# security

## Encryption

### Encryption in flight (SSL)

<figure><img src="https://2259236002-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fuh9xZDZ53qGqmMCM44PU%2Fuploads%2FWkTj1BV7v1PQ1VMfHekB%2Fimage.png?alt=media&#x26;token=ac48e053-b559-477c-98cc-9b309e2155d4" alt=""><figcaption><p>SSL</p></figcaption></figure>

* Data is
  * encrypted before sending
  * decrypted after receiving
* SSL/TLS certificates enable the encrypted connection (HTTPS)

### Encryption at rest (server-side)

<figure><img src="https://2259236002-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fuh9xZDZ53qGqmMCM44PU%2Fuploads%2Ftbljj6J0h5ZU7rAmnkBj%2Fimage.png?alt=media&#x26;token=e4ea839c-0666-43f8-a47d-ba97318e51e4" alt=""><figcaption><p>encryption at rest</p></figcaption></figure>

* Data is
  * encrypted after being received by the server
  * decrypted before being sent
  * stored in an encrypted form (using a data key)
* The key is managed separately from the data (e.g. by AWS KMS).

### Client-side encryption

<figure><img src="https://2259236002-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fuh9xZDZ53qGqmMCM44PU%2Fuploads%2FghlWP1hr5cSw55TACeYT%2Fimage.png?alt=media&#x26;token=58898791-1caa-4edb-8a65-e11eff7bf8ff" alt=""><figcaption><p>client side encryption</p></figcaption></figure>

* Data is
  * encrypted by the client and never decrypted by the server
  * decrypted by a receiving client
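Added example (not code from this page or from AWS) covering the server-side and client-side sections above: `seal`/`open` are AES-256-GCM, a constructed in-process `KeyManager` stands in for a key service such as AWS KMS, and `EncryptAtRest`/`DecryptAtRest` are the server-side path in which only a wrapped data key is ever stored next to the object. Client-side encryption is the same `seal`/`open` pair run on the client with a key the server never receives, so the server only stores an opaque blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func seal(key, plaintext []byte) []byte { // AES-256-GCM; the random nonce is prefixed to the ciphertext
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) { // reverses seal; a wrong key or a tampered blob fails
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KeyManager is a constructed stand-in for AWS KMS: the master key never leaves it.
type KeyManager struct{ master []byte }

func NewKeyManager() *KeyManager { return &KeyManager{master: randBytes(32)} }
func (k *KeyManager) GenerateDataKey() (plain, wrapped []byte) { // fresh data key + wrapped copy
	plain = randBytes(32)
	return plain, seal(k.master, plain)
}
func (k *KeyManager) Unwrap(wrapped []byte) ([]byte, error) { return open(k.master, wrapped) }

// EncryptAtRest seals the object with a per-object data key and stores only that key's wrapped copy.
func EncryptAtRest(km *KeyManager, data []byte) (ciphertext, wrappedKey []byte) {
	dk, wrapped := km.GenerateDataKey()
	return seal(dk, data), wrapped
}
func DecryptAtRest(km *KeyManager, ciphertext, wrappedKey []byte) ([]byte, error) {
	dk, err := km.Unwrap(wrappedKey) // the data key comes back from the key manager, never from storage
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext)
}
```

Losing access to the key manager (or rotating the master key without re-wrapping) makes the stored wrapped keys, and so the objects, unrecoverable, which is exactly the property that makes "the key is managed somewhere else" a security boundary.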

## Secrets

| Type of secret                | Service                                                                                  |
| ----------------------------- | ---------------------------------------------------------------------------------------- |
| DB user/pass                  | [AWS Secret Manager](https://mamawhocode.gitbook.io/aws/services/security/secretmanager) |
| AWS credentials               | IAM                                                                                      |
| Encryption keys               | AWS KMS                                                                                  |
| Private keys and certificates | AWS Certificate Manager                                                                  |

## Inspector vs GuardDuty

| Aspect                              | AWS Inspector                                       | AWS GuardDuty                                       |
| ----------------------------------- | --------------------------------------------------- | --------------------------------------------------- |
| Purpose                             | Security and compliance assessments                 | Real-time threat detection and security alerts      |
| Use Cases                           | Assessing security and compliance of EC2 instances  | Detecting potentially malicious activities          |
| Automated vs. Continuous Monitoring | On-demand or scheduled assessments                  | Continuous monitoring for threats                   |
| Resource Coverage                   | EC2 instances and application assessments           | A broader range of AWS resources                    |
| Alerts and Notifications            | Provides assessment reports and findings            | Generates security alerts and findings in real-time |
| Integration                         | Integrates with AWS Systems Manager for remediation | Integrates with various AWS services and SIEMs      |
| Pricing                             | Different pricing models based on volume            | Different pricing models based on volume            |

***

## Shield vs WAF

Shield protects Amazon Elastic Compute Cloud (EC2), *<mark style="color:red;">Elastic Load Balancing</mark>* (ELB), Amazon ***CloudFront***, AWS Global Accelerator, and Route 53.

WAF protects Amazon ***CloudFront***, the Application Load Balancer (*<mark style="color:red;">ALB</mark>*), Amazon API Gateway, and AWS AppSync.

***

## Trivia

* AWS **Shield** for DDoS protection
* Amazon **Macie** to discover and protect <mark style="color:red;">sensitive</mark> data
* Amazon **GuardDuty** for intelligent threat detection to protect your AWS account\
  -> alerts you when it detects malicious activity
* Amazon **Inspector** for automated security assessments, e.g. of known vulnerabilities\
  -> gives you a report of findings after a scan (scheduled or on-demand)
