AWS Certified Security Exam Preparation
Preparing for the AWS Certified Security Specialty (SCS-C01) exam? Don’t know where to start? This post is the AWS Certified Security Specialty Certificate Study Guide (with links to each objective in the exam domain).
I have curated a detailed list of articles from AWS documentation and other blogs for each objective of the AWS Certified Security Specialty (SCS-C01) exam. Please share the post within your circles so it helps them to prepare for the exam.
Course on AWS Certified Security Specialty
| Pluralsight (Free trial) | AWS Cert. Security (SCS-C01) Learning Path |
| Whizlabs | AWS Certified Security Online Course [2020] |
| Udemy | AWS Security Specialty Certification Course |
Practice Test for AWS Certified Security Specialty
| Whizlabs Exam Questions | AWS Security Specialty [260 questions] |
| Udemy Practice Test | AWS Security Practice Tests (120+ questions) |
AWS Certified Security Specialty Resources
| LinkedIn Learning [Free Trial] | AWS Security Concepts for Architects |
| Coursera | AWS Fundamentals: Addressing Security Risk |
| Amazon e-book (PDF) | AWS Security Examination Material |
Check out all the other AWS certificate study guides
Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.
Domain 1: Incident Response – 12%
1.1 Given an AWS Abuse Notice, Evaluate the Suspected Compromised Instance or Exposed Access Keys
Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation
Review and respond to an AWS abuse report
Automate incident response for EC2 instances
Analyze logs relevant to a reported instance to verify a breach, and collect relevant data
Detect and investigate security events
Analyze CloudTrail in Amazon CloudWatch
Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons
Create a memory dump of an EC2 instance
Security incident: Be prepared with memory dumps
1.2 Verify That the Incident Response Plan Includes Relevant AWS Services
Review the AWS Security Incident Response Whitepaper
Building an Incident Response Plan
AWS Incident Response Best Practices
Determine if changes to baseline security configuration have been made
About predefined & custom patch baselines
Configuration management in EC2
Security baselining AWS accounts
Determine if the list omits services, processes, or procedures which facilitate Incident Response
AWS security incident response guide
Perform automated incident response in a multi-account environment
Recommend services, processes, procedures to remediate gaps
Automated response & remediation with AWS Security Hub
Remediate security gaps susceptible to ransomware
1.3 Evaluate the Configuration of Automated Alerting, and Execute Possible Remediation of Security-related Incidents and Emerging Issues
Automate evaluation of conformance with rules for new/changed/removed resources
Develop a custom rule for AWS Config
Evaluating resources with AWS Config rules
Use AWS Config rules to automatically remediate non-compliant resources
Remediate non-compliant AWS resources by AWS Config rules
Apply rule-based alerts for common infrastructure misconfiguration
Alert when security events, misconfiguration, & violations are detected
Detect & repair misconfigurations on AWS
Review previous security incidents and recommend improvements to the existing systems
AWS security incident response guide
Top 10 security items to improve in your AWS account
Introducing Incident Manager from AWS
Other articles related to automate alerting and remediation
Automate alerting:
Automate remediation steps:
Amazon link (affiliate)
Domain 2: Logging and Monitoring – 20%
2.1 Design and Implement Security Monitoring and Alerting
Analyze architecture and identify monitoring requirements and sources for monitoring statistics
AWS reference architecture diagrams
How to monitor your applications?
Get statistics for a specific resource
Analyze architecture to determine which AWS services can be used to automate monitoring and alerting
Automate analysis of metrics using AWS DevOps dashboard
Automate monitoring of multi-account AWS environments
Processes for handling & remediating AWS Abuse alerts
Analyze the requirements for custom application monitoring, and determine how this could be achieved
Setup application monitoring for your workloads
Monitor your applications effectively
Set up automated tools/scripts to perform regular audits
Automate auditing of operational best practices for your account
Audit your AWS resources for security compliance
2.2 Troubleshoot Security Monitoring and Alerting
Given an occurrence of a known event without the expected alerting, analyze the service functionality and configuration and remediate
Using AWS Config for security analysis
Incident management, & remediation in the cloud
Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate
Identity-based policy examples for AWS Incident Manager
AWS managed policies for AWS Incident Manager
Given a custom application that is not reporting its statistics, analyze the configuration and remediate
Monitor your custom application metrics
Set up, and manage your application for monitoring
Remediate non-compliance using AWS Config rules
Review audit trails of system and user activity
Audit log to capture activities
2.3 Design and Implement a Logging Solution
Implement a logging solution
Send CloudTrail events to CloudWatch logs
Publish VPC flow logs to CloudWatch Logs
Capture information about the IP traffic moving in and out of the Virtual Private Network (VPC) & publish it to a centralized location
Analyze architecture and identify logging requirements and sources for log ingestion
Security at scale: Logging in AWS
Architecture overview: Centralized logging
Analyze requirements and implement durable and secure log storage according to AWS best practices
Store and monitor OS & Application log files
AWS native_security_logging_capabilities
Analyze architecture to determine which AWS services can be used to automate log ingestion and analysis
Automate centralized logging & integrate with Datadog
Architecture overview: Centralized logging
2.4 Troubleshoot Logging Solutions
Given the absence of logs, determine the incorrect configuration and define remediation steps
Compliance as code and auto-remediation with Cloud Custodian
Automatically re-enable CloudTrail with a custom remediation rule
Analyze logging access permissions to determine the incorrect configuration and define remediation steps
Manage access permissions to your CloudWatch Logs resources
Create an IAM policy to access CloudWatch Logs resources
Using IAM policies for CloudWatch logs
Based on the security policy requirements, determine the correct log level, type, and sources
Working with security policies
Domain 3: Infrastructure Security – 26%
3.1 Design Edge Security on AWS
For a given workload, assess and limit the attack surface
Help prepare for DDoS attacks by reducing your attack surface
Understand & harden the attack surface at the Edge
Reduce blast radius (e.g. by distributing applications across accounts and regions)
How AWS minimizes the blast radius of failures?
Reduce blast radius by using multiple AWS accounts
Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront, and Route 53 to protect against DDoS or filter application-level attacks
Protect web apps against DDoS attacks with CloudFront & Route 53
Block common attacks with AWS WAF
Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes
Intrusion detection and prevention
Use Amazon GuardDuty to detect suspicious activity
AWS intrusion detection & prevention system
Test WAF rules to ensure they block malicious traffic
Testing new rules: WAF workshop
Other security features on AWS CloudFront edge locations
3.2 Design and Implement a Secure Network Infrastructure
Disable any unnecessary network ports and protocols
AWS server: Disable older protocols
Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes
Security group rules for different use cases
Audit & limit security groups with AWS Firewall Manager
Network ACLs in Amazon Virtual Private cloud
How do Network ACLs work with transit gateways?
Given security requirements, decide on network segmentation (e.g. security groups and NACLs) that allow the minimum ingress/egress access required
Configure security groups for EC2
Securing ingress using security solutions
Determine the use case for VPN or Direct Connect
Getting started with AWS Direct Connect
AWS VPN to securely access AWS & on-premises resources
Determine the use case for enabling VPC Flow Logs
Log and view network traffic flows
Publish flow logs to CloudWatch Logs
Learn from your VPC Flow Logs with additional metadata
Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation
Gateway VPC endpoints in Amazon Virtual Private Cloud
Find the top contributors to traffic through a NAT Gateway
Analyze inbound internet traffic to a NAT Gateway
3.3 Troubleshoot a Secure Network Infrastructure
Determine where network traffic flow is being denied
Given a configuration, confirm security groups and NACLs have been implemented correctly
Security group connection tracking
Fix connections to an AWS service
Troubleshooting AWS Network services
Troubleshooting AWS DirectConnect
Troubleshoot VPN tunnel connectivity
Debugging tools for network connectivity in VPC
Troubleshoot network issues between:
3.4 Design and Implement Host-based Security
Given security requirements, install and configure host-based protections including Inspector, SSM
Install Amazon Inspector agents
Manually install SSM Agent on EC2
Install SSM Agent on EC2 instances for Windows Server
Decide when to use a host-based firewall like iptables
Why have both security groups and iptables on EC2?
Using iptables on EC2 instances
Recommend methods for host hardening and monitoring
Domain 4: Identity and Access Management – 20%
4.1 Design and Implement a Scalable Authorization and Authentication System to Access AWS Resources
Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk
IAM Access Analyzer guides you toward least-privilege permissions
Given a description of how an organization manages its AWS accounts, verify the security of its root user
Lock away your AWS account root user access keys
Given your organization’s compliance requirements, determine when to apply user policies and resource policies
Identity-based policies & resource-based policies
Within an organization’s policy, determine when to federate directory services to IAM
Provide access to externally authenticated users
Establish federated access to your AWS resources
Design a scalable authorization model that includes users, groups, roles, and policies
How to scale your authorization needs?
Permissions required to access IAM resources
Identify and restrict individual users of data and AWS resources
View account activity history for IAM users and roles
Review policies to establish that users/systems are restricted from performing functions beyond their responsibility, and also enforce proper separation of duties
Apply the principle of separation of duties to shell access to EC2 instances
Testing IAM Policies with the IAM policy simulator
4.2 Troubleshoot an Authorization and Authentication System to Access AWS Resources
Investigate a user’s inability to access S3 bucket contents
Troubleshooting IAM and Amazon S3
AWS S3 bucket permissions: Access denied
Investigate a user’s inability to switch roles to a different account
AWS Console: Cannot switch role
Error trying to assume a cross-account IAM role
Investigate an Amazon EC2 instance’s inability to access a given AWS resource
Troubleshooting EC2 gateway connection issues
Troubleshoot an unresponsive website on EC2
Domain 5: Data Protection – 22%
5.1 Design and Implement Key Management and Use
Key management topics in AWS
What is the AWS Key Management Service (KMS)?
Understand the Key Management Service Concepts
Whitepaper: Key Management Service Best Practices
Analyze a given scenario to determine an appropriate key management solution
AWS Key Management Service FAQs
Key Management Service features
Given a set of data protection requirements, evaluate key usage and recommend required changes
Determine past usage of a KMS key
Determine and control the blast radius of a key compromise event and design a solution to contain the same
Limit the blast radius of credential attacks
Minimize the encryption blast radius
5.2 Troubleshoot Key Management
Break down the difference between a KMS key grant and IAM policy
Using IAM policies with AWS KMS
Deduce the precedence given different conflicting policies for a given key
Determine when and how to revoke permissions for a user or service in the event of a compromise
Revoke IAM role temporary security credentials
Disabling permissions for temporary credentials
5.3 Design and Implement a Data Encryption Solution for Data at Rest and Data in Transit
Given a set of data protection requirements, evaluate the security of the data at rest in a workload and recommend required changes
How do you protect your data at rest?
Verify policy on a key such that it can only be used by specific AWS services
Testing IAM Policies with the IAM policy simulator
Distinguish the compliance state of data through tag-based data classifications and automate remediation
Tag AWS services based on data classification
Leveraging AWS cloud to support data classification
S3 bucket compliance using AWS Config auto-remediation feature
Evaluate a number of transport encryption techniques and select the appropriate method (i.e. TLS, IPsec, client-side KMS encryption)
How do you protect your data in transit?
Configure SSL/TLS with the Amazon Linux AMI
Amazon S3 client-side encryption with AWS KMS keys
Other articles related to data encryption in AWS
How does Amazon DynamoDB use AWS KMS?
How does Amazon Elastic Block Store use AWS KMS?
How does Amazon S3 encrypt data at rest with AWS KMS?
How Amazon Redshift uses AWS Key Management Service?
How does Relational Database Service (RDS) encrypt data with AWS KMS?
…and pretty much every other AWS service in the documentation.
This brings us to the end of the AWS Certified Security Specialty [SCS-C01] Exam Preparation Study Guide.
What do you think? Let me know in the comments section if I have missed out on anything. Also, I love to hear from you about how your preparation is going on!
In case you are preparing for other AWS certification exams, check out the AWS study guides for those exams.
Get Updates on AWS Certified Security Exam
Want to be notified as soon as I post? Subscribe to the RSS feed / leave your email address in the subscribe section. Share the article to your social networks with the below links so it can benefit others.
4 Comments
Thank you for the list, it is handy indeed.
Do you have any self-made notes which can be useful?
Many Thanks
No, don’t have them
Thank you for the organised links, really helpful.
Welcome