Security in AWS is not one service you enable. It is a set of specialized services, each covering a different part of the attack surface: encryption keys, API audit trails, threat detection, DDoS absorption, web request filtering, vulnerability scanning, and data classification. Knowing which service does what is exactly what the SAA-C03 exam tests: a scenario describes a security problem and expects you to pick the tool that addresses it. KMS manages encryption keys. CloudTrail records who called which API. GuardDuty detects active threats by analyzing logs with machine learning and threat intelligence. Shield absorbs DDoS attacks. WAF filters malicious web requests. Inspector finds software vulnerabilities. Macie finds sensitive data in S3.
AWS Key Management Service (KMS) creates, stores, and controls the cryptographic keys used to encrypt data across AWS services. When you encrypt an S3 object, an EBS volume, a Secrets Manager secret, or a DynamoDB table, KMS is the service holding the key. KMS keys never leave KMS unencrypted, and KMS never encrypts bulk data itself: AWS uses envelope encryption. KMS generates a data key and returns it in two forms, plaintext and encrypted under your KMS key. You encrypt your data locally with the plaintext data key, discard that plaintext, and store the encrypted data key alongside the ciphertext. To decrypt, you send only the small encrypted data key back to KMS, which returns the plaintext data key if the caller is authorized by the key policy. The data itself never travels to KMS, and a leaked ciphertext is useless without a KMS Decrypt call, which is itself recorded in CloudTrail.
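The envelope encryption round trip described above, as an added example that is not part of the original page. `FakeKms` is a constructed stand-in that keeps the KMS keys inside itself and mirrors the call shapes of boto3's `kms.generate_data_key` and `kms.decrypt`, so `boto3.client("kms")` can replace it; the local cipher is a toy encrypt-then-MAC construction from the standard library (HMAC-SHA256 in counter mode) so the example runs offline, where a real client would use AES-GCM with the data key.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher built only from the standard library so this runs offline:
# HMAC-SHA256 in counter mode as the keystream, encrypt-then-MAC for integrity.
# With a real data key you would use AES-GCM (e.g. the cryptography package) instead.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext or wrapped data key was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class FakeKms:
    """Constructed stand-in for KMS (assumption, not the real service). The KMS keys
    never leave this object; only data keys do. Method names and argument names follow
    boto3 so boto3.client("kms") can be dropped in for the real thing."""
    def __init__(self):
        self._kms_keys = {}

    def create_key(self):
        key_id = "fake-" + secrets.token_hex(8)      # real KMS returns a UUID and an ARN
        self._kms_keys[key_id] = secrets.token_bytes(32)
        return {"KeyMetadata": {"KeyId": key_id}}

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        data_key = secrets.token_bytes(32)           # KeySpec AES_256 -> 32-byte data key
        # The blob carries the key id, which is why the real kms.decrypt needs no
        # KeyId argument for symmetric keys.
        wrapped = KeyId.encode() + b"\x00" + seal(self._kms_keys[KeyId], data_key)
        return {"KeyId": KeyId, "Plaintext": data_key, "CiphertextBlob": wrapped}

    def decrypt(self, CiphertextBlob):
        key_id, wrapped = CiphertextBlob.split(b"\x00", 1)
        key_id = key_id.decode()
        return {"KeyId": key_id, "Plaintext": unseal(self._kms_keys[key_id], wrapped)}

def envelope_encrypt(kms, key_id, plaintext):
    """One GenerateDataKey call per object. The plaintext data key is used once and
    dropped; only the wrapped copy is stored next to the ciphertext."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    return {"wrapped_data_key": dk["CiphertextBlob"],
            "ciphertext": seal(dk["Plaintext"], plaintext)}

def envelope_decrypt(kms, record):
    """Only the wrapped data key goes back to KMS; the bulk data never does."""
    data_key = kms.decrypt(CiphertextBlob=record["wrapped_data_key"])["Plaintext"]
    return unseal(data_key, record["ciphertext"])

if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    record = envelope_encrypt(kms, key_id, b"card=4111111111111111")
    print(record["wrapped_data_key"][:20], "...", envelope_decrypt(kms, record))
```

The record that reaches S3 or a database contains the wrapped data key and the ciphertext, never the KMS key or the plaintext data key; that is the property the exam is asking about when it describes envelope encryption.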
Key types matter for the exam. AWS managed keys are created and managed by AWS for use with a specific service (their aliases start with aws/, such as aws/s3). You cannot change their key policy, manage their rotation, or delete them. Customer managed keys (called CMKs in older material) give you full control: you write the key policy, define who can administer the key and who can use it, enable automatic rotation (yearly by default), and can disable the key or schedule its deletion with a 7 to 30 day waiting period. The key policy is the primary access control for a KMS key; an IAM policy alone cannot grant access to a key unless the key policy delegates that decision to IAM. AWS owned keys belong to AWS, are shared across many customer accounts, and you have no visibility into or control over them.
Secrets Manager stores and automatically rotates credentials such as database passwords, API keys, and OAuth tokens. It has built-in rotation for RDS, Redshift, and DocumentDB credentials, and custom rotation for anything else through a Lambda function you supply; applications that fetch the secret at connection time pick up the new value without a restart. Parameter Store in Systems Manager is a lower-cost alternative for configuration values, with a SecureString type that encrypts values with KMS, but it has no built-in rotation. If the scenario mentions rotating a credential, the answer is Secrets Manager.
CloudTrail records the API calls made in your AWS account: who called what, from which IP address, with which parameters, and what the response elements were. This is the audit trail for security investigations and compliance. Management events (control-plane calls such as launching an instance or changing an IAM policy) are logged by default; data events (S3 object-level operations, Lambda invocations, DynamoDB item access) are high-volume and must be enabled explicitly on a trail. A trail delivers logs to S3 for long-term retention and optionally to CloudWatch Logs for real-time alerting. Without a trail, the console's event history keeps only the last 90 days of management events, so an incident older than that, or one involving data events, leaves no record.
GuardDuty analyzes CloudTrail management events, S3 data events, VPC Flow Logs, and Route 53 DNS query logs using machine learning, anomaly detection, and threat intelligence feeds for signs of malicious activity: unusual API calls from unexpected locations, resources communicating with known malicious IP addresses, cryptocurrency mining, or compromised credentials. It reads these sources directly, so you do not have to enable VPC Flow Logs or a CloudTrail trail yourself for GuardDuty to use them. GuardDuty is threat detection, not prevention: it generates findings that you investigate and respond to, and it does not block traffic on its own.
Shield protects against DDoS attacks. Shield Standard is enabled automatically for every AWS customer at no charge and mitigates common volumetric and protocol attacks at Layers 3 and 4. Shield Advanced is a paid subscription that adds protection for larger and more sophisticated attacks on protected resources (EC2, Elastic Load Balancing, CloudFront, Global Accelerator, Route 53), 24/7 access to the Shield Response Team (SRT, called the DDoS Response Team or DRT in older material), cost protection for scaling charges incurred during an attack, and enhanced attack visibility. WAF (Web Application Firewall) filters HTTP(S) requests at Layer 7 using rules you define or AWS managed rule groups: block requests from specific IP ranges or countries, rate-limit a source, or reject requests matching SQL injection or cross-site scripting patterns. WAF attaches to an Application Load Balancer, API Gateway, CloudFront, AppSync, or a Cognito user pool.
- KMS: encryption key creation and management. Envelope encryption: a data key encrypts the data, the KMS key encrypts the data key.
- CloudTrail: API audit log. Who called what, when, from where. Management events by default, data events on request. Required for security investigations and compliance.
- GuardDuty: threat detection from CloudTrail, VPC Flow Logs, DNS logs, S3 data events, using ML and threat intelligence. Findings only, no blocking.
- Shield Standard: automatic, free, Layer 3/4 DDoS protection. Shield Advanced: paid, larger and more sophisticated attacks, SRT (formerly DRT) access, cost protection.
- WAF: HTTP request filtering at ALB, API Gateway, CloudFront, AppSync. Rules for IPs, geo-blocking, rate limiting, OWASP-style injection patterns.
- Inspector: automated vulnerability assessment for EC2 instances, container images in ECR, and Lambda functions, scored by CVE severity and network reachability.
- Macie: uses ML and pattern matching to discover and classify sensitive data (PII, credentials) in S3 buckets.
- Security Hub: aggregates findings from GuardDuty, Inspector, Macie, and other services into a single dashboard and runs compliance checks against security standards.
| Service | What it protects | How it works |
|---|---|---|
| KMS | Data at rest across AWS services | Manages encryption keys, envelope encryption |
| CloudTrail | API audit trail | Logs all API calls to S3 and/or CloudWatch Logs |
| GuardDuty | Account and workload threats | ML analysis of CloudTrail, VPC Flow Logs, DNS logs |
| Shield Standard | All resources (free) | Automatic Layer 3/4 DDoS mitigation |
| Shield Advanced | Protected resources (paid) | Enhanced DDoS protection, SRT (formerly DRT) access, cost protection |
| WAF | HTTP/HTTPS endpoints | Rule-based filtering of web requests at Layer 7 |
| Inspector | EC2 instances, ECR images, Lambda functions | Automated CVE vulnerability scanning |
| Macie | S3 buckets | ML-based sensitive data discovery and classification |
Misconception: "GuardDuty blocks malicious traffic automatically when it detects a threat."
GuardDuty is a detection service, not a prevention service. It generates findings (alerts) describing suspicious activity but does not block anything on its own. Automated remediation requires an EventBridge rule matching the "GuardDuty Finding" detail type that triggers a Lambda function, a Step Functions workflow, or a Security Hub automation, and the remediation logic (isolating an instance, deactivating an access key) is something you write.
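A remediation Lambda handler of the kind the paragraph above describes, as an added example that is not part of the original page. It consumes the EventBridge envelope that carries a GuardDuty finding (`source` aws.guardduty, `detail-type` "GuardDuty Finding", the finding under `detail`), decides on an action from the finding type, severity, and affected resource, and only then calls the real boto3 methods `ec2.modify_instance_attribute` and `iam.update_access_key`. The quarantine security group id, the finding samples, and the `DryRunClient` are constructed for the example; the clients are injected so the decision logic runs and is testable offline.

```python
# Assumed identifier for this example: a security group with no inbound or outbound
# rules, pre-created in the VPC so an instance can be cut off without terminating it.
QUARANTINE_SG = "sg-0123456789quarantine"

# Threat purposes (the part of the finding type before the colon) for which isolating
# an EC2 instance is a reasonable first response.
ISOLATE_PURPOSES = {"CryptoCurrency", "Backdoor", "Trojan", "Impact"}

def plan_remediation(event):
    """Decide what to do with one EventBridge event; returns actions, runs nothing."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return [{"action": "ignore", "reason": "not a GuardDuty finding"}]
    finding = event["detail"]
    ftype = finding.get("type", "")
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType")
    if finding.get("service", {}).get("archived"):
        return [{"action": "ignore", "reason": "finding already archived"}]
    if severity < 4:                                   # GuardDuty: 1-3.9 low, 4-6.9 medium, 7+ high
        return [{"action": "notify", "reason": f"low severity {severity}: {ftype}"}]
    actions = []
    if rtype == "Instance" and ftype.split(":")[0] in ISOLATE_PURPOSES:
        actions.append({"action": "isolate_instance",
                        "instance_id": resource["instanceDetails"]["instanceId"]})
    elif rtype == "AccessKey":
        key = resource.get("accessKeyDetails", {})
        if key.get("userType") == "IAMUser":
            actions.append({"action": "deactivate_access_key",
                            "user_name": key["userName"], "access_key_id": key["accessKeyId"]})
        else:
            # Role session credentials (userType AssumedRole) have no per-key off switch;
            # the fix is a deny policy on the role for sessions issued before now, which
            # is left to a human here because it affects every workload using the role.
            actions.append({"action": "manual_review",
                            "reason": f"{key.get('userType')} credentials: revoke role sessions"})
    if not actions:
        actions.append({"action": "manual_review", "reason": f"no playbook for {ftype} on {rtype}"})
    return actions

def handler(event, context=None, ec2=None, iam=None):
    """Lambda entry point. In Lambda pass boto3.client("ec2") and boto3.client("iam")."""
    actions = plan_remediation(event)
    for a in actions:
        if a["action"] == "isolate_instance" and ec2 is not None:
            ec2.modify_instance_attribute(InstanceId=a["instance_id"], Groups=[QUARANTINE_SG])
        elif a["action"] == "deactivate_access_key" and iam is not None:
            iam.update_access_key(UserName=a["user_name"], AccessKeyId=a["access_key_id"],
                                  Status="Inactive")
    return actions

class DryRunClient:
    """Records the boto3-style calls the handler would make (for local dry runs)."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))
    def update_access_key(self, **kwargs):
        self.calls.append(("update_access_key", kwargs))

def _event(finding):
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": "111122223333", "region": "us-east-1", "detail": finding}

# Constructed findings, trimmed to the fields the handler reads.
SAMPLE_EVENTS = {
    "mining": _event({"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
                      "resource": {"resourceType": "Instance",
                                   "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
                      "service": {"archived": False}}),
    "stolen_key": _event({"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "severity": 5,
                          "resource": {"resourceType": "AccessKey",
                                       "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                                            "userName": "alice", "userType": "IAMUser"}},
                          "service": {"archived": False}}),
    "role_creds": _event({"type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
                          "severity": 8,
                          "resource": {"resourceType": "AccessKey",
                                       "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLEEXAMPLE1",
                                                            "userName": "web-role", "userType": "AssumedRole"}},
                          "service": {"archived": False}}),
    "port_probe": _event({"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
                          "resource": {"resourceType": "Instance",
                                       "instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
                          "service": {"archived": False}}),
}

if __name__ == "__main__":
    ec2, iam = DryRunClient(), DryRunClient()
    for name, ev in SAMPLE_EVENTS.items():
        print(name, handler(ev, ec2=ec2, iam=iam))
    print(ec2.calls, iam.calls)
```

Isolating rather than terminating preserves the instance for forensics, and deactivating rather than deleting the key keeps the `AccessKeyId` resolvable in CloudTrail while you investigate.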
Misconception: "Enabling CloudTrail alone is sufficient for security monitoring."
CloudTrail records API calls but does not analyze them for suspicious patterns. You need GuardDuty to analyze the activity for threats, CloudWatch metric filters and alarms or CloudTrail Insights to catch anomalous API call volumes, and Security Hub to aggregate findings. CloudTrail is the data source, not the detection layer.
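What the detection layer on top of CloudTrail actually has to do, as an added example that is not part of the original page: a few rules run over CloudTrail records (the objects inside the "Records" array of a delivered log file), flagging trail tampering, a root console login without MFA, an AdministratorAccess policy attachment, a burst of AccessDenied errors from one principal, and calls from outside an assumed corporate egress range. The records and the trusted CIDR are constructed for the example; the field names are CloudTrail's.

```python
import ipaddress
from collections import Counter

# Assumption for this example: the organization's egress range. Anything else is flagged.
TRUSTED_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
POLICY_ATTACH = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

def _principal(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")

def _source_is_trusted(source_ip):
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True    # AWS service principals log a DNS name such as "lambda.amazonaws.com"
    return any(addr in net for net in TRUSTED_CIDRS)

def _finding(rule, severity, event, **extra):
    return {"rule": rule, "severity": severity, "principal": _principal(event),
            "eventName": event.get("eventName"), "eventTime": event.get("eventTime"), **extra}

def scan_records(records, denied_threshold=3):
    """Run the detections over CloudTrail records and return a list of findings."""
    findings, denied = [], Counter()
    for ev in records:
        name, source = ev.get("eventName"), ev.get("eventSource")
        ident = ev.get("userIdentity", {})
        params = ev.get("requestParameters") or {}          # CloudTrail emits null, not {}
        extra = ev.get("additionalEventData") or {}
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(_finding("trail_tampering", "high", ev, trail=params.get("name")))
        if name == "ConsoleLogin" and ident.get("type") == "Root" and extra.get("MFAUsed") == "No":
            findings.append(_finding("root_login_without_mfa", "high", ev))
        policy_arn = params.get("policyArn", "")
        if name in POLICY_ATTACH and policy_arn.endswith(":policy/AdministratorAccess"):
            findings.append(_finding("admin_policy_attached", "high", ev, policyArn=policy_arn))
        if not _source_is_trusted(ev.get("sourceIPAddress", "")):
            findings.append(_finding("untrusted_source_ip", "medium", ev,
                                     sourceIPAddress=ev.get("sourceIPAddress")))
        if ev.get("errorCode") in DENIED_CODES:
            denied[_principal(ev)] += 1
    for principal, count in denied.items():               # enumeration / permission probing
        if count >= denied_threshold:
            findings.append({"rule": "access_denied_burst", "severity": "medium",
                             "principal": principal, "count": count})
    return findings

# Constructed records in CloudTrail's field layout, trimmed to what the rules read.
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}
_BOB_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T02:11:08Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T02:14:30Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.10", "userIdentity": _ALICE, "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T02:15:02Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "198.51.100.10", "userIdentity": _ALICE,
     "requestParameters": {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T02:40:11Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.10", "userIdentity": _ALICE, "requestParameters": None},
    {"eventTime": "2024-05-01T02:41:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkInterface",
     "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
] + [
    {"eventTime": f"2024-05-01T02:3{i}:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.10", "userIdentity": _BOB_ROLE, "errorCode": "Client.UnauthorizedOperation"}
    for i in range(3)
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f)
```

GuardDuty, CloudWatch metric filters, and CloudTrail Insights each cover part of this logic with far better baselines; the point is that none of it exists until something other than CloudTrail reads the log.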
Misconception: "AWS WAF and Shield protect against the same threats."
Shield protects against DDoS attacks: volumetric floods, protocol attacks, and resource exhaustion at the network and transport layers. WAF protects against application-layer attacks: SQL injection, XSS, bad bots, and malicious HTTP patterns, and its rate-based rules are also what handles an HTTP request flood. Shield Advanced pairs with WAF for exactly that reason. Most production deployments use both, because they address different threat vectors.