In Part 1, I covered the identity side of Domain 1 — IAM, STS, Cognito, Organizations, and all the services that control who gets in and what they’re allowed to do. Now comes the next layer: how do you protect what’s inside, detect threats, and audit everything?

AWS has a surprisingly deep set of security tools. Some are for prevention, some for detection, some for compliance. Knowing which one does what — and when to use each — is a big part of Domain 1.


IAM Security Tools — Know What You’ve Got

Before we get to the heavy-hitting security services, let’s cover the IAM-level auditing tools. These are the ones that help you answer questions like “who has access to what?” and “are there any permissions we’re not using?”

IAM Credentials Report — account-level. Generates a CSV of all IAM users in the account and the status of their credentials: passwords, access keys, MFA. Useful for security audits — quickly spot users without MFA enabled, access keys that haven’t been rotated, or credentials that aren’t being used at all. Generated on demand and may take a few minutes to compile.
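As an added example (not from the original post), here is the kind of check you would run over the credentials report CSV: it flags console users without MFA, access keys older than a rotation window, and passwords or keys that have not been used within that window. The report text is a constructed sample with a subset of the real columns.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credentials report
# (a subset of the real columns; csv.DictReader ignores any extra ones).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-01T00:00:00+00:00,not_supported,2024-06-01T12:00:00+00:00,true,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-10T00:00:00+00:00,true,2025-01-05T09:00:00+00:00,true,true,2024-12-01T00:00:00+00:00,2025-01-04T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2023-03-10T00:00:00+00:00,true,2025-01-02T09:00:00+00:00,false,true,2023-03-10T00:00:00+00:00,2025-01-02T00:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,2023-03-10T00:00:00+00:00,true,no_information,true,true,2024-11-15T00:00:00+00:00,N/A
"""

def parse_ts(value):
    """Aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credentials_report(report_csv, now, max_age_days=90):
    """Return (user, issue) pairs: console users without MFA, access keys
    older than the rotation window, and credentials unused in that window."""
    stale = timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if has_password:
            last = parse_ts(row["password_last_used"])
            if last is None or now - last > stale:
                findings.append((user, "password not used recently"))
        if row["access_key_1_active"] == "true":
            rotated = parse_ts(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > stale:
                findings.append((user, "access key 1 not rotated"))
            last = parse_ts(row["access_key_1_last_used_date"])
            if last is None or now - last > stale:
                findings.append((user, "access key 1 not used recently"))
    return findings

def sample_findings():
    """Run the audit over the constructed report as of 2025-01-10 UTC."""
    return audit_credentials_report(SAMPLE_REPORT, datetime(2025, 1, 10, tzinfo=timezone.utc))
```

The real report also carries `access_key_2_*` and certificate columns; the same checks apply to them.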

IAM Access Advisor — user-level. Shows which services each user or role has accessed, and when they last accessed them. This is your go-to tool for implementing least privilege: if a user hasn’t touched a permission in 90+ days, it’s probably safe to remove it. Available per-user in the IAM console.

IAM Access Analyzer — finds resources shared with external entities. This one works at both the account level and the AWS Organizations level (key differentiator). It analyzes resource-based policies on S3 buckets, IAM roles, KMS keys, Lambda functions, and SQS queues, then generates findings when something is accessible from outside your zone of trust. It also offers policy validation and can even generate policies based on actual access activity.
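To make the "zone of trust" idea concrete, here is an added example (not Access Analyzer's own logic) that walks a bucket policy and flags Allow statements whose AWS principal is anonymous or belongs to an account outside a trusted set. The policy and account IDs are constructed placeholders, and the check ignores Condition blocks, which the real service does evaluate.

```python
import json

# Constructed sample bucket policy; the account IDs are placeholders.
SAMPLE_BUCKET_POLICY = json.dumps({"Statement": [
    {"Sid": "InternalRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::999988887777:root"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "CdnRead", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

def aws_principals(principal):
    """Yield the AWS-account principals of a statement; a bare "*" is the
    anonymous principal. Service/Federated principals are skipped."""
    if principal == "*":
        yield "*"
        return
    values = principal.get("AWS", [])
    yield from ([values] if isinstance(values, str) else values)

def account_of(aws_principal):
    """Account ID from an IAM ARN or a bare 12-digit ID; "*" for the wildcard."""
    if aws_principal.isdigit():
        return aws_principal
    parts = aws_principal.split(":")
    return parts[4] if len(parts) > 4 else "*"

def external_access_findings(policy_json, trusted_accounts):
    """Flag Allow statements granting access to the public or to accounts
    outside the zone of trust. Conditions are ignored in this toy version."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for value in aws_principals(stmt["Principal"]):
            account = account_of(value)
            if account == "*":
                findings.append((stmt.get("Sid"), "public"))
            elif account not in trusted_accounts:
                findings.append((stmt.get("Sid"), f"external account {account}"))
    return findings
```

With the trusted set `{"111122223333"}` the partner-account grant and the public ListBucket statement are reported; the Deny statement and the CloudFront service principal are not.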

IAM Policy Simulator — lets you test IAM policies before applying them. Select a user, group, or role, pick some actions, and see whether they’d be allowed or denied. Available at policysim.aws.amazon.com. Useful for troubleshooting “Access Denied” errors without changing anything in production.

| Tool | Scope | What It Answers |
|---|---|---|
| Credentials Report | Account | “Who has what credentials?” |
| Access Advisor | User/Role | “What has this user accessed?” |
| Access Analyzer | Account/Org | “What’s shared externally?” |
| Policy Simulator | Any entity | “Would this action be allowed?” |

AWS WAF — Layer 7 Filtering

WAF (Web Application Firewall) operates at Layer 7 — the HTTP/HTTPS level. It lets you filter web traffic based on conditions you define.

You create Web ACLs (access control lists) with rules that can:

  • Block or allow IP addresses — using IP sets
  • Geo-match — block or allow traffic from specific countries
  • Rate limiting — throttle requests from a single IP (e.g., max 2,000 requests per 5 minutes)
  • String/regex matching — inspect headers, URIs, query strings, or body content
  • Managed rule groups — pre-built rule sets from AWS or the Marketplace (OWASP Top 10, SQL injection, XSS, etc.)
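Added example (not from the original post, and not AWS code): a toy model of how a Web ACL evaluates an IP set rule, a geo-match rule and a rate-based rule in priority order, with the first terminating action winning and the default action applying otherwise. The request stream is constructed; real rate-based rules are evaluated periodically rather than on every request, so the cut-off is idealized here.

```python
from collections import defaultdict, deque

class WebAcl:
    """Toy model of a Web ACL: rules in priority order, the first terminating
    action (Block here) wins, otherwise the default action (Allow) applies."""

    def __init__(self, blocked_ips, blocked_countries, rate_limit, window=300):
        self.blocked_ips = set(blocked_ips)              # IP set rule
        self.blocked_countries = set(blocked_countries)  # geo-match rule
        self.rate_limit = rate_limit                     # rate-based rule limit
        self.window = window                             # trailing window, seconds
        self.recent = defaultdict(deque)                 # per-IP request timestamps

    def evaluate(self, ts, ip, country):
        if ip in self.blocked_ips:                       # priority 0: IP set
            return "BLOCK:ip-set"
        if country in self.blocked_countries:            # priority 1: geo match
            return "BLOCK:geo"
        q = self.recent[ip]                              # priority 2: rate-based
        while q and ts - q[0] >= self.window:
            q.popleft()                                  # forget requests outside the window
        q.append(ts)
        if len(q) > self.rate_limit:
            return "BLOCK:rate"
        return "ALLOW:default"

def constructed_requests():
    """Constructed stream of (timestamp_s, client_ip, country): one listed IP,
    one request from a blocked country ("XX" is a placeholder code), a
    2,050-request burst from one client within a minute, and one normal request."""
    reqs = [(0, "203.0.113.9", "US"), (1, "198.51.100.7", "XX")]
    reqs += [(2 + i * 0.02, "192.0.2.5", "US") for i in range(2050)]
    reqs.append((60, "192.0.2.6", "US"))
    return reqs

def summarize(acl, requests):
    """Count outcomes per action:rule label."""
    counts = defaultdict(int)
    for ts, ip, country in requests:
        counts[acl.evaluate(ts, ip, country)] += 1
    return dict(counts)

def demo():
    acl = WebAcl(blocked_ips=["203.0.113.9"], blocked_countries=["XX"],
                 rate_limit=2000)
    return summarize(acl, constructed_requests())
```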

WAF attaches to CloudFront distributions, Application Load Balancers (ALBs), and API Gateway. Not Network Load Balancers — WAF is L7 only.

The exam likes to test whether you know where WAF can be deployed. If a question mentions filtering HTTP requests, blocking by country, or rate-limiting API calls — WAF is the answer.


AWS Shield — DDoS Protection

Shield comes in two tiers:

Shield Standard — free, always on, automatic. Protects against common Layer 3/4 DDoS attacks (SYN floods, UDP reflection, etc.). You don’t need to enable it — every AWS account has it by default.

Shield Advanced — paid tier ($3,000/month per organization) with enhanced protections:

  • Real-time visibility — detailed attack metrics and diagnostics
  • Cost protection — AWS credits for scaling costs caused by DDoS attacks (so you don’t get a surprise bill)
  • DDoS Response Team (DRT) — 24/7 access to AWS’s DDoS experts who can help during an active attack
  • Advanced L7 protections — when combined with WAF
  • Health-based detection — integrates with Route 53 health checks for faster, more accurate detection

If a question mentions “DDoS protection” with no other context, Shield Standard is usually sufficient. If the question mentions “cost protection during DDoS”, “DDoS Response Team”, or “real-time attack metrics” — that’s Shield Advanced.


Amazon Inspector — Vulnerability Scanning

Inspector is an automated vulnerability scanning service. It continuously scans your workloads for software vulnerabilities and unintended network exposure.

What it scans:

  • EC2 instances — checks the OS and installed software against known CVE databases
  • ECR container images — scans container images when they’re pushed to the registry
  • Lambda functions — scans function code dependencies for known vulnerabilities

Inspector generates findings with severity ratings and remediation recommendations. It’s a continuous service — once enabled, it scans automatically whenever changes are detected (new instance launched, new image pushed, function updated).

The key differentiator: Inspector is about vulnerabilities in your software and network configuration, not about threat detection or data classification. Those are handled by GuardDuty and Macie respectively.


Amazon Macie — Finding Sensitive Data

Macie is specifically about discovering sensitive data in your S3 buckets. It uses machine learning and pattern matching to automatically find and classify data like:

  • Personally identifiable information (PII) — names, addresses, credit card numbers, passport numbers
  • Financial data
  • Healthcare records
  • API keys and credentials accidentally stored in S3

Macie scans your S3 buckets, classifies the data it finds, and generates findings with details about what it found and where. You can set up automated alerts and remediation workflows.

If an exam question mentions “PII in S3”, “sensitive data discovery”, or “data classification” — Macie is the answer. It’s narrowly focused on S3 data.


Amazon GuardDuty — Threat Detection

GuardDuty is a threat detection service that continuously monitors your AWS environment for malicious or unauthorized activity.

It analyzes multiple data sources:

  • VPC Flow Logs — detect unusual network patterns
  • DNS logs — identify communication with known malicious domains
  • CloudTrail events — spot suspicious API calls
  • EKS audit logs — monitor Kubernetes cluster activity
  • S3 data events — detect unusual data access patterns

GuardDuty uses machine learning, anomaly detection, and threat intelligence to generate findings — things like “someone is trying to brute-force an EC2 instance”, “an IAM credential is being used from an unusual location”, or “a known malicious IP is accessing your resources.”

Here’s how the security services map to different concerns:

| Service | What It Does | What It Monitors |
|---|---|---|
| WAF | Filters web traffic | HTTP/HTTPS requests |
| Shield | Blocks DDoS attacks | L3/L4 (Standard) + L7 (Advanced) |
| Inspector | Finds vulnerabilities | EC2, ECR images, Lambda |
| Macie | Finds sensitive data | S3 buckets |
| GuardDuty | Detects threats | Flow Logs, DNS, CloudTrail, EKS, S3 |

AWS Penetration Testing

Here’s something that catches people off guard: AWS does allow you to perform penetration testing on your own infrastructure, and you don’t need prior approval for most services.

8 services you can pen test without approval:

  1. EC2 instances, NAT Gateways, ELBs
  2. Amazon RDS
  3. Amazon Aurora
  4. Amazon CloudFront
  5. Amazon API Gateway
  6. AWS Lambda and Lambda@Edge
  7. Amazon Lightsail
  8. Amazon Elastic Beanstalk

5 activities that are always prohibited:

  1. DNS zone walking via Route 53 Hosted Zones
  2. DoS, DDoS, or simulated DoS/DDoS attacks
  3. Port flooding
  4. Protocol flooding
  5. Request flooding (login, API, or other request flooding)

For services not on the permitted list, you must contact AWS Security first. Third-party tools are fine as long as they don’t violate the AWS Acceptable Use Policy.

The exam expects you to know both lists. The prohibited activities are basically anything that looks like a denial-of-service attack or DNS enumeration.


Quick Exam Tips

Some patterns to watch for in this section:

  • “Filter HTTP requests by country” or “rate-limit API calls” → WAF
  • “DDoS protection” with no other context → Shield Standard (free, automatic)
  • “Cost protection during DDoS” or “DDoS Response Team” → Shield Advanced
  • “Scan EC2 for vulnerabilities” or “scan container images” → Inspector
  • “Find PII in S3” or “data classification” → Macie
  • “Detect unusual API calls” or “threat detection” → GuardDuty
  • “Audit IAM credentials across the account” → Credentials Report
  • “See which services a user has accessed” → Access Advisor
  • “Find resources shared externally” → Access Analyzer
  • “Test if a policy allows an action” → Policy Simulator

The trick is knowing the boundaries between these services. GuardDuty detects threats but doesn’t fix them. Inspector finds vulnerabilities but doesn’t block attacks. WAF blocks attacks but doesn’t scan for vulnerabilities. Each service has its lane.


This section was more straightforward than the identity stuff — the services are more clearly delineated, and each one has a distinct purpose. The hardest part is remembering which data sources GuardDuty monitors and which services Inspector scans. Tables help.
