07. More Services
01. AWS Certificate Manager (ACM)
AWS Certificate Manager (ACM) provides and manages SSL/TLS certificates to enable HTTPS (in-flight encryption) for AWS resources.
| Feature | Description |
|---|---|
| Purpose | Secure communication between users and apps using HTTPS |
| Free Public Certs | Public certificates are free and auto-renewed |
| Private Certs | For internal apps via AWS Private CA |
| Integration | Works with ALB, CloudFront, API Gateway, etc. |
| Validation | Domain ownership verified via DNS or email |
| Automation | ACM handles provisioning, renewal, and deployment |
How It Works
- Request a certificate in ACM (public or private).
- Validate domain ownership.
- Attach to AWS resources (e.g., ALB, CloudFront, API Gateway).
- ACM auto-renews certificates before expiry.
Exam Tip
If a question mentions HTTPS, SSL/TLS certificate, or in-flight encryption,
the answer is AWS Certificate Manager (ACM).
02. AWS Secrets Manager
AWS Secrets Manager securely stores, retrieves, and automatically rotates secrets like database passwords or API keys.
- Stores secrets securely (DB creds, API keys, etc.)
- Auto-rotation using Lambda (e.g., every 30 or 90 days)
- Integrates with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Encrypted using AWS KMS
- Access via SDK, CLI, or Console
- Paid service: $0.40 per secret/month (+ API costs)
Notes
- Removes hardcoded credentials in apps
- For non-sensitive configs, use SSM Parameter Store instead
- Exam tip: for RDS password rotation, the answer is Secrets Manager
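The "removes hardcoded credentials" point above is easiest to see in code. The following is an added example (not from the notes' author or from AWS): an application loads its RDS credentials from Secrets Manager through boto3's `get_secret_value` call and caches them for a short TTL, so that a rotated password is picked up automatically instead of living forever in a config file. The secret name `prod/app/db`, the host name and the `FakeSecretsManager` stand-in are constructed so the block runs offline; in Lambda or on EC2 you would pass a real `boto3.client("secretsmanager")` instead.

```python
"""Load DB credentials from AWS Secrets Manager with a short-lived cache.
Added example; the secret name, host and fake client are constructed."""
import json
import time


class SecretCache:
    """Caches parsed secret values for ttl_seconds so rotated secrets are
    picked up without calling the API on every request."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client      # boto3 secretsmanager client (or a stand-in)
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}         # secret_id -> (expires_at, parsed value)

    def get(self, secret_id):
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry and entry[0] > now:
            return entry[1]
        # GetSecretValue is the real Secrets Manager API; boto3 returns the
        # payload under "SecretString" (or "SecretBinary" for binary secrets).
        resp = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(resp["SecretString"])
        self._entries[secret_id] = (now + self._ttl, value)
        return value


def build_db_url(secret):
    """Assemble a connection string from the JSON layout Secrets Manager uses
    for RDS secrets (username/password/host/port/dbname keys)."""
    return "postgresql://{username}:{password}@{host}:{port}/{dbname}".format(**secret)


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client so the example runs offline.
    Rotation is simulated by changing the stored password."""

    def __init__(self):
        self.calls = 0
        self.secrets = {
            "prod/app/db": {"username": "app", "password": "initial-pw",
                            "host": "db.example.internal", "port": 5432,
                            "dbname": "app"}
        }

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.secrets[SecretId])}


def demo():
    """Show cache hit, then rotation becoming visible once the TTL expires."""
    fake_clock = [0.0]
    client = FakeSecretsManager()
    cache = SecretCache(client, ttl_seconds=300, clock=lambda: fake_clock[0])
    first = build_db_url(cache.get("prod/app/db"))
    second = build_db_url(cache.get("prod/app/db"))   # served from cache, no API call
    client.secrets["prod/app/db"]["password"] = "rotated-pw"  # rotation happens
    fake_clock[0] = 301.0                                     # TTL has expired
    third = build_db_url(cache.get("prod/app/db"))            # fresh fetch
    return first, second, third, client.calls


if __name__ == "__main__":
    print(demo())
```

Keep the TTL shorter than the rotation window, and treat an authentication failure from the database as a signal to drop the cache entry and refetch, since Secrets Manager's rotation Lambda may have changed the password between two refreshes.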
03. AWS Artifact
AWS Artifact is a portal (not an actual service) that provides on-demand access to AWS compliance reports and agreements.
- Not a service, but a self-service compliance portal.
- Provides access to security and compliance documents.
- Useful for audits and regulatory compliance.
Two Main Components
| Component | Description |
|---|---|
| Artifact Reports | Download AWS compliance and security reports (e.g., ISO, PCI, SOC). |
| Artifact Agreements | Review, accept, and track AWS legal agreements such as the Business Associate Addendum (BAA) required for HIPAA workloads. |
Use Cases
- Supports internal audit and compliance reviews.
- Demonstrates that workloads hosted on AWS meet industry standards.
- Accessible globally via the AWS Console → Artifact.
Remember:
AWS Artifact = Compliance Reports + Agreements portal (ISO, PCI, SOC, HIPAA, BAA).
04. Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts, workloads, and data stored in S3 for malicious activity and unauthorized behavior.
| Feature | Description |
|---|---|
| Intelligent Threat Detection | Uses machine learning, anomaly detection, and integrated threat intelligence to identify potential security risks. |
| No Setup Overhead | Enabled with one click, no agents or software installation required. Includes a 30-day free trial. |
| Continuous Monitoring | Continuously analyzes multiple AWS data sources for suspicious activity. |
Data Sources Analyzed
| Category | Examples |
|---|---|
| Core Sources | VPC Flow Logs: detect unusual IPs or network traffic patterns. AWS CloudTrail logs: identify unusual API calls or unauthorized deployments. DNS logs: detect encoded data exfiltration via DNS queries. |
| Optional Sources | S3 data events (GetObject, DeleteObject, etc.); EBS volumes (malware scanning); RDS/Aurora login events; EKS audit and runtime logs; Lambda network activity |
Integration & Automation
| Component | Purpose |
|---|---|
| Amazon EventBridge | Receives GuardDuty findings as events. |
| Automation | EventBridge rules can trigger Lambda functions (auto-remediation) or SNS notifications (alerts). |
| Use Cases | Auto-isolate compromised EC2 instances; notify SecOps teams of suspicious actions |
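The EventBridge → Lambda path in the table above, written out as an added example (not code from the notes' author or from AWS). The handler receives the EventBridge envelope that carries a GuardDuty finding, classifies it by severity, and for a high-severity finding on an EC2 instance swaps the instance's security groups for an empty quarantine group via the real `modify_instance_attribute` EC2 API, then publishes an SNS alert. The rule pattern is shown as a dict. The quarantine group ID, the SNS topic ARN, the instance ID and both sample findings are constructed; the `FakeEC2`/`FakeSNS` classes stand in for boto3 clients so the block runs offline.

```python
"""EventBridge -> Lambda auto-remediation for GuardDuty findings.
Added example; IDs, ARN and sample events are constructed placeholders."""
import json

# EventBridge rule pattern that forwards every GuardDuty finding to the Lambda.
# Rule patterns are JSON in the console/CLI; kept as a dict here.
GUARDDUTY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

ISOLATE_THRESHOLD = 7.0   # GuardDuty severity: 7.0-8.9 high, 9.0+ critical
NOTIFY_THRESHOLD = 4.0    # 4.0-6.9 medium
QUARANTINE_SG = "sg-0123456789abcdef0"   # placeholder: SG with no inbound/outbound rules
ALERT_TOPIC = "arn:aws:sns:us-east-1:123456789012:secops-alerts"  # placeholder ARN


def classify(finding):
    """Map one GuardDuty finding to ("isolate"|"notify"|"ignore", instance_id)."""
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if (severity >= ISOLATE_THRESHOLD
            and resource.get("resourceType") == "Instance" and instance_id):
        return "isolate", instance_id
    if severity >= NOTIFY_THRESHOLD:
        return "notify", instance_id
    return "ignore", instance_id


def handler(event, context=None, ec2=None, sns=None, topic_arn=ALERT_TOPIC):
    """Lambda entry point. ec2/sns are boto3 clients, injected so the logic
    can run without AWS access; in Lambda pass boto3.client("ec2"/"sns")."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    finding = event["detail"]
    action, instance_id = classify(finding)
    if action == "isolate":
        # Replacing the instance's security groups with an empty quarantine
        # group cuts its network access while keeping it alive for forensics.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    if action in ("isolate", "notify"):
        sns.publish(TopicArn=topic_arn,
                    Subject=f"GuardDuty {finding.get('type')} (severity {finding.get('severity')})",
                    Message=json.dumps({"instance": instance_id, "action": action}))
    return {"action": action, "instance": instance_id}


class FakeEC2:
    """Constructed stand-in recording modify_instance_attribute calls."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)


class FakeSNS:
    """Constructed stand-in recording published alerts."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)


def sample_event(finding_type, severity, instance_id="i-0abc123def456789"):
    """Constructed EventBridge envelope wrapping a minimal GuardDuty finding."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": finding_type,
            "severity": severity,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": instance_id}},
        },
    }


def demo():
    """Run a high-severity crypto-mining finding and a low-severity one."""
    ec2, sns = FakeEC2(), FakeSNS()
    high = handler(sample_event("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8), ec2=ec2, sns=sns)
    low = handler(sample_event("UnauthorizedAccess:EC2/SSHBruteForce", 2), ec2=ec2, sns=sns)
    return high, low, ec2.calls, len(sns.published)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The Lambda's execution role needs only `ec2:ModifyInstanceAttribute` and `sns:Publish`, scoped to the quarantine group and the alert topic; giving it broader EC2 rights turns the remediation function itself into a high-value target.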

Common GuardDuty Findings
| Type | Example |
|---|---|
| Credential Compromise | Unusual API activity in CloudTrail |
| Network Threats | Port scanning, brute-force attempts |
| Malware / Crypto Attacks | GuardDuty detects cryptocurrency mining indicators |
| Data Exfiltration | DNS tunneling, unauthorized S3 data access |
Summary
- Amazon GuardDuty provides intelligent, continuous threat detection using multiple AWS log sources.
- Findings are sent to EventBridge, which can trigger Lambda or SNS for response automation.
- Helps protect against unauthorized activity, data theft, and crypto-mining attacks.
05. Amazon Inspector
Amazon Inspector is an automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure.
| Capability | Description |
|---|---|
| Automated Scanning | Continuously assesses resources without manual intervention. |
| Agent-Based for EC2 | Uses AWS Systems Manager (SSM) Agent on EC2 instances to evaluate vulnerabilities and network reachability. |
| Integrated with ECR & Lambda | Automatically scans container images in Amazon ECR and Lambda functions during deployment. |
| Continuous Updates | Automatically rescans when the CVE database is updated. |
Components & Scope
| Resource Type | What It Scans | Assessment Criteria |
|---|---|---|
| EC2 Instances | OS packages and network configuration | Known vulnerabilities (CVE), unintended network access |
| ECR Container Images | Pushed Docker images | Software vulnerabilities (CVE database) |
| Lambda Functions | Function code and dependencies | Software/package vulnerabilities |
How It Works
- Enable Inspector in the AWS Management Console.
- It automatically discovers eligible EC2, ECR, and Lambda resources.
- Scans them continuously against:
  - Known CVEs (Common Vulnerabilities and Exposures)
  - Network Reachability (for EC2 only)
- Generates findings with risk scores for prioritization.

Findings & Integrations
| Integration | Purpose |
|---|---|
| AWS Security Hub | Centralized view of all vulnerability findings. |
| Amazon EventBridge | Event-driven automation on new findings (e.g., notify via SNS, trigger Lambda). |
| Risk Scoring | Assigns severity levels to vulnerabilities for remediation prioritization. |
Example Use Cases
- Identify outdated OS packages or open ports on EC2 instances.
- Detect vulnerabilities in container base images before deployment.
- Scan Lambda functions for insecure dependencies.
- Automate remediation through EventBridge → Lambda workflows.
Summary
- Amazon Inspector continuously evaluates EC2, ECR, and Lambda for vulnerabilities and exposure.
- Uses CVE databases and network reachability analysis.
- Findings flow into Security Hub and EventBridge for visibility and automation.
- Helps maintain a proactive security posture across AWS workloads.
06. AWS Config
AWS Config is a service that helps you audit, record, and evaluate the configurations of your AWS resources over time.
What AWS Config Does
| Feature | Description |
|---|---|
| Configuration Recording | Tracks configuration changes of AWS resources (e.g., EC2, S3, IAM). |
| Compliance Auditing | Checks if resources comply with internal or regulatory standards. |
| Change History | Maintains a timeline of configuration changes for each resource. |
| Data Storage | Stores configuration snapshots in Amazon S3, which can be analyzed using Athena. |
| Notifications | Sends SNS alerts when resource configurations change. |
| Integration | Works with AWS CloudTrail to show who made API calls. |
Example Questions AWS Config Can Answer
- Is there unrestricted SSH access in my security groups?
- Are any of my S3 buckets publicly accessible?
- How has my Application Load Balancer configuration changed over time?
Key Points
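The first question above ("unrestricted SSH access in my security groups?") is the kind of check a Config rule answers. As an added example (not the notes' author's code and not one of AWS's managed rules), this is a Lambda-backed custom Config rule: Config invokes it with a configuration item for a security group, the code inspects the inbound permissions for TCP/22 (or all-traffic) rules open to `0.0.0.0/0` or `::/0`, and reports `COMPLIANT` / `NON_COMPLIANT` back through the real `put_evaluations` API. The configuration item layout assumed here (`ipPermissions` with `ipRanges`, `ipv4Ranges` and `ipv6Ranges`) follows the Config resource schema for `AWS::EC2::SecurityGroup`; the security group IDs, the `203.0.113.0/24` office range and the result token are constructed so the block runs offline.

```python
"""Custom AWS Config rule: flag security groups with SSH open to the world.
Added example; group IDs, CIDRs and the result token are constructed."""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_in_range(perm, port):
    """True if this permission entry covers TCP <port> (or all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":            # "-1" means all protocols/ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _cidrs(perm):
    """Collect CIDR strings from a permission entry. Config's item carries
    ipv4Ranges/ipv6Ranges as dicts and a legacy ipRanges list of plain
    strings (assumption, per the Config schema), so accept both shapes."""
    out = []
    for key, field in (("ipRanges", "cidrIp"), ("ipv4Ranges", "cidrIp"),
                       ("ipv6Ranges", "cidrIpv6")):
        for entry in perm.get(key, []):
            out.append(entry if isinstance(entry, str) else entry.get(field))
    return out


def evaluate_security_group(configuration, port=22):
    """Return ("COMPLIANT"|"NON_COMPLIANT", annotation) for one group."""
    offenders = set()
    for perm in configuration.get("ipPermissions", []):
        if _port_in_range(perm, port):
            offenders.update(c for c in _cidrs(perm) if c in ANYWHERE)
    if offenders:
        return "NON_COMPLIANT", f"TCP/{port} open to {', '.join(sorted(offenders))}"
    return "COMPLIANT", f"No unrestricted TCP/{port} ingress"


def handler(event, context=None, config=None):
    """Lambda entry point for a Config custom rule. Config passes the
    configuration item as a JSON string inside event["invokingEvent"]."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config is not None:   # boto3.client("config") inside Lambda
        config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(configuration, resource_id="sg-0123456789abcdef0"):
    """Constructed Config invocation event wrapping one security group item."""
    item = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": resource_id,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": configuration,
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": "constructed-token"}


# Constructed security group configurations.
OPEN_SSH = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                               "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}
OFFICE_ONLY = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                  "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []}]}


if __name__ == "__main__":
    print(handler(sample_event(OPEN_SSH)))
    print(handler(sample_event(OFFICE_ONLY, "sg-0fedcba9876543210")))
```

Attach the Lambda to a Config rule with a configuration-change trigger scoped to `AWS::EC2::SecurityGroup`, and the rule re-evaluates every time a group's rules change; the same evaluation logic can be reused for other ports by passing a different `port`.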
- AWS Config is a per-region service.
- You can aggregate configuration data across multiple regions and accounts.
- You can view resource compliance and configuration history at any time.
Use Case Example
| Task | AWS Config Feature Used |
|---|---|
| Track changes to EC2 instances | Configuration Recorder |
| Identify non-compliant resources | Config Rules |
| Notify when changes occur | SNS Integration |
| Analyze historical configurations | S3 + Athena |
In short:
AWS Config continuously records resource configurations, checks for compliance, and alerts you about changes, helping maintain visibility and governance across your AWS environment.
07. Amazon Macie
Amazon Macie is a fully managed data security and privacy service that uses machine learning (ML) and pattern matching to automatically discover, classify, and protect sensitive data stored in AWS.

What Macie Does
| Feature | Description |
|---|---|
| Data Discovery | Scans and identifies sensitive data (e.g., PII, financial data) in your Amazon S3 buckets. |
| Machine Learning & Pattern Matching | Uses ML models to detect patterns such as credit card numbers, API keys, and personal data. |
| Automated Classification | Classifies and labels S3 objects containing sensitive data. |
| Security Alerts | Generates findings and sends alerts for any exposure or risk detected. |
| Data Visibility | Provides a centralized dashboard to view where sensitive data is located and how it's being accessed. |
Common Use Cases
- Identify PII (Personally Identifiable Information) across S3 buckets.
- Detect unintended data exposure or publicly accessible sensitive data.
- Support compliance with standards like GDPR, HIPAA, or PCI-DSS.
- Monitor data security posture over time.
Key Points
- Fully managed service: no need to maintain infrastructure.
- Analyzes only S3 data at present.
- Integrates with Amazon EventBridge, AWS Security Hub, and SNS for alerting and automation.
- Helps maintain data privacy and compliance across your AWS environment.
In short:
Amazon Macie uses ML-powered scanning to automatically find, classify, and protect sensitive data like PII in your S3 buckets, keeping your AWS environment secure and compliant.
08. AWS Security Hub
AWS Security Hub is a centralized security and compliance service that helps you analyze, manage, and automate security checks across multiple AWS accounts and regions.

What Security Hub Does
| Feature | Description |
|---|---|
| Centralized Dashboard | Provides a unified view of your AWS security posture and compliance status. |
| Automated Security Checks | Continuously evaluates your AWS environment against security standards like CIS AWS Foundations and PCI DSS. |
| Findings Aggregation | Collects and normalizes alerts (called findings) from multiple AWS services and partner tools. |
| Multi-Account Management | Supports AWS Organizations for centralized security visibility across all accounts. |
| Integration & Automation | Integrates with AWS services and third-party tools for alerting, remediation, and workflow automation. |
Integrated AWS Services
Security Hub aggregates findings from:
| Source Service | Purpose |
|---|---|
| AWS Config | Compliance and configuration tracking (must be enabled first) |
| Amazon GuardDuty | Threat detection and anomaly analysis |
| Amazon Inspector | Vulnerability assessment |
| Amazon Macie | Sensitive data discovery |
| IAM Access Analyzer | Identifies risky permissions |
| AWS Systems Manager | Operational insights |
| AWS Firewall Manager | Network and firewall compliance |
| AWS Health | AWS account and resource health events |
| AWS Partner Tools | Security and compliance integrations |
Example Capabilities
- View compliance status in a single dashboard.
- Detect misconfigurations or vulnerabilities across accounts.
- Automate response actions via EventBridge or Lambda.
- Generate consolidated reports for audits and compliance reviews.
Key Points
- Requires AWS Config to be enabled.
- Aggregates data across multiple accounts and regions.
- Supports custom insights and automated workflows for remediation.
In short:
AWS Security Hub acts as the command center for your cloud security, unifying findings from AWS and partner services to give you complete visibility, compliance insights, and automated threat response.
09. Amazon Detective
Amazon Detective is a security analysis and investigation service that helps you analyze, visualize, and identify the root cause of security issues or suspicious activities across your AWS environment.
What Amazon Detective Does
| Feature | Description |
|---|---|
| Deeper Investigation | Helps you investigate findings from GuardDuty, Macie, and Security Hub to determine the true cause and impact. |
| Automated Data Collection | Continuously ingests and processes data from VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty. |
| Graph-Based Analysis | Uses machine learning (ML) and graph models to connect and analyze related events and entities. |
| Unified View | Combines events, activities, and relationships across AWS accounts into a single interactive interface. |
| Visual Context | Generates visualizations to understand the "who, what, when, and where" behind each incident. |
Example Use Cases
- Investigate suspicious API calls or unusual user behavior.
- Trace the source of an attack or data exfiltration attempt.
- Identify affected resources and related activities during a breach.
- Speed up incident response by providing contextual insights.
How It Works
- Findings Identified: GuardDuty, Macie, or Security Hub detect a potential issue.
- Data Collected: Detective automatically pulls in related logs and metrics.
- Graph Analysis: It builds an entity graph linking users, IPs, resources, and actions.
- Root Cause Visualization: You can explore interactive visual reports to pinpoint the cause.
Key Integrations
| Integrated Source | Data Type |
|---|---|
| VPC Flow Logs | Network traffic patterns |
| AWS CloudTrail | API call and user activity history |
| Amazon GuardDuty | Security findings and threat indicators |
In short:
Amazon Detective helps you quickly investigate and visualize security incidents, turning raw logs into meaningful insights that reveal the root cause and context behind suspicious activity.
10. AWS Abuse
AWS Abuse is the official channel for reporting abusive, malicious, or illegal activities originating from AWS resources or IP addresses.
Purpose
AWS provides the Abuse Reporting Service to help individuals or organizations report cases where AWS infrastructure is being misused, whether intentionally or unintentionally, to perform harmful or prohibited actions.
Common Types of Abuse
| Type | Description |
|---|---|
| Spam | Receiving unwanted or unsolicited emails from AWS-owned IPs, or websites hosted on AWS sending spam messages. |
| Port Scanning | AWS resources sending packets to discover open or unsecured network ports. |
| DoS / DDoS Attacks | AWS IPs attempting to flood, crash, or overwhelm your applications or servers. |
| Intrusion Attempts | Unauthorized login or hacking attempts on your systems. |
| Hosting Illegal or Copyrighted Content | Distribution of pirated, copyrighted, or objectionable material without consent. |
| Malware Distribution | AWS resources being used to spread malicious software designed to harm computers or networks. |
How to Report Abuse
If you suspect AWS infrastructure is being used abusively:
| Reporting Method | Description |
|---|---|
| AWS Abuse Form | Submit an online report through the official AWS Abuse portal. |
| Email | Send details to abuse@amazonaws.com including: source IP address, time and date (with timezone), nature of the abuse, and relevant logs or evidence. |
In short:
AWS Abuse is your go-to channel for reporting any malicious, abusive, or illegal behavior originating from AWS infrastructure, helping maintain a secure and trustworthy cloud ecosystem.