Compute Security
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.
Included in this chapter:
- Harden the image so every instance is born compliant
- Authorize workloads with roles, never embedded keys
- Find vulnerabilities continuously, patch on a baseline
- Keyless admin access and pipeline + GenAI guardrails
Compute security controls by purpose
| Need | Image Builder | Inspector | Patch Manager | Session Manager | GuardDuty Runtime | Bedrock Guardrails |
|---|---|---|---|---|---|---|
| When it acts | Build time | Continuous post-deploy | Scheduled window | On admin connect | Live runtime | Per model request |
| Targets | AMIs + container images | EC2 / ECR / Lambda | EC2 + on-prem managed nodes | EC2 + managed nodes | EC2 / ECS / EKS | Bedrock FM calls |
| Primary job | Bake hardened baseline | Find CVEs (SBOM-based) | Apply patches to baseline | Logged keyless shell | Detect runtime threats | Filter unsafe input/output |
| Finds vs fixes | Prevents drift | Finds | Fixes | Access path | Detects | Blocks |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- What is EC2 Image Builder?
- Amazon managed STIG hardening components for Image Builder
- Use an IAM role to grant permissions to applications running on Amazon EC2 instances
- Use the Instance Metadata Service to access instance metadata (IMDSv2)
- What is AWS Identity and Access Management Roles Anywhere?
- What is Amazon Inspector?
- Export SBOMs with Amazon Inspector
- GuardDuty Runtime Monitoring
- AWS Systems Manager Patch Manager
- AWS Systems Manager Session Manager
- Connect to a Linux instance using EC2 Instance Connect
- Amazon CodeGuru
- Amazon Q Developer security scans
- OWASP Top 10 for LLM Applications Whitepaper
- Amazon Bedrock Guardrails