AWS Cloud Practitioner Study Session Nine

January 02, 2026

I am taking the AWS Cloud Practitioner Exam in approximately two days and want to ensure I am prepared. This series will serve as non-exhaustive note taking for the information that I am internalizing as I go.

ChatGPT Summary

AWS Security & Identity – Exam-Focused Summary with Memory Aids

Security questions on the Cloud Practitioner exam are about concepts and service selection, not configuration. The key is knowing who is responsible, what service does what, and where security applies.

Core Security Concepts

Authentication vs Authorization

• Authentication → Who are you?
• Authorization → What are you allowed to do?

🧠 Memory Tip

AuthN = Name
AuthZ = Access

AWS Shared Responsibility Model (Very Testable)

Customer Responsibility — Security IN the Cloud

Customers secure:

• Data
• Applications
• IAM users, roles, permissions
• OS, network configs (for EC2)

AWS Responsibility — Security OF the Cloud

AWS secures:

• Physical data centers
• Hardware
• Global infrastructure
• Virtualization layer

🧠 Memory Tip

AWS secures the cloud, YOU secure what’s in it

AWS Security Control Goals

AWS security controls are designed to:

1. Prevent incidents
2. Protect networks, apps, and data
3. Detect & Respond to threats

🧠 Memory Tip

Prevent → Protect → Detect

AWS Identity and Access Management (IAM)

Key IAM Rules

• IAM is deny by default
• You must explicitly allow permissions
• An AWS account has one root user
  • Cannot be deleted
  • Should rarely be used

🧠 Memory Tip

Nothing is allowed unless you say so

IAM Roles

• Provide temporary permissions
• Used by:
  • AWS services
  • Applications
  • Users switching roles

🧠 Real-World Example

Morning = barista role
Afternoon = cashier role

🧠 Memory Tip

Roles = temporary hats

Principle of Least Privilege

• Grant only the permissions required
• Nothing extra

🧠 Exam Clue

• “Minimal access”
• “Restrict permissions” → Least privilege

AWS IAM Identity Center (Formerly SSO)

• Centralized identity management
• Supports federated identities
• Single sign-on (SSO) across:
  • Multiple AWS accounts
  • AWS services
  • External identity providers

🧠 Memory Tip

One login, many services

AWS Secrets Manager

• Secure storage for:
  • Passwords
  • API keys
  • Database credentials
• Supports automatic rotation

🧠 Memory Tip

Secrets Manager = No hardcoded passwords

AWS Systems Manager

• Central management for:
  • EC2
  • On-prem
  • Hybrid & multicloud
• Provides:
  • Patch management
  • Inventory
  • Automation

🧠 Memory Tip

Systems Manager = Fleet control

Network & Application Attacks

DoS vs DDoS

• DoS → Single source attack
• DDoS → Distributed (many compromised systems)

🧠 Memory Tip

Extra D = Distributed

AWS Network-Level Protection

Built-In Infrastructure Protection

Security Groups

• Act as virtual firewalls
• Allow only approved traffic
• Operate at instance level

🧠 Memory Tip

Security Groups = Who can knock on the door

Elastic Load Balancing (ELB)

• Absorbs traffic spikes
• Protects backend servers
• Operates at regional scale

🧠 Memory Tip

ELB = Traffic shock absorber

AWS Regions

• Massive global capacity
• Extremely difficult to overwhelm

🧠 Memory Tip

Size is security

AWS Protection Services (DDoS & Web Protection)

AWS Shield

• Shield Standard
  • Free
  • Protects against common DDoS attacks
• Shield Advanced
  • Paid
  • Advanced detection & mitigation
  • Integrates with:
    • CloudFront
    • Route 53
    • ELB

🧠 Memory Tip

Standard = automatic
Advanced = detailed & expensive

AWS WAF (Web Application Firewall)

• Filters HTTP/S requests
• Uses rules & ACLs
• Protects against:
  • SQL injection
  • XSS

🧠 Memory Tip

WAF = Web traffic bouncer

Data Encryption

Types of Encryption

• At Rest → Stored data
• In Transit → Moving data (SSL/TLS)

🧠 Memory Tip

Rest = stored
Transit = traveling

AWS Data Protection Services

Encryption at Rest (Defaults)

• Amazon S3
  • All new objects encrypted automatically
• Amazon EBS
  • Volumes & snapshots encryptable
• Amazon DynamoDB
  • Server-side encryption enabled using AWS KMS

🧠 Memory Tip

AWS encrypts by default

AWS Key Management Service (KMS)

• Create and manage cryptographic keys
• Control key usage across services

🧠 Key Concept

• Cryptographic Key = Locks and unlocks data

🧠 Memory Tip

KMS = Key vault

Amazon Macie

• Uses ML to discover sensitive data
• Monitors data at rest in S3
• Identifies:
  • PII
  • Financial data

🧠 Memory Tip

Macie watches your S3

AWS Certificate Manager (ACM)

• Manages SSL/TLS certificates
• Enables encryption in transit
• Integrates with:
  • ELB
  • CloudFront
  • API Gateway

🧠 Memory Tip

ACM = HTTPS made easy

Detection & Response Services

Amazon Inspector

• Automated vulnerability scanning
• Supports:
  • EC2
  • Containers
  • Lambda

🧠 Memory Tip

Inspector inspects

Amazon GuardDuty

• Threat detection service
• Uses:
  • ML
  • Anomaly detection
  • Known malicious IPs

🧠 Memory Tip

GuardDuty guards

Amazon Detective

• Investigates security findings
• Uses visualizations to find root cause

🧠 Memory Tip

Detective solves the crime

AWS Security Hub

• Central security dashboard
• Aggregates findings from:
  • GuardDuty
  • Inspector
  • Macie
• Produces actionable insights

🧠 Memory Tip

Security Hub = Security command center

Exam Power Summary

Study materials:

• Free Code Camp Preparation
• AWS Certified Solutions Architect Practice Tests
• AWS Cloud Practitioner Essentials
• AWS Documentation
  • What is Cloud Computing?
  • Shared Responsibility Model
  • Regions and Availability Zones
  • Containers on AWS
  • Amazon Elastic Container Registry
  • Amazon Elastic Container Service
  • Amazon Elastic Kubernetes Service
  • AWS Fargate
  • AWS Elastic Beanstalk
  • AWS Batch
  • What is Amazon Lightsail?
  • What is AWS Outposts?
  • Choosing a modern application strategy
  • AWS Global Infrastructure
  • AWS for the Edge
  • AWS CloudFormation
  • Amazon Virtual Private Cloud
  • Subnet
  • Internet gateway
  • Virtual private gateway
  • AWS Client VPN
  • AWS Site-to-Site VPN
  • AWS PrivateLink
  • AWS Direct Connect
  • Network Access Control List (network ACL)
  • Security groups
  • Domain Name System (DNS)
  • Amazon Route 53
  • Amazon CloudFront
  • AWS Global Accelerator
  • Amazon Transit Gateway
  • NAT Gateway
  • API Gateway
  • Amazon EC2 Instance Store User Guide
  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Elastic Block Store (Amazon EBS) FAQ
  • Amazon EBS Snapshots User Guide
  • Amazon Data Lifecycle Manager User Guide
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Simple Storage Service (Amazon S3) FAQ
  • Amazon S3 Storage Classes
  • Amazon S3 Versioning User Guide
  • Amazon S3 Buckets User Guide
  • Amazon Elastic File System (Amazon EFS)
  • Amazon Elastic File System (Amazon EFS) FAQ
  • Amazon FSx
  • Amazon FSx for Windows File Server
  • Amazon FSx for NetApp ONTAP
  • Amazon FSx for OpenZFS
  • Amazon FSx for Lustre
  • AWS Storage Gateway
  • Amazon S3 File Gateway
  • Tape Gateway
  • Volume Gateway
  • Amazon Relational Database Service (Amazon RDS)
  • Amazon RDS Security
  • Amazon Aurora
  • AWS Database Migration Service (AWS DMS)
  • Amazon DynamoDB
  • Amazon ElastiCache
  • Amazon DocumentDB
  • Amazon Backup
  • Amazon Neptune
  • What Is a Relational Database?
  • What Is a NoSQL Database?
  • What Is an In-Memory Caching Service?
  • AWS Shared Responsibility Model
  • Amazon Comprehend
  • Amazon Polly
  • Amazon Transcribe
  • Amazon Translate
  • Amazon Kendra
  • Amazon Rekognition
  • Amazon Textract
  • Amazon Lex
  • Amazon Personalize
  • Amazon SageMaker AI
  • Amazon SageMaker JumpStart
  • Amazon Bedrock
  • Amazon Q Business
  • Amazon Q Developer
  • Amazon Kinesis Data Streams
  • Amazon Data Firehose
  • Amazon S3
  • Amazon Redshift
  • AWS Glue Data Catalog
  • AWS Glue
  • Amazon EMR
  • Amazon Athena
  • Amazon QuickSight
  • Amazon OpenSearch Service
  • AWS Identity and Access Management (IAM)
  • AWS IAM Identity Center
  • AWS Secrets Manager
  • AWS Systems Manager
  • AWS Shield
  • AWS WAF
  • AWS Key Management Service (AWS KMS)
  • Amazon Macie
  • AWS Certificate Manager (ACM)
  • Amazon Inspector
  • Amazon GuardDuty
  • Amazon Detective
  • AWS Security Hub
• ChatGPT

Raw Input Notes:

Authentication: Process of verifying identity of user or entity. Authorization: Grants users certain access rights / permissions.

Shared Responsibility Model

Customers: Security in the cloud: Customers are responsible for securing everything they create and manage in the AWS Cloud.

AWS: Security of the cloud: AWS operates, manages, controls components of all layers of the infrastructure. (Foundational software, virtualization, hardware and global infrastructure that supports DBs from which services operate.)

AWS Security Controls:

• Prevent security incidents through proper permission and access management.
• Protect networks, applications, data.
• Detect and respond to security incidents as they occur.

IAM is deny by default. IAM Roles allow users to gain temporary access to permissions. Example, an employee might need to work as a barista in morning and cashier in afternoon. An AWS account can only have one root user, which cannot be deleted.

Principle of least privilege dictactes that you should only give people and systems access to what they need and nothing else.

AWS IAM Identity Center

• Centralizes IAM, also connects to existing identity source, provides workforce with sso access to all connected AWS services and accounts (federated IAM).

Federated identity management is a system that allows users to access multiple applications, services, or domains uing a single set of credentials.

AWS Secrets Manager

• Provides a secure way to manage, rotate, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. This helps keep your applications, services, and IT resources safe.

Secrets are confidential or private information intended to be known only to specific individuals or groups. Examples: passwords, database credentials, API keys.

AWS Systems Manager

• Provides a centralized view of nodes across your org’s accounts and Regions in multi-cloud and hybrid environments. Enables quickly accessing node info, such as ID and OS details, automate registry edits, user management, secure patching.

Nodes are connection points in a network, system, or structure.

Network and Application Attacks

• DoS Attacks - Attacker floods web app with excessive network traffic.
• DDoS Attack - Attacker can use multiple infected computers to unknowingly send excessive traffic to web applciation.

AWS Network and Application Protection

• AWS Protection through Infrastructure

• Security Groups - Only allow in proper request traffic. Operate at the AWS network level so they can shrug off massive attacks using the entire AWS Region’s capacity.

• Elastic Load Balancing (ELB) - ELB handles traffic first before handing it off, so your frontend server is not overwhelmed. Like security groups, it runs at Region level.

• AWS Regions - Enormous capacity of Regions makes them difficult to overwhelm.

AWS Protection through Services

• AWS Standard Shield - Designed to automatically protect AWS customers from the most common, frequently occuring types of DDoS attacks at no cost.
• AWS Shield Advanced - Paid service that provides detailed attack diagnostics and ability to detect and mitigate sophisticated DDoS attacks. Integrates with CloudFront, Route 53, and ELB.
• AWS WAF - Web application firewall that monitors network requests that come into web apps. Checks IP address of requests against ACL.

Types of Data Encryption

• Data Encryption at Rest
• Data Encryption in Transit - SSL/TLS certificates are used to establish encrypted network connections fom one system to another.

AWS Data Protection

• Amazon S3 - All new buckets have encryption configred, all uploaded objects encrypted at rest.
• Amazon EBS - Volumes and snapshots can be encrypted at rest, including boot and data volumes of an Amazon EC2 instance.
• Amazon DynamoDB - Server-side encryption at rest is enabled on table data using encryption keys stored in AWS Key Management Service (AWS KMS)

AWS Protection Services

• AWS Key Management Service (AWS KMS) - Can use AWS KMS to create and manage cryptographic keys.
• Can control the use of keys across wide range of services and in your applications.
• Cryptographic key - Random string of digits used for locking (encrypting) and unlocking (decrypting) data

Amazon Macie

• Can monitor your sensitive data at rest to make sure it’s safe. Uses ML and automation to discover sensitive data stored in Amazon S3. Can use Macie to assess your security posture.

AWS Certificate Manager (ACM)

• Centralizes the management of SSL/TLS certificates that provide data encryption in transit. Can be used to protect various AWS services and connected on-prem resources.
• SSL/TLS certificates used to establish encrypted network connections from one system to another.

Detection and Response Services

• Amazon Inspector - Helps improve the security and compliance of applications by running automated security assessments for Amazon EC2 instances, containers, and Lambda functions.
• Amazon GuardDuty - Provides intelligent threat detection across your infrastructure and resources. Uses known malicious IP addresses, anomaly detection, ML to identify threats more accurately.
• Can view in AWS Management Console. Can configure AWS Lambda functions to perform remediation steps automatically.
• Amazon Detective - After threat detected, can use Amazon Detective to further investigate root cause. Uses visualizations
• AWS Security Hub - Brings multiple security services together into single place and format. Automatically aggregates security findings from AWS and partner services, organizes them into actionable, meaningful groupings called insights. Can accelerate time to resolution with automated remediation.