AWS Network Firewall & Traffic Inspection – IDS/IPS, TLS & GWLB

AWS Network Firewall & Traffic Inspection — Overview

Network Firewall covers the “infrastructure security” domain of SCS-C03 (18% of exam). Questions test deep packet inspection, North-South vs East-West traffic patterns, centralized firewall deployment with Transit Gateway, and integration with third-party IDS/IPS tools via Traffic Mirroring.

Centralized Inspection Architecture (Transit Gateway)
Spoke VPC A
(Workload)
Spoke VPC B
(Workload)
Spoke VPC C
(Workload)
↕ ↕ ↕
Transit Gateway
Route tables route ALL traffic through Inspection VPC before reaching destination
Inspection VPC (Network Firewall)
Stateful Rules
IDS/IPS signatures
Domain filtering
Protocol detection
Stateless Rules
IP allow/deny
Port filtering
Protocol matching
TLS Inspection
Decrypt → inspect → re-encrypt
ACM certificate
Exempt trusted domains
Internet Gateway
(North-South)
On-Premises
(VPN/DX)

AWS Network Firewall — Features

Feature Details
Stateless rules Evaluated first. Match on IP, port, protocol. Actions: pass, drop, forward to stateful engine. Like NACLs but more powerful.
Stateful rules Deep packet inspection. Suricata-compatible IDS/IPS signatures. Domain list filtering. Protocol detection (HTTP, TLS, DNS).
TLS inspection Decrypt HTTPS traffic, inspect, re-encrypt. Uses ACM certificate. Can exempt specific domains (banking, healthcare).
Domain filtering Allow/deny traffic to specific domains (e.g., allow only *.amazonaws.com). Works with HTTP Host header or TLS SNI.
Managed rule groups AWS-managed threat intelligence feeds. Block known malicious IPs/domains automatically.
Logging Flow logs + alert logs → S3, CloudWatch, Kinesis Firehose. See which rules matched.

North-South vs East-West Traffic

Direction Definition Inspection Options
North-South Traffic entering/leaving VPC (internet, on-premises) Network Firewall in Inspection VPC, WAF on ALB/CloudFront, Security Groups
East-West Traffic between VPCs, between subnets, between services Network Firewall via TGW routing, Security Groups, VPC Lattice service policies

Deployment Patterns

Pattern 1: Centralized Inspection (TGW)

  • Single Inspection VPC with Network Firewall
  • TGW route tables force ALL inter-VPC and internet-bound traffic through the Inspection VPC
  • Best for: Multi-account environments needing consistent inspection
  • Managed by: Central security team via Firewall Manager

Pattern 2: Distributed (Per-VPC)

  • Network Firewall endpoints in each VPC
  • VPC route tables direct traffic through firewall endpoints
  • Best for: Single-account or when latency-sensitive (avoids TGW hop)

Pattern 3: Gateway Load Balancer (Third-Party)

  • GWLB distributes traffic to third-party firewall appliances (Palo Alto, Fortinet, Check Point)
  • Transparent inspection — traffic flows through appliance without source IP change
  • Best for: Organizations with existing third-party IDS/IPS investments

VPC Traffic Mirroring

  • What: Copy network traffic from ENIs to monitoring targets (out-of-band inspection)
  • Use case: IDS/IPS that needs to see raw packets but shouldn’t be inline (passive monitoring)
  • Targets: NLB (distributes mirrored traffic to monitoring fleet) or another ENI
  • Filters: Mirror only specific traffic (source/dest IPs, ports, protocols)
  • Limitation: Not supported on all instance types (requires Nitro). Additional network bandwidth cost.
  • Exam note: “Passive inspection without affecting traffic flow” → Traffic Mirroring. “Inline inspection” → Network Firewall or GWLB.

Network Firewall vs Security Groups vs NACLs vs WAF

Control Layer Inspection Depth Use
Security Groups Instance (ENI) IP/Port only (stateful) Per-instance access control
NACLs Subnet IP/Port only (stateless) Subnet-level deny rules
Network Firewall VPC Deep packet (L3-L7, IDS/IPS, domain, TLS) Centralized inspection, compliance
WAF Application (L7) HTTP request inspection (headers, body, URI) Web application protection (SQLi, XSS)

Exam Tips

Exam Key Points
SCS-C03 “Deep packet inspection” → Network Firewall (stateful rules). “Domain filtering” → Network Firewall (allow list). “IDS/IPS signatures” → Network Firewall (Suricata rules). “Third-party firewall appliance” → Gateway Load Balancer. “Passive monitoring without inline” → VPC Traffic Mirroring. “Inspect encrypted traffic” → Network Firewall TLS inspection. “Centralized inspection across VPCs” → TGW + Inspection VPC pattern.

AWS Certification Exam Practice Questions

Question 1:

A company needs to inspect all traffic between VPCs (East-West) for malicious patterns using IDS/IPS signatures. They have 20 spoke VPCs connected via Transit Gateway. Which architecture provides centralized inspection?

  1. Deploy Network Firewall in each spoke VPC
  2. Create a dedicated Inspection VPC with Network Firewall, configure TGW route tables to route all inter-VPC traffic through it
  3. Use Security Groups with deny rules between VPCs
  4. Enable VPC Flow Logs and analyze with GuardDuty
Show Answer

Answer: B — The centralized inspection pattern: Inspection VPC hosts Network Firewall with IDS/IPS rules. TGW route tables direct all inter-VPC traffic through the Inspection VPC before reaching the destination. This provides single-pane management and consistent policy. Per-VPC deployment (A) is costly and hard to manage at 20 VPCs. Security Groups (C) can’t do deep packet inspection. GuardDuty (D) detects threats but doesn’t inspect inline traffic.

Question 2:

A security team needs to allow EC2 instances to access only specific approved domains (e.g., *.github.com, *.amazonaws.com) and block all other outbound internet traffic. Which service provides this domain-based filtering?

  1. Security Groups with domain names in rules
  2. AWS Network Firewall with stateful domain list rules
  3. Route 53 Resolver DNS Firewall with block rules
  4. NACLs with domain-based rules
Show Answer

Answer: B — Network Firewall stateful rules can filter by domain (using HTTP Host header for HTTP or TLS SNI for HTTPS). You create an allow list of approved domains and set default action to drop. Security Groups (A) and NACLs (D) only work with IPs, not domains. DNS Firewall (C) blocks DNS resolution but doesn’t prevent direct IP access — the instance could bypass it by using IP addresses directly.

Question 3:

A company uses third-party Palo Alto firewall appliances for deep inspection. They want to route VPC traffic through these appliances transparently without changing source/destination IPs. Which AWS service enables this?

  1. Network Load Balancer in front of firewall instances
  2. Gateway Load Balancer (GWLB) with GENEVE encapsulation
  3. ALB with forwarding rules to firewall targets
  4. Transit Gateway with static routes to firewall instances
Show Answer

Answer: B — Gateway Load Balancer uses GENEVE encapsulation to transparently insert third-party appliances into the traffic path. Traffic flows through the appliance with original source/destination IPs preserved (bumps-in-the-wire). GWLB handles scaling, HA, and load distribution across appliance fleet. NLB (A) would change the destination IP. TGW (D) requires complex routing and doesn’t provide appliance load balancing.

Question 4:

A security team needs to passively monitor network traffic on specific EC2 instances for forensic analysis without affecting application performance or traffic flow. Which approach achieves this?

  1. Deploy Network Firewall inline with alerting-only mode
  2. Configure VPC Traffic Mirroring from the instance ENIs to a monitoring NLB target
  3. Enable enhanced VPC Flow Logs with packet capture
  4. Install tcpdump on each instance and send to S3
Show Answer

Answer: B — VPC Traffic Mirroring copies network packets (out-of-band) to a monitoring target without affecting the original traffic flow or adding latency. NLB distributes mirrored traffic to a fleet of monitoring/IDS tools. VPC Flow Logs (C) capture metadata only (IPs, ports), not packet content. Network Firewall (A) is inline (adds latency). tcpdump (D) consumes instance resources and doesn’t scale.

Question 5:

A company’s compliance requires inspecting HTTPS traffic for data exfiltration. They need to decrypt outbound TLS, inspect the content, then re-encrypt before forwarding. Certain financial and healthcare domains must be exempted from inspection. Which solution provides this?

  1. CloudFront with Lambda@Edge inspecting request bodies
  2. AWS Network Firewall with TLS inspection policy and domain exception list
  3. WAF with body inspection rules on all outbound traffic
  4. Install proxy servers (Squid) on EC2 instances with SSL bump
Show Answer

Answer: B — Network Firewall TLS inspection decrypts outbound HTTPS traffic using an ACM certificate, inspects the decrypted content with stateful rules, then re-encrypts before forwarding. You can configure exception domains (bypass inspection for banking/healthcare). This is the managed AWS solution for TLS inspection. WAF (C) only works on inbound HTTP at ALB/CloudFront, not outbound. Squid (D) works but is self-managed overhead.

Related Posts

References

Frequently Asked Questions

Network Firewall vs WAF — when to use which?

Network Firewall: Inspects all network traffic (any protocol, any direction). Works at VPC level. Use for IDS/IPS, domain filtering, TLS inspection, East-West traffic. WAF: Inspects HTTP/HTTPS requests only. Works at ALB/CloudFront/API Gateway. Use for web application attacks (SQLi, XSS, bot control). Most architectures need both: WAF for web-layer protection, Network Firewall for network-layer inspection.

What is Gateway Load Balancer used for?

GWLB transparently inserts third-party network appliances (Palo Alto, Fortinet, Check Point) into your traffic path. It handles scaling, HA, and traffic distribution across appliance fleet. Traffic passes through appliances with original source/destination IPs preserved (GENEVE encapsulation). Use when you have existing third-party security tools or need features not available in AWS Network Firewall.

Can Network Firewall inspect encrypted (HTTPS) traffic?

Yes — Network Firewall supports TLS inspection. It decrypts traffic using an ACM certificate, inspects the decrypted content with your stateful rules, then re-encrypts before forwarding. You can exempt specific domains from inspection (compliance requirement for financial/healthcare traffic). Without TLS inspection, Network Firewall can still filter by TLS SNI (domain name) but cannot inspect the encrypted payload.

AWS Secrets & Certificate Management – Secrets Manager, ACM & Rotation Patterns

AWS Secrets & Certificate Management — Overview

Secrets management appears in 81+ questions across SCS-C03 (Data Protection) and SAP-C02/DOP-C02. The core decisions are: Secrets Manager vs Parameter Store (when to use which), automatic rotation patterns, ACM certificate management, and mTLS enforcement. This post covers all patterns exam questions test.

Secrets Manager vs Parameter Store — Decision
AWS Secrets Manager
✅ Built-in rotation (Lambda)
✅ RDS/Redshift/DocumentDB native rotation
✅ Cross-account access via resource policy
✅ Automatic versioning (AWSCURRENT/AWSPREVIOUS)
✅ Random password generation
💰 $0.40/secret/month + $0.05/10K API calls
Best: DB credentials, API keys needing rotation
SSM Parameter Store
✅ Free tier (Standard parameters)
✅ Hierarchical paths (/app/prod/db/password)
✅ SecureString (KMS encrypted)
✅ Change notifications (EventBridge)
❌ No built-in rotation
💰 Free (Standard) / $0.05/10K (Advanced)
Best: Config values, feature flags, non-rotating secrets
Rule of thumb: Need automatic rotation? → Secrets Manager. Non-sensitive config or tight budget? → Parameter Store. Can reference Secrets Manager secrets FROM Parameter Store path: /aws/reference/secretsmanager/my-secret

Detailed Comparison

Feature Secrets Manager Parameter Store
Rotation Built-in with Lambda (native for RDS/Redshift/DocumentDB) Not built-in (must implement yourself)
Cross-account Yes (resource policy on secret) No resource policy (must use cross-account IAM role)
Encryption Always encrypted (KMS required) Optional (String vs SecureString)
Size limit 64 KB per secret 4 KB (Standard) / 8 KB (Advanced)
Versioning Automatic (AWSCURRENT, AWSPREVIOUS, AWSPENDING) Labels on parameter versions
Throughput 10,000 TPS 1,000 TPS (Standard) / 10,000 (Advanced)
CloudFormation Dynamic references resolve at deploy time Dynamic references resolve at deploy time

Secrets Rotation — How It Works

Secrets Manager rotation uses a Lambda function that executes 4 steps:

  1. createSecret: Generate new credentials, store as AWSPENDING version
  2. setSecret: Update the database/service with the new credentials
  3. testSecret: Verify the new credentials work (connect to DB)
  4. finishSecret: Move AWSPENDING → AWSCURRENT, old current → AWSPREVIOUS

Rotation Strategies

Strategy How Downtime Risk
Single user Change password of the same user Brief — between password change and app refresh
Alternating users Two users (user_1, user_2). Alternate which is active. Zero — one user always works while the other is being rotated

AWS Certificate Manager (ACM)

Feature ACM Public Certificates ACM Private CA
Cost Free $400/month per CA + per-certificate fee
Validation DNS or Email validation No external validation needed
Renewal Automatic (DNS-validated certs auto-renew) Automatic (configurable validity)
Export private key No (cannot export) Yes (can export for on-premises use)
Use with ELB, CloudFront, API Gateway, Amplify ELB, CloudFront, API Gateway, EC2, on-premises, IoT
Use case Public-facing HTTPS websites/APIs Internal services, mTLS, IoT devices, code signing

mTLS (Mutual TLS) Patterns

  • API Gateway + mTLS: Configure custom domain with mutual TLS. Upload truststore (CA bundle) to S3. Clients present certificate signed by your CA.
  • ALB + mTLS: ALB verifies client certificates. Configure trust store with your CA. Supports certificate revocation (CRL/OCSP).
  • Service Mesh (App Mesh): Envoy proxies handle mTLS between microservices automatically. ACM Private CA issues short-lived certificates.
  • Exam note: “Verify client identity at API level” → mTLS. “Verify client identity at network level” → VPN with certificate auth.

Integration Patterns

  • RDS + Secrets Manager: Native rotation for MySQL, PostgreSQL, Oracle, SQL Server, MariaDB. Secrets Manager auto-manages the DB password.
  • Lambda + Secrets Manager: Cache secrets using AWS Parameters and Secrets Lambda Extension (reduces API calls, adds caching layer).
  • ECS + Secrets Manager: Reference secrets in task definition as environment variables. ECS agent fetches at container start.
  • CloudFormation + Secrets Manager: Generate random password at deploy: {{resolve:secretsmanager:my-secret:SecretString:password}}
  • CodePipeline/CodeBuild: Reference Parameter Store/Secrets Manager for build secrets. Never hardcode in buildspec.

Exam Tips

Exam Key Points
SCS-C03 “Automatic rotation of DB credentials” → Secrets Manager. “Free config storage” → Parameter Store (Standard). “Cross-account secret access” → Secrets Manager resource policy. “mTLS for API” → API Gateway custom domain + truststore. “Internal certificates for microservices” → ACM Private CA. “Cannot export private key” → ACM Public (use Private CA if export needed). “Alternating users” = zero-downtime rotation.

AWS Certification Exam Practice Questions

Question 1:

A company’s application connects to an RDS MySQL database using hardcoded credentials in the application configuration file. The security team requires automatic credential rotation every 30 days without application downtime. Which solution meets these requirements with the LEAST development effort?

  1. Store credentials in SSM Parameter Store SecureString, write a Lambda function to rotate the DB password and update the parameter every 30 days
  2. Enable Secrets Manager with native RDS rotation using the alternating users strategy, update application to retrieve credentials from Secrets Manager at runtime
  3. Use IAM database authentication instead of passwords
  4. Store credentials in a KMS-encrypted S3 file, rotate manually every 30 days
Show Answer

Answer: B — Secrets Manager provides native RDS rotation with pre-built Lambda functions for MySQL (zero development effort for the rotation logic). Alternating users strategy ensures zero downtime — one user is always valid while the other rotates. The application calls Secrets Manager API at startup/periodically to get current credentials. Parameter Store (A) requires you to write the rotation Lambda yourself. IAM auth (C) has connection limits and doesn’t work for all DB engines/configurations.

Question 2:

Multiple AWS accounts in an Organization need to access a shared database credential stored in a central security account. The credential must be accessible without creating IAM users or access keys in the security account. Which approach enables this?

  1. Store in Parameter Store and share via RAM
  2. Store in Secrets Manager and add a resource policy allowing the member accounts’ roles to retrieve it
  3. Replicate the secret to each account using Secrets Manager multi-Region replication
  4. Store in S3 with a bucket policy allowing cross-account access
Show Answer

Answer: B — Secrets Manager supports resource policies (like S3 bucket policies). Add a policy allowing specific IAM roles in member accounts to call secretsmanager:GetSecretValue. The member account role assumes its own role and directly accesses the secret cross-account — no credentials needed in the security account. Parameter Store (A) doesn’t support resource policies or RAM sharing. Multi-region replication (C) is for HA, not cross-account sharing.

Question 3:

A company needs to issue short-lived certificates for internal microservices running on ECS. The certificates must be automatically rotated, and the private keys must be exportable so the application can use them directly. Public CAs should NOT be involved. Which service provides this?

  1. ACM public certificates with auto-renewal
  2. ACM Private CA issuing short-lived certificates (configured with 1-7 day validity)
  3. Self-signed certificates generated by a Lambda function
  4. Let’s Encrypt certificates with certbot automation
Show Answer

Answer: B — ACM Private CA creates your own internal CA. You can issue short-lived certificates (hours to days) for service-to-service mTLS. Private keys are exportable (unlike ACM public certificates). No public CA involved — fully private. Works with ECS, EKS, EC2, App Mesh. Self-signed (C) doesn’t provide centralized management or revocation. Let’s Encrypt (D) is public and has rate limits.

Question 4:

A security engineer discovers that application developers are storing database passwords in Lambda environment variables (visible in the console). They need a solution that encrypts secrets at rest, restricts access via IAM, and allows the Lambda function to retrieve the secret without code changes to the environment variable approach. Which solution achieves this?

  1. Encrypt environment variables using a KMS key and grant Lambda’s execution role kms:Decrypt
  2. Store secrets in Secrets Manager, reference them in Lambda environment variables using dynamic resolution
  3. Use the AWS Parameters and Secrets Lambda Extension to cache Secrets Manager values, update code to read from extension cache
  4. Store secrets in S3 encrypted with KMS, have Lambda download at startup
Show Answer

Answer: A — Lambda environment variables can be encrypted with a KMS key. The values appear encrypted in the console (not visible). The Lambda execution role needs kms:Decrypt permission. At runtime, Lambda automatically decrypts the environment variables — no code changes needed. This is the “without code changes” approach. Secrets Manager (B, C) is better long-term but requires code changes. The extension (C) requires reading from a different source.

Question 5:

A company requires that their API Gateway verifies the identity of each calling client using certificates (not just API keys or tokens). Clients must present a certificate issued by the company’s internal CA. How should this be configured?

  1. Configure API Gateway with a Lambda authorizer that validates certificate headers
  2. Configure a custom domain on API Gateway with mutual TLS enabled, upload the company’s CA certificate bundle as a truststore to S3
  3. Put CloudFront in front of API Gateway and configure CloudFront to validate client certificates
  4. Configure a VPN connection and require VPN client certificates
Show Answer

Answer: B — API Gateway supports mutual TLS (mTLS) on custom domains. Upload your CA bundle (truststore) to S3, reference it in the custom domain configuration. API Gateway will verify that each client presents a valid certificate signed by your CA. No additional authentication layer needed. CloudFront (C) doesn’t natively validate client certificates for API Gateway origins. Lambda authorizer (A) would need custom certificate parsing logic.

Related Posts

References

Frequently Asked Questions

When should I use Secrets Manager vs Parameter Store?

Use Secrets Manager when you need: automatic rotation (especially for RDS), cross-account access (resource policy), or built-in password generation. Use Parameter Store for: configuration values (not secrets), feature flags, when cost matters (free tier), or when you need hierarchical paths. You can reference Secrets Manager secrets from Parameter Store paths for compatibility.

How does Secrets Manager rotation work without downtime?

Use the alternating users strategy: create two DB users (user_1, user_2). Secrets Manager rotates one at a time. While user_1’s password is being changed, user_2 still works. Applications that cache credentials continue working with the previous valid user until they refresh. The AWSPREVIOUS version remains valid during the rotation window.

Can I use ACM certificates on EC2 instances?

ACM public certificates cannot be exported (no private key access), so they can’t be installed directly on EC2. They work only with integrated services (ELB, CloudFront, API Gateway). ACM Private CA certificates CAN be exported and installed on EC2, on-premises servers, IoT devices, or anywhere you need the private key.

AWS DDoS & Edge Protection Architecture – WAF, Shield & CloudFront Security

AWS DDoS & Edge Protection Architecture — Overview

Edge protection is tested across SCS-C03 (Domain 3: Infrastructure Security) and SAP-C02. The architecture combines CloudFront (CDN/edge), AWS WAF (Layer 7 rules), AWS Shield (DDoS mitigation), and AWS Firewall Manager (centralized management). This post covers the full defense stack, rule design, and automated response patterns.

Multi-Layer DDoS & Edge Protection
INTERNET (Attackers + Legitimate Traffic)
Layer 1: AWS Shield (Always On)
Shield Standard (free): Automatic L3/L4 DDoS protection. SYN floods, UDP reflection, DNS amplification.
Shield Advanced ($3K/month): L3/L4/L7 protection, DRT team, cost protection, real-time metrics, health-based detection.
Layer 2: CloudFront (Edge Network)
400+ edge locations absorb traffic. Geo-restrictions. Origin isolation (origin never exposed). TLS termination at edge. Caching reduces origin load.
Layer 3: AWS WAF (Layer 7 Rules)
Rate limiting (per IP)
Geo blocking
IP reputation lists
OWASP Top 10 (SQLi, XSS)
Bot control
Layer 4: Application (ALB / API Gateway / AppSync)
Security Groups restrict to CloudFront IPs only. Application-level auth (Cognito). Input validation.
Firewall Manager: Central policy → deploys WAF rules, Shield Advanced, Security Groups across all accounts/regions automatically

AWS WAF — Rule Types & Strategy

Rule Type What It Does Use Case
Rate-based Counts requests per IP in 5-min window; blocks when exceeds threshold Brute force prevention, DDoS mitigation, API abuse
IP Set Allow/Block specific IP addresses or CIDR ranges Threat intelligence feeds, allowlisting corporate IPs
Geo Match Match by country of origin Block countries, route to regional content
SQL Injection Detects SQLi patterns in query strings, body, headers OWASP Top 10 — SQL injection prevention
XSS Detects cross-site scripting patterns OWASP Top 10 — XSS prevention
Size Constraint Block requests exceeding size limits Prevent large payload attacks
Managed Rule Groups Pre-built rules by AWS or marketplace sellers AWSManagedRulesCommonRuleSet (OWASP), BotControl, ATPProtection
Custom Response Return custom HTTP response (403, 429) with custom body Friendly error pages, CAPTCHA challenges

AWS Shield — Standard vs Advanced

Feature Shield Standard Shield Advanced
Cost Free (included with all AWS accounts) $3,000/month + data transfer fees
Protection Layer 3/4 (network/transport) Layer 3/4/7 (+ application layer)
DRT Access No Yes — AWS DDoS Response Team assists during attacks
Cost Protection No Refund for scaling costs caused by DDoS attacks
Resources Protected All (automatic) CloudFront, ALB, NLB, EIP, Global Accelerator, Route 53
Health-based Detection No Yes — uses Route 53 health checks to detect application-layer attacks
Automatic L7 Mitigation No Yes — auto-creates WAF rules during L7 attacks

AWS Firewall Manager — Centralized Policy

  • Purpose: Deploy and manage security rules across ALL accounts in an Organization from a single admin account
  • Manages: WAF rules, Shield Advanced protections, Security Groups, Network Firewall rules, Route 53 Resolver DNS Firewall
  • Auto-remediation: Automatically applies policies to new resources/accounts (no manual setup per account)
  • Prerequisite: AWS Organizations + Config enabled in all accounts
  • Exam key: “Deploy WAF rules consistently across all accounts” → Firewall Manager

Protection Patterns by Attack Type

Attack Layer Mitigation
SYN Flood L3/4 Shield Standard (automatic). Put behind CloudFront/ALB.
UDP Reflection/Amplification L3/4 Shield Standard. Security groups (block UDP if not needed).
DNS Amplification L3/4 Route 53 (inherently scalable). Shield protects Route 53.
HTTP Flood L7 WAF rate-based rules. CloudFront caching. Shield Advanced auto-mitigation.
Slowloris L7 ALB (handles connection pooling). CloudFront times out slow connections.
SQL Injection L7 WAF SQLi rule set. Input validation at application.
Bot/Scraper L7 WAF Bot Control (managed rule). CAPTCHA challenges. Client fingerprinting.

Best Practice Architecture

  • Always front with CloudFront: Absorbs volumetric attacks at edge, hides origin IP, enables WAF without additional latency
  • Origin protection: Security group on ALB allows only CloudFront managed prefix list IPs + custom origin header validation
  • WAF on CloudFront: Deploy WAF at CloudFront (not ALB) — blocks attacks at the edge before they reach your region
  • Rate limiting at multiple levels: WAF rate rules (per-IP), API Gateway throttling (per-API key), application-level
  • Auto-scaling behind protection: Even with DDoS protection, ensure ASG/ALB can handle legitimate traffic spikes

Exam Tips

Exam Key Points
SCS-C03 “L3/L4 DDoS” → Shield Standard (free, automatic). “L7 DDoS + cost protection + DRT” → Shield Advanced. “Block SQL injection” → WAF SQLi rule. “Rate limit per IP” → WAF rate-based rule. “Deploy WAF across all accounts” → Firewall Manager. “Hide origin from internet” → CloudFront + SG restricting to CF IPs. “OWASP Top 10” → AWS Managed Rules Common Rule Set. “Automatic L7 mitigation” → Shield Advanced.

AWS Certification Exam Practice Questions

Question 1:

A company’s web application behind an ALB is experiencing an HTTP flood attack (thousands of requests per second from distributed IPs targeting the /login endpoint). Shield Standard is not mitigating it. What combination provides the fastest protection?

  1. Enable Shield Advanced on the ALB and wait for automatic mitigation
  2. Add a WAF rate-based rule on the ALB limiting requests to /login per IP, and deploy CloudFront in front of the ALB
  3. Increase ALB capacity and add more EC2 instances behind the ASG
  4. Block all international traffic using Security Group rules
Show Answer

Answer: B — Shield Standard only handles L3/L4 attacks, not L7 HTTP floods. A WAF rate-based rule (e.g., 100 requests per 5 minutes per IP to /login) blocks excessive requesters. CloudFront absorbs the volumetric load at the edge before it reaches the ALB. Shield Advanced (A) would help long-term but takes time to onboard. Scaling (C) increases cost without solving the attack. SG rules (D) can’t block distributed IPs easily.

Question 2:

A company needs to deploy identical WAF rules (OWASP protections + rate limiting) across 30 AWS accounts in their Organization. When new accounts are added, the rules must be automatically applied. Which approach requires the LEAST ongoing effort?

  1. Create a CloudFormation StackSet that deploys WAF WebACLs to all accounts
  2. Use AWS Firewall Manager with a WAF policy applied to the Organization
  3. Create a central Lambda function that deploys WAF rules to each account via cross-account roles
  4. Document the WAF rules and require each account team to implement them manually
Show Answer

Answer: B — Firewall Manager automatically applies WAF policies to all accounts in the Organization. When new accounts are added, policies are automatically applied. When new resources (ALBs, CloudFront distributions) are created, WAF is automatically associated. CloudFormation StackSets (A) work but require manual triggering for new accounts/resources.

Question 3:

A company wants to ensure their ALB origin is NEVER directly accessible from the internet — all traffic must flow through CloudFront. They also want to verify that requests actually came from their CloudFront distribution (not someone else’s). Which controls achieve this?

  1. ALB security group allowing only CloudFront managed prefix list + custom origin header in CloudFront that ALB validates
  2. Private ALB in a private subnet with no internet gateway
  3. WAF on ALB blocking requests without CloudFront headers
  4. Shield Advanced protecting the ALB directly
Show Answer

Answer: A — Two layers: (1) Security group restricts ALB ingress to only the CloudFront managed prefix list IPs (no direct internet access). (2) CloudFront adds a custom origin header (secret value), ALB or application validates it — ensures the request came from YOUR distribution (not any random CloudFront distribution). Private ALB (B) wouldn’t receive CloudFront traffic either. WAF (C) alone doesn’t prevent direct IP access.

Question 4:

During a DDoS attack, a company’s Auto Scaling group scales up significantly, tripling their EC2 and data transfer costs. They have Shield Advanced. After the attack, how can they recover these costs?

  1. File a support ticket requesting a general AWS credit
  2. Request DDoS cost protection credit through Shield Advanced — AWS refunds scaling costs attributed to the DDoS attack
  3. Shield Advanced automatically credits the account without any action
  4. Costs cannot be recovered; Shield Advanced only prevents future attacks
Show Answer

Answer: B — Shield Advanced includes DDoS cost protection. After an attack, you can request service credits for scaling charges (EC2, ELB, CloudFront, Route 53, Global Accelerator) caused by the DDoS event. You must file a request within 15 days of the billing cycle. It’s not automatic (C is wrong) — you must submit a request with evidence that the scaling was DDoS-related.

Question 5:

A security engineer needs to block requests from a specific list of 10,000 malicious IPs updated daily by a threat intelligence feed. The block must apply to CloudFront distributions across all accounts. What is the most operationally efficient solution?

  1. Manually update Security Groups daily in each account
  2. Create a WAF IP set, use a Lambda function to update it daily from the threat feed, deploy via Firewall Manager across all accounts
  3. Use Network Firewall with stateful rules in each VPC
  4. Configure Route 53 to not resolve DNS for those IPs
Show Answer

Answer: B — WAF IP sets can hold up to 10,000 IPs. Lambda (triggered daily by EventBridge) fetches the threat feed and updates the IP set via the WAF API. Firewall Manager deploys the WAF policy with this IP set rule across all accounts/distributions automatically. Security Groups (A) have a 60-rule limit and don’t apply to CloudFront. Network Firewall (C) doesn’t protect CloudFront. Route 53 (D) doesn’t block by source IP.

Related Posts

References

Frequently Asked Questions

Do I need Shield Advanced if I have WAF?

Shield Standard (free) handles L3/L4 DDoS automatically. WAF handles L7 (application) attacks with rules you define. Shield Advanced adds: L7 automatic mitigation, DRT team access during attacks, cost protection (refund for DDoS-caused scaling), and near real-time visibility. For most applications, Shield Standard + WAF is sufficient. Shield Advanced is for high-profile targets needing DRT support and cost protection.

Where should I deploy WAF — on CloudFront or ALB?

Deploy WAF on CloudFront when possible. Attacks are blocked at the edge (closer to attacker, further from your infrastructure). If you need different WAF rules per path/domain on the same ALB, add WAF on ALB too. CloudFront WAF is global (one WebACL for all edge locations). ALB WAF is regional. You can have WAF on both simultaneously.

What is the difference between WAF rate-based rules and API Gateway throttling?

WAF rate-based rules: Block by source IP when requests exceed threshold (e.g., 100 per 5 minutes). Applied at CloudFront/ALB level. API Gateway throttling: Limit by API key, stage, or method (e.g., 1000 req/sec per API key). Applied per API. Use both: WAF for DDoS/abuse protection, API Gateway for fair-use rate limiting per customer.

AWS IAM Security Architecture – SCPs, Permission Boundaries & ABAC

AWS IAM Security Architecture — Overview

IAM is the largest exam domain on SCS-C03 (20%) and appears heavily on SAP-C02. This post covers the layered access control model: SCPs (organization guardrails) → Permission Boundaries (delegation limits) → Identity Policies (actual permissions) → Resource Policies (resource-level control). Understanding policy evaluation order and interaction is critical.

AWS Access Control Layers (Evaluation Order)
Layer 1: Organization SCPs (Deny Guardrails)
Maximum permissions for ALL principals in the account. Cannot GRANT — only RESTRICT.
Layer 2: Resource Control Policies (RCPs)
Control what external principals can do with resources in the account.
Layer 3: Permission Boundaries (Delegation Safety)
Maximum permissions a SPECIFIC principal can have. Set by admin, limits what identity policy can grant.
Layer 4: Identity Policies (IAM Policies)
Actual permissions granted to the user/role. INTERSECTS with boundaries and SCPs.
Layer 5: Resource Policies
Attached to resources (S3 bucket, KMS key, SQS queue). Can grant cross-account access directly.
Result: Effective permissions = SCP ∩ RCP ∩ Boundary ∩ Identity Policy (∪ Resource Policy for cross-account)

Service Control Policies (SCPs)

Feature Details
What they do Set maximum available permissions for ALL principals in an account (including root!). Cannot grant permissions — only restrict.
Applied to OUs or individual accounts (inherited from parent OU → child OU → account)
Do NOT affect Management account (always exempt), service-linked roles, CloudFront key pairs
Strategy: Deny list Start with FullAWSAccess, add explicit Deny statements for restricted actions (most common approach)
Strategy: Allow list Remove FullAWSAccess, explicitly allow only approved services (more restrictive, harder to manage)

Common SCP Patterns (Exam Favorites)

  • Prevent leaving Organization: Deny organizations:LeaveOrganization
  • Prevent disabling CloudTrail: Deny cloudtrail:StopLogging, cloudtrail:DeleteTrail
  • Prevent deleting GuardDuty: Deny guardduty:DeleteDetector, guardduty:DisassociateFromMasterAccount
  • Restrict regions: Deny all actions unless aws:RequestedRegion is in allowed list (with exceptions for global services)
  • Require encryption: Deny s3:PutObject unless s3:x-amz-server-side-encryption is present
  • Prevent root user access: Deny all actions when aws:PrincipalArn matches root (doesn’t affect management account)

Permission Boundaries

  • Purpose: Allow administrators to delegate user/role creation safely. The boundary sets maximum permissions that any identity policy can grant.
  • Intersection model: Effective permissions = Identity Policy ∩ Permission Boundary. If boundary doesn’t allow s3:*, even AdministratorAccess policy can’t grant S3.
  • Use case: DevOps team can create roles for their applications, but boundary ensures they can’t create roles with more permissions than they have themselves (privilege escalation prevention).
  • Exam trap: Permission boundaries ONLY affect identity-based policies. Resource policies (like S3 bucket policy) bypass the boundary check.

ABAC (Attribute-Based Access Control)

Approach How Best For
RBAC (traditional) One policy per role per resource. Explicit ARNs in policies. Small, static environments
ABAC (tag-based) Policy uses conditions: aws:ResourceTag/Project = ${aws:PrincipalTag/Project} Dynamic, large environments. No policy changes when new resources are created.
  • ABAC advantage: One policy works for all projects/teams. Tag a user with Project=Alpha, resources with Project=Alpha → access granted automatically.
  • ABAC + SCPs: Use SCP to require tags on resource creation (aws:RequestTag must include Project)
  • Session tags: SAML federation can pass tags (department, team) from IdP → IAM role → ABAC policy evaluation

IAM Policy Evaluation Logic

For same-account requests:

  1. Explicit Deny? → DENIED (anywhere in any policy = final denial)
  2. SCP allows? → If SCP doesn’t allow, DENIED
  3. Resource policy allows? → If resource policy grants access (same-account), ALLOWED (skip remaining checks)
  4. Permission boundary allows? → If boundary set and doesn’t include action, DENIED
  5. Session policy allows? → If session policy set and doesn’t include action, DENIED
  6. Identity policy allows? → If identity policy grants, ALLOWED. Otherwise, implicit DENIED.

For cross-account requests:

  • BOTH sides must allow: Account A’s identity policy (or resource policy) must allow AND Account B’s resource policy must allow
  • Exception: If Account B’s resource policy specifies Account A’s role ARN directly, Account A’s identity policy is not needed
  • SCPs apply to the requesting principal’s account

Session Policies & Roles Anywhere

  • Session policies: Passed when assuming role (AssumeRole API). Further restricts the role’s permissions for that session only. Effective = Role Policy ∩ Session Policy.
  • IAM Roles Anywhere: Workloads OUTSIDE AWS (on-premises servers) can get temporary credentials by presenting a certificate from a registered CA trust anchor. Eliminates long-term access keys for hybrid workloads.
  • Amazon Verified Permissions: Fine-grained authorization for applications using Cedar policy language. Externalize authorization logic from application code.

Exam Tips

Exam Key Points
SCS-C03 “Prevent region usage” → SCP with aws:RequestedRegion. “Delegate role creation safely” → Permission Boundaries. “Dynamic access based on tags” → ABAC. “Cross-account access” → both identity + resource policy (or resource policy alone). “Management account” = exempt from SCPs. “Explicit Deny always wins”. “Permission boundary doesn’t affect resource policies”.

AWS Certification Exam Practice Questions

Question 1:

A company wants to allow their development team to create IAM roles for Lambda functions, but prevent them from creating roles with more permissions than their own (privilege escalation). The solution must not require security team approval for each role creation. Which approach achieves this?

  1. Create an SCP denying iam:CreateRole for the development OU
  2. Require developers to attach a specific permission boundary to any role they create, enforced by a condition in their IAM policy
  3. Create a Lambda execution role and require all functions use only this role
  4. Use AWS Service Catalog to manage approved role configurations
Show Answer

Answer: B — Permission boundaries solve the delegation problem. The developer’s policy allows iam:CreateRole, iam:AttachRolePolicy BUT with a condition: iam:PermissionsBoundary must equal the approved boundary ARN. Any role they create is automatically limited to the boundary’s permissions — they cannot escalate. SCP (A) blocks all role creation. Single role (C) doesn’t scale. Service Catalog (D) requires approval overhead.

Question 2:

An organization wants to ensure NO AWS account (except the management account) can disable CloudTrail or leave the organization, regardless of what IAM permissions exist in those accounts. How should this be implemented?

  1. Remove iam:* from all accounts to prevent admin access
  2. Apply an SCP at the organization root denying cloudtrail:StopLogging, cloudtrail:DeleteTrail, and organizations:LeaveOrganization
  3. Create AWS Config rules to detect and auto-remediate these actions
  4. Create EventBridge rules in each account to block these API calls
Show Answer

Answer: B — SCPs are preventive controls that set maximum available permissions. A Deny in an SCP overrides any Allow in any identity policy, even AdministratorAccess. Applied at the root OU, it affects all member accounts. The management account is automatically exempt (cannot SCP itself). Config rules (C) and EventBridge (D) are detective/reactive — they detect after the fact, not prevent. Removing iam:* (A) breaks everything.

Question 3:

A company uses SAML federation from their on-premises Active Directory. They need engineers tagged with “Department=Engineering” in AD to only access EC2 instances tagged with “Department=Engineering” — without creating separate policies per department. Which approach provides this?

  1. Create separate IAM roles per department, each with hardcoded resource ARNs
  2. Use SAML session tags to pass Department attribute, then use ABAC policy with aws:PrincipalTag/Department condition matching aws:ResourceTag/Department
  3. Use permission boundaries per department limiting resource access
  4. Create resource policies on each EC2 instance allowing specific department groups
Show Answer

Answer: B — ABAC with session tags: The SAML IdP passes the Department attribute as a session tag during federation. The IAM policy condition checks aws:ResourceTag/Department == ${aws:PrincipalTag/Department}. One policy works for ALL departments. New departments automatically work without policy changes — just tag users and resources. This scales infinitely without per-department roles (A) or policies.

Question 4:

Account B has an S3 bucket with a bucket policy allowing Account A’s role to PutObject. However, when Account A’s role tries to upload, it gets AccessDenied. The role has s3:* in its identity policy. Account A has an SCP that allows all S3 actions. What is the most likely cause?

  1. The bucket policy needs to specify the role ARN, not the account
  2. Account B’s SCP is blocking the PutObject action
  3. Account A’s permission boundary on the role doesn’t include s3:PutObject
  4. S3 requires the request to include server-side encryption headers
Show Answer

Answer: C — For cross-account access where the identity policy allows the action, a permission boundary on the role will still restrict it. Even though the identity policy has s3:* and the SCP allows it, the boundary creates an additional intersection. If the boundary doesn’t include s3:PutObject, the effective permission is denied. Note: if only the resource policy (bucket policy) grants access and the identity policy doesn’t have the action, boundaries don’t apply — but here the identity policy also has s3:*.

Question 5:

A company has on-premises servers that need to call AWS APIs (S3, DynamoDB) without storing long-term access keys on the servers. The servers have certificates issued by the company’s private CA. Which solution eliminates long-term credentials?

  1. Create an IAM user with access keys, rotate keys every 90 days
  2. Set up a Site-to-Site VPN and use the VPC’s IAM capabilities
  3. Configure IAM Roles Anywhere with the company’s private CA as trust anchor, servers present certificates to get temporary credentials
  4. Use AWS SSO (IAM Identity Center) with SAML for machine-to-machine auth
Show Answer

Answer: C — IAM Roles Anywhere enables workloads outside AWS to obtain temporary credentials by presenting an X.509 certificate. Register your CA as a trust anchor, create a profile with the desired IAM role. Servers present their certificate → Roles Anywhere validates against the CA → issues temporary STS credentials. No long-term keys stored. SSO/Identity Center (D) is for human users, not machine-to-machine.

Related Posts

References

Frequently Asked Questions

What is the difference between SCPs and Permission Boundaries?

SCPs apply to an entire AWS account (all principals within it). They set the maximum permissions for the account. Permission Boundaries apply to a specific IAM user or role. They limit what that specific principal can do. SCPs are set by the Organization admin; boundaries are set by the account admin. Both use the intersection model — effective permissions must be allowed by both.

Does the management account get restricted by SCPs?

No. The management account is always exempt from SCPs. This is by design — you can’t accidentally lock yourself out of the Organization. Because of this, best practice is to NOT run workloads in the management account. Use it only for Organization management, billing, and account creation.

How does ABAC scale better than RBAC?

With RBAC, you need N policies for N projects/teams (one policy per team specifying resource ARNs). With ABAC, you need ONE policy that uses tag conditions. When a new project starts, just tag the resources and users — no policy changes. The policy Condition: aws:ResourceTag/Project == ${aws:PrincipalTag/Project} automatically works for all current and future projects.

AWS Data Encryption Architecture – KMS vs CloudHSM, Key Policies & Rotation

AWS Data Encryption Architecture — Overview

Data encryption is the largest topic on the SCS-C03 exam (Domain 5: 18%). Every scenario involves choosing between KMS and CloudHSM, selecting the right key type, designing cross-account key access, and implementing rotation. This post covers the complete encryption decision framework — from key hierarchy to cross-account patterns to exam traps around key policies.

AWS Key Management — Decision Tree
Do you need FIPS 140-2 Level 3 or single-tenant HSM?
YES → CloudHSM
FIPS 140-2 Level 3 validated
Single-tenant dedicated HSM
You control keys (AWS cannot access)
Custom key store for KMS
Oracle TDE, SSL offloading
~$1.50/hr per HSM
NO → AWS KMS
AWS Managed Key
aws/s3, aws/ebs, aws/rds
Auto-created per service
Cannot manage rotation
Cannot use cross-account
Free (no monthly fee)
Customer Managed Key
You create & manage
Full key policy control
Cross-account sharing ✅
Auto-rotation (configurable)
$1/month + $0.03/10K requests
Imported Key Material
Bring your own key
You manage durability
Can set expiration
Manual rotation only
Delete & re-import
Custom Key Store: KMS interface + CloudHSM backend. Get KMS API convenience with CloudHSM security. Keys never leave your HSM.

KMS vs CloudHSM — Detailed Comparison

Feature AWS KMS CloudHSM
FIPS Level FIPS 140-2 Level 2 (Level 3 in some modules) FIPS 140-2 Level 3
Tenancy Multi-tenant (shared infrastructure) Single-tenant (dedicated HSM in your VPC)
Key Access AWS manages HSM; you control via key policy You have full exclusive control (AWS cannot access keys)
Key Types Symmetric (AES-256), Asymmetric (RSA, ECC) Symmetric, Asymmetric, + custom algorithms
Integration Native AWS service integration (S3, EBS, RDS, etc.) Custom application integration, Oracle TDE, SSL/TLS offload
Cross-account Yes (via key policy + IAM) Not directly (must share via network/VPC peering)
HA Built-in (multi-AZ by default) You must deploy cluster (min 2 HSMs across AZs)
Cost $1/key/month + API calls ~$1.50/hr per HSM (~$1,100/month per HSM)

KMS Key Policy — The Critical Exam Topic

KMS key policies are the #1 exam trap. Unlike all other AWS resources, KMS keys have their own resource policy that MUST explicitly grant access — IAM policies alone are insufficient unless the key policy allows it.

  • Default key policy: Allows the root principal to perform all actions → enables IAM policies to control access
  • Without root principal statement: IAM policies cannot grant access to the key (even AdministratorAccess won’t work!)
  • Key administrators: Can manage the key (enable/disable, delete, rotate) but CANNOT use it for encrypt/decrypt
  • Key users: Can use the key for encrypt/decrypt/generate data key operations
  • Grants: Delegated, temporary access to a key (used by AWS services internally, e.g., EBS attaching encrypted volume)

Cross-Account KMS Key Access

Two things must be true for cross-account KMS access:

  1. Key policy in Account A must allow Account B’s root (or specific role): "Principal": {"AWS": "arn:aws:iam::ACCOUNT_B:root"}
  2. IAM policy in Account B must allow the role to use the key: "Resource": "arn:aws:kms:region:ACCOUNT_A:key/key-id"

Exam trap: If the key policy only lists specific principals (no root principal), IAM policies in Account A won’t work either. The key policy is the primary gatekeeper.

Key Rotation

Key Type Auto-Rotation Manual Rotation Exam Notes
AWS Managed Automatic (every year) — cannot change N/A You cannot control rotation period
Customer Managed (KMS-generated) Optional, configurable (90-2560 days) Create new key + update alias Old key material kept (decrypt old data). Key ID unchanged. Only new data uses new material.
Imported Key Material ❌ Not supported Delete → re-import new material Must manage externally. Can set expiration date. Use alias for transparent rotation.
CloudHSM You manage entirely Application-level rotation Full customer responsibility

Encryption Patterns — At Rest

Service SSE Options Key Decision
S3 SSE-S3 (default), SSE-KMS, SSE-C, CSE SSE-KMS for audit trail (CloudTrail logs each decrypt). SSE-C when you manage keys externally. CSE for client-side.
EBS AES-256 (KMS) Enable default encryption per region. Snapshots inherit key. Cross-account: re-encrypt with shared key.
RDS AES-256 (KMS) Must enable at creation (cannot encrypt existing). Encrypted snapshots → encrypted restore. Cross-region: re-encrypt with target region key.
DynamoDB AWS owned, AWS managed, Customer managed Customer managed for cross-account access control and audit. AWS owned is free.

Encryption in Transit

  • ELB: Configure security policies (TLS 1.2+ enforced). Use ACM certificates. ALB terminates TLS, can re-encrypt to backend.
  • S3: Bucket policy with aws:SecureTransport: false denies HTTP. Forces HTTPS only.
  • RDS: rds.force_ssl = 1 (MySQL) or rds.force_ssl = true (PostgreSQL). Download RDS CA bundle.
  • API Gateway: HTTPS only by default. Can configure mutual TLS (mTLS) with custom domain.
  • VPC: VPN (IPsec) or PrivateLink for private connectivity. All inter-region VPC peering is encrypted.

Envelope Encryption (Data Key Pattern)

  • How it works: KMS generates a Data Encryption Key (DEK). Plaintext DEK encrypts your data. KMS encrypts the DEK with the CMK. Store encrypted DEK alongside encrypted data.
  • Why: KMS has a 4KB limit on direct encrypt. Envelope encryption allows encrypting any size data. Only the small DEK crosses the network to KMS.
  • GenerateDataKey: Returns both plaintext DEK (use to encrypt) and encrypted DEK (store alongside data)
  • Decrypt flow: Send encrypted DEK to KMS → get plaintext DEK → decrypt data locally
  • Exam relevance: “Encrypt 1GB file with KMS” → must use envelope encryption (GenerateDataKey), NOT Encrypt API

Exam Tips

Exam Key Points
SCS-C03 “FIPS 140-2 Level 3” → CloudHSM. “Cross-account encryption” → Customer managed KMS key + key policy allowing other account. “Audit who decrypted” → SSE-KMS (CloudTrail logs Decrypt calls). “Imported key material” → manual rotation only, you manage durability. “Key policy allows root principal” = enables IAM policies. “Encrypt large file with KMS” → envelope encryption (GenerateDataKey). “Cannot encrypt existing RDS” → snapshot, copy with encryption, restore.

AWS Certification Exam Practice Questions

Question 1:

A company stores sensitive financial data in S3. Compliance requires that all decryption events are logged in CloudTrail, the encryption key can be disabled immediately if compromised, and only specific IAM roles can decrypt. Which encryption configuration meets ALL these requirements?

  1. SSE-S3 (Amazon S3-managed keys)
  2. SSE-KMS with an AWS managed key (aws/s3)
  3. SSE-KMS with a customer managed key and restrictive key policy
  4. SSE-C (customer-provided keys)
Show Answer

Answer: C — Customer managed KMS key provides: (1) CloudTrail logging of every Decrypt/Encrypt call. (2) Ability to disable the key immediately (renders all data inaccessible). (3) Key policy controls exactly which roles can decrypt. AWS managed keys (B) log decrypt events but cannot be disabled and don’t allow custom key policy. SSE-S3 (A) doesn’t log individual decrypt events. SSE-C (D) requires customer to manage key delivery on every request.

Question 2:

Account A has an encrypted EBS snapshot that needs to be shared with Account B. The snapshot is encrypted with a customer managed KMS key. What steps are required for Account B to use this snapshot?

  1. Share the snapshot with Account B. Account B copies it using their own KMS key. No key policy change needed.
  2. Modify the KMS key policy to allow Account B access. Share the snapshot. Account B creates a volume or copies with their own key.
  3. Create an unencrypted copy of the snapshot, then share the unencrypted version with Account B.
  4. Export the KMS key to Account B using key material import.
Show Answer

Answer: B — For cross-account encrypted snapshot sharing: (1) The KMS key policy must grant Account B permission to use the key (kms:Decrypt, kms:CreateGrant). (2) Share the snapshot with Account B. (3) Account B can then copy the snapshot to their account, re-encrypting with their own CMK. Without key policy change, Account B cannot decrypt the snapshot even after it’s shared. You cannot create an unencrypted copy of an encrypted snapshot (C is wrong).

Question 3:

A company’s compliance team requires that encryption keys used for sensitive workloads are stored in hardware that AWS personnel cannot access, while still using the KMS API for integration with AWS services. Which configuration achieves this?

  1. KMS with customer managed keys (standard)
  2. KMS with imported key material
  3. KMS custom key store backed by CloudHSM cluster
  4. Client-side encryption with keys stored in Secrets Manager
Show Answer

Answer: C — Custom key store connects KMS to your CloudHSM cluster. You get the KMS API (integrates with S3, EBS, RDS, etc.) but keys are generated and stored in your single-tenant CloudHSM (AWS personnel cannot access). Standard KMS (A) uses multi-tenant AWS-managed HSMs. Imported keys (B) still reside in AWS HSMs after import. This is the best-of-both-worlds approach.

Question 4:

A developer tries to use a KMS key to encrypt data but receives “AccessDeniedException.” Their IAM policy has kms:* on the key ARN. The key policy only contains a statement allowing the key administrator to manage the key. What is the issue?

  1. The IAM policy must specify the exact actions (kms:Encrypt) not wildcard
  2. The key policy does not include the root principal statement, so IAM policies cannot grant access
  3. The developer needs to be added as a key administrator
  4. KMS keys require explicit Deny removal before access works
Show Answer

Answer: B — This is the #1 KMS exam trap. KMS key policies are the primary access control. If the key policy does not include a statement allowing the account’s root principal (which enables IAM policies to work), then NO IAM policy can grant access — even kms:* will fail. The fix: add {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::ACCOUNT:root"}, "Action": "kms:*", "Resource": "*"} to the key policy.

Question 5:

A company needs to encrypt a 50MB file using KMS. When they call the kms:Encrypt API with the file, they receive an error that the payload exceeds the 4KB limit. How should they encrypt this file?

  1. Split the file into 4KB chunks and encrypt each chunk separately with kms:Encrypt
  2. Use kms:GenerateDataKey to get a data encryption key, encrypt the file locally with the plaintext key, store the encrypted key alongside the encrypted file
  3. Increase the KMS payload limit through a service quota increase request
  4. Use CloudHSM instead, which has no payload size limit
Show Answer

Answer: B — This is envelope encryption. KMS’s Encrypt API has a 4KB payload limit. For larger data: (1) Call GenerateDataKey → get plaintext DEK + encrypted DEK. (2) Use plaintext DEK to encrypt the 50MB file locally (AES-256). (3) Discard plaintext DEK from memory. (4) Store encrypted DEK alongside encrypted file. To decrypt: send encrypted DEK to KMS (Decrypt API) → get plaintext DEK → decrypt file locally. The 4KB limit cannot be increased (C is wrong).

Related Posts

References

Frequently Asked Questions

When should I use CloudHSM vs KMS?

Use KMS for most workloads — it integrates natively with 100+ AWS services, is fully managed, and costs $1/key/month. Use CloudHSM when you need: FIPS 140-2 Level 3 compliance, single-tenant HSM (regulatory requirement), full exclusive key control (AWS cannot access), or custom cryptographic algorithms. You can combine both via KMS Custom Key Store.

Can I use one KMS key across multiple accounts?

Yes, but both the key policy AND an IAM policy must allow it. The key policy grants the other account’s root principal (or specific role) access. Then an IAM policy in the consuming account allows the role to call KMS. Without BOTH, cross-account access fails. AWS managed keys (aws/s3, aws/ebs) cannot be shared cross-account — only customer managed keys.

What happens when I rotate a KMS key?

AWS creates new key material but keeps the old material. The key ID and ARN don’t change. New data encrypts with new material. Old data still decrypts fine (KMS tracks which version encrypted each ciphertext). You don’t need to re-encrypt existing data. This is automatic and transparent — no application changes needed.

AWS Centralized Logging Architecture – CloudTrail, Security Lake & SIEM

AWS Centralized Logging Architecture — Overview

Centralized logging is a foundational security requirement across all AWS certifications. The SCS-C03 exam tests your ability to design multi-account logging architectures that aggregate, correlate, and alert on security events. This post covers the complete logging pipeline: from source collection (CloudTrail, VPC Flow Logs, DNS logs) through aggregation (Security Lake, CloudWatch) to analysis (Athena, OpenSearch, SIEM).

Centralized Security Logging Architecture
LOG SOURCES (All Accounts)
CloudTrail (API)
VPC Flow Logs
Route 53 DNS
GuardDuty
WAF Logs
S3 Access
ELB Access
Config
↓ ↓ ↓
Path A: S3 + Athena
CloudTrail Org Trail → S3 (Log Archive Account)
VPC Flow Logs → S3
Athena queries for ad-hoc analysis
Glue Catalog for schema
Cost: Lowest | Query: Ad-hoc
Path B: Security Lake (OCSF)
Auto-collects from 80+ sources
Normalizes to OCSF schema
S3 storage (Apache Iceberg)
Query via Athena or 3rd-party SIEM
Cost: Medium | Schema: Unified
Path C: CloudWatch + OpenSearch
CloudWatch Logs (real-time)
Subscription filters → OpenSearch
Dashboards + Alerts
Cross-account log aggregation
Cost: Highest | Real-time: Yes
↓ ↓ ↓
Detection & Alerting
EventBridge Rules → SNS/Lambda
CloudWatch Alarms
GuardDuty Findings
Automated Response
Lambda remediation
Step Functions playbooks
Systems Manager runbooks
Investigation
Amazon Detective
Athena queries
OpenSearch dashboards

Log Sources — What to Collect

Source What It Captures Destination Options Key Exam Points
CloudTrail All API calls (who did what, when, from where) S3, CloudWatch Logs Organization trail covers ALL accounts. Management events on by default. Data events (S3/Lambda) must be explicitly enabled.
VPC Flow Logs Network traffic metadata (src/dst IP, port, action) S3, CloudWatch Logs Does NOT capture packet content. Transit Gateway flow logs for inter-VPC. Enable in ALL VPCs.
Route 53 Resolver Logs DNS queries from VPCs S3, CloudWatch Logs, Kinesis Firehose Detects DNS exfiltration, C2 communication. Share via RAM to Log Archive account.
GuardDuty Findings Threat detections (recon, compromise, crypto-mining) EventBridge, S3 (export) Delegated admin aggregates all member findings. Auto-archives after 90 days.
AWS Config Resource configuration changes, compliance S3, SNS Aggregator for multi-account/region view. Config rules for compliance detection.
S3 Access Logs Bucket-level access (who accessed what object) S3 (target bucket) Different from CloudTrail S3 data events. Best-effort delivery. Use for audit trails.
ELB Access Logs Request details (client IP, latency, status codes) S3 Captures client IP even behind CloudFront. Useful for forensics.
WAF Logs Web requests matched/blocked by WAF rules S3, CloudWatch Logs, Kinesis Firehose Full request headers, rule matched. Essential for tuning WAF rules.

Organization CloudTrail Trail

  • Setup: Create from the management account → automatically applies to ALL member accounts
  • Storage: Central S3 bucket in Log Archive account with bucket policy allowing organization trail delivery
  • Protection: S3 Object Lock (WORM), MFA Delete, bucket policy denying s3:DeleteObject, KMS encryption
  • Validation: CloudTrail log file integrity validation (SHA-256 hash chain). Detects if log files are modified/deleted.
  • Key exam trap: Member accounts can see the trail but CANNOT modify or delete it. Only the management account can.

Cross-Account Log Aggregation Patterns

Pattern How Best For
Org Trail to Central S3 Organization trail → S3 bucket in Log Archive account CloudTrail API logs (cheapest, simplest)
CloudWatch Cross-Account Source accounts → CloudWatch Logs destination (Kinesis/Firehose) → Central account Real-time application logs, Lambda logs
Security Lake (Delegated Admin) Delegated admin auto-collects from all member accounts Unified OCSF schema, SIEM integration
Kinesis Firehose Cross-Account Source account → cross-account Firehose delivery stream → S3/OpenSearch High-volume streaming logs (VPC Flow, custom)

Amazon Security Lake (OCSF)

  • What: Centralized security data lake that automatically collects logs from 80+ AWS and third-party sources
  • Schema: Normalizes ALL data to Open Cybersecurity Schema Framework (OCSF) — single schema regardless of source
  • Storage: S3 with Apache Iceberg tables (efficient querying, time-travel)
  • Sources: CloudTrail, VPC Flow Logs, Route 53, Security Hub, Lambda execution, S3 data events, EKS audit, WAF
  • Subscribers: Query via Athena, or grant data access to third-party SIEMs (Splunk, Datadog, CrowdStrike)
  • Multi-account: Delegated administrator collects from all Organization member accounts automatically
  • Regions: Rollup regions — aggregate from multiple regions into one central region
  • Exam relevance: “Normalize logs from multiple sources into a unified schema” → Security Lake

CloudWatch Logs — Real-Time Analysis

  • Metric Filters: Parse log events → extract metrics → create alarms (e.g., count of “UnauthorizedAccess” → alarm if > 5/min)
  • Subscription Filters: Stream logs in real-time to Lambda, Kinesis, Firehose, or OpenSearch
  • Cross-Account Subscriptions: Source account creates subscription filter → sends to destination in central account (Kinesis/Firehose)
  • Insights Queries: SQL-like queries across log groups. Find patterns, anomalies, top talkers.
  • Data Protection: Mask sensitive data (SSN, credit cards) in logs automatically using data protection policies
  • Retention: Configure per log group (1 day to 10 years, or never expire). Exam: default is never expire (costs money!).

Log Protection — Integrity & Access Control

Control Implementation Purpose
Immutability S3 Object Lock (Governance or Compliance mode) Prevent log deletion/modification (WORM)
Encryption SSE-KMS with customer-managed key Encrypt logs at rest, control access via key policy
Integrity Validation CloudTrail log file validation (digest files) Detect if logs were tampered with
Access Separation Log Archive account with restricted access (separate from workload accounts) Least privilege — ops teams can’t delete logs
Alerting on Tampering EventBridge rule for StopLogging/DeleteTrail API calls Detect if someone tries to disable logging

Exam Tips

Exam Key Points
SCS-C03 “Centralized logging across all accounts” → Organization CloudTrail trail + S3 in Log Archive. “Normalize logs from multiple sources” → Security Lake (OCSF). “Real-time alerting on API calls” → CloudTrail → CloudWatch Logs → Metric Filter → Alarm. “Prevent log tampering” → S3 Object Lock + separate Log Archive account + log file integrity validation. “Detect disabled logging” → EventBridge rule on StopLogging. “Third-party SIEM integration” → Security Lake subscriber or Kinesis Firehose.
SAP-C02 “Multi-account logging strategy” → Organization trail + dedicated Log Archive account. “Query logs across accounts” → Athena on centralized S3 or Security Lake.

AWS Certification Exam Practice Questions

Question 1:

A security engineer needs to ensure that API activity logs from all 50 AWS accounts in the organization cannot be modified or deleted, even by administrators in those accounts. The logs must be retained for 7 years. Which solution meets these requirements?

  1. Create individual CloudTrail trails in each account sending to a local S3 bucket with versioning enabled
  2. Create an organization trail sending to an S3 bucket in a dedicated Log Archive account with S3 Object Lock in Compliance mode
  3. Create an organization trail sending to CloudWatch Logs with a 7-year retention policy
  4. Create individual trails with log file integrity validation enabled and MFA Delete on each bucket
Show Answer

Answer: B — An organization trail automatically collects logs from ALL member accounts. Storing in a separate Log Archive account means workload account admins cannot access the bucket. S3 Object Lock in Compliance mode prevents ANYONE (including root) from deleting objects until retention expires (7 years). Member accounts cannot modify or delete the organization trail. Individual trails (A, D) can be modified by account admins.

Question 2:

A company needs to detect within 1 minute when someone disables CloudTrail logging in any account. The detection must trigger an automated Lambda function to re-enable the trail. Which approach achieves this?

  1. AWS Config rule checking CloudTrail status with auto-remediation via SSM
  2. Organization trail → CloudWatch Logs → metric filter for StopLogging → alarm → SNS → Lambda
  3. EventBridge rule in each member account for StopLogging/DeleteTrail events → central event bus → Lambda
  4. GuardDuty finding for “Stealth:IAMUser/CloudTrailLoggingDisabled” → EventBridge → Lambda
Show Answer

Answer: C — EventBridge rules can detect CloudTrail API events (StopLogging, DeleteTrail) in near real-time. With organization-wide EventBridge rules forwarding to a central event bus, the Lambda function can re-enable the trail immediately. GuardDuty (D) also detects this but has a delay (typically 5-15 minutes). Config (A) checks periodically (not within 1 minute). CloudWatch metric filter (B) works but requires CloudTrail to be sending to CloudWatch Logs first — if the trail is stopped, no new events flow.

Question 3:

A company wants to aggregate security logs from CloudTrail, VPC Flow Logs, Route 53 DNS logs, and GuardDuty findings into a single data store. They need to query all sources with a unified schema. Third-party security tools must also access this data. Which solution provides this?

  1. Send all logs to a central S3 bucket, create Glue crawlers for each source, query with Athena
  2. Send all logs to CloudWatch Logs in a central account, use CloudWatch Logs Insights
  3. Enable Amazon Security Lake with delegated administrator, configure subscriber access for third-party tools
  4. Send all logs to Amazon OpenSearch Service with custom index templates per source
Show Answer

Answer: C — Security Lake automatically collects from all listed sources, normalizes to OCSF (unified schema), stores in S3 with Apache Iceberg tables, and supports subscribers (third-party SIEMs get direct data access). Option A requires manual schema management per source (no unified schema). CloudWatch Insights (B) doesn’t provide a unified schema or third-party access. OpenSearch (D) requires custom integration for each source.

Question 4:

A security team needs to analyze VPC Flow Logs across 100 accounts to find connections to known malicious IPs. The logs are stored in S3 in a central account. They want the lowest-cost query solution that doesn’t require infrastructure management. Which approach is best?

  1. Import logs into Amazon OpenSearch Service and create dashboards
  2. Use Amazon Athena with partitioned tables (by account, date, region) to query directly from S3
  3. Stream to Amazon Kinesis Data Analytics for real-time threat detection
  4. Load into Amazon Redshift for analytics queries
Show Answer

Answer: B — Athena is serverless (no infrastructure), queries S3 directly, and charges only per data scanned. Partitioning by account/date/region minimizes scan cost. OpenSearch (A) and Redshift (D) require provisioned infrastructure. Kinesis (C) is for real-time streaming, not ad-hoc historical analysis. This is the standard pattern for cost-effective log analysis.

Question 5:

A company’s CloudWatch Logs contain sensitive PII (Social Security numbers) from application logs. The security team needs to ensure PII is masked in log output while still allowing full log access for authorized incident responders. Which approach meets both requirements?

  1. Create a Lambda function to process logs before ingestion, redacting PII patterns
  2. Configure CloudWatch Logs data protection policy to mask SSN patterns, grant unmask permission to incident response IAM role
  3. Encrypt logs with KMS key accessible only to incident responders
  4. Create two separate log groups — one with PII (restricted) and one without (general access)
Show Answer

Answer: B — CloudWatch Logs data protection policies automatically detect and mask sensitive data (SSN, credit cards, etc.) using managed data identifiers. The logs:Unmask permission can be granted to specific IAM roles — allowing incident responders to see full data while regular users see masked output. This is a built-in feature requiring no custom code (unlike A) and doesn’t require separate log groups (unlike D).

Related Posts

References

Frequently Asked Questions

What is the difference between CloudTrail and VPC Flow Logs?

CloudTrail logs API calls (who created/modified/deleted AWS resources). VPC Flow Logs capture network traffic metadata (source/destination IPs, ports, accepted/rejected). CloudTrail tells you “who changed the security group rule.” Flow Logs tell you “what traffic is flowing through the network.” Both are essential for security — they answer different questions.

Security Lake vs manually sending logs to S3?

Security Lake automatically collects from 80+ sources, normalizes everything to the OCSF schema (unified format), partitions data for efficient querying, and supports direct subscriber access for SIEMs. Manual S3 aggregation requires you to set up each source individually, manage different schemas, and build custom integrations. Security Lake is the managed approach for organizations with multiple log sources and SIEM requirements.

How do I protect logs from being deleted by compromised admin accounts?

Three layers: (1) Separate Log Archive account — workload account admins have no access. (2) S3 Object Lock Compliance mode — even root cannot delete until retention expires. (3) Organization trail — member accounts cannot modify or delete it. Additionally, enable log file integrity validation to detect tampering, and create EventBridge rules to alert on any StopLogging/DeleteTrail API calls.

AWS Migration Architecture – 7Rs, Migration Hub & Application Migration Service

AWS Migration Architecture — Overview

Migration to AWS follows a structured lifecycle: Assess → Mobilize → Migrate → Modernize. AWS provides purpose-built tools for each phase. Domain 4 of SAP-C02 (20% of the exam) focuses entirely on migration strategy selection, tool choice, and modernization decisions.

AWS Migration Lifecycle & Tools
ASSESS
Migration Hub
Discovery Service
Migration Evaluator
(TCO analysis)
Portfolio assessment
MOBILIZE
Landing Zone (Control Tower)
Direct Connect
IAM/SSO setup
Migration Factory
Wave planning
MIGRATE
Application Migration Svc
Database Migration (DMS)
DataSync / Transfer Family
Snow Family (offline)
VMware Cloud on AWS
MODERNIZE
Containers (ECS/EKS)
Serverless (Lambda)
Managed databases
Event-driven
Microservices
Migration Hub — Central tracking across all tools | 7 Rs — Strategy per workload | Wave Planning — Group by dependency

The 7 Rs — Migration Strategy Selection

Strategy What Example When
Rehost (Lift & Shift) Move as-is to EC2 On-prem VM → EC2 instance Speed priority, no app changes, large-scale migrations
Replatform (Lift & Reshape) Minor optimizations during move MySQL → RDS MySQL, self-managed → managed Quick wins without refactoring (managed DB, Elastic Beanstalk)
Refactor (Re-architect) Redesign for cloud-native Monolith → microservices on ECS/Lambda Business need for agility, scale, or cloud-native features
Repurchase Move to SaaS On-prem CRM → Salesforce, Email → SES Commercial product is better than self-managed
Relocate Move VMware to AWS without changes VMware vSphere → VMware Cloud on AWS VMware investment, need speed, keep same operations
Retain Keep on-premises (not ready yet) Mainframe with 1000+ dependencies Too complex, regulatory, or not cost-justified to move now
Retire Decommission Legacy app with 5 users No longer needed, redundant, or being replaced

Discovery & Assessment Tools

Tool How It Works Data Collected
Agentless Collector (OVA) Deploy virtual appliance in VMware vCenter VM inventory, CPU/RAM utilization, disk allocation (no network/process data)
Discovery Agent Install on each server (Windows/Linux) CPU, RAM, disk, network connections, running processes — full detail
Migration Hub Central dashboard for all migration tracking Server grouping, application mapping, migration status per tool
Migration Evaluator TCO analysis and business case Cost comparison: on-prem vs AWS for your specific workloads

Exam tip: Agentless Collector = VMware only, less detailed. Discovery Agent = any OS, full detail (processes, network connections). Use Agent when you need network dependency mapping to group servers into applications.

Migration Tools — Which to Use When

Tool Migrates How Best For
Application Migration Service (MGN) Entire servers (OS + apps + data) Continuous block-level replication → launch EC2 on cutover Rehost (lift & shift) of physical/virtual servers
Database Migration Service (DMS) Databases Full load + CDC (ongoing changes) Database migration with minimal downtime
AWS DataSync Files / NFS / SMB / HDFS / object storage Agent-based, scheduled or one-time transfer NAS migration, file server to S3/EFS/FSx, ongoing sync
Snow Family Large data (TBs to PBs) Physical device shipped, load data → ship to AWS Limited bandwidth, 10TB+, edge computing
Transfer Family Files via SFTP/FTPS/FTP Managed SFTP endpoint → S3/EFS Partners using legacy file transfer protocols
VMware Cloud on AWS VMware workloads vMotion or HCX (live migration) Relocate strategy — keep VMware operations as-is

Large-Scale Migration Patterns

Wave Planning

Group servers into migration waves based on dependencies and priority:

  • Wave 1: Simple, independent apps (prove the process)
  • Wave 2-N: Increasingly complex apps, grouped by dependency
  • Final wave: Most critical/complex applications

Migration Factory

Standardized, repeatable migration process for large-scale (100+ servers):

  • Playbooks — Step-by-step runbooks per application type
  • Automation — CloudFormation/CDK for landing zone, MGN for replication, SSM for post-migration config
  • Testing — Non-disruptive test launches from MGN before cutover
  • Cutover windows — Scheduled maintenance windows with rollback plan

Zero-Downtime Server Migration (MGN)

  1. Install replication agent on source servers → continuous block replication to AWS staging area
  2. Test launches — Launch test EC2 instances from replicated data. Validate. Terminate test instances.
  3. Cutover — Stop source server → Final sync (seconds) → Launch production EC2 → Update DNS/LB
  4. Downtime — Only during final sync + DNS switch (minutes)

Data Transfer Decision Guide

Data Size Available Bandwidth Recommended Tool
<10 TB Internet / Direct Connect DataSync (over network)
10-80 TB Limited (<100 Mbps) Snowball Edge
80 TB – PB Any Snowball Edge (multiple) or Snowmobile
Ongoing sync Direct Connect / VPN DataSync (scheduled) or DMS CDC (for databases)

Rule of thumb: If transfer over network takes >1 week, consider Snow Family. Formula: Data(TB) × 1024 × 8 / Bandwidth(Mbps) / 86400 = days.

Post-Migration Modernization Path

  • Rehost first, then modernize: Get to AWS fast (lift & shift), then iteratively improve
  • Database: EC2-hosted DB → RDS (managed) → Aurora Serverless (auto-scale) → DynamoDB (if key-value)
  • Compute: EC2 → Containers (ECS/Fargate) → Serverless (Lambda) where appropriate
  • Decouple: Monolith → Extract services using SQS/SNS/EventBridge for async communication
  • Storage: Block (EBS) → Object (S3) for unstructured data, shared file (EFS/FSx) for lift-and-shift NAS

Exam Tips

Exam Key Points
SAP-C02 “Lift and shift servers” → Application Migration Service (MGN). “Migrate database with minimal downtime” → DMS + CDC. “Migrate file servers” → DataSync. “50TB+ limited bandwidth” → Snow Family. “VMware to AWS without changes” → VMware Cloud on AWS (Relocate). “Understand dependencies” → Discovery Agent (not Agentless). “Track all migrations” → Migration Hub. “Minimize code changes” = Rehost/Replatform. “Cloud-native benefits” = Refactor.

AWS Certification Exam Practice Questions

Question 1:

A company needs to migrate 500 on-premises VMs to AWS with minimal downtime. They want to replicate servers continuously and perform non-disruptive test launches before the actual cutover. Which service provides this?

  1. AWS DataSync with scheduled replication
  2. AWS Application Migration Service (MGN) with continuous replication and test mode
  3. VM Import/Export to create AMIs from each VM
  4. AWS Database Migration Service with full load
Show Answer

Answer: B — Application Migration Service (MGN) continuously replicates server block storage to AWS. You can launch test instances at any time without affecting the source servers (non-disruptive testing). At cutover, it performs a final sync and launches production instances. This is the standard tool for rehost (lift-and-shift) migrations at scale. DataSync is for files/NFS. VM Import creates static AMIs (no continuous replication).

Question 2:

A company has 80TB of file data on an on-premises NAS (NFS). Their internet bandwidth is 200 Mbps. They need the data in S3 within 2 weeks and want ongoing daily synchronization after the initial transfer. What approach is MOST efficient?

  1. AWS DataSync over the internet for initial + ongoing sync
  2. AWS Snowball Edge for initial bulk load + DataSync for ongoing daily sync
  3. S3 Transfer Acceleration for initial upload + S3 replication for ongoing
  4. Direct Connect provisioning + DataSync over Direct Connect
Show Answer

Answer: B — At 200 Mbps, transferring 80TB over network would take: 80,000 GB × 8 / 200 Mbps / 86,400 = ~37 days. Exceeds the 2-week deadline. Snowball Edge (80TB capacity) handles the initial bulk load in ~1 week (load + ship + import). Once initial data is in S3, DataSync handles ongoing daily incremental sync over the 200 Mbps link (only new/changed files). Direct Connect takes weeks to provision — won’t help the deadline.

Question 3:

A company is planning migration of 1,000 servers across 50 applications. They need to understand server dependencies (which servers communicate with which) to group them into migration waves. Their infrastructure is a mix of physical servers and VMware VMs. Which discovery approach provides this information?

  1. Deploy the Agentless Collector virtual appliance in VMware vCenter
  2. Deploy the AWS Application Discovery Agent on each server
  3. Use AWS Migration Hub import template with manually gathered data
  4. Run AWS Config in the on-premises environment
Show Answer

Answer: B — The Discovery Agent collects network connections (which servers talk to which, on which ports), running processes, CPU, RAM, and disk details. This network dependency data is essential for grouping servers into applications for wave planning. The Agentless Collector only works for VMware VMs (not physical servers) and doesn’t capture network connections or processes. The company has physical servers too.

Question 4:

A company runs 200 VMware VMs on-premises. Their operations team is heavily invested in VMware tools (vCenter, NSX, vSAN). They want to move to AWS quickly without retraining the team or changing their operational model. Which migration strategy and service fits?

  1. Rehost — Use Application Migration Service to migrate each VM to EC2
  2. Relocate — Use VMware Cloud on AWS with HCX for live migration
  3. Replatform — Convert VMs to containers on ECS Fargate
  4. Refactor — Rebuild applications as serverless on Lambda
Show Answer

Answer: B — Relocate strategy uses VMware Cloud on AWS, which runs the full VMware stack (vCenter, NSX, vSAN) on dedicated AWS hardware. HCX enables live migration (vMotion) of VMs with zero downtime. The ops team continues using the same VMware tools — no retraining. Application Migration Service (Rehost) would move to EC2 instances, changing the operational model away from VMware.

Question 5:

After migrating a monolithic web application to EC2 (rehost), a company wants to modernize it incrementally. The application has a tightly coupled order processing module that causes cascading failures. What is the recommended FIRST modernization step?

  1. Rewrite the entire application as Lambda functions
  2. Extract the order processing module into a separate service, decouple with SQS
  3. Move the entire application to EKS with microservices
  4. Replace the application with a SaaS solution
Show Answer

Answer: B — The Strangler Fig pattern: extract one service at a time from the monolith, starting with the one causing the most problems. Decoupling with SQS prevents cascading failures (if order processing is slow/down, the main app continues — orders queue). This is incremental modernization without the risk of a full rewrite. Complete rewrites (A, C) are high-risk and unnecessary when you can modernize incrementally.

Related Posts

References

Frequently Asked Questions

What is the difference between Application Migration Service and DMS?

Application Migration Service (MGN) migrates entire servers (OS, applications, data) by replicating block storage — the result is an EC2 instance running the same workload. DMS migrates only database data between database engines with optional schema conversion. Use MGN for server migration (lift-and-shift). Use DMS for database-specific migration with schema conversion or engine change.

When should I use Snowball vs DataSync?

Use DataSync when your network can transfer the data within your timeframe (typically <10TB or adequate bandwidth). Use Snowball when network transfer would take too long (>1 week at available bandwidth) or when you have 10TB+ with limited connectivity. The break-even point depends on your bandwidth — calculate transfer time first.

How do I start a migration to AWS?

Follow the migration lifecycle: (1) Assess — Deploy Discovery Agent/Agentless Collector, gather data in Migration Hub, evaluate TCO with Migration Evaluator. (2) Decide strategy — Apply 7Rs per application (most will be Rehost initially). (3) Set up landing zone — Control Tower for multi-account, networking, security baseline. (4) Pilot — Migrate 2-3 simple apps to validate process. (5) Scale — Migration Factory for remaining waves.

AWS Serverless API Architecture – API Gateway, Lambda, DynamoDB & RDS Proxy

AWS Serverless API Architecture — Overview

The serverless API pattern is the most common modern application architecture on AWS — combining API Gateway for routing, Lambda for compute, and DynamoDB or Aurora+RDS Proxy for data. It provides zero server management, automatic scaling, and pay-per-request pricing. This architecture appears in 20%+ of SAP-C02 questions and is foundational for SAA-C03.

Serverless API Architecture on AWS
Client
(Web/Mobile)
CloudFront
(CDN + WAF)
API Gateway
REST / HTTP API
Auth + Throttle
Lambda
Business Logic
Auto-scales
Data Layer
DynamoDB (serverless)
Aurora + RDS Proxy
Auth: Cognito / Lambda Authorizer / IAM
Cache: API GW Cache / DAX / CloudFront
Observe: X-Ray / CloudWatch / Logs
Async: SQS buffer for spikes / Step Functions

API Gateway — REST vs HTTP API vs WebSocket

Feature REST API HTTP API WebSocket API
Cost $3.50/million requests $1.00/million requests (70% cheaper) $1.00/million messages + connection-minutes
Auth options IAM, Cognito, Lambda Authorizer, API Keys IAM, Cognito (JWT), Lambda Authorizer IAM, Lambda Authorizer
Caching ✅ Built-in (0.5-237 GB) ❌ (use CloudFront)
Usage Plans/API Keys
Request validation ✅ (parameter validation)
Latency Higher (~30ms overhead) Lower (~10ms overhead) Persistent connection
Best for Full-featured APIs needing caching, usage plans, API keys Modern APIs prioritizing cost and latency Real-time: chat, notifications, gaming

Exam tip: Default to HTTP API unless you specifically need REST API features (caching, usage plans, API keys, request/response transformation). HTTP API is 70% cheaper with lower latency.

Lambda — Patterns & Pitfalls

Connection Pooling Problem (Lambda + RDS)

The #1 tested Lambda anti-pattern: Lambda scales to hundreds of concurrent executions, each opening a database connection → overwhelms RDS connection limit → 5xx errors.

  • Solution: RDS Proxy — Sits between Lambda and RDS. Maintains a connection pool. Hundreds of Lambda instances share a few dozen actual DB connections. Handles connection multiplexing transparently.
  • Alternative: DynamoDB — HTTP-based connections, no connection limit. Truly serverless-native.

Cold Starts

  • Problem: First invocation after idle period requires container initialization (100ms-10s depending on runtime/dependencies)
  • Mitigation:
    • Provisioned Concurrency — Pre-warm N instances (eliminates cold starts, costs money)
    • SnapStart (Java only) — Snapshot after init, restore from snapshot on cold start (~10x faster)
    • Keep functions warm — CloudWatch scheduled rule pings function every 5 min (hacky, not recommended)
    • Smaller packages — Reduce deployment package size and dependencies
    • ARM (Graviton) — 20% cheaper + 10% faster startup on arm64

Lambda Best Practices

  • Initialize outside handler — DB connections, SDK clients, config loaded once and reused across invocations
  • Environment variables — Store config (not secrets) in env vars. Secrets → Secrets Manager with caching.
  • Use Powertools — AWS Lambda Powertools provides structured logging, tracing, metrics, idempotency out of the box
  • Right-size memory — More memory = more CPU. Use AWS Lambda Power Tuning to find optimal setting.

Database Layer — DynamoDB vs Aurora + RDS Proxy

Factor DynamoDB Aurora + RDS Proxy
Connection model HTTP API (no connection limit) TCP connections (need RDS Proxy to pool)
Scaling Infinite (on-demand or provisioned+auto-scale) Vertical (instance size) + read replicas
Data model Key-value / Document (single-table design) Relational (SQL, joins, transactions)
Consistency Eventually consistent (strongly consistent optional) Strongly consistent (ACID transactions)
Cost model Pay per request (on-demand) or per RCU/WCU Instance-hour + RDS Proxy per-connection
Choose when Key-value access patterns, extreme scale, serverless-native Complex queries, existing relational schema, ACID needed

Authentication & Authorization

Method How Best For
Cognito User Pool JWT token validation at API GW (no Lambda invoke for auth) Standard user auth (sign-up, MFA, OAuth/OIDC, social login)
Lambda Authorizer Custom Lambda validates token → returns IAM policy Custom auth logic, third-party tokens, bearer tokens from non-Cognito IdPs
IAM Authorization SigV4 signed requests, verified by API GW Service-to-service (machine-to-machine), internal APIs
API Keys x-api-key header (REST API only) Rate limiting per client (NOT security — for usage tracking/throttling)

Scaling & Limits

Component Default Limit Handling Spikes
API Gateway 10,000 RPS (account-level, adjustable) Throttling returns 429. Use usage plans for per-client limits.
Lambda 1,000 concurrent (scales +500/min after) Reserved concurrency for critical functions. SQS buffer for overflow.
DynamoDB (on-demand) 40K RCU / 40K WCU per table (adjustable) Auto-scales instantly. Previous peak × 2 pre-provisioned.
API GW timeout 29 seconds max (hard limit) For long tasks: API → SQS → Lambda (async). Return 202 Accepted + poll for result.

Handling the 29-Second Timeout

API Gateway has a hard 29-second timeout. For longer operations:

  • Async pattern: API → SQS → Lambda (no timeout). Return 202 + task ID immediately. Client polls a status endpoint.
  • WebSocket: Client opens WebSocket connection → receives result when ready (push-based).
  • Step Functions: API → Step Functions (async) → callback when complete.

Cost Optimization

  • HTTP API over REST API: 70% cheaper ($1/M vs $3.50/M). Use unless you need REST-specific features.
  • Lambda ARM (Graviton): 20% cheaper, 10% faster. Switch with one config change.
  • API Gateway caching: Reduces Lambda invocations for repeated requests (REST API only). $0.02-$3.80/hr depending on cache size.
  • DynamoDB on-demand: Best for unpredictable traffic. Switch to provisioned + auto-scaling for predictable patterns to save 50%+.
  • Lambda right-sizing: Use Power Tuning to find optimal memory. Over-provisioned memory wastes money; under-provisioned increases duration (= higher cost).
  • CloudFront caching: Cache static responses and semi-dynamic content at edge. Each cache hit avoids API GW + Lambda invoke.
  • Reserved Concurrency: Free (limits max scale). Provisioned Concurrency costs money (use only where cold starts matter).

Exam Tips

Exam Key Points
SAP-C02 “Lambda + RDS connection errors under load” → RDS Proxy. “29s timeout” → async with SQS. “Reduce API cost” → HTTP API. “Eliminate cold starts” → Provisioned Concurrency. “Serverless + SQL” → Aurora Serverless + RDS Proxy.
SAA-C03 Basic pattern: API GW → Lambda → DynamoDB. Auth: Cognito. “Cheapest” → HTTP API + DynamoDB on-demand. “Key-value at scale” → DynamoDB. “Complex queries” → Aurora.

AWS Certification Exam Practice Questions

Question 1:

A serverless application uses Lambda functions and an Amazon RDS PostgreSQL database. Under peak load, the application returns intermittent 5xx errors. CloudWatch shows Lambda concurrency reaching 500 while RDS shows max connections exhausted. What is the MOST operationally efficient fix?

  1. Increase the RDS instance size to allow more connections
  2. Add Amazon RDS Proxy between Lambda and the database
  3. Reduce Lambda reserved concurrency to 50
  4. Replace RDS with DynamoDB
Show Answer

Answer: B — RDS Proxy maintains a connection pool and multiplexes hundreds of Lambda connections into a small number of actual database connections. This solves the connection exhaustion without changing application code, reducing Lambda concurrency (which affects throughput), or migrating databases. It’s the purpose-built solution for Lambda-RDS scaling.

Question 2:

A company’s API Gateway REST API costs $10,000/month due to high request volume. Most requests (80%) hit the same 5 endpoints with identical responses for any given 5-minute window. The team wants to reduce costs without changing the application. What should they do?

  1. Enable API Gateway caching with a 300-second TTL
  2. Switch from REST API to HTTP API
  3. Add CloudFront in front of API Gateway with caching
  4. Move to Application Load Balancer with Lambda targets
Show Answer

Answer: A — API Gateway caching (REST API) caches responses for the specified TTL. With 80% of requests being cacheable with 5-minute TTL, cache hits don’t invoke Lambda and reduce both API GW request charges and Lambda invocation costs by up to 80%. Switching to HTTP API saves 70% on per-request cost but still invokes Lambda for every request. CloudFront also works but adds complexity.

Question 3:

A serverless API has a Lambda function that takes 45 seconds to process complex report generation requests. Clients receive timeout errors. The API must return results to the client. Which architecture solves this?

  1. Increase API Gateway timeout to 60 seconds
  2. Use API Gateway → SQS → Lambda (async). Return 202 with task ID. Client polls a separate status endpoint for results.
  3. Use Lambda Provisioned Concurrency to speed up processing
  4. Switch to Application Load Balancer (120s timeout) with Lambda target
Show Answer

Answer: B — API Gateway has a hard 29-second timeout (cannot be increased). The async pattern: accept the request immediately (202 + task ID), process in background via SQS → Lambda, client polls a GET /status/{taskId} endpoint. ALB has 900s timeout which works technically but the question specifies serverless architecture. The async pattern is the AWS-recommended approach for long-running serverless operations.

Question 4:

A mobile app needs user authentication with social login (Google, Facebook), MFA, and email verification. After authentication, users access an API Gateway API. Which is the SIMPLEST authentication setup?

  1. Lambda Authorizer that validates OAuth tokens from social providers
  2. Amazon Cognito User Pool with social identity providers, configured as API Gateway authorizer
  3. IAM authentication with Cognito Identity Pool for temporary credentials
  4. Custom authentication microservice on ECS behind the same API Gateway
Show Answer

Answer: B — Cognito User Pool natively supports social login (Google, Facebook, Apple), MFA, email verification, and issues JWT tokens. API Gateway validates JWTs from Cognito directly without invoking Lambda for auth. This is the simplest managed solution — no custom code for authentication logic. Lambda Authorizers work but require custom code to validate each provider’s tokens.

Question 5:

A DynamoDB table serves a serverless API. Traffic is highly spiky — near zero at night, 50,000 WCU during flash sales (lasting 30 minutes, 2-3 times per month). The table currently uses provisioned capacity with auto-scaling but users experience throttling during the first minutes of each flash sale. What change eliminates the throttling?

  1. Pre-scale the table manually before each flash sale
  2. Switch to DynamoDB on-demand capacity mode
  3. Increase the auto-scaling target utilization to 90%
  4. Add DynamoDB Accelerator (DAX) for write caching
Show Answer

Answer: B — DynamoDB on-demand mode instantly accommodates up to double the previous peak throughput. It handles spiky, unpredictable workloads without throttling or pre-provisioning. Auto-scaling (provisioned) takes 5-15 minutes to react — too slow for sudden flash sales. DAX caches reads, not writes. Manual pre-scaling works but has operational overhead and requires knowing the exact timing.

Related Posts

References

Frequently Asked Questions

When should I use serverless vs containers?

Use serverless (Lambda) for event-driven, short-duration tasks (<15 min), variable traffic with periods of zero load, and when you want zero infrastructure management. Use containers (ECS/EKS) for long-running processes, consistent high throughput, specific runtime requirements, or when you need persistent connections (WebSocket servers, gRPC).

What is the difference between HTTP API and REST API?

HTTP API is 70% cheaper, lower latency, and simpler — supports JWT auth, Lambda/HTTP integrations, and CORS. REST API adds caching, usage plans/API keys, request/response transformation, WAF integration, and resource policies. Use HTTP API unless you specifically need a REST API feature.

How do I handle tasks longer than 29 seconds?

API Gateway’s maximum timeout is 29 seconds (hard limit). For longer tasks: (1) Accept request and return 202 immediately, (2) Process asynchronously via SQS → Lambda or Step Functions, (3) Client polls a status endpoint or receives a WebSocket/callback notification when complete. This is the standard async API pattern.

AWS Multi-Region Active-Active Architecture – Route 53, DynamoDB Global & Aurora

AWS Multi-Region Active-Active Architecture — Overview

A multi-region active-active architecture serves traffic from multiple AWS regions simultaneously, providing near-zero RTO/RPO, global low-latency access, and resilience against full region failures. This is the most advanced availability pattern and is heavily tested on SAP-C02 for mission-critical workloads.

Multi-Region Active-Active Architecture
Global Layer
Route 53 (latency/weighted routing + health checks) | CloudFront (edge caching) | Global Accelerator (anycast)
Region A (us-east-1)
ALB → ECS/EKS (full production scale)
Aurora Global (Writer) or DynamoDB Global
ElastiCache (session store)
S3 (CRR to Region B)
← Replication →
DynamoDB: multi-master
Aurora: <1s async
S3: async CRR
Region B (eu-west-1)
ALB → ECS/EKS (full production scale)
Aurora Global (Reader→promote) or DynamoDB Global
ElastiCache (session store)
S3 (CRR from Region A)
Failover: Route 53 health check detects Region A failure → removes from DNS → Region B absorbs all traffic
Challenge: Data consistency, conflict resolution, split-brain prevention, session management across regions

Data Layer — Active-Active Options

Service Multi-Region Model Consistency Failover
DynamoDB Global Tables Multi-master (read-write in all regions) Eventually consistent cross-region (~1s). Last-writer-wins conflict resolution. Automatic — other regions continue serving read-write
Aurora Global Database Single writer + read replicas in other regions <1s replication lag. Strong consistency in writer region. Managed failover promotes secondary to writer (~1 min). Planned switchover with zero data loss.
Aurora DSQL Multi-region active-active with strong consistency Strongly consistent across regions (distributed transactions) Automatic — no failover needed, all regions active
ElastiCache Global Datastore Active primary + read replicas cross-region Async replication (<1s typical) Promote secondary to primary (~minutes)
S3 Cross-Region Replication Async object replication (one-way or bidirectional) Eventually consistent (seconds to minutes for replication) Access replica bucket directly — no failover action needed

When to Use Which Database

  • DynamoDB Global Tables: True active-active (write in any region), key-value/document workloads, can tolerate eventual consistency and last-writer-wins
  • Aurora Global: Relational workloads needing SQL/joins, single-writer acceptable (reads globally), fast managed failover
  • Aurora DSQL: Need strong consistency with active-active writes across regions (newest option, distributed SQL)

Global Traffic Routing

Service How It Routes Failover Mechanism Best For
Route 53 Latency Routing Routes to region with lowest latency for user Health checks remove unhealthy region Latency-optimized global distribution
Route 53 Weighted Routing Split traffic by percentage (e.g., 70/30) Health checks remove 0-weight Gradual migration, canary between regions
Route 53 Failover Routing Primary → Secondary (active-passive) Health check fails → switch to secondary Active-passive DR (not active-active)
CloudFront Edge caching + origin failover Origin group: primary fails → secondary origin Static/dynamic content with edge caching
Global Accelerator Anycast IPs → nearest healthy endpoint Health checks → instant reroute (no DNS TTL delay) TCP/UDP apps needing static IPs + instant failover

Route 53 vs Global Accelerator for Failover

  • Route 53: DNS-based — failover speed depends on TTL (typically 60s). Client caches DNS. Good for most web applications.
  • Global Accelerator: Network-layer — failover in seconds (no DNS caching issue). Static anycast IPs never change. Better for latency-sensitive or non-HTTP applications.

Key Challenges & Solutions

1. Data Consistency

  • Problem: Two regions writing to the same record simultaneously → conflict
  • DynamoDB solution: Last-writer-wins (timestamp-based). Application must tolerate this. Use conditional writes for critical operations.
  • Aurora solution: Single writer region eliminates write conflicts. Use write-forwarding for reads-everywhere, writes-to-primary.
  • Aurora DSQL: Distributed transactions with strong consistency (no conflicts, correctness guaranteed)

2. Session Management

  • Problem: User session created in Region A, next request routes to Region B
  • Solutions:
    • ElastiCache Global Datastore for cross-region session replication
    • DynamoDB Global Tables for session storage (available everywhere)
    • Sticky sessions (Route 53 geo/latency keeps user in same region)
    • Stateless JWT tokens (no server-side session needed)

3. Split-Brain Prevention

  • Problem: Network partition between regions — both think they’re the primary
  • Solution: DynamoDB Global Tables handle this natively (multi-master, no split-brain). Aurora uses managed failover with fencing (old writer is demoted). For custom logic: use DynamoDB conditional writes as a distributed lock.

4. Deployment Consistency

  • Problem: Application versions must be identical across regions
  • Solution: CI/CD pipeline deploys to all regions simultaneously (CodePipeline cross-region actions). Use CloudFormation StackSets for infrastructure. Container images replicated via ECR cross-region replication.

Cost Considerations

  • Compute: Full production capacity in 2+ regions (2x baseline compute cost)
  • Data transfer: Cross-region replication incurs data transfer fees ($0.02/GB between regions)
  • DynamoDB Global Tables: Pay for write capacity in each replica region (replicated writes charged)
  • Aurora Global: Read replicas in secondary region are cheaper than full writer clusters
  • Optimization: Use CloudFront to reduce origin requests (cache hit → no cross-region call). Compress data before replication.

Active-Active vs Active-Passive

Aspect Active-Active Active-Passive
Traffic Both regions serve production traffic simultaneously Only primary serves traffic; secondary is standby
RTO Near-zero (no failover action needed) Minutes (failover must be triggered)
RPO Near-zero (data in both regions) Seconds-minutes (replication lag)
Cost 2x (full infrastructure in both regions) 1.3-1.5x (reduced standby in secondary)
Complexity High (consistency, conflicts, session management) Medium (straightforward failover)
Use case Mission-critical (financial, global SaaS, healthcare) Important but can tolerate brief outage

Exam Tips

Exam Key Points
SAP-C02 “Zero downtime even during region failure” → Active-Active. “Read-write in any region” → DynamoDB Global Tables. “Relational + fast failover” → Aurora Global. “Instant failover without DNS delay” → Global Accelerator. “Lowest latency for global users” → Route 53 latency + CloudFront. Watch for data consistency trade-offs in answers.

AWS Certification Exam Practice Questions

Question 1:

A global financial platform requires users in US and Europe to have read-write access to the same data with sub-5ms latency. The system must continue operating with zero downtime even if an entire AWS region fails. Which database architecture supports this?

  1. Aurora Global Database with write-forwarding from European reader
  2. DynamoDB Global Tables with replicas in us-east-1 and eu-west-1
  3. RDS Multi-AZ with cross-region read replicas and manual promotion
  4. ElastiCache Global Datastore with application-level write routing
Show Answer

Answer: B — DynamoDB Global Tables provide multi-master replication: both regions accept writes with single-digit millisecond latency locally. If one region fails, the other continues with zero intervention. Aurora Global only has one writer region (write-forwarding adds latency). RDS read replicas require manual promotion (downtime).

Question 2:

A company uses Route 53 latency-based routing for multi-region active-active. During a regional outage, they notice some users still route to the failed region for up to 60 seconds due to DNS TTL caching. How can they achieve faster failover?

  1. Reduce Route 53 TTL to 1 second
  2. Replace Route 53 with AWS Global Accelerator
  3. Add CloudFront in front with origin failover group
  4. Use Route 53 health checks with faster interval (10s)
Show Answer

Answer: B — Global Accelerator uses anycast IPs at the network layer (not DNS). When a region fails, traffic is rerouted at the AWS edge in seconds without waiting for DNS TTL expiry. The static anycast IPs never change for clients. Reducing DNS TTL helps but can’t eliminate the caching delay entirely (resolvers may not honor very low TTLs).

Question 3:

A multi-region active-active application using DynamoDB Global Tables discovers that two regions occasionally write to the same item simultaneously, causing data inconsistency. The business logic requires that only the FIRST write wins (not last). How should they handle this?

  1. Switch to Aurora Global Database (single writer prevents conflicts)
  2. Use DynamoDB conditional writes with version attribute (reject if version changed)
  3. Configure DynamoDB Global Tables to use first-writer-wins instead of last-writer-wins
  4. Add SQS queue to serialize all writes through a single region
Show Answer

Answer: B — DynamoDB conditional writes with a version attribute (optimistic locking) ensure that a write only succeeds if the item hasn’t been modified since it was last read. The first write succeeds; the second write’s condition fails (version mismatch) and the application can retry or reject. DynamoDB Global Tables only support last-writer-wins natively — you must implement first-writer-wins at the application level.

Question 4:

A company wants to deploy a multi-region active-active web application. They need users globally to experience <50ms response time for static content and <200ms for dynamic API calls. Which combination of services achieves this?

  1. Route 53 latency routing → ALB in each region (both static and dynamic)
  2. CloudFront (static + dynamic caching) + Route 53 latency routing → ALB for API + Global Accelerator for WebSocket
  3. Global Accelerator for everything (static + dynamic)
  4. CloudFront with Lambda@Edge processing all requests
Show Answer

Answer: B — CloudFront caches static content at 400+ edge locations (<50ms globally). For dynamic API calls, Route 53 latency routing directs to the nearest region’s ALB (<200ms). Global Accelerator handles WebSocket/TCP connections needing static IPs and instant failover. This layered approach optimizes each traffic type differently.

Question 5:

An active-active application stores user sessions in ElastiCache Redis. When a user’s requests route to a different region (due to Route 53 latency changes), they lose their session and must re-authenticate. How should this be fixed?

  1. Use sticky sessions in Route 53 (geolocation routing to keep user in one region)
  2. Replace ElastiCache with DynamoDB Global Tables for session storage
  3. Use ElastiCache Global Datastore to replicate sessions cross-region
  4. Store sessions in client-side JWT tokens (stateless, no server session)
Show Answer

Answer: D — Stateless JWT tokens stored client-side eliminate the cross-region session problem entirely. The token is sent with every request regardless of which region handles it. DynamoDB Global Tables (B) and ElastiCache Global Datastore (C) also work but add latency and complexity. JWTs are the simplest and most scalable solution for active-active session management.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

Does active-active mean both regions handle writes?

It depends on the database. With DynamoDB Global Tables: yes, both regions accept writes (multi-master). With Aurora Global: only one region writes (single-master), other regions serve reads with fast failover to become writer. True multi-region active-active writes require DynamoDB Global Tables or Aurora DSQL.

How much does active-active cost compared to single-region?

Roughly 2x for compute (full capacity in both regions) + cross-region data transfer fees ($0.02/GB). DynamoDB Global Tables charge for replicated write capacity. The cost premium is justified only for mission-critical workloads where any downtime has severe business impact. Consider Warm Standby (1.3x cost) as a cheaper alternative if minutes of RTO is acceptable.

What is the difference between Global Accelerator and CloudFront for multi-region?

CloudFront is a CDN that caches content at edge locations — best for HTTP/HTTPS with cacheable content. Global Accelerator is a network-layer accelerator with static anycast IPs — best for non-cacheable traffic, TCP/UDP applications, or when you need instant failover without DNS delays. Use both together: CloudFront for static/cacheable, Global Accelerator for real-time APIs/WebSocket.

AWS Config vs CloudTrail vs CloudWatch – Monitoring & Compliance Compared

AWS Config vs CloudTrail vs CloudWatch — Overview

These three services are frequently confused because they all relate to “monitoring.” However, each serves a distinct purpose: CloudWatch monitors performance metrics and logs, CloudTrail audits API activity (who did what), and Config tracks resource configuration compliance (is it configured correctly). This is a common SAP-C02 and SCS-C03 question.

Config vs CloudTrail vs CloudWatch — What Each Monitors
Amazon CloudWatch
“How is it performing?”
Metrics: CPU, memory, disk, network, custom
Logs: Application logs, VPC Flow Logs
Alarms: Threshold → SNS/Auto Scaling
Dashboards: Real-time visualization
Synthetics: Canary endpoint checks
Performance & operational health
AWS CloudTrail
“Who did what, when?”
API logging: Every AWS API call recorded
Who: IAM identity (user/role/service)
What: Action (RunInstances, PutObject)
When: Timestamp + source IP
Lake: SQL queries on audit events
Audit trail & accountability
AWS Config
“Is it configured correctly?”
Configuration recording: Track state of all resources
Rules: Evaluate compliance (is EBS encrypted?)
Remediation: Auto-fix non-compliant resources
History: How was a resource configured at any point?
Conformance Packs: Collection of rules as template
Configuration compliance
Together: CloudWatch tells you something is wrong (alarm) → CloudTrail tells you who changed it (audit) → Config tells you what changed from compliant state (drift)

Detailed Comparison

Aspect CloudWatch CloudTrail Config
Question answered Is my application healthy? Who made this change? Is this resource compliant?
Data type Metrics, logs, traces API events (management + data events) Resource configuration state
Real-time? Yes (1-sec metrics, real-time logs) Near real-time (~5 min delay typically) Near real-time (triggered on change)
Alerting Alarms (threshold, anomaly, composite) Via EventBridge on specific API calls Non-compliant notification via SNS/EventBridge
History Metric data (up to 15 months), logs (configurable retention) 90 days (console) or unlimited (S3/Lake) Full resource configuration timeline
Scope Performance of AWS resources + applications All AWS API calls across all services Configuration of supported AWS resources
Remediation Alarm → Auto Scaling, SNS, Lambda No built-in (use EventBridge → Lambda) Built-in auto-remediation (SSM Automation)
Compliance Not compliance-focused Audit compliance (prove who did what) Configuration compliance (CIS, PCI, custom rules)

When to Use Which

Scenario Service
“Alert me when CPU exceeds 80% for 5 minutes” CloudWatch (metric alarm)
“Who deleted the S3 bucket at 3 AM?” CloudTrail (API event log)
“Are all EBS volumes encrypted?” Config (rule: encrypted-volumes)
“What was the Security Group configuration last Tuesday?” Config (configuration timeline)
“Send me application error logs” CloudWatch Logs
“Which IAM user created this EC2 instance?” CloudTrail
“Auto-fix any S3 bucket that becomes public” Config (rule + auto-remediation)
“Alert when someone calls DeleteTrail API” CloudTrail → EventBridge (rule on specific API)
“Dashboard showing request latency across microservices” CloudWatch (dashboard + X-Ray)

How They Work Together

A common scenario illustrating all three:

  1. CloudWatch alarm fires: RDS CPU at 95% for 10 minutes
  2. Investigation via CloudTrail: Who modified the RDS instance? → Shows IAM user changed instance type from db.r5.xlarge to db.t3.micro 2 hours ago
  3. Config shows: The RDS instance is now non-compliant with the “minimum-rds-instance-size” Config rule → Configuration timeline shows exact before/after
  4. Resolution: Config auto-remediation triggers SSM Automation to resize back to compliant instance type

CloudWatch Deep Dive

  • Metrics: Standard (5-min, free) + Detailed (1-min, paid) + Custom (put your own). Up to 1-second resolution with high-resolution metrics.
  • Logs: Log Groups → Log Streams. Metric filters extract metrics from log data. Logs Insights for SQL-like queries.
  • Alarms: Metric alarms (threshold), composite alarms (combine multiple), anomaly detection (ML-based).
  • Synthetics: Canary scripts that test endpoints on a schedule (availability monitoring).
  • Application Signals: APM — auto-discovery of services, SLO tracking, correlated metrics/traces/logs.

CloudTrail Deep Dive

  • Management events: Control plane operations (CreateBucket, RunInstances, AttachRolePolicy). Enabled by default.
  • Data events: Data plane operations (GetObject, PutObject, InvokeFunction). Must be explicitly enabled (high volume).
  • Insights events: Detect unusual API activity patterns (spike in API calls, error rate anomalies).
  • Organization Trail: Single trail covers all accounts in the organization → centralized to Log Archive S3 bucket.
  • CloudTrail Lake: SQL-based querying of trail events (up to 7 years retention in Lake).

AWS Config Deep Dive

  • Configuration Recorder: Records the configuration of supported resources whenever changes occur.
  • Config Rules: Managed rules (180+) or custom Lambda rules. Evaluate on change or on schedule.
  • Auto-Remediation: Link a rule to an SSM Automation document → auto-fix non-compliant resources.
  • Conformance Packs: Collection of rules deployed as a unit (e.g., “PCI-DSS pack” with 30 rules).
  • Aggregator: Aggregate compliance data from multiple accounts/regions into single dashboard.
  • Advanced Queries: SQL-like queries across all recorded resource configurations.

Exam Tips

Exam Key Points
SAP-C02 “Monitor performance” → CloudWatch. “Audit who changed” → CloudTrail. “Ensure compliance” → Config. “Track configuration history” → Config. “Detect unusual API patterns” → CloudTrail Insights.
SCS-C03 Organization Trail (immutable, centralized), Config rules for security compliance (encryption, public access), CloudTrail Lake for security investigations, Config auto-remediation for security drift, CloudWatch for operational security alerts.

AWS Certification Exam Practice Questions

Question 1:

A security team needs to answer: “Which IAM user terminated the production EC2 instance last night at 11 PM?” Which service provides this information?

  1. CloudWatch Logs
  2. AWS CloudTrail
  3. AWS Config
  4. VPC Flow Logs
Show Answer

Answer: B — CloudTrail records ALL AWS API calls including TerminateInstances. The event shows: who (IAM identity), what (ec2:TerminateInstances), when (timestamp), where (source IP), and which resource (instance ID). This is the audit trail for accountability.

Question 2:

A compliance requirement states: “All RDS instances must have encryption enabled. Any unencrypted RDS instance must be automatically flagged and the team notified.” Which service implements this?

  1. CloudWatch alarm on RDS metrics
  2. CloudTrail monitoring CreateDBInstance events
  3. AWS Config rule (rds-storage-encrypted) with SNS notification on non-compliance
  4. GuardDuty RDS Protection
Show Answer

Answer: C — AWS Config rule “rds-storage-encrypted” continuously evaluates all RDS instances and marks unencrypted ones as NON_COMPLIANT. Config can trigger SNS notification on compliance state changes. It can also auto-remediate. CloudWatch monitors performance (not configuration). CloudTrail records the creation event but doesn’t evaluate compliance.

Question 3:

An architect needs to view how a Security Group was configured 3 weeks ago, before someone changed it and broke the application. Which service provides this historical configuration view?

  1. CloudTrail (shows the API call that changed it)
  2. AWS Config (shows the actual configuration at any point in time)
  3. CloudWatch (shows metrics from 3 weeks ago)
  4. VPC Flow Logs (shows network traffic history)
Show Answer

Answer: B — Config maintains a configuration timeline for each recorded resource. You can view the EXACT configuration of the Security Group at any point in time (what rules it had 3 weeks ago). CloudTrail would show WHO changed it and WHAT API was called, but not the full before/after configuration snapshot. Config gives you both the timeline and the diff.

Question 4:

A company wants to detect when someone disables CloudTrail logging in any account (a potential indicator of compromise). What is the FASTEST way to detect and alert on this?

  1. AWS Config rule checking CloudTrail status hourly
  2. EventBridge rule matching the CloudTrail StopLogging API event → SNS alert
  3. CloudWatch metric on CloudTrail event count dropping to zero
  4. GuardDuty Stealth finding for CloudTrail disabled
Show Answer

Answer: B — EventBridge receives CloudTrail management events in near real-time. A rule matching {“source”: [“aws.cloudtrail”], “detail”: {“eventName”: [“StopLogging”, “DeleteTrail”]}} triggers instantly and sends an SNS alert. This is faster than Config (evaluates on schedule/change) and more specific than GuardDuty (which may detect this but with broader context and potential delay).

Question 5:

A company needs a unified view of resource compliance across 100 accounts and 4 regions. They want to see compliance percentages for CIS benchmarks, PCI-DSS, and custom rules in a single dashboard. Which approach is MOST efficient?

  1. AWS Config Aggregator in a central account collecting from all accounts/regions
  2. Security Hub with compliance standards enabled across all accounts
  3. Custom dashboard querying CloudWatch metrics from each account
  4. CloudTrail Lake with compliance-focused SQL queries
Show Answer

Answer: B — Security Hub provides built-in compliance standards (CIS, PCI-DSS, NIST, AWS Foundational Best Practices) with automated scoring. It aggregates across all accounts (delegated admin) and all regions (cross-region aggregation). It provides compliance percentages, tracks trends, and shows specific non-compliant resources. Config Aggregator works for Config rules but doesn’t have pre-built compliance frameworks or the unified scoring dashboard.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

Can CloudTrail replace CloudWatch Logs?

No — they serve different purposes. CloudTrail logs AWS API calls (control plane: who created/deleted/modified resources). CloudWatch Logs stores application logs, VPC Flow Logs, and custom log data (data plane: what happened inside your application). You need both for complete observability.

AWS Config vs CloudTrail — both track changes, what’s the difference?

CloudTrail answers “WHO made the API call and WHEN” (event-focused). Config answers “WHAT is the resource’s configuration NOW and BEFORE” (state-focused). CloudTrail gives you the action; Config gives you the resulting state. Config also evaluates compliance against rules — CloudTrail doesn’t.

Do I need all three services?

For production workloads: yes. CloudWatch for operational health and alerting. CloudTrail for security audit and accountability. Config for compliance and configuration drift detection. Most organizations enable all three as baseline. They’re complementary, not alternatives.