> ## Documentation Index
> Fetch the complete documentation index at: https://resources.devweekends.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & IAM

> Master IAM, encryption, KMS, security services, and AWS security best practices

<Frame>
  <img src="https://mintcdn.com/devweeekends/sTu6A4whRFPJo0_g/images/aws/shared-responsibility-model.svg?fit=max&auto=format&n=sTu6A4whRFPJo0_g&q=85&s=2ca892619e4d2bc72c29ac017bd34add" alt="AWS Shared Responsibility Model" width="1080" height="1080" data-path="images/aws/shared-responsibility-model.svg" />
</Frame>

## Module Overview

<Info>
  **Estimated Time**: 6-8 hours | **Difficulty**: Intermediate | **Prerequisites**: Core Concepts
</Info>

This module covers AWS security from IAM fundamentals to advanced patterns including threat detection, compliance monitoring, and network protection. Security in AWS follows the "shared responsibility model" -- AWS secures the infrastructure (the building), and you secure what you put inside it (the doors, locks, and who gets the keys). The most common AWS security incidents are not sophisticated hacks -- they are leaked access keys on GitHub, overly permissive IAM policies, and publicly accessible S3 buckets. Security is critical for the AWS certification exams and real-world architecture.

<Warning>
  **Important**: Learning cloud without security is incomplete and can lead to major risks. This module covers core security services and best practices that are essential for any production workload.
</Warning>

**What You'll Learn:**

* IAM users, groups, roles, and policies
* IAM Identity Center (AWS SSO) for centralized access
* Policy evaluation logic and troubleshooting
* AWS Organizations and SCPs
* KMS encryption and key management
* Secrets management patterns
* **Threat Detection**: GuardDuty, Inspector, Macie
* **Compliance & Audit**: CloudTrail, AWS Config, Security Hub
* **Monitoring**: CloudWatch logs, metrics, and alarms
* **Network Protection**: WAF, Shield, Firewall Manager
* Defense in depth strategies

***

## IAM (Identity and Access Management)

IAM controls WHO can access WHAT in your AWS account. Think of IAM as the badge access system for a corporate office -- Users are employees with badges, Groups are department access lists ("Engineering gets floor 3"), Roles are temporary visitor badges that anyone can pick up and drop off, and Policies are the rules programmed into each badge reader. IAM is the most fundamental AWS security service and arguably the most important thing to get right. Think of IAM as the keycard system for your entire building: it determines which doors (services) each person (or service) can open, at what times, and under what conditions. Getting IAM wrong is the number one cause of AWS security breaches -- nearly every publicized S3 data leak traces back to misconfigured IAM or bucket policies.

<Frame>
  <img src="https://mintcdn.com/devweeekends/sTu6A4whRFPJo0_g/images/aws/iam-architecture.svg?fit=max&auto=format&n=sTu6A4whRFPJo0_g&q=85&s=c5b02d22f929c901150b2ac25b2495d5" alt="IAM Architecture and Policy Flow" width="1080" height="1080" data-path="images/aws/iam-architecture.svg" />
</Frame>

### IAM Components

```
┌────────────────────────────────────────────────────────────────┐
│                         AWS Account                             │
├────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Root User (email@company.com) - NEVER use for daily tasks    │
│                          │                                      │
│                          ▼                                      │
│   ┌──────────────────────────────────────────────────────────┐ │
│   │                        IAM                                │ │
│   │                                                           │ │
│   │   USERS            GROUPS           ROLES                 │ │
│   │   ─────            ──────           ─────                 │ │
│   │   • John           • Admins         • EC2-S3-Role         │ │
│   │   • Jane           • Developers     • Lambda-DynamoDB     │ │
│   │   • API-User       • ReadOnly       • Cross-Account       │ │
│   │                                                           │ │
│   │                    POLICIES                               │ │
│   │                    ────────                               │ │
│   │   • AdministratorAccess (AWS Managed)                     │ │
│   │   • S3ReadOnly (AWS Managed)                              │ │
│   │   • CustomAppPolicy (Customer Managed)                    │ │
│   │                                                           │ │
│   └──────────────────────────────────────────────────────────┘ │
│                                                                 │
└────────────────────────────────────────────────────────────────┘
```

### Users vs Roles

| Feature           | IAM Users            | IAM Roles                  |
| ----------------- | -------------------- | -------------------------- |
| **Identity**      | Permanent            | Temporary                  |
| **Credentials**   | Password/Access Keys | Temporary tokens           |
| **Use Case**      | Humans, CI/CD        | Services, cross-account    |
| **Best Practice** | MFA required         | Preferred for applications |

***

## IAM Policies

JSON documents that define permissions. Every action in AWS -- from launching an EC2 instance to reading an S3 object -- is evaluated against one or more policies. The most common beginner mistake is granting `"Action": "*"` and `"Resource": "*"` to get things working, then never tightening it. This is the equivalent of giving everyone a master key to every room in your building.

### Policy Structure

```json theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Read",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "203.0.113.0/24"
                }
            }
        }
    ]
}
```

### Policy Elements

| Element       | Description                 | Example                              |
| ------------- | --------------------------- | ------------------------------------ |
| **Effect**    | Allow or Deny               | `"Effect": "Allow"`                  |
| **Action**    | What operations             | `"s3:GetObject"`                     |
| **Resource**  | Which resources             | `"arn:aws:s3:::bucket/*"`            |
| **Condition** | When to apply               | IP address, time, MFA                |
| **Principal** | Who (for resource policies) | `"AWS": "arn:aws:iam::123:user/Bob"` |

### Common Policy Patterns

```json theme={null}
// Allow EC2 to assume a role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

// Deny all S3 delete operations
{
    "Effect": "Deny",
    "Action": "s3:Delete*",
    "Resource": "*"
}

// Allow only with MFA
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "Bool": {
            "aws:MultiFactorAuthPresent": "true"
        }
    }
}
```

***

## Policy Evaluation Logic

```
┌────────────────────────────────────────────────────────────────┐
│                   Policy Evaluation Flow                        │
├────────────────────────────────────────────────────────────────┤
│                                                                 │
│                    Request comes in                             │
│                          │                                      │
│                          ▼                                      │
│              ┌───────────────────────┐                         │
│              │  Explicit DENY exists? │                         │
│              └───────────┬───────────┘                         │
│                    Yes   │   No                                 │
│               ┌──────────┴──────────┐                          │
│               ▼                     ▼                          │
│         ┌─────────┐       ┌───────────────────┐                │
│         │  DENY   │       │ Explicit ALLOW     │                │
│         │ Request │       │    exists?         │                │
│         └─────────┘       └─────────┬─────────┘                │
│                               Yes   │   No                      │
│                          ┌──────────┴──────────┐               │
│                          ▼                     ▼               │
│                    ┌─────────┐           ┌─────────┐           │
│                    │  ALLOW  │           │  DENY   │           │
│                    │ Request │           │(implicit)│           │
│                    └─────────┘           └─────────┘           │
│                                                                 │
│   Key: Explicit DENY always wins!                               │
│                                                                 │
└────────────────────────────────────────────────────────────────┘
```

***

## IAM Roles for Services

Allow AWS services to access other AWS resources.

### EC2 Instance Profile

```
┌────────────────────────────────────────────────────────────────┐
│                   EC2 with IAM Role                             │
├────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌─────────────────────────────────────────────────────────┐  │
│   │                      EC2 Instance                        │  │
│   │                                                          │  │
│   │   Instance Profile                                       │  │
│   │   ┌──────────────────────────────────────────────────┐  │  │
│   │   │              IAM Role                             │  │  │
│   │   │  ┌────────────────────────────────────────────┐  │  │  │
│   │   │  │           Attached Policy                   │  │  │  │
│   │   │  │  • s3:GetObject on my-bucket               │  │  │  │
│   │   │  │  • dynamodb:* on my-table                  │  │  │  │
│   │   │  └────────────────────────────────────────────┘  │  │  │
│   │   └──────────────────────────────────────────────────┘  │  │
│   │                                                          │  │
│   │   Application code uses SDK - no credentials needed!     │  │
│   │   boto3.client('s3')  # Automatically uses role          │  │
│   │                                                          │  │
│   └─────────────────────────────────────────────────────────┘  │
│                                                                 │
└────────────────────────────────────────────────────────────────┘
```

```python theme={null}
import boto3

# On EC2 with role - credentials automatically retrieved
s3 = boto3.client('s3')  # No access keys needed!

# SDK automatically calls instance metadata service:
# curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole
#
# Why roles instead of access keys? Roles issue temporary credentials that
# rotate automatically (typically every 6 hours). Access keys are permanent
# and a single leaked key in a git commit can compromise your entire account.
# A senior engineer would say: "If I see access keys hardcoded anywhere --
# environment variables, config files, code -- that is an immediate P0 fix."
#
# Common mistake: Using IMDSv1 (the curl above). Always enforce IMDSv2 with
# HttpTokens=required on your instances. IMDSv1 is vulnerable to SSRF attacks
# that can steal the role's temporary credentials from inside the instance.
```

***

## AWS Organizations

Manage multiple AWS accounts centrally.

```
┌────────────────────────────────────────────────────────────────┐
│                     AWS Organizations                           │
├────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Management Account (Root)                                     │
│           │                                                     │
│           ├── OU: Production                                    │
│           │       ├── Account: Prod-App1                        │
│           │       └── Account: Prod-App2                        │
│           │                                                     │
│           ├── OU: Development                                   │
│           │       ├── Account: Dev                              │
│           │       └── Account: Staging                          │
│           │                                                     │
│           └── OU: Security                                      │
│                   ├── Account: Audit                            │
│                   └── Account: Log-Archive                      │
│                                                                 │
│   Service Control Policies (SCPs)                               │
│   ─────────────────────────────                                 │
│   • Apply guardrails across OUs/Accounts                        │
│   • Cannot grant permissions, only restrict (think of SCPs as    │
│   •   guardrails on a highway -- they prevent going off-road   │
│   •   but don't tell you which lane to drive in)               │
│   • Example: Deny leaving organization                          │
│                                                                 │
└────────────────────────────────────────────────────────────────┘
```

***

## IAM Identity Center (AWS SSO)

IAM Identity Center provides centralized identity management for workforce users across your AWS Organization. It replaces the need to create individual IAM users in each account.

<Frame>
  <img src="https://mintcdn.com/devweeekends/sTu6A4whRFPJo0_g/images/aws/iam-identity-center.svg?fit=max&auto=format&n=sTu6A4whRFPJo0_g&q=85&s=b500b49769e43551a9916845adc55ad0" alt="IAM Identity Center Architecture" width="1080" height="1080" data-path="images/aws/iam-identity-center.svg" />
</Frame>

### Why Use IAM Identity Center?

<CardGroup cols={2}>
  <Card title="Single Sign-On" icon="key">
    One login provides access to all AWS accounts and applications
  </Card>

  <Card title="Centralized Management" icon="sitemap">
    Manage users and permissions from a single place
  </Card>

  <Card title="No Long-Term Credentials" icon="shield-check">
    Temporary credentials automatically issued and rotated
  </Card>

  <Card title="External IdP Integration" icon="plug">
    Connect to Okta, Azure AD, Google Workspace, and more
  </Card>
</CardGroup>

### Identity Sources

| Source                        | Description                      | Best For                        |
| ----------------------------- | -------------------------------- | ------------------------------- |
| **Identity Center Directory** | Built-in user directory          | Small teams, getting started    |
| **Active Directory**          | AWS Managed AD or AD Connector   | Enterprises with existing AD    |
| **External IdP (SAML 2.0)**   | Okta, Azure AD, Google, OneLogin | Organizations with existing IdP |
| **External IdP (OIDC)**       | OAuth 2.0 / OpenID Connect       | Modern identity providers       |

### Setting Up External IdP with SAML 2.0

```
┌─────────────────────────────────────────────────────────────────────┐
│                   SAML 2.0 Federation Flow                           │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│   User                  External IdP              AWS Identity Center│
│     │                       │                            │           │
│     │ 1. Access AWS Portal  │                            │           │
│     │─────────────────────────────────────────────────────►          │
│     │                       │                            │           │
│     │ 2. Redirect to IdP    │                            │           │
│     │◄───────────────────────────────────────────────────│           │
│     │                       │                            │           │
│     │ 3. Authenticate       │                            │           │
│     │──────────────────────►│                            │           │
│     │                       │                            │           │
│     │ 4. SAML Assertion     │                            │           │
│     │◄──────────────────────│                            │           │
│     │                       │                            │           │
│     │ 5. SAML + Session     │                            │           │
│     │─────────────────────────────────────────────────────►          │
│     │                       │                            │           │
│     │ 6. Access Granted (Temp Credentials)               │           │
│     │◄───────────────────────────────────────────────────│           │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘
```

### Permission Sets

Permission Sets define what users can do in AWS accounts. They are reusable templates attached to users/groups for specific accounts.

```json theme={null}
// Example: ReadOnlyAccess Permission Set
{
    "Name": "ReadOnlyAccess",
    "Description": "Read-only access across all services",
    "ManagedPolicies": [
        "arn:aws:iam::aws:policy/ReadOnlyAccess"
    ],
    "SessionDuration": "PT4H",  // 4 hours
    "Tags": {
        "Environment": "Production"
    }
}

// Example: Custom Admin Permission Set with inline policy
{
    "Name": "DatabaseAdmin",
    "Description": "Full RDS and DynamoDB access",
    "InlinePolicy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:*",
                    "dynamodb:*"
                ],
                "Resource": "*"
            }
        ]
    },
    "PermissionsBoundary": {
        "ManagedPolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"
    }
}
```

### Identity Center CLI Configuration

```bash theme={null}
# Configure AWS CLI for Identity Center SSO
aws configure sso
# Follow prompts:
# - SSO start URL: https://my-org.awsapps.com/start
# - SSO Region: us-east-1
# - Choose account and role

# Login via SSO
aws sso login --profile my-sso-profile

# Use SSO profile
aws s3 ls --profile my-sso-profile
```

### External IdP Configuration (Okta Example)

```
┌─────────────────────────────────────────────────────────────────────┐
│                     Okta ↔ AWS Identity Center                       │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  In Okta:                                                            │
│  ────────                                                            │
│  1. Add "AWS IAM Identity Center" application                        │
│  2. Configure SAML settings:                                         │
│     • ACS URL: https://[region].signin.aws.amazon.com/saml          │
│     • Audience URI: urn:amazon:webservices                          │
│  3. Download IdP metadata XML                                        │
│                                                                      │
│  In AWS Identity Center:                                             │
│  ─────────────────────────                                           │
│  1. Settings → Identity source → Change identity source              │
│  2. Select "External identity provider"                              │
│  3. Upload IdP metadata                                              │
│  4. Configure SCIM for automatic user/group provisioning             │
│                                                                      │
│  SCIM Endpoint: https://scim.[region].amazonaws.com/[instance-id]   │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘
```

### ABAC (Attribute-Based Access Control)

Identity Center supports passing user attributes from your IdP for fine-grained access control.

```json theme={null}
// Session policy using attributes
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::company-data/${aws:PrincipalTag/department}/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/team": "${s3:ExistingObjectTag/team}"
                }
            }
        }
    ]
}
```

***

## Encryption

### Encryption at Rest

| Service  | Encryption Method      |
| -------- | ---------------------- |
| S3       | SSE-S3, SSE-KMS, SSE-C |
| EBS      | AES-256 with KMS       |
| RDS      | AES-256 with KMS       |
| DynamoDB | AWS owned or KMS       |

### Encryption in Transit

* **TLS/SSL** for all API calls
* **HTTPS** endpoints
* **VPN** for hybrid connectivity

### AWS KMS (Key Management Service)

```
┌────────────────────────────────────────────────────────────────┐
│                         AWS KMS                                 │
├────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Key Types:                                                    │
│   ─────────                                                     │
│   • AWS Managed Keys (aws/s3, aws/ebs)                         │
│     - Automatic rotation                                        │
│     - Cannot control policies                                   │
│                                                                 │
│   • Customer Managed Keys (CMK)                                 │
│     - You control key policies                                  │
│     - Optional automatic rotation (yearly)                      │
│     - Audit via CloudTrail                                      │
│                                                                 │
│   • Customer Managed Keys (External)                            │
│     - Bring your own key material                               │
│     - You manage rotation                                       │
│                                                                 │
│   Envelope Encryption:                                          │
│   ┌───────────────────────────────────────────────────────┐    │
│   │  CMK encrypts → Data Key                               │    │
│   │  Data Key encrypts → Your Data                         │    │
│   │                                                        │    │
│   │  Store: [Encrypted Data Key] + [Encrypted Data]        │    │
│   └───────────────────────────────────────────────────────┘    │
│                                                                 │
└────────────────────────────────────────────────────────────────┘
```

***

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Enable MFA" icon="fingerprint">
    Require MFA for root and privileged users
  </Card>

  <Card title="Least Privilege" icon="minimize">
    Grant only necessary permissions
  </Card>

  <Card title="Use Roles" icon="id-card">
    Prefer roles over long-term credentials
  </Card>

  <Card title="Rotate Keys" icon="rotate">
    Regularly rotate access keys
  </Card>

  <Card title="Enable CloudTrail" icon="shoe-prints">
    Log all API calls for auditing
  </Card>

  <Card title="Use SCPs" icon="building-shield">
    Enforce guardrails across accounts
  </Card>
</CardGroup>

### Security Checklist

```python theme={null}
security_checklist = {
    "identity": [
        "✓ MFA on root account",
        "✓ No access keys on root",
        "✓ Individual IAM users (no sharing)",
        "✓ Groups for permissions",
        "✓ Strong password policy",
    ],
    "access": [
        "✓ Least privilege policies",
        "✓ Roles for applications",
        "✓ Regular access reviews",
        "✓ Remove unused credentials",
    ],
    "monitoring": [
        "✓ CloudTrail enabled (all regions)",
        "✓ Config rules for compliance",
        "✓ GuardDuty for threat detection",
        "✓ Security Hub for findings",
    ],
    "network": [
        "✓ Private subnets for databases",
        "✓ Security groups (least privilege)",
        "✓ VPC Flow Logs enabled",
        "✓ WAF for public applications",
    ],
    "data": [
        "✓ Encryption at rest (KMS)",
        "✓ Encryption in transit (TLS)",
        "✓ S3 Block Public Access",
        "✓ Backup and recovery tested",
    ]
}
```

***

## Security Services Overview

<Frame>
  <img src="https://mintcdn.com/devweeekends/sTu6A4whRFPJo0_g/images/aws/security-monitoring-services.svg?fit=max&auto=format&n=sTu6A4whRFPJo0_g&q=85&s=5e69c509dede8b3a9e9545947ba2dc79" alt="AWS Security and Monitoring Services" width="1080" height="1080" data-path="images/aws/security-monitoring-services.svg" />
</Frame>

AWS provides a comprehensive suite of security services for threat detection, compliance monitoring, and network protection.

| Service                 | Purpose                           | Key Feature              |
| ----------------------- | --------------------------------- | ------------------------ |
| **IAM**                 | Identity and access management    | Fine-grained permissions |
| **IAM Identity Center** | Centralized SSO for Organizations | External IdP integration |
| **KMS**                 | Key management for encryption     | Envelope encryption      |
| **Secrets Manager**     | Store and rotate secrets          | Automatic rotation       |
| **CloudTrail**          | API activity logging              | Who did what, when       |
| **Config**              | Resource compliance monitoring    | Continuous compliance    |
| **GuardDuty**           | Threat detection                  | ML-powered analysis      |
| **Security Hub**        | Security findings aggregation     | Unified dashboard        |
| **WAF**                 | Web Application Firewall          | OWASP protection         |
| **Shield**              | DDoS protection                   | Layer 3/4/7              |
| **Inspector**           | Vulnerability scanning            | CVE detection            |
| **Macie**               | Sensitive data discovery          | PII detection in S3      |

***

## Threat Detection Services

### Amazon GuardDuty

GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior.

```
┌────────────────────────────────────────────────────────────────────┐
│                      Amazon GuardDuty                               │
├────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Data Sources:                         Finding Categories:         │
│   ─────────────                         ───────────────────         │
│   • CloudTrail Events                   • Recon (port scans)        │
│   • VPC Flow Logs                       • Instance Compromise       │
│   • DNS Logs                            • Account Compromise        │
│   • S3 Data Events                      • Bucket Compromise         │
│   • EKS Audit Logs                      • Malware Detection         │
│   • RDS Login Activity                  • Cryptocurrency Mining     │
│                                                                     │
│   ┌──────────────────────────────────────────────────────────────┐ │
│   │  ML Models analyze behavior patterns to detect anomalies     │ │
│   │  Threat intelligence feeds from AWS and third parties        │ │
│   │  Automatic updates - no infrastructure to manage             │ │
│   └──────────────────────────────────────────────────────────────┘ │
│                                                                     │
└────────────────────────────────────────────────────────────────────┘
```

**Key Features:**

* **No agents required**: Analyzes AWS logs directly
* **Multi-account support**: Centralized via Organizations
* **Automated response**: Integrate with EventBridge for remediation
* **30-day free trial**: Test before committing

```python theme={null}
import boto3

# Enable GuardDuty (run in each region)
guardduty = boto3.client('guardduty', region_name='us-east-1')

# Create detector
response = guardduty.create_detector(
    Enable=True,
    FindingPublishingFrequency='FIFTEEN_MINUTES',
    DataSources={
        'S3Logs': {'Enable': True},
        'Kubernetes': {'AuditLogs': {'Enable': True}},
        'MalwareProtection': {'ScanEc2InstanceWithFindings': {'EbsVolumes': True}}
    }
)

# List findings
findings = guardduty.list_findings(
    DetectorId=response['DetectorId'],
    FindingCriteria={
        'Criterion': {
            'severity': {'Gte': 7}  # High severity only
        }
    }
)
```

### Amazon Inspector

Inspector automatically discovers and scans workloads for software vulnerabilities and network exposure.

```
┌────────────────────────────────────────────────────────────────────┐
│                       Amazon Inspector                              │
├────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Scan Targets:              Vulnerability Types:                   │
│   ─────────────              ────────────────────                   │
│   • EC2 Instances            • CVEs in installed packages          │
│   • Lambda Functions         • Network reachability issues         │
│   • Container Images (ECR)   • Code vulnerabilities (Lambda)       │
│                                                                     │
│   Continuous Scanning:                                              │
│   ┌────────────────────────────────────────────────────────────┐   │
│   │  EC2: Rescans when new CVEs published or package changes   │   │
│   │  ECR: Scans on push and when new CVEs discovered          │   │
│   │  Lambda: Scans on deploy and when dependencies update     │   │
│   └────────────────────────────────────────────────────────────┘   │
│                                                                     │
│   Risk Score: 1-10 based on CVSS + network exposure + exploitability│
│                                                                     │
└────────────────────────────────────────────────────────────────────┘
```

### Amazon Macie

Macie uses machine learning to discover, classify, and protect sensitive data in S3.

```python theme={null}
# Macie sensitive data findings example
macie_finding = {
    "finding_type": "SensitiveData:S3Object/Personal",
    "severity": "HIGH",
    "s3_bucket": "customer-data-bucket",
    "s3_object": "exports/users.csv",
    "sensitive_data": {
        "category": "PERSONAL_INFORMATION",
        "detections": [
            {"type": "EMAIL_ADDRESS", "count": 1547},
            {"type": "PHONE_NUMBER", "count": 892},
            {"type": "CREDIT_CARD_NUMBER", "count": 23},
            {"type": "AWS_CREDENTIALS", "count": 2}
        ]
    },
    "recommendation": "Enable S3 encryption, review access policies"
}
```

***

## Logging and Audit Services

### AWS CloudTrail

CloudTrail records all API calls made in your AWS account - essential for security analysis, compliance, and troubleshooting.

```
┌────────────────────────────────────────────────────────────────────┐
│                         AWS CloudTrail                              │
├────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Event Types:                                                      │
│   ─────────────                                                     │
│   • Management Events: Control plane (CreateBucket, RunInstances)  │
│   • Data Events: Data plane (GetObject, PutItem)                   │
│   • Insights Events: Unusual API activity patterns                 │
│                                                                     │
│   Trail Configuration:                                              │
│   ┌────────────────────────────────────────────────────────────┐   │
│   │  • Multi-region trail (recommended)                         │   │
│   │  • Organization trail for all accounts                      │   │
│   │  • Log file validation (integrity)                          │   │
│   │  • Encrypt with KMS                                         │   │
│   │  • Send to CloudWatch Logs for alerting                     │   │
│   └────────────────────────────────────────────────────────────┘   │
│                                                                     │
│   Storage: S3 bucket (5 years recommended for compliance)           │
│                                                                     │
└────────────────────────────────────────────────────────────────────┘
```

**CloudTrail Event Example:**

```json theme={null}
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLE:admin-session",
        "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/admin-session",
        "accountId": "123456789012"
    },
    "eventTime": "2024-01-15T10:30:00Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteBucket",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.50",
    "userAgent": "aws-cli/2.0",
    "requestParameters": {
        "bucketName": "important-data-bucket"
    },
    "responseElements": null,
    "errorCode": null
}
```

**CloudTrail Insights Configuration:**

```python theme={null}
import boto3

cloudtrail = boto3.client('cloudtrail')

# Create trail with Insights enabled
trail = cloudtrail.create_trail(
    Name='organization-trail',
    S3BucketName='cloudtrail-logs-bucket',
    IsMultiRegionTrail=True,
    EnableLogFileValidation=True,
    KMSKeyId='arn:aws:kms:us-east-1:123456789012:key/example-key',
    IsOrganizationTrail=True
)

# Enable Insights
cloudtrail.put_insight_selectors(
    TrailName='organization-trail',
    InsightSelectors=[
        {'InsightType': 'ApiCallRateInsight'},
        {'InsightType': 'ApiErrorRateInsight'}
    ]
)
```

### AWS Config

Config continuously monitors and records AWS resource configurations and evaluates them against desired configurations.

```
┌────────────────────────────────────────────────────────────────────┐
│                          AWS Config                                 │
├────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Core Features:                                                    │
│   ──────────────                                                    │
│   • Configuration Recording: Track all resource changes            │
│   • Config Rules: Evaluate compliance (managed + custom)           │
│   • Conformance Packs: Collections of rules (CIS, PCI-DSS)        │
│   • Aggregator: Multi-account/region view                          │
│                                                                     │
│   Common Managed Rules:                                             │
│   ─────────────────────                                             │
│   • s3-bucket-public-read-prohibited                               │
│   • encrypted-volumes                                               │
│   • iam-password-policy                                             │
│   • rds-instance-public-access-check                               │
│   • vpc-flow-logs-enabled                                          │
│   • cloudtrail-enabled                                             │
│   • guardduty-enabled-centralized                                  │
│                                                                     │
└────────────────────────────────────────────────────────────────────┘
```

**Config Rules Example:**

```python theme={null}
import boto3

config = boto3.client('config')

# Create a managed rule
config.put_config_rule(
    ConfigRule={
        'ConfigRuleName': 's3-encryption-required',
        'Description': 'Checks if S3 buckets have default encryption enabled',
        'Source': {
            'Owner': 'AWS',
            'SourceIdentifier': 'S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED'
        },
        'MaximumExecutionFrequency': 'TwentyFour_Hours',
        'ConfigRuleState': 'ACTIVE'
    }
)

# Create conformance pack for CIS benchmarks
config.put_conformance_pack(
    ConformancePackName='CIS-AWS-Foundations',
    TemplateS3Uri='s3://config-templates/cis-aws-foundations.yaml'
)
```

### AWS Security Hub

Security Hub provides a comprehensive view of security alerts and compliance status across AWS accounts.

```
┌────────────────────────────────────────────────────────────────────┐
│                       AWS Security Hub                              │
├────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Aggregates findings from:                                         │
│   ┌─────────────┐  ┌─────────────┐  ┌─────────────┐               │
│   │  GuardDuty  │  │  Inspector  │  │   Macie     │               │
│   └──────┬──────┘  └──────┬──────┘  └──────┬──────┘               │
│          │                │                │                        │
│          └────────────────┼────────────────┘                        │
│                           ▼                                         │
│              ┌─────────────────────────┐                           │
│              │     Security Hub        │                           │
│              │  ┌───────────────────┐  │                           │
│              │  │ Unified Dashboard │  │                           │
│              │  │ + ASFF Format     │  │                           │
│              │  └───────────────────┘  │                           │
│              └─────────────────────────┘                           │
│                           │                                         │
│          ┌────────────────┼────────────────┐                        │
│          ▼                ▼                ▼                        │
│   ┌─────────────┐  ┌─────────────┐  ┌─────────────┐               │
│   │ CIS AWS     │  │  PCI-DSS    │  │  Custom     │               │
│   │ Foundations │  │  Standard   │  │  Standards  │               │
│   └─────────────┘  └─────────────┘  └─────────────┘               │
│                                                                     │
│   Security Standards:                                               │
│   • AWS Foundational Security Best Practices                        │
│   • CIS AWS Foundations Benchmark                                   │
│   • PCI-DSS v3.2.1                                                 │
│   • NIST SP 800-53                                                 │
│                                                                     │
└────────────────────────────────────────────────────────────────────┘
```

***

## Monitoring with CloudWatch

Amazon CloudWatch provides monitoring and observability for AWS resources and applications.

### CloudWatch Components

| Component              | Purpose                 | Use Case                   |
| ---------------------- | ----------------------- | -------------------------- |
| **Metrics**            | Numerical data points   | CPU, memory, requests      |
| **Logs**               | Application/system logs | Debug, audit, troubleshoot |
| **Alarms**             | Threshold notifications | Alert on anomalies         |
| **Dashboards**         | Visual monitoring       | Operational visibility     |
| **Events/EventBridge** | Event routing           | Automation triggers        |

### Security-Focused CloudWatch Alarms

```python theme={null}
import boto3

cloudwatch = boto3.client('cloudwatch')

# Alarm for root account usage
cloudwatch.put_metric_alarm(
    AlarmName='RootAccountUsage',
    AlarmDescription='Alert when root account is used',
    MetricName='RootAccountUsageCount',
    Namespace='CloudTrailMetrics',
    Statistic='Sum',
    Period=300,
    EvaluationPeriods=1,
    Threshold=1,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:security-alerts']
)

# Alarm for unauthorized API calls
cloudwatch.put_metric_alarm(
    AlarmName='UnauthorizedAPICalls',
    MetricName='UnauthorizedAttemptCount',
    Namespace='CloudTrailMetrics',
    Statistic='Sum',
    Period=300,
    EvaluationPeriods=1,
    Threshold=5,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:security-alerts']
)

# Alarm for security group changes
cloudwatch.put_metric_alarm(
    AlarmName='SecurityGroupChanges',
    MetricName='SecurityGroupEventCount',
    Namespace='CloudTrailMetrics',
    Statistic='Sum',
    Period=300,
    EvaluationPeriods=1,
    Threshold=1,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:security-alerts']
)
```

### CloudWatch Logs Insights Queries

```sql theme={null}
-- Find failed console logins
fields @timestamp, @message
| filter @message like /ConsoleLogin/ and errorMessage like /Failed/
| stats count() by bin(1h)

-- Track IAM policy changes
fields @timestamp, userIdentity.userName, eventName, requestParameters
| filter eventSource = 'iam.amazonaws.com'
| filter eventName in ['CreatePolicy', 'DeletePolicy', 'AttachUserPolicy', 'DetachUserPolicy']
| sort @timestamp desc

-- Find S3 bucket policy modifications
fields @timestamp, userIdentity.arn, eventName, requestParameters.bucketName
| filter eventSource = 's3.amazonaws.com'
| filter eventName in ['PutBucketPolicy', 'DeleteBucketPolicy', 'PutBucketAcl']
| sort @timestamp desc

-- Detect potential data exfiltration (large S3 downloads)
fields @timestamp, requestParameters.bucketName, requestParameters.key, bytesTransferredIn
| filter eventName = 'GetObject'
| filter bytesTransferredIn > 100000000
| sort bytesTransferredIn desc
```

### Database Monitoring

```python theme={null}
# RDS Performance Insights
rds = boto3.client('rds')

# Enable Performance Insights
rds.modify_db_instance(
    DBInstanceIdentifier='production-db',
    EnablePerformanceInsights=True,
    PerformanceInsightsRetentionPeriod=7,  # 7 days free tier
    PerformanceInsightsKMSKeyId='arn:aws:kms:us-east-1:123456789012:key/example'
)

# DynamoDB monitoring - create alarm for throttled requests
cloudwatch.put_metric_alarm(
    AlarmName='DynamoDB-ThrottledRequests',
    MetricName='ThrottledRequests',
    Namespace='AWS/DynamoDB',
    Dimensions=[{'Name': 'TableName', 'Value': 'production-table'}],
    Statistic='Sum',
    Period=60,
    EvaluationPeriods=2,
    Threshold=10,
    ComparisonOperator='GreaterThanThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:ops-alerts']
)
```

***

## Network Protection Services

### AWS WAF (Web Application Firewall)

WAF protects web applications from common exploits that could affect availability, compromise security, or consume excessive resources.

```
┌────────────────────────────────────────────────────────────────────┐
│                           AWS WAF                                   │
├────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Deployment Targets:                                               │
│   ─────────────────                                                 │
│   • Amazon CloudFront                                               │
│   • Application Load Balancer                                       │
│   • Amazon API Gateway                                              │
│   • AWS AppSync                                                     │
│                                                                     │
│   Rule Types:                                                       │
│   ───────────                                                       │
│   • AWS Managed Rules (OWASP, Known Bad Inputs, Bot Control)       │
│   • Rate-based Rules (DDoS, brute force protection)                │
│   • Custom Rules (regex, geo-blocking, IP sets)                    │
│                                                                     │
│   Web ACL Structure:                                                │
│   ┌────────────────────────────────────────────────────────────┐   │
│   │  Rule 1: AWS-AWSManagedRulesCommonRuleSet (Priority: 1)    │   │
│   │  Rule 2: AWS-AWSManagedRulesSQLiRuleSet (Priority: 2)      │   │
│   │  Rule 3: RateLimit-1000-per-5min (Priority: 3)             │   │
│   │  Rule 4: BlockBadCountries (Priority: 4)                   │   │
│   │  Default Action: ALLOW                                      │   │
│   └────────────────────────────────────────────────────────────┘   │
│                                                                     │
└────────────────────────────────────────────────────────────────────┘
```

**WAF Configuration Example:**

```python theme={null}
import boto3

wafv2 = boto3.client('wafv2')

# Create Web ACL with managed rules
web_acl = wafv2.create_web_acl(
    Name='production-web-acl',
    Scope='REGIONAL',  # or 'CLOUDFRONT'
    DefaultAction={'Allow': {}},
    Rules=[
        {
            'Name': 'AWS-AWSManagedRulesCommonRuleSet',
            'Priority': 1,
            'Statement': {
                'ManagedRuleGroupStatement': {
                    'VendorName': 'AWS',
                    'Name': 'AWSManagedRulesCommonRuleSet'
                }
            },
            'OverrideAction': {'None': {}},
            'VisibilityConfig': {
                'SampledRequestsEnabled': True,
                'CloudWatchMetricsEnabled': True,
                'MetricName': 'CommonRules'
            }
        },
        {
            'Name': 'RateLimitRule',
            'Priority': 2,
            'Statement': {
                'RateBasedStatement': {
                    'Limit': 2000,
                    'AggregateKeyType': 'IP'
                }
            },
            'Action': {'Block': {}},
            'VisibilityConfig': {
                'SampledRequestsEnabled': True,
                'CloudWatchMetricsEnabled': True,
                'MetricName': 'RateLimit'
            }
        }
    ],
    VisibilityConfig={
        'SampledRequestsEnabled': True,
        'CloudWatchMetricsEnabled': True,
        'MetricName': 'ProductionWebACL'
    }
)
```

### AWS Shield

Shield provides DDoS protection for AWS resources.

| Feature             | Shield Standard      | Shield Advanced               |
| ------------------- | -------------------- | ----------------------------- |
| **Cost**            | Free (included)      | \$3,000/month + data transfer |
| **Protection**      | Layer 3/4            | Layer 3/4/7                   |
| **Detection**       | Automatic            | Real-time detection           |
| **Response**        | Automatic mitigation | 24/7 DDoS Response Team       |
| **Cost Protection** | No                   | Yes (scaling cost coverage)   |
| **WAF Credits**     | No                   | Included                      |
| **Visibility**      | Basic                | Advanced metrics & reports    |

### AWS Firewall Manager

Centrally manage security rules across your organization.

```
┌────────────────────────────────────────────────────────────────────┐
│                     AWS Firewall Manager                            │
├────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Manages:                       Benefits:                          │
│   ────────                       ─────────                          │
│   • WAF rules                    • Centralized management           │
│   • Shield Advanced              • Automatic remediation            │
│   • Security Groups              • Cross-account deployment         │
│   • Network Firewall             • Compliance enforcement           │
│   • Route 53 Resolver DNS FW     • Audit trail via Config           │
│                                                                     │
│   Policy Example:                                                   │
│   ┌────────────────────────────────────────────────────────────┐   │
│   │  "Enforce WAF on all ALBs in Production OU"                │   │
│   │  • Scope: OU=Production                                    │   │
│   │  • Resources: AWS::ElasticLoadBalancingV2::LoadBalancer   │   │
│   │  • Managed Rule Groups: CommonRuleSet, SQLiRuleSet        │   │
│   │  • Auto-remediate: Yes                                     │   │
│   └────────────────────────────────────────────────────────────┘   │
│                                                                     │
└────────────────────────────────────────────────────────────────────┘
```

<Tip>
  **Golden Rule**: Never hardcode credentials in code. Use IAM roles for services, Secrets Manager for applications, and environment variables only for local development.
</Tip>

***

## 🎯 Interview Questions

<AccordionGroup>
  <Accordion title="Q1: Explain the difference between IAM Users and Roles">
    **IAM Users:**

    * Permanent identities with long-term credentials
    * Password and/or access keys
    * Used for humans or CI/CD systems
    * Should always have MFA enabled

    **IAM Roles:**

    * Temporary credentials (15 min - 12 hours)
    * No password/keys stored
    * Assumed by users, services, or external identities
    * Preferred for applications

    **When to use each:**

    * User: Human access to AWS Console
    * Role: EC2, Lambda, cross-account access, SSO
  </Accordion>

  <Accordion title="Q2: How does IAM policy evaluation work?">
    **Evaluation order:**

    1. All applicable policies collected
    2. Check for explicit DENY → DENY wins
    3. Check for explicit ALLOW → ALLOW
    4. No match → Implicit DENY

    **Key rules:**

    * Explicit DENY always wins
    * Must have explicit ALLOW to proceed
    * Default is implicit DENY

    **Policy types evaluated:**

    1. SCPs (Organizations)
    2. Identity-based policies
    3. Resource-based policies
    4. Permission boundaries
    5. Session policies
  </Accordion>

  <Accordion title="Q3: How would you implement least privilege?">
    **Strategy:**

    1. **Start with zero access**, add as needed

    2. **Use managed policies** for common patterns

    3. **Use conditions** to narrow scope:
       ```json theme={null}
       "Condition": {
         "StringEquals": {"aws:RequestedRegion": "us-east-1"},
         "Bool": {"aws:MultiFactorAuthPresent": "true"}
       }
       ```

    4. **Use resource-level permissions**:
       ```json theme={null}
       "Resource": "arn:aws:s3:::my-bucket/users/${aws:username}/*"
       ```

    5. **Regular access reviews** with IAM Access Analyzer

    6. **Permission boundaries** to cap maximum permissions
  </Accordion>

  <Accordion title="Q4: How do you securely manage secrets in AWS?">
    **Options (in order of preference):**

    1. **IAM Roles** (no secrets needed)
       * Best for AWS service-to-service

    2. **Secrets Manager**
       * Automatic rotation
       * RDS/Aurora integration
       * \$0.40/secret/month

    3. **Parameter Store (SecureString)**
       * Free tier available
       * KMS encryption
       * No auto-rotation

    4. **Environment Variables**
       * Okay for non-sensitive config
       * Never for passwords/API keys

    **Anti-patterns:**

    * ❌ Hardcoded in source code
    * ❌ Committed to git
    * ❌ Stored in unencrypted files
  </Accordion>

  <Accordion title="Q5: Explain cross-account access with IAM roles">
    **Scenario:** Account A needs to access S3 in Account B

    **Setup:**

    1. **Account B**: Create role with trust policy

    ```json theme={null}
    {
      "Principal": {"AWS": "arn:aws:iam::ACCOUNT_A:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "secret123"}}
    }
    ```

    2. **Account B**: Attach S3 permissions to role

    3. **Account A**: IAM policy allowing sts:AssumeRole

    4. **Account A**: Application assumes role

    ```python theme={null}
    sts = boto3.client('sts')
    credentials = sts.assume_role(
        RoleArn='arn:aws:iam::ACCOUNT_B:role/CrossAccountRole',
        RoleSessionName='MySession',
        ExternalId='secret123'
    )
    ```
  </Accordion>

  <Accordion title="Q6: When would you use IAM Identity Center vs IAM Users?">
    **Use IAM Identity Center when:**

    * Managing access across multiple AWS accounts
    * You have an existing IdP (Okta, Azure AD, etc.)
    * You want SSO experience for users
    * Need centralized permission management
    * Want to eliminate long-term credentials

    **Use IAM Users when:**

    * Single AWS account with few users
    * CI/CD pipelines (though roles are preferred)
    * Service accounts that can't use roles
    * Legacy applications requiring access keys

    **Best Practice:** Prefer Identity Center for human access, IAM roles for applications.
  </Accordion>

  <Accordion title="Q7: How would you set up a security monitoring strategy?">
    **Layered approach:**

    1. **Threat Detection:**
       * GuardDuty for continuous monitoring
       * Inspector for vulnerability scanning
       * Macie for sensitive data discovery

    2. **Logging & Audit:**
       * CloudTrail for API logging (all regions)
       * Config for resource compliance
       * VPC Flow Logs for network visibility

    3. **Centralization:**
       * Security Hub to aggregate findings
       * CloudWatch for metrics/alarms
       * S3 for long-term log storage

    4. **Response:**
       * EventBridge for automated remediation
       * SNS for alerting
       * Lambda for custom responses

    ```python theme={null}
    # Example: Auto-remediate public S3 bucket
    def lambda_handler(event, context):
        bucket = event['detail']['resourceId']
        s3.put_public_access_block(
            Bucket=bucket,
            PublicAccessBlockConfiguration={
                'BlockPublicAcls': True,
                'IgnorePublicAcls': True,
                'BlockPublicPolicy': True,
                'RestrictPublicBuckets': True
            }
        )
    ```
  </Accordion>

  <Accordion title="Q8: Explain AWS WAF vs Shield vs Firewall Manager">
    **AWS WAF:**

    * Layer 7 (application) protection
    * Protects against: SQL injection, XSS, bad bots
    * Custom rules for specific threats
    * Rate limiting
    * Deployed on: CloudFront, ALB, API Gateway

    **AWS Shield:**

    * Layer 3/4 (network) DDoS protection
    * Standard: Free, automatic protection
    * Advanced: \$3K/month, 24/7 DRT support, cost protection
    * Protects: EC2, ELB, CloudFront, Route 53

    **Firewall Manager:**

    * Centralized management across Organization
    * Manages: WAF rules, Shield, Security Groups
    * Auto-remediation capabilities
    * Compliance enforcement

    **When to use together:**

    * WAF + Shield Advanced for comprehensive protection
    * Firewall Manager to enforce policies across accounts
  </Accordion>

  <Accordion title="Q9: How does GuardDuty detect threats?">
    **Data Sources Analyzed:**

    * CloudTrail management and data events
    * VPC Flow Logs
    * DNS query logs
    * S3 data events
    * EKS audit logs
    * RDS login activity

    **Detection Methods:**

    * Machine learning for anomaly detection
    * Threat intelligence feeds
    * Known attack patterns

    **Finding Categories:**

    * Reconnaissance (port scans, API probing)
    * Instance compromise (crypto mining, C\&C)
    * Account compromise (unusual API calls)
    * Bucket compromise (public exposure)

    **Response Integration:**

    ```python theme={null}
    # EventBridge rule for high-severity findings
    {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {
            "severity": [{"numeric": [">=", 7]}]
        }
    }
    ```
  </Accordion>
</AccordionGroup>

***

## 🧪 Hands-On Lab: Secure Application Setup

**Objective**: Configure secure access for a web application with proper IAM roles

<Steps>
  <Step title="Create IAM Role for EC2">
    Attach policy for S3 read, DynamoDB access
  </Step>

  <Step title="Create Application Secrets">
    Store database password in Secrets Manager with rotation
  </Step>

  <Step title="Configure KMS Key">
    Create CMK for application encryption, define key policy
  </Step>

  <Step title="Enable CloudTrail">
    Enable in all regions, log to S3 with encryption
  </Step>

  <Step title="Configure Access Analyzer">
    Find and fix overly permissive policies
  </Step>
</Steps>

***

## Security Quick Reference

```python theme={null}
# Security configuration checklist
security_config = {
    "account_level": {
        "mfa_on_root": True,
        "no_root_access_keys": True,
        "cloudtrail_all_regions": True,
        "config_enabled": True,
        "guardduty_enabled": True,
    },
    "iam_policies": {
        "least_privilege": True,
        "use_roles_not_keys": True,
        "mfa_for_privileged": True,
        "regular_access_review": True,
    },
    "encryption": {
        "s3_default_encryption": True,
        "ebs_default_encryption": True,
        "rds_encryption": True,
        "secrets_in_secrets_manager": True,
    },
    "network": {
        "vpc_flow_logs": True,
        "security_group_review": True,
        "waf_for_public_apps": True,
    }
}
```

***

## Next Module

<Card title="Well-Architected Framework" icon="building" href="/aws/well-architected">
  Learn the 6 pillars of AWS Well-Architected Framework
</Card>
