AWS Security – Whitepaper – Certification
📋 Important Update
The original AWS Security Whitepaper and the “Overview of Security Processes” whitepaper have been archived by AWS and marked as “historical reference only.” AWS now recommends the following current resources:
The core concepts below remain relevant for AWS certification exams, updated with current information.
Shared Security Responsibility Model
In the Shared Security Responsibility Model, AWS is responsible for securing the underlying infrastructure that supports the cloud (“Security of the Cloud”), and you’re responsible for anything you put on the cloud or connect to the cloud (“Security in the Cloud”).
AWS Security Responsibilities (“Security OF the Cloud”)
- AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure consists of the hardware, software, networking, and facilities that run AWS services.
- AWS provides reports from third-party auditors who have verified its compliance with a variety of computer security standards and regulations (available via AWS Artifact).
- AWS is responsible for the security configuration of its products that are considered managed services, e.g. RDS, DynamoDB, Lambda, Fargate.
- For managed services, AWS handles basic security tasks such as guest operating system (OS) and database patching, firewall configuration, and disaster recovery; the customer still defines the network access rules (security groups) and the data-level controls for the service.
- AWS infrastructure is built on the AWS Nitro System, which provides hardware-enforced isolation between instances and prohibits administrative access to customer data.
Customer Security Responsibilities (“Security IN the Cloud”)
- AWS Infrastructure as a Service (IaaS) products, e.g. EC2, VPC, and S3, are completely under your control and require you to perform all of the necessary security configuration and management tasks.
- For EC2 this means management of the guest OS (including updates and security patches), any application software or utilities installed on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.
- For managed services, you are responsible for configuring logical access controls for the resources, protecting account credentials, and encrypting data at rest and in transit as applicable.
- Identity and access management using AWS IAM, including MFA, password policies, IAM roles, and least-privilege access
- Data encryption at rest and in transit using services like AWS KMS, ACM, and S3 encryption options
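As an added illustration of how these customer-side controls compose (this is example code written for this page, not from the AWS whitepaper or any AWS SDK): the evaluator below implements the documented single-policy decision order for IAM and resource policies (an explicit Deny wins, otherwise an Allow is required, otherwise the request is implicitly denied) and runs it over a constructed S3 bucket policy that grants least-privilege object access and denies any request not sent over TLS using the aws:SecureTransport condition key. The bucket name, the omitted Principal elements and the request contexts are assumptions for the example; only the Bool and StringEquals operators are implemented, and NotAction, Principal matching, policy variables and negated operators are deliberately out of scope.

```python
"""Single-policy IAM evaluation (added example; not AWS code).

Implements the documented decision order for one policy document:
an explicit Deny always wins, otherwise an Allow is required, otherwise
the request is implicitly denied. Supports Action/Resource wildcards and
the Bool and StringEquals condition operators only.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively with * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively with * and ? wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Every operator/key pair must match; a key absent from the request
    # context makes a Bool or StringEquals condition fail.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if str(actual) not in [str(e) for e in _as_list(expected)]:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not supported here")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny short-circuits everything else
        decision = "Allow"         # keep scanning: a later Deny can still win
    return decision


# Constructed sample bucket policy (assumed bucket name, Principal omitted):
# least-privilege read/write on objects, plus a blanket Deny for any request
# that did not arrive over TLS.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReadWriteObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

OBJECT = "arn:aws:s3:::example-bucket/report.csv"
TLS = {"aws:SecureTransport": "true"}        # constructed request context
PLAINTEXT = {"aws:SecureTransport": "false"}  # same request sent over HTTP

if __name__ == "__main__":
    print(evaluate(BUCKET_POLICY, "s3:PutObject", OBJECT, TLS))        # Allow
    print(evaluate(BUCKET_POLICY, "s3:PutObject", OBJECT, PLAINTEXT))  # Deny
    print(evaluate(BUCKET_POLICY, "s3:DeleteBucket", "arn:aws:s3:::example-bucket", TLS))  # ImplicitDeny
```

The three calls at the bottom show the three outcomes a practitioner should expect: the permitted action over TLS is allowed, the identical action over plaintext hits the Deny even though an Allow also matches, and an action no statement grants (DeleteBucket) is implicitly denied without any Deny statement being needed.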
Shared Responsibility Model Variations
- Infrastructure services (EC2, EBS, VPC): the customer manages the guest OS, patching, security group and network ACL rules, and encryption of data and volumes.
- Container services (RDS, EMR, Elastic Beanstalk, ECS): AWS manages the OS and platform; the customer manages access, firewall rules (security groups), and data encryption.
- Abstracted services (S3, DynamoDB, Lambda, SQS): AWS manages the platform entirely; the customer manages data classification, IAM and resource policies, and encryption options.
AWS Global Infrastructure Security
AWS Nitro System
- The AWS Nitro System is the underlying platform for all modern EC2 instances, providing hardware-based security isolation
- Virtualization resources are offloaded to dedicated hardware and software, minimizing the attack surface
- The Nitro System’s security model is locked down: there is no mechanism for AWS operators to log in to Nitro hosts or access customer instance memory or data, which removes operator access as a vector for human error and tampering
- Nitro Isolation Engine (GA 2025 on Graviton5) – The first commercially deployed formally verified hypervisor, providing mathematically proven isolation between virtual machines
- Nitro Enclaves – Provides isolated compute environments for processing highly sensitive data (e.g., PII, healthcare, financial data) with no persistent storage, interactive access, or external networking
AWS Compliance Program
AWS supports 143 security standards and compliance certifications, including:
- SOC 1, SOC 2, SOC 3 (covering 188 services as of Spring 2026)
- ISO 9001, ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 20000-1
- CSA STAR CCM v4.0
- FedRAMP (High, Moderate)
- PCI DSS Level 1
- FIPS 140-3 (upgraded from FIPS 140-2)
- HIPAA
- GDPR
- NIST 800-171 (CMMC 2.0)
- C5 (Cloud Computing Compliance Criteria Catalogue)
- ITAR
- MTCS Level 3
- IRAP (Australia)
Compliance reports are available through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports and select online agreements.
Physical and Environmental Security
Storage Decommissioning
- When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
- AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.
- All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
- Media that stored customer data is not removed from AWS control until it has been securely decommissioned.
Network Security
Amazon Corporate Segregation
- AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access.
- Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network requires SSH public-key authentication through a bastion host.
Network Monitoring & Protection
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.
AWS network provides protection against traditional network security issues:
- DDoS – AWS Shield Standard (free, automatic protection against common L3/L4 DDoS attacks for all AWS customers) and AWS Shield Advanced (paid; protection against L3/L4/L7 attacks with 24/7 access to the Shield Response Team (SRT, formerly the DDoS Response Team), attack visibility and diagnostics, and DDoS cost protection). AWS WAF also offers an Anti-DDoS Managed Rule Group (2025) for automatic application-layer (L7) DDoS mitigation.
- Man in the Middle attacks – AWS APIs are available via SSL/TLS-protected endpoints which provide server authentication. AWS Certificate Manager (ACM) provides free public SSL/TLS certificates.
- IP spoofing – AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
- Port Scanning – Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked.
- Packet Sniffing by other tenants – It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. The Nitro System hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.
Penetration Testing
Updated Policy: AWS no longer requires prior approval for penetration testing on the following permitted services:
- Amazon EC2 instances, WAF, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateway
- AWS Lambda and Lambda@Edge functions
- Amazon Lightsail
- AWS Elastic Beanstalk
Prohibited activities (not covered by the customer penetration testing policy): DNS zone walking via Amazon Route 53 hosted zones, DoS/DDoS and simulated DoS/DDoS attacks, port flooding, protocol flooding, and request flooding. DDoS simulation testing is only allowed under AWS’s separate DDoS Simulation Testing policy with an AWS-approved testing partner; other simulated events, such as red team exercises or tests against services not on the permitted list, require authorization from AWS first.
Secure Design Principles
- Secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment
- Static code analysis tools are run as a part of the standard build process
- Recurring penetration testing performed by carefully selected industry experts
- AWS Nitro System hardware-level isolation with formally verified components
- Secure by Design principles documented in the 2024 AWS whitepaper “Building Security from the Ground Up”
AWS Account Security Features
AWS account security features include credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks.
AWS Credentials

Individual User Accounts
Do not use the root user for day-to-day work; instead create an IAM user for each person (or, preferably, use AWS IAM Identity Center, formerly AWS SSO, for centralized workforce identity management) and give each a unique set of credentials with only the least-privilege access required for their job function. Protect the root user with MFA and reserve it for the few tasks that require it.
Secure HTTPS Access Points
Use HTTPS (TLS 1.2 minimum, TLS 1.3 recommended), provided by all AWS service endpoints, for data transmission. TLS uses public-key cryptography to authenticate the endpoint and negotiate session keys, and symmetric encryption with integrity protection to prevent eavesdropping, tampering, and forgery in transit.
Security Logs
Use AWS CloudTrail, which records API calls made to AWS services in the account (management events by default; data events such as S3 object-level and Lambda invoke calls must be enabled explicitly) together with console sign-in events. CloudTrail logs can be delivered to Amazon S3 and CloudWatch Logs, queried in CloudTrail Lake, or ingested into Amazon Security Lake.
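Collecting the logs is only half of the control; something has to read them. The following is an added example (not from the whitepaper or any AWS tool) of three detection rules run over CloudTrail records: any root-user activity, console sign-ins that succeeded without MFA, and repeated failed console sign-ins from one source IP. The records are constructed for the example in the CloudTrail record shape (eventName, userIdentity, responseElements.ConsoleLogin, additionalEventData.MFAUsed); the account ID, user names, IP addresses, the 3-failures-in-10-minutes threshold and the rule names are all assumptions.

```python
"""Detection rules over CloudTrail records (added example; not AWS code).

SAMPLE_RECORDS is constructed for this example using CloudTrail field names;
it is not real log data. analyze() returns a list of findings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 3           # assumed tuning values for the example
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _event(event_id, name, source, identity, ip, minute, **extra):
    # Build one record in the CloudTrail shape (constructed sample data).
    rec = {
        "eventVersion": "1.08",
        "eventID": event_id,
        "eventTime": f"2024-05-01T10:{minute:02d}:00Z",
        "eventSource": source,
        "eventName": name,
        "userIdentity": identity,
        "sourceIPAddress": ip,
    }
    rec.update(extra)
    return rec


ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
SIGNIN = "signin.amazonaws.com"
FAIL = {"responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication"}

SAMPLE_RECORDS = [
    _event("e1", "ConsoleLogin", SIGNIN, ROOT, "198.51.100.7", 0,
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _event("e2", "ConsoleLogin", SIGNIN, ALICE, "203.0.113.9", 1, **FAIL),
    _event("e3", "ConsoleLogin", SIGNIN, ALICE, "203.0.113.9", 2, **FAIL),
    _event("e4", "ConsoleLogin", SIGNIN, ALICE, "203.0.113.9", 3, **FAIL),
    _event("e5", "ConsoleLogin", SIGNIN, BOB, "203.0.113.9", 4, **FAIL),
    _event("e6", "ConsoleLogin", SIGNIN, BOB, "10.0.0.5", 30,
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _event("e7", "CreateAccessKey", "iam.amazonaws.com", ROOT, "198.51.100.7", 45),
]


def analyze(records):
    """Apply the three rules; returns one finding dict per hit."""
    findings = []
    failures = defaultdict(list)     # source IP -> timestamps of failed sign-ins
    for r in sorted(records, key=lambda x: x["eventTime"]):
        identity = r.get("userIdentity", {})
        if identity.get("type") == "Root":
            findings.append({"rule": "ROOT_ACTIVITY", "eventID": r["eventID"],
                             "eventName": r["eventName"]})
        if r["eventName"] != "ConsoleLogin":
            continue
        outcome = r.get("responseElements", {}).get("ConsoleLogin")
        mfa = r.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Success" and mfa != "Yes":
            findings.append({"rule": "CONSOLE_LOGIN_WITHOUT_MFA", "eventID": r["eventID"],
                             "user": identity.get("userName", identity.get("type"))})
        elif outcome == "Failure":
            ip = r["sourceIPAddress"]
            now = _parse_time(r["eventTime"])
            window = [t for t in failures[ip] if now - t <= FAILED_LOGIN_WINDOW]
            window.append(now)
            failures[ip] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:   # fire once per burst, not per event
                findings.append({"rule": "REPEATED_FAILED_LOGINS", "eventID": r["eventID"],
                                 "sourceIPAddress": ip, "count": len(window)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f)
```

Note that the failed-login rule keys on the source IP rather than the user name, so the spray across two users from 203.0.113.9 is still caught, and that the root sign-in produces two findings (root activity and a sign-in without MFA), which is the combination Trusted Advisor's "MFA on root account" check exists to prevent.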
Trusted Advisor Security Checks
Use AWS Trusted Advisor which inspects your AWS environment and provides recommendations for cost optimization, performance, security, fault tolerance, service limits, and operational excellence. Security checks include open ports, MFA on root account, exposed access keys, and IAM usage.
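The "open ports" check above is simple enough to reproduce locally, which is useful when Trusted Advisor's full security checks are not available on the account's support plan. The script below is an added example (not Trusted Advisor's own logic or any AWS code): it walks a structure in the shape returned by `aws ec2 describe-security-groups` and flags inbound rules reachable from anywhere (0.0.0.0/0 or ::/0) that cover administrative or database ports, or all ports and protocols. Rules that reference another security group are scoped to that group's members and are not flagged. The sample groups, their IDs and the list of sensitive ports are constructed for the example.

```python
"""Open-port check over security group rules (added example; not AWS code).

SAMPLE is constructed to match the shape of `aws ec2 describe-security-groups`
output (GroupId, IpPermissions, IpRanges, Ipv6Ranges, UserIdGroupPairs); it
is not real output.
"""

WORLD = {"0.0.0.0/0", "::/0"}
# Assumed list of ports that should never be reachable from the whole Internet.
SENSITIVE_PORTS = {22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}


def _world_sources(perm):
    """CIDR sources of this rule that mean 'anyone'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def _exposed_ports(perm):
    """Sensitive ports covered by this rule's protocol and port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                     # all protocols, all ports
        return ["all"]
    if proto not in ("tcp", "udp"):       # icmp etc. carry no port numbers
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [f"{name}/{port}" for port, name in sorted(SENSITIVE_PORTS.items())
            if lo <= port <= hi]


def check_security_groups(describe_output):
    """Return one finding per world-reachable rule exposing a sensitive port."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = _world_sources(perm)
            if not sources:
                continue                  # private CIDR or security-group reference
            exposed = _exposed_ports(perm)
            if not exposed:
                continue                  # e.g. 443 open to the world on a public web tier
            findings.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                             "sources": sources, "exposed": exposed})
    return findings


def _rule(proto, lo=None, hi=None, v4=(), v6=(), groups=()):
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6],
            "UserIdGroupPairs": [{"GroupId": g, "UserId": "123456789012"} for g in groups]}
    if lo is not None:
        perm["FromPort"], perm["ToPort"] = lo, hi
    return perm


# Constructed sample: one acceptable public web tier, one exposed bastion,
# one correctly scoped database tier, one fully open legacy group and one
# wide port range that silently includes several sensitive ports.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0web", "GroupName": "web-tier",
     "IpPermissions": [_rule("tcp", 443, 443, v4=["0.0.0.0/0"], v6=["::/0"])]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion",
     "IpPermissions": [_rule("tcp", 22, 22, v4=["0.0.0.0/0"])]},
    {"GroupId": "sg-0db", "GroupName": "db-tier",
     "IpPermissions": [_rule("tcp", 3306, 3306, groups=["sg-0app"])]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy-all-open",
     "IpPermissions": [_rule("-1", v6=["::/0"])]},
    {"GroupId": "sg-0wide", "GroupName": "wide-tcp-range",
     "IpPermissions": [_rule("tcp", 1024, 65535, v4=["0.0.0.0/0"])]},
]}

if __name__ == "__main__":
    for f in check_security_groups(SAMPLE):
        print(f["GroupId"], f["GroupName"], f["sources"], f["exposed"])
```

The wide-range group is the case worth remembering: a rule that opens 1024-65535 "for ephemeral ports" never names 3306 or 3389, yet covers both, so the check has to compare port ranges rather than look for exact matches.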
AWS Security Services
AWS provides a comprehensive suite of security services that complement the infrastructure security:
Threat Detection & Monitoring
- Amazon GuardDuty – Intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior. Features Extended Threat Detection (2024) using AI/ML to identify attack sequences.
- AWS Security Hub – Centralized security posture management with near real-time risk analytics (GA Dec 2025). Unifies GuardDuty, Inspector, Macie, and IAM Access Analyzer findings. Extended plan (2026) offers full-stack enterprise security.
- Amazon Detective – Analyzes and visualizes security data to investigate potential security issues and identify root cause.
- AWS CloudTrail – Records API calls and account activity for governance, compliance, operational auditing, and risk auditing.
Identity & Access Management
- AWS IAM – Manage access to AWS services and resources securely with users, groups, roles, and policies.
- AWS IAM Identity Center (formerly AWS SSO) – Centrally manage workforce access to multiple AWS accounts and applications.
- IAM Access Analyzer – Identifies external access, internal access, and unused access to your resources. Generates least-privilege policies based on CloudTrail activity.
Data Protection
- AWS KMS – Create and manage encryption keys for data encryption across AWS services.
- AWS CloudHSM – Hardware security modules for regulatory compliance requirements.
- Amazon Macie – Uses machine learning to discover and protect sensitive data in S3.
- AWS Certificate Manager (ACM) – Provision, manage, and deploy public and private SSL/TLS certificates.
Network & Application Protection
- AWS WAF – Web application firewall to protect against common web exploits with Anti-DDoS Managed Rule Group.
- AWS Shield – Standard (free) and Advanced DDoS protection.
- AWS Network Firewall – Managed network firewall for VPC traffic filtering.
- AWS Firewall Manager – Centrally configure and manage firewall rules across accounts.
Compliance & Governance
- AWS Artifact – On-demand access to AWS compliance reports (SOC, ISO, PCI, etc.).
- AWS Config – Assess, audit, and evaluate configurations of AWS resources.
- AWS Audit Manager – Continuously audit AWS usage to simplify risk and compliance assessment.
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day, and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
- Open to further feedback, discussion and correction.
- In the shared security model, AWS is responsible for which of the following security best practices (check all that apply) :
- Penetration testing
- Operating system account security management (User responsibility)
- Threat modeling
- User group access management (User responsibility)
- Static code analysis (AWS development cycle responsibility)
- You are running a web-application on AWS consisting of the following components an Elastic Load Balancer (ELB) an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational DataBase Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?
- Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access (User responsibility)
- Protect against IP spoofing or packet sniffing
- Assure all communication between EC2 instances and ELB is encrypted (User responsibility)
- Install latest security patches on ELB, RDS and EC2 instances (User responsibility for EC2 OS patches; AWS responsibility for ELB and RDS platform patches)
- In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
- Controlling physical access to compute resources (AWS responsibility)
- Patch management on the EC2 instances operating system
- Encryption of EBS (Elastic Block Storage) volumes
- Life-cycle management of IAM credentials
- Decommissioning storage devices (AWS responsibility)
- Security Group and ACL (Access Control List) settings
- Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:
- May be performed by AWS, and will be performed by AWS upon customer request.
- May be performed by AWS, and is periodically performed by AWS.
- Are expressly prohibited under all circumstances.
- May be performed by the customer on their own instances without prior authorization from AWS.
- May be performed by the customer on their own instances, only if performed from EC2 instances
Note: AWS updated their penetration testing policy — prior approval is no longer required for permitted services including EC2, RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, and Elastic Beanstalk. DoS/DDoS testing still requires approval.
- Which is an operational process performed by AWS for data security?
- AES-256 encryption of data stored on any shared storage device (User responsibility)
- Decommissioning of storage devices using industry-standard practices
- Background virus scans of EBS volumes and EBS snapshots (No virus scan is performed by AWS on User instances)
- Replication of data across multiple AWS Regions (AWS does not replicate data across regions unless done by User)
- Secure wiping of EBS data when an EBS volume is unmounted (data is not wiped off on EBS volume when unmounted and it can be remounted on other EC2 instance)
- Which AWS service provides on-demand access to AWS compliance reports such as SOC and ISO certifications?
- AWS Trusted Advisor
- AWS Config
- AWS Artifact
- Amazon Inspector
- Which of the following is a key security feature of the AWS Nitro System? (Select TWO)
- No administrative access to customer data is possible
- Automatic patching of customer operating systems
- Hardware-enforced isolation between instances
- Automatic encryption of all EBS volumes
- Built-in antivirus protection
- A company wants to centrally view and manage security findings across multiple AWS accounts. Which service should they use?
- Amazon GuardDuty
- AWS Security Hub
- AWS CloudTrail
- Amazon Detective
- Which AWS service provides intelligent threat detection by continuously monitoring for malicious activity using AI/ML?
- AWS WAF
- AWS Shield
- Amazon GuardDuty
- AWS Config
- Under the Shared Responsibility Model, for Amazon RDS, which of the following is the customer’s responsibility? (Select TWO)
- Patching the database engine (AWS responsibility for managed services)
- Managing database user accounts and permissions
- Physical security of the underlying hardware (AWS responsibility)
- Configuring Security Groups to control network access
- Replacing failed storage hardware (AWS responsibility)