< All Topics

AWS Essentials

Posted
Updated
Author -Rajkumar Aute
Views90

By reading these notes, you will gain knowledge tailored to your role, whether you are a beginner or practitioner focusing on AWS Cloud technology foundations.

Note – This page contains a complete summary of the topics. To learn more about each topic, click on the (Expand)Topic-HeadingImage, or ‘Click Here’ hyperlink.

Before reading this document, please read Cloud Technology Essentials.

AWS is like a giant digital supermarket. You can “rent” everything from computers (EC2) and storage (S3) to databases (RDS). However, in DevSecOps, we don’t just want to “use” these services; we want to use them safely.

Shared Responsibility Model

Every DevSecOps engineer must understand this:

  • AWS is responsible for the Security “OF” the Cloud (Physical servers, data centers, hardware).
  • YOU are responsible for Security “IN” the Cloud (Your data, OS patching, firewall settings, IAM).

AWS Cloud Services – Category wise

Compute Services (Secure Processing)

In the world of DevSecOps, Compute is where your code actually “lives” and “runs.” If your compute layer is weak, a hacker can take control of your entire application. Instead of just looking at these as “servers,” look at them as Security Boundaries. Our goal is to ensure that:

  1. Every action is recorded and monitored (Auditability).
  2. No server is left unpatched (Automation).
  3. No code has more power than it needs (Least Privilege).
ServiceShort NotesDevSecOps Perspective
EC2EC2: IaaS where you control the OS; AWS handles the hardware.
Instance Types: Always pick Nitro (latest gens) for hardware-enforced isolation.
AMI: Hardened, pre-scanned “Golden” blueprints for Immutable Infrastructure.
Storage: Encrypt everything (EBS/EFS) by default using KMS keys.
Lifecycle: Stop/Hibernate to preserve forensic evidence; never terminate a hacked server.
Networking: Use Private IPs and hide backends behind NAT Gateways.
SG vs. NACL: SG (Stateful Scalpel) at the door; NACL (Stateless Shield) at the gate.
Access: Kill SSH/RDP; use SSM Session Manager for no-port audited access.
Patching: Automate with SSM Patch Manager; treat servers as “Cattle,” not “Pets.”
Bootstrap: Use User Data for setup and IMDSv2 to prevent credential theft.
Monitoring: Use CloudWatch Agent for RAM/Logs and automated threat response.
Pricing: Use Spot for CI/CD and Dedicated Hosts for physical compliance.
Hypervisor: Nitro is the modern “Guard-less” vault; Xen is the legacy “Manager” model.		Patching & Hardening: Use Systems Manager (SSM) to automate security patches. Always enforce IMDSv2 to prevent metadata theft.
Auto ScalingASG & Launch Templates: Use a Smart Manager (ASG) and an Instruction Manual (Launch Template) to scale resources, using Lifecycle Hooks to audit instances before they are deleted.Availability as Security: Prevents “Denial of Service” (DoS) by ensuring your app stays up during traffic spikes or attacks.
Lambda A “coding machine on rent” where you pay only for active milliseconds while AWS manages all servers.
Serverless: Instantly scales from zero to millions of requests without manual patching or idle costs.
Execution: Runs on Firecracker MicroVMs through a lifecycle of Download, Setup, Init, Run, and Shutdown.
Statelessness: Functions are ephemeral; use S3, DynamoDB, or EFS for any persistent data storage.
Languages: Supports Python, Node.js, Java, Go, Ruby, C#, and PowerShell, plus custom languages via Runtime API.
Starts: Cold starts cause initial setup delays; Provisioned Concurrency keeps functions “warm” and hyper-ready.
Power: You choose memory (up to 10GB); AWS automatically scales CPU power proportionally.
Quotas: Maximum 15-minute timeout, 6MB payload, and 250MB unzipped code packages.
Scaling: Exceeding account concurrency triggers 429 errors; protect critical functions with Reserved Concurrency.
DB Stress: Use RDS Proxy to manage high-volume connection pooling from scaling functions.		Smallest Attack Surface: No OS to hack! But you must use Code Signing to ensure only “trusted” code is deployed.
Elastic BeanstalkAutomates server setup (EC2, ELB, ASG) so you only worry about your code.
Architecture: Decouple your database (RDS outside) to prevent accidental data loss.
Tiers: Web Tier for APIs/Websites; Worker Tier for background tasks via SQS.
Deployments: Use Immutable for production to ensure “clean” servers and zero downtime.
Config (IaC): Use .ebextensions to fix security settings in code, not via manual clicks.
Health: Enable Enhanced Health to track real-time CPU, memory, and HTTP errors.
Lifecycle: Auto-delete old app versions to avoid S3 storage limits and costs.
Use Case: Perfect for small-to-mid teams who need Speed + Security without a big DevOps team.		Guardrail Management: Great for beginners, but ensure you monitor the underlying Security Groups created by Beanstalk.
ECSManaged Docker containers.Image Integrity: Use Amazon Inspector to scan container images for vulnerabilities before they ever reach production.
EKSManaged Kubernetes.Cluster Hardening: Use IAM Roles for Service Accounts (IRSA) so your pods don’t use the node’s permissions.
FargateServerless containers.Runtime Protection: Enable GuardDuty Runtime Monitoring (new for 2025) to detect if a container starts behaving strangely.
LightsailSimple VPS for small apps.Easy Perimeter: Good for small tasks, but lacks the advanced VPC security controls needed for large enterprise apps.
App RunnerQuick web/container deploy.Private Connectivity: Connect it to your VPC using Private Endpoints so your internal data never travels over the public internet.
BatchAutomated batch jobs.Ephemeral Security: Ensure that any temporary data stored during the job is encrypted at rest using AWS KMS.
Serverless App RepoReady-made serverless apps.Trust & Verify: Before deploying an app from the repo, always audit the Resource-Based Policies it creates.
OutpostsAWS hardware in your DC.Physical Security: Since it sits in your office, you are responsible for the physical locks and keys protecting the hardware.
Local ZonesLow-latency compute.Data Residency: Use these to keep sensitive data within specific geographic borders for compliance (like GDPR or RBI rules).
WavelengthCompute inside 5G networks.Edge Defense: Critical for IoT security. Focus on encrypting traffic from the mobile device directly to the Wavelength zone.
Snowball EdgeCompute on physical devices.Hardware Encryption: Uses the Nitro Security Key to ensure data is unreadable if the device is stolen during transport.
  1. Shifting Security “Left” in Compute
    • Don’t wait for the server to be running to check for security. Use Infrastructure as Code (IaC) templates (like Terraform or CloudFormation) and scan them for open ports (like port 22 or 3389) before they are even deployed.
  2. The “Golden Image” Strategy
    • Instead of fixing servers one by one, DevSecOps gurus use EC2 Image Builder to create “Golden Images.” These are pre-secured, pre-patched OS images that every team must use. This ensures a standard security baseline across the whole company.
  3. Vulnerability Management
    • manual scanning is dead. Security must be continuous. Amazon Inspector is your primary tool for automated vulnerability management.
      • Always-On: Automatically scans EC2 instances, Lambda functions, and ECR container images the moment they are created or updated.
      • Network Reachability: Detects if a server is accidentally exposed to the public internet.
      • CVE Detection: Identifies software vulnerabilities (Common Vulnerabilities and Exposures) in your OS and application libraries.

2. Storage Services – Data Protection & Integrity

In DevSecOps, storage is not just a “folder” to keep files. It is the most targeted area for data breaches. A single misconfigured S3 bucket can lead to a global scandal. We follow the “Data-at-Rest Encryption” and “Zero Trust” principles here.

ServiceShort NotesDevSecOps Perspective
S3Unlimited Object Storage.The Perimeter: Always enable Block Public Access at the account level. Use Versioning and MFA Delete to prevent accidental or malicious data loss.
S3 GlacierLong-term archive storage.Compliance Power: Use Vault Lock to make archives immutable (cannot be deleted), which is a requirement for many financial and legal audits.
EBSBlock storage for EC2.Encryption by Default: Turn on the account-level setting to ensure every new volume is encrypted with KMS. Never leave volumes unencrypted.
EFSShared file system for Linux.Network Isolation: Use IAM Access Points to control which applications can access specific folders, and always enforce Encryption in Transit.
FSx (Windows/Lustre)High-performance file servers.Managed Security: For Windows, it integrates with Active Directory, allowing you to apply familiar NTFS permissions in the cloud.
Storage GatewayHybrid cloud storage.Secure Bridge: Encrypts data before it leaves your on-prem data center to go to AWS, ensuring a secure “Handshake.”
AWS BackupCentralized backup service.Governance: Use AWS Backup Vault Lock to prevent even the ‘Root User’ from deleting backups—essential protection against Ransomware.
Snowball / SnowmobilePhysical data transfer.Anti-Tamper: Uses TPM (Trusted Platform Module) and Nitro security chips to ensure data is wiped if the device is physically tampered with.
DataSyncAutomated data transfer.Automated Integrity: Automatically performs checksums to ensure that the data copied to AWS is 100% identical to the source (no data corruption).
  1. S3 Bucket Policies vs. IAM Policies
    • As a Guru, you must know the difference. IAM Policies say “Who can do what,” but S3 Bucket Policies say “Who can access this specific bucket.” Always use both for a “Double-Lock” security system.
  2. Macie: The “PII” Scanner
    • Mention Amazon Macie in your storage notes. It uses Machine Learning to scan your S3 buckets and find “Sensitive Data” like Credit Card numbers or Aadhaar details that developers might have accidentally uploaded.
  3. Object Lock (WORM)
    • WORM (Write Once, Read Many) model. Once you “Lock” a file in S3 with Object Lock, nobody (not even a hacker with admin access) can delete it until the timer expires. This is the ultimate defense against data-wiping attacks.

3. Database Services – Secure Data Management

In DevSecOps, we follow the principle of “Least Privilege” for database access. We move away from “Master User” passwords and towards IAM-based authentication and Automated Secret Rotation.

ServiceShort NotesDevSecOps Perspective
RDSManaged SQL (MySQL, Postgres, Oracle).Zero-Credential Goal: Use IAM Database Authentication so your applications connect using IAM tokens instead of hardcoded passwords.
AuroraCloud-native SQL (High Speed).High Availability = Security: Distributed storage ensures data isn’t lost during an attack or failure. Use Database Activity Streams to monitor for SQL injections in real-time.
DynamoDBFast, Serverless NoSQL.Fine-Grained Access: Use IAM Policy Conditions to restrict access to specific rows or attributes in a table based on the user’s identity.
ElastiCacheRedis/Memcached (Speed).In-Memory Security: Always enable AUTH tokens (Redis) and Encryption in Transit (TLS) to prevent hackers from “sniffing” sensitive data stored in the cache.
NeptuneGraph DB for relationships.Relationship Privacy: Since Graph DBs store connections (like “Who knows Who”), ensure the VPC Security Groups are extremely tight to prevent metadata leaks.
DocumentDBManaged MongoDB.Audit Ready: Enable JSON-based auditing to track exactly who modified which document—a mandatory requirement for HIPAA/PCI compliance.
KeyspacesManaged Cassandra.Serverless Compliance: Because it’s serverless, you don’t manage the OS. Focus 100% on KMS encryption and VPC Endpoints for private traffic.
TimestreamTime-series for IoT/Metrics.Tamper-Proof Metrics: Use this for security logging. Once data is written, it’s hard to alter, making it great for tracking security events over time.
QLDBLedger with immutable history.The “Truth” Database: Every change is cryptographically chained. If a hacker tries to delete a record, the “Digest” will fail. Perfect for Audit Logs.
Glue Data CatalogMetadata Store.Catalog Guardrails: Use AWS Lake Formation on top of Glue to define granular permissions (e.g., “User A can see Table 1, but cannot see the Salary column”).
  1. The “Passwordless” Future (IAM Auth) – Most beginners use a username and password to connect to RDS. A DevSecOps Guru uses IAM Roles. This means:
    • No passwords to leak in the code.
    • Access is temporary (15-minute tokens).
    • Permission is managed centrally in IAM.
  2. Secrets Manager Integration – Explain that AWS Secrets Manager is the “Vault” for your database.
    • Auto-Rotation: It can automatically change your RDS password every 30 days without you doing anything.
    • Application-Friendly: Your application just asks Secrets Manager, “Give me the current password,” so the app never breaks when the password changes.
  3. VPC Security Groups for Databases – Never, ever make a database publicly accessible.
    • Place your RDS/Aurora in Private Subnets.
    • Configure the Security Group to only allow traffic from your Application’s Security Group (this is called “Referencing Security Groups”).
  4. Database Activity Streams (DAS) – For sensitive databases (like Finance or Health), mention DAS. It sends a real-time stream of all database activity to Kinesis. Security teams use this to detect abnormal “SELECT *” queries that look like a data exfiltration attempt.
  5. Compliance as Code – Use AWS Config Rules (like rds-storage-encrypted) to automatically check if every database in your account has encryption turned on. If it’s not encrypted, Config can notify the security team immediately.”

4. Networking & Content Delivery – The Secure Perimeter

For a DevSecOps Guru, the network is not just a “pipe” for data; it is the Perimeter Defense. In 2025, networking has shifted from simple connectivity to “Identity-Aware Networking” and “Zero Trust Architecture.”

In DevSecOps, we follow the “Deny by Default” rule. We use the network to isolate workloads so that even if one server is hacked, the attacker cannot move “East-West” to other parts of your infrastructure.

ServiceShort NotesDevSecOps Perspective
VPCYour private network.Isolation: Use separate VPCs for Prod, Dev, and Security. Enforce VPC Flow Logs to capture every “Accept” and “Reject” for security auditing.
VPC PeeringConnects two VPCs.Point-to-Point Security: Good for simple setups, but lacks central control. Ensure Security Groups on both sides are tightly restricted to specific IPs.
VPC LatticeMicroservices networking.Zero Trust at Scale: (2025 Essential) Simplifies service-to-service security using IAM Auth Policies. It handles the “Auth” and “TLS” automatically for your microservices.
Transit GatewayCentral Network Hub.Traffic Inspection: Use this as a “Security Hub” to route all Inter-VPC traffic through a Centralized Firewall VPC for deep packet inspection.
PrivateLinkPrivate service access.No Public Internet: Access AWS services (like S3 or Kinesis) without an Internet Gateway. This completely removes the “Public Attack Surface.”
Route 53DNS & Traffic Routing.DNS Security (DNSSEC): Enable DNSSEC to prevent “DNS Spoofing” attacks. Use Query Logging to detect if a hacked server is communicating with a malicious domain.
CloudFrontGlobal CDN.Edge Defense: Use Origin Access Control (OAC) so your S3 buckets only talk to CloudFront. Integrate with AWS WAF to block bots at the edge.
Global AcceleratorGlobal traffic optimizer.IP Obfuscation: Provides two static IPs, hiding your backend ALB/EC2 IP addresses from the public, making it harder for hackers to target your origin directly.
API GatewayAPI Management.Rate Limiting & Throttling: Protects your backend from “DDoS by App” by limiting how many requests a single user can make. Supports mTLS for strict client security.
Direct ConnectDedicated private line.Consistent Security: Bypasses the public internet entirely for hybrid setups. Use MACsec encryption (Layer 2) for ultra-secure hardware-level data transit.
Load Balancer (ALB/NLB)Distributes traffic.SSL Termination: Offload your SSL/TLS management to the ALB using AWS Certificate Manager (ACM) for automated 90-day certificate rotations.
App MeshService Mesh (Envoy).Observability: Provides deep visibility into service-to-service communication. Essential for detecting “Anomalous Traffic” patterns in microservices.
VPNSecure tunnel via internet.Secure Hybrid Access: Use AWS Client VPN with MFA for developers to access private resources safely from their home/office.
  1. Micro-Segmentation: – should not have one giant subnet. Instead, use Micro-segmentation:
    • Public Subnet: Only for Load Balancers and NAT Gateways.
    • Private Subnet: For App Servers (No public IP).
    • Data Subnet: For Databases (No internet access at all).
  2. Security Groups vs. NACLs
    • Security Groups (The Bouncer): Stateful. If you let a guest in, they can also leave. Operates at the Instance level.
    • NACLs (The Gate): Stateless. You must explicitly allow the guest to enter and explicitly allow them to leave. Operates at the Subnet level.
  3. VPC Flow Logs + Athena = Threat Hunting – A DevSecOps engineer doesn’t just “enable” logs; they analyze them.
  4. The “Security Hub” Pattern – For large companies, we use a Transit Gateway to send all traffic to a “Scanning VPC.” This VPC contains AWS Network Firewall or specialized appliances (like Palo Alto or Fortinet) to scan for viruses and malware inside the network packets.

5. Security, Identity & Compliance – The Shield & Guard

In DevSecOps, we move from “Manual Security” to “Security as Code.” We don’t wait for an audit to find a mistake; we use these tools to block mistakes before they happen.

ServiceBasic DefinitionDevSecOps “Guru” Perspective
IAMIdentity & Access Management.The Zero Trust Core: Use IAM Access Analyzer to find “Public” or “Cross-Account” access. Never use Root; always use MFA.
Identity Center (SSO)Single Sign-On for accounts.Centralized Control: Manage all your developers’ access from one place. Integrate with Okta or Azure AD to automate user joining/leaving.
CognitoApp login for users.Customer Security: Offload the risk of storing passwords. Use it for Social Login and built-in “Risk-based Adaptive Authentication.”
KMSEncryption Key management.The Master Key: Enforce Envelope Encryption. Every DevSecOps engineer must know how to write a “Key Policy” to prevent unauthorized data access.
Secrets ManagerStore passwords/API keys.Anti-Hardcoding: Use Automatic Rotation to change DB passwords every 30 days. No more “expired” or “leaked” passwords in Git.
Certificate ManagerSSL/TLS certificates.Encryption in Transit: Automates certificate renewal. No more “Website Not Secure” warnings that can cause downtime or SEO loss.
GuardDutyAI Threat Detection.The Security Eye: Detects if someone is using your account to mine Bitcoin or if a hacker is trying a “Brute Force” attack.
Security HubCentral Security Dashboard.The Command Center: Aggregates findings from all other tools. Use it to check your Compliance Score against CIS or PCI-DSS standards.
InspectorVulnerability Scanner.Continuous Scanning: (2025 Update) It now scans Lambda and Containers automatically. Catch CVEs in your code before hackers do.
WAFWeb Application Firewall.Bot Control: Use “Managed Rules” to stop common attacks like SQL Injection or Log4j exploits at the edge.
ShieldDDoS Protection.Availability Shield: Shield Standard is free. Shield Advanced is for massive companies that need a “DDoS Response Team” on call.
MacieFind sensitive data in S3.PII Privacy: Scans your buckets for Aadhaar cards, credit cards, or passwords. Helps you avoid heavy fines under data privacy laws.
DetectiveIncident Investigation.Forensics: If GuardDuty finds an alert, Detective helps you see the “Timeline” of how the hacker got in and what they touched.
ArtifactCompliance Reports.The Auditor’s Friend: Download AWS’s own ISO/SOC/PCI certificates to prove your cloud infrastructure is legally compliant.
Audit ManagerEvidence Collection.Audit Automation: Instead of manually searching for logs for a year-end audit, this tool collects evidence automatically every day.
  1. Identity-First Security – the Network Perimeter is gone. Identity is the new perimeter.
    • Role-Based Access Control (RBAC): Never give “AdministratorAccess” to a developer. Create custom roles for “ReadOnly” or “DeveloperAccess” with Permission Boundaries.
    • OIDC for CI/CD: When using GitHub Actions or GitLab, never use static IAM Access Keys. Use OIDC (OpenID Connect) to get temporary tokens for your pipeline.
  2. The “Automated Remediation” Cycle – Doesn’t just “detect” a problem; they “fix” it automatically.
    • If GuardDuty detects an EC2 instance talking to a malicious IP, it can trigger an EventBridge rule, which calls a Lambda function to automatically shut down that instance or change its Security Group. This is DevSecOps automation.
  3. Shift-Left Vulnerability Scanning
    • It scans ECR Images as soon as they are pushed.
    • It scans Lambda code for insecure libraries.
    • Integrate these findings into your CI/CD pipeline so the “Build Fails” if a critical vulnerability is found.
  4. Compliance-as-CodeAWS Security Hub plus AWS Config allows to stay “Always Compliant.” Instead of a manual audit once a year, get a “Security Score” every hour. If someone turns off S3 encryption, your score drops, and you get an alert.

6. Application Integration – The Secure Nervous System

ServiceBasic DefinitionDevSecOps “Guru” Perspective
SQSMessage queue between apps.Encryption & Isolation: Always use Server-Side Encryption (SSE) with KMS. Use Dead Letter Queues (DLQ) to isolate “poison pills” (malicious or corrupt messages) so they don’t crash your system.
SNSPush notifications (Email/SMS).Topic Privacy: Never use a wildcard * in your Access Policy. Use SNS Message Data Protection (2025 feature) to scan for PII (like mobile numbers) before sending notifications.
EventBridgeEvent router (The “Bus”).Security Automation: The heart of DevSecOps. Use it to route security alerts from GuardDuty to Lambda for Auto-Remediation. Use Schema Registry to ensure only “valid” event structures are allowed.
Step FunctionsServerless workflows.Visual Security Logic: Instead of complex code, use Step Functions to build “Security Playbooks” (e.g., Step 1: Quarantine Server, Step 2: Notify Admin, Step 3: Snapshot Disk). Use IAM Roles per State Machine.
AppFlowNo-code SaaS data transfer.SaaS Security: Move data between Salesforce/Slack and AWS without it ever touching the public internet. It uses PrivateLink to keep your company’s data safe during transit.
Amazon MQManaged ActiveMQ/RabbitMQ.Legacy Hardening: Used when migrating old apps. Ensure TLS/SSL is enforced for all client connections and use VPC Endpoints to hide the broker from the internet.
Step Functions (Distributed Map)Scaling workflows to millions.Governance at Scale: When processing millions of files (like logs), ensure you use Standardized Logging so you can audit every single iteration for security compliance.
  1. The “Poison Pill” Defense (SQS/SNS) – In a DevSecOps world, a hacker might send a “Malicious Message” designed to break your backend code.
    • Set up a Dead Letter Queue (DLQ). If a message fails to process 3 times, it is moved to the DLQ. then analyze it safely in a “Sandbox” environment to see if it was an attack attempt.
  2. EventBridge:
    • Real-time Remediation: If AWS Config detects an S3 bucket has become “Public,” it sends an event to EventBridge and triggers a Lambda function that immediately flips the bucket back to “Private.” This is called Self-Healing Infrastructure.
  3. SNS Data Protection – SNS now has Message Data Protection policies.
    • Set a policy that says: “If this message contains a Credit Card number or a PAN card number, block it from being sent to an Email or SMS endpoint.” This prevents accidental data leaks by developers.
  4. Step Functions for Incident Response – Instead of a human manually responding to a hack, build a Step Function Playbook.
    • Step 1: Revoke the compromised IAM user’s sessions.
    • Step 2: Attach a “Deny All” policy to the user.
    • Step 3: Send a message to the #security-alerts Slack channel.

7. Management, Monitoring & Governance

Management & Governance is about having Visibility and Control.

In DevSecOps, we use these tools to create Guardrails. Think of guardrails like the boundaries on a highway: they allow developers to drive fast (deploy code quickly) but prevent them from driving off the cliff (making a security mistake).

ServiceBasic DefinitionDevSecOps “Guru” Perspective
CloudWatchMetrics, logs, and alarms.Security Forensics: Use Logs Insights to query your application logs for “Hacking Patterns” (like 500 failed login attempts in 1 minute).
CloudTrailRecords every AWS API call.The “Truth” Machine: Records Who, What, Where, and When. If an S3 bucket is deleted, CloudTrail tells you exactly which user did it.
AWS ConfigTracks config changes.Compliance as Code: Automatically detects if someone opens Port 22 (SSH) to the world and can auto-remediate (close it) instantly.
Trusted AdvisorBest practice suggestions.Security Auditor: Flags critical issues like “MFA not enabled on Root Account” or “S3 buckets with public read access.”
OrganizationsManage multiple accounts.Policy Enforcement: Use Service Control Policies (SCPs) to block any account from ever disabling CloudTrail or GuardDuty.
Control TowerSecure Landing Zone.The Governance Hub: Automatically sets up a secure baseline for every new AWS account, ensuring they all follow the same security rules.
Well-Architected ToolBest practices check.The Exam Paper: Use the Security Pillar to find gaps in your architecture—like lack of encryption or missing incident response plans.
Service CatalogPre-approved IT services.Security-Approved Blueprints: Instead of letting devs create anything, give them “Hardened” templates that are already security-cleared.
License ManagerTrack software licenses.Compliance & Risk: Ensures you aren’t using unlicensed or “end-of-life” software that might have unpatched security vulnerabilities.
Cost Explorer / BudgetsAnalyze & alert on costs.Breach Detection: A sudden spike in cost (e.g., $1,000 in 1 hour) often means a hacker has hijacked your account for Crypto-mining.
Billing ConsoleBilling & cost management.Financial Visibility: Regular review of the bill helps identify “Shadow IT”—resources created by developers without security approval.
  1. The “Golden Rule” of CloudTrailCloudTrail must be turned on in ALL regions.
    • Use Log File Integrity Validation to ensure the hacker hasn’t modified the logs to hide their tracks.
  2. Service Control Policies (SCPs) – In a large company, you cannot trust everyone.
    • SCPs are “Super-Powers”: Even if a developer has “FullAdmin” access in their account, an SCP from the Organization level can stop them from deleting security logs. It is the ultimate “No-Go” zone.
  3. Real-time Security Alarms – Don’t wait for the monthly bill. Use CloudWatch Alarms linked to SNS:
  4. AWS Config Conformance Packs – Instead of checking rules one by one, use Conformance Packs. These are collections of AWS Config rules and remediation actions (e.g., “The PCI-DSS Pack”) that keep your entire cloud environment compliant with international security standards automatically.

8. DevOps, Developer Tools & IaC

In DevSecOps, the CI/CD pipeline is like an Automated Security Scanner. Every time a developer saves code, these tools should automatically check for passwords, vulnerabilities, and misconfigurations.

ServiceBasic DefinitionDevSecOps “Guru” Perspective
CodeCommitSecure Git repositories.No Leaks: Use Pre-commit hooks to prevent developers from accidentally pushing AWS keys or passwords into the repository.
CodeBuildCompiles & tests code.The Scanner: This is where you run SAST (Static Analysis) and SCA (Dependency scans) to find security flaws in your libraries.
CodeDeployAutomated deployments.Safe Rollouts: Use Blue/Green deployments to test the “Security Health” of a new version before shifting all users to it.
CodePipelineCI/CD automation.The Security Gate: Add Manual Approval gates and automated security tests between every stage of your release.
CodeStarProject management.Hardened Templates: Automatically sets up a CI/CD chain with best-practice IAM roles already configured.
CloudFormationInfrastructure as Code.Infrastructure Scanning: Use CloudFormation Guard to scan your templates for open ports or unencrypted disks before they are deployed.
CDKInfra via Python/JS.Logic-Based Security: Allows you to write “Security Compliance” directly into your code (e.g., a function that ensures all S3 buckets are private).
Cloud9Cloud-based IDE.Safe Environment: No need to store AWS credentials on your local laptop. Your coding environment stays inside the secure AWS VPC.
X-RayApp tracing/debugging.Attack Visibility: Helps you trace a “suspicious request” through your microservices to see exactly where a hack or error occurred.
Systems Manager (SSM)Server/Patch management.No SSH Needed: Use Session Manager to log into servers without opening Port 22. This completely removes a major entry point for hackers.
OpsWorksManaged Chef/Puppet.Compliance Automation: Use it to ensure every server in your fleet has the same security settings (e.g., “Firewall must be ON”).
ProtonMicroservice management.Golden Templates: Platform teams create “Secure Infrastructure Blueprints” that developers use to deploy their microservices safely.
  1. Static vs. Dynamic Scanning (SAST & DAST)
    • SAST (Static): Scans the source code inside CodeBuild. It looks for bad coding habits.
    • DAST (Dynamic): Scans the running application after CodeDeploy. It acts like a hacker trying to find open doors.
  2. SSM: The End of Bastion Hosts – In the old days, we used “Jump Boxes” or “Bastion Hosts” to access servers.
    • Use AWS Systems Manager Session Manager. It allows you to access your EC2 instances via the browser. You don’t need to manage SSH keys, and every command a developer types is logged in CloudTrail for auditing.
  3. Infrastructure as Code (IaC) Security
    • Never deploy a CloudFormation or CDK template without scanning it. Tools like Checkov or Tfsec can be integrated into CodeBuild to fail the build if a developer accidentally creates a “Public S3 Bucket.”
  4. Secret Management in Pipelines
    • Pull your sensitive keys from AWS Secrets Manager or SSM Parameter Store during the build phase. This way, your secrets never appear in your logs or your code repository.

Good to know services. Advance Services

9. Analytics, Big Data & ETL

ServiceBasic DefinitionDevSecOps “Guru” Perspective
AthenaQuery S3 data using SQL.The Auditor’s Secret Weapon: Use it to query millions of CloudTrail and VPC Flow Logs in seconds to find the “needle in the haystack” during a hack investigation.
GlueServerless ETL tool.Data PII Redaction: Use Glue jobs to automatically detect and “mask” (hide) sensitive info like Aadhaar or Credit Card numbers before the data enters the analytics pool.
Glue DataBrewNo-code data cleaning.Compliance Cleaning: Allows non-technical security teams to clean and prepare data for audits without writing complex code.
EMRBig Data (Hadoop/Spark).Transient Security: Use “Kerberos” and “Encryption at Rest” for Spark clusters. Always shut down clusters when finished to minimize the attack window.
RedshiftData Warehouse.Column-Level Security: Restrict access so that even if a user can see a table, they cannot see sensitive columns like “Passwords” or “SSN.”
QuickSightBusiness Dashboards.Security Visualization: Build real-time “Security Posture” dashboards to show your team’s compliance score or the number of blocked DDoS attacks.
Kinesis StreamsReal-time data streaming.Threat Hunting: Feed your system logs into a stream to detect “Live Attacks.” Always use KMS encryption to keep the moving data secret.
Kinesis FirehoseLoad streaming data.Immutable Storage: Use Firehose to dump security logs into an S3 bucket with “Object Lock” turned on, making them impossible for a hacker to delete.
Kinesis AnalyticsReal-time SQL analysis.Anomaly Detection: Write SQL queries that trigger an alarm the moment a user performs 1,000 “Access Denied” actions in 1 minute.
OpenSearchSearch & Analytics engine.Log Centralization: The standard way to store and search through logs (ELK Stack). Use Fine-grained access control to limit who can see which logs.
Data PipelineMove data on schedule.Legacy Security: Securely move data between on-prem and AWS. Ensure the IAM roles used have the absolute “Minimum Permissions” required.
Lake FormationSecure Data Lake builder.The Data Gatekeeper: Centrally manage permissions for your whole data lake. Instead of 100 S3 bucket policies, manage everything here in one place.

10. Machine Learning & AI

ServiceBasic DefinitionDevSecOps “Guru” Perspective
SageMakerBuild & deploy ML models.Threat Hunting: Train custom models on your VPC Flow Logs to find “Low and Slow” attacks that traditional firewalls miss.
BedrockManaged GenAI (Claude, Titan).Automated Incident Response: (2025 Trend) Use Bedrock to summarize complex GuardDuty alerts and generate “Step-by-Step” fixing instructions for developers.
LexBuild AI Chatbots.Security Bot: Build an internal Slack bot that allows developers to ask: “Is my S3 bucket public?” or “Reset my MFA” securely.
Polly / TranscribeSpeech-to-Text & Text-to-Speech.Vishing Defense: Use Transcribe to convert support call recordings to text and scan them for “Social Engineering” patterns or fraud.
ComprehendNatural Language Processing.Automatic PII Discovery: Scans logs and tickets to find “Hidden PII” (like Aadhaar numbers in a support chat) so you can redact them.
RekognitionImage & Video analysis.Physical & Digital Identity: Use it for “Face Match” in high-security apps or to scan uploaded user documents for fraudulent IDs.
TextractExtract text from docs.Secure Data Ingestion: Automatically read sensitive physical forms and move the data directly into an encrypted database, reducing human access to PII.
Lookout for MetricsDetects unusual changes.Breach Early Warning: Detects “Unusual Data Outbound” or a sudden spike in “Login Failures” that signals a targeted attack.
Lookout (Vision/Equip)Industrial AI.Physical Security: Use Vision to detect unauthorized persons in restricted server rooms or identify physical tampering with hardware.
Bedrock GuardrailsAI Safety & Security.Prompt Injection Defense: Prevents your AI from revealing secret company data or being “tricked” into giving harmful advice.

11. Migration & Transfer

ServiceBasic DefinitionDevSecOps “Guru” Perspective
DMSDatabase Migration Service.Continuous Sync: Migrate with zero downtime. Always enable SSL/TLS for the connection between your local DB and AWS to prevent “Man-in-the-Middle” attacks.
SCTSchema Conversion Tool.Security Mapping: When converting from SQL Server to Aurora, use SCT to ensure that Database Roles and Permissions are mapped correctly so you don’t lose access control.
Application Discovery ServiceFinds on-prem server info.Asset Inventory: (Replacement for SMS) Before moving, use this to find “Shadow IT”—servers that your security team didn’t even know existed.
Migration HubCentral tracking dashboard.Visibility: Gives the Security Officer a single view of all moving parts. If a migration task fails, it could be a sign of a network breach or a configuration error.
DataSyncFast data transfer.Integrity Checking: Automatically performs Checksums on every file moved. This ensures a hacker hasn’t modified your files or injected malware during the transfer.
Transfer FamilyManaged SFTP/FTP.Managed Perimeter: Replace your old, insecure FTP servers with this. It supports IAM Authentication and stores data directly in encrypted S3 buckets.
Snowball / SnowconePhysical data transport.Tamper-Proof Hardware: The data is encrypted using KMS before it hits the device. Even if the truck is hijacked, the data is unreadable without the AWS-managed key.

Tags:
Contents
Scroll to Top