Security Services
IAM controls who can do what. The services on this page protect what’s running — application firewalls, DDoS protection, threat detection, encryption key management, and vulnerability scanning. Together they form defense in depth.
```text
Internet ──► Shield (DDoS) ──► WAF (app firewall) ──► CloudFront / ALB ──► Your App
                 │
GuardDuty (threat detection)     ◄── CloudTrail, VPC Flow Logs, DNS
                 │
Inspector (vulnerability scan)   ◄── EC2, ECR images
                 │
Security Hub (central dashboard) ◄── all findings
                 │
KMS (encryption keys)            ◄── encrypt data at rest and in transit
```

VPC Flow Logs feed both operational RCA and GuardDuty-style analysis. For enabling logs, querying ACCEPT vs REJECT, and correlating with security groups and NACLs, see VPC Flow Logs and Network RCA.
AWS WAF (Web Application Firewall)
WAF inspects HTTP/HTTPS requests and blocks malicious traffic before it reaches your application.
What WAF Protects
WAF attaches to:
- CloudFront distributions
- ALB (Application Load Balancer)
- API Gateway (REST and HTTP APIs)
- AppSync (GraphQL APIs)
How It Works
```text
Request ──► WAF evaluates rules ──► Allow / Block / Count / CAPTCHA
                                          │
                                        Block → 403 Forbidden
```

Web ACLs and Rules
A Web ACL is a set of rules evaluated in priority order:
| Rule Type | What It Does | Example |
|---|---|---|
| AWS Managed Rules | Pre-built rules maintained by AWS | SQL injection protection, XSS, known bad inputs |
| Rate-based | Block IPs exceeding a request threshold | Block IP if > 2,000 requests in 5 minutes |
| IP set | Allow/block specific IP ranges | Allow only office IPs, block known bad actors |
| Geo match | Block/allow by country | Block requests from countries you don’t serve |
| Custom rules | Match on headers, body, query strings, URI | Block if User-Agent contains “bot” |
Common Rule Groups (AWS Managed)
| Rule Group | Protects Against |
|---|---|
| AWSManagedRulesCommonRuleSet | OWASP Top 10: SQLi, XSS, path traversal, etc. |
| AWSManagedRulesSQLiRuleSet | SQL injection |
| AWSManagedRulesKnownBadInputsRuleSet | Log4j, Spring exploits, etc. |
| AWSManagedRulesAmazonIpReputationList | Known malicious IPs |
| AWSManagedRulesBotControlRuleSet | Bot detection and management |
Example: Basic WAF Setup
```bash
# Create a Web ACL with managed rules plus a rate limit.
# --visibility-config is required for the Web ACL itself, in addition to
# the per-rule VisibilityConfig blocks.
aws wafv2 create-web-acl \
  --name my-web-acl \
  --scope REGIONAL \
  --default-action '{"Allow":{}}' \
  --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"my-web-acl"}' \
  --rules '[
    {
      "Name": "AWS-CommonRuleSet",
      "Priority": 1,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet"
        }
      },
      "OverrideAction": {"None":{}},
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "CommonRuleSet"
      }
    },
    {
      "Name": "RateLimit",
      "Priority": 2,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 2000,
          "AggregateKeyType": "IP"
        }
      },
      "Action": {"Block":{}},
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "RateLimit"
      }
    }
  ]'
```

Best practice: Start with managed rules in Count mode (`"OverrideAction": {"Count":{}}`, which logs matches but doesn't block), review the logs for false positives, then switch to Block mode (`"OverrideAction": {"None":{}}`).
AWS Shield (DDoS Protection)
Shield protects against Distributed Denial of Service (DDoS) attacks.
Shield Standard vs Advanced
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (automatic) | $3,000/month + data transfer |
| Protection | Layer 3/4 (network/transport) | Layer 3/4/7 (including application layer) |
| Resources | All AWS resources | CloudFront, ALB, NLB, Elastic IP, Global Accelerator |
| Response team | None | AWS Shield Response Team (SRT) — 24/7 |
| Cost protection | None | Refund for scaling costs caused by DDoS |
| Visibility | Basic | Real-time attack dashboards, detailed metrics |
Shield Standard is always on — you’re already protected against common volumetric attacks (SYN floods, UDP reflection).
Shield Advanced is for high-value applications where DDoS could cause significant business impact or where you need the AWS response team and cost protection.
GuardDuty (Threat Detection)
GuardDuty uses machine learning and threat intelligence to detect suspicious activity in your account — without deploying any agents.
Data Sources GuardDuty Analyzes
| Source | What It Finds |
|---|---|
| CloudTrail events | Unusual API calls, credential compromise, privilege escalation |
| VPC Flow Logs | Port scanning, data exfiltration, communication with known malicious IPs |
| DNS logs | DNS queries to command-and-control servers, crypto-mining domains |
| S3 data events | Unusual access patterns, public bucket access from unexpected IPs |
| EKS audit logs | Suspicious Kubernetes API calls, container escapes |
| Lambda network activity | Unusual outbound connections from Lambda functions |
Finding Types (Examples)
| Finding | Severity | What It Means |
|---|---|---|
| UnauthorizedAccess:EC2/SSHBruteForce | Medium | Someone is brute-forcing SSH on an instance |
| Recon:EC2/PortProbeUnprotectedPort | Low | An external IP is scanning open ports |
| CryptoCurrency:EC2/BitcoinTool.B!DNS | High | An instance is communicating with a Bitcoin mining pool |
| Exfiltration:S3/ObjectRead.Unusual | High | Unusual volume of S3 reads (possible data theft) |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration | High | EC2 instance credentials used from outside AWS |
Enabling GuardDuty
```bash
# Enable (one command)
aws guardduty create-detector --enable

# List findings
aws guardduty list-findings --detector-id abc123
```

Responding to Findings
GuardDuty generates findings but doesn't block anything automatically. Set up automated responses:
```text
GuardDuty finding ──► EventBridge rule ──► Lambda ──► Auto-remediate
                                                      (quarantine instance, revoke credentials, notify Slack)
```

Security Hub
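The EventBridge → Lambda pipeline above, as an added example that is not part of the original page: the decision logic is pure Python and runs offline, while the boto3 calls sit behind `execute=True`. The severity threshold, the `accessKeyDetails.userName` field, and the quarantine security group ID are assumptions, not values from the page.

```python
import json

# EventBridge rule pattern for the Lambda: GuardDuty findings of severity >= 7 (High)
EVENTBRIDGE_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"  # assumed: an SG with no rules at all


def plan_remediation(finding: dict) -> list:
    """Map one GuardDuty finding (the event's 'detail' object) to response steps."""
    ftype = finding.get("type", "")
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    steps = [{"action": "notify", "finding": ftype}]  # every finding is reported
    if severity < 7:
        return steps  # Low/Medium: notify only, a human triages
    instance = resource.get("instanceDetails", {}).get("instanceId")
    if ftype.startswith(("CryptoCurrency:EC2", "Backdoor:EC2")) and instance:
        steps.append({"action": "quarantine_instance", "instance_id": instance,
                      "security_group": QUARANTINE_SG})
    if "InstanceCredentialExfiltration" in ftype:
        role = resource.get("accessKeyDetails", {}).get("userName")  # assumed field
        if role:
            steps.append({"action": "revoke_role_sessions", "role_name": role})
    return steps


def lambda_handler(event: dict, context=None, execute: bool = False) -> dict:
    """Lambda entry point; execute=False returns the plan without touching AWS."""
    steps = plan_remediation(event["detail"])
    if execute:  # real side effects; boto3 is available in the Lambda runtime
        import boto3
        for s in steps:
            if s["action"] == "quarantine_instance":
                boto3.client("ec2").modify_instance_attribute(
                    InstanceId=s["instance_id"], Groups=[s["security_group"]])
            elif s["action"] == "notify":
                print(json.dumps(s))  # replace with an SNS publish or Slack webhook
    return {"steps": steps}


# Constructed sample event (not a real finding) for a local dry run
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"instanceDetails": {"instanceId": "i-0123example"}}},
}
```

Calling `lambda_handler(SAMPLE_EVENT)` returns the plan (notify, then quarantine) without any AWS calls, which is how you unit-test the mapping before wiring it to EventBridge.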
Security Hub aggregates security findings from multiple services into a single dashboard and checks compliance against standards.
What It Aggregates
```text
GuardDuty findings   ──►┐
Inspector findings   ──►├──► Security Hub ──► Dashboard + compliance score
WAF logs             ──►│
Firewall Manager     ──►│
IAM Access Analyzer  ──►│
Config rules         ──►┘
```

Compliance Standards
Security Hub automatically checks your account against:
| Standard | What It Checks |
|---|---|
| AWS Foundational Security Best Practices | 200+ checks across all services |
| CIS AWS Foundations Benchmark | Center for Internet Security recommendations |
| PCI DSS | Payment Card Industry standards |
| NIST 800-53 | US federal security framework |
Each check produces a finding with a severity and remediation guidance.
Enabling Security Hub
```bash
aws securityhub enable-security-hub \
  --enable-default-standards
```

KMS (Key Management Service)
KMS manages encryption keys for data at rest and in transit across AWS services.
Key Types
| Type | What It Is | Use Case |
|---|---|---|
| AWS managed | Created and managed by AWS for a specific service | Default encryption (S3, EBS, RDS) — simplest |
| Customer managed | Created and managed by you | Fine-grained access control, rotation policy, cross-account |
| Customer provided (SSE-C) | You provide and manage keys outside AWS | Regulatory requirements |
Using KMS
```bash
# Create a customer managed key
aws kms create-key --description "My app encryption key"

# Encrypt data. AWS CLI v2 expects --plaintext as base64 by default;
# --cli-binary-format raw-in-base64-out lets you pass the raw string.
# CiphertextBlob comes back base64-encoded, so decode it before saving.
aws kms encrypt --key-id alias/my-key \
  --plaintext "sensitive data" \
  --cli-binary-format raw-in-base64-out \
  --output text --query CiphertextBlob | base64 --decode > encrypted.bin

# Decrypt (the key ID is embedded in the ciphertext, so it is not needed here)
aws kms decrypt --ciphertext-blob fileb://encrypted.bin --output text --query Plaintext | base64 --decode
```

Envelope Encryption
For large data, KMS uses envelope encryption:
- KMS generates a data key (plaintext + encrypted copy).
- Your app encrypts data with the plaintext data key.
- Store the encrypted data + encrypted data key together.
- To decrypt: send the encrypted data key to KMS → get plaintext key → decrypt data.
This way, KMS never sees your data — only the small data key.
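The four-step flow above, worked end to end as an added example (not code from the page or from AWS). `LocalKms` is a stand-in for boto3's `kms.generate_data_key` / `kms.decrypt` so the flow runs offline; the `cryptography` package is assumed to be installed, and the blob layout is this example's own.

```python
import os
import struct
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # assumed installed


class LocalKms:
    """Stand-in for the KMS key (boto3 generate_data_key / decrypt). Like KMS,
    it only ever touches the 32-byte data key, never the application data."""

    def __init__(self):
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))

    def generate_data_key(self):
        plaintext_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        wrapped = nonce + self._master.encrypt(nonce, plaintext_key, b"data-key")
        return plaintext_key, wrapped  # mirrors KMS Plaintext + CiphertextBlob

    def decrypt(self, wrapped: bytes) -> bytes:
        return self._master.decrypt(wrapped[:12], wrapped[12:], b"data-key")


def envelope_encrypt(kms, data: bytes) -> bytes:
    """Step 1-3: get a data key, encrypt locally, store wrapped key + ciphertext."""
    key, wrapped = kms.generate_data_key()
    nonce = os.urandom(12)
    ciphertext = AESGCM(key).encrypt(nonce, data, None)
    # Blob layout (this example's own): [2-byte wrapped-key len][wrapped key][12-byte nonce][ciphertext]
    return struct.pack(">H", len(wrapped)) + wrapped + nonce + ciphertext


def envelope_decrypt(kms, blob: bytes) -> bytes:
    """Step 4: unwrap the data key via KMS (the only round trip), decrypt locally."""
    (n,) = struct.unpack(">H", blob[:2])
    wrapped, rest = blob[2:2 + n], blob[2 + n:]
    key = kms.decrypt(wrapped)  # only the small wrapped key goes to KMS
    return AESGCM(key).decrypt(rest[:12], rest[12:], None)
```

A blob encrypted under one master key cannot be opened with another: the unwrap step fails with an authentication error before any data is touched.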
Services That Use KMS
| Service | What's Encrypted |
|---|---|
| S3 | Objects (SSE-S3, SSE-KMS) |
| EBS | Volumes and snapshots |
| RDS | Database storage |
| Secrets Manager | All secrets |
| Parameter Store | SecureString parameters |
| Lambda | Environment variables |
| SQS | Messages |
| CloudWatch Logs | Log groups |
Best practice: Enable default encryption on S3 buckets, EBS volumes, and RDS instances. Use customer managed keys when you need cross-account access or audit key usage.
Key Rotation
```bash
# Enable automatic rotation (every year)
aws kms enable-key-rotation --key-id alias/my-key
```

KMS keeps old key material so previously encrypted data can still be decrypted. New data uses the new key material.
Inspector (Vulnerability Scanning)
Inspector scans EC2 instances and container images for software vulnerabilities and network exposure.
What It Scans
| Target | What It Finds |
|---|---|
| EC2 instances | OS vulnerabilities (CVEs), unintended network exposure |
| ECR container images | Package vulnerabilities in Docker images |
| Lambda functions | Vulnerabilities in Lambda deployment packages |
How It Works
```bash
# Enable Inspector (automatic scanning)
aws inspector2 enable --resource-types EC2 ECR LAMBDA
```

Inspector scans continuously with no extra agents to install (it uses the SSM Agent already on EC2 instances). Findings include:
- CVE ID and severity (Critical, High, Medium, Low)
- Affected package and version
- Fixed version (if available)
- Remediation guidance
Example Finding
```text
Title: CVE-2024-12345 in openssl 3.0.2
Severity: HIGH
Resource: i-abc123 (EC2)
Package: openssl 3.0.2-0ubuntu1
Fixed in: openssl 3.0.2-0ubuntu1.14
Recommendation: Update openssl to >= 3.0.2-0ubuntu1.14
```

Defense in Depth Summary
| Layer | Service | Protects Against |
|---|---|---|
| Edge | Shield + WAF | DDoS, SQL injection, XSS, bots |
| Network | Security groups, NACLs, VPC | Unauthorized network access |
| Identity | IAM, MFA | Unauthorized API access |
| Data | KMS, Secrets Manager | Data exposure (encryption at rest/transit) |
| Detection | GuardDuty | Active threats, anomalous behavior |
| Vulnerability | Inspector | Known CVEs, misconfigurations |
| Compliance | Security Hub | Drift from security standards |
| Audit | CloudTrail | Who did what, when |
Key Takeaways
- WAF blocks malicious HTTP traffic (SQLi, XSS, bots, rate limiting). Start with AWS managed rules in Count mode, then switch to Block.
- Shield Standard (free) protects against network-layer DDoS. Shield Advanced adds application-layer protection and the AWS response team.
- GuardDuty detects threats using ML on CloudTrail, VPC Flow Logs, and DNS — enable it and set up EventBridge rules for automated response.
- Security Hub aggregates findings from all security services into one dashboard with compliance scoring.
- KMS manages encryption keys. Use customer managed keys for fine-grained control; enable default encryption on S3, EBS, and RDS.
- Inspector continuously scans EC2, ECR images, and Lambda for known vulnerabilities.