Preparing for the AWS Certified Security Specialty (SCS-C01) exam? Don’t know where to start? This post is the AWS Certified Security Specialty Certificate Study Guide (with links to each objective in the exam domain).
I have curated a detailed list of articles from AWS documentation and other blogs for each objective of the AWS Certified Security Specialty (SCS-C01) exam. Please share the post within your circles so it helps them to prepare for the exam.
AWS Certified Security Specialty Course
Pluralsight (Free trial) AWS Certified Security (SCS-C01) Learning Path Whizlabs AWS Certified Security Online Course [2020] Udemy AWS Security Specialty Certification Course
AWS Certified Security Specialty Practice Test
Whizlabs Exam Questions AWS Security Specialty [260 questions] Udemy Practice Test AWS Security Practice Tests (180 questions)
AWS Certified Security Specialty Preparation
LinkedIn Learning [Free Trial] AWS Advanced Security Concepts for Architects Coursera AWS Fundamentals: Addressing Security Risk Amazon e-book (PDF) AWS Security Examination Material
To view other AWS certificate study guides, click here.
Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.
Incident Response - 12%
Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys
Verify that the Incident Response plan includes relevant AWS services
Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues
Automate alerting:
1. Automate notifications when AMI permissions are updated
2. Automate AWS Security Hub Alerts
Automate remediation steps:
1. YouTube video on Automating Incident Response
2. Automate Remediation with AWS Security Hub
3. Automate processes for remediating AWS Abuse alerts
4. Automatically remediate unintended permissions in AWS S3 Object ACLs
5. Automate remediation actions for Amazon EC2 notifications
6. Remediate Amazon Inspector Security Findings Automatically
Amazon link (affiliate)
Logging and Monitoring - 20%
Design and implement security monitoring and alerting
Implement security monitoring with Amazon GuardDuty:
1. Continuously monitor security & threat detection
2. What Amazon GuardDuty can detect?
3. Threat Response Scenarios Using Amazon GuardDuty
Other tools for monitoring security & implementing alerts:
1. Amazon Inspector: An automated Security Assessment Service
2. AWS Config: Continuously monitor & record the AWS resource configurations
3. Amazon CloudWatch Events: Describe changes in AWS resources
4. Amazon CloudWatch Logs: Monitor, store & access log files
Troubleshoot security monitoring and alerting
Design and implement a logging solution
Review the whitepaper on Logging in AWS
Amazon CloudWatch Logs (store & query log files from AWS resources)
Stream CloudWatch logs to a centralized location
Implement a logging solution:
1. Send CloudTrail events to CloudWatch logs
2. Publish VPC flow logs to CloudWatch Logs
Capture information about the IP traffic moving in and out of the Virtual Private Network (VPC) & publish to a centralized location
3. Collect logs & metrics from EC2 instances
5. Send Logs Directly to Amazon S3
Centralized Logging: To combine logs from multiple AWS accounts
Troubleshoot logging solutions
Infrastructure Security - 26%
Design edge security on AWS
Services resident at the AWS edge locations (provide a security perimeter for your apps):
1. Amazon CloudFront (Content Delivery Network)
Think of CloudFront as the front door to your app. So, effectively, you are moving the attack surface from your infrastructure (with sensitive data) to the edge.
2. AWS Shield (Protects against DDoS attacks)
3. AWS Web Application Firewall (protect web applications from threats)
4. Amazon Route 53 (DNS Web service)
Security features on AWS CloudFront edge locations:
1. Using SSL/TLS to deliver your content
2. AWS Certificate Manager to create a custom SSL certificate for CloudFront
3. Serving Private Content with Signed URLs
4. Serving Private Content with Signed Cookies
5. Advanced CloudFront Security (Full/half bridge HTTPS connections, OCSP stapling)
6. CloudFront Field-level Encryption
For encrypting sensitive data (like the Credit card details) using field-specific encryption keys
Design and implement a secure network infrastructure
Troubleshoot a secure network infrastructure
Design and implement host-based security
Identity and Access Management - 20%
Design and implement a scalable authorization and authentication system to access AWS resources
Troubleshoot an authorization and authentication system to access AWS resources
Data Protection - 22%
Design and implement key management and use
Troubleshoot key management
Design and implement a data encryption solution for data at rest and data in transit
How do you protect your data at rest?
How do you protect your data in transit?
Encryption At Rest (KMS with different AWS services):
1. How Amazon DynamoDB uses AWS KMS?
2. How Amazon Elastic Block Store uses AWS KMS?
3. How Amazon S3 encrypts data at rest with AWS KMS?
4. How Amazon Redshift uses AWS Key Management Service?
5. How Relational Database Service (RDS) encrypts data with AWS KMS?
…and pretty much every other AWS service in the documentation.
Protecting Data in Transit
This brings us to the end of the AWS Certified Security Specialty [SCS-C01] Exam Preparation Study Guide.
What do you think? Let me know in the comments section if I have missed out on anything. Also, I love to hear from you about how your preparation is going on!
In case you are looking for other AWS certificate exams study guides, check out this page
Follow/Like ravikirans.com to receive updates
Sign up for Newsletter
Want to be notified as soon as I post? Subscribe to RSS feed / leave your email address in the subscribe section. Share the article to your social networks with the below links so it can benefit others.
