Introduction to AWS Security
-
Introduction
About the course and authors -
AWS cloud architecture
-
Security concerns with our architecture
-
Regions and Availability Zones (AZs)
-
Shared responsibility in the cloud
-
[Cheat Sheet] AWS Security Services
-
Create a billing alert to avoid surprise bills
-
Infrastructure SecurityVPC networks
-
Default VPCs
-
[DEMO] Creating VPCs and Subnets
-
How many VPCs should you use?
-
[DEMO] Subnet, Route Table, and Gateway Configurations
-
[LAB] [Challenge] Create a VPC with public and private subnets
-
[LAB] Launching an EC2 instance
-
[DEMO] Security Groups (SGs)
-
Security Groups Best Practices
-
[DEMO] Network Access Control Lists (NACLs)
-
[Cheat Sheet] SGs vs. NACLs
-
[LAB] [Challenge] Configure security groups and NACLs to specific requirements
-
Elastic Load Balancers
-
[DEMO] AWS WAF
-
[LAB] [Challenge] Deploy AWS WAF ACL for Application Load Balancer
-
[DEMO] AWS Network Firewall - Part 1
-
[DEMO] AWS Network Firewall - Part 2
-
AWS Shield for DDoS Protection
-
[LAB] Reduce AWS attack surface with port scanning and Security Groups
-
AWS Firewall Manager
-
Identity and Access Management (IAM)Key Concepts of IAM in AWS
-
[DEMO] Getting started with IAM in AWS
-
[DEMO] Creating our first admin user
-
Assigning permissions with policies
-
[Cheat Sheet] Anatomy of an AWS IAM Policy
-
[DEMO] Using Identity Center AWS SSO
-
IAM Roles
-
[DEMO] Creating a role for EC2 instances to access S3 buckets
-
End-User Management with Amazon Cognito
-
IAM Access Analyzer
-
[DEMO] IAM Access Analyzer Unused Access
-
[LAB] Check policies for new access before deployment with IAM Access Analyzer
-
[LAB] Check IAM policies against a deny list with IAM Access Analyzer
-
[LAB] IAM Credentials Report
-
Data ProtectionData protection in the cloud
-
EBS Data Protection and Encryption
-
[LAB] Encrypt Existing Unencrypted EBS Volumes and Snapshots
-
Amazon RDS Data Protection and Encryption
-
Key Management with AWS KMS
-
[Cheat Sheet] Getting Started with AWS KMS
-
[DEMO] Creating a Symmetric Encryption KMS Key
-
[Cheat Sheet] Encrypt and Decrypt Data with KMS and Data Keys
-
[LAB] Encrypt and Decrypt Data with KMS and Data Keys
-
Amazon S3 Bucket ProtectionUnderstanding Bucket Ownership
-
[LAB] Creating Buckets and Uploading Objects in S3
-
Managing Access to Buckets
-
[Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies
-
[LAB] [Challenge] Create an IAM role for secure access to S3 based on a scenario
-
Using Signed URLs
-
[LAB] S3 Presigned URLs
-
Encrypting S3 Data
-
[DEMO] Enable S3 Object Versioning
-
[Cheat Sheet] Amazon S3 Protection Summary
-
[Cheat Sheet] Create a least privilege S3 bucket policy
-
AWS Log Types and Auditing Options
-
Logging, Monitoring, and Incident Response[DEMO] Enable S3 Server Access Logs
-
AWS CloudTrail
-
Amazon CloudWatch
-
[DEMO] CloudTrail Security Automation with CloudWatch Logs and SNS
-
[LAB] Amazon VPC Flow Logs
-
Proper Logging and Monitoring
-
Amazon GuardDuty
-
[LAB] [DEMO] Enable Threat Detection with GuardDuty
-
[DEMO] Amazon EventBridge
-
AWS Config
-
AWS Systems Manager
-
[LAB] Secure EC2 Access with SSM Session Manager and KMS
-
[DEMO] AWS Config Automated Remediation with SSM
-
[LAB] Automated S3 Remediation to Enforce Block Public Access
-
[LAB] Remediate Open SSH Security Groups with AWS Config and SSM
-
Amazon Detective
-
[DEMO] Amazon Inspector
-
[LAB] Find vulnerable Lambda Functions with Amazon Inspector
-
About Amazon Macie
-
[DEMO] Deploying Amazon Macie
-
[DEMO] AWS Security Hub CSPM
-
[DEMO] Must-have AWS monitoring and alerting with SSK
-
[DEMO] AWS Organizations
-
Multi-Account Security[DEMO] Centrally managing root access
-
[DEMO] AWS SCPs and Management Policies
-
[DEMO] Resource Control Policies (RCPs)
-
AWS Control Tower
-
[DEMO] Using RAM to share resources across accounts
-
About IaC
-
Infrastructure as Code (IaC)[DEMO] Deploying resources with CloudFormation
-
[DEMO] Deploying a Lambda function with CloudFormation
-
[DEMO] Multi-account and multi-region deployments
-
[DEMO] Detecting drift
-
[LAB] CloudFormation Guard
-
[DEMO] Using AWS Service Catalog - Part 1
-
[DEMO] Using AWS Service Catalog - Part 2
-
[DEMO] Getting started with the Cloud Development Kit (CDK)
-
[DEMO] Deploying a project with the CDK
-
Wrap-up and Key TakeawaysWhat next?
Access the interactive diagram for this lesson here. (It may ask you to create a free account in order to view. You do not need paid features to view this course’s content so you can ignore that!)
Let’s take a look at what a typical AWS cloud architecture would look like.
Here we have the AWS cloud represented as a rectangle. Think of this as the space where we can launch AWS resources from within our own AWS accounts.

The main building block of AWS is called the Virtual Private Cloud, or VPC, which we’ll show as this big green rectangle in our diagram.

When you first create an AWS account and log in, AWS creates what’s called a “Default VPC” on your behalf. They do this to make it easier for everyone to create resources without having to spend a lot of time and effort into creating their own custom VPCs.
However, Default VPCs have very limited uses and most users will quickly grow out of them, which is why it’s important to understand how VPC networks work, and that’s going to be our first technical topic that we cover in this course.
Within a VPC, we can launch all kinds of resources. Not all AWS resources get launched in VPCs as we’ll see shortly, but many do.
For example, if we want to launch a cloud instance, known as an EC2 instance, we would launch that instance within our VPC.
However, to be able to do that, we first have to create sub networks, or subnets, within our VPC.



These subnets are multi-purpose, but overall, they help create logical network segmentation — this is similar to if you were to take network switches and create multiple separate networks with those switches. Segmentation like this is super helpful for a number of reasons:
- They provide a level of security — we can place private resources in private subnets that can’t be accessed from the open Internet, and completely control what traffic is allowed to flow in and out of these private subnets
- They help organize resources — by creating multiple different subnets, we can designate subnets to have specific purposes. For example, we could have a subnet dedicated to hosting databases, another subnet dedicated to hosting application servers, and another for web servers
There can also be resources that we can launch within our VPCs but that don’t need to be within one specific subnet, such as Amazon EFS which provides shared storage, Amazon ElastiCache which provides caching for applications, or even something like an Elastic Load Balancer, or ELB, which distributes traffic and load between instances.


Then, we can also create resources that don’t reside within a VPC, but that still live within the AWS cloud.
For example, we may need to have a storage service like Amazon S3 to store static files and backups.
We may need a Content Distribution Network, or CDN, such as Amazon CloudFront to sit in front of our web applications.
We may also want to deploy firewalls in front of our VPC and instances, such as the AWS WAF, or Web Application Firewall, and a DDoS protection service called AWS Shield.

Finally, we need a way of routing requests to and from the open Internet, which means we may want to use Amazon Route 53, which is their DNS service.

I’m sure this seems like a lot, especially if you’re new to AWS, but don’t let it overwhelm you. The reason we are starting out by showing a diagram and architecture like this is because this course is going to cover security aspects that cover each and every one of these layers, but we’re going to take it one step at a time.
By the time we are done with this course, you’ll be able to come back to this diagram and not only understand what’s going on, but also how to look at this from a security perspective, and how to apply it to your own architecture and environments.
Speaking of, let’s complete this lesson, and let’s move on to the next where we’ll talk about security concerns with this architecture.
Really helpful diagram !
Awesome, glad it helped and thank you for the feedback!
The diagram is simply brilliant for understanding.
Awesome!! I’m glad the diagram helps, thank you for letting me know
I am transitioning from Azure (EntraID) to AWS this diagram helped me to differentiate the names each platform uses:
VPC ==> VNET
EC2 ==> VM
AMAZON S3 ==> Blob Storage.
Nice! Appreciate you sharing. Feel free to do that with other services as well as you progress through the course, I’m sure it will help others in a similar situation!
nicely explained!
Thanks for the feedback!
I am from Network and Security, with foundation in cloud. This course explanation sounds good and I am very excited to learn more.