AWS Security Services Mastery

AWS Certified Security - Specialty (SCS-C02) Drill

AWS Identity and Access Management (IAM)   drill aws_scs_c02_security aws_security

What is the difference between an IAM role and an IAM user?

Answer

  • IAM User: A permanent identity for a specific person or service
  • IAM Role: A temporary set of permissions that can be assumed by users, applications, or AWS services

Roles are ideal for providing temporary access and don't have long-term credentials like passwords or access keys.

Amazon GuardDuty   drill aws_scs_c02_security aws_security

How does Amazon GuardDuty help in protecting AWS environments?

Answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.

AWS Key Management Service (KMS)   drill aws_scs_c02_security aws_security

Explain the concept of customer master keys (CMKs) in AWS KMS.

Answer

Customer Master Keys (CMKs) are the primary resource in AWS KMS. They are used to:

  1. Encrypt and decrypt data keys
  2. Generate data keys for use in client-side encryption
  3. Perform cryptographic operations directly

CMKs can be AWS-managed or customer-managed. Customer-managed CMKs offer more control over the key lifecycle and permissions.

Amazon Inspector   drill aws_scs_c02_security aws_security

What types of assessments does Amazon Inspector perform?

Answer

Amazon Inspector performs two types of assessments:

  1. Network assessments: Evaluate network accessibility of EC2 instances and identify potential security issues in open ports.
  2. Host assessments: Evaluate the security state of EC2 instances by checking for vulnerabilities and deviations from best practices.

AWS WAF (Web Application Firewall)   drill aws_scs_c02_security aws_security

How can you use AWS WAF to protect web applications?

Answer

AWS WAF helps protect web applications from common web exploits by:

  1. Defining customizable web security rules
  2. Controlling which traffic to allow or block
  3. Filtering specific request patterns, such as SQL injection or cross-site scripting
  4. Integrating with Amazon CloudFront, Application Load Balancer, or API Gateway
  5. Creating rules based on IP addresses, HTTP headers, body, or URI strings

Amazon Macie   drill aws_scs_c02_security aws_security

What is the primary function of Amazon Macie?

Answer

Amazon Macie is a fully managed data security and data privacy service that:

  1. Uses machine learning and pattern matching to discover and protect sensitive data in AWS
  2. Automatically detects sensitive data such as personally identifiable information (PII) or intellectual property
  3. Provides dashboards and alerts for visibility into how this data is being accessed or moved
  4. Assists in meeting compliance requirements for protecting sensitive data

AWS Shield   drill aws_scs_c02_security aws_security

Compare AWS Shield Standard and AWS Shield Advanced.

Answer

AWS Shield Standard:

  • Automatically enabled for all AWS customers at no additional cost
  • Protects against the most common, frequently occurring network- and transport-layer DDoS attacks

AWS Shield Advanced:

  • Paid service providing enhanced DDoS protection
  • Offers more sophisticated protection against larger and more complex attacks
  • Provides 24/7 access to the AWS DDoS Response Team (DRT)
  • Offers cost protection for scaling during DDoS attacks

AWS CloudHSM   drill aws_scs_c02_security aws_security

What are the key features of AWS CloudHSM?

Answer

AWS CloudHSM (Hardware Security Module) provides:

  1. Dedicated hardware security modules in the AWS Cloud
  2. FIPS 140-2 Level 3 validated HSMs
  3. Full control over encryption keys and cryptographic operations
  4. Compliance with strict key management requirements
  5. Integration with applications using standard APIs (PKCS#11, Java JCE, Microsoft CNG)

Amazon Cognito   drill aws_scs_c02_security aws_security

How does Amazon Cognito help in managing user authentication and authorization?

Answer

Amazon Cognito provides:

  1. User pools for sign-up, sign-in, and user profile management
  2. Identity pools for granting temporary AWS credentials to users
  3. Support for social identity providers and enterprise identity federation
  4. Multi-factor authentication (MFA)
  5. Customizable UI for authentication flows
  6. Integration with AWS services and custom backends

AWS Security Hub   drill aws_scs_c02_security aws_security

What is the purpose of AWS Security Hub?

Answer

AWS Security Hub provides:

  1. A comprehensive view of security alerts and security posture across AWS accounts
  2. Aggregation, organization, and prioritization of security alerts from multiple AWS services and partner solutions
  3. Automated security checks based on AWS best practices and industry standards
  4. Consolidated view of compliance status
  5. Integration with other AWS services for automated remediation actions

Author: Jason Walsh

j@wal.sh

Last Updated: 2024-10-30 16:43:54