Security is a shared responsibility in AWS, and mastering identity management, encryption, and compliance frameworks is essential for both exam success and real-world deployments. Day 6 focuses on securing AWS environments using IAM, KMS, and governance tools.
🎯 Study Objectives
- Understand IAM users, roles, policies, and groups.
- Learn about encryption at rest and in transit.
- Explore AWS Key Management Service (KMS) and Secrets Manager.
- Review compliance programs and the Shared Responsibility Model.
🔐 Identity and Access Management (IAM)
- Users: Individual identities with long-term credentials.
- Groups: Collections of users with shared permissions.
- Roles: Temporary credentials for services or federated access.
- Policies: JSON-based documents defining permissions.
Use IAM roles for EC2, Lambda, and cross-account access, and apply the principle of least privilege: grant each identity only the permissions its task requires.
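As an added example (not part of the original notes), a small Python check for the least-privilege principle: it flags `Allow` statements that grant wildcard actions or resources, shown against a tightly scoped EC2 instance-role policy and the trust policy that lets only EC2 assume the role. The bucket name, account id and key id are constructed placeholders.

```python
"""Least-privilege checks for IAM policy documents (added example)."""
import json

# Constructed sample: permissions for an EC2 instance role that only needs
# to read objects from one bucket and decrypt with one KMS key.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
}

# Constructed sample of the anti-pattern: full access to everything.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def find_overly_broad_statements(policy):
    """Return indexes of Allow statements that use '*' or 'service:*' as an
    Action, or '*' as a Resource. Deny statements are never flagged."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        broad_resource = any(r == "*" for r in resources)
        if broad_action or broad_resource:
            findings.append(idx)
    return findings


def ec2_trust_policy():
    """Trust policy allowing only the EC2 service to assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print("broad statements:", find_overly_broad_statements(OVERLY_BROAD_POLICY))
```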
🔒 Encryption & Secrets Management
✅ AWS KMS
- Manages encryption keys for services like S3, EBS, RDS.
- Supports customer-managed keys and automatic rotation.
- Integrated with IAM for fine-grained access control.
✅ AWS Secrets Manager
- Securely stores API keys, passwords, and secrets.
- Supports automatic rotation and audit logging.
✅ Encryption Best Practices
| Layer | Method | Notes |
|---|---|---|
| At Rest | KMS, S3 SSE, EBS encryption | Enabled by default in many services |
| In Transit | TLS/SSL | Use HTTPS endpoints and secure protocols |
📋 Compliance & Governance
- Shared Responsibility Model:
  - AWS secures the infrastructure.
  - You secure your data, access, and configurations.
- AWS Artifact: Access compliance reports (e.g., ISO, SOC, PCI).
- AWS Organizations: Centralized account management and service control policies (SCPs).
- AWS Config: Tracks resource configurations and compliance status.
🧠 Exam Tips
- Know how IAM roles differ from users and when to use each.
- Understand how KMS integrates with other services.
- Be familiar with the Shared Responsibility Model and compliance boundaries.
- Expect scenario questions on access control, encryption, and audit trails.
🧪 Hands-On Labs
- Create IAM roles and attach policies for EC2 and Lambda.
- Enable S3 bucket encryption using KMS.
- Store and retrieve secrets using AWS Secrets Manager.
- Use AWS Config to track changes in security group rules.
✅ Summary
Day 6 reinforces the importance of securing cloud environments. From IAM roles to encryption and compliance, these concepts are foundational for building trustworthy, audit-ready architectures in AWS.