Common security threats

Task Statement 4.1: Implement and maintain network features to meet security and compliance needs and requirements.

📘AWS Certified Advanced Networking – Specialty


1. Introduction

In AWS networking, security threats are any actions or events that can:

  • Steal data
  • Disrupt services
  • Gain unauthorized access
  • Damage systems

Understanding these threats is critical because AWS follows a shared responsibility model, where:

  • AWS secures the cloud infrastructure
  • You secure your applications, data, and configurations

2. Major Types of Security Threats

2.1 Distributed Denial of Service (DDoS)

What it is

A DDoS attack tries to overwhelm a system by sending a huge amount of traffic.

How it works (IT example)

  • Thousands of compromised machines send requests to a web server
  • The server becomes overloaded and stops responding to real users

Types

  • Volumetric attacks → Large traffic floods (bandwidth exhaustion)
  • Protocol attacks → Exploit network protocols (e.g., SYN floods)
  • Application layer attacks → Target specific applications (HTTP requests)

AWS Protection

  • AWS Shield (Standard & Advanced)
  • Amazon CloudFront (edge protection)
  • Elastic Load Balancer (traffic distribution)
  • AWS WAF (filter malicious requests)

2.2 Unauthorized Access

What it is

Access to systems or data without proper permission.

How it happens

  • Weak IAM policies
  • Exposed credentials (access keys)
  • Open security groups (e.g., port 22 open to the internet)

IT example

An attacker uses leaked AWS credentials to:

  • Launch EC2 instances
  • Access S3 buckets
  • Modify network configurations

Prevention

  • IAM least privilege principle
  • Multi-Factor Authentication (MFA)
  • Use IAM roles instead of long-term keys
  • Rotate credentials regularly

2.3 Data Interception (Man-in-the-Middle Attack)

What it is

An attacker intercepts communication between two systems.

How it works

  • Data is captured while traveling over the network
  • Sensitive data (passwords, API calls) can be stolen

IT example

Unencrypted HTTP traffic between a client and server is intercepted and modified.

Prevention

  • Use HTTPS (TLS encryption)
  • Use VPN or AWS Direct Connect with encryption
  • Enable encryption in transit

2.4 Data Exfiltration

What it is

Unauthorized transfer of data outside the network.

How it happens

  • A compromised EC2 instance sends data to an external server
  • Misconfigured S3 bucket allows public download

IT example

Sensitive database records are copied and sent to an external IP.

Prevention

  • VPC Flow Logs (monitor traffic)
  • AWS CloudTrail (track API calls)
  • Restrict outbound traffic using NACLs and security groups
  • Use VPC endpoints (keep traffic inside AWS network)

2.5 DNS Attacks

What it is

Attacks targeting DNS systems like Amazon Route 53.

Types

  • DNS spoofing → Redirect users to fake websites
  • DNS amplification → Used in DDoS attacks

IT example

A user requests a domain, but DNS returns a malicious IP instead of the correct one.

Prevention

  • Use Route 53 DNSSEC
  • Use private hosted zones for internal services
  • Monitor DNS queries

2.6 Port Scanning and Reconnaissance

What it is

Attackers scan systems to find open ports and vulnerabilities.

How it works

  • Tools scan IP ranges to identify:
    • Open ports
    • Running services
    • Weak configurations

IT example

An attacker scans a VPC and finds:

  • Port 22 open → tries SSH brute force
  • Port 80 open → tests web vulnerabilities

Prevention

  • Close unused ports
  • Use security groups and NACLs
  • Enable AWS GuardDuty (detect suspicious scanning)

2.7 Malware and Ransomware

What it is

Malicious software that:

  • Steals data
  • Encrypts files (ransomware)
  • Disrupts systems

IT example

A compromised EC2 instance runs malware that:

  • Encrypts attached EBS volumes
  • Demands payment

Prevention

  • Use Amazon Inspector (vulnerability scanning)
  • Keep OS and software updated
  • Restrict internet access
  • Use endpoint protection tools

2.8 Insider Threats

What it is

Threats from authorized users misusing access.

Types

  • Malicious insiders
  • Accidental misconfigurations

IT example

An employee:

  • Deletes critical resources
  • Exposes an S3 bucket publicly

Prevention

  • IAM role-based access
  • Logging with CloudTrail
  • Use AWS Organizations SCPs (Service Control Policies)

2.9 Misconfiguration (Very Important for Exam)

What it is

Incorrect setup of AWS resources leading to vulnerabilities.

Common examples

  • Public S3 buckets
  • Open security groups (0.0.0.0/0)
  • No encryption enabled
  • Over-permissive IAM roles

Why it matters

Most cloud security incidents are caused by misconfiguration.

Prevention

  • AWS Config (compliance checks)
  • AWS Security Hub
  • Use predefined security policies
  • Regular audits
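An offline audit of two of the misconfigurations listed above, "open security groups (0.0.0.0/0)" and "over-permissive IAM roles" (it also catches the port-22-to-the-internet case from section 2.2). This is an added example, not part of these notes and not AWS Config or Security Hub. The inputs copy the shape of boto3's ec2.describe_security_groups() response and of an IAM policy document, but every group ID, CIDR and policy value is constructed sample data; the list of sensitive ports is an assumption.

```python
"""Offline audit for two misconfigurations listed above: security groups
open to the whole internet and IAM policies that allow everything.

Added example; not part of the study notes, AWS Config or Security Hub.
The inputs mimic the shape of boto3's ec2.describe_security_groups()
response and of an IAM policy document, but every value is constructed.
"""
from ipaddress import ip_network

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (assumption).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = (ip_network("0.0.0.0/0"), ip_network("::/0"))


def _is_world(cidr):
    return ip_network(cidr, strict=False) in WORLD


def _rule_covers(rule, port):
    """True if an ingress rule permits TCP/UDP `port` or all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # -1 means every protocol and port
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_group(group):
    """Findings for rules exposing sensitive ports, or all traffic, to the internet."""
    findings = []
    for rule in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(_is_world(c) for c in sources):
            continue                       # only internal sources: nothing to report
        if rule.get("IpProtocol") == "-1":
            findings.append(f"{group['GroupId']}: all traffic open to the internet")
            continue
        for port, name in SENSITIVE_PORTS.items():
            if _rule_covers(rule, port):
                findings.append(f"{group['GroupId']}: {name} ({port}) open to the internet")
    return findings


def audit_iam_policy(policy):
    """Flag Allow statements granting every action on every resource."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            findings.append("policy allows Action '*' on Resource '*' (admin-equivalent)")
    return findings


# Constructed sample data, not real resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}


def run_audit(groups=SAMPLE_GROUPS, policy=SAMPLE_POLICY):
    findings = []
    for group in groups:
        findings += audit_security_group(group)
    findings += audit_iam_policy(policy)
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Note that HTTPS (443) open to the world is not reported: a public web tier is expected to be reachable, which is why the check keys on a port list rather than on 0.0.0.0/0 alone. An IPv6 "::/0" rule is treated the same as 0.0.0.0/0, a case that checks written only for IPv4 tend to miss.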

2.10 IP Spoofing

What it is

An attacker pretends to be a trusted IP address.

How it works

  • Fake source IP address is used in packets
  • Used in DDoS attacks and to bypass IP-based filters

Prevention

  • Use AWS Shield
  • Use security groups (stateful filtering)
  • Implement proper authentication instead of IP-based trust
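The last bullet, authentication instead of IP-based trust, is the one a source-address forgery cannot defeat. The following added example (not from these notes or any AWS service) runs a legitimate request and a spoofed one through both models. The allow-list, shared secret and requests are constructed; the signature scheme is a minimal HMAC over timestamp and body, a much simplified cousin of the SigV4 signing that AWS APIs use, not SigV4 itself.

```python
"""Contrast of two trust models: accepting a request because of its source
IP, versus authenticating the request itself so a forged source address
gains nothing.

Added example; not from the study notes or any AWS service. The allow-list,
shared secret and requests are constructed. The scheme is a minimal
HMAC-SHA256 over (timestamp, body); it is not AWS SigV4.
"""
import hashlib
import hmac

TRUSTED_IPS = {"10.0.1.15"}                 # constructed IP allow-list
SHARED_SECRET = b"constructed-demo-secret"  # real deployments fetch this from a secrets store
MAX_SKEW_SECONDS = 300                      # signatures older than this are rejected (replay window)


def authorize_by_ip(source_ip):
    """IP-based trust: whatever the source field claims is taken at face value."""
    return source_ip in TRUSTED_IPS


def sign_request(secret, timestamp, body):
    """Client side: HMAC-SHA256 over the timestamp and body, hex-encoded."""
    message = f"{timestamp}\n".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def authorize_by_signature(secret, timestamp, body, signature, now):
    """Server side: freshness check first, then constant-time signature comparison."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


def demo():
    """Run a legitimate request and a spoofed one through both checks."""
    now = 1_700_000_000                      # constructed server clock
    body = b'{"action": "DescribeInstances"}'

    # Legitimate client: holds the secret and signs the current request.
    good_sig = sign_request(SHARED_SECRET, now, body)

    # Spoofed request: the source field says 10.0.1.15, but without the secret
    # the sender can only present a made-up signature or an old, stale one.
    forged_sig = "0" * 64
    stale_ts = now - 3600
    stale_sig = sign_request(SHARED_SECRET, stale_ts, body)   # constructed stale signature

    return {
        "ip_trust_accepts_spoofed": authorize_by_ip("10.0.1.15"),
        "signature_accepts_legit": authorize_by_signature(SHARED_SECRET, now, body, good_sig, now),
        "signature_accepts_forged": authorize_by_signature(SHARED_SECRET, now, body, forged_sig, now),
        "signature_accepts_stale": authorize_by_signature(SHARED_SECRET, stale_ts, body, stale_sig, now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The timestamp inside the signed message is what turns a one-time capture into a dead end after the skew window; the comparison uses hmac.compare_digest so that the check does not leak how many signature bytes matched.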

3. AWS Native Security Detection Services

You must know these for the exam:

AWS GuardDuty

  • Detects:
    • Port scanning
    • Suspicious traffic
    • Compromised instances

AWS CloudTrail

  • Logs all API activity
  • Detects unauthorized access

VPC Flow Logs

  • Capture network traffic metadata
  • Useful for identifying:
    • Data exfiltration
    • Unusual traffic patterns
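A worked pass over VPC Flow Log records for the two patterns the notes tie to flow logs: bulk outbound transfer to the internet (data exfiltration, 2.4) and one source probing many ports (reconnaissance, 2.6). This is an added example, not part of these notes, GuardDuty or any AWS tool. The log lines are constructed samples in the default (v2) flow log field order; the "internal" address ranges and both thresholds are assumptions a team would tune for its own VPC.

```python
"""Offline analysis of VPC Flow Log records for bulk internal->external
transfer (possible exfiltration) and many-port probing (reconnaissance).

Added example; not part of the study notes, GuardDuty or any AWS tool.
The log lines are constructed samples in the default (v2) flow log format,
and the thresholds are assumptions a team would tune for its own VPC.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Address ranges treated as "inside the VPC" (RFC 1918; assumption).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024   # 100 MiB per src->dst pair (assumption)
SCAN_PORT_THRESHOLD = 10                    # distinct rejected ports per source (assumption)


def _is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def parse_flow_log(text):
    """Parse default-format lines; NODATA/SKIPDATA records carry no flow and are dropped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["bytes"] = int(rec["bytes"])
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def detect_exfiltration(records, threshold=EXFIL_BYTES_THRESHOLD):
    """(src, dst) pairs whose ACCEPTed internal->external bytes reach the threshold."""
    totals = defaultdict(int)
    for r in records:
        if (r["action"] == "ACCEPT" and _is_internal(r["srcaddr"])
                and not _is_internal(r["dstaddr"])):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return sorted(pair for pair, total in totals.items() if total >= threshold)


def detect_port_scan(records, threshold=SCAN_PORT_THRESHOLD):
    """Sources whose REJECTed flows touch at least `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)


# Constructed sample log: one normal HTTPS flow, one 120 MB upload to an
# external host, a 12-port probe the security group rejected, and a NODATA line.
_ROW = ("2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 {pkts} {nbytes} "
        "1700000000 1700000600 {action} OK")
SAMPLE_LOG = "\n".join(
    [_ROW.format(src="10.0.1.15", dst="203.0.113.50", sport=44512, dport=443,
                 pkts=120, nbytes=65000, action="ACCEPT"),
     _ROW.format(src="10.0.1.22", dst="198.51.100.9", sport=51000, dport=443,
                 pkts=90000, nbytes=120000000, action="ACCEPT")]
    + [_ROW.format(src="198.51.100.77", dst="10.0.1.15", sport=40000, dport=p,
                   pkts=1, nbytes=44, action="REJECT")
       for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080)]
    + ["2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000600 - NODATA"])


def analyze(text=SAMPLE_LOG):
    records = parse_flow_log(text)
    return {"records": len(records),
            "exfiltration": detect_exfiltration(records),
            "port_scan": detect_port_scan(records)}


if __name__ == "__main__":
    print(analyze())
```

Two details worth keeping in mind when running this against real exports: flow logs record metadata only (no payload), so a byte-count rule is a volume signal rather than proof of exfiltration, and a source that is rejected on many ports shows up only if the security group or NACL actually denies the probes, which is why the notes pair GuardDuty with closing unused ports.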

AWS Security Hub

  • Central dashboard for security alerts

4. Defense-in-Depth Strategy

AWS recommends multiple layers of security:

Network Layer

  • Security Groups (stateful)
  • NACLs (stateless)
  • VPC isolation

Edge Layer

  • AWS WAF
  • AWS Shield
  • CloudFront

Application Layer

  • Authentication & authorization
  • Input validation

Monitoring Layer

  • CloudWatch
  • GuardDuty
  • CloudTrail

5. Key Exam Tips

  • DDoS → AWS Shield + CloudFront
  • Unauthorized access → IAM + MFA
  • Data exfiltration → VPC Flow Logs + restrict outbound traffic
  • Misconfiguration → AWS Config + Security Hub
  • Reconnaissance → GuardDuty
  • Encryption → Always use TLS for data in transit

6. Summary

To pass the exam, remember:

  • Security threats target availability, confidentiality, and integrity
  • Most common threats include:
    • DDoS
    • Unauthorized access
    • Data interception
    • Misconfiguration
    • Malware
  • AWS provides built-in tools to detect and mitigate threats
  • Strong security comes from layered protection (defense-in-depth)