Imagine your house has a lock on the front door. Why might you also want a security alarm and a fence?
In security engineering, and throughout AWS's own guidance, this idea is called defense in depth. Why is it important to have several security layers instead of just one?
Think about what happens if a single lock breaks.
Defense in depth means using multiple independent security layers so that if one control fails, is misconfigured, or is bypassed, the others still protect your resources. No single control then becomes a single point of failure, which reduces overall risk.
Look at this AWS architecture and the controls applied to it:
- Public subnet with a web server behind a security group
- Private subnet with a database protected by a network ACL
- IAM roles controlling access to resources
- CloudTrail logging all API calls
- A single shared password used by all users
Which of these is NOT a layer of defense in depth?
Think about what helps protect versus what weakens security.
A single shared password for all users is a weakness, not a protective layer: it removes accountability (every action looks the same in the logs) and one leak compromises every account. The security group, the network ACL, IAM roles, and CloudTrail are each a valid layer of defense.
You set up a firewall (security group) to block all traffic except from your office IP. What risk remains if you do not add other security layers?
Consider what happens if the firewall rule is changed by mistake.
Relying only on perimeter security is risky: if that rule is loosened by mistake (for example widened to 0.0.0.0/0) or a host at the allowed office IP is compromised, nothing inside the network stops the attacker. Host hardening, IAM permissions, database authentication, and monitoring are the layers that still hold when the firewall rule fails.
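A rule that is "changed by mistake" is exactly the failure the question describes, so one extra layer is a check that notices it. The following is an added example (not code from the original page): a small audit that walks security groups in the shape returned by boto3's describe_security_groups() and flags ingress rules open to the whole internet on sensitive ports. The group IDs, names and CIDRs are constructed for the example; the field names follow the real EC2 API.

```python
import ipaddress

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
# Field names match the EC2 API; the groups and addresses are made up for this example.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0aaa111", "GroupName": "web-office-only",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "office"}]},
        ],
    },
    {
        "GroupId": "sg-0bbb222", "GroupName": "web-after-mistake",
        "IpPermissions": [
            # The "temporary" change that widened SSH from the office IP to the world.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary fix"}]},
            # HTTPS open to the world is expected for a public web tier; not a finding.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-0ccc333", "GroupName": "db-private",
        "IpPermissions": [
            # IpProtocol "-1" means all protocols and all ports.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

# Ports that should never be reachable from 0.0.0.0/0 (an assumption for this example).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(perm):
    """Return a description of sensitive ports a permission exposes, or None if none."""
    if perm.get("IpProtocol") == "-1":
        return "all ports"
    lo, hi = perm["FromPort"], perm["ToPort"]
    hits = [f"{p}/{name}" for p, name in sorted(SENSITIVE_PORTS.items()) if lo <= p <= hi]
    return ", ".join(hits) if hits else None


def find_world_open_rules(security_groups):
    """Walk every ingress rule and report world-open access to sensitive ports."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            exposed = exposed_ports(perm)
            if exposed is None:
                continue
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            for r in ranges:
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                if cidr and is_world_open(cidr):
                    findings.append({"GroupId": sg["GroupId"], "GroupName": sg["GroupName"],
                                     "Cidr": cidr, "Exposed": exposed})
    return findings


if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Exposed']} open to {f['Cidr']}")
```

Against real data you would replace SAMPLE_SECURITY_GROUPS with the output of boto3's describe_security_groups() and run the check on a schedule or from an EventBridge rule on AuthorizeSecurityGroupIngress events; the point is that the audit is a separate control, so it still works when the firewall rule itself is wrong.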
You want to detect unusual API calls or access patterns in your AWS account. Which service helps add this layer of defense?
Think about which service records actions in your account.
AWS CloudTrail records the API calls made in your account, giving you the log that detection is built on. CloudTrail itself only records; the detection layer comes from analysing those records, for example with Amazon GuardDuty (which consumes CloudTrail events), CloudWatch alarms on metric filters over CloudTrail logs, or your own rules run over the delivered log files.
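To show what "detecting suspicious activity" looks like once the records exist, here is an added example (not code from the original page) that runs a handful of detection rules over CloudTrail-style records: root account use, attempts to stop or alter logging, failed console logins, a principal acting from a source IP not in its baseline, and a burst of AccessDenied errors. The events, user names and IP baseline are constructed for the example; the field names follow the real CloudTrail event schema.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records. Field names follow the CloudTrail schema;
# the identities, addresses and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T09:05:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T09:06:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T09:07:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root"}},
] + [
    {"eventTime": f"2024-05-01T11:00:{i:02d}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"}
    for i in range(6)
]

# Baseline of source IPs each principal normally uses. An assumption for this example;
# in practice it is derived from historical CloudTrail data.
KNOWN_SOURCE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.10"}}

# API calls an attacker uses to blind the audit trail.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 5  # fire once a principal hits this many AccessDenied errors


def principal(event):
    """Name the acting principal: IAM user name, or the identity type (e.g. Root)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(events):
    """Apply each rule to every record; return (rule, principal, eventName, sourceIP) tuples."""
    findings = []
    denied = Counter()
    for ev in events:
        who, ip, name = principal(ev), ev.get("sourceIPAddress"), ev.get("eventName")
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-activity", who, name, ip))
        if name in LOGGING_TAMPER_EVENTS:
            findings.append(("cloudtrail-tampering", who, name, ip))
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            findings.append(("console-login-failure", who, name, ip))
        if who in KNOWN_SOURCE_IPS and ip not in KNOWN_SOURCE_IPS[who]:
            findings.append(("new-source-ip", who, name, ip))
        if ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
            if denied[who] == ACCESS_DENIED_THRESHOLD:  # report once, not on every extra error
                findings.append(("access-denied-burst", who, name, ip))
    return findings


def load_cloudtrail_file(text):
    """CloudTrail delivers JSON files to S3 whose top-level object is {"Records": [...]}."""
    return json.loads(text)["Records"]


if __name__ == "__main__":
    for rule, who, name, ip in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {who:8} {name:20} from {ip}")
```

The rules are deliberately simple; the pattern to keep is that each one reads only fields CloudTrail already provides, and that the records are ingested from the files CloudTrail writes (load_cloudtrail_file) rather than from any service that an attacker with StopLogging could switch off.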
You configure an AWS WAF web ACL with rules to block SQL injection, cross-site scripting, and requests from an IP set of known-bad addresses. What is the combined effect on incoming traffic?
Consider how firewall rules usually combine to protect.
AWS WAF evaluates the rules in priority order, and the first rule whose action is terminating (Block or Allow) decides the request. With three Block rules, a request matching any one of them is blocked and everything else receives the web ACL's default action, so the rules layer three different threat checks over the same traffic. One caveat: a higher-priority Allow rule (for example for a trusted address range) ends evaluation before the Block rules run, so such exceptions should be placed and reviewed deliberately.
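The evaluation order is what makes the rules combine the way they do, so here is an added example (not AWS code, and not from the original page) that models a web ACL as priority-ordered rules with terminating Block/Allow actions and a non-terminating Count action, then runs constructed requests through it. The SQLi and XSS patterns are deliberately small stand-ins for the far broader AWS managed match statements, and the IP ranges and paths are made up for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass
class Request:
    source_ip: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Rule:
    name: str
    priority: int                    # lower number is evaluated first, as in a web ACL
    action: str                      # "BLOCK" / "ALLOW" terminate; "COUNT" does not
    matches: Callable[[Request], bool]


# Illustrative signatures only; the real managed rule groups cover far more.
SQLI_PATTERN = re.compile(r"('|%27)\s*(or|and|union)\s+|--|;\s*drop\s", re.I)
XSS_PATTERN = re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)
BLOCKED_IP_SET = [ip_network("198.51.100.0/24")]        # constructed "known-bad" range
PARTNER_IPS = ip_network("203.0.113.0/24")              # constructed "trusted" range


def inspected_text(req):
    """The parts of the request the string-match rules look at."""
    return " ".join([req.path, req.query, req.body])


def ip_in_set(req, ip_set=BLOCKED_IP_SET):
    return any(ip_address(req.source_ip) in net for net in ip_set)


def evaluate(web_acl, req, default_action="ALLOW"):
    """Return (action, deciding_rule, counted_rules) for one request.

    Rules run in ascending priority. A matching COUNT rule is recorded and evaluation
    continues; the first matching BLOCK or ALLOW rule terminates evaluation. If nothing
    terminates, the web ACL's default action applies.
    """
    counted = []
    for rule in sorted(web_acl, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)
            continue
        return rule.action, rule.name, counted
    return default_action, "default", counted


# The web ACL from the question: three Block rules, any one of which is enough.
WEB_ACL = [
    Rule("block-bad-ips", 0, "BLOCK", ip_in_set),
    Rule("block-sqli", 10, "BLOCK", lambda r: bool(SQLI_PATTERN.search(inspected_text(r)))),
    Rule("block-xss", 20, "BLOCK", lambda r: bool(XSS_PATTERN.search(inspected_text(r)))),
]

# The caveat: an Allow rule placed ahead of the Block rules short-circuits them.
PARTNER_ACL = [
    Rule("allow-partner", 5, "ALLOW", lambda r: ip_address(r.source_ip) in PARTNER_IPS),
] + WEB_ACL

SQLI_QUERY = "user=x' OR 1=1--"
XSS_QUERY = "q=<script>alert(1)</script>"

if __name__ == "__main__":
    for acl_name, acl in (("WEB_ACL", WEB_ACL), ("PARTNER_ACL", PARTNER_ACL)):
        for req in (Request("203.0.113.5", "/products", "page=2"),
                    Request("203.0.113.5", "/login", SQLI_QUERY),
                    Request("203.0.113.5", "/search", XSS_QUERY),
                    Request("198.51.100.9", "/login", SQLI_QUERY)):
            action, rule, _ = evaluate(acl, req)
            print(f"{acl_name:12} {req.source_ip:14} {req.path:10} -> {action} ({rule})")
```

Running it shows the three Block rules behaving as one layered filter, the bad-IP rule winning when several rules would match because it has the lowest priority number, and the partner Allow rule letting a SQL injection payload through from the trusted range because evaluation stops at the first terminating match.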