Chapter 9 of 20
Protecting Data and Workloads: Core Security Services and Best Practices
See how encryption, network controls, and monitoring services work together to protect your data and applications running on AWS.
Big Picture: Protecting Data and Workloads on AWS
Three Security Pillars
You will connect three pillars, data protection, network controls, and monitoring/incident detection, to protect AWS workloads.
Shared Responsibility Reminder
You focus on the customer side of the line: using AWS services correctly under the rule that security and compliance are shared responsibilities between AWS and the customer.
Exam-Level Focus
For Cloud Practitioner, you must recognize the main services and concepts, and understand who is responsible for what, not every low-level setting.
Prevent, Detect, Respond
Use a simple model: Prevent (encrypt, lock networks), Detect (log, monitor), Respond (investigate, fix).
Architecture Reasoning
Goal: look at a simple AWS architecture and explain where data lives, how it is protected, which network controls apply, and what logs and alerts exist.
Data Protection Basics: At Rest vs In Transit
Data at Rest
Data at rest is stored data: S3 objects, EBS volumes, RDS storage, backups. Protection usually means encrypting it on disk.
Data in Transit
Data in transit is data moving over networks: browser to load balancer, app to database, services over VPC links, usually protected with TLS.
Customer Decisions
You decide where and when to enable encryption. AWS provides features, but you configure them to match your risk and compliance needs.
KMS as a Common Pattern
Many AWS services integrate with AWS Key Management Service (AWS KMS) to manage encryption keys for both data at rest and in transit.
Encrypting Data at Rest: S3, EBS, RDS and KMS
AWS KMS Overview
AWS KMS is a managed service to create, store, and control cryptographic keys, often backing encryption for S3, EBS, and RDS.
S3 Server-Side Encryption
S3 supports server-side encryption (SSE), including SSE-S3 (S3-managed keys) and SSE-KMS (KMS keys). You can set default bucket encryption.
EBS Encryption
EBS volumes can be encrypted at creation. Encryption covers the volume, its snapshots, and traffic between EC2 and the volume.
RDS Encryption
RDS encryption is chosen at DB creation and protects storage, backups, same-Region read replicas, and snapshots using KMS keys.
Transparent to Apps
For the exam: enabling these at-rest encryption options is usually transparent to your application code.
Example Walkthrough: Enforcing S3 Default Encryption
Scenario Setup
Your university stores student lab results in S3. Policy: all lab data must be encrypted at rest with KMS.
Step 1: Pick a KMS Key
Use a customer managed KMS key, for example `alias/lab-data-key`, so the security team controls rotation and access.
Step 2: Bucket Default Encryption
On bucket `uni-lab-results-prod`, enable default encryption with SSE-KMS and select `alias/lab-data-key`.
Step 3: Key Access Control
In the KMS key policy, allow the app role to encrypt/decrypt, and avoid giving broad `kms:*` permissions to many users.
Step 4: Governance Guardrail
Use a rule (for example AWS Config) to detect buckets without default encryption and mark them non-compliant.
Exam Angle
If asked how to ensure all new objects are encrypted with a specific KMS key, the best answer is default SSE-KMS on the bucket.
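As an added example that is not part of the course, here is an offline Python check that mirrors Steps 2 to 4: it validates a bucket's default-encryption setting against the required key and flags over-broad `kms:*` grants in a key policy. The input shapes follow the real S3 GetBucketEncryption response and the KMS key policy document format; the account ID 111122223333, the app role name and the policy statements are constructed.

```python
# Added example (not course code): offline checks mirroring Steps 2-4. Bucket dict
# is shaped like the real S3 GetBucketEncryption response; the key policy is in the
# real KMS key policy format. Account ID 111122223333 and statements are constructed.
REQUIRED_KEY = "alias/lab-data-key"

def check_default_encryption(bucket_cfg, required_key=REQUIRED_KEY):
    """Return (compliant, reason) for one bucket's default-encryption config."""
    rules = bucket_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "no default encryption configured"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo != "aws:kms":  # SSE-S3 reports "AES256"; the policy demands a KMS key
        return False, f"default encryption is {algo or 'none'}, not SSE-KMS"
    if default.get("KMSMasterKeyID") != required_key:
        return False, f"wrong key: {default.get('KMSMasterKeyID')}"
    return True, "SSE-KMS with required key"

def broad_kms_statements(key_policy):
    """Sids of Allow statements granting kms:* to '*' or to several principals."""
    flagged = []
    for st in key_policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        aws = st.get("Principal", {})
        aws = aws if isinstance(aws, str) else aws.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if st.get("Effect") == "Allow" and "kms:*" in actions \
                and (aws == ["*"] or len(aws) > 1):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged

# Constructed inputs: one compliant bucket, one using SSE-S3, and a key policy
# with one correctly scoped app-role statement and one over-broad statement.
COMPLIANT_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": REQUIRED_KEY}}]}}
SSE_S3_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootPermissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*"},
    {"Sid": "AppRoleUse", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/lab-app-role"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*", "Action": "kms:*",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:user/alice",
                           "arn:aws:iam::111122223333:user/bob"]}}]}
```

The single-principal root statement is the standard one KMS adds to every key policy, so the check deliberately does not flag it.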
Protecting Data in Transit: TLS and AWS Service Integrations
TLS Basics
Data in transit is protected by encrypted connections, usually TLS. Think `https://` instead of `http://` for web endpoints.
ALB and Certificates
Application Load Balancers can terminate TLS using certificates from AWS Certificate Manager, handling HTTPS from clients.
CloudFront End-to-End
CloudFront can enforce HTTPS from viewers to edge and from edge to your origin, supporting end-to-end encryption.
Other Services
RDS supports TLS connections; PrivateLink and VPC endpoints keep traffic on AWS networks, often still layered with TLS.
Common Exam Trap
Encrypting EBS or using private subnets does not equal encrypting data in transit. That requires TLS or similar protocols.
Network-Level Security: VPC, Security Groups, and NACLs
VPC Overview
A VPC is your logically isolated network in AWS where you define subnets, routing, and gateways for your resources.
Security Groups
Security groups are stateful virtual firewalls on instances and ENIs. They use allow-only rules based on protocol, port, and source.
Typical SG Usage
Example: allow inbound HTTPS from the internet to a web server; allow DB access only from the app server’s security group.
Network ACLs
NACLs are subnet-level, stateless filters with numbered rules that can both allow and deny traffic.
SG vs NACL on Exams
Remember: SG = stateful, instance-level, allow-only. NACL = stateless, subnet-level, allow and deny.
Example Architecture: Securing a Simple 3-Tier Web App
3-Tier Setup
Public subnet: ALB. Private subnet A: EC2 app servers. Private subnet B: RDS database. Static files in an S3 bucket.
Network Security Groups
ALB SG: allow HTTP/HTTPS from internet. App SG: allow HTTP only from ALB SG. RDS SG: allow DB port only from App SG.
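The three-tier rules above, together with the stateful-versus-stateless distinction from the previous section, modelled as an added Python example that is not course code; the security group names, the MySQL port 3306 and the NACL rule numbers are assumptions.

```python
# Added example (not course code): a small model of stateful security groups versus
# stateless NACLs, using the slide's three-tier chain. SG names, the MySQL port 3306
# and the NACL rule numbers are assumptions; sources are "0.0.0.0/0" or an SG name.

SECURITY_GROUPS = {
    "alb-sg": {(80, "0.0.0.0/0"), (443, "0.0.0.0/0")},  # internet-facing
    "app-sg": {(80, "alb-sg")},                          # only from the ALB SG
    "rds-sg": {(3306, "app-sg")},                        # only from the app SG
}

def sg_permits_flow(sg_name, dst_port, source):
    """Stateful, allow-only: a request matching an inbound rule is allowed and the
    reply is allowed automatically; anything unmatched is implicitly denied."""
    rules = SECURITY_GROUPS[sg_name]
    return (dst_port, source) in rules or (dst_port, "0.0.0.0/0") in rules

# NACL rules: (number, direction, from_port, to_port, action). Evaluated lowest
# number first, first match wins, and an implicit final rule denies everything.
APP_SUBNET_NACL = [
    (100, "in", 80, 80, "allow"),
    (110, "in", 22, 22, "deny"),          # NACLs can deny explicitly; SGs cannot
    (100, "out", 1024, 65535, "allow"),   # ephemeral ports so replies can leave
]
NACL_NO_EPHEMERAL = [(100, "in", 80, 80, "allow")]  # forgot the return-traffic rule

def nacl_allows(rules, direction, port):
    """Stateless: each packet is judged on its own against the numbered rules."""
    for _number, rule_dir, lo, hi, action in sorted(rules):
        if rule_dir == direction and lo <= port <= hi:
            return action == "allow"
    return False

def nacl_permits_flow(rules, dst_port, client_ephemeral_port):
    """A request only succeeds if its reply packet is also allowed out."""
    return (nacl_allows(rules, "in", dst_port)
            and nacl_allows(rules, "out", client_ephemeral_port))

if __name__ == "__main__":
    print("ALB -> app:80:", sg_permits_flow("app-sg", 80, "alb-sg"))               # True
    print("internet -> app:80:", sg_permits_flow("app-sg", 80, "0.0.0.0/0"))       # False
    print("ALB -> db:3306 directly:", sg_permits_flow("rds-sg", 3306, "alb-sg"))   # False
    print("NACL with ephemeral rule:", nacl_permits_flow(APP_SUBNET_NACL, 80, 51000))  # True
    print("NACL without it:", nacl_permits_flow(NACL_NO_EPHEMERAL, 80, 51000))         # False
```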
Data-at-Rest Encryption
Enable SSE-KMS on S3, encrypt EBS volumes, and enable RDS storage encryption using KMS keys.
Data-in-Transit Encryption
Users connect to the ALB via HTTPS with an ACM certificate; the app may connect to RDS using TLS.
Monitoring Layer
Use VPC Flow Logs, AWS CloudTrail, and Amazon CloudWatch metrics/alarms to gain visibility into behavior and issues.
Exam Use
For questions about improving security, mentally check SGs, encryption at rest, TLS in transit, and logging/monitoring.
Logging, Monitoring, and Detection: CloudTrail, CloudWatch, GuardDuty
CloudTrail Purpose
AWS CloudTrail records API calls and console actions for auditing and investigations, such as who changed a security group.
CloudWatch Purpose
Amazon CloudWatch collects metrics and logs, and lets you set alarms on thresholds like CPU, errors, or custom metrics.
GuardDuty Purpose
Amazon GuardDuty is a managed threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs for suspicious activity.
Core Trio
For Cloud Practitioner, think of CloudTrail (who did what), CloudWatch (how the system behaves), GuardDuty (is anything suspicious).
Exam Distinction
CloudTrail is not for performance metrics; CloudWatch is not for auditing IAM changes. Match each service to the right use case.
Quick Check: Data Protection and Network Controls
Answer this question to test your understanding of encryption and network security basics.
A company runs a web application on EC2 behind an Application Load Balancer in a VPC. They must ensure that: 1) All data stored in S3 is encrypted at rest. 2) Only the Application Load Balancer can reach the EC2 instances. Which combination of actions best meets these requirements with minimal changes to the application code?
- Enable default SSE-KMS encryption on the S3 bucket and configure the EC2 security group to allow inbound HTTP/HTTPS only from the ALB security group.
- Encrypt the EBS volumes attached to the EC2 instances and move the EC2 instances into a private subnet.
- Use client-side encryption in the application before uploading to S3 and create a NACL that blocks all inbound traffic to the EC2 subnet.
- Enable HTTPS on the ALB and attach an IAM role to the EC2 instances that allows S3 access.
Answer: A) Enable default SSE-KMS encryption on the S3 bucket and configure the EC2 security group to allow inbound HTTP/HTTPS only from the ALB security group.
Option 1 directly addresses both requirements: default SSE-KMS on the S3 bucket ensures all stored objects are encrypted at rest, and the EC2 security group rule that only allows inbound traffic from the ALB security group ensures that only the load balancer can reach the instances. Option 2 encrypts EBS (not S3), and a private subnet does not by itself restrict access to the ALB alone. Option 3 requires application changes, and a NACL that blocks all inbound traffic would also block the ALB. Option 4 handles encryption in transit and access permissions but does not guarantee S3 encryption at rest or restrict EC2 access to the ALB only.
Quick Check: Monitoring and Detection
Test your understanding of logging and threat detection services.
Your security team wants to know **who** changed an IAM policy that suddenly grants broad S3 access, and they also want to automatically detect **suspicious API activity** in the future. Which AWS services should you rely on first?
- Amazon CloudWatch Logs for both the history and suspicious activity detection.
- AWS CloudTrail to review the change history and Amazon GuardDuty to detect suspicious API activity.
- Amazon GuardDuty for the history and AWS CloudTrail for future suspicious activity.
- VPC Flow Logs to see policy changes and Amazon CloudWatch to detect suspicious API calls.
Answer: B) AWS CloudTrail to review the change history and Amazon GuardDuty to detect suspicious API activity.
Use AWS CloudTrail to see who changed IAM policies and when, because it records API calls and console actions. Use Amazon GuardDuty to detect suspicious API activity going forward, as it continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs for threats. CloudWatch Logs and VPC Flow Logs do not directly answer 'who changed an IAM policy', and GuardDuty is not a historical configuration audit tool.
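Both audit questions on this page, who changed a security group (earlier section) and who changed an IAM policy (this quick check), are answered from CloudTrail records. The Python below is an added example, not course code: the event names and field names (`eventName`, `userIdentity.arn`, `requestParameters`) are CloudTrail's real ones, while the log file, its actors, the account ID 111122223333 and the security group ID are constructed.

```python
# Added example (not course code): answering "who changed it?" from CloudTrail
# records. Event and field names are CloudTrail's real ones; the log file, actors,
# account ID 111122223333 and the security group ID are constructed.
import json

# Real CloudTrail event names for the two audit questions the course raises.
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                    "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupEgress"}
IAM_POLICY_CHANGE_EVENTS = {"PutRolePolicy", "PutUserPolicy", "AttachRolePolicy",
                            "AttachUserPolicy", "CreatePolicyVersion"}

def who_changed(records, event_names):
    """Return (eventTime, actor ARN, eventName, target) for matching records,
    oldest first. The target is the group, role, user or policy in the request."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in event_names:
            continue
        params = rec.get("requestParameters") or {}
        target = (params.get("groupId") or params.get("roleName")
                  or params.get("userName") or params.get("policyArn") or "?")
        hits.append((rec["eventTime"], rec["userIdentity"]["arn"],
                     rec["eventName"], target))
    return sorted(hits)

# Constructed CloudTrail log file (same top-level {"Records": [...]} layout as the
# files CloudTrail delivers to S3), trimmed to the fields used above.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-02T09:14:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "lab-app-role", "policyName": "broad-s3-access"}},
    {"eventTime": "2024-05-02T08:50:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-05-02T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/lab-app-role/i-0abc"},
     "requestParameters": {"bucketName": "uni-lab-results-prod", "key": "r1.csv"}},
]})
RECORDS = json.loads(SAMPLE_TRAIL)["Records"]

if __name__ == "__main__":
    for hit in who_changed(RECORDS, IAM_POLICY_CHANGE_EVENTS | SG_CHANGE_EVENTS):
        print(*hit)
```

GuardDuty consumes the same CloudTrail stream for its managed detections; this query is the manual, historical lookup that the quick check assigns to CloudTrail.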
Thought Exercise: Spot the Weakest Link
Imagine this scenario and identify the weakest security link.
Scenario
A startup builds a simple photo-sharing site on AWS:
- Public S3 bucket stores user-uploaded photos.
- Static website hosting is enabled directly on the S3 bucket.
- Users upload photos via a web form that sends them straight to S3 using pre-signed URLs.
- The bucket has no default encryption configured.
- There is no CloudTrail trail configured, and no GuardDuty enabled.
Your task
- List two major security issues in this design.
- For each issue, write down one AWS feature that would help fix it.
Pause for a moment and think or jot down your answers.
Suggested answers (flip mentally and compare)
- Issue: Public S3 bucket exposes all user photos to the internet.
- Fix: Make the bucket private and serve content through Amazon CloudFront with an origin access control or origin access identity, or use S3 Block Public Access settings.
- Issue: Data at rest is not encrypted.
- Fix: Enable default SSE-S3 or SSE-KMS on the bucket.
- Issue: No visibility into who accessed or modified the bucket configuration.
- Fix: Enable AWS CloudTrail and store logs in a separate, locked-down S3 bucket.
- Issue: No automated threat detection.
- Fix: Turn on Amazon GuardDuty for the account and Region.
On the exam, when you see a scenario like this, look for: public buckets, missing encryption, and missing logging/detection as common weaknesses.
Key Term Review
Flip through these flashcards to reinforce the core services and concepts from this module.
- Data at rest
- Data stored on persistent media such as S3 objects, EBS volumes, RDS storage, backups, and snapshots. Typically protected by disk-level or service-level encryption.
- Data in transit
- Data moving over networks between clients and services or between services. Typically protected using encrypted protocols such as TLS (HTTPS).
- AWS Key Management Service (AWS KMS)
- A managed service that lets you create and control cryptographic keys used to encrypt data across many AWS services, including S3, EBS, and RDS.
- S3 server-side encryption (SSE)
- An S3 feature where AWS encrypts objects as it writes them to disks and decrypts them when accessed. Modes include SSE-S3 (S3-managed keys) and SSE-KMS (KMS-managed keys).
- Security group
- A stateful virtual firewall attached to EC2 instances, ENIs, and some managed services. Uses allow-only rules based on protocol, port, and source.
- Network ACL (NACL)
- A stateless, subnet-level network filter with numbered rules that can both allow and deny traffic. Return traffic must be explicitly allowed.
- AWS CloudTrail
- A service that records AWS API calls and console actions, providing an audit trail of who did what and when in your AWS accounts.
- Amazon CloudWatch
- A monitoring service for AWS resources and applications that collects metrics and logs and lets you create alarms and dashboards.
- Amazon GuardDuty
- A managed threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs to identify suspicious or malicious activity in your AWS environment.
- Default bucket encryption
- An S3 configuration that automatically applies server-side encryption to all new objects in a bucket, even if the uploader does not specify encryption.