Security, Identity, and Compliance

Others

Focused AWS Solutions Architect Associate notes from the Security, Identity, and Compliance domain.

AWS Artifact

  • Definition: A self-service portal for on-demand access to AWS compliance reports and agreements.
  • Key Features:
    • Provides SOC, PCI, HIPAA, ISO reports, and agreements like BAA and NDA.
    • Accessible via AWS Management Console or API, no additional cost.
    • Supports audit preparation and compliance validation.
  • Use Cases: Obtain HIPAA report for healthcare, PCI report for retail, share with auditors.
  • Updates (2024–2025): Enhanced report formats for auditors (October 2024).
  • Cost: Free.
  • Exam Tip: Use for compliance evidence, not active security.

AWS Audit Manager

  • Definition: A service that automates evidence collection to assess AWS usage for compliance.
  • Key Features:
    • Prebuilt/custom frameworks (e.g., PCI DSS, CIS) for audits.
    • Collects evidence from Security Hub, CloudTrail, Config.
    • Generates audit-ready reports.
  • Use Cases: Automate HIPAA audit, monitor PCI compliance, assess multi-account compliance.
  • Updates (2024–2025): Improved Security Hub integration for consolidated findings (January 2025).
  • Cost: Based on resource assessments ($0.30–$2/assessment).
  • Exam Tip: Compare with Security Hub; Audit Manager focuses on compliance reporting.

AWS CloudHSM

  • Definition: A cloud-based hardware security module (HSM) for generating and managing cryptographic keys.
  • Key Features:
    • Provides dedicated HSMs for key storage and cryptographic operations.
    • Supports FIPS 140-2 Level 3 compliance.
    • Integrates with KMS, RDS, Redshift for encryption.
  • Use Cases: Secure banking apps, encrypt sensitive data, comply with FIPS standards.
  • Updates (2024–2025): Enhanced key export controls (March 2024).
  • Cost: $1.45/hour per HSM (~$1,000/month).
  • Exam Tip: Use CloudHSM for dedicated HSMs vs. KMS for managed keys.

AWS Directory Service

  • Definition: A managed service for running Microsoft Active Directory (AD) or Simple AD in the cloud.
  • Key Features:
    • AWS Managed Microsoft AD: Full AD for EC2, RDS, SSO.
    • Simple AD: Lightweight AD for smaller workloads.
    • AD Connector: Proxy to on-premises AD.
    • Integrates with IAM, SSO, and WorkSpaces.
  • Use Cases: Enable SSO for AWS apps, manage EC2 AD authentication.
  • Updates (2024–2025): Improved SSO integration with third-party apps (October 2024).
  • Cost: ~$0.04–$0.40/hour based on size.
  • Exam Tip: Choose Managed AD for enterprise, Simple AD for small setups.

AWS Firewall Manager

  • Definition: A security management service to centrally configure and manage firewall rules across AWS accounts.
  • Key Features:
    • Manages WAF rules, Shield Advanced, Network Firewall, DNS Firewall, and VPC security groups.
    • Integrates with AWS Organizations for multi-account policies.
    • Sends findings to Security Hub.
  • Use Cases: Enforce WAF rules for APIs, manage VPC security groups across accounts.
  • Updates (2024–2025): Enhanced DNS Firewall rule management (January 2025).
  • Cost: $100/month per policy + resource costs.
  • Exam Tip: Use with Organizations for centralized firewall management.

AWS Resource Access Manager (AWS RAM)

  • Definition: A service to securely share AWS resources across accounts or within an organization.
  • Key Features:
    • Shares resources like subnets, Route 53 zones, KMS keys, and Aurora clusters.
    • Uses resource-based policies for access control.
    • Integrates with AWS Organizations for simplified sharing.
  • Use Cases: Share VPC subnets with dev accounts, provide Aurora read replicas.
  • Updates (2024–2025): Improved resource tagging for shared resources (October 2024).
  • Cost: Free (resource usage costs apply).
  • Exam Tip: Use RAM for resource sharing vs. manual duplication.

AWS Security Hub

  • Definition: A centralized security service that aggregates and prioritizes security findings across AWS accounts.
  • Key Features:
    • Collects findings from GuardDuty, Inspector, Macie, Firewall Manager, and IAM Access Analyzer.
    • Supports standards like CIS, PCI DSS, AWS Foundational Security Best Practices.
    • Integrates with EventBridge, Lambda for automation.
  • Use Cases: Monitor multi-account security, automate remediation, ensure CIS compliance.
  • Updates (2024–2025): Enhanced cross-account finding aggregation (January 2025).
  • Cost: $0.001–$0.01/finding, ~$0.25/500K events.
  • Exam Tip: Central hub for security findings, not active threat mitigation.
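
The "integrates with EventBridge, Lambda for automation" bullet is the part of Security Hub most likely to show up as a design question, so here is an added example (not from these notes or from AWS) of that path: an EventBridge rule pattern that selects imported HIGH/CRITICAL findings, a minimal matcher showing how EventBridge evaluates that pattern against the `detail.findings` array, and a Lambda-style handler that turns qualifying findings into ticket records. The event is a constructed sample in AWS Security Finding Format (ASFF); the account id, finding ids and resource ids are placeholders, and the matcher implements only the subset of EventBridge pattern semantics this pattern uses.

```python
"""Triage Security Hub findings delivered through EventBridge.

Added example, not part of the original notes. Models the
Security Hub -> EventBridge -> Lambda automation path with a constructed
sample event; all ids and ARNs below are placeholders.
"""
import json
from typing import Any

# EventBridge rule pattern. "aws.securityhub" and the detail-type string
# are what Security Hub emits; the nested keys follow ASFF. Each leaf list
# is the set of allowed values for that field.
EVENT_PATTERN: dict[str, Any] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
        }
    },
}


def matches_pattern(event: dict[str, Any], pattern: dict[str, Any]) -> bool:
    """Simplified EventBridge matching: every leaf list in the pattern must
    contain the event's value at that path. Where the event holds an array
    (as detail.findings does), the array matches if ANY element matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if isinstance(actual, list):
                if not any(isinstance(i, dict) and matches_pattern(i, expected) for i in actual):
                    return False
            elif isinstance(actual, dict):
                if not matches_pattern(actual, expected):
                    return False
            else:
                return False
        elif actual not in expected:  # leaf: list of allowed literal values
            return False
    return True


def triage(event: dict[str, Any]) -> list[dict[str, str]]:
    """Lambda-style handler body: normalize qualifying findings into ticket
    records. Returns [] for events the rule would not have delivered."""
    if not matches_pattern(event, EVENT_PATTERN):
        return []
    tickets: list[dict[str, str]] = []
    for finding in event["detail"]["findings"]:
        severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
        # EventBridge delivers the WHOLE event once any array element matches,
        # so lower-severity findings in the same batch still arrive; filter again.
        if severity not in ("HIGH", "CRITICAL"):
            continue
        resources = ", ".join(r.get("Id", "?") for r in finding.get("Resources", []))
        tickets.append({
            "finding_id": finding["Id"],
            "severity": severity,
            "title": finding.get("Title", ""),
            "compliance": finding.get("Compliance", {}).get("Status", "N/A"),
            "resources": resources,
        })
    return tickets


# Constructed sample event: one MEDIUM and one HIGH finding in a single batch.
SAMPLE_EVENT: dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",   # placeholder
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "account": "111122223333",                       # placeholder account id
    "region": "us-east-1",
    "detail": {"findings": [
        {
            "Id": "arn:aws:securityhub:us-east-1:111122223333:finding/EXAMPLE-1",
            "Title": "Ensure VPC flow logging is enabled in all VPCs",
            "Severity": {"Label": "MEDIUM"},
            "Workflow": {"Status": "NEW"},
            "Compliance": {"Status": "FAILED"},
            "Resources": [{"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-EXAMPLE"}],
        },
        {
            "Id": "arn:aws:securityhub:us-east-1:111122223333:finding/EXAMPLE-2",
            "Title": "Ensure access keys are rotated every 90 days or less",
            "Severity": {"Label": "HIGH"},
            "Workflow": {"Status": "NEW"},
            "Compliance": {"Status": "FAILED"},
            "Resources": [{"Type": "AwsIamUser", "Id": "AIDAEXAMPLE"}],
        },
    ]},
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

The second filter inside `triage` is the point worth remembering: the rule matches on the array as a whole, so a batch containing one HIGH finding arrives together with its MEDIUM neighbours, and the handler must re-check severity per finding before acting.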

Comparison

Service            | Type                | Focus                         | Cost
-------------------|---------------------|-------------------------------|----------------------
Artifact           | Compliance          | Compliance reports            | Free
Audit Manager      | Compliance          | Evidence collection, audits   | $0.30–$2/assessment
CloudHSM           | Cryptography        | Dedicated HSM, key management | ~$1,000/month/HSM
Directory Service  | Identity            | Managed AD, SSO               | $0.04–$0.40/hour
Firewall Manager   | Security Management | Centralized firewall rules    | $100/month/policy
RAM                | Resource Sharing    | Cross-account resource access | Free
Security Hub       | Security Monitoring | Aggregates security findings  | ~$0.25/500K events

Study Tips

  • Hands-On: Download Artifact report, set up Audit Manager assessment, configure CloudHSM, use Managed AD, manage WAF rules with Firewall Manager, share subnet with RAM, monitor findings in Security Hub.
  • Scenarios:
    • Compliance reports = Artifact.
    • Audit evidence = Audit Manager.
    • Dedicated HSM = CloudHSM.
    • AD/SSO = Directory Service.
    • Firewall rules = Firewall Manager.
    • Resource sharing = RAM.
    • Security findings = Security Hub.
  • Memorize: Costs, integrations, use cases.