
Explore an in-depth AWS security specialty course aligned with the official exam blueprint, covering Amazon Inspector, vulnerability concepts, and real-world breach scenarios with labs and Splunk analyses.
Explore a case study of a hacked server, highlighting how untrusted software and Docker images enabled compromise. Examine attacker patterns such as defacement, malicious attachments, and ransomware risks.
GuardDuty acts as a managed threat detection service in AWS, analyzing DNS logs, CloudTrail, and VPC flow logs to identify high-severity findings and potential breaches.
Explore how Amazon GuardDuty's malware protection uses an agentless scan of an EBS snapshot, detailing GuardDuty initiated versus on-demand malware scans, and considerations around cost and data privacy.
Learn to perform an on-demand malware scan with GuardDuty by setting up a test EC2 instance, deploying a malware sample, and reviewing the scan results and findings.
Centralize GuardDuty findings across multiple AWS accounts using a central administrator account. Invite member accounts, accept invitations, and view filtered findings from a unified dashboard.
Analyze how committing IAM access and secret keys to public or private GitHub repos triggers AWS compromised key quarantine policy, deny actions, automated notifications, and remediation steps like key rotation.
Identify exposed access and secret keys and assess their access level. Invalidate credentials, including temporary ones, restore access with new credentials, and review AWS account and CloudTrail logs.
Discover Amazon Detective, a threat detection service that ingests CloudTrail, VPC Flow Logs, and GuardDuty findings to investigate root causes of security issues.
Amazon Security Lake collects security logs from various sources, normalizes them to the OCSF format, and stores them in S3 for analysis with tools like Athena, OpenSearch, SageMaker, and Splunk.
Explore AWS Security Lake pricing, covering data ingestion and conversion charges, CloudTrail and other logs, Parquet conversion with gzip, and S3 storage cost implications.
Learn chaos engineering with AWS Fault Injection Service, building and running an experiment template to stop and restart an EC2 instance, while reviewing logs and reports.
Explore security incident response using AWS Step Functions, triggering an admin access policy approval workflow via EventBridge and Lambda validators, with email approvals that retain or detach the policy.
Practice an automatic forensic orchestrator that uses a Lambda function to collect EBS snapshots and isolate EC2 instances with a forensic security group, tested with manual instance IDs.
Enable Amazon Inspector vulnerability scans to automatically discover resources and assess EC2 and ECR assets. Ensure the SSM agent is running and push a vulnerable image to ECR for analysis.
Learn how CVE IDs and CVSS scores guide vulnerability management and patch prioritization, using the NVD and real-world examples to assess risk, severity, and remediation.
Centralize security findings from Inspector, GuardDuty, Config and more, and automate posture checks with CSPM against CIS, PCI DSS, and NIST standards.
Explore how AWS Security Hub's custom actions automate remediation workflows by triggering EventBridge rules that invoke Lambda or SNS, coordinating Macie findings from S3 and other services for automated responses.
Discover how AWS Security Hub integrates findings from Config, GuardDuty, Macie, and third-party products, centralizing data and enabling sending and receiving findings with Jira and Splunk.
Learn how to use cross-region aggregation in AWS Security Hub to centralize findings from multiple regions into a chosen home region, with linked regions configured in the console.
Configure AWS WAF by creating a web ACL, adding a geolocation rule to block India, then attaching it to an application load balancer and testing with a fixed response.
Discover how AWS Systems Manager serves as a central command center to manage EC2 instances from a single console, using Run Command, Parameter Store, and more via the SSM agent.
Use Session Manager to connect to an EC2 instance, log commands to CloudWatch via the SSM agent and an IAM role, and configure idle timeout and KMS encryption for auditing.
Explore how AWS Systems Manager Run Command remotely executes scripts on managed instances, enabling antivirus installation across many instances with tag-based or manual targeting.
Explore AWS Systems Manager Parameter Store to securely save and manage configuration settings and secrets with String, StringList, and SecureString types, encrypted by KMS and decryptable with proper permissions.
Compare standard and advanced parameter store tiers, noting limits, policy availability, sharing, and costs. Learn to reference and organize parameters with the SSM syntax and hierarchical paths.
Automate operational tasks across AWS resources with AWS Systems Manager Automation, enabling quarantine of compromised EC2s, memory dumps, and scalable runbooks for EC2, S3, and RDS.
Automate patching with AWS Systems Manager Patch Manager, scanning for missing patches and applying updates. Configure baselines, maintenance windows, and exemptions to prioritize security patches and auto approval.
Explore AWS Systems Manager inventory to collect node metadata, including packages, services, network details, Windows registry, and CPU info, stored in S3 and queryable with Athena for enterprise insights.
Discover how the CloudWatch unified agent captures disk usage, memory, and logs on EC2. See how centralizing metrics with this single agent enables proactive alarms in CloudWatch.
Configure the unified CloudWatch agent on EC2 by creating an IAM role, installing the agent, running the configuration wizard, and starting data collection of metrics and logs.
Explore how CloudWatch Logs Insights searches across up to 50 log groups with a purpose-built query language, returning results and visualizations such as pie and bar charts for operational analysis.
Explore how CloudWatch metric filters search and filter log data, convert matches into numerical metrics, and trigger alarms with email notifications based on patterns.
Learn to use CloudWatch log subscription filters to forward log group data to destinations like Kinesis, Firehose, and Lambda, with patterns that selectively forward CloudTrail events.
Enable CloudWatch anomaly detection to replace static thresholds with machine learning that learns normal patterns from historical data, uses a confidence band, and reduces false positives while flagging true anomalies.
Use Amazon Athena to analyze CloudTrail and CF logs in S3 with standard SQL queries, gaining quick results without traditional monitoring setups.
Discover how AWS Config records resource changes with a timeline, enforces audit and compliance through rules and conformance packs, and integrates with CloudTrail and EventBridge for alerts.
This lecture explains AWS Config rule evaluation modes, comparing detective rules that check after changes with proactive rules that verify before creation to ensure compliant resources.
Discover how the AWS Config aggregator centralizes configuration and compliance data from multiple accounts and regions, including organizations, enabling centralized queries and resource visibility after cross-account authorization.
Demonstrate remediating non-compliant AWS Config rules by integrating AWS Config with SSM Automation to encrypt S3 buckets and fix open security groups through automation documents.
Implement a practical remediation workflow using an AWS Config rule and SSM automation to automatically disable public SSH access on a non-compliant security group.
Explore CloudTrail event types: management, data, network activity, and insight events, and understand how they record AWS account activity from sign-ins and EC2 launches to S3 data access.
In this practical Amazon Macie session, create an S3 bucket in the North Virginia region, enable Macie, run a one-time sensitive data discovery job, and review high-severity findings.
Explore how S3 event notification sends bucket events, such as PUT uploads, to Lambda, SQS, or SNS, with setup steps and a Lambda-driven malware scan use case.
Understand how VPC flow logs act as a visitor register for AWS, capturing IP traffic to and from EC2 and outbound destinations, stored in CloudWatch logs and dashboards for security monitoring.
Explore VPC flow logs in detail, including interface-level capture, whole-VPC logging best practices, and the high-level format with source and destination IPs, ports, packets, bytes, and actions.
Learn to design a secure S3 bucket policy for centralized logging in cross-account CloudTrail setups. Use an aws:SourceArn condition with the exact CloudTrail ARN to prevent unauthorized writes.
Learn how Amazon CodeGuru uses machine learning to improve code security, quality, and performance with CodeGuru Security, CodeGuru Profiler, and CodeGuru Reviewer, including detectors for OWASP Top 10.
Learn how S3 lifecycle policies automate data movement across storage classes such as Standard, Standard-IA, and Glacier, and manage deletions and versioning for cost and compliance.
Explore Amazon OpenSearch, forked from Elasticsearch, to ingest, search, and visualize data from log files, metrics, and documents, then build dashboards with sample data and insights into operating systems.
Learn how AWS Audit Manager automates evidence collection and continual compliance against PCI DSS and other frameworks, replacing point-in-time checks with continuous assessments using AWS Config, CloudTrail, and Security Hub.
Explore CloudFormation Guard, an open source policy-as-code tool that enforces rules on CloudFormation templates, validating EC2 instance types in CI/CD pipelines using YAML or JSON.
Discover how CloudFormation dynamic references fetch values from Parameter Store or Secrets Manager at stack creation, improving security and keeping templates clean.
Demonstrate a practical CloudFormation workflow that creates a security group with a cost center tag sourced from Systems Manager parameter store using dynamic references, then deploy and clean up.
Learn how the Network Access Analyzer evaluates AWS network paths and produces findings to enforce organization subnet and internet access policies for EC2 resources.
Explore how VPC traffic mirroring copies network traffic from an elastic network interface to a centralized monitoring tool, enabling security analysis with tools like Splunk, IDS, or IPS.
Explore client VPN endpoint architectures for connecting to VPC subnets, peered VPCs, on-premise networks via site-to-site VPN, internet access through an internet gateway, and client-to-client communication with security group controls.
Learn how Site-to-Site VPN tunnels securely connect two networks across the internet, using a virtual private gateway for high availability with multiple tunnels and IPs.
Explore how VPC peering enables private communication between instances in different VPCs across regions and accounts, using non-overlapping CIDR blocks, and understand why it is not a transit VPC.
Examine how gateway VPC endpoints route private-subnet traffic to S3 or DynamoDB through a route table prefix list, with AWS automatically managing CIDR ranges.
Implement a gateway VPC endpoint for S3 by configuring a private subnet, a route table, and an IAM role, then verify connectivity from private EC2 to S3 in Mumbai.
Master gateway VPC endpoint policies to control EC2 to S3 access with granular allow and deny rules, and learn how policy evaluation determines access.
Explore how interface VPC endpoints use an elastic network interface with private IP addresses in a subnet to route traffic to AWS services, with security group integration and on-premises connectivity.
Implement interface endpoints in a VPC, configure subnets and a security group, attach the endpoint to an EC2 instance, and observe traffic routing to the interface endpoint IP.
Learn to implement VPC endpoint services connecting a service consumer to a provider across two accounts over the AWS private network, using an interface endpoint and a network load balancer.
Learn to terminate endpoint resources in a service provider-consumer setup, including detaching interface endpoints, deleting endpoint services, and terminating load balancers and instances to avoid AWS charges.
Learn how MAC security (MACsec) provides data confidentiality, integrity, and origin authentication over AWS Direct Connect, enabling high-speed encryption at 10 or 100 Gbps with compatible customer devices.
Understand how network ACL rule ordering works, evaluating the lowest numbered rule first and applying the first match. Learn about inbound and outbound rules, ephemeral ports, and port ranges.
Explore content delivery networks, caching at edge servers to boost performance, reduce origin load, and guard against DDoS and web threats with edge security features.
Learn how Amazon CloudFront functions as a content delivery network, connecting to S3, load balancers, API Gateway, and Lambda, with edge locations for global caching and security integrations.
Execute a practical CloudFront workflow using an S3 origin, create and deploy a distribution, access objects via the distribution domain, and learn disabling before deletion.
Explore how origin access control secures CloudFront to S3 by restricting access to a specific CloudFront distribution, preventing direct S3 access, and comparing OAC with the legacy OAI.
Implement CloudFront origin access control in a practical setup, creating a CloudFront distribution for an S3 bucket, auto-applying a bucket policy, and testing GetObject access.
Demonstrate the practical workflow for CloudFront signed URLs, covering the S3 origin, a trusted signer with public/private keys, key groups, and generating and testing URL access.
Use AWS managed prefix lists to restrict an application load balancer to CloudFront traffic, replacing manual IP whitelisting and attaching the CloudFront prefix list ID in security groups.
Scale for traffic surges with auto scaling; minimize attack surface by decoupling components; detect normal versus abnormal activity to plan DDoS mitigation with AWS Shield, CloudFront, Route 53, and WAF.
Explore the trade-offs between REST APIs and HTTP APIs in API Gateway, highlighting feature richness, security options (mutual TLS, WAF), and production readiness versus cost and simplicity.
Create a simple HTTP API through API Gateway that invokes a Lambda function. Build a hello function in Node.js, configure the HTTP API integration, and obtain the invoke URL.
Integrate Lambda with S3 by using S3 events to trigger a function on object creation, and ensure proper execution role permissions to access and read the uploaded file.
Explore the AWS Artifact service and its role in evidence for the shared responsibility model, providing on-demand access to security and compliance reports and agreements.
Explore how Lambda@Edge runs Lambda functions at four points, including viewer request, origin request, origin response, and viewer response, to customize CloudFront delivery, modify requests and responses, and handle errors.
Demonstrate how Lambda@Edge integrates with CloudFront to handle origin requests, auto-selecting between experiment A or B images when cookies are missing, and logs the outcome in CloudWatch.
Explore how VPC DNS attributes control public DNS host names and DNS resolution, compare enabled versus disabled settings across regions, and verify behavior with nslookup.
Learn how DNS query logging in AWS Route 53 captures every domain query, stores logs in CloudWatch, and links queries to a VPC and EC2 instances for security analysis.
Enable Route 53 query logging from scratch, set CloudWatch as the destination, create a log group, and test with EC2 using Log Insights for queries and visualization.
Explore how the AWS Network Firewall provides stateful protection for your VPC with domain and IP filtering, Suricata IPS rules, and deep packet inspection.
Deploy a network firewall in an AWS VPC, configure the firewall subnet and route tables, and create domain and IP filter rule groups to control traffic.
Learn how elastic network interfaces in a VPC serve as virtual network cards, carrying private IPv4 addresses, elastic IPs, MAC addresses, and security groups, with portability across EC2 instances.
Learn how to bring your own IP in AWS to preserve IP reputation during cloud migration, avoid whitelisting, and follow ARIN, RIPE, APNIC rules for IPv4/IPv6 ranges and elastic IPs.
Explore Amazon SES, the email platform for sending and receiving emails from verified addresses and domains, with dashboards, templates, and dedicated IPs.
Explore how to connect to an SES SMTP endpoint using TLS, compare STARTTLS and TLS wrapper, and review port options 25/587/2587 and 465/2465.
Explore how EC2 Image Builder automates creating golden hardened AMIs from base images using build components, CIS benchmarks, testing, and automated distribution across regions.
Explore the basics and advantages of Docker containers, an open platform, with an NGINX demo, and learn how build once, run anywhere enables cross-platform deployment by packaging dependencies inside containers.
Explore elastic container registry (ECR) as a fully managed container registry for storing and pulling Docker images, including private and public repositories and AWS integration.
Create a private ECR repository, then on an EC2 instance install Docker, pull nginx, authenticate, tag, and push images to ECR using IAM roles and standard push commands.
Learn the basics of AWS tags to organize resources and enable identification across EC2 and S3. Explore tag structure with key and value and practical examples like env and costcenter.
Learn how AWS resource groups unite resources across services with tag-based grouping to view, manage, and automate team assets in a single console.
Discover Amazon Bedrock, a unified API hosting hundreds of foundation models from leading providers with managed infrastructure, plus playgrounds for chat and image testing and a model catalog for comparison.
Discover how generative AI guardrails in Amazon Bedrock enforce safety and compliance across foundation models, with content filters, denied topics, prompt attack detection, and PII data redaction.
Explore Amazon Q, a twofold offering with Q Developer and Q Business that helps build, secure, and analyze code while connecting to enterprise data sources and Bedrock models.
Record your AWS Management Console actions with Console-to-Code, and generate AWS CLI commands, CloudFormation YAML/JSON, or language-specific code for automation.
Explore how AWS IoT Core acts as the front door for IoT devices to securely send data and receive commands via MQTT, publish-subscribe, and certificate-based authentication with policy.
Learn the JSON structure of AWS IAM policies, including Version, Statement blocks (Sid, Effect, Action, Resource, Condition), and inline, managed, and resource-based policy types.
Design and validate a targeted IAM policy to let a specific user start and stop a single EC2 instance by its ARN, ensuring the console and CLI compatibility.
Create an IAM policy from scratch to allow Alice to start and stop a specific EC2 instance using ARN constraints. Explore DescribeInstances limitations and testing via CLI for verification.
Enable tag policies in AWS Organizations, create a tag policy for the tag key team name with allowed values security and DevOps, apply it to all resources, and verify enforcement.
Learn how organizational units in AWS Organizations group hundreds of accounts into development and production, and apply service control policies at the OU level, including nested structures.
Explore how to configure service control policies using deny list and allow list strategies, including the FullAWSAccess default, and review practical demos for root and member accounts.
Switch from a deny list to an allow list service control policy. Create and attach an allow list policy that permits EC2 and CloudWatch actions for root and sandbox accounts.
Understand IAM policy evaluation logic across identity-based, resource-based, and SCP policies, learn how explicit denies override defaults, and how permissions merge or intersect to grant access.
Explore how identity-based and resource-based policies combine to determine final S3 bucket permissions, illustrating explicit allow versus default deny through examples of Alice, Bob, and John.
Explore cross-account policy evaluation logic in IAM, using trusted and trusting accounts, resource-based and identity-based policies to control access to an S3 bucket.
Design cross-account roles between an identity account and a sandbox destination account, create a user in the identity account, configure trust and policies, and enable users to assume and switch roles.
Explore how the condition element in IAM policies uses condition blocks, like source IP restrictions, to fine-tune access. Learn key condition operators and how policy editors simplify creation.
Apply a practical IAM policy using the IP address condition operator to restrict AWS actions by source IP, illustrated with inline policy creation, testing, and access control.
Learn how to use IAM policy variables to scale permissions, letting users create their own access keys and start or stop EC2 instances based on team tags.
Understand how an external ID works with cross-account IAM roles to securely access customer accounts, mitigating the confused deputy problem by requiring a unique external ID alongside the role ARN.
Configure a cross-account IAM role secured by an external ID across a security corp and client account, and practice assuming it with the AWS CLI to verify the trust policy.
Explore EC2 instance metadata and the instance metadata service to retrieve ami-id, instance-id, hostname, and IAM role. See how dynamic apps adjust resources based on instance type via metadata.
Explore how to access EC2 instance metadata with curl at 169.254.169.254/latest/meta-data, understand enabling and disabling metadata, and compare version 1 and version 2 options with optional versus required tokens.
Learn to access the EC2 instance metadata service with IMDSv2 by generating a session token and including it in metadata requests, enabling authorized access.
Block access to the instance metadata service with iptables to protect sensitive IAM role credentials, and demonstrate two use cases that restrict or permit specific users.
Block access to the instance metadata service (169.254.169.254) using iptables rules for specific users (Alice, trustworthy-user) on Amazon Linux, with setup and testing.
Learn how AWS Security Token Service issues temporary credentials (access key, secret key, and a session token) via AssumeRole with the role's permissions. Understand trust policies and cross-account access.
Explore federation, where external identities reside in a directory (LDAP, Active Directory) and users log in to service providers like AWS and Jenkins via an identity broker and STS tokens.
Explore AWS Directory Service, including AWS Managed Microsoft AD, Simple AD, and AD Connector, to replace on-premises Active Directory with cloud-based directory provisioning, high availability, backups, and seamless cloud authentication.
Configure IAM Identity Center to replace AWS Single Sign-On, enable it with AWS Organizations, and use the access portal to test a new user with an administrator access permission set.
Explore how Amazon Cognito delivers authentication, authorization, and user management for web and mobile apps, covering user pools, identity pools, signup, social sign-in, email verification, MFA, and account recovery.
Explore how S3 bucket policies control access to buckets and objects, distinguish them from identity policies, and enable public or restricted access via HTTPS.
Regain access to a locked S3 bucket by removing a faulty deny policy that blocks non-IP CIDR access, using the root account to delete the policy.
Learn to configure a central cross-account S3 bucket to collect logs from multiple accounts using a bucket policy and minimal actions like GetObject, PutObject, and PutObjectAcl.
Learn how canned ACL enables cross-account S3 access by applying bucket-owner-full-control, giving full control to object and bucket owners. Understand common canned ACL options and their effects on S3 buckets.
Discover how pre-signed URLs give time-limited access to private S3 objects, enabling subscribers to download purchased files via GUI, CLI, or SDK while the URL expires.
Explore how S3 batch operations manage billions of objects at scale with a few clicks and apply actions like tagging across an entire bucket using an inventory manifest.
Learn how S3 Object Lock implements the write once read many model to protect data from ransomware, with governance and compliance retention modes and per-object retention.
Explore how Amazon S3 Inventory generates CSV listings of objects and metadata on daily or weekly schedules, including bucket name, key, size, last modified, storage class, and encryption.
Explore S3 server access logging, which records detailed bucket requests with timestamps and client details in a target log bucket, enabling security audits, customer insights, and cost analysis.
Learn how to configure cross account replication in S3 by creating an IAM role in the source account, applying a destination bucket policy, and setting up a replication rule.
Implement cross-account S3 replication by using two accounts, enabling versioning, configuring a destination bucket policy, and creating a replication rule with an IAM role; test by uploading a file.
Troubleshooting Answers - Solution 01 demonstrates fixing an IAM inline policy by removing a duplicate resource key and using an array for multiple actions; validate JSON to catch errors.
Discover how policy variables affect IAM policies, why valid JSON alone isn't enough, and how explicitly setting the Version to 2012 fixes access key permissions for the Alice user.
Use a JSON validator to verify and fix IAM policy syntax, identifying and correcting missing commas after Effect and Action (Allow and s3:*), ensuring policy four works.
Fix policy five by consolidating two JSON policy objects into one outer object. Convert multiple statements into an array within the IAM policy and review the policy for correct structure.
Explore how AWS service roles enable services to act on your behalf and how iam:PassRole restricts who can assign these roles to resources, using CloudFormation examples.
Explore Amazon WorkMail, a secure, managed business email service, with mailbox setup, sending and receiving emails, and user creation; learn when it suits simple email needs.
Break-glass access provides immediate emergency access to cloud accounts and apps when the identity provider fails, using emergency users to reach AWS, Jenkins, and HR systems.
Explore how IAM permission boundaries act as a fence, limiting rights even when an administrator access policy is attached, as shown with Alice and S3 full access.
Understand the IAM Roles Anywhere workflow, including PKI and trust anchors. See how client certificates from a trusted CA enable on-premises servers to obtain temporary STS credentials via profiles.
Practical end-to-end setup of IAM Roles Anywhere, from the CA certificate and client certificates to trust anchors, profiles, and the signing helper, to obtain temporary credentials for on-premises servers.
Explore the basics of cryptography, including plaintext to ciphertext mappings and the crucial role of secret keys. Understand symmetric-key encryption, encryption algorithms, and why HTTPS protects data.
Discover how computer systems use common protocols to communicate, from TCP/IP three-way handshakes to file transfer and web protocols like DNS, HTTP, and SFTP.
Explore how AWS CloudHSM provides a cloud-based hardware security module to securely store encryption keys. Understand tamper resistance and FIPS 140-2 Level 3 validation for on-premises to cloud migration.
Enable secure VPC access with CloudHSM in your VPC to securely communicate with EC2. You control keys and cryptographic operations while AWS handles health and availability.
Create and manage a customer managed key in AWS KMS, assign an admin and a key user, then perform encryption and decryption using the AWS CLI, understanding plaintext and ciphertext.
Describe the KMS architecture and envelope encryption, showing how CMK and data keys generate plaintext and ciphertext, encrypt data, store keys securely, and decrypt via the decrypt interface.
Learn how asymmetric key encryption uses a public and private key to encrypt with one key and decrypt with the other, enabling secure email, SSH, and TLS.
Explore asymmetric keys in AWS KMS, compare with symmetric keys, and learn encrypt and decrypt, digital signing, and public-private key workflows using KMS.
Explore practical asymmetric key encryption with AWS KMS, creating an asymmetric CMK for encrypt and decrypt, obtaining the public key to encrypt data and decrypt with KMS private key.
Explore data key caching in AWS KMS, reusing data keys to reduce latency in envelope encryption. Weigh the performance gains against the security trade-offs of key reuse.
Understand how deleting a single customer master key (CMK) affects EBS encryption, including the data key lifecycle, memory storage, and decrypt failure when the CMK is unavailable.
Explore how the default key policy, automatically attached to a KMS CMK, delegates access control at the IAM level, enabling only users with explicit policies to encrypt or decrypt.
Explore how KMS key policies govern access and why the default policy matters. Deleting all authorized IAM users can create an unmanageable CMK, so preserve the default policy and manage IAM permissions carefully to reduce risk.
Alice can encrypt and decrypt using the KMS policy evaluation logic, and the video shows running AWS KMS encrypt and decrypt commands within an integrated IAM workflow.
For use case 02, Alice cannot encrypt but can decrypt under KMS policy evaluation. The decrypt succeeds, while IAM-level encrypt permissions have no impact due to the missing default policy.
Explore use case three of KMS policy evaluation. Determine whether Alice can encrypt or decrypt despite a deny in her IAM policy, given the KMS policy allows these actions.
Discover how KMS grants let trusted users perform specific operations on a CMK, such as encrypt, for a limited time without editing the key policy, using a grant token.
Demonstrate the end-to-end AWS KMS grants workflow by creating a KMS key, configuring Alice and Bob, generating a grant, using it to encrypt, and revoking the grant.
Learn how to import your own key material into a CMK in AWS KMS by selecting external and using a wrapping key and import token.
Demonstrate how the KMS kms:ViaService condition key restricts a CMK to specific AWS services by using a deny policy for EC2 calls and an allow for services like RDS, shown with a demo key.
Learn how to migrate encrypted AWS data across regions by changing the KMS CMK to the destination region, covering EBS and RDS migrations and envelope encryption implications.
Learn how multi-region KMS enables cross-region encryption and decryption with the same key material by creating a primary key and replica keys across regions.
Explore AWS elastic load balancing, including application, network, gateway, and classic load balancers, and how they ensure high availability, security, and performance with seamless AWS service integration.
Explore classic load balancers, the original elastic load balancing option, and test a hands-on workflow with an EC2 nginx setup, comparing limitations to application and network load balancers.
Learn how an application load balancer uses http headers like host and user agent to route requests at the application layer, applying path-based and host-based rules and client-specific responses.
Discover how a load balancer uses listeners to handle HTTP and HTTPS requests on configured ports, apply rules, and forward traffic to target groups of EC2 instances or Lambda functions.
Launch an EC2 instance with Nginx, create a target group and application load balancer, configure an HTTP listener on port 80, test the traffic flow, then delete resources.
Discover how network load balancers operate at the transport layer to support non-HTTP protocols like TCP, UDP, and TLS, handling millions of requests per second.
Configure a network load balancer to forward TCP port 22 SSH traffic from an internet user to an EC2 instance using a TCP target group and NLB listener.
Enable ELB access logs to capture request details like client IP, URI, and user agent; the logs are delivered to an S3 bucket for analysis and pattern visualization with Splunk or ELK.
Enable ELB access logs by creating an S3 bucket, applying a bucket policy, and configuring the ALB to push logs to the bucket in the same region.
Use header-based verification to restrict access to the application load balancer so traffic comes only from CloudFront. CloudFront adds a custom secret header (such as X-Secret-Header) that ALB listener rules enforce.
CloudFront VPC origins keep private resources off the public internet, linking a private ALB/ELB in a private subnet to CloudFront so that traffic is protected by WAF and Shield.
Explain how HTTPS extends HTTP with TLS to encrypt client-server communication. Recognize certificates from authorities like Let's Encrypt and the handshake that exchanges a symmetric key via a public key.
Discover how AWS Certificate Manager issues and manages TLS certificates for your domains and load balancers, simplifying trusted encryption and automatic renewals without exposing private keys.
Issue a public certificate for your domain via AWS Certificate Manager using DNS validation with a CNAME record, then deploy the issued certificate with CloudFront, ELB, and API Gateway.
Learn how HTTPS listeners in elastic load balancers enable client to ELB encryption using certificates, the implications for end-to-end encryption to EC2, and options with ALB, NLB, or CLB.
Master Glacier vaults and vault lock policies to protect archives with immutable controls. Configure IAM access, encryption, and vault lock to prevent archive deletion.
Explore how encryption context in AWS KMS uses a set of key-value pairs as additional authenticated data, requiring the same context at decryption time and thereby preventing tampering such as swapping ciphertext between records.
Store and rotate credentials with AWS Secrets Manager, avoiding hard-coded secrets. Integrate with AWS services and encryption, enabling auditing and access control.
See how the Route 53 Resolver DNS Firewall filters outbound DNS queries within a VPC, blocking blacklisted domains and preventing DNS exfiltration using rule groups and AWS managed domain lists.
Configure a Route 53 DNS Firewall to block facebook.com and twitter.com by creating a blacklist domain list and a rule group, then associate it with a VPC and validate with nslookup.
Explore DNS cache poisoning, where forged DNS responses mislead a resolver to cache attacker IP addresses and direct users to fake websites via UDP-based queries.
Enable DNSSEC in a Route 53 hosted zone, create a KMS-based key-signing key (KSK) via a CMK, and publish the public key at the registrar to establish the chain of trust.
Explore disk level encryption across BitLocker, FileVault, and LUKS, and learn how AWS EBS encryption with KMS secures data at rest, in transit, and encrypted snapshots.
Explore EBS encryption scenarios: encrypt volumes from unencrypted snapshots, copy unencrypted snapshots to encrypted ones, and re-encrypt volumes from encrypted snapshots with a CMK.
Explore Elastic File System (EFS): a scalable, fully managed shared storage that auto scales and attaches to EC2, Lambda, and EKS; it uses NFS with mount targets.
Create and configure an elastic file system in the AWS console, mount it on two EC2 instances via NFS, verify shared storage with server01.txt and server02.txt, and clean up.
Explore how to use EFS file system policies to restrict mount access, enforce read-only or in-transit encryption, and apply IAM role ARNs for granular, resource-based access control.
Enable encryption at rest for EFS and secure data in transit between EC2 and EFS with TLS and AES-256, via the EFS mount helper and optional KMS keys.
Enforce in-transit encryption for all EFS clients by using a file system policy that denies unencrypted connections, while supporting the mount helper with TLS and the traditional NFS mount.
Learn how IAM authentication enhances access control for EFS by requiring a valid IAM role and TLS when mounting from EC2.
Identify if RDS encryption is enabled via console, CLI, or API, and enable encryption at creation with a CMK or AWS key; encryption covers storage, backups, replicas, snapshots, and logs.
Learn how to encrypt an existing unencrypted RDS instance by taking a snapshot, copying it with encryption using a KMS key, and restoring a new encrypted RDS instance from the snapshot.
Copy an encrypted RDS snapshot across regions and re-encrypt with the destination region key, then restore a new encrypted database using the appropriate KMS key.
Learn how to securely share encrypted RDS snapshots across accounts by using customer managed keys, updating KMS key policies, and re-encrypting with the destination account key.
Encrypt data on the client with a data key wrapped by a wrapping key using AWS Database Encryption SDK, so DynamoDB stores only encrypted data with end to end protection.
Nitro Enclaves create isolated, hardened execution environments on supported EC2 Nitro instances to securely process highly sensitive data, with no SSH access, no external networking, and no persistent storage.
Learn to set up and test Nitro Enclaves on a compatible EC2 instance, enable enclave support, build via Docker, run and debug, then terminate to avoid charges.
Encrypt Lambda environment variables with KMS to prevent plaintext exposure, apply encryption in transit, and enforce KMS decrypt permissions for the Lambda execution role.
Create a backup plan in AWS Backup using a template or new plan, define daily or monthly backups, retention, and on-demand backups, and assign resources like Aurora, S3, and RDS.
Use Resource Access Manager to securely share AWS resources across accounts, such as VPC subnets and prefix lists, via resource shares and invitations that are accepted across accounts.
Learn how AWS Control Tower simplifies setting up and governing a multi-account environment with AWS Organizations, single sign-on, Config rules, and automated guardrails to centralize logging and compliance.
Learn how Firewall Manager centralizes security rules across AWS accounts, applying WAF, Network Firewall, VPC security groups, and DNS Firewall for consistent protection.
Explore how AWS Service Catalog standardizes and secures development environments by provisioning through CloudFormation templates or Terraform, preventing overprovisioning and reducing costs.
Learn to use AWS Cost Explorer to visualize and manage your AWS costs and usage over time, leveraging pre-configured views, region and instance-type breakdowns, and CSV exports.
Explore AWS User Notifications, including AWS managed and user-configured notifications (UCNs). Learn how EventBridge rules route events to delivery channels like email and chat apps such as Chime, Teams, and Slack.
Explore AWS Verified Access as a zero trust alternative to VPNs, enabling authentication-based, policy-driven access to internal applications via IAM Identity Center.
Explore AWS Verified Access concepts, including trust providers, identity providers, the Cedar policy language, and endpoint domains that enable secure access to private apps without a VPN.
AWS Certified Security - Specialty is one of the most widely recognized security certifications across the industry. With the number of security breaches increasing every year, there is a huge demand for individuals who understand the security side of things, specifically for cloud-based infrastructures.
This course is specially designed for aspirants who intend to take the AWS Certified Security Specialty 2026 certification, as well as for those who want to master the security side of AWS.
Throughout the course, we explore various real-world scenarios, look into why websites get hacked and what could have been done to prevent it, and learn the security best practices for your AWS environment.
Since this is a Specialty-level certification, it is very important that the candidate has prior hands-on experience in AWS; this is also a prerequisite for the certification. We do start our journey into the security side of things from scratch.
With tons of quizzes to prepare you for the exam, real-world scenarios, and great support from our instructor in case of doubts, this course is all you need to master the security side of AWS and gain the certification.
I look forward to seeing you join us in this exciting journey on AWS Security.