AWS Cloud Practitioner Exam - The Difficult Parts
Just studying with Claude here and got a little too excited about a cheat sheet.

## AWS Security & Storage: Actually Explained

No corporate speak. No filler. Just what these things do and when to reach for them.

### AWS Config

Imagine a security camera pointed at your AWS resources, taking a snapshot every time something changes. That's Config. Your S3 bucket was private Monday, public Tuesday: Config caught both states, logged the diff, and knows exactly who did it.

You can add rules like "S3 buckets must never be public." Break the rule and the resource gets flagged as non-compliant. This is called drift detection: your resource wandered away from its desired state, and Config is the auditor that noticed.

Config doesn't prevent changes (that's IAM and SCPs). It records and evaluates them.

**Exam trigger words:** "audit resource changes over time" · "compliance rules" · "who changed this resource" · "configuration history" → Config

### Shield Standard

The free bouncer at the door. Stops the most common brute-force network floods (L3/L4). Always on, you do nothing, costs nothing.

### Shield Advanced

The paid security team with specialists. Handles sophisticated DDoS, including application-layer attacks: think HTTP floods that look like real traffic. You also get:

- A dedicated DDoS Response Team you can actually call
- Cost protection if an attack causes runaway scaling costs
- Real-time attack visibility

Protects exactly 5 resource types: EC2, ELB, CloudFront, Route 53, Global Accelerator. API Gateway, Lambda, Elastic Beanstalk? Not covered.

**Mnemonic for Shield Advanced's 5 protected resources:** Every Elastic Cloud Runs Globally → EC2 · ELB · CloudFront · Route 53 · Global Accelerator

### WAF

WAF doesn't care about flood volume. It reads the content of HTTP/HTTPS requests and blocks based on rules you write:

- Specific IPs or IP ranges
- SQL injection patterns
- Requests from specific countries
- AWS Managed Rules (pre-built OWASP Top 10, bot protection, etc.)

Attaches to: CloudFront, ALB, API Gateway, AppSync. Not EC2 directly.
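To make the Config section above concrete, here is an added example (not from the original post) of the check a Config custom rule would run for "S3 buckets must never be public", applied to a bucket's configuration history so the Monday-private, Tuesday-public drift shows up as a diff. The configuration-item shape is trimmed to the fields the rule needs, and the bucket name, timestamps and the `changedBy` field are constructed assumptions (Config itself links to CloudTrail for the "who").

```python
# Added example (not from the original post): a trimmed model of an AWS Config
# custom rule for "S3 buckets must never be public", run over one bucket's
# configuration history, then a diff of consecutive snapshots to show the drift.
# The item shape keeps only the fields the rule needs; bucket name, times and
# the 'changedBy' field (an assumption; Config links to CloudTrail) are constructed.

PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
             "blockPublicPolicy", "restrictPublicBuckets")

# Constructed history: private on Monday, public on Tuesday.
CONFIG_HISTORY = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-photos",
     "configurationItemCaptureTime": "2024-03-04T09:00:00Z",
     "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
         "blockPublicAcls": True, "ignorePublicAcls": True,
         "blockPublicPolicy": True, "restrictPublicBuckets": True}},
     "changedBy": "arn:aws:iam::111122223333:user/alice"},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-photos",
     "configurationItemCaptureTime": "2024-03-05T14:30:00Z",
     "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
         "blockPublicAcls": False, "ignorePublicAcls": False,
         "blockPublicPolicy": True, "restrictPublicBuckets": True}},
     "changedBy": "arn:aws:iam::111122223333:user/bob"},
]


def evaluate_compliance(item):
    """The check a Config custom (Lambda) rule runs per configuration item,
    returning the ComplianceType strings Config expects."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    pab = item.get("supplementaryConfiguration", {}).get(
        "PublicAccessBlockConfiguration", {})
    # All four Public Access Block flags must be on; any relaxed flag means
    # an ACL or bucket policy could make the bucket public.
    return "COMPLIANT" if all(pab.get(f) is True for f in PAB_FLAGS) else "NON_COMPLIANT"


def drift_report(history):
    """Walk snapshots in capture order; for each one whose Public Access Block
    settings differ from the previous snapshot, record when it changed, the
    compliance state it drifted into, which flags changed, and who did it."""
    report, previous = [], None
    for item in sorted(history, key=lambda i: i["configurationItemCaptureTime"]):
        pab = item["supplementaryConfiguration"]["PublicAccessBlockConfiguration"]
        if previous is not None and pab != previous:
            changed = {f: (previous.get(f), pab.get(f))
                       for f in PAB_FLAGS if previous.get(f) != pab.get(f)}
            report.append((item["configurationItemCaptureTime"],
                           evaluate_compliance(item), changed, item["changedBy"]))
        previous = pab
    return report
```

A real custom rule would wrap `evaluate_compliance` in a Lambda handler and report the result back through the Config API; the drift walk here is what Config's configuration timeline shows you for free.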
### WAF vs NACLs vs Security Groups

All three block traffic. Completely different jobs.

| | WAF | NACLs | Security Groups |
|---|---|---|---|
| Layer | L7 (HTTP/HTTPS content) | L3/L4 (IP, port) | L3/L4 (IP, port) |
| Reads | URL, headers, body, cookies | IP address, port | IP address, port |
| Lives on | CloudFront / ALB / API Gateway | VPC subnet boundary | EC2 instance |
| Rules | Allow/block by content | Allow AND deny | Allow only |
| Stateful? | n/a | No, stateless | Yes, stateful |

**The one-liner:** WAF = what's inside the request. NACLs + Security Groups = where it comes from and on what port. Separate tools, separate problems, often used together.

### EBS

Acts like a hard drive plugged into your EC2 instance. One instance, one AZ. Your OS formats and mounts it. Data persists after stop.

**Think:** "My server's hard drive"

### EFS

Acts like a shared network drive. Multiple EC2 instances across multiple AZs can mount it simultaneously. Auto-scales, no capacity to manage.

**Think:** "Shared folder that all my servers can access"

### S3

Not a file system but an object store. You don't mount it, you call an API (PUT, GET). Flat blobs with URL keys. Massive scale, globally accessible, cheap.

**Think:** "A giant bucket of files accessible over the internet"

**Quick pick:** Temp files on one server → EBS · Shared config files across servers → EFS · User photos accessible anywhere → S3

### Instance Store

Every EC2 host machine has real physical disks attached to it. Instance Store lets your instance use those disks directly: no network hop, just raw disk. EBS feels local but still goes over the network. That's why Instance Store wins on speed.

The catch: data only exists while the instance runs. Stop it, terminate it, or have the hardware fail, and it's gone. Not a debate, just gone. It's included in the EC2 instance price, no extra charge.

**Exam trigger words:** "fault-tolerant" · "can handle failures" · "distributed architecture" · "highest I/O performance" · "lowest latency storage" → Instance Store

### Cost & Usage Report

Think of it as a massive CSV delivered to an S3 bucket with every single charge broken down by hour, resource, tag, and account.
The most granular billing data AWS produces, built for analysts and BI tools.

Billing tools ranked by detail level:

1. Pricing Calculator: estimate before you build (no real data)
2. Budgets: set thresholds, get alerts
3. Cost Explorer: charts/graphs of actual spend, up to 13 months back
4. Cost & Usage Report: raw data firehose, most detailed of all ← this one

**Exam trigger words:** "detailed cost breakdown per resource" · "feed billing data into a BI tool" → Cost & Usage Report

### Security services: one job each

| Service | One job |
|---|---|
| Shield | Protects against DDoS volume attacks |
| WAF | Reads HTTP content and blocks bad web requests |
| GuardDuty | ML-powered threat detection: watches logs, finds suspicious behavior |
| Inspector | Scans your EC2/containers for known software vulnerabilities (CVEs) |
| Macie | Finds sensitive data (PII, credentials) hiding in your S3 buckets |

**GuardDuty vs Inspector, the most common mix-up:**

- GuardDuty watches behavior: someone is doing something suspicious. Reactive/detective.
- Inspector looks at what's installed: this software has a known vulnerability. Proactive/preventive.

Macie trigger: any question mentioning "PII" or "sensitive data in S3" means Macie, every time.

That's the whole picture. Bookmark it, share it, argue with it in the comments.
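One more for the WAF vs NACLs vs Security Groups comparison above: the two L3/L4 rows differ on "allow AND deny vs allow only" and "stateless vs stateful", and those differences are easiest to see in code. This is an added example (not from the original post) that models both filters with constructed addresses and ports; the request/reply helper is an assumption for the demo, not anything AWS exposes.

```python
# Added example (not from the original post): a small model of the two L3/L4
# filters in the comparison table, with constructed addresses and ports.
# A security group holds allow-only rules and is stateful, so the reply to an
# allowed request passes with no outbound rule; a network ACL holds numbered
# allow/deny rules evaluated in order and is stateless, so the reply must match
# an outbound rule of its own (the ephemeral-port allow people forget).
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Rules are (cidr, low_port, high_port) and can only allow."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()  # flows already allowed (connection tracking)

    def allows(self, pkt, direction):
        # Stateful: a reply to a tracked flow needs no rule in either direction.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(in_cidr(peer, c) and lo <= pkt.dst_port <= hi for c, lo, hi in rules):
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


class NetworkACL:
    """Rules are (number, cidr, low_port, high_port, 'allow'|'deny');
    the lowest-numbered match wins and the implicit '*' rule denies."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        for _, cidr, lo, hi, action in sorted(rules):
            if in_cidr(peer, cidr) and lo <= pkt.dst_port <= hi:
                return action == "allow"
        return False


def exchange(filt, request):
    """Push an inbound request and the server's reply through one filter;
    return (request_allowed, reply_allowed)."""
    if not filt.allows(request, "in"):
        return (False, False)
    reply = Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)
    return (True, filt.allows(reply, "out"))
```

Run the same HTTPS request through a security group with only an inbound 443 rule and through a NACL with only an inbound 443 rule: the security group passes the reply, the NACL drops it until you add an outbound allow for ports 1024-65535, and only the NACL can express "deny this /24 before everything else".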
