Domain 1 of 4 · Chapter 2 of 3

Secure Workloads and Applications

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Solutions Architect – Associate premium course — no separate purchase.

Included in this chapter:

  • WAF rule groups: managed vs custom, rate-based vs IP-set
  • Shield Advanced cost protection: when the $3 000/mo pays for itself
  • Security Group composition patterns: hub-and-spoke, mesh, transit
  • Network ACL ephemeral-port pitfalls + worked examples
  • Secrets Manager rotation Lambda: the 4-step contract + cross-account templates
  • VPC Endpoint policies: restricting which actions are allowed through an endpoint

Layered defenses compared

LayerScopeStateful?Allow / DenyBest for
WAFL7 HTTP/HTTPS in front of CloudFront / ALB / API GatewayManaged + custom rulesSQL injection, XSS, bad bots, geo-block, rate-based
Shield StandardNetwork-edge L3/L4 (CloudFront, Route 53, GA)Auto-protectCommon volumetric DDoS: free and on
Shield AdvancedSame + EIPs + ALB + custom resourcesShield Response Team (SRT)$3 000/mo; large-scale DDoS + cost protection
Security GroupENI (per-instance)StatefulAllow onlyPer-instance allow-list; return traffic auto-allowed
Network ACLSubnetStatelessAllow + DenySubnet-wide deny-list; needs explicit ephemeral-port rules
GuardDutyAccount-wide threat detectionFindings onlyAnomaly detection from VPC Flow Logs, CloudTrail, DNS
InspectorEC2 + ECR + Lambda vulnerability scanFindings onlySoftware vulnerabilities, network reachability
MacieS3 sensitive-data discoveryFindings onlyPII / PHI / financial detection across S3

Decision tree

What's the threat?Web app attackDDoSNetwork accessAWS WAF(L7: SQLi, XSS, bots)Large-scale + cost concern?Per-instance or subnet?YesNoPer-instanceSubnetShield Advanced($3 000/mo + SRT)Shield Standard(free, auto on)Security Group(stateful)Network ACL(stateless + deny)Always: enable GuardDuty + Security Hub for cross-account threat aggregation

Cheat sheet

  • Layer your security controls so one misconfig isn't game over
  • Keep in-VPC traffic to AWS services off the internet with VPC endpoints
  • Security groups are stateful; NACLs are stateless
  • Need credentials that rotate? Use Secrets Manager, not static secrets
  • WAF only attaches to CloudFront, ALB, API Gateway, and AppSync
  • Shield Advanced costs $3,000/month per payer account, not per linked account
  • Secrets Manager rotation runs on a configurable cron/rate schedule
  • GuardDuty detects and Security Hub aggregates, but neither remediates
  • Static config goes in Parameter Store; auto-rotating credentials go in Secrets Manager
  • Auto-remediate GuardDuty findings with EventBridge → Lambda
  • Inspector continuously scans EC2, ECR, and Lambda for you automatically
  • For VPC-level traffic inspection across subnets, use AWS Network Firewall
  • Need zero auth failures during rotation? Use the alternating-users strategy
  • For OWASP Top 10 coverage with no maintenance, use AWS Managed Rules
  • Throttle HTTP floods per source IP with WAF rate-based rules
  • For tier-to-tier traffic, reference a security group ID as the source instead of a CIDR
  • WAF evaluates the lowest priority number first, and Allow and Block are terminating
  • To exclude specific traffic from a managed rule group, use a scope-down statement
  • Custom NACLs deny everything until you add allows, and rule number sets precedence
  • Lock S3 access to one VPC endpoint with a bucket policy using aws:SourceVpce

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Security groups for your VPC
  2. Network ACLs
  3. AWS WAF Developer Guide
  4. AWS Shield overview (Standard + Advanced)
  5. AWS Shield pricing
  6. Gateway endpoints (S3, DynamoDB)
  7. What is AWS PrivateLink
  8. AWS Secrets Manager User Guide
  9. Rotate AWS Secrets Manager secrets
  10. AWS KMS Developer Guide
  11. Managed rotation for AWS Secrets Manager secrets
  12. AWS Systems Manager Parameter Store
  13. How AWS WAF works
  14. Shield Response Team (SRT) support
  15. Schedule automatic rotation
  16. Rotation strategies (4-step Lambda contract)
  17. What is Amazon GuardDuty
  18. What is AWS Security Hub
  19. What is Amazon Inspector
  20. What is Amazon Macie
  21. What is Amazon EventBridge
  22. AWS Secrets Manager pricing
  23. GuardDuty findings via EventBridge
  24. What is AWS Network Firewall
  25. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
  26. AWS WAF rule types