AWS Certified Security Specialty Exam Study Guide [SCS-C01]

Preparing for the AWS Certified Security Specialty (SCS-C01) exam? Don’t know where to start? This post is the AWS Certified Security Specialty Certificate Study Guide (with links to each objective in the exam domain).

I have curated a detailed list of articles from AWS documentation and other blogs for each objective of the AWS Certified Security Specialty (SCS-C01) exam. Please share the post within your circles so it helps them to prepare for the exam.

AWS Certified Security Specialty Course

Pluralsight (Free trial)	AWS Cert. Security (SCS-C01) Learning Path
Whizlabs	AWS Certified Security Online Course [2020]
Udemy	AWS Security Specialty Certification Course

AWS Certified Security Specialty Practice Test

Whizlabs Exam Questions	AWS Security Specialty [260 questions]
Udemy Practice Test	AWS Security Practice Tests (180 questions)

AWS Certified Security Specialty Preparation

LinkedIn Learning [Free Trial]	AWS Security Concepts for Architects
Coursera	AWS Fundamentals: Addressing Security Risk
Amazon e-book (PDF)	AWS Security Examination Material

To view other AWS certificate study guides, click here

Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.

Incident Response - 12%

Given an AWS Abuse Notice, Evaluate the Suspected Compromised Instance or Exposed Access Keys

Reporting abuse of your AWS resources

How to deal with account compromise/abuse notice?

1. Resolution for AWS abuse notice

2. Resolution to AWS account compromise

Reviewing the Security Incident response whitepaper

Dealing with the compromised AWS access keys

Dealing with compromised ec2 instance

Verify That the Incident Response Plan Includes Relevant AWS Services

Review the AWS Security Incident Response Whitepaper

Building an Incident Response Plan

AWS Incident Response Best Practices

Watch this video on AWS Incident Response

Evaluate the Configuration of Automated Alerting, and Execute Possible Remediation of Security-related Incidents and Emerging Issues

Automate alerting:

1. Automate notifications when AMI permissions are updated

2. Automate AWS Security Hub Alerts

Automate remediation steps:

1. YouTube video on Automating Incident Response

2. Automate Remediation with AWS Security Hub

3. Automate processes for remediating AWS Abuse alerts

4. Automatically remediate unintended permissions in AWS S3 Object ACLs

5. Automate remediation actions for Amazon EC2 notifications

6. Remediate Amazon Inspector Security Findings Automatically

7. Remediating Security Issues Discovered by GuardDuty

Amazon link (affiliate)

Logging and Monitoring - 20%

Design and Implement Security Monitoring and Alerting

Implement security monitoring with Amazon GuardDuty:

1. Continuously monitor security & threat detection

2. What Amazon GuardDuty can detect?

3. Threat Response Scenarios Using Amazon GuardDuty

Other tools for monitoring security & implementing alerts:

1. Amazon Inspector: An automated Security Assessment Service

2. AWS Config: Continuously monitor & record the AWS resource configurations

3. Amazon CloudWatch Events: Describe changes in AWS resources

4. Amazon CloudWatch Logs: Monitor, store & access log files

5. Configure Amazon S3 event notifications

6. AWS CloudTrail: Records actions in your AWS account

Troubleshoot Security Monitoring and Alerting

Troubleshoot Amazon CloudWatch Events

SNS notifications: Troubleshoot failed deliveries

Troubleshoot CloudWatch Agent

AWS Config: Troubleshoot error messages

Design and Implement a Logging Solution

Review the whitepaper on Logging in AWS

Demo: AWS CloudTrail Logging

Amazon CloudWatch Logs (store & query log files from AWS resources)

Stream CloudWatch logs to a centralized location

Implement a logging solution:

1. Send CloudTrail events to CloudWatch logs

2. Publish VPC flow logs to CloudWatch Logs

Capture information about the IP traffic moving in and out of the Virtual Private Network (VPC) & publish to a centralized location

3. Collect logs & metrics from EC2 instances

4. Log DNS queries

5. Send Logs Directly to Amazon S3

Centralized Logging: To combine logs from multiple AWS accounts

Troubleshoot Logging Solutions

Troubleshoot Pushing Log Data to CloudWatch

Troubleshooting the CloudWatch Agent

Troubleshooting VPC Flow logs

Troubleshoot AWS Centralized Logging

Infrastructure Security - 26%

Design Edge Security on AWS

Services resident at the AWS edge locations (provide a security perimeter for your apps):

1. Amazon CloudFront (Content Delivery Network)

Think of CloudFront as the front door to your app. So, effectively, you are moving the attack surface from your infrastructure (with sensitive data) to the edge.

2. AWS Shield (Protects against DDoS attacks)

3. AWS Web Application Firewall (protect web applications from threats)

4. Amazon Route 53 (DNS Web service)

Security features on AWS CloudFront edge locations:

1. Using SSL/TLS to deliver your content

2. AWS Certificate Manager to create a custom SSL certificate for CloudFront

3. Serving Private Content with Signed URLs

4. Serving Private Content with Signed Cookies

5. Advanced CloudFront Security (Full/half bridge HTTPS connections, OCSP stapling)

6. CloudFront Field-level Encryption

For encrypting sensitive data (like the Credit card details) using field-specific encryption keys

Design and Implement a Secure Network Infrastructure

Amazon Virtual Private Cloud (VPC) design

AWS Security Groups (Firewall that allows/blocks traffic at the instance level)

Network ACLs (additional security to SG, but operates at the subnet level)

Connecting networks:

1. VPC Peering

2. AWS Site-to-Site VPN

3. AWS Client VPN

4. AWS DirectConnect

4. AWS VPN CloudHub (Multiple Remote sites can connect with each other)

Finally, review security best practices

Troubleshoot a Secure Network Infrastructure

Troubleshooting AWS DirectConnect

Troubleshoot VPN tunnel connectivity

Debugging tools for network connectivity in VPC

Troubleshoot network issues between:

1. EC2 Windows instance in a VPC & an on-premises host

2. EC2 Linux instance in a VPC & an on-premises host

Design and Implement Host-based Security

Host-Based Intrusion Detection System on EC2

IDS & IPS systems for EC2 Instances

Identity and Access Management - 20%

Design and Implement a Scalable Authorization and Authentication System to Access AWS Resources

AWS Identity & Access Management (IAM)

Understand AWS IAM Policies

Identities & Roles in AWS IAM

Review High-Availability IAM Design Patterns

Security Best Practices in IAM

Identity Federation:

1. Web Identity Federation

2. SAML 2.0 Federation

Troubleshoot an Authorization and Authentication System to Access AWS Resources

Troubleshoot IAM Policies

Troubleshooting IAM Roles

Troubleshoot IAM:

1. When working with Amazon EC2

2. When working with Amazon S3

Troubleshoot SAML 2.0 Federation with AWS

Troubleshooting AWS KMS Key Access

Data Protection - 22%

Design and Implement Key Management and Use

What is the AWS Key Management Service (KMS)?

Understand the Key Management Service Concepts

Whitepaper: Key Management Service Best Practices

Share Customer Master Keys (CMKs) across multiple AWS accounts

Program with the AWS KMS API

Troubleshoot Key Management

Troubleshooting key access

Troubleshoot a custom key store

Losing your Access keys

A few troubleshooting scenarios with Amazon S3:

1. ‘Access Denied’ errors when accessing a bucket encrypted by KMS key

2. ‘Access Denied’ error when uploading files to S3 bucket with KMS encryption

Design and Implement a Data Encryption Solution for Data at Rest and Data in Transit

How do you protect your data at rest?

How do you protect your data in transit?

Encryption At Rest (KMS with different AWS services):

1. How Amazon DynamoDB uses AWS KMS?

2. How Amazon Elastic Block Store uses AWS KMS?

3. How Amazon S3 encrypts data at rest with AWS KMS?

4. How Amazon Redshift uses AWS Key Management Service?

5. How Relational Database Service (RDS) encrypts data with AWS KMS?

…and pretty much every other AWS service in the documentation.

Protecting Data in Transit

1. Amazon Redshift

2. Amazon SageMaker

3. Amazon EMR

Encrypting & Decrypting data with AWS Encryption CLI

What are the AWS Encryption SDKs?

This brings us to the end of the AWS Certified Security Specialty [SCS-C01] Exam Preparation Study Guide.

What do you think? Let me know in the comments section if I have missed out on anything. Also, I love to hear from you about how your preparation is going on!

In case you are looking for other AWS certificate exams study guides, check out this page

Follow/Like ravikirans.com to Receive Updates

Want to be notified as soon as I post? Subscribe to RSS feed / leave your email address in the subscribe section. Share the article to your social networks with the below links so it can benefit others.

Share the Article in Your Social Media Networks

1
1
Share

4 Comments

Shahsays:
November 15, 2020 at 10:26 pm
Thank you for the list, it is handy indeed.
Do you have any self-made notes which can be useful?
Many Thanks
1. ravikiranssays:
  November 18, 2020 at 1:35 am
  No, don’t have them
ashsays:
October 19, 2020 at 8:00 pm
Thank you for the organised links, really helpful.
1. ravikiranssays:
  October 23, 2020 at 2:21 pm
  Welcome