AWS Certified Security Specialty Exam Study Guide [SCS-C01]

AWS Certified Security Specialty Certification Study Guide

AWS Certified Security Exam Preparation

Preparing for the AWS Certified Security Specialty (SCS-C01) exam? Don’t know where to start? This post is the AWS Certified Security Specialty Certificate Study Guide (with links to each objective in the exam domain).

I have curated a detailed list of articles from AWS documentation and other blogs for each objective of the AWS Certified Security Specialty (SCS-C01) exam. Please share the post within your circles so it helps them to prepare for the exam.

Course on AWS Certified Security Specialty

Pluralsight (Free trial)AWS Cert. Security (SCS-C01) Learning Path
WhizlabsAWS Certified Security Online Course [2020]
UdemyAWS Security Specialty Certification Course

Practice Test for AWS Certified Security Specialty

Whizlabs Exam QuestionsAWS Security Specialty [260 questions]
Udemy Practice TestAWS Security Practice Tests (120+ questions)

AWS Certified Security Specialty Resources

LinkedIn Learning [Free Trial]AWS Security Concepts for Architects
CourseraAWS Fundamentals: Addressing Security Risk
Amazon e-book (PDF)AWS Security Examination Material

Check out all the other AWS certificate study guides

Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.

Domain 1: Incident Response – 12%

1.1 Given an AWS Abuse Notice, Evaluate the Suspected Compromised Instance or Exposed Access Keys

Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation

Review and respond to an AWS abuse report

Automate incident response for EC2 instances

Analyze logs relevant to a reported instance to verify a breach, and collect relevant data

Detect and investigate security events

Analyze CloudTrail in Amazon CloudWatch

Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons

Create a memory dump of an EC2 instance

Capture Linux EC2 Memory

Security incident: Be prepared with memory dumps

1.2 Verify That the Incident Response Plan Includes Relevant AWS Services

Review the AWS Security Incident Response Whitepaper

Building an Incident Response Plan

AWS Incident Response Best Practices

Determine if changes to baseline security configuration have been made

About predefined & custom patch baselines

Configuration management in EC2

Security baselining AWS accounts

Determine if the list omits services, processes, or procedures which facilitate Incident Response

AWS security incident response guide

Perform automated incident response in a multi-account environment

Recommend services, processes, procedures to remediate gaps

Automated response & remediation with AWS Security Hub

Remediate security gaps susceptible to ransomware

1.3 Evaluate the Configuration of Automated Alerting, and Execute Possible Remediation of Security-related Incidents and Emerging Issues

Automate evaluation of conformance with rules for new/changed/removed resources

Develop a custom rule for AWS Config

Evaluating resources with AWS Config rules

Use AWS Config rules to automatically remediate non-compliant resources

Remediate non-compliant AWS resources by AWS Config rules

Apply rule-based alerts for common infrastructure misconfiguration

Alert when security events, misconfiguration, & violations are detected

Detect & repair misconfigurations on AWS

Review previous security incidents and recommend improvements to the existing systems

AWS security incident response guide

Top 10 security items to improve in your AWS account

Resolve IT incidents faster

Introducing Incident Manager from AWS

Other articles related to automate alerting and remediation

Automate alerting:

Automate remediation steps:

aws certified security specialty

Amazon link (affiliate)

Domain 2: Logging and Monitoring – 20%

2.1 Design and Implement Security Monitoring and Alerting

Analyze architecture and identify monitoring requirements and sources for monitoring statistics

AWS reference architecture diagrams

How to monitor your applications?

Monitor your resources

Get statistics for a specific resource

Analyze architecture to determine which AWS services can be used to automate monitoring and alerting

Automate analysis of metrics using AWS DevOps dashboard

Automate monitoring of multi-account AWS environments

Processes for handling & remediating AWS Abuse alerts

Analyze the requirements for custom application monitoring, and determine how this could be achieved

Setup application monitoring for your workloads

Monitor your applications effectively

Set up automated tools/scripts to perform regular audits

Automate auditing of operational best practices for your account

Audit your AWS resources for security compliance

2.2 Troubleshoot Security Monitoring and Alerting

Given an occurrence of a known event without the expected alerting, analyze the service functionality and configuration and remediate

Using AWS Config for security analysis

Post-incident analysis

Incident management, & remediation in the cloud

Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate

Identity-based policy examples for AWS Incident Manager

AWS managed policies for AWS Incident Manager

Given a custom application that is not reporting its statistics, analyze the configuration and remediate

Monitor your custom application metrics

Set up, and manage your application for monitoring

Remediate non-compliance using AWS Config rules

Review audit trails of system and user activity

Audit log to capture activities

Audit trail

2.3 Design and Implement a Logging Solution

Implement a logging solution

Send CloudTrail events to CloudWatch logs

Publish VPC flow logs to CloudWatch Logs

Capture information about the IP traffic moving in and out of the Virtual Private Network (VPC) & publish it to a centralized location

Collect logs & metrics from EC2 instances

Log DNS queries

Send logs directly to Amazon S3

Analyze architecture and identify logging requirements and sources for log ingestion

Security at scale: Logging in AWS

Logging ingestion and storage

Architecture overview: Centralized logging

Configure log sources for AWS

Analyze requirements and implement durable and secure log storage according to AWS best practices

Store and monitor OS & Application log files

AWS native_security_logging_capabilities

Analyze architecture to determine which AWS services can be used to automate log ingestion and analysis

Automate centralized logging & integrate with Datadog

Architecture overview: Centralized logging

2.4 Troubleshoot Logging Solutions

Given the absence of logs, determine the incorrect configuration and define remediation steps

Compliance as code and auto-remediation with Cloud Custodian

Automatically re-enable CloudTrail with a custom remediation rule

Analyze logging access permissions to determine the incorrect configuration and define remediation steps

Manage access permissions to your CloudWatch Logs resources

IAM for CloudWatch logs

Create an IAM policy to access CloudWatch Logs resources

Using IAM policies for CloudWatch logs

Based on the security policy requirements, determine the correct log level, type, and sources

Log levels in AWS

Working with security policies

Domain 3: Infrastructure Security – 26%

3.1 Design Edge Security on AWS

For a given workload, assess and limit the attack surface

Attack surface reduction

Help prepare for DDoS attacks by reducing your attack surface

Understand & harden the attack surface at the Edge

Reduce blast radius (e.g. by distributing applications across accounts and regions)

How AWS minimizes the blast radius of failures?

Reduce blast radius by using multiple AWS accounts

Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront, and Route 53 to protect against DDoS or filter application-level attacks

Protect web apps against DDoS attacks with CloudFront & Route 53

Respond to DDoS events

Application layer defense

Block common attacks with AWS WAF

Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes

Intrusion detection and prevention

Use Amazon GuardDuty to detect suspicious activity

AWS intrusion detection & prevention system

Test WAF rules to ensure they block malicious traffic

Testing web ACLs

Testing new rules: WAF workshop

Other security features on AWS CloudFront edge locations

3.2 Design and Implement a Secure Network Infrastructure

Disable any unnecessary network ports and protocols

Disable AWS EC2 ports

AWS server: Disable older protocols

Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes

Security group rules for different use cases

Audit & limit security groups with AWS Firewall Manager

Network ACLs in Amazon Virtual Private cloud

How do Network ACLs work with transit gateways?

Given security requirements, decide on network segmentation (e.g. security groups and NACLs) that allow the minimum ingress/egress access required

Configure security groups for EC2

Securing ingress using security solutions

AWS Network ACL and subnets

Determine the use case for VPN or Direct Connect

AWS Direct Connect vs. VPN

Getting started with AWS Direct Connect

AWS VPN to securely access AWS & on-premises resources

Determine the use case for enabling VPC Flow Logs

Log and view network traffic flows

Work with flow logs

Publish flow logs to CloudWatch Logs

Learn from your VPC Flow Logs with additional metadata

Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation

Work with VPCs and subnets

Gateway VPC endpoints in Amazon Virtual Private Cloud

Find the top contributors to traffic through a NAT Gateway

Analyze inbound internet traffic to a NAT Gateway

3.3 Troubleshoot a Secure Network Infrastructure

Determine where network traffic flow is being denied

VPC Flow Logs

Troubleshoot VPC Flow Logs

Given a configuration, confirm security groups and NACLs have been implemented correctly

Security group connection tracking

Fix connections to an AWS service

Troubleshooting AWS Network services

Troubleshooting AWS DirectConnect

Troubleshoot VPN tunnel connectivity

Debugging tools for network connectivity in VPC

Troubleshoot network issues between:

3.4 Design and Implement Host-based Security

Given security requirements, install and configure host-based protections including Inspector, SSM

Install Amazon Inspector agents

Set up Amazon Inspector

Manually install SSM Agent on EC2

Install SSM Agent on EC2 instances for Windows Server

Decide when to use a host-based firewall like iptables

Why have both security groups and iptables on EC2?

Using iptables on EC2 instances

Recommend methods for host hardening and monitoring

AWS hardening

Hardening an AWS EC2 instance

Domain 4: Identity and Access Management – 20%

4.1 Design and Implement a Scalable Authorization and Authentication System to Access AWS Resources

Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk

Using AWS IAM Access Analyzer

IAM Access Analyzer guides you toward least-privilege permissions

Given a description of how an organization manages its AWS accounts, verify the security of its root user

Secure AWS account root user

Lock away your AWS account root user access keys

AWS account root user

Given your organization’s compliance requirements, determine when to apply user policies and resource policies

Creating IAM policies

User policy examples

Identity-based policies & resource-based policies

Within an organization’s policy, determine when to federate directory services to IAM

Identity federation in AWS

Provide access to externally authenticated users

Establish federated access to your AWS resources

Design a scalable authorization model that includes users, groups, roles, and policies

How to scale your authorization needs?

Permissions required to access IAM resources

Identify and restrict individual users of data and AWS resources

Your AWS account identifiers

View account activity history for IAM users and roles

Review policies to establish that users/systems are restricted from performing functions beyond their responsibility, and also enforce proper separation of duties

Segregation of Duties on AWS

Apply the principle of separation of duties to shell access to EC2 instances

Validating IAM policies

Testing IAM Policies with the IAM policy simulator

4.2 Troubleshoot an Authorization and Authentication System to Access AWS Resources

Investigate a user’s inability to access S3 bucket contents

Troubleshooting IAM and Amazon S3

AWS S3 bucket permissions: Access denied

Investigate a user’s inability to switch roles to a different account

AWS Console: Cannot switch role

Switching to a role

Error trying to assume a cross-account IAM role

Investigate an Amazon EC2 instance’s inability to access a given AWS resource

Troubleshooting EC2 gateway connection issues

Troubleshoot an unresponsive website on EC2

Domain 5: Data Protection – 22%

5.1 Design and Implement Key Management and Use

Key management topics in AWS

What is the AWS Key Management Service (KMS)?

Understand the Key Management Service Concepts

Whitepaper: Key Management Service Best Practices

Analyze a given scenario to determine an appropriate key management solution

Key Management Service in AWS

AWS Key Management Service FAQs

Key Management Service features

Given a set of data protection requirements, evaluate key usage and recommend required changes

Determine past usage of a KMS key

Troubleshoot key access

Determine and control the blast radius of a key compromise event and design a solution to contain the same

Limit the blast radius of credential attacks

Minimize the encryption blast radius

5.2 Troubleshoot Key Management

Break down the difference between a KMS key grant and IAM policy

Using grants

Using IAM policies with AWS KMS

Understanding grants in AWS

Deduce the precedence given different conflicting policies for a given key

Policy evaluation logic

Determine when and how to revoke permissions for a user or service in the event of a compromise

Revoke IAM role temporary security credentials

Disabling permissions for temporary credentials

Revoke permissions

5.3 Design and Implement a Data Encryption Solution for Data at Rest and Data in Transit

Given a set of data protection requirements, evaluate the security of the data at rest in a workload and recommend required changes

Protecting data at rest

How do you protect your data at rest?

Verify policy on a key such that it can only be used by specific AWS services

Using key policies in AWS KMS

Validating IAM policies

Testing IAM Policies with the IAM policy simulator

Distinguish the compliance state of data through tag-based data classifications and automate remediation

Tag AWS services based on data classification

Leveraging AWS cloud to support data classification

S3 bucket compliance using AWS Config auto-remediation feature

Evaluate a number of transport encryption techniques and select the appropriate method (i.e. TLS, IPsec, client-side KMS encryption)

Transport encryption

How do you protect your data in transit?

Configure SSL/TLS with the Amazon Linux AMI

Amazon VPC IPSec VPNs

Amazon S3 client-side encryption with AWS KMS keys

Other articles related to data encryption in AWS

This brings us to the end of the AWS Certified Security Specialty [SCS-C01] Exam Preparation Study Guide.

What do you think? Let me know in the comments section if I have missed out on anything. Also, I love to hear from you about how your preparation is going on!

In case you are preparing for other AWS certification exams, check out the AWS study guides for those exams.

Get Updates on AWS Certified Security Exam


Want to be notified as soon as I post? Subscribe to the RSS feed / leave your email address in the subscribe section. Share the article to your social networks with the below links so it can benefit others.

Share the AWS Certified Security Study Guide

You may also like

4 Comments

  1. Thank you for the list, it is handy indeed.

    Do you have any self-made notes which can be useful?

    Many Thanks