AWS & CloudBảo mật theo layers (defense in depth):
Edge layer — CloudFront với AWS WAF để filter malicious requests (SQL injection, XSS, OWASP Top 10 rules), rate limiting, geo-blocking; Shield Standard (miễn phí, auto) chống DDoS L3/L4, Shield Advanced ($3000/month) cho L7 DDoS mitigation tự động với support team 24/7.
Network layer — VPC với public/private subnets, Security Groups strict, NACLs, VPC Flow Logs để audit traffic; không expose database ra public; dùng AWS Network Firewall cho stateful inspection.
Compute layer — EC2/Lambda trong private subnet, IMDSv2 (Instance Metadata Service v2) bắt buộc để chống SSRF, least privilege IAM roles, SSM Session Manager thay vì SSH (không cần port 22 mở).
Data layer — encrypt at rest bằng KMS (S3, RDS, DynamoDB), encrypt in transit (HTTPS, TLS 1.2+), Secrets Manager cho credentials, S3 Block Public Access account-level.
Identity layer — IAM least privilege, MFA, Cognito cho app authentication, no long-term credentials.
Monitoring — GuardDuty (threat detection ML-based, detect compromised EC2/credentials, crypto mining, unusual API calls), Security Hub (aggregate findings từ GuardDuty, Inspector, Macie, Config thành single dashboard với compliance score), AWS Config (resource configuration compliance, detect drift), CloudTrail (audit log mọi API call). Inspector — vulnerability scanning cho EC2 và Lambda packages tự động.