
Cloud Security Lab

Identity, encryption, network security, and compliance for CLF-C02

1. Shared Responsibility Model

25 minutes
Objective: Understand the division of security responsibilities between cloud providers and customers.

AWS Shared Responsibility

SHARED RESPONSIBILITY MODEL
═══════════════════════════════════════════════════════════

CUSTOMER RESPONSIBILITY (Security IN the Cloud)
┌─────────────────────────────────────────────────────────────┐
│ Customer Data                                               │
├─────────────────────────────────────────────────────────────┤
│ Platform, Applications, Identity & Access Management        │
├─────────────────────────────────────────────────────────────┤
│ Operating System, Network & Firewall Configuration          │
├─────────────────────────────────────────────────────────────┤
│ Client-Side Encryption │ Server-Side Encryption             │
│ Network Traffic Protection                                  │
└─────────────────────────────────────────────────────────────┘

═══════════════════════════════════════════════════════════

AWS RESPONSIBILITY (Security OF the Cloud)
┌─────────────────────────────────────────────────────────────┐
│ Software: Compute │ Storage │ Database │ Networking         │
├─────────────────────────────────────────────────────────────┤
│ Hardware/AWS Global Infrastructure                          │
│ Regions │ Availability Zones │ Edge Locations               │
└─────────────────────────────────────────────────────────────┘

Responsibility by Service Type

Service Type   Example               Customer Manages                  AWS Manages
IaaS           EC2                   OS, apps, data, network config    Hardware, hypervisor
PaaS           Elastic Beanstalk     Apps, data                        Runtime, OS, infrastructure
SaaS           AWS Trusted Advisor   Data access controls              Everything else
Serverless     Lambda                Code, data, IAM                   Compute, network, runtime, OS patching

Tasks

  • List 3 security tasks that are ALWAYS your responsibility
  • List 3 security tasks that AWS handles for you
  • Compare EC2 vs Lambda responsibilities (what changes?)
  • Identify who is responsible for patching EC2 operating systems
2. Identity & Access Management (IAM)

40 minutes
Objective: Master IAM users, groups, roles, and policies for secure access control.

IAM Components

Users

Individual identities representing people or workloads. A user can have a console password and up to two long-term access keys. Long-term keys are the credentials most often leaked, so prefer roles for workloads and federation (IAM Identity Center) for people wherever possible.

Groups

Collections of users with shared permissions. Attach policies to groups, not individual users.

Roles

An identity that is assumed rather than owned. The role's trust policy says who may assume it (an EC2 instance profile, a Lambda function, a principal in another account, a federated identity); whoever assumes it receives short-lived STS credentials that expire automatically. There are no long-term credentials to rotate or leak.

Policies

JSON documents that define permissions. Identity-based policies attach to users, groups, and roles and come as AWS-managed, customer-managed, or inline. Resource-based policies (S3 bucket policies, KMS key policies) attach to the resource itself and name the principal instead.

IAM Policy Example

// S3 Read-Only Policy
// ListBucket is a bucket-level action, GetObject an object-level one,
// so each statement names only the resource its action applies to.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    },
    {
      "Sid": "AllowGetObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
Policy Evaluation: every request starts as an implicit deny. The request is allowed only if some applicable policy contains a matching Allow, and an explicit Deny in any applicable policy (identity policy, resource policy, SCP, or permissions boundary) overrides every Allow. Apply least privilege: grant only the actions and resources the task needs, and scope them further with conditions where possible.
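The evaluation rule above is easy to state and easy to get wrong in practice (for example, assuming that a NotAction exemption grants something). The evaluator below is an added example written for this lab, not AWS code or the real IAM engine: it implements implicit deny, explicit-deny-wins, wildcard Action/Resource matching, NotAction, and the StringEquals/StringNotEquals/Bool condition operators, then runs the page's S3 read-only policy together with an SCP-style region deny of the kind used later in this lab. The sample policies, bucket name and request contexts are constructed; resource-based policies, permissions boundaries and the full IAM rules for missing condition keys are deliberately not modelled.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Implements the documented decision order for identity-based policies in
one account: implicit deny by default, any matching explicit Deny wins,
otherwise a single matching Allow is enough.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    """IAM wildcards: '*' matches any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _action_matches(stmt, action):
    # Action names are case-insensitive; NotAction inverts the match.
    action = action.lower()
    if "Action" in stmt:
        return _glob_match([a.lower() for a in _as_list(stmt["Action"])], action)
    return not _glob_match([a.lower() for a in _as_list(stmt["NotAction"])], action)


def _resource_matches(stmt, resource):
    if "Resource" in stmt:
        return _glob_match(_as_list(stmt["Resource"]), resource)
    return not _glob_match(_as_list(stmt["NotResource"]), resource)


# Condition operators this toy supports. Each takes (request value, policy
# values) and returns True when the condition is satisfied.
_OPERATORS = {
    "StringEquals": lambda got, want: got in want,
    "StringNotEquals": lambda got, want: got not in want,
    "Bool": lambda got, want: str(got).lower() == str(want[0]).lower(),
}
_NEGATED = {"StringNotEquals"}


def _conditions_hold(stmt, context):
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if key not in context:
                # Simplification: a missing key satisfies negated operators
                # and fails the others (real IAM has further special cases).
                if operator in _NEGATED:
                    continue
                return False
            if not _OPERATORS[operator](context[key], _as_list(expected)):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt, action)
                    and _resource_matches(stmt, resource)
                    and _conditions_hold(stmt, context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit Deny beats every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: implicit deny


# Constructed sample policies; the bucket name is a placeholder.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::my-bucket"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_OUTSIDE_US_EAST_1 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}},
    }],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/reports/q1.csv"
    print(evaluate([S3_READ_ONLY], "s3:PutObject", obj))                    # Deny (implicit)
    print(evaluate([S3_READ_ONLY, DENY_OUTSIDE_US_EAST_1], "s3:GetObject",
                   obj, {"aws:RequestedRegion": "eu-west-1"}))               # Deny (explicit)
```

Two cases are worth dwelling on: `iam:ListUsers` is exempt from the region deny via NotAction, yet is still denied when only the S3 policy is attached, because an exemption from a Deny is not an Allow; and once `ADMIN` is attached, `ec2:RunInstances` in eu-west-1 is still denied, because the explicit Deny is checked regardless of how permissive the Allow is.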

IAM Best Practices

IAM Security Best Practices
═══════════════════════════════════════════════════════════
 ✓ Enable MFA for all users (especially the root account)
 ✓ Use roles for applications, not long-term access keys
 ✓ Rotate credentials regularly
 ✓ Apply the least privilege principle
 ✓ Use IAM Access Analyzer to review permissions
 ✓ Never share credentials between users
 ✓ Use groups to manage permissions
 ✓ Monitor with CloudTrail
═══════════════════════════════════════════════════════════
Root Account Protection:
┌───────────────────────────────────────────────────────┐
│ ✗ Do NOT use for daily tasks                          │
│ ✓ Enable hardware MFA                                 │
│ ✓ Lock away access keys (delete if possible)          │
│ ✓ Use a separate admin identity for daily work        │
└───────────────────────────────────────────────────────┘
The daily-use admin identity should be an IAM Identity Center (SSO) user where that is available, or an IAM user protected by MFA; the root user is reserved for the handful of tasks that require it (account closure, billing settings, some support operations).

Tasks

  • Write an IAM policy that allows EC2 read-only access
  • Explain when to use a Role vs a User
  • Describe the policy evaluation logic (Allow vs Deny)
  • List 5 IAM best practices from memory
3. Encryption & Data Protection

35 minutes
Objective: Understand encryption at rest, in transit, and key management with AWS KMS.

Encryption Types

Encryption at Rest

Data encrypted on the storage medium (S3, EBS, RDS). AWS services use AES-256; the key is either an AWS managed key (one per service, e.g. aws/s3) or a customer managed KMS key (historically called a CMK) that you create, control through its key policy, and can audit in CloudTrail.

Encryption in Transit

Data encrypted while moving over the network. AWS API endpoints use TLS, but S3 still accepts plain HTTP unless a bucket policy forbids it. For hybrid connectivity a Site-to-Site VPN encrypts traffic with IPsec; Direct Connect is a private circuit, not an encrypted one, so pair it with a VPN (or MACsec on supported ports) when the traffic needs encryption.

Client-Side Encryption

Data encrypted before it leaves your environment (for example with the AWS Encryption SDK or S3 client-side encryption). AWS stores only ciphertext and never sees the plaintext; if the key is held outside KMS, AWS never sees the key either. Maximum control, but you own key storage, rotation, and the consequences of key loss.

AWS Key Management Service (KMS)

AWS KMS Architecture
═══════════════════════════════════════════════════════════
Key Types:
┌─────────────────────────────────────────────────────────┐
│ AWS Managed Keys (aws/service)                          │
│   └─ Created and managed by AWS for each service        │
│   └─ Automatic rotation (yearly)                        │
│   └─ No monthly key fee (API requests are billed)       │
├─────────────────────────────────────────────────────────┤
│ Customer Managed Keys (formerly "CMK")                  │
│   └─ Created by you, full control via the key policy    │
│   └─ Manual or automatic rotation                       │
│   └─ $1/month per key + usage                           │
├─────────────────────────────────────────────────────────┤
│ Imported Key Material (bring your own key)              │
│   └─ You generate the key material externally           │
│   └─ Manual rotation only                               │
│   └─ Maximum control, maximum responsibility            │
└─────────────────────────────────────────────────────────┘
═══════════════════════════════════════════════════════════
Envelope Encryption:
        [KMS key (never leaves KMS)]
                   │
                   │ encrypts
                   ▼
        [Data Encryption Key (DEK)]
                   │
                   │ encrypts
                   ▼
               [Your Data]
═══════════════════════════════════════════════════════════
The data key is produced by KMS (GenerateDataKey) and returned twice: in plaintext, which the client uses to encrypt the object and then discards, and encrypted under the KMS key, which is stored alongside the ciphertext. To read the object, the client sends only the encrypted data key back to KMS (Decrypt). The KMS key itself never leaves the service, so large objects are encrypted locally and only 32-byte data keys cross the KMS API; rotating the KMS key does not require re-encrypting existing data, because KMS keeps older key material to unwrap older data keys.
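The envelope flow above, as an added example written for this lab (not AWS, KMS or AWS Encryption SDK code). `FakeKms` is a hypothetical in-process stand-in whose root key material never leaves the object; it hands out one data key per object, binds the encryption context to the wrapped key as additional authenticated data the way KMS does, and keeps old key versions after rotation. Because the Python standard library has no AES-GCM, the data cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag; that choice is a stand-in for a real AEAD and does not change the pattern. The bucket/key names are constructed.

```python
"""Envelope encryption walk-through (added example, not AWS or KMS code)."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def _subkeys(key):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key, plaintext, aad=b""):
    """Stand-in AEAD (no AES in the stdlib). Output: nonce || tag || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # tampered data, wrong key or wrong context
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _context_bytes(encryption_context):
    """KMS binds the encryption context to the ciphertext as AAD; canonicalise it."""
    return json.dumps(encryption_context, sort_keys=True).encode()


class FakeKms:
    """Hypothetical in-process stand-in for one symmetric KMS key with rotation."""

    def __init__(self):
        self._material = [secrets.token_bytes(32)]   # list index = key-material version

    def rotate_key(self):
        """Like automatic KMS rotation: new material, old versions kept for Decrypt."""
        self._material.append(secrets.token_bytes(32))

    def generate_data_key(self, encryption_context):
        """Return (plaintext DEK, DEK wrapped under the current key version)."""
        dek = secrets.token_bytes(32)
        version = len(self._material) - 1
        wrapped = version.to_bytes(2, "big") + aead_encrypt(
            self._material[version], dek, _context_bytes(encryption_context))
        return dek, wrapped

    def decrypt(self, wrapped, encryption_context):
        version = int.from_bytes(wrapped[:2], "big")
        return aead_decrypt(self._material[version], wrapped[2:],
                            _context_bytes(encryption_context))


def encrypt_object(kms, plaintext, encryption_context):
    """Client side of envelope encryption; only the wrapped DEK is persisted."""
    dek, wrapped_dek = kms.generate_data_key(encryption_context)
    ciphertext = aead_encrypt(dek, plaintext)
    del dek                                      # the plaintext DEK is never stored
    return {"wrapped_dek": wrapped_dek, "ciphertext": ciphertext,
            "context": encryption_context}


def decrypt_object(kms, record):
    """Return the plaintext, or None if KMS or the data layer rejects the record."""
    try:
        dek = kms.decrypt(record["wrapped_dek"], record["context"])
        return aead_decrypt(dek, record["ciphertext"])
    except ValueError:
        return None


if __name__ == "__main__":
    kms = FakeKms()
    ctx = {"bucket": "my-bucket", "key": "reports/q1.csv"}   # constructed
    rec = encrypt_object(kms, b"quarterly numbers", ctx)
    kms.rotate_key()                                         # old objects still decrypt
    print(decrypt_object(kms, rec))
    print(decrypt_object(kms, dict(rec, context={"bucket": "other"})))   # None
```

Note what the encryption context buys you: the same wrapped data key presented with a different context fails to unwrap, so a ciphertext copied from one object to another cannot be decrypted by a caller who is only authorised for the second object; that is also why the context is logged in CloudTrail for every KMS call.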

Service Encryption Options

Service     Encryption at Rest                          Encryption in Transit
S3          SSE-S3, SSE-KMS, SSE-C                      HTTPS (enforced via bucket policy)
EBS         KMS encryption (one-click)                  Encrypted between EC2 and EBS
RDS         KMS encryption, chosen at creation          SSL/TLS connections
DynamoDB    Enabled by default (AWS owned key;          HTTPS endpoints
            customer managed KMS key optional)

Tasks

  • Explain the difference between SSE-S3, SSE-KMS, and SSE-C
  • Describe envelope encryption and why it's used
  • List 3 services that encrypt data at rest by default
  • Write an S3 bucket policy that enforces HTTPS-only access
4. Network Security

40 minutes
Objective: Implement defense in depth using VPC security groups, NACLs, and WAF.

Defense in Depth

VPC Network Security Layers
═══════════════════════════════════════════════════════════
                        Internet
                            │
                            ▼
┌───────────────────────────────────────────────────────┐
│                        AWS WAF                        │
│           (Layer 7 - Application Firewall)            │
│    SQL Injection │ XSS │ Rate Limiting │ Geo Block    │
└───────────────────────────┬───────────────────────────┘
                            │
┌───────────────────────────▼───────────────────────────┐
│                      AWS Shield                       │
│                   (DDoS Protection)                   │
│      Standard (free) │ Advanced (paid, 24/7 DRT)      │
└───────────────────────────┬───────────────────────────┘
                            │
┌───────────────────────────▼───────────────────────────┐
│                   Internet Gateway                    │
└───────────────────────────┬───────────────────────────┘
                            │
┌───────────────────────────▼───────────────────────────┐
│                  Network ACL (NACL)                   │
│          (Subnet-level, stateless firewall)           │
│          Allows/Denies by IP, port, protocol          │
└───────────────────────────┬───────────────────────────┘
                            │
┌───────────────────────────▼───────────────────────────┐
│                  Security Group (SG)                  │
│          (Instance-level, stateful firewall)          │
│               Only ALLOW rules, no DENY               │
└───────────────────────────┬───────────────────────────┘
                            │
                            ▼
                      [EC2 Instance]

Security Groups vs NACLs

Feature       Security Group                             Network ACL
Level         Instance (ENI)                             Subnet
State         Stateful                                   Stateless
Rules         Allow only                                 Allow and Deny
Evaluation    All rules evaluated; any match allows      Ascending rule number; first match wins
Default       Default SG: deny all inbound,              Default NACL: allow all; a custom NACL
              allow all outbound                         starts by denying all
Stateful vs Stateless: a Security Group remembers connections it has allowed, so return traffic is allowed regardless of the rules in the other direction. A NACL inspects every packet in isolation, so it needs explicit rules in both directions, including an outbound rule for the ephemeral port range (1024-65535) that clients use for their side of the connection.

Security Group Example

# Web Server Security Group
Inbound Rules:
┌──────────┬─────────────┬─────────────────┬──────────────────┐
│ Type     │ Protocol    │ Port Range      │ Source           │
├──────────┼─────────────┼─────────────────┼──────────────────┤
│ HTTP     │ TCP         │ 80              │ 0.0.0.0/0        │
│ HTTPS    │ TCP         │ 443             │ 0.0.0.0/0        │
│ SSH      │ TCP         │ 22              │ 10.0.0.0/16      │
└──────────┴─────────────┴─────────────────┴──────────────────┘
Outbound Rules:
┌──────────┬─────────────┬─────────────────┬──────────────────┐
│ Type     │ Protocol    │ Port Range      │ Destination      │
├──────────┼─────────────┼─────────────────┼──────────────────┤
│ All      │ All         │ All             │ 0.0.0.0/0        │
└──────────┴─────────────┴─────────────────┴──────────────────┘
The outbound "All" rule is the default and is worth tightening on anything that handles sensitive data, since it is what a compromised instance uses to reach a command-and-control server. SSH open to the whole VPC CIDR is fine for a lab; in production, reference a bastion host's security group as the source, or use Systems Manager Session Manager and do not open port 22 at all.
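The stateful/stateless distinction from the comparison table, simulated in code. This is an added example written for this lab, not AWS code: it models just enough of a Security Group and a Network ACL to show that a locked-down SG still passes the reply to an allowed HTTPS request, that a NACL which merely mirrors its inbound rule outbound drops that same reply until an ephemeral-port rule is added, and that NACL rule numbers decide the outcome when a deny and an allow overlap. All addresses, ports and rule sets are constructed test data.

```python
"""Stateful vs stateless filtering, simulated (added example, not AWS code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """Return traffic for this packet: same flow, endpoints swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny" (Security Groups only use "allow")
    proto: str           # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str            # source for inbound rules, destination for outbound
    number: int = 0      # NACL rule number; ignored by Security Groups


def _matches(rule, packet, direction):
    remote = packet.src_ip if direction == "in" else packet.dst_ip
    return (rule.proto in ("all", packet.proto)
            and rule.port_from <= packet.dst_port <= rule.port_to
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic passes automatically."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()

    def allows(self, packet, direction):
        if packet.reply() in self._flows:           # return traffic of a tracked flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(_matches(r, packet, direction) for r in rules):   # every rule is checked
            self._flows.add(packet)
            return True
        return False                                # no deny rules: implicit deny only


class NetworkAcl:
    """Stateless: each packet is judged on its own, lowest rule number first."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, packet, direction):
        for rule in self.inbound if direction == "in" else self.outbound:
            if _matches(rule, packet, direction):
                return rule.action == "allow"       # first match wins
        return False                                # the catch-all '*' deny


ANY = "0.0.0.0/0"
WEB = Packet("203.0.113.10", 51515, "10.0.1.5", 443)   # constructed client -> web server


def https_exchange(firewall):
    """(request allowed?, reply allowed?) for one HTTPS round trip."""
    return firewall.allows(WEB, "in"), firewall.allows(WEB.reply(), "out")


def ssh_probe(acl, src_ip):
    return acl.allows(Packet(src_ip, 40000, "10.0.1.5", 22), "in")


# Outbound rules deliberately empty: the reply still passes because the SG is stateful.
WEB_SG = SecurityGroup(inbound=[Rule("allow", "tcp", 443, 443, ANY)], outbound=[])

# Common mistake: mirrors the inbound rule outbound and forgets ephemeral ports.
NACL_BROKEN = NetworkAcl(
    inbound=[Rule("allow", "tcp", 443, 443, ANY, 100)],
    outbound=[Rule("allow", "tcp", 443, 443, ANY, 100)])

NACL_FIXED = NetworkAcl(
    inbound=[Rule("allow", "tcp", 443, 443, ANY, 100)],
    outbound=[Rule("allow", "tcp", 443, 443, ANY, 100),
              Rule("allow", "tcp", 1024, 65535, ANY, 110)])   # reply ports

# Ordering: the deny numbered below the allow is evaluated first for that range.
NACL_SSH = NetworkAcl(
    inbound=[Rule("deny", "tcp", 22, 22, "198.51.100.0/24", 100),
             Rule("allow", "tcp", 22, 22, "10.0.0.0/16", 110)],
    outbound=[Rule("allow", "all", 0, 65535, ANY, 100)])

if __name__ == "__main__":
    for name, fw in [("SG", WEB_SG), ("NACL broken", NACL_BROKEN), ("NACL fixed", NACL_FIXED)]:
        print(name, https_exchange(fw))
```

If you swap the two rule numbers in `NACL_SSH` the probe from 198.51.100.0/24 is no longer denied, because rule 100 (now the allow) matches first; the same edit to a Security Group would be a no-op, since SGs have no deny rules and no ordering.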

Tasks

  • Design a security group for a 3-tier architecture (web, app, db)
  • Explain why NACLs need both inbound and outbound rules
  • List 3 use cases for AWS WAF rules
  • Compare AWS Shield Standard vs Advanced
5. AWS Security Services

35 minutes
Objective: Understand AWS native security services for monitoring, detection, and compliance.

Security Monitoring & Detection

AWS CloudTrail

Records the API calls made in the account: who did what, when, from which IP address, and with which credentials. Management events are logged by default; data events (S3 object access, Lambda invocations) must be enabled and are billed separately. Deliver to S3 with log file validation enabled, and optionally to CloudWatch Logs. It is the primary evidence source for auditing and forensics.

Amazon GuardDuty

Threat detection using threat-intelligence feeds, anomaly detection, and ML. Consumes CloudTrail events, VPC Flow Logs, and DNS logs directly, without you having to enable those logs yourself. Detects compromised instances (crypto-mining, command-and-control traffic), reconnaissance (port scans, brute-force attempts), and credential misuse such as instance credentials being used from outside AWS.

AWS Security Hub

Centralized security dashboard. Aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and partner tools into one format (ASFF), and runs automated checks against standards such as the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark.

Amazon Inspector

Automated vulnerability assessment. Scans EC2, ECR, Lambda for CVEs and network exposure.

Amazon Macie

Discovers and protects sensitive data in S3. Uses ML to identify PII, financial data, credentials.

Security Services Map

AWS Security Services Ecosystem
═══════════════════════════════════════════════════════════
┌─────────────────────────────────────────────────────────┐
│                      SECURITY HUB                       │
│                  (Central Aggregation)                  │
└────────────────────────────┬────────────────────────────┘
                             │
        ┌──────────┬─────────┴──────────┬──────────┐
        ▼          ▼                    ▼          ▼
    GuardDuty  Inspector              Macie     Config
    (Threats)   (Vulns)               (Data)  (Compliance)
        │          │                    │          │
        └──────────┴─────────┬──────────┴──────────┘
                             │
┌────────────────────────────┴────────────────────────────┐
│                        CloudTrail                       │
│                    (Audit & Logging)                    │
└─────────────────────────────────────────────────────────┘
═══════════════════════════════════════════════════════════
Detection & Response:
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  GuardDuty  │────►│ EventBridge │────►│   Lambda    │
│  (Detect)   │     │   (Route)   │     │  (Respond)  │
└─────────────┘     └─────────────┘     └─────────────┘
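The Detect → Route → Respond chain above, worked through in code. This is an added example written for this lab, not AWS code: an EventBridge rule pattern that forwards only high-severity GuardDuty findings, and a Lambda handler whose decision logic is a pure function so it can be tested without an AWS account. The finding type strings are real GuardDuty types; the finding IDs, severities, instance ID, user name, access key ID and the `sg-quarantine` security group are constructed placeholders. By default the handler only plans and does not change anything; a real deployment would pass an `execute` callback that maps each step to the boto3 calls named in the docstring.

```python
"""Automated response to a GuardDuty finding (added example, not AWS code)."""

# EventBridge rule pattern: only findings with severity >= 7 reach the function.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

QUARANTINE_SG = "sg-quarantine"   # assumed: a security group with no rules at all


def plan_response(event):
    """Return an ordered list of (action, target) steps for one finding."""
    detail = event["detail"]
    severity = float(detail["severity"])
    resource = detail["resource"]
    plan = [("log", detail["type"])]
    if severity < 7:                      # low/medium: record it, no automatic change
        return plan
    if resource["resourceType"] == "Instance":
        instance = resource["instanceDetails"]["instanceId"]
        plan += [
            ("snapshot-volumes", instance),                          # preserve evidence first
            ("replace-security-groups", (instance, QUARANTINE_SG)),  # then isolate
            ("tag", (instance, "guardduty:quarantined")),
        ]
    elif resource["resourceType"] == "AccessKey":
        key = resource["accessKeyDetails"]
        plan += [
            ("deactivate-access-key", (key["userName"], key["accessKeyId"])),
            ("notify-oncall", key["userName"]),
        ]
    else:
        plan.append(("notify-oncall", resource["resourceType"]))
    return plan


def handler(event, context=None, execute=None):
    """Lambda entry point. `execute(action, target)` performs one step; when it is
    None nothing is changed (dry run). In production it would map steps to boto3
    calls such as ec2.modify_instance_attribute(InstanceId=..., Groups=[...]) and
    iam.update_access_key(UserName=..., AccessKeyId=..., Status="Inactive")."""
    plan = plan_response(event)
    for action, target in plan:
        if execute is not None:
            execute(action, target)
    return {"finding": event["detail"]["id"], "actions": [a for a, _ in plan]}


# Constructed sample events in the EventBridge envelope format.
C2_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "sample-finding-1", "severity": 8,
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
EXFIL_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "sample-finding-2", "severity": 8,
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"userName": "ci-deploy",
                                          "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    },
}
PROBE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "sample-finding-3", "severity": 2,
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    for event in (C2_EVENT, EXFIL_EVENT, PROBE_EVENT):
        print(handler(event, execute=lambda action, target: print("  ", action, target)))
```

The order of the instance steps is deliberate: snapshot before isolate, because swapping security groups changes the instance's state and you want the volumes captured as they were at detection time. Isolation by replacing security groups rather than stopping the instance keeps memory and running processes available to the forensics team.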

Tasks

  • Explain the difference between CloudTrail and CloudWatch Logs
  • List 3 types of threats GuardDuty can detect
  • Design an automated response to a GuardDuty finding
  • Identify which service to use for each scenario: vulnerability scanning, sensitive data discovery, API auditing
6. Compliance & Governance

30 minutes
Objective: Understand compliance frameworks, AWS Config, and governance best practices.

Compliance Frameworks

AWS publishes third-party audit reports, certifications, and attestations covering:

SOC 1/2/3 PCI DSS HIPAA FedRAMP GDPR ISO 27001 ISO 27017 ISO 27018
AWS Artifact: Self-service portal for accessing AWS compliance reports and agreements (BAA for HIPAA, GDPR DPA, etc.)

AWS Config

AWS Config - Continuous Compliance
═══════════════════════════════════════════════════════════
[AWS Resources]
       │
       │ Records configuration changes
       ▼
┌─────────────────┐
│   AWS Config    │
│   (Recorder)    │
└────────┬────────┘
         │
    ┌────┴──────────────┐
    ▼                   ▼
[Config Rules]   [Configuration History]
 (Evaluation)           │
    │                   ▼
    │              [S3 Bucket]
    │           (30-day snapshots)
    ▼
[Compliance Status]
    │
    │ Non-compliant?
    ▼
[SNS/EventBridge]
    │
    ▼
[Auto-Remediation]
  (SSM, Lambda)
═══════════════════════════════════════════════════════════
Example Config Rules:
┌─────────────────────────────────────────────────────────┐
│ • s3-bucket-public-read-prohibited                      │
│ • encrypted-volumes                                     │
│ • iam-password-policy                                   │
│ • rds-instance-public-access-check                      │
│ • restricted-ssh                                        │
│ • vpc-flow-logs-enabled                                 │
└─────────────────────────────────────────────────────────┘

AWS Organizations & SCPs

Service Control Policies (SCPs)

Guardrails for the accounts in an Organization. An SCP never grants access; it sets the maximum permissions available to every principal in the accounts it is attached to (the root, an OU, or a single account), including those accounts' root users. SCPs do not apply to the management account. Test region or service restrictions in a sandbox OU first: global services such as IAM, STS, CloudFront, and Route 53 are served from us-east-1 and need exemptions like the NotAction list below, and a Deny applied to the wrong OU can lock administrators out.

// SCP: Deny region outside us-east-1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideUSEast1",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1"]
        }
      }
    }
  ]
}

Tasks

  • List 3 compliance frameworks relevant to healthcare organizations
  • Write an SCP that prevents users from disabling CloudTrail
  • Identify 5 AWS Config rules for a security baseline
  • Explain how to set up auto-remediation for non-compliant resources

Security Reflection

Consider the following as you complete this lab:

  • How would you implement the principle of least privilege at scale?
  • What is your incident response plan for a compromised IAM credential?
  • How do you balance security controls with developer productivity?
  • What security metrics would you track to measure your security posture?