AWS cloud practitioner notes - Security

Last updated Apr 6, 2024 Published Jan 8, 2021

The content here is under the Attribution 4.0 International (CC BY 4.0) license

The AWS security model is shared meaning, AWS is responsible for the security of the cloud, and you, the customer are responsible for the security in the cloud. AWS controls the servers, data centers and all the layers in this section.

Module 6 - Shared responsibility model

Customer Responsibilities

Customers are responsible for everything they put in AWS.

|C|__________________________________ CUSTOMER DATA _______________________________________|

AWS responsibilities

AWS is responsible for the security of the cloud.

|A|_____________________________________ SOFTWARE _________________________________________|
| |_____ COMPUTE ______|______ STORAGE ______|_____ DATABASE _____|_____ NETWORKING _______|
| |_________________________ HARDWARE/AWS GLOBAL INFRASTRUCTURE ___________________________|
|S|______ REGIONS _____|____________ AVAILABILITY ZONES __________|__ EDGE LOCATIONS ______|

Module 6 - User permissions and access

AWS Identity and Access Management allows you to manage access to AWS services and resources.

  • The root account is the owner of the AWS account, this is the default permission for an AWS-created account. The root user account controls any resources. As such, the recommended security approach is to turn on MF2, for this account.
  • Users created by IAM, have no permissions by default. (Principle of least privilege)

As a best practice approach, avoid using the user root for everyday tasks. Instead, create a user and assign it the needed permissions.

IAM policy is a JSON document that describes which API calls a user can or can’t do. This is a policy example:

    "version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::my_resource"

The following table describes the possible values for each field in the IAM policy JSON:

Option Value
Effect Allow / Deny
Action Any API call
Resource Which AWS resource the API call is for

IAM groups are groups of users, you can attach policies to a group and all users in that group will have the permissions listed there. IAM roles have associated permissions that allow or deny actions in AWS, and these roles can be assumed for a temporary amount of time.

Module 6 - Organizations

AWS Organizations are used to consolidate and manage multiple AWS accounts, in a centralized manner. This approach avoids the problem of managing multiple AWS accounts.

Module 6 - Compliance

Compliance checks if a given regulation is being followed, countries might have different compliances. For example:

  • Europian Union - GDPR
  • Health care in the USA - HIPAA

Aws has already built data centers, infrastructure and networking following industries’ best practices for security, and you as a customer inherit those practices as well. Enabling data protection is a configuration setting on the resource. AWS offers whitepapers are documents you can download and use for compliance reports.

  • AWS Artifact - compliance reports done by third parties [1]
  • AWS Compliance - compliance information in all one place [2]

Module 6 - Denial-of-service attacks

DDoS attack objective is to put down a given service such that it can no longer respond to requests from clients.

  • HTTP level attacks - too expensive to overwhelm AWS, not impossible though
  • UDP flood - security group
  • SLOWLORIS attack - Elastic load balancer

AWS WAF uses a web application firewall to filter traffic from bad actors.

AWS Shield standard

Automatically protects all AWS customers at no cost. It protects from the most common and frequent types of DDoS attacks.

AWS Shield Advanced

It is a paid service that provides detailed attack diagnostics.

Module 6 - Additional security resources

  • Encryption at rest (when the data is idle). Server-side encryption at rest is enabled in all DynamoDB data
  • Encryption in transit. SSL to data in transit encrypts data. (SQS, S3, RDS).

Amazon Inspector

runs an automated security assessment infrastructure, and checks deviations against best practices.

Amazon GuardDuty

It analyses streams of data from a network, VPC logs and DNS logs. Runs independently from AWS services.


  1. [1]AWS, “AWS Artifact,” 2021 [Online]. Available at: [Accessed: 07-Jan-2021]
  2. [2]AWS, “AWS Customer Compliance Center,” 2021 [Online]. Available at: [Accessed: 07-Jan-2021]