AWS Certified Security Specialty Exam Study Guide [SCS-C01]


Preparing for the AWS Certified Security Specialty (SCS-C01) exam? Don't know where to start? This post is the AWS Certified Security Specialty Certificate Study Guide (with links to each objective in the exam domain).

I have curated a detailed list of articles from AWS documentation and other blogs for each objective of the AWS Certified Security Specialty (SCS-C01) exam. Please share the post within your circles so it helps them to prepare for the exam.

AWS Certified Security Specialty Practice Test

Whizlabs Exam Questions: AWS Security Specialty [260 questions]
Udemy Practice Test: AWS Security Practice Tests (180 questions)

AWS Certified Security Specialty Preparation

LinkedIn Learning [Free Trial]: AWS Advanced Security Concepts for Architects
Coursera: AWS Fundamentals: Addressing Security Risk
Amazon e-book (PDF): AWS Security Examination Material

To view other AWS certificate study guides, click here.

Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.


Logging and Monitoring – 20%

Design and implement security monitoring and alerting

Implement security monitoring with Amazon GuardDuty:

1. Continuous security monitoring and threat detection

2. What can Amazon GuardDuty detect?

3. Threat Response Scenarios Using Amazon GuardDuty

Other tools for monitoring security & implementing alerts:

1. Amazon Inspector: An automated Security Assessment Service

2. AWS Config: Continuously monitor & record the AWS resource configurations

3. Amazon CloudWatch Events: Describe changes in AWS resources

4. Amazon CloudWatch Logs: Monitor, store & access log files

5. Configure Amazon S3 event notifications

6. AWS CloudTrail: Records actions in your AWS account
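The tools above are the sources; the alert still has to be expressed as a rule over the records they emit. As an added illustration (not code from the original post or from AWS), the Python below runs three CloudWatch Logs metric-filter-style checks over CloudTrail records as they arrive in a log stream: a root console login, an AccessDenied/UnauthorizedOperation call, and a security-group change, escalated when it opens a port to 0.0.0.0/0. The log lines, account ID, ARNs and IP addresses are constructed for the example; the filter patterns quoted in the comments are the equivalents you would attach to the log group.

```python
"""Added example: detection logic over CloudTrail records, the kind of rule a
CloudWatch Logs metric filter (or a GuardDuty finding) would alert on.
Sample records below are constructed for this example, not real AWS data."""
import json

# Each line is one CloudTrail record as delivered to a CloudWatch Logs stream.
# Account ID, ARNs and IP addresses are made up (documentation ranges).
SAMPLE_LOG_LINES = [
    json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.5",
        "responseElements": {"ConsoleLogin": "Success"},
    }),
    json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    }),
    json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:07:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci/build"},
        "sourceIPAddress": "10.0.3.14", "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: s3:ListAllMyBuckets",
    }),
    json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:09:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "10.0.3.15",
    }),
]

SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

def _cidrs_in(params):
    """Walk a requestParameters tree and yield every cidrIp / cidrIpv6 value."""
    if isinstance(params, dict):
        for key, value in params.items():
            if key in ("cidrIp", "cidrIpv6") and isinstance(value, str):
                yield value
            else:
                yield from _cidrs_in(value)
    elif isinstance(params, list):
        for item in params:
            yield from _cidrs_in(item)

# The comment on each predicate is the CloudWatch Logs filter pattern it mirrors.
def is_root_console_login(r):
    # { $.userIdentity.type = "Root" && $.eventName = "ConsoleLogin" }
    return r.get("userIdentity", {}).get("type") == "Root" and r.get("eventName") == "ConsoleLogin"

def is_unauthorized_call(r):
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = r.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def is_security_group_change(r):
    # { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress) || ... }
    return r.get("eventSource") == "ec2.amazonaws.com" and r.get("eventName") in SG_CHANGE_EVENTS

RULES = {
    "RootConsoleLogin": (is_root_console_login, "HIGH"),
    "UnauthorizedAPICall": (is_unauthorized_call, "MEDIUM"),
    "SecurityGroupChange": (is_security_group_change, "LOW"),
}

def evaluate(record):
    """Return a list of findings (rule, severity, who, from where) for one record."""
    findings = []
    actor = record.get("userIdentity", {})
    who = actor.get("userName") or actor.get("arn") or actor.get("type", "unknown")
    for name, (pred, severity) in RULES.items():
        if not pred(record):
            continue
        # Escalate a security-group change that opens a rule to the whole internet.
        if name == "SecurityGroupChange" and any(
                c in ("0.0.0.0/0", "::/0") for c in _cidrs_in(record.get("requestParameters"))):
            severity = "HIGH"
        findings.append({"rule": name, "severity": severity, "who": who,
                         "source_ip": record.get("sourceIPAddress"), "event": record["eventName"]})
    return findings

def scan(log_lines):
    """Parse one JSON record per line (malformed lines are skipped) and evaluate each."""
    findings = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(evaluate(record))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"[{f['severity']}] {f['rule']}: {f['event']} by {f['who']} from {f['source_ip']}")
```

In production the same predicates become metric filters with a CloudWatch alarm on each metric, or an EventBridge rule on the CloudTrail event; the point of writing them out is that the unauthorized-call check keys on errorCode, not on eventName, and that a security-group change is only interesting once you look inside requestParameters for the CIDR it opened.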

Troubleshoot security monitoring and alerting

Troubleshoot Amazon CloudWatch Events

SNS notifications: Troubleshoot failed deliveries

Troubleshoot CloudWatch Agent

AWS Config: Troubleshoot error messages

Design and implement a logging solution

Review the whitepaper on Logging in AWS

Demo: AWS CloudTrail Logging

Amazon CloudWatch Logs (store & query log files from AWS resources)

Stream CloudWatch logs to a centralized location

Implement a logging solution:

1. Send CloudTrail events to CloudWatch logs

2. Publish VPC flow logs to CloudWatch Logs

Capture information about the IP traffic going to and from the network interfaces in your Virtual Private Cloud (VPC) and publish it to a centralized location

3. Collect logs & metrics from EC2 instances

4. Log DNS queries

5. Send Logs Directly to Amazon S3

Centralized Logging: To combine logs from multiple AWS accounts
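Once flow logs land in CloudWatch Logs or S3 you still have to read the record format. As an added example (not from the original post or from AWS), the Python below parses the default version-2 flow log format and runs two checks a practitioner would want from a central log: SSH accepted from outside the VPC, and a single external source being rejected on many distinct ports. The flow log lines, the account ID and ENI, and the assumed VPC range 10.0.0.0/16 are constructed for this example.

```python
"""Added example: parsing VPC Flow Log records (default v2 format) and running two
checks over them: SSH accepted from outside the VPC, and one source being rejected
on many ports (scan-like). Log lines are constructed for this example."""
import ipaddress
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range for this example
TCP = 6

# Constructed sample, as it would appear in a CloudWatch Logs stream or an S3 object.
# Account ID and ENI are placeholders; public addresses use documentation ranges.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.20 40001 22 6 6 360 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 203.0.113.9 22 40001 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.5 10.0.1.20 33000 22 6 8 640 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.20 51000 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.20 51001 445 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.20 51002 1433 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.20 51003 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.20 51004 5900 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Return one dict per usable record; NODATA/SKIPDATA lines carry no traffic fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
        rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
        records.append(rec)
    return records

def is_ingress(rec):
    """Traffic entering the VPC: external source, internal destination."""
    return rec["srcaddr"] not in VPC_CIDR and rec["dstaddr"] in VPC_CIDR

def external_ssh_accepts(records):
    """ACCEPTed TCP/22 from outside the VPC, i.e. SSH reachable from the internet."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == TCP
            and r["dstport"] == 22 and is_ingress(r)]

def rejected_port_sweeps(records, min_ports=5):
    """Sources whose REJECTed inbound flows touch at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and is_ingress(r):
            ports_by_src[r["srcaddr"]].add(r["dstport"])
    return {str(src): sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for r in external_ssh_accepts(recs):
        print(f"SSH accepted from {r['srcaddr']} to {r['dstaddr']} on {r['interface_id']}")
    for src, ports in rejected_port_sweeps(recs).items():
        print(f"{src} rejected on {len(ports)} ports: {ports}")
```

Two details matter when you do this against real data: flow logs record both directions of a connection as separate records, so the direction test (source outside, destination inside) is what separates an inbound SSH session from its replies, and NODATA/SKIPDATA lines have dashes in the address fields and must be dropped before parsing.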

Troubleshoot logging solutions

Troubleshoot Pushing Log Data to CloudWatch

Troubleshooting the CloudWatch Agent

Troubleshooting VPC Flow logs

Troubleshoot AWS Centralized Logging

Infrastructure Security – 26%

Design edge security on AWS

Services resident at the AWS edge locations (provide a security perimeter for your apps):

1. Amazon CloudFront (Content Delivery Network)

Think of CloudFront as the front door to your app. Requests terminate at the edge location first, so the attack surface that faces the internet is the edge, not the origin infrastructure that holds sensitive data (and the origin can be locked down to accept traffic only from CloudFront).

2. AWS Shield (Protects against DDoS attacks)

3. AWS Web Application Firewall (protect web applications from threats)

4. Amazon Route 53 (DNS Web service)

Security features on AWS CloudFront edge locations:

1. Using SSL/TLS to deliver your content

2. AWS Certificate Manager to create a custom SSL certificate for CloudFront

3. Serving Private Content with Signed URLs

4. Serving Private Content with Signed Cookies

5. Advanced CloudFront Security (full-bridge HTTPS, i.e. HTTPS on both the viewer-to-CloudFront and the CloudFront-to-origin leg, versus half-bridge, i.e. HTTPS to the viewer only; OCSP stapling)

6. CloudFront Field-level Encryption

For encrypting sensitive data (like the Credit card details) using field-specific encryption keys

Design and implement a secure network infrastructure

Amazon Virtual Private Cloud (VPC) design

AWS Security Groups (stateful virtual firewall at the instance/network-interface level; allow rules only, return traffic is permitted automatically)

Network ACLs (an additional layer in front of security groups that operates at the subnet level; stateless, with numbered allow and deny rules evaluated in order, first match wins, and an implicit deny at the end)
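The stateful/stateless difference is where exam questions and real outages both come from, so here is an added example (not from the original post or from AWS) that models the two layers in Python: a security group as an unordered set of allow rules that also admits return traffic, and a network ACL as numbered rules evaluated in ascending order with first match deciding and an implicit deny. The rule sets are made up; the scenario is an HTTPS request whose reply is dropped because the outbound NACL forgot the ephemeral port range, plus a NACL deny rule numbered ahead of a broader allow.

```python
"""Added example: a small model of how a security group (stateful, allow-only) and a
network ACL (stateless, numbered rules, first match wins, implicit deny) decide the
fate of a request and of its return traffic. Rule sets below are made up."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "all"
    cidr: str
    port_from: int
    port_to: int
    action: str = "ALLOW"  # security groups only have ALLOW; NACLs have ALLOW / DENY
    number: int = 0        # NACL rule number; ignored for security groups

def _matches(rule, protocol, ip, port):
    return (rule.protocol in ("all", protocol)
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)

def nacl_allows(rules, protocol, ip, port):
    """Evaluate in ascending rule number; the first match decides; no match = DENY (the '*' rule)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, ip, port):
            return rule.action == "ALLOW"
    return False

def sg_allows(rules, protocol, ip, port):
    """Security groups: any matching allow rule permits; there are no deny rules and no ordering."""
    return any(_matches(r, protocol, ip, port) for r in rules)

def request_allowed(nacl_in, sg_in, protocol, src_ip, dst_port):
    """Inbound packet: the subnet's inbound NACL rules first, then the instance's security group."""
    return (nacl_allows(nacl_in, protocol, src_ip, dst_port)
            and sg_allows(sg_in, protocol, src_ip, dst_port))

def response_allowed(nacl_out, protocol, client_ip, client_port):
    """Return packet to client_ip:client_port. The security group is stateful, so it lets the
    reply out regardless of its egress rules; the stateless NACL must explicitly allow the
    client's ephemeral port on the outbound side."""
    return nacl_allows(nacl_out, protocol, client_ip, client_port)

# Example rule sets (made up) for a web server in a public subnet.
SG_WEB = [Rule("tcp", "0.0.0.0/0", 443, 443)]
NACL_IN = [
    Rule("tcp", "203.0.113.5/32", 443, 443, "DENY", 100),  # blocklist one client
    Rule("tcp", "0.0.0.0/0", 443, 443, "ALLOW", 110),
]
NACL_OUT_BROKEN = [Rule("tcp", "0.0.0.0/0", 443, 443, "ALLOW", 100)]  # forgot ephemeral ports
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule("tcp", "0.0.0.0/0", 1024, 65535, "ALLOW", 110)]

def simulate(client_ip, client_port, nacl_out):
    """Walk a client's HTTPS request and the server's reply through both layers."""
    req = request_allowed(NACL_IN, SG_WEB, "tcp", client_ip, 443)
    rep = req and response_allowed(nacl_out, "tcp", client_ip, client_port)
    return {"request": req, "response": rep}

if __name__ == "__main__":
    print(simulate("198.51.100.20", 50000, NACL_OUT_BROKEN))  # request in, reply blocked
    print(simulate("198.51.100.20", 50000, NACL_OUT_FIXED))   # works
    print(simulate("203.0.113.5", 50000, NACL_OUT_FIXED))     # denied by rule 100 before 110
```

The model is simplified (no IPv6, no ICMP types, and a real NACL also applies to traffic between instances in different subnets), but it captures the two behaviours to remember: a security group never needs an outbound rule for replies, while a NACL needs the 1024-65535 ephemeral range on the opposite side of every allowed flow, and a low-numbered DENY wins over a later ALLOW no matter how broad the ALLOW is.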

Connecting networks:

1. VPC Peering

2. AWS Site-to-Site VPN

3. AWS Client VPN

4. AWS Direct Connect

5. AWS VPN CloudHub (multiple remote sites connect to a virtual private gateway and can reach each other through it)

Finally, review security best practices

Troubleshoot a secure network infrastructure

Troubleshooting AWS Direct Connect

Troubleshoot VPN tunnel connectivity

Debugging tools for network connectivity in VPC

Troubleshoot network issues between:

1. EC2 Windows instance in a VPC & an on-premises host

2. EC2 Linux instance in a VPC & an on-premises host

Design and implement host-based security

Host-Based Intrusion Detection System on EC2

IDS & IPS systems for EC2 Instances

This brings us to the end of the AWS Certified Security Specialty [SCS-C01] Exam Preparation Study Guide.

What do you think? Let me know in the comments section if I have missed anything. I would also love to hear how your preparation is going!

In case you are looking for other AWS certificate exams study guides, check out this page
