS Organizations/SCPs | Multi-account governance | Enforce global security rules |
Detective | Forensic investigation tool | Deep dive into security events |