1.

Amazon API Gateway:

Amazon API Gateway.

Amazon API Gateway is a service provided by AWS that acts as a front door for your
applications to access data, business logic, or services. It helps you build and manage APIs
(Application Programming Interfaces) at any scale—whether you're connecting to
services within AWS, external web services, or your own backend systems.

Think of API Gateway as a bridge between your app and your backend services.

Architecture of API Gateway

What Does API Gateway Do?

API Gateway helps you:

● Create APIs (REST, HTTP, WebSocket).

● Deploy them to the cloud.
● Maintain and monitor them.
● Secure them with authentication and access control.

You can create APIs for:

● Your own mobile or web apps.

● Third-party apps that need to access your services.
● Internal systems that interact with AWS services.

Types of APIs Supported

API Type Description Use Case Example

REST API HTTP-based, stateless APIs CRUD operations on a database

 HTTP API Lightweight, fast alternative to REST Integrating Lambda functions

WebSocket Supports real-time, 2-way Chat apps, gaming, live updates

communication

Key Features of API Gateway

Here are some powerful tools and features built into API Gateway:

1. Stateful & Stateless APIs: Supports both WebSocket (stateful) and HTTP/REST
(stateless) APIs.
2. Authentication & Authorization:
○ IAM Policies (AWS identity-based access)
○ Lambda Authorizers (custom logic)
○ Amazon Cognito (user pools for authentication)
3. Canary Deployments: Gradually roll out updates to APIs with safety.
4. Monitoring Tools:
○ CloudTrail: Tracks API changes and user activity.
○ CloudWatch: Logs API usage, sets alarms for performance metrics.
5. Custom Domains: Use your own domain instead of AWS-generated URLs.
6. WAF (Web Application Firewall): Protect your APIs from common web attacks.
7. X-Ray: Trace API requests and understand latency problems.
8. AWS CloudFormation: Automate and template your API deployments.

How It Works in a Serverless Setup

Amazon API Gateway plays a big role in serverless applications. Here’s how it typically
works:

[ User's App ]
↓
[ API Gateway ]
↓
[ AWS Lambda ]
↓
[ AWS Services or Databases ]

● API Gateway receives the request from your app.

● It forwards it to a Lambda function.
● Lambda processes the request and returns the result via API Gateway.

This model is cost-effective, scalable, and fully managed, making it ideal for modern
apps.

Summary
Feature API Gateway Benefits
 Easy Quickly create, publish, and test APIs
Setup

Secure Supports IAM, Cognito, Lambda authorizers

Scalable Handles traffic automatically

Monitored Integrates with CloudWatch and X-Ray

Versatile Works with REST, HTTP, and WebSocket

APIs

2. Amazon VPC:

Amazon Virtual Private Cloud (VPC):

Amazon Virtual Private Cloud (Amazon VPC) lets you create a logically isolated virtual
network in the AWS Cloud. Think of it like building your own private, customizable data
center — but on AWS’s vast, scalable infrastructure.

What is Amazon VPC?

A VPC is your own private network space inside AWS, where you can launch resources
like EC2 instances, databases, or Lambda functions in a controlled, secure environment.
It works just like a traditional network in your on-premise data center but offers greater
flexibility, scalability, and availability.

How Amazon VPC Works (With Visualization)

When you create a VPC in the AWS Console, you can view a resource map that visually
represents your setup. For example, if you choose to create a VPC with basic resources
selected:

● You get an IPv4 and IPv6 CIDR block

● Subnets across 2 Availability Zones
● 3 Route tables
● An Internet Gateway
 ● A Gateway Endpoint

The diagram will show how public subnets route traffic to the Internet Gateway, allowing
public access, while private subnets stay internal.

What’s Inside a VPC?

Here’s how a typical VPC is structured:

┌─────────────────────────────┐
│ Amazon VPC │
│ (Your Private Cloud) │
└─────────────────────────────┘
│
┌────────────┬──────────────┐
▼ ▼ ▼
Subnet A Subnet B Subnet C (Optional)
(AZ-1) (AZ-2) (AZ-3)
│ │
EC2 Instance EC2 Instance
│ │
┌────────────┐ ┌────────────┐
│ Route Table│ │ Route Table│
└────────────┘ └────────────┘
│ │
▼ ▼
Internet Internet
Gateway Gateway

VPC Components—Building Blocks

IP Addressing

● You define an IP address range for your VPC using CIDR blocks like
10.0.0.0/16.
● Both IPv4 and IPv6 are supported.

Subnets

● Subnets are smaller networks within your VPC, tied to one Availability Zone (AZ).
● You can create:
○ Public Subnets—Connected to the internet
○ Private Subnets—Isolated from the internet

Route Tables
● Control the traffic flow inside and outside your VPC.
● Each subnet is linked to a route table that determines how packets travel.
● Example: A public subnet route table might have 0.0.0.0/0 → Internet Gateway.

Gateways
● Internet Gateway (IGW): Allows public access to the internet.
● NAT Gateway: Enables outbound-only internet for private subnets.
● VPC Endpoints: Connect to AWS services like S3 without using the internet.

Default vs Nondefault VPCs

Default VPC

● Automatically created for every region in new AWS accounts (after Dec 4, 2013).
● Includes:
○ One default subnet per AZ
○ Internet Gateway and Route Table
○ DNS settings for public IP and hostname resolution

Instances launched here have internet access by default.

Nondefault (Custom) VPC

● You create and configure it manually:

○ Set IP range, subnets, gateways
○ Control security settings
● Perfect for secure or private apps

How VPC Accesses the Internet

In a Default VPC

● Public subnets have direct internet access via Internet Gateway.

● EC2 instances get both private and public IPs.
In a Nondefault VPC

● Instances in private subnets don't get public IPs by default.

● You must:
○ Assign a public IP manually, or
○ Use Elastic IP with IGW
○ Use NAT Gateway to allow outbound internet only

Connecting VPC to Other Networks

To Corporate or Home Network

● Use Site-to-Site VPN (IPsec):

○ Two tunnels connect AWS to your on-prem network.
○ Uses Virtual Private Gateway (AWS side) and Customer Gateway (your
side).

Between VPCs

● VPC Peering: Direct private communication between VPCs.

● Transit Gateway: Acts like a regional router connecting multiple VPCs, VPNs, and
AWS Direct Connect.

Security in a VPC

● Security Groups: Virtual firewalls at the instance level.

● Network ACLs: Stateless filters at the subnet level.
● Flow Logs: Monitor and analyze IP traffic within the VPC

Summary Table
Component Function

CIDR Block Defines IP range for VPC

Subnets Divide the VPC; tied to Availability Zones

Route Tables Direct traffic flow via rules

Internet Gateway Enables public internet access

NAT Gateway Allows private subnets to access the internet (outbound

only)

VPC Peering Private connection between two VPCs

Transit Gateway Central hub to connect VPCs and networks

Site-to-Site VPN Connects VPC with on-prem network securely

Security Group Firewall for instances

Network ACL Firewall for subnets

AWS Backbone Network Secure, fast inter-region communication

Why Use Amazon VPC?

● ✅ Security: Full control over access and data flow

● ✅ Scalability: Expand your network anytime

● ✅ Flexibility: Design your architecture your way

● ✅ Cost-effective: No upfront hardware costs

● ✅ Private Networking: Leverages AWS’s ultra-reliable backbone

AWS Key Mangement Service(KMS)

Amazon RDS integrates automatically with AWS Key Management Service (AWS KMS)
to handle encryption keys. It uses a secure technique called envelope encryption, which
protects your database by encrypting the data encryption keys themselves using a master
key. (You can read more about this in the AWS KMS Developer Guide under Envelope
encryption.)

When encrypting your RDS DB instances, you have two choices for the type of KMS key
you want to use:

1. Customer managed keys (CMKs): These are created and controlled by you. You
can manage their permissions, enable automatic rotation, and even delete them
when no longer needed.
2. AWS managed keys: These are created and controlled by AWS on your behalf. The
default key for RDS is called aws/rds, and while it simplifies things, you cannot
manage, rotate, or delete it.

To handle encryption key operations, you can use the AWS KMS console, AWS CLI, or the
AWS KMS API. If you want to track who used which key and when, AWS CloudTrail helps
by logging every action related to both customer- and AWS-managed keys.

Authorizing Use of Customer Managed Keys

When you create or modify an RDS resource using a customer-managed key, RDS acts on
your behalf, which means you (or the user) need permission to interact with that key.
Specifically, you need permission to run these two operations:

● kms:CreateGrant
● kms:DescribeKey

You can grant these permissions using key policies or IAM policies, depending on your
setup. If you want to tighten access, you can add conditions. For example, using the
kms:ViaService condition key with the value rds.<region>.amazonaws.com ensures
the key can only be used by RDS within a particular Region.

You can also control access by checking the encryption context, which is metadata AWS
adds during encryption to verify the right service and use case.

Understanding the Encryption Context

The encryption context helps maintain security and transparency. It’s like a tag that goes
along with every encryption/decryption request, helping AWS KMS validate and log usage
correctly. If this context doesn’t match during decryption, the operation fails adding an extra
layer of security.

RDS always includes the DB instance ID in the encryption context. For example:

{ "aws:rds:db-id": "db-CQYSMDPBRZ7BPMH7Y3RTDG5QY" }

If a KMS key is used with both RDS and Amazon EBS (for the underlying storage volumes),
the encryption context includes both the DB instance ID and the EBS volume ID, like this:

{
"aws:rds:db-id": "db-BRG7VYS3SVIFQW7234EJQOM5RQ",
"aws:ebs:id": "vol-ad8c6542"
}

AWS Key Management Service (KMS) is a secure and fully managed service that helps
you create, control, and manage encryption keys. KMS keys are protected by FIPS 140-3
Level 3 validated hardware and never leave AWS unencrypted. It simplifies the protection of
root keys used to encrypt data keys. You can also manage access through key policies.
AWS KMS is available in multiple Regions, has no upfront costs, and is backed by a service
level agreement (SLA) for availability.
Amazon CloudFront:-
Amazon CloudFront is a content delivery network (CDN) that speeds up the distribution of
both static and dynamic web content—such as HTML, CSS, JavaScript, and image files. It
delivers this content to users through a global network of data centers called edge
locations.

How CloudFront Works

 When a user requests content (e.g., an image or webpage), CloudFront routes the
request to the nearest edge location to minimize latency.
 If the requested file is already cached at that edge location, CloudFront delivers it
instantly.
 If it’s not cached, CloudFront fetches it from the origin server you define—this could
be an Amazon S3 bucket, MediaPackage channel, or your own HTTP server
(custom origin).

This helps reduce the number of hops across the internet, resulting in faster loading
speeds, lower latency, higher data transfer rates, and increased reliability.

Key Features and Benefits

 Global Edge Network
CloudFront has numerous edge locations worldwide, allowing it to serve content
closer to users for fast access.
 High Performance
Content is delivered through the AWS global backbone, bypassing slow or
congested paths on the internet.
 Content Caching
Files are cached at edge locations. If they're not available there, they’re fetched from
the origin and cached for future use.
 Supports Static and Dynamic Content
You can deliver images, video streams, HTML, and even dynamic content like API
responses.
 Custom Domain Name Support
You can use either the CloudFront domain (e.g., d123.cloudfront.net) or your own
domain (e.g., www.example.com).
Setting Up CloudFront
1. Choose an Origin Server
o This can be Amazon S3, an EC2 instance, or your own server (like Apache or
NGINX).
o Origin contains the original version of your content (e.g., files, videos, APIs).

2. Create a CloudFront Distribution

o This connects your content with CloudFront.
o You define details like origin location, cache behavior, logging, and
distribution settings.

3. CloudFront Assigns a Domain Name

o CloudFront gives a unique URL for your distribution (e.g.,
d123.cloudfront.net/logo.jpg).
o You can optionally use your own custom domain.

4. Distribute Your Content

o Use the CloudFront domain or your custom domain in your app or website
links.
o CloudFront handles caching, routing, and content delivery automatically.

Caching and Expiration

 By default, files remain cached in an edge location for 24 hours.
 You can customize caching behavior by setting headers or metadata from your
origin.
 Cache time can be as short as 0 seconds or set to any longer period as needed.

Use Cases for CloudFront

 Websites and Web Apps – Deliver fast-loading pages, images, and resources to
users worldwide.
 Streaming Media – Distribute video and audio with low latency.
 Software Distribution – Serve downloadable content like software packages or
updates.
 API Acceleration – Speed up API responses using caching and edge network
proximity.

Pricing
CloudFront pricing is based on usage:
 Data transferred out to the internet.
 Number of HTTP/HTTPS requests.
 Regional edge location costs.
There is no upfront fee; you pay only for what you use. It’s also eligible for the AWS
Free Tier.

Additional Notes
 CloudFront can be integrated with AWS SDKs for seamless development.
  Technical resources such as API docs and CLI commands are available to automate
and manage your distributions.
 Supports private content delivery using signed URLs or signed cookies for
access control.

Conclusion
Amazon CloudFront makes your website or application faster, more reliable, and scalable by
serving your content from locations closest to your users. With global reach, customizable
caching, and flexible origin support, it’s a powerful tool to boost content delivery and user
experience across the world.

Direct Connect:-
AWS Direct Connect is a cloud service that links your on-premises network directly to
AWS, using a dedicated fiber-optic connection. It allows you to bypass internet service
providers, resulting in more consistent network performance, lower latency, and better
security for accessing AWS services.

With Direct Connect, you can create virtual interfaces (VIFs) to access AWS public
services like Amazon S3 or to Amazon VPCs, based on your use case.

How It Works
 You set up a dedicated connection between your network and an AWS Direct
Connect location.
 One end of the connection is your router, and the other end connects to an AWS
router.
 You can then configure virtual interfaces (VIFs) to route traffic to specific AWS
services.
 AWS Direct Connect uses Edge Routers located in AWS Direct Connect facilities
worldwide.

Key Components
1. Connection
 o A physical link from your on-premises router to AWS Direct Connect’s router.
o Can be dedicated or hosted by an AWS Partner.
2. Virtual Interfaces (VIFs)
o Enable communication with AWS services.
o You must create at least one VIF to use your Direct Connect connection.

Types of Virtual Interfaces

1. Private VIF
o Connects to a VPC using private IP addresses.
o Can be linked to a Direct Connect Gateway to reach multiple VPCs across
Regions/accounts.

2. Public VIF
o Used to access AWS public services (like S3, DynamoDB) via public IP
addresses.
o Provides global access to AWS services in all public Regions.

3. Transit VIF
o Connects to one or more Transit Gateways using a Direct Connect
Gateway.
o Enables large-scale multi-account, multi-region VPC networking.

Network Requirements
To use Direct Connect, your network setup must include:
 Single-mode fiber with the appropriate Ethernet transceivers:
o 1G: 1000BASE-LX
o 10G: 10GBASE-LR
o 100G: 100GBASE-LR4
o 400G: 400GBASE-LR4
 802.1Q VLAN encapsulation support across all devices.
 BGP (Border Gateway Protocol) support with MD5 authentication.
 Optional: BFD (Bidirectional Forwarding Detection) for faster failover.
 Supports both IPv4 and IPv6 protocols.
 Supports jumbo frames (up to 9023 bytes).

Use Cases and Benefits

 High-throughput data transfer between on-prem and AWS.
 Secure, low-latency access to VPC resources without going over the public
internet.
 Connect multi-region VPCs via Transit Gateway integration.
 Ideal for financial services, healthcare, media, and other industries with strict
network performance and compliance needs.

Accessing Remote AWS Regions

 A single Direct Connect connection can access public AWS services globally.
 To reach VPCs in other Regions, use a Direct Connect Gateway.
Routing Policies and Pricing
 Uses BGP for dynamic routing between your network and AWS.
 AWS publishes BGP communities to allow fine-grained routing control.
 Pricing is based on port speed, location, and data transferred out of AWS.

Summary
AWS Direct Connect provides a dedicated, secure, and reliable connection to AWS from
your on-premises network. It supports flexible networking options via private, public, and
transit virtual interfaces, making it suitable for enterprises that need stable, high-
performance connectivity to AWS cloud infrastructure.

AWS Networking and Content Delivery:-

Networking and content delivery refer to how data is transferred between systems,
services, and users—whether within AWS or from AWS to the internet. Networking ensures
smooth and secure communication between resources, while content delivery focuses on
delivering content (like images, videos, or files) quickly and efficiently to users around the
world.

In AWS, networking is virtual, flexible, and can be customized based on performance

requirements such as latency, throughput, jitter, and bandwidth. Depending on where
users and on-premises systems are located, AWS provides tools and services to reduce
distance, improve speed, and increase reliability.

Key Networking Concepts

 Latency: The delay before data begins to transfer.
 Throughput: The amount of data transferred over time.
 Jitter: The variation in delay of packet delivery.
 Bandwidth: The maximum amount of data that can be transferred at once.

Each workload may require different performance characteristics, and AWS offers multiple
options to match those requirements.

AWS Networking is Virtualized

On AWS, networks are not physical but software-defined. This allows configuring them as
needed without dealing with hardware.
Virtual Private Cloud (VPC) is the base of networking in AWS. It allows launching AWS
resources in an isolated, customizable network.

Network Optimization Tools

To improve performance, AWS provides various features and services:
1. Enhanced Networking
 Uses Elastic Network Adapter (ENA) or Intel VF to increase packet rate and
reduce latency for Amazon EC2 instances.
 Ideal for high-performance computing and low-latency apps.

2. EC2 Networking-Optimized Instances

 Some EC2 instances are optimized for better network performance (e.g., high
bandwidth, low latency).

3. Amazon S3 Transfer Acceleration

 Speeds up file uploads and downloads to S3 by routing traffic through AWS edge
locations.

4. Amazon CloudFront
 Delivers static and dynamic content using a global network of edge locations.
 Reduces latency by caching content closer to the user.

Services to Reduce Distance and Jitter

1. Amazon Route 53 Latency-Based Routing
 Directs user traffic to the AWS region with the lowest latency.
 Improves responsiveness for users in different geographic locations.

2. Amazon VPC Endpoints

 Allows private connections between a VPC and supported AWS services, avoiding
exposure to the public internet.

3. AWS Direct Connect

 Establishes a dedicated network connection from on-premises to AWS.
 Offers more consistent performance than internet-based connections.

4. AWS Global Accelerator

 Uses the AWS global network to direct user traffic to optimal endpoints.
 Improves availability, speed, and performance for global applications.

Edge and Resource Placement

When user location or physical resources create limitations, these are mitigated using:
 Edge Locations: Part of CloudFront and AWS Global Accelerator, they bring content
closer to users.
 Regional Resource Placement: Services and data can be placed in specific regions
or Availability Zones to reduce latency.

Summary
AWS networking and content delivery solutions are designed to meet various performance
needs. With virtual networks, edge services, optimized routing, and acceleration tools, AWS
supports fast, reliable, and secure communication for workloads across the globe. The right
combination of services is chosen based on performance factors and resource location.

VPC Peering:-
A Virtual Private Cloud (VPC) is a logically isolated virtual network within AWS that allows
launching of AWS resources like EC2 instances in a customized environment. It offers full
control over IP addressing, subnets, route tables, and security settings.

VPC Peering is a networking connection between two VPCs that enables traffic routing
using private IP addresses. This allows resources in both VPCs to communicate as if they
are in the same network. Peering can happen between VPCs within the same account,
across different AWS accounts, or across Regions (inter-Region peering).
Key Features of VPC Peering
 Uses the existing infrastructure of a VPC
 Not a gateway, VPN, or physical hardware
 No single point of failure or bandwidth bottleneck
 All inter-Region traffic is encrypted and stays on AWS backbone

Use Cases
 Sharing files and applications across VPCs in different accounts
 Accessing resources like databases in another VPC
 Replicating data across Regions for high availability

How VPC Peering Works

 The requester VPC owner initiates the peering request
 The accepter VPC owner accepts the request
 Both VPCs must manually update route tables to allow traffic
 Security groups must be updated to allow communication
 DNS hostname resolution can be enabled to use private IPs when public DNS names
are used

VPC Peering Lifecycle Stages

 Initiating-request: Request has been made
 Failed: Connection failed and stays visible for 2 hours
 Pending-acceptance: Awaiting approval (expires in 7 days if not accepted)
 Expired: Not accepted in time; visible for 2 days
 Rejected: Declined by accepter; visible for 2 hours or 2 days depending on account
 Provisioning: Accepted and being processed
 Active: Connection is live and usable
 Deleting: Deletion in progress
 Deleted: Connection removed; visible for up to 2 days

Multiple VPC Peering Connections

 A VPC peering connection is one-to-one
 Multiple peering connections can be created for a single VPC
  Transitive routing is not supported. If VPC A is peered with B and C, traffic from B to
C must go through a direct peering connection

Limitations of VPC Peering

 Only one active peering connection allowed between two VPCs
 Tags are local to the account/Region in which they are created
 Cannot query Amazon DNS server in the peer VPC
 DNS hostname resolution must be enabled for resolving private DNS to private IPs
 CIDR blocks must not overlap (for any block, including secondary)
 Reverse path forwarding is not supported

IPv6 Support
 IPv6 communication is supported if both VPCs have IPv6 CIDR blocks and are
properly configured with routes and security rules

Edge-to-Edge Routing Limitations

 VPC B cannot use internet gateway, NAT device, VPN, or Direct Connect of VPC A
 Gateway endpoints in VPC A cannot be accessed from VPC B

MTU (Maximum Transmission Unit)

 Within the same Region: 9001 bytes
 Inter-Region peering: 8500 bytes

Shared VPCs and Subnets

 Only the VPC owner can manage peering connections
 Participants in shared VPCs cannot manage peering

Conclusion
VPC Peering is a powerful way to interconnect VPCs for private communication and
resource sharing. While it simplifies network architectures without the need for VPNs or
gateways, careful planning is required due to its one-to-one nature and the lack of transitive
routing.

AWS Shared Responsibility Model

The AWS Shared Responsibility Model explains how the work of securing cloud resources is
divided between AWS and the customer. Both have defined roles to ensure that workloads
and data remain safe in the cloud.
AWS is responsible for “Security of the Cloud” while customers are responsible for “Security
in the Cloud”. This means AWS protects the base infrastructure, and customers protect
whatever they create and store inside AWS.

AWS Responsibility – Security of the Cloud

AWS takes care of the security for the infrastructure that runs AWS services. This includes:
 Physical security of data centers and facilities
 Hardware such as servers, storage devices, and networking
 Host operating systems and virtualization layers
 Continuous monitoring and maintenance of the infrastructure
By handling these areas, AWS ensures that the foundation of the cloud is always
secure.

Customer Responsibility – Security in the Cloud

The customer is responsible for securing everything they run or store inside the cloud. This
responsibility changes depending on the AWS services used. Customer tasks include:

 Configuring security groups, firewalls, and network rules

 Creating and managing IAM users, roles, and permissions
 Encrypting sensitive data at rest and in transit
 Applying software updates and patches to applications
 Monitoring for unusual or unauthorized activities
This ensures that applications and data remain secure from threats.

Benefits of the Shared Responsibility Model

 Reduces operational load, as AWS manages the infrastructure security

 Provides clear role separation between AWS and customer
 Makes it easier to maintain compliance and security at scale

Least Privilege Principle in DevOps

For DevOps environments, AWS recommends following the least privilege model. This
means:
 A user or service has only the exact access rights required for their role, no more and
no less
 This approach reduces the chance of accidental changes or misuse
 Permissions are managed using AWS Identity and Access Management (IAM) for
authentication and authorization

Summary
The AWS Shared Responsibility Model creates a balanced approach to cloud security. AWS
handles the core infrastructure and physical protections, while customers take charge of
securing their own applications, data, and configurations. By following this model and
applying principles like least privilege, cloud workloads remain secure and compliant.

Security and Compliance in AWS

Security and compliance are two of the most important aspects of cloud computing. In
simple terms, security is about protecting data, applications, and infrastructure from threats,
while compliance ensures that cloud usage follows laws, policies, and industry standards.

AWS makes security a top priority. As more organizations move to the cloud, AWS helps
them adopt strong identity management, access control, and monitoring. Security is not only
about protection — it is also about enabling safe innovation.

Key Benefits of AWS Security

 Strong data protection

AWS secures all customer data using advanced encryption and security tools. Data
is stored in highly secure data centers.
 Secure infrastructure
AWS builds security into the physical infrastructure — such as servers and networks
— used to run cloud services.
 Software-based security tools
Instead of managing physical security, customers use AWS tools to control access,
detect threats, and protect traffic.
 Cost savings
High-level security is provided without the need to buy or maintain physical security
systems or data centers.
 Flexible control
Customers can choose and configure their own security settings based on their
needs.

Shared Responsibility Model

In AWS, security is based on a shared responsibility model:

 AWS is responsible for security of the cloud – including data centers, servers,
storage, and networking.
 Customers are responsible for security in the cloud – such as managing user
access, securing applications, and configuring firewall settings.

This model gives customers full control over how to protect their data and resources.

Security Features and Tools Offered by AWS

 Network security – Includes firewall rules, private subnets, and security groups to
control traffic.
 Access control – IAM (Identity and Access Management) helps define who can
access what.
 Data encryption – All data can be encrypted at rest and in transit using AWS-
managed keys or customer-managed keys.
 Configuration management – Tools like AWS Config track resource changes and
compliance.
 Threat detection – Services like Amazon GuardDuty help detect suspicious activity.
Continuous Auditing and Certifications

AWS environments are regularly audited by independent organizations. AWS holds multiple
security certifications:

 SOC 1, 2, and 3
 ISO 27001, ISO 27017, ISO 27018
 PCI DSS Level 1 (for handling payment data)
 FedRAMP (for US government data)
 FISMA and others
These certifications prove that AWS follows international standards for data protection and
privacy.

Compliance in AWS

Compliance means meeting specific laws and industry regulations. AWS helps customers
meet these by:
 Offering tools and features designed to meet global compliance standards.
 Providing documentation, whitepapers, and third-party audit reports.
 Helping customers complete their own compliance requirements more easily.

Some examples of compliance programs AWS supports:

 HIPAA – For healthcare data

 PCI DSS – For financial/payment data
 GDPR – For data privacy in the EU
 ISO certifications – For information security management

Final Summary Points

 AWS integrates security deeply into its infrastructure and offers tools to help
customers meet their own security goals.
 The shared responsibility model helps divide duties clearly between AWS and the
customer.
 AWS security allows scaling without compromising protection, and costs only based
on usage.
 AWS follows global compliance standards and provides documentation to support
audits and regulatory needs.

AWS WAF:-

AWS WAF (Web Application Firewall)

AWS WAF is a security service that protects web applications from malicious traffic. It
monitors HTTP and HTTPS requests going to your applications and lets you control access
based on specific conditions. You can block, allow, or challenge requests depending on your
defined rules.
AWS WAF can protect several AWS resources such as:
 Amazon CloudFront distributions
 Application Load Balancers
  Amazon API Gateway REST APIs
 AWS AppSync GraphQL APIs
 Amazon Cognito user pools
 AWS App Runner services
 AWS Verified Access instances
 AWS Amplify

How AWS WAF Works

You create a Web ACL (Access Control List) or Protection Pack, then associate it with
your web application resources. These resources forward incoming requests to AWS WAF
for inspection. You then create rules that define what type of traffic is allowed, blocked,
counted, or challenged. Actions can include:
 Allow – Let the request reach your application
 Block – Stop the request and send an HTTP 403 (Forbidden)
 Count – Log the request without blocking
 CAPTCHA/Challenge – Verify if the requester is a human or a bot

AWS WAF Components

1. Web ACLs – Collections of rules that decide whether to allow, block, or count
requests. Also define a default action for unmatched requests.
2. Protection Packs – Same as Web ACLs but available in the updated console with
guided workflows and dashboards for easier management.
3. Rules – Define inspection criteria and actions.
4. Rule Groups – Collections of rules, either AWS-managed or customer-created.
5. WCUs (Web ACL Capacity Units) – A measurement of resources needed for your
rules to run.

Updated Console Features

The updated AWS WAF console offers an improved interface with guided workflows, making
it easier to set up protections. It also includes security dashboards that provide detailed
visibility into your security posture.
Dashboards can show:
 Traffic insights and recommendations – AWS analyzes allowed traffic over 2
weeks to suggest better rules.
 Summary views – Counts of all allowed, blocked, captcha, and challenge requests.
 Protection activity visualization – Shows how rules are ordered and their effects.
 Traffic flow views – Sequential or non-sequential rule processing impacts.
 Rule action totals – Graphs of total actions taken over time.
 Bot activity & anti-DDoS insights – Breakdown of bot detections and mitigation of
Layer 7 DDoS attacks.

Benefits of AWS WAF

 Protects against common web attacks (e.g., SQL injection, XSS, bots)
 Fully customizable rules for specific needs
 Works across multiple AWS services
 Real-time visibility and monitoring via dashboards
 Integrates with AWS Managed Rules for faster deployment
Summary
AWS WAF acts as a shield for your web applications, letting you control traffic with high
precision. Whether you want complete manual control through the standard console or
guided workflows with detailed dashboards in the updated console, AWS WAF provides the
flexibility to keep your applications safe while maintaining performance.

Aws Shield:-

AWS Shield
AWS Shield is a security service that protects AWS applications from Distributed Denial of
Service (DDoS) attacks. DDoS attacks flood your application with fake traffic, making it slow
or unavailable. AWS Shield provides automatic protection for all AWS customers at no extra
cost, and an advanced paid version for stronger defense.
Types of AWS Shield
1. AWS Shield Standard – Included for free with AWS services. Protects against
common DDoS attacks such as UDP reflection attacks and TCP SYN floods.
2. AWS Shield Advanced – Paid service that offers stronger protection, faster
detection, and 24/7 AWS DDoS Response Team (DRT) support. Includes advanced
monitoring, cost protection, and detailed attack reports.

How AWS Shield Works

 Shield automatically detects and mitigates attacks before they affect your application.
 For critical applications, Shield Advanced provides optimized rules, custom detection,
and AWS expert support during attacks.
 Protection is applied to internet-facing resources like Amazon CloudFront, Route 53,
Elastic Load Balancing, and EC2.

Benefits of AWS Shield

 Automatic protection against common volumetric DDoS attacks.
 No downtime for most attacks due to real-time detection and mitigation.
 Cost protection for scaling charges caused by DDoS in Shield Advanced.
 Integration with AWS WAF for more granular traffic filtering.

Best Practices for DDoS Resiliency

 Use AWS global infrastructure with services like CloudFront and Route 53.
 Distribute workloads across multiple regions and Availability Zones.
 Apply rate-based rules and traffic filtering with AWS WAF.
 For critical workloads, enable AWS Shield Advanced for faster response and expert
guidance.

Security and Compliance in AWS Shield

Security in AWS Shield follows the Shared Responsibility Model:
 Security of the cloud – AWS secures the infrastructure running its services,
including Shield. Their security is regularly audited and compliant with industry
standards.
  Security in the cloud – You secure your applications and configurations. This
includes following best practices, managing access control, and setting up proper
Shield protections.

Summary
AWS Shield acts like a bodyguard for your applications, blocking harmful traffic before it
reaches you. The Standard version gives free, automatic DDoS protection for everyone,
while Shield Advanced offers stronger, customized defense with AWS expert help. By
combining Shield with AWS WAF and following best practices, you can keep your
applications highly available and resilient even during large-scale attacks.

AWS Security Best Practices:-

AWS Security Best Practices

Security best practices are a set of proven guidelines that help you protect your
applications, data, and infrastructure in AWS. They are not strict rules, but recommended
actions that improve your security posture and reduce the risk of attacks or data loss. These
practices cover identity management, access control, monitoring, data protection, and
compliance.

How Security Best Practices Work

Security best practices work by identifying potential risks, then applying preventive and
detective measures. They are designed to protect your AWS environment from threats by:
 Controlling who can access your resources.
 Protecting sensitive data using encryption.
 Monitoring activities for unusual or suspicious behavior.
 Designing systems that remain available even during failures or attacks.

Key Features of AWS Security Best Practices

1. Identity and Access Management (IAM) – Use strong policies, enforce least
privilege, and enable multi-factor authentication (MFA).
2. Root User Protection – Avoid using the AWS root account for daily tasks; secure it
with MFA.
 3. Data Encryption – Use AWS KMS, S3 encryption, and TLS for protecting data at
rest and in transit.
4. Monitoring and Logging – Enable AWS CloudTrail, AWS Config, and Amazon
GuardDuty to track changes and detect threats.
5. Network Security – Use VPC security groups, NACLs, and AWS WAF to control
incoming and outgoing traffic.
6. Backup and Recovery – Use AWS Backup, snapshots, and disaster recovery plans
to ensure data availability.
7. Regular Updates and Patching – Keep all operating systems, applications, and
configurations up to date.

Importance of AWS Security Best Practices

 Risk Reduction – Minimizes chances of data breaches, unauthorized access, and
service downtime.
 Compliance – Helps meet industry standards and legal requirements.
 Business Continuity – Keeps systems available and resilient against failures or
attacks.
 Customer Trust – Protects sensitive customer data, improving reputation.

Best Practices in Action

For example, if you run a web application on AWS:
 You secure IAM so only specific team members can make changes.
 You encrypt customer data stored in Amazon S3.
 You use AWS Shield and WAF to defend against DDoS attacks.
 You monitor logs with CloudWatch to detect suspicious activity.
Summary
AWS Security Best Practices are like a playbook for safe cloud operations. They help you
plan ahead, limit damage from incidents, and maintain the trust of your users. By following
them—especially in identity management, encryption, monitoring, and network protection—
you can build applications that are not only functional but also secure and resilient.