AWS Certified Security Study Guide Specialty (SCS-C01) Exam

Get prepared for the AWS Certified Security Specialty certification with this excellent resource

By earning the AWS Certified Security Specialty certification, IT professionals can gain valuable recognition as cloud security experts. The AWS Certified Security Study Guide: Specialty (SCS-C01) Exam helps cloud security practitioners prepare for success on the certification exam. It’s also an excellent reference for professionals, covering security best practices and the implementation of security features for clients or employers.

Architects and engineers with knowledge of cloud computing architectures will find significant value in this book, which offers guidance on primary security threats and defense principles. Amazon Web Services security controls and tools are explained through real-world scenarios. These examples demonstrate how professionals can design, build, and operate secure cloud environments that run modern applications.

The study guide serves as a primary source for those who are ready to apply their skills and seek certification. It addresses how cybersecurity can be improved using the AWS cloud and its native security services. Readers will benefit from detailed coverage of AWS Certified Security Specialty Exam topics.

• Covers all AWS Certified Security Specialty exam topics
• Explains AWS cybersecurity techniques and incident response
• Covers logging and monitoring using the Amazon cloud
• Examines infrastructure security
• Describes access management and data protection

With a single study resource, you can learn how to enhance security through the automation, troubleshooting, and development integration capabilities available with cloud computing. You will also discover services and tools to develop security plans that work in sync with cloud adoption.

ABOUT THE AUTHORS

DARIO GOLDFARB is a Security Solutions Architect at Amazon Web Services in Latin America. He has more than 15 years of experience in cybersecurity.

ALEXANDRE M.S.P. MORAES is a Director of Teltec, a Brazilian systems integrator that is highly specialized in Network Design, Security Architectures and Cloud Computing.

THIAGO MORAIS is the leader of Solutions Architecture teams at Amazon Web Services in Brazil. He has more than 20 years of experience in the IT industry.

MAURICIO MUÑOZ is a Sr. Manager of a Specialist Solutions Architects team at Amazon Web Services in Latin America. He's worked in IT for more than 20 years, specializing in Information Security.

MARCELLO ZILLO NETO is a Chief Security Advisor and a former Chief Information Security Officer (CISO) in Latin America. He has over 20 years of experience in cybersecurity and incident response.

GUSTAVO A. A. SANTANA is the leader of the Specialist and Telecommunications Solutions Architecture teams at Amazon Web Services in Latin America.

FERNANDO SAPATA is a Principal Business Development Manager for Serverless at Amazon Web Services in Latin America. He has more than 19 years of experience in the IT industry.

Introduction xxiii

Assessment Test xxviii

Chapter 1 Security Fundamentals 1

Introduction 2

Understanding Security 2

Basic Security Concepts 6

Vulnerability, Threat, and Security Risk 6

Security Countermeasures and Enforcement 6

Confidentiality, Integrity, and Availability 7

Accountability and Nonrepudiation 7

Authentication, Authorization, and Accounting 8

Visibility and Context 8

Foundational Networking Concepts 9

The OSI Reference Model 9

The TCP/IP Protocol Stack 11

Main Classes of Attacks 14

Reconnaissance 15

Password Attacks 15

Eavesdropping Attacks 15

IP Spoofing Attacks 16

Man-in-the-Middle Attacks 16

Denial-of-Service Attacks 16

Malware Attacks 17

Phishing Attacks 18

Risk Management 18

Important Security Solutions and Services 18

Well-Known Security Frameworks and Models 27

Sample Practical Models for Guiding Security Design and Operations 28

The Security Wheel 28

The Attack Continuum Model 29

The Zero-Trust Model 32

Summary 33

Exam Essentials 33

Review Questions 36

Chapter 2 Cloud Security Principles and Frameworks 39

Introduction 40

Cloud Security Principles Overview 40

The Shared Responsibility Model 41

Different Powers, Different Responsibilities 44

AWS Compliance Programs 47

AWS Artifact Portal 50

AWS Well-Architected Framework 54

Using the AWS Well-Architected Tool 55

AWS Marketplace 58

Summary 59

Exam Essentials 60

Review Questions 61

Chapter 3 Identity and Access Management 65

Introduction 66

IAM Overview 66

How AWS IAM Works 67

Principals 67

IAM Roles 73

AWS Security Token Services 74

Access Management with Policies and Permissions 77

Access Management in Amazon S3 82

Policy Conflicts 86

Secure Data Transport in Amazon S3 86

Cross-Region Replication in Amazon S3 89

Amazon S3 Pre-signed URLs 90

Identity Federation 91

Amazon Cognito 92

Multi-Account Management with AWS Organizations 94

Service Control Policies 96

AWS Single Sign-On 97

Microsoft AD Federation with AWS 97

Protecting Credentials with AWS Secrets Manager 98

Secrets Permission Management 99

Automatic Secrets Rotation 99

Choosing between AWS Secrets Manager and AWS Systems Manager Parameter Store 100

Summary 100

Exam Essentials 101

Review Questions 104

Chapter 4 Detective Controls 107

Introduction 108

Stage 1: Resources State 110

AWS Config 111

AWS Systems Manager 117

Stage 2: Events Collection 118

AWS CloudTrail 118

Amazon CloudWatch Logs 126

Amazon CloudWatch 130

AWS Health 132

Stage 3: Events Analysis 132

AWS Config Rules 133

Amazon Inspector 135

Amazon GuardDuty 136

AWS Security Hub 139

AWS Systems Manager: State Manager, Patch Manager, and Compliance 142

AWS Trusted Advisor 143

Stage 4: Action 144

AWS Systems Manager: Automation 144

AWS Config Rules: Remediation 144

Amazon EventBridge 146

Summary 151

Exam Essentials 152

Review Questions 155

Chapter 5 Infrastructure Protection 159

Introduction 160

AWS Networking Constructs 160

Network Address Translation 172

Security Groups 178

Network Access Control Lists 184

Elastic Load Balancing 190

VPC Endpoints 196

VPC Flow Logs 200

AWS Web Application Firewall 202

AWS Shield 208

Summary 209

Exam Essentials 209

Review Questions 211

Chapter 6 Data Protection 215

Introduction 216

Symmetric Encryption 217

Asymmetric Encryption 218

Hash Algorithms 219

AWS Key Management Service 221

AWS KMS Components 223

Creating a Customer Master Key in AWS KMS 233

Creating a Key Using the Console 234

Deleting Keys in AWS KMS 236

Rotating Keys in KMS 238

Understanding the Cloud Hardware Security Module 246

Using CloudHSM with AWS KMS 250

SSL Offload Using CloudHSM 250

AWS Certificate Manager 251

Protecting Your S3 Buckets 253

Default Access Control Protection 253

Bucket and Object Encryption 254

Amazon Macie 272

AWS CloudTrail Events 274

Summary 276

Exam Essentials 276

Review Questions 278

Chapter 7 Incident Response 281

Introduction 282

Incident Response Maturity Model 283

Incident Response Best Practices 289

Develop 289

Implement 290

Monitor and Test 291

Update 292

Reacting to Specific Security Incidents 292

Abuse Notifications 292

Insider Threat and Former Employee Access 294

Amazon EC2 Instance Compromised by Malware 294

Credentials Leaked 295

Application Attacks 296

Summary 296

Exam Essentials 297

Review Questions 297

Chapter 8 Security Automation 301

Introduction 302

Security Automation Overview 302

Event-Driven Security 303

Using AWS Lambda for Automated Security Response 306

Isolating Instances with Malware on Botnets 308

Automated Termination for Self-Healing Using Auto Scaling Groups 312

Automating Isolation of Bad Actors’ Access to Web Applications 313

Automating Actions upon Changes Detected by AWS CloudTrail 314

WAF Security Automations 314

AWS Config Auto Remediation 316

Amazon S3 Default Encryption with AWS Config 318

Automating Resolution of Findings Using AWS Security Hub 323

Automated Reasoning to Detect and Correct Human Mistakes 325

Aggregate and Resolve Issues with AWS Systems Manager 332

AWS Systems Manager: OpsCenter 332

AWS Systems Manager: State Manager 332

Automating Security Hygiene with AWS

Systems Manager 333

Summary 333

Exam Essentials 334

Review Questions 335

Chapter 9 Security Troubleshooting on AWS 339

Introduction 340

Using Troubleshooting Tools and Resources 341

AWS CloudTrail 341

Amazon CloudWatch Logs 344

Amazon CloudWatch Events 345

Amazon EventBridge 345

Common Access Control Troubleshooting Scenarios 345

Permissions Boundary 346

Service Control Policies 348

Identity Federation Problems 348

Encryption and Decryption Troubleshooting Scenarios 349

Network and Connectivity Troubleshooting Scenarios 349

VPC Security and Filtering 350

Route Tables 351

Network Gateways 352

VPC Peering 355

VPC Flow Logs 357

Summary 359

Exam Essentials 359

Review Questions 361

Chapter 10 Creating Your Security Journey in AWS 363

Introduction 364

Where to Start? 365

Mapping Security Controls 365

Security Journey Phased Example 366

Phase 1: Infrastructure Protection 367

Phase 2: Security Insights and Workload Protection 369

Phase 3: Security Automation 370

Summary 370

Exam Essentials 371

Review Questions 372

Appendix A Answers to Review Questions 375

Chapter 1: Security Fundamentals 376

Chapter 2: Cloud Security Principles and Frameworks 377

Chapter 3: Identity and Access Management 378

Chapter 4: Detective Controls 379

Chapter 5: Infrastructure Protection 380

Chapter 6: Data Protection 381

Chapter 7: Incident Response 382

Chapter 8: Security Automation 384

Chapter 9: Security Troubleshooting on AWS 385

Chapter 10: Creating Your Security Journey in AWS 387

Appendix B AWS Security Services Portfolio 389

Amazon Cognito 390

Amazon Detective 391

Amazon GuardDuty 392

Amazon Inspector 393

Amazon Macie 393

AWS Artifact 394

AWS Certificate Manager 395

AWS CloudHSM 396

AWS Directory Service 396

AWS Firewall Manager 397

AWS Identity and Access Management 398

AWS Key Management Service 399

AWS Resource Access Manager 399

AWS Secrets Manager 400

AWS Security Hub 401

AWS Shield 401

AWS Single Sign-On 402

AWS Web Application Firewall 403

Appendix C DevSecOps in AWS 405

Introduction 406

Cultural Philosophies 407

Practices 407

Tools 409

Dev + Sec + Ops 410

Tenets of DevSecOps 411

AWS Developer Tools 411

AWS CodeCommit 412

AWS CodeBuild 412

AWS CodeDeploy 413

AWS X-Ray 413

Amazon CloudWatch 414

AWS CodePipeline 415

AWS Cloud9 415

AWS CodeStar 416

Creating a CI/CD Using AWS Tools 416

Creating a CodeCommit Repository 416

Creating an AWS CodePipeline Pipeline 419

Evaluating Security in Agile Development 432

Creating the Correct Guardrails Using SAST and DAST 435

Security as Code: Creating Guardrails and Implementing Security by Design 436

The Top 10 Proactive Controls 436

The 10 Most Critical Web Application Security Risks 439

Index 443

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.