
Rate Limiting: Token Bucket vs Leaky Bucket on AWS WAF and API Gateway
Token buckets allow bursts; leaky buckets smooth traffic—WAF rate rules and API Gateway usage plans implement neither perfectly but both matter for layered defense.

Token buckets allow bursts; leaky buckets smooth traffic—WAF rate rules and API Gateway usage plans implement neither perfectly but both matter for layered defense.

A full TLS handshake on every API call adds RTTs your p99 cannot afford. This guide walks TLS 1.3 1-RTT resumption, ACM cert rotation, and security policies on ALB and CloudFront.

Control Tower gets you an org; it does not tell you how many OUs you need or which policy type owns VPC public access. Since re:Invent 2024 you have four layers — SCP, RCP, declarative, and tag policies — and RCP coverage grew through Feb 2026 (DynamoDB). A composite 60-account enterprise cut exception SCP attachments from 14 ad-hoc to 3 time-boxed RFCs in two quarters by moving accounts out of "temporary" prod OUs.

Security Hub detects control failures. It is not the compliance pipeline — and treating it as one is why teams still scramble for evidence at audit time. The four jobs are distinct: AWS Config detects drift, conformance packs deploy rules org-wide as immutable bundles, SSM Automation remediates the safe class, and evidence accrues via conformance-pack exports plus Security Hub control status (Audit Manager only if you onboarded before it closed to new customers on 30 April 2026). Here is the tool-per-job matrix, a conformance pack with auto-remediation, and the auto-remediation gotcha to design around.

Two 2025 shifts rewrite the IR playbook: GuardDuty Extended Threat Detection now emits a single critical attack-sequence finding instead of a pile of high findings, and AWS Security Incident Response moved to metered pricing (free first 10,000 findings/month, then $0.000676 each) on November 21, 2025. The lesson is to page humans on the <1% of correlated criticals, isolate instead of terminate, and let auto-triage absorb the rest. Here are the runbooks.

Most KMS guides stop at "enable encryption." The architecture decision that actually bites is the key boundary: split one CMK into 3,200 per-tenant keys and you pay ~$3,200/mo in key storage alone while still sharing a single 10,000 req/s symmetric quota. Here is the decision matrix, the throttle math, and the encryption-context pattern that gives per-tenant isolation without per-tenant keys.

CloudTrail Event History on the default plan isn't your audit trail — it's a 90-day story you tell auditors. A production CloudTrail setup with multi-region trails, KMS encryption, log file integrity validation, and CloudTrail Lake as the queryable layer for incident response and compliance evidence.

EBS encryption is one of the easiest controls to get right — and one of the most expensive to retrofit. Account-level default encryption, re-encrypting legacy volumes without downtime, blocking public snapshots, and operating the KMS key lifecycle without losing data to accidental deletion.

Service-by-service hardening for the AWS resources most often flagged by compliance scanners — DMS replication instances, OpenSearch encryption at rest, SageMaker network isolation, and Lambda runtime end-of-life management.

DORA (Regulation (EU) 2022/2554) on AWS — scope, the ICT risk-management framework, the third-party register, threat-led penetration testing under TIBER-EU, the major-incident reporting timeline, and the AWS-native control mapping for financial entities and their ICT service providers.

How to build a vulnerability management program that scales beyond CVE-counting. Inspector v2 deployment, CVSS + CISA KEV + reachability for risk-based prioritization, container and IaC scanning in CI/CD, and remediation SLAs that survive audits.

GDPR compliance on AWS for SaaS companies handling EU resident data. Region selection, the AWS DPA, data subject rights automation, RoPA documentation, breach notification, and the technical controls regulators expect.
We use cookies and similar technologies to analyze site traffic, personalize content, and provide social media features. By clicking “Accept,” you consent to our use of cookies. You can adjust your preferences at any time.