IAM for DevOps
- Pipeline role: least-privilege for each pipeline stage
- Cross-account: assume role pattern for deployments
- Permission boundaries: cap maximum permissions for CI/CD-created roles
- Service-linked roles: pre-defined for AWS service operations
KMS & Encryption
- CMK key policies + IAM policies = effective permissions
- Cross-account: grant + key policy allows external account usage
- Envelope encryption: data key encrypts data, CMK encrypts data key
- Automatic key rotation: every year for symmetric CMKs
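The envelope-encryption flow in the list above, as an added, self-contained Python example (not code from the original page or from AWS). `ToyKms`, `seal`/`unseal` and the HMAC-SHA256 keystream cipher are constructed stand-ins for KMS and AES-GCM so the example runs with the standard library only; the structure is what matters: the CMK never leaves the KMS object, one data key protects the payload, and the ciphertext carries only the wrapped copy of that key.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 32  # bytes produced by one HMAC-SHA256 call


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style keystream: HMAC(nonce || counter) XORed over each 32-byte chunk.
    out = bytearray()
    for n in range((len(data) + BLOCK - 1) // BLOCK):
        ks = hmac.new(enc_key, nonce + struct.pack(">I", n), hashlib.sha256).digest()
        chunk = data[n * BLOCK:(n + 1) * BLOCK]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption (encrypt-then-MAC): nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext or wrapped key was modified")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class ToyKms:
    """Constructed stand-in for KMS: CMK material never leaves this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:
        key_id = f"cmk-{len(self._cmks) + 1}"
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id: str):
        # Mirrors GenerateDataKey: plaintext data key plus a copy wrapped under the CMK.
        data_key = os.urandom(32)
        return data_key, seal(self._cmks[key_id], data_key)

    def decrypt(self, key_id: str, wrapped_data_key: bytes) -> bytes:
        # Mirrors Decrypt: unwrap the data key; the CMK itself is never returned.
        return unseal(self._cmks[key_id], wrapped_data_key)


def encrypt_envelope(kms: ToyKms, key_id: str, plaintext: bytes) -> dict:
    data_key, wrapped = kms.generate_data_key(key_id)
    body = seal(data_key, plaintext)  # data key encrypts the data locally ...
    del data_key                      # ... then the plaintext data key is discarded
    return {"key_id": key_id, "wrapped_data_key": wrapped, "ciphertext": body}


def decrypt_envelope(kms: ToyKms, envelope: dict) -> bytes:
    # One KMS call to unwrap the data key, then local decryption of the bulk data.
    data_key = kms.decrypt(envelope["key_id"], envelope["wrapped_data_key"])
    return unseal(data_key, envelope["ciphertext"])
```

Because the stored envelope holds only the wrapped data key, revoking access to the CMK (key policy or IAM) revokes access to every payload encrypted under it, without touching the bulk data.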
Secrets Manager
- Automatic rotation via Lambda (native for RDS, Redshift, DocumentDB)
- Cross-account access: resource policy on the secret
- Versioning: AWSCURRENT, AWSPREVIOUS, AWSPENDING during rotation
- Replicate secrets to other regions for DR
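The staging-label lifecycle from the Secrets Manager list above, as an added Python model (not code from the original page or from AWS). `SecretStore` and the `database` dict are constructed stand-ins for the secret and the backing service; the four step names follow the standard rotation Lambda steps (createSecret, setSecret, testSecret, finishSecret), and the point is how AWSPENDING, AWSCURRENT and AWSPREVIOUS move, including what happens when the pending credential fails verification.

```python
AWSCURRENT, AWSPREVIOUS, AWSPENDING = "AWSCURRENT", "AWSPREVIOUS", "AWSPENDING"


class SecretStore:
    """Constructed model of one secret: immutable versions plus movable staging labels."""

    def __init__(self, initial_value: str):
        self._versions = {"v1": initial_value}
        self.labels = {AWSCURRENT: "v1"}
        self._counter = 1

    def get_secret_value(self, stage: str = AWSCURRENT) -> str:
        return self._versions[self.labels[stage]]

    # --- the four rotation steps ---
    def create_secret(self, new_value: str) -> str:
        # Step 1: stage a new version as AWSPENDING (idempotent if the Lambda is retried).
        if AWSPENDING in self.labels:
            return self.labels[AWSPENDING]
        self._counter += 1
        version_id = f"v{self._counter}"
        self._versions[version_id] = new_value
        self.labels[AWSPENDING] = version_id
        return version_id

    def set_secret(self, apply_to_service) -> None:
        # Step 2: push the pending credential to the backing service.
        apply_to_service(self.get_secret_value(AWSPENDING))

    def test_secret(self, check) -> None:
        # Step 3: verify the pending credential works before promoting it.
        if not check(self.get_secret_value(AWSPENDING)):
            raise RuntimeError("pending credential failed verification; AWSCURRENT unchanged")

    def finish_secret(self) -> None:
        # Step 4: AWSCURRENT -> AWSPREVIOUS, AWSPENDING -> AWSCURRENT, pending label cleared.
        pending = self.labels.pop(AWSPENDING)
        self.labels[AWSPREVIOUS] = self.labels[AWSCURRENT]
        self.labels[AWSCURRENT] = pending

    def rotate(self, new_value: str, apply_to_service, check) -> str:
        self.create_secret(new_value)
        self.set_secret(apply_to_service)
        self.test_secret(check)
        self.finish_secret()
        return self.get_secret_value()


def demo_rotation():
    # Constructed stand-in for a database user whose password is being rotated.
    database = {"password": "initial-pw"}
    store = SecretStore("initial-pw")

    def apply_to_db(pw: str) -> None:
        database["password"] = pw

    def login_works(pw: str) -> bool:
        return database["password"] == pw

    store.rotate("rotated-pw", apply_to_db, login_works)
    return store, database


if __name__ == "__main__":
    store, database = demo_rotation()
    print("current:", store.get_secret_value(), "previous:", store.get_secret_value(AWSPREVIOUS))
```

Consumers that always read AWSCURRENT pick up the new value only after step 4, so a failure in steps 2 or 3 leaves the working credential in place; the stale AWSPENDING version is what a retried rotation run reuses.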
Security Automation
- GuardDuty → EventBridge → Lambda for threat remediation
- Security Hub: aggregated findings, standards (CIS, PCI, AWS Best Practices)
- Config rules: detective controls with auto-remediation via SSM
- Inspector: continuous vulnerability scanning for EC2, Lambda, ECR
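The GuardDuty → EventBridge → Lambda chain from the first bullet, as an added Python example (not code from the original page or from AWS). The EventBridge pattern uses the real numeric-matching syntax; `matches_pattern` is a simplified local matcher for that one pattern, the finding event is a constructed sample in the shape EventBridge delivers, and `plan_remediation` only returns the intended actions as data (the AWS API calls that would carry them out are left out).

```python
import json

# EventBridge rule pattern: only GuardDuty findings with severity >= 7 reach the Lambda.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}


def matches_pattern(event: dict, pattern: dict = HIGH_SEVERITY_PATTERN) -> bool:
    # Simplified matcher: exact-value lists plus the single numeric comparison used above.
    if event.get("source") not in pattern["source"]:
        return False
    if event.get("detail-type") not in pattern["detail-type"]:
        return False
    op, threshold = pattern["detail"]["severity"][0]["numeric"]
    sev = event.get("detail", {}).get("severity", 0)
    return {">=": sev >= threshold, ">": sev > threshold,
            "<=": sev <= threshold, "<": sev < threshold}[op]


def plan_remediation(event: dict) -> dict:
    # Decide a containment response per affected resource type.
    detail = event["detail"]
    resource = detail.get("resource", {})
    actions = []
    if resource.get("resourceType") == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        if detail["severity"] >= 7:
            # e.g. attach a no-ingress security group and snapshot volumes for forensics
            actions.append(("isolate_instance", instance_id))
        else:
            actions.append(("tag_for_review", instance_id))
    elif resource.get("resourceType") == "AccessKey":
        actions.append(("disable_access_key", resource["accessKeyDetails"]["accessKeyId"]))
    else:
        actions.append(("manual_triage", resource.get("resourceType", "unknown")))
    actions.append(("notify_security_channel", detail["id"]))
    return {"finding_id": detail["id"], "type": detail["type"],
            "severity": detail["severity"], "actions": actions}


def lambda_handler(event: dict, context=None) -> dict:
    plan = plan_remediation(event)
    print(json.dumps(plan))  # structured log line: the audit trail of what was decided
    return plan


# Constructed sample event (placeholder IDs) in the shape EventBridge delivers for findings.
SAMPLE_HIGH_SEVERITY = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID-0001",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    if matches_pattern(SAMPLE_HIGH_SEVERITY):
        lambda_handler(SAMPLE_HIGH_SEVERITY)
```

Keeping the decision logic separate from the AWS calls makes the Lambda testable offline and keeps its IAM role scoped to exactly the actions in the plan (the least-privilege point from the IAM section above).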