⚑ IT Wisdom I love Ansible. It's like telling someone exactly what to do and then watching them fail in 47 slightly different ways.
Skilled Practitioner
4249 XP 1751 to Expert

Key Concepts

  • Least Privilege: Grant only the minimum permissions needed β€” applies to IAM users, roles, and policies
  • IAM Roles vs Users: Roles are preferred for AWS services (EC2, Lambda, etc.); users for humans; never hardcode credentials
  • Resource-based vs Identity-based policies: Resource-based policies (S3 bucket policy, KMS key policy) attach to the resource; identity-based attach to the principal
  • SCPs (Service Control Policies): Applied at AWS Organizations level β€” they limit what accounts can do, but don't grant permissions
  • Permission Boundaries: Set the maximum permissions an IAM entity can have β€” useful for delegating admin without over-permissioning
  • Encryption at rest: Use KMS (managed keys) or SSE for S3, EBS, RDS, etc.
  • Encryption in transit: TLS/HTTPS β€” use ACM for certificates, enforce via bucket policies or ALB listeners
  • VPC Security Layers: Security Groups (stateful, instance level) + NACLs (stateless, subnet level)
  • Private vs Public Subnets: Public = internet-facing (IGW route); Private = no direct internet access, use NAT Gateway for outbound
  • Secrets Management: Use Secrets Manager (auto-rotation) or Parameter Store (cheaper, no auto-rotation natively)
  • WAF: Protects against Layer 7 attacks (SQLi, XSS) β€” attach to CloudFront, ALB, or API Gateway
  • Shield: DDoS protection β€” Standard (free, always on) vs Advanced (paid, 24/7 response team)
  • GuardDuty: Threat detection using logs (CloudTrail, VPC Flow Logs, DNS) β€” no agents needed
  • CloudTrail: Logs all API calls β€” critical for auditing and forensics; enable in all regions

How It Works

Request Authorization Flow: 1. AWS evaluates all applicable policies (SCP β†’ Permission Boundary β†’ Identity Policy β†’ Resource Policy) 2. Explicit Deny always wins β€” anywhere in the chain 3. Default is implicit deny β€” nothing is allowed unless explicitly permitted

VPC Traffic Flow: - Inbound: Internet β†’ IGW β†’ NACL (subnet) β†’ Security Group (instance) - Security Groups are stateful (return traffic auto-allowed) - NACLs are stateless (must explicitly allow inbound AND outbound rules)

KMS Envelope Encryption: - Data is encrypted with a data key, which is itself encrypted by the KMS CMK - Decryption requires calling KMS to unwrap the data key first


Commands / Syntax / Key Values

Service / Feature Key Detail
S3 Block Public Access Account-level setting overrides bucket policies
S3 Server-Side Encryption SSE-S3 (AWS managed), SSE-KMS (audit trail), SSE-C (customer key)
Security Group rules Stateful β€” allow inbound = return traffic automatic
NACL rules Stateless β€” need explicit allow for BOTH directions; evaluated in number order
KMS Key rotation Automatic annual rotation for CMKs (enable manually)
IAM policy evaluation Deny > Allow; no policy = implicit deny
Secrets Manager Supports auto-rotation via Lambda
Parameter Store SecureString type = KMS encrypted
VPC Endpoint Gateway (S3, DynamoDB β€” free) vs Interface (most services β€” uses PrivateLink, has cost)

Exam Gotchas

  1. SCPs don't grant permissions β€” even if SCP allows something, IAM policies must also allow it. An SCP is a guardrail, not a grant.
  2. NACLs are stateless β€” a common trap is allowing inbound traffic but forgetting the outbound rule (especially ephemeral ports 1024–65535 for responses).
  3. Security Groups can't explicitly deny β€” you can only allow; to block specific IPs you need NACLs.
  4. Secrets Manager β‰  Parameter Store β€” if the question mentions automatic rotation, answer is Secrets Manager. If cost-sensitive or simple config, use Parameter Store.
  5. **IAM
My Notes
Edit your saved notes here. Saving replaces what is stored.
Add More Notes
Paste new content here. It will be added below your existing notes β€” nothing gets overwritten.
← Back to Course Practice This Topic