Chapter Five
Security & Identity
Security on AWS is a shared responsibility: AWS secures the cloud, you secure what you run in it. These eight services are the controls you own — identity first, because every other control depends on it.
Core Terminology
A few terms recur across this chapter. Defining them here keeps the service sections focused.
Principal
Any entity that makes a request — an IAM user, role, or AWS service. Policies grant or deny what a principal may do.
Identity vs Resource Policy
An identity policy attaches to a principal (what this role can do); a resource policy attaches to a resource (who can touch this bucket). Both are evaluated.
Least Privilege
Grant only the permissions actually needed. This is the default posture for every role; broad wildcards are how breaches escalate.
Envelope Encryption
Data is encrypted with a data key, which is itself encrypted by a KMS key. KMS never sees your data, only the small data key.
Shared Responsibility Model
AWS secures the infrastructure (the cloud); you secure your data, identities, and configuration (in the cloud).
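As an added example (not from the chapter) of how an identity policy and a resource policy are evaluated together, and of a least-privilege check for the broad wildcards the chapter warns about, here is a small Python evaluator. The account id, role and bucket names are constructed placeholders, and the evaluator covers only the same-account Allow/Deny logic, not Condition elements.

```python
import fnmatch

# Constructed sample policies for illustration; the account id, role and
# bucket names are placeholders, not values from the page.
ANALYST = "arn:aws:iam::111122223333:role/analyst"
IDENTITY_POLICY = {"Statement": [  # attached to the analyst role: what it may do
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}
RESOURCE_POLICY = {"Statement": [  # attached to the bucket: who may touch it
    {"Effect": "Allow", "Principal": ANALYST,
     "Action": ["s3:ListBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
]}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _any_match(patterns, value):
    # IAM-style '*' and '?' wildcards; ARNs are case-sensitive, so fnmatchcase
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _effects(policy, principal, action, resource):
    """Effects of every statement whose Principal, Action and Resource match this request."""
    found = set()
    for stmt in policy["Statement"]:
        # only resource policies name a Principal; an identity policy applies to its owner
        if "Principal" in stmt and not _any_match(stmt["Principal"], principal):
            continue
        if _any_match(stmt["Action"], action) and _any_match(stmt["Resource"], resource):
            found.add(stmt["Effect"])
    return found

def evaluate(identity_policy, resource_policy, principal, action, resource):
    """Same-account decision: an explicit Deny in either policy wins; otherwise an
    Allow from either policy is enough; otherwise the request is implicitly denied."""
    effects = (_effects(identity_policy, principal, action, resource)
               | _effects(resource_policy, principal, action, resource))
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

def wildcard_allows(policy):
    """Least-privilege check: Allow statements granting a whole service ('s3:*', '*')
    or every resource ('*'), the broad wildcards that let a breach escalate."""
    return [s for s in policy["Statement"] if s["Effect"] == "Allow" and (
        any(a == "*" or a.endswith(":*") for a in _as_list(s["Action"]))
        or "*" in _as_list(s["Resource"]))]
```

Note that the Deny on s3:DeleteObject in the identity policy overrides the Allow for the same action in the bucket policy, which is why an explicit Deny is the safest way to fence off a destructive action.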
Services in This Chapter
Service 32
AWS IAM
The permission system for all of AWS — users, roles, and policies deciding who can do what to which resource. Get this right or nothing else is secure.
Service 33
AWS KMS
Managed encryption keys. Creates, stores, and controls access to the keys that encrypt data across AWS services, with full CloudTrail auditing.
Service 34
AWS Secrets Manager
Stores, rotates, and delivers database credentials, API keys, and tokens — so secrets stay out of code and configuration files.
Service 35
AWS WAF & Shield
Web application firewall plus DDoS protection at the edge. Filters malicious requests and absorbs volumetric attacks in front of CloudFront and ALB.
Service 36
Amazon GuardDuty
Threat detection that analyzes logs and network activity for signs of compromise — no agents, just continuous intelligent monitoring.
Service 37
Amazon Macie
Discovers and classifies sensitive data — PII, credentials — in S3, so you know where your regulated data actually lives.
Service 38
AWS Security Hub
Aggregates findings from GuardDuty, Macie, Inspector, and others into one prioritized view, scored against standards like CIS and PCI.
Service 39
AWS Certificate Manager
Free, auto-renewing TLS certificates for AWS endpoints — removing the manual cert-renewal toil that causes avoidable outages.