AWS Certified Security Exam Preparation
Preparing for the AWS Certified Security Specialty (SCS-C03) exam? Don’t know where to start? This post is the AWS Certified Security Specialty Certificate Study Guide (with links to each objective in the exam domain).
I have curated a detailed list of articles from AWS documentation and other blogs for each objective of the AWS Certified Security Specialty (SCS-C03) exam. Please share the post within your circles so it helps others prepare for the exam.
Course on AWS Certified Security Specialty
| Platform | Course |
| --- | --- |
| Whizlabs | AWS Certified Security Online Course |
| Udemy | AWS Security Specialty Certification Course |
| Coursera | AWS Certified Security – Specialty Specialization |
Check out all the other AWS certificate study guides
Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.
Content Domain 1: Detection
Task 1.1: Design and implement monitoring and alerting solutions for an AWS account or organization
Skill 1.1.1: Analyze workloads to determine monitoring requirements
SEC04-BP01 Configure service and application logging – Security Pillar
Security OU – Security Tooling account – AWS Prescriptive Guidance
Choosing AWS security, identity, and governance services
Skill 1.1.2: Design and implement workload monitoring strategies (for example, by configuring resource health checks)
Using Amazon CloudWatch alarms
AWS Health – your account health dashboard
Skill 1.1.3: Aggregate security and monitoring events
Security OU – Security Tooling account – AWS Prescriptive Guidance
Skill 1.1.4: Create metrics, alerts, and dashboards to detect anomalous data and events (for example, Amazon GuardDuty, Amazon Security Lake, AWS Security Hub, Amazon Macie)
Using Amazon CloudWatch dashboards
Skill 1.1.5: Create and manage automations to perform regular assessments and investigations (for example, by deploying AWS Config conformance packs, Security Hub, AWS Systems Manager State Manager)
Conformance packs – AWS Config
AWS Systems Manager State Manager
Automated response and remediation – AWS Security Hub
Task 1.2: Design and implement logging solutions
Skill 1.2.1: Identify sources for log ingestion and storage based on requirements
SEC04-BP01 Configure service and application logging – Security Pillar
Security OU – Log Archive account – AWS Prescriptive Guidance
Logging and events – AWS Security Incident Response User Guide
Skill 1.2.2: Configure logging for AWS services and applications (for example, by configuring an AWS CloudTrail trail for an organization, by creating a dedicated Amazon CloudWatch logging account, by configuring the Amazon CloudWatch Logs agent)
Creating a trail for an organization – AWS CloudTrail
What is Amazon CloudWatch Logs?
Collect metrics, logs, and traces using the CloudWatch agent
Skill 1.2.3: Implement log storage and log data lakes (for example, Security Lake) and integrate with third-party security tools
Adding an AWS service as an Amazon Security Lake source
Security OU – Log Archive account – AWS Prescriptive Guidance
Skill 1.2.4: Use AWS services to analyze logs (for example, CloudWatch Logs Insights, Amazon Athena, Security Hub findings)
Analyzing log data with CloudWatch Logs Insights
Skill 1.2.5: Use AWS services to normalize, parse, and correlate logs (for example, Amazon OpenSearch Service, AWS Lambda, Amazon Managed Grafana)
What is Amazon OpenSearch Service?
What is Amazon Managed Grafana?
Skill 1.2.6: Determine and configure appropriate log sources based on network design, threats, and attacks (for example, VPC Flow Logs, transit gateway flow logs, Amazon Route 53 Resolver logs)
Publish flow logs to Amazon CloudWatch Logs – Amazon VPC
Forwarding outbound DNS queries to your network – Amazon Route 53
Logging network traffic using VPC Flow Logs – Amazon VPC
SEC04-BP01 Configure service and application logging – Security Pillar
Task 1.3: Troubleshoot security monitoring, logging, and alerting solutions
Skill 1.3.1: Analyze the functionality, permissions, and configuration of resources (for example, Lambda function logging, Amazon API Gateway logging, health checks, Amazon CloudFront logging)
Accessing Amazon CloudWatch logs for AWS Lambda
Setting up CloudWatch logging for a REST API in API Gateway
Configuring and using standard logs (access logs) in Amazon CloudFront
Skill 1.3.2: Remediate misconfiguration of resources (for example, by troubleshooting CloudWatch Agent configurations, troubleshooting missing logs)
Collect metrics, logs, and traces using the CloudWatch agent
Troubleshoot the CloudWatch agent – Amazon CloudWatch
Content Domain 2: Incident Response
Task 2.1: Design and test an incident response plan
Skill 2.1.1: Design and implement response plans and runbooks to respond to security incidents (for example, Systems Manager OpsCenter, Amazon SageMaker AI notebooks).
AWS Systems Manager OpsCenter – AWS Systems Manager
Set up OpsCenter – AWS Systems Manager
Manage OpsItems – AWS Systems Manager
Integrate OpsCenter with other AWS services – AWS Systems Manager
Use Amazon SageMaker Studio Classic Notebooks – Amazon SageMaker AI
Skill 2.1.2: Use AWS service features and capabilities to configure services to be prepared for incidents (for example, by provisioning access, deploying security tools, minimizing the blast radius, configuring AWS Shield Advanced protections).
How AWS Shield and Shield Advanced work
AWS Shield Advanced capabilities and options
Adding AWS Shield Advanced protection to AWS resources
Adding and configuring resource protections with Shield Advanced
Setting up AWS Shield Advanced
Skill 2.1.3: Recommend procedures to test and validate the effectiveness of an incident response plan (for example, AWS Fault Injection Service, AWS Resilience Hub).
What is AWS Fault Injection Service? – AWS Fault Injection Service
Tutorials for AWS Fault Injection Service – AWS Fault Injection Service
What is AWS Resilience Hub? – AWS Resilience Hub
Managing AWS Fault Injection Service experiments – AWS Resilience Hub
Add an application to AWS Resilience Hub – AWS Resilience Hub
Skill 2.1.4: Use AWS services to automatically remediate incidents (for example, Systems Manager, Automated Forensics Orchestrator for Amazon EC2, AWS Step Functions, Amazon Application Recovery Controller, Lambda functions).
AWS Systems Manager Automation
A self-service Guidance to capture and examine data from EC2 instances
Architecture overview – Automated Forensics Orchestrator for Amazon EC2 and EKS
What is ARC? – Amazon Application Recovery Controller (ARC)
What is recovery control configuration in Amazon Application Recovery Controller (ARC)?
Task 2.2: Respond to security events
Skill 2.2.1: Capture and store relevant system and application logs as forensic artifacts.
Logging strategies for security incident response | AWS Security Blog
Collect metrics, logs, and traces using the CloudWatch agent
Skill 2.2.2: Search and correlate logs for security events across applications and AWS services.
CloudWatch Logs Insights language query syntax – Amazon CloudWatch Logs
Analyzing log data with CloudWatch Logs Insights – Amazon CloudWatch Logs
Sample queries – Amazon CloudWatch Logs
Skill 2.2.3: Validate findings from AWS security services to assess the scope and impact of an event.
Validate, scope, and assess impact of alert – AWS Security Incident Response User Guide
Reviewing finding details and history in Security Hub CSPM – AWS Security Hub
Assess and prioritize security findings – AWS Prescriptive Guidance
Skill 2.2.4: Respond to affected resources by containing and eradicating threats, and recover resources (for example, by implementing network containment controls, restoring backups).
Containment – AWS Security Incident Response User Guide
Source containment – AWS Security Incident Response User Guide
Destination containment – AWS Security Incident Response User Guide
Remediating a potentially compromised Amazon EC2 instance – Amazon GuardDuty
Skill 2.2.5: Describe methods to conduct root cause analysis (for example, Amazon Detective).
What is Amazon Detective? – Amazon Detective
How Detective is used for investigation – Amazon Detective
Detective Investigations report summary – Amazon Detective
Content Domain 3: Infrastructure Security
Task 3.1: Design, implement, and troubleshoot security controls for network edge services
Skill 3.1.1: Define and select edge security strategies based on anticipated threats and attacks.
Network and application layer protection
Foundational security principles and best practices
How AWS Shield and Shield Advanced work
Skill 3.1.2: Implement appropriate network edge protection (for example, CloudFront headers, AWS WAF, AWS IoT policies, protecting against OWASP Top 10 threats, Amazon S3 cross-origin resource sharing [CORS], Shield Advanced).
Understand response headers policies
Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities
Using cross-origin resource sharing (CORS)
Skill 3.1.3: Design and implement AWS edge controls and rules based on requirements (for example, geography, geolocation, rate limiting, client fingerprinting).
Geographic match rule statement
Using rate-based rule statements in AWS WAF
Aggregating rate-based rules in AWS WAF
AWS WAF adds JA4 fingerprinting and aggregation on JA3 and JA4 fingerprints for rate-based rules
Skill 3.1.4: Configure integrations with AWS edge services and third-party services (for example, by ingesting data in Open Cybersecurity Schema Framework [OCSF] format, by using third-party WAF rules).
Open Cybersecurity Schema Framework (OCSF) in Security Lake
Security Hub and the Open Cybersecurity Findings Format (OCSF)
Managed rules for AWS Web Application Firewall
Task 3.2: Design, implement, and troubleshoot security controls for compute workloads
Skill 3.2.1: Design and implement hardened Amazon EC2 AMIs and container images to secure compute workloads and embed security controls (for example, Systems Manager, EC2 Image Builder).
Use components to customize your Image Builder image
Skill 3.2.2: Apply instance profiles, service roles, and execution roles appropriately to authorize compute workloads.
Defining Lambda function permissions with an execution role
Amazon ECS task execution IAM role
Skill 3.2.3: Scan compute resources for known vulnerabilities (for example, scan container images and Lambda functions by using Amazon Inspector, monitor compute runtimes by using GuardDuty).
Scanning AWS Lambda functions with Amazon Inspector
Automated scan types in Amazon Inspector
Skill 3.2.4: Deploy patches across compute resources to maintain secure and compliant environments by automating update processes and by integrating continuous validation (for example, Systems Manager Patch Manager, Amazon Inspector).
AWS Systems Manager Patch Manager
How Patch Manager operations work
How security patches are selected
Patching managed nodes on demand
Skill 3.2.5: Configure secure administrative access to compute resources (for example, Systems Manager Session Manager, EC2 Instance Connect).
AWS Systems Manager Session Manager
Connect to a Linux instance using EC2 Instance Connect
Skill 3.2.6: Configure security tools to discover and remediate vulnerabilities within a pipeline (for example, Amazon Q Developer, Amazon CodeGuru Security).
Scanning your code with Amazon Q
Reviewing code with Amazon Q Developer
Starting a code review with Amazon Q Developer
Skill 3.2.7: Implement protections and guardrails for generative AI applications (for example, by applying GenAI OWASP Top 10 for LLM Applications protections).
How Amazon Bedrock Guardrails works
Detect and filter harmful content by using Amazon Bedrock Guardrails
Use cases for Amazon Bedrock Guardrails
Task 3.3: Design and troubleshoot network security controls
Skill 3.3.1: Design and troubleshoot appropriate network controls to permit or prevent network traffic as required (for example, security groups, network ACLs, AWS Network Firewall).
Control traffic to your AWS resources using security groups
Control subnet traffic with network access control lists
Infrastructure security in Amazon VPC
How AWS Network Firewall works
Skill 3.3.2: Design secure connectivity between hybrid and multi-cloud networks (for example, AWS Site-to-Site VPN, AWS Direct Connect, MAC Security [MACsec]).
How AWS Site-to-Site VPN works
MAC Security in Direct Connect
Encryption in AWS Direct Connect
Skill 3.3.3: Determine and configure security workload requirements for communication between hybrid environments and AWS (for example, by using AWS Verified Access).
Tutorial: Get started with Verified Access
Skill 3.3.4: Design network segmentation based on security requirements (for example, north/south and east/west traffic protections, isolated subnets).
Security best practices for your VPC
Ensure internetwork traffic privacy in Amazon VPC
Filter network traffic using AWS Network Firewall
What is Network Access Analyzer?
Skill 3.3.5: Identify unnecessary network access (for example, AWS Verified Access, Network Access Analyzer, Amazon Inspector network reachability findings).
What is Network Access Analyzer?
How Network Access Analyzer works
Network Access Scopes in Network Access Analyzer
Amazon Inspector finding types
Content Domain 4: Identity and Access Management
Task 4.1: Design, implement, and troubleshoot authentication strategies
Skill 4.1.1: Design and establish identity solutions for human, application, and system authentication (for example, AWS IAM Identity Center, Amazon Cognito, multi-factor authentication [MFA], identity provider [IdP] integration).
AWS Multi-factor authentication in IAM
Identity providers and federation into AWS
Use multi-factor authentication with your identities
Skill 4.1.2: Configure mechanisms to issue temporary credentials (for example, AWS STS, Amazon S3 presigned URLs).
Temporary security credentials in IAM
Request temporary security credentials
Use temporary credentials with AWS resources
Sharing objects with presigned URLs
Download and upload objects with presigned URLs
Skill 4.1.3: Troubleshoot authentication issues (for example, CloudTrail, Amazon Cognito, IAM Identity Center permission sets, AWS Directory Service).
Manage AWS accounts with permission sets
What is AWS Directory Service?
Task 4.2: Design, implement, and troubleshoot authorization strategies
Skill 4.2.1: Design and evaluate authorization controls for human, application, and system access (for example, Amazon Verified Permissions, IAM paths, IAM Roles Anywhere, resource policies for cross-account access, IAM role trust policies).
What is Amazon Verified Permissions?
What is AWS Identity and Access Management Roles Anywhere?
Cross account resource access in IAM
Skill 4.2.2: Design attribute-based access control (ABAC) and role-based access control (RBAC) strategies (for example, by configuring resource access based on tags or attributes).
Define permissions based on attributes with ABAC authorization
IAM tutorial: Define permissions to access AWS resources based on tags
Attribute-based access control
Skill 4.2.3: Design, interpret, and implement IAM policies by following the principle of least privilege (for example, permission boundaries, session policies).
Policies and permissions in AWS Identity and Access Management
Permissions boundaries for IAM entities
Permissions for temporary security credentials
Skill 4.2.4: Analyze authorization failures to determine causes or effects (for example, IAM Policy Simulator, IAM Access Analyzer).
IAM policy testing with the IAM policy simulator
Using AWS Identity and Access Management Access Analyzer
Skill 4.2.5: Investigate and correct unintended permissions, authorizations, or privileges granted to a resource, service, or entity (for example, IAM Access Analyzer).
Understand how IAM Access Analyzer findings work
Getting started with AWS Identity and Access Management Access Analyzer
IAM Access Analyzer supported resource types for external and internal access
Content Domain 5: Data Protection
Task 5.1: Design and implement controls for data in transit
Skill 5.1.1: Design and configure mechanisms to require encryption when connecting to resources (for example, by configuring Elastic Load Balancing [ELB] security policies, by enforcing TLS configurations).
Secure listener settings for your Application Load Balancer
TLS listeners for your Network Load Balancer
Security policies for your Network Load Balancer
What is AWS Certificate Manager?
SEC09-BP02 Enforce encryption in transit
Skill 5.1.2: Design and configure mechanisms for secure and private access to resources (for example, AWS PrivateLink, VPC endpoints, AWS Client VPN, AWS Verified Access).
Access AWS services through AWS PrivateLink
Access an AWS service using an interface VPC endpoint
Skill 5.1.3: Design and configure inter-resource encryption in transit (for example, inter-node encryption configurations for Amazon EMR, Amazon Elastic Kubernetes Service [Amazon EKS], SageMaker AI, Nitro encryption).
Encryption options for Amazon EMR
Providing certificates for encrypting data in transit with Amazon EMR encryption
Protecting Data in Transit with Encryption
Protect Communications Between ML Compute Instances in a Distributed Training Job
Enforce VPC encryption in transit
Task 5.2: Design and implement controls for data at rest
Skill 5.2.1: Design, implement, and configure data encryption at rest based on specific requirements (for example, by selecting the appropriate encryption key service such as AWS CloudHSM or AWS Key Management Service [AWS KMS] or by selecting the appropriate encryption type such as client-side encryption or server-side encryption).
SEC08-BP01 Implement secure key management
Skill 5.2.2: Design and configure mechanisms to protect data integrity (for example, S3 Object Lock, S3 Glacier Vault Lock, versioning, digital code signing, file validation).
Locking objects with Object Lock
Using versioning in S3 buckets
Skill 5.2.3: Design automatic lifecycle management and retention solutions for data (for example, S3 Lifecycle policies, S3 Object Lock, Amazon Elastic File System [Amazon EFS] Lifecycle policies, Amazon FSx for Lustre backup policies).
Setting lifecycle configuration on a bucket
Locking objects with Object Lock
Amazon EFS lifecycle management
Skill 5.2.4: Design and configure secure data replication and backup solutions (for example, Amazon Data Lifecycle Manager, AWS Backup, ransomware protection, AWS DataSync).
Automate backups with Amazon Data Lifecycle Manager
Malware protection in AWS Backup
Task 5.3: Design and implement controls to protect confidential data, credentials, secrets, and cryptographic key materials
Skill 5.3.1: Design management and rotation of credentials and secrets (for example, AWS Secrets Manager).
Rotate AWS Secrets Manager secrets
Set up automatic rotation for AWS Secrets Manager secrets using the AWS CLI
Skill 5.3.2: Manage and use imported key material (for example, by managing and rotating imported key material, by managing and configuring external key stores).
Importing key material for AWS KMS keys
Perform on-demand key rotation
Skill 5.3.3: Describe the differences between imported key material and AWS generated key material.
Importing key material for AWS KMS keys
Skill 5.3.4: Mask sensitive data (for example, CloudWatch Logs data protection policies, Amazon Simple Notification Service [Amazon SNS] message data protection).
Help protect sensitive log data with masking
Understanding data protection policies
Message data protection in Amazon SNS
Creating data protection policies in Amazon SNS using the console
Skill 5.3.5: Create and manage encryption keys and certificates across a single AWS Region or multiple Regions (for example, AWS KMS customer managed AWS KMS keys, AWS Private Certificate Authority).
What is AWS Certificate Manager?
Content Domain 6: Security Foundations and Governance
Task 6.1: Develop a strategy to centrally deploy and manage AWS accounts
Skill 6.1.1: Deploy and configure organizations by using AWS Organizations.
Best practices for a multi-account environment
Best practices for managing organizational units (OUs) with AWS Organizations
Best practices for member accounts
Terminology and concepts for AWS Organizations
Skill 6.1.2: Implement and manage AWS Control Tower in new and existing environments, and deploy optional and custom controls.
Getting started with AWS Control Tower
Register an existing organizational unit with AWS Control Tower
Enroll an existing AWS account
Customize your AWS Control Tower landing zone
Skill 6.1.3: Implement organization policies to manage permissions (for example, SCPs, RCPs, AI service opt-out policies, declarative policies).
Managing organization policies with AWS Organizations
Service control policies (SCPs)
Resource control policies (RCPs)
Declarative policies in AWS Organizations
Skill 6.1.4: Centrally manage security services (for example, delegated administrator accounts).
Delegated administrator for AWS services that work with Organizations
AWS services that you can use with AWS Organizations
Using AWS Organizations with other AWS services
What is AWS Security Hub CSPM?
Skill 6.1.5: Manage AWS account root user credentials (for example, by centralizing root access for member accounts, managing MFA, designing break-glass procedures).
Centralize root access for member accounts
Root user best practices for your AWS account
Accessing member accounts in an organization with AWS Organizations
Task 6.2: Implement a secure and consistent deployment strategy for cloud resources
Skill 6.2.1: Use infrastructure as code (IaC) to deploy cloud resources consistently and securely across accounts (for example, CloudFormation stack sets, third-party IaC tools, CloudFormation Guard, cfn-lint).
Working with AWS CloudFormation StackSets
AWS CloudFormation StackSets and AWS Organizations
What is AWS CloudFormation Guard?
Activate trusted access for StackSets with AWS Organizations
Skill 6.2.2: Use tags to organize AWS resources into groups for management (for example, by grouping by department, cost center, environment).
Skill 6.2.3: Deploy and enforce policies and configurations from a central source (for example, AWS Firewall Manager).
AWS Firewall Manager prerequisites
Using AWS Firewall Manager policies
Declarative policies in AWS Organizations
Skill 6.2.4: Securely share resources across AWS accounts (for example, AWS Service Catalog, AWS Resource Access Manager [AWS RAM]).
What is AWS Resource Access Manager?
AWS Resource Access Manager and AWS Organizations
Task 6.3: Evaluate the compliance of AWS resources
Skill 6.3.1: Create or enable rules to detect and remediate noncompliant AWS resources and to send notifications (for example, by using AWS Config to aggregate alerts and remediate noncompliant resources, Security Hub).
Multi-Account Multi-Region Data Aggregation for AWS Config
Remediating Noncompliant Resources with AWS Config
What are Security Hub and Security Hub CSPM?
Introduction to AWS Security Hub CSPM
Skill 6.3.2: Use AWS audit services to collect and organize evidence (for example, AWS Audit Manager, AWS Artifact).
Skill 6.3.3: Use AWS services to evaluate architecture for compliance with AWS security best practices (for example, AWS Well-Architected Framework tool).
What is AWS Well-Architected Tool?
What is AWS Well-Architected Framework?
Defining a workload in AWS WA Tool
This brings us to the end of the AWS Certified Security Specialty (SCS-C03) Exam Preparation Study Guide.
What do you think? Let me know in the comments section if I have missed anything. Also, I would love to hear how your preparation is going!
In case you are preparing for other AWS certification exams, check out the AWS study guides for those exams.
Get Updates on AWS Certified Security Exam
Want to be notified as soon as I post? Subscribe to the RSS feed or leave your email address in the subscribe section. Share the article on your social networks so it can benefit others.
4 Comments
Thank you for the list, it is handy indeed.
Do you have any self-made notes which can be useful?
Many Thanks
No, don’t have them
Thank you for the organised links, really helpful.
Welcome