The AWS Security Specialty certification sits at the intersection of two of the hottest trends in technology today the cloud and security. If you work in the security arena, then taking your security knowledge and applying it to the cloud is a logical next step in expanding your expertise. If you work more on the cloud architecture and development side of the equation, understanding cloud security can help you design more secure systems. Building security into an application from the beginning is much easier than trying to retrofit security after the application has been built
As per the certification standard set by AWS, a minimum of 5 years of experience in IT, Cloud, and security is to be obtained as a requirement by the certification undertaking candidate.
AWS Certified Security – Speciality (SCS-C01) exam is the focusing on the AWS Security and Compliance concepts. It validates underneath standards.
- An understanding of specialized data classifications and AWS data protection mechanisms.
- An understanding of data-encryption methods and AWS mechanisms to implement them.
- An understanding of secure Internet protocols and AWS mechanisms to implement them.
- Working knowledge of AWS security services and features of services to provide a secure production environment.
- Competency gained from two or more years of production deployment experience using AWS security services and features.
- The ability to make tradeoff decisions with regard to cost, security, and deployment complexity is given a set of application requirements. An understanding of security operations and risks
|Exam Pattern||Multiple Choice and Multiple Response|
|Exam Duration||180 minutes|
|No. of Questions||65|
|Current Version Expiry||—|
|Exam provider||Pearson Vue & PSI Exams|
|Certification Cost||Nearly 341 $ including tax|
|Certification Validity||3 Years|
|Exam Type||Online Remote Proctoring or Exam Centre|
|Domain 1: Incident Response||12%|
|Domain 2: Logging and Monitoring||20%|
|Domain 3: Infrastructure Security||26%|
|Domain 4: Identity and Access Management||20%|
|Domain 5: Data Protection||22%|
AWS Certified Security – Speciality (SCS-C01) Exam Summary
- AWS Certified Security – Speciality exam, as its name suggests, covers a lot of Security and compliance concepts for VPC, EBS, S3, IAM, and KMS services
- To be precise, the following are the contents covered in the certification
- Security, Identity & Compliance
- Make sure you know all the services and deep dive into IAM, and KMS.
- Identity and Access Management (IAM)
- Understand IAM in depth
- Understand IAM Roles
- Understand Identity Providers & Federation
- Understand IAM Policies
- Deep dive into Key Management Service (KMS). There would be quite a few questions on this.
- Understand how KMS works
- Understand IAM Policies, Key Policies, Grants
- Know KMS are regional and how to use them in other regions.
- Understand the difference between CMK with generated and imported key material esp. in rotating keys
- Know KMS usage with VPC Endpoint
- Know KMS ViaService condition
- Understand AWS Cognito esp. User Pools
- Know AWS GuardDuty as managed threat detection service
- Know AWS Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS
- Know Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS
- Know AWS Artifact as a central resource for compliance-related information that provides on-demand access to AWS’ security and compliance reports and select online agreements
- Know AWS Certificate Manager (ACM) for certificate management.
- Know Cloud HSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud
- Know AWS Secrets Manager to protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle
- Know AWS Shield. the Shield Advanced option and the features it provides
- Know WAF as Web Traffic Firewall
- Security, Identity & Compliance
- Networking & Content Delivery
- Understand VPC
- Understand VPC
- Understand Security Groups, NACLs
- Understand VPC Peering
- Understand VPC Endpoints esp. services supported by Gateway and Interface Endpoints. Interface Endpoints are also called Private Links.
- Understand VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in the VPC
- Know Virtual Private Network & Direct Connect to establish connectivity secured, low latency access between the on-premises data center and AWS VPC
- Understand CloudFront esp. with S3
- Know Elastic Load Balancer at high-level esp—end End encryption.
- Understand VPC
- Management & Governance Tools
- Understand AWS CloudWatch for Logs and Metrics. Also, CloudWatch Events offers more real-time alerts as compared to CloudTrail
- Understand CloudTrail for audit and governance
- Understand AWS Config and its use cases
- Understand CloudTrail provides the WHO and Config provides the WHAT.
- Understand Systems Manager
- Systems Managers provide parameter stores that can be used to manage secrets
- Systems Manager provides agent-based and agentless modes.
- Systems Manager Patch Manager helps select and deploy the operating system and software patches automatically across large groups of EC2 or on-premises instances
- Systems Manager Run Command provides safe, secure remote management of your instances at scale without logging into the servers, replacing the need for bastion hosts, SSH, or remote PowerShell
- Understand AWS Organizations to control what member accounts can do.
- Know AWS Trusted Advisor
- Know S3 Data Protection & S3 Access Control
- Know EBS Encryption
- Know Glacier Vault Lock
- Know EC2 access to services using IAM Role and Lambda using Execution role.
- Integration Tools
- Know how CloudWatch integration with SNS and Lambda can help in notification
Scenarios & Solutions
|A company requires a solution that will automatically detect and enable disabled VPC Flow Logs.||Create an AWS Config rule that will detect disabled VPC Flow Logs. Create a CloudWatch event based on that Config Rule to trigger a Lambda Function for enabling VPC Flow Logs.|
|Verify if EC2 instances are using approved AMI. Create a notification if non-compliant instances are detected.||Utilize the approved-ami-by-id managed rule in AWS Config to check if running instances are using an approved AMI. Use CloudWatch Alarms for notification.|
|A Security Analyst needs to remediate the risks of having security groups that allow inbound traffic for the 0.0.0.0/0 CIDR range (Anywhere). The security group must only allow inbound traffic for the company’s firewall IP address.||Create an AWS Config rule that will automatically detect security groups that allow inbound traffic from the 0.0.0.0/0 CIDR range. Associate a Lambda function in the Config rule to update the security group’s inbound rule with the company’s firewall IP address.|
|You need to build a solution that will allow the Security team to review the IAM policy assigned to an IAM user before and after a security incident has occurred.||Use AWS Config|
|Automatically detect and remediate an incident where API logging is disabled||Create an AWS Config rule to detect disabled CloudTrail settings. Configure the rule to use an AWS Systems Manager Automation document to automatically re-enable CloudTrail logs.|
|Detect if someone is using the AWS account’s root access in creating new API keys without proper approval.||Set up an AWS Config rule to track the usage of the create-api-key command by the root IAM user.|
|A company requires a CMK that automatically rotates every year.||Create a CMK with AWS-generated key material.|
|A company needs to rotate a CMK with imported key material||Create a new CMK with the new imported key material and point the existing alias to the new CMK.|
|A company has to manage the access control for hundreds of CMKs without having to edit key policies||Use grants in AWS KMS.|
|A Security Specialist must use additional authenticated data (AAD) to prevent tampering with the ciphertext.||Add the km: EncryptionContext condition when defining the key policy for the CMK.|
|A company needs to migrate AWS resources encrypted with KMS into another region.||Use a new CMK in the target region.|
|Resource||AWS WAF, AWS Shield|
|An application hosted on an EC2 instance needs protection from common web exploits. Also, the outgoing traffic from the instance should be restricted only to trusted URLs.||Use AWS WAF for common web exploits protection and use a third-party solution to whitelist URLs for outbound traffic.|
|A Security Specialist needs to block high-volume requests from the specific user-agent HTTP header||Use AWS WAF rate-based rule to limit the number of requests.|
|Which AWS Services has direct integration with AWS WAF?||Amazon CloudFront & Application Load Balancer|
|A company is serving static content using Amazon CloudFront, Amazon S3, and Amazon Route53. They must respond to DDoS attacks at L7, L4, and L3.||Use AWS Shield Advanced|
|Protect CloudTrail Logs from tampering and unauthorized access||Enable the CloudTrail log file validation|
|Some AWS accounts can’t send CloudTrail logs in a centralized logging account. What are the steps to troubleshoot the issue?||1. Check if the AWS Account IDs are included within the Central account’s S3|
2. Check if the AWS Accounts are using the correct S3 bucket name for centralized logging.
3. Check if all trails are active
|A Security Specialist has updated the log file prefix for a trail but encountered a “There is a problem with the bucket policy.” error||First, update the new log file prefix in the S3 bucket policy, then specify the updated log file prefix in the CloudTrail Console.|
|A Security Engineer needs to review user activities from a specific access key within the past 3 months.||Review the user activities through the CloudTrail Console|
|Some EC2 instances stop sending CloudWatch logs after a security incident. What are the steps to troubleshoot this issue?||1. Check if the CloudWatch Logs agent is active and running in the EC2 instances.|
2. Check if the EC2 instances have Internet access.
3. Check the validity of the OS Log rotation rules.
|After an update to IAM policy, an application stops sending custom metrics to AWS CloudWatch.||Add the cloud watch:putMetricData permission in the IAM policy|
|A Security Engineer must build a near real-time logging solution to collect logs from different AWS Accounts.||Use the Amazon CloudWatch cross-account log data sharing with subscriptions. Use Amazon Kinesis Data Firehose to deliver the logs.|
|A company has set up a notification system using CloudWatch and CloudTrail that will alert a Security Team when new access keys are created. The team is not receiving notifications.||Make sure that the value of consecutive periods alarm threshold is equal to or greater than 1.|
|A company needs a threat detection system for monitoring malicious activities in an AWS Account||Use Amazon GuardDuty|
|A company is using an Active Directory server to resolve DNS for EC2 instances in a VPC. A security engineer noticed that one of the instances is being used for command-and-control (C2C) operations but GuardDuty has failed to recognize it.||GuardDuty does not recognize DNS requests coming from third-party DNS servers.|
|A company wants to perform a network port scan against EC2 instances in VPC but does not want to get alerts for specific instances.||Add the EIP of the specific instances to the trusted IP lists in Amazon GuardDuty.|
|A company has complex connectivity rules for Amazon EC2 instances. How should they manage these connection rules with no additional cost?||Implement the rules using the built-in host-based firewall such as iptables|
|A Security Engineer needs to inspect packet data.||1. Use proxy software hosted on an EC2 instance.|
2. Use a host-based agent on an EC2 instance. Note that you can only perform packet data analysis with third-party solutions.
|A Security Engineer has a virtual security appliance. The Engineer is using a security group and NACL to comply with security requirements. How can he allow traffic through the virtual security appliance?||Disable the Source/Destination check of the Elastic Network Interface (ENI) associated with the virtual security appliance.|
|A Security Engineer needs to remediate the risk of users exploiting the instance metadata service to access AWS resources in other accounts.||Restrict the access to the instance metadata service using iptables.|
AWS Certified Security – Speciality (SCS-C01) Exam Resources
- Online Courses
- Practice tests
- Braincert AWS Certified Security – Speciality Practice Exams
- Whizlabs AWS Certified Security Specialists Practice Exam
- AWSlagi Practise Test