Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.4. Phase 4 Reflection Checkpoint

Key Takeaways:
  1. Infrastructure security operates at three tiers: edge (WAF, Shield, CloudFront), compute (AMI hardening, scanning, patching), and network (SGs, NACLs, Network Firewall)
  2. GenAI security (Bedrock Guardrails, OWASP Top 10 for LLMs) is new in C03 — expect exam questions on prompt injection and model access control
  3. Security Groups are stateful (allow rules only; every rule is evaluated and return traffic for a permitted flow is allowed automatically), NACLs are stateless (allow and deny rules, evaluated in rule-number order with the first match winning, so return traffic on ephemeral ports needs its own outbound allow), and Network Firewall adds stateful deep packet inspection with Suricata-compatible rules at the VPC boundary
  4. Direct Connect is NOT encrypted by default; use MACsec (on supported dedicated connections) or a Site-to-Site VPN running over the Direct Connect link when encrypted hybrid connectivity is required
  5. Verified Access provides zero-trust application access without VPN; it's the C03 answer for "access without broad network exposure"
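To make the stateful/stateless distinction in takeaway 3 concrete, here is an added example (not part of the original course material) that simulates how a Security Group and a Network ACL each decide on the same HTTPS flow. The rule dictionaries, the addresses and the port numbers are constructed for illustration and only loosely follow the shape of the EC2 API; the point is the evaluation logic: the Security Group admits the reply because it tracked the flow it allowed, while the NACL needs an explicit outbound allow for the client's ephemeral port and can only express a block for a source range as a lower-numbered deny rule.

```python
"""Added example: Security Group (stateful, allow-only) vs Network ACL
(stateless, numbered allow/deny) evaluation of one TCP flow.
All rules, addresses and ports below are constructed, not captured from AWS."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str  # "ingress" (into the instance/subnet) or "egress" (out of it)


def _matches(rule, remote_ip, port):
    """A rule matches when the remote address is inside its CIDR and the
    service port falls inside its port range."""
    return (ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule["cidr"])
            and rule["from_port"] <= port <= rule["to_port"])


def _remote_and_ports(pkt):
    """Returns (remote_ip, remote_port, local_port) for either direction."""
    if pkt.direction == "ingress":
        return pkt.src_ip, pkt.src_port, pkt.dst_port
    return pkt.dst_ip, pkt.dst_port, pkt.src_port


class SecurityGroup:
    """Stateful: all rules are checked, any matching allow wins, there are no
    deny rules, and reply packets of a flow already admitted bypass the rules."""

    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress
        self._flows = set()  # connection table: (remote_ip, remote_port, local_port)

    def evaluate(self, pkt):
        remote_ip, remote_port, local_port = _remote_and_ports(pkt)
        key = (remote_ip, remote_port, local_port)
        if key in self._flows:  # reply traffic for a tracked flow
            return True
        rules = self.ingress if pkt.direction == "ingress" else self.egress
        port = local_port if pkt.direction == "ingress" else remote_port
        if any(_matches(r, remote_ip, port) for r in rules):
            self._flows.add(key)
            return True
        return False


class NetworkAcl:
    """Stateless: entries are evaluated in ascending rule-number order, the
    first match decides (allow or deny), and no match means the implicit '*'
    deny. Each direction is checked on its own; nothing is remembered."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e["rule_number"])

    def evaluate(self, pkt):
        remote_ip, remote_port, local_port = _remote_and_ports(pkt)
        port = local_port if pkt.direction == "ingress" else remote_port
        for e in self.entries:
            if e["egress"] != (pkt.direction == "egress"):
                continue
            if _matches(e, remote_ip, port):
                return e["action"] == "allow"
        return False


def web_flow():
    """Constructed flow: client 203.0.113.5:51234 -> server 10.0.1.10:443, then the reply."""
    request = Packet("203.0.113.5", "10.0.1.10", 51234, 443, "ingress")
    reply = Packet("10.0.1.10", "203.0.113.5", 443, 51234, "egress")
    return request, reply


def evaluate_flow(firewall):
    """Returns (request_allowed, reply_allowed) for the constructed web flow."""
    request, reply = web_flow()
    return firewall.evaluate(request), firewall.evaluate(reply)


def blocked_client_request():
    """Same request from a source range we want to block outright."""
    return Packet("192.0.2.7", "10.0.1.10", 51234, 443, "ingress")


ANY = "0.0.0.0/0"

# One inbound rule and no outbound rules at all: the reply still passes
# because the Security Group tracks the flow it admitted.
WEB_SG = SecurityGroup(ingress=[{"cidr": ANY, "from_port": 443, "to_port": 443}], egress=[])

# Common NACL mistake: outbound allows 443, but the reply is addressed to the
# client's ephemeral port, so the stateless ACL drops it.
BROKEN_NACL = NetworkAcl([
    {"rule_number": 100, "egress": False, "action": "allow", "cidr": ANY, "from_port": 443, "to_port": 443},
    {"rule_number": 100, "egress": True, "action": "allow", "cidr": ANY, "from_port": 443, "to_port": 443},
])

# Corrected: outbound allows the ephemeral range, and the deny for the blocked
# source range is numbered below the broad allow so it is evaluated first.
FIXED_NACL = NetworkAcl([
    {"rule_number": 90, "egress": False, "action": "deny", "cidr": "192.0.2.0/24", "from_port": 0, "to_port": 65535},
    {"rule_number": 100, "egress": False, "action": "allow", "cidr": ANY, "from_port": 443, "to_port": 443},
    {"rule_number": 100, "egress": True, "action": "allow", "cidr": ANY, "from_port": 1024, "to_port": 65535},
])

if __name__ == "__main__":
    print("Security Group       :", evaluate_flow(WEB_SG))       # (True, True)
    print("Broken NACL          :", evaluate_flow(BROKEN_NACL))  # (True, False)
    print("Fixed NACL           :", evaluate_flow(FIXED_NACL))   # (True, True)
    print("Fixed NACL, denied src:", FIXED_NACL.evaluate(blocked_client_request()))  # False
```

If the deny in FIXED_NACL were renumbered above 100 it would never be reached, because rule 100 already allows 443 from 0.0.0.0/0; that ordering trap, and the missing ephemeral-range allow, are the two NACL mistakes the exam most often tests.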

Connecting Forward: In Phase 5, you'll learn Identity and Access Management — the highest-weighted domain at 20% — covering authentication strategies, authorization models, and the critical new services like Verified Permissions and IAM Roles Anywhere.

Self-Check Questions:
  • Can you explain when to use WAF rate-based rules vs. Bot Control vs. Shield Advanced?
  • Can you describe the OWASP Top 10 for LLM applications and which of those risks Bedrock Guardrails can mitigate (and which it cannot)?
  • Can you distinguish between Security Groups, NACLs, and Network Firewall by scope, state, and use case?
Written by Alvin Varughese, Founder (15 professional certifications)