Tags: AWS, Security, Cloud, Best Practices

Learning AWS Security: My 3-Year Experience and What I Discovered

My practical experience learning AWS security over 3 years, including studying for AWS Security Specialty certification


I want to share something with you - when I first started working with AWS three years ago, security configuration left me very confused. There were so many services and so many options to choose from! But after making many mistakes and finally passing the AWS Security Specialty certification, I learned some important things. Let me share what I discovered.

How I Learned to Stop Worrying About Cloud Security

Like many developers when they start, I held a few wrong ideas:

  • "Security is something only the operations team should worry about"
  • "AWS will handle everything automatically for me"
  • "I will just turn on everything and hope it works correctly"

But reality hit me hard during my first security audit at work. We had users without MFA, roles with far more permissions than they used, S3 buckets without encryption... it was really bad. That experience made me decide to study AWS security seriously. Here's what I think is most important:

The Main Security Components That I Found Important

Instead of trying to learn every single service at once, I found it better to group them by what they actually do for you:

1. Who Can Access What? (Access Control)

  • IAM: This is like the security guard for your AWS account. I learned to give every person their own identity (never share accounts!) and to grant only the minimum permissions they actually need. Where you can, prefer federated sign-in through IAM Identity Center over long-lived IAM users, because there are then no permanent access keys to leak
  • MFA: You should enable this everywhere, but especially for the root account, ideally with a hardware key kept offline. I learned this the hard way
  • Roles: This became my preferred choice for EC2 and Lambda because they receive short-lived credentials from STS that rotate automatically, so there is nothing to embed in config files or rotate by hand

2. Protecting Your Data (Data Protection)

  • KMS: Encryption was confusing at first, but KMS makes it easier. I recommend starting with AWS-managed keys and moving to customer-managed keys once you need to control the key policy yourself, for example to grant another account access or to restrict which roles may use the key
  • S3 Bucket Policies: I spent almost a whole week trying to understand these when I started. They are very important for controlling who can reach your data, and they work best together with S3 Block Public Access, which stops a mistaken policy or ACL from exposing a bucket in the first place
  • Secrets Manager: This helped me stop putting passwords directly in my code (I'm embarrassed to say I used to do this in my first job), and it can rotate them for you on a schedule
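The two audit findings above (roles with too many permissions, and bucket policies that open data to the world) can be caught before deployment by linting the policy documents themselves. The following is an added example, not code from the original post: a small linter for IAM identity policies and S3 bucket policies that flags wildcard actions, wildcard resources on non-read actions, and public principals without a Condition, plus a check that a bucket policy refuses plaintext HTTP. The policy documents in it are constructed for illustration and the bucket name `example-app-data` is made up.

```python
"""Lint IAM identity policies and S3 bucket policies for the patterns that
fail audits. Added example, not code from the original post; the policies
below are constructed for illustration."""
import re

# Read-only actions (Describe/List/Get) frequently need Resource "*"; anything
# else on "*" means the statement touches every resource in the account.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)", re.IGNORECASE)


def as_list(value):
    """The policy grammar allows a string or a list for Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """'*' or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def lint_policy(policy):
    """Return (Sid, finding) pairs for risky Allow statements in a policy document."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((sid, "wildcard action"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action within a service"))
        if "*" in resources and not all(READ_ONLY.match(a) for a in actions):
            findings.append((sid, "wildcard resource on non-read action"))
        if principal_is_public(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "public principal without a Condition"))
    return findings


def enforces_tls(policy):
    """True if the bucket policy denies every request sent without TLS."""
    for stmt in as_list(policy.get("Statement")):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport")).lower() == "false":
            return True
    return False


# Constructed sample: the "just make it work" policy that fails an audit.
OVERLY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DoAnything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample: the same intent narrowed to what the app actually needs.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppBucketRW", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "ListAppBucket", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-app-data"}]}

# Constructed bucket policy: a public-read grant plus a deny for plaintext HTTP.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, pol in [("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE),
                      ("bucket", BUCKET_POLICY)]:
        print(f"{name}: {lint_policy(pol)}")
    print("bucket enforces TLS:", enforces_tls(BUCKET_POLICY))
```

Run it as a pre-commit or CI step over the policy JSON in your infrastructure-as-code repository; the `PublicRead` finding is exactly the case where S3 Block Public Access would have saved you, and the TLS check catches the deny statement most people forget.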

3. Watching for Problems (Monitoring & Response)

  • CloudTrail: I think of this like security camera recordings - it records the API calls made in your account. Management events are on by default; S3 and Lambda data events have to be switched on. Send the trail to a bucket in a separate, locked-down account so an attacker who gets in cannot delete the evidence
  • GuardDuty: This service once found suspicious API calls from strange locations. Later I realized it was just me working from a different city with VPN
  • Security Hub: This gives you one place to see findings from GuardDuty, Config, Inspector and the rest, scores them against standards such as the AWS Foundational Security Best Practices, and helps you decide what to fix first
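Camera recordings are only useful if someone watches them. As an added example (not code from the original post), here are a few detections a practitioner would run over CloudTrail records: root account activity, a successful console login without MFA, tampering with the trail itself, access key creation, and changes to S3 access settings. The records are constructed in CloudTrail's JSON shape and trimmed to the fields the rules read; the account ID, user names, IPs and trail name are made up.

```python
"""A handful of CloudTrail detections run over sample records. Added example,
not from the original post; the records are constructed and abbreviated."""
import json

# Constructed sample records (only the fields the rules below look at).
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T08:15:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T08:16:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-03-01T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
S3_ACCESS_CHANGES = {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy",
                     "PutBucketPublicAccessBlock"}


def load_records(text):
    """CloudTrail log files are JSON documents with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def actor(event):
    """Best-effort human-readable identity for an event."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(event):
    """Return (severity, rule, detail) alerts for one CloudTrail record."""
    alerts = []
    ident = event.get("userIdentity", {})
    name, source = event.get("eventName"), event.get("eventSource")
    params = event.get("requestParameters", {})
    if ident.get("type") == "Root":
        alerts.append(("HIGH", "root-account-activity",
                       f"{name} from {event.get('sourceIPAddress')}"))
    login_ok = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    if name == "ConsoleLogin" and login_ok and \
            event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append(("HIGH", "console-login-without-mfa", actor(event)))
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        alerts.append(("CRITICAL", "cloudtrail-tampering", f"{name} on {params.get('name')}"))
    if source == "iam.amazonaws.com" and name == "CreateAccessKey":
        alerts.append(("MEDIUM", "access-key-created",
                       f"{actor(event)} created a key for {params.get('userName')}"))
    if source == "s3.amazonaws.com" and name in S3_ACCESS_CHANGES:
        alerts.append(("MEDIUM", "s3-access-change", f"{name} by {actor(event)}"))
    return alerts


def scan(events):
    """Run every rule over every record; each alert is tagged with the event time."""
    return [(ev["eventTime"], sev, rule, detail)
            for ev in events for sev, rule, detail in detect(ev)]


if __name__ == "__main__":
    for when, sev, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{when} {sev:8} {rule:28} {detail}")
```

In production the same rules would live as CloudWatch Logs metric filters or EventBridge rules on the trail, but running them over raw records like this is the quickest way to test that a rule fires on exactly the events you mean. The `StopLogging` alert following a root login without MFA, a few seconds apart from the same IP, is the kind of sequence worth paging on.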

Security Practices That Actually Work in Real Life

Instead of trying to follow perfect theoretical advice, here's what I found actually works when you have limited time:

Managing User Access

  • I created IAM groups with clear names (Admin, ReadOnly, DevOps) so that permissions are attached to the group, not to individual users, and are easier to review
  • I now use roles instead of long-term access keys whenever possible because short-lived credentials are much safer if they leak
  • I learned to enable MFA Delete for important S3 buckets after accidentally deleting some files once. It requires versioning on the bucket, and only the root user can turn it on, through the CLI or API rather than the console

Network Security

  • Security Groups: A new group denies all inbound traffic by default, so I keep it that way and open only the specific ports the service needs, from the narrowest source I can (another security group rather than a CIDR range where possible, and never 0.0.0.0/0 for SSH or database ports)
  • WAF: This helps block common attacks like SQL injection and XSS. I had to read the documentation several times to understand how to configure it properly; the AWS Managed Rules groups are a sensible starting set, and running a new rule in count mode before switching it to block avoids breaking real traffic
  • Private Subnets: I put anything that doesn't need inbound internet access in private subnets and reach AWS services through VPC endpoints or a NAT gateway

Preventing Security Problems

  • I use AWS Config rules to automatically check for security issues because I often forget to check manually. Managed rules such as restricted-ssh, root-account-mfa-enabled and s3-bucket-public-read-prohibited cover the basics, and a custom rule can encode any check of your own
  • I set calendar reminders to rotate credentials regularly (this is easy to forget!). Better still, replace long-term keys with roles so there is nothing to rotate
  • I try to test our disaster recovery plan every three months, though sometimes work gets busy and I delay it
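The security-group rule above and the Config automation fit together: the check "is any port other than the ones this service must expose open to the world?" is exactly what a custom Config rule evaluates. The following is an added example, not code from the original post, of that evaluation logic written so it returns the COMPLIANT / NON_COMPLIANT verdict and annotation a Config rule would report. The groups are constructed in the shape returned by the EC2 DescribeSecurityGroups API, and the group IDs and names are made up.

```python
"""Evaluate EC2 security groups the way a custom AWS Config rule would: any
ingress rule open to 0.0.0.0/0 or ::/0 on a port outside the allowed set is
NON_COMPLIANT. Added example, not from the original post; the groups are
constructed in DescribeSecurityGroups shape."""

ALLOWED_PUBLIC_PORTS = {80, 443}   # what a public web tier legitimately exposes
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def open_to_world(permission):
    """True if an IpPermission entry admits traffic from every address."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in permission.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in permission.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_ports(permission):
    """Ports covered by an IpPermission; protocol '-1' means every port."""
    if permission.get("IpProtocol") == "-1":
        return set(range(65536))
    lo, hi = permission.get("FromPort"), permission.get("ToPort")
    if lo is None or hi is None:   # e.g. ICMP entries carry type/code, not ports
        return set()
    return set(range(lo, hi + 1))


def evaluate(group, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (compliance_type, annotation) for one security group."""
    offending = set()
    for perm in group.get("IpPermissions", []):
        if open_to_world(perm):
            offending |= exposed_ports(perm) - allowed
    if not offending:
        return ("COMPLIANT", "no world-open ports outside "
                + ",".join(str(p) for p in sorted(allowed)))
    shown = sorted(offending)[:5]
    more = "" if len(offending) <= 5 else f" (+{len(offending) - 5} more)"
    return ("NON_COMPLIANT", f"world-open ports: {shown}{more}")


def evaluate_all(groups):
    """Verdict per GroupId, the payload a Config rule would hand to PutEvaluations."""
    return {g["GroupId"]: evaluate(g) for g in groups}


# Constructed samples: a correct web tier, a database open to the internet,
# and a legacy group that allows everything from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0e9f8a7b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c0ffee0", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, (verdict, note) in evaluate_all(SAMPLE_GROUPS).items():
        print(f"{gid} {verdict:14} {note}")
```

Feed it the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` to audit an account today; wrapped in a Lambda handler that reads the configuration item and calls PutEvaluations, the same `evaluate` function becomes the custom Config rule mentioned above, and it catches the IPv6 `::/0` case that people frequently forget when they only think about 0.0.0.0/0.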

What I Learned While Studying for the Certification

When I was preparing for the AWS Security Specialty exam, I had to learn many things that I didn't understand before:

  1. I actually read the entire IAM policy reference documentation (it was more helpful than I expected)
  2. I finally understood the shared responsibility model clearly - what AWS does vs what I need to do
  3. I learned how to set up proper logging retention policies (before this, I was just keeping logs forever). CloudTrail's own event history only covers 90 days, so anything longer needs a trail delivered to S3 with lifecycle rules, and CloudWatch log groups need an explicit retention setting
  4. I discovered service control policies (SCPs) in AWS Organizations, which I didn't even know existed. They set the outer boundary for an account: no identity policy inside it, not even an administrator's, can exceed what the SCPs allow

The biggest surprise for me was discovering how much I didn't understand about KMS key policies and cross-account access, where the key policy and the caller's identity policy both have to grant the action. These topics seemed very complicated at first. Now when I need to implement something complex, I always draw a diagram first to understand which policies are evaluated and in what order.
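The interplay between SCPs and identity policies is easier to see in code than in a diagram. What follows is an added example, not code from the original post: a deliberately simplified model of AWS policy evaluation in which an explicit Deny anywhere wins, every SCP level must allow, and the identity policy must allow. It leaves out resource policies (including KMS key policies), permissions boundaries, session policies and condition keys, and it assumes each SCP in the list stands for one level of the OU tree. The policies and the trail ARN are constructed.

```python
"""Simplified model of AWS policy evaluation for a principal in a member
account: explicit Deny wins; otherwise every SCP level must allow and the
identity policy must allow. Added example, not from the original post.
Not modelled: resource policies (KMS key policies included), permissions
boundaries, session policies, condition keys."""
from fnmatch import fnmatch


def as_list(value):
    return value if isinstance(value, list) else [value]


def matches(stmt, action, resource):
    """Does a statement's Action/Resource pattern cover this request?"""
    act_ok = any(fnmatch(action.lower(), a.lower()) for a in as_list(stmt.get("Action", [])))
    res_ok = any(fnmatch(resource, r) for r in as_list(stmt.get("Resource", "*")))
    return act_ok and res_ok


def decide(policy, action, resource):
    """Evaluate one policy document: 'Deny', 'Allow' or 'Implicit deny'."""
    verdict = "Implicit deny"
    for stmt in as_list(policy["Statement"]):
        if not matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        verdict = "Allow"
    return verdict


def authorize(scps, identity_policy, action, resource):
    """Combine SCP levels and the identity policy. Assumption of this model:
    each entry in `scps` is one level (root, OU, account) and all must allow."""
    results = [decide(p, action, resource) for p in scps]
    results.append(decide(identity_policy, action, resource))
    if "Deny" in results:
        return "Deny (explicit)"
    if any(r != "Allow" for r in results[:-1]):
        return "Deny (SCP)"
    if results[-1] != "Allow":
        return "Deny (identity)"
    return "Allow"


# Constructed SCPs: the organisation root keeps the default full-access policy;
# the workload OU allows everything except a few guardrails.
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GUARDRAILS_SCP = {"Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ProtectTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
    {"Sid": "NoLeavingOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
ORG_SCPS = [ROOT_SCP, GUARDRAILS_SCP]

# Constructed identity policies inside the member account.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Statement": [{"Effect": "Allow",
                                   "Action": ["s3:*", "lambda:*", "logs:*"],
                                   "Resource": "*"}]}

TRAIL = "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"

if __name__ == "__main__":
    for who, pol, action in [("admin", ADMIN_POLICY, "cloudtrail:StopLogging"),
                             ("admin", ADMIN_POLICY, "cloudtrail:StartLogging"),
                             ("developer", DEVELOPER_POLICY, "iam:CreateUser"),
                             ("developer", DEVELOPER_POLICY, "s3:GetObject")]:
        print(f"{who:10} {action:28} {authorize(ORG_SCPS, pol, action, TRAIL)}")
```

The case worth noticing is the first one: the account administrator, with `*` on `*`, still cannot stop the trail, because the OU guardrail's explicit Deny is evaluated before any Allow. Remove `AllowAll` from the guardrail SCP and every request in the OU fails with "Deny (SCP)", which is the classic mistake of detaching FullAWSAccess from an OU without replacing it.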

How to Keep Security Simple and Manageable

Here are the things I wish someone had told me when I started:

  • Begin with the security pillar of the AWS Well-Architected Framework instead of trying to learn everything randomly
  • Use infrastructure-as-code like CloudFormation or Terraform to keep things consistent and reviewable (manual console changes always cause drift and problems later)
  • Set up monthly "security health checks" in your calendar
  • Don't try to implement everything at the same time - it will overwhelm you

I learned that security is not about being perfect. It's about making steady improvements over time. Every quarter, I choose one area to focus on. Last quarter I worked on S3 security, this quarter I'm working on monitoring. Small improvements really add up!

One resource I found very valuable: AWS's own Security Best Practices whitepaper has excellent guidance.

I'm still learning new things about AWS security all the time. If you have security practices that work well for you, I would love to hear about them!