Security

Security in AWS is a shared responsibility. AWS secures the infrastructure; you secure what you build on top of it. These notes cover the core concepts and AWS services for identity, access, encryption, and threat detection.


  • IAM
    Identity and Access Management. AWS Organizations, SCPs, permission evaluation order, roles vs users, and identity federation.

  • Cryptography
    Symmetric vs asymmetric encryption, SSH key auth, TLS handshake, hashing with salt, KMS envelope encryption, and quantum threats.

  • Security Tools
    GuardDuty, Inspector, WAF, Wireshark, nmap, and the attack patterns you're defending against.


The Shared Responsibility Model

AWS is responsible for security OF the cloud:
  -> Physical data centres (locks, guards, power)
  -> Hardware (servers, networking gear)
  -> Virtualisation layer (Nitro hypervisor)
  -> Global infrastructure (Regions, AZs, Edge)

You are responsible for security IN the cloud:
  -> Data (encryption at rest and in transit)
  -> IAM (who has access to what)
  -> OS patching (on EC2)
  -> Network config (VPC, Security Groups, NACLs)
  -> Application security (your code, your configs)

It shifts by service:
  EC2 (IaaS)    -> you own OS, middleware, app security
  RDS (PaaS)    -> AWS manages OS + engine, you own data + access
  Lambda        -> AWS manages runtime, you manage code + config
  S3            -> AWS manages infra, you manage access policies

Security Mindset

Least privilege:    Grant only the permissions actually needed
Defence in depth:   Multiple layers -- if one fails, others hold
Zero trust:         Verify every request, never assume internal = safe
Encrypt everything: At rest and in transit, always
Assume breach:      Design systems assuming an attacker is already inside