AWS Certified Security Specialty All-in-One Exam Guide (Exam SCS-C01)

Book description

This self-study resource offers complete coverage of every topic on the AWS Certified Security Specialty exam

Take the AWS Certified Security – Specialty exam with confidence using the detailed information contained in this effective self-study resource. Written by a team of AWS insiders, the book shows how to develop, deploy, and maintain robust security protocols on Amazon Web Services. AWS Certified Security Specialty All-in-One Exam Guide (Exam SCS-C01) covers every objective for the exam and provides comprehensive content on cloud-based security. To aid in study, each chapter includes exam tips, chapter summaries, and practice questions that simulate those on the live test. Designed to help you pass the exam with ease, this hands-on guide also serves as an ideal on-the-job reference.

Covers all exam topics, including:

  • Cloud security event investigation
  • Cloud security event remediation and planning
  • Monitoring with Amazon CloudWatch
  • Enhanced security monitoring and compliance with AWS services
  • Logging on AWS
  • AWS cryptographic services and tools
  • Designing edge security on AWS
  • Designing and implementing a secure network infrastructure
  • Troubleshooting a secure network infrastructure
  • Designing and implementing host-based security
  • AWS identity and access management
  • Troubleshooting authorization and authentication services

Online content includes:

  • 130 practice exam questions
  • Fully customizable exam engine
  • Downloadable code


Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Acknowledgments
  7. Introduction
  8. Chapter 1 Introduction to AWS Security
    1. The Five Pillars of the Well-Architected Framework
      1. Operational Excellence
      2. Security
      3. Reliability
      4. Performance Efficiency
      5. Cost Optimization
    2. Focusing on the Security Pillar and the Shared Responsibility Model
      1. Identity and Access Management
      2. Detective Controls
      3. Infrastructure Protection
      4. Data Protection
      5. Incident Response
    3. Chapter Review
      1. Questions
      2. Answers
    4. Additional Resources
  9. Chapter 2 Cloud Security Event Investigation
    1. What AWS Services Should I Consider for an Incident Response Plan?
      1. AWS Shield
      2. AWS WAF
      3. AWS Firewall Manager
      4. AWS Config
      5. AWS CloudTrail, Amazon CloudWatch Logs, and Amazon VPC Flow Logs
      6. Amazon Athena, Amazon EMR, and Amazon Kinesis
      7. Amazon GuardDuty, AWS Security Hub, Amazon Detective, and Amazon Macie
    2. What to Look for as an Indicator of a Cloud Security Event
      1. Logs and Monitors
      2. Billing Activity
      3. Partner Tools
      4. AWS Outreach
      5. One-Time Contact
    3. Determining the RCA of a Cloud Security Event
      1. How to Read an AWS Abuse Notice
      2. How to Review Available Logs
      3. How to Review Findings
    4. Chapter Review
      1. Questions
      2. Answers
    5. Additional Resources
  10. Chapter 3 Cloud Security Event Remediation and Planning
    1. Automating Alerts and Remediation
    2. Remediation of a Cloud Security Event
      1. Responding to an AWS Abuse Notice
      2. Exercise 3-1: Automating PHD Alerts Through Amazon EventBridge
      3. Remediating Compromised EC2 Instances
      4. Exercise 3-2: Automating Compromised Amazon EC2 Instance Response
      5. Remediating Compromised Security Credentials
      6. Exercise 3-3: Preventing Accidental Commits of Sensitive Information to GitHub
    3. Best Practices to Avoid Security Incidents
      1. Utilizing Forward Secrecy and AWS ALBs
      2. Exercise 3-4: Setting Up an AWS Application Load Balancer with Perfect Forward Secrecy
      3. Utilizing the AWS API Gateway with Throttling and Caching
      4. Utilizing AWS Systems Manager
      5. Exercise 3-5: Automating Amazon EC2 Commands Using AWS Systems Manager
    4. Chapter Review
      1. Questions
      2. Answers
    5. Additional Resources
  11. Chapter 4 Monitor with Amazon CloudWatch
    1. Introduction to Monitoring on AWS
      1. Goals of Monitoring
    2. Monitoring the AWS Infrastructure Using Amazon CloudWatch
      1. CloudWatch Metrics
      2. Exercise 4-1: Publishing Custom Metrics
      3. Exercise 4-2: Finding Your Custom Metric in the CloudWatch Console
      4. CloudWatch Alarms
      5. Exercise 4-3: Creating a CloudWatch Alarm Based on a Static Threshold
      6. CloudWatch Events
      7. Exercise 4-4: Creating a CloudWatch Events Rule
    3. Monitoring Applications Using Amazon CloudWatch
      1. Introduction to CloudWatch ServiceLens
      2. Introduction to Amazon CloudWatch Synthetics
    4. Chapter Review
      1. Questions
      2. Answers
    5. Additional Resources
  12. Chapter 5 Enhanced Security Monitoring and Compliance with AWS Services
    1. Monitoring Resource Configuration Using AWS Config
      1. Exercise 5-1: Setting Up AWS Config
      2. Config Aggregator
      3. Exercise 5-2: Creating an Aggregator
      4. AWS Config Components
      5. Exercise 5-3: Creating a Managed Rule: Encrypted-Volume
      6. Exercise 5-4: Creating a Custom Rule
      7. Exercise 5-5: Remediating the Noncompliant Security Groups
    2. Threat Detection Using Amazon GuardDuty
      1. GuardDuty Data Sources
      2. Enable Amazon GuardDuty
      3. Explore All of GuardDuty’s Findings
      4. Exercise 5-6: Simulating an Attack
      5. Configuring GuardDuty for Multiple Accounts
    3. Discover, Classify, and Protect Sensitive Data with Amazon Macie
      1. Exercise 5-7: Discovering, Classifying, and Protecting Sensitive Data Using the New Amazon Macie
      2. Customize Data Identifiers for Your Intellectual Property in the New Amazon Macie
      3. Exercise 5-8: Discovering S3 Objects with IP Addresses Using the New Amazon Macie
      4. Monitoring and Processing Macie Findings in the New Amazon Macie
    4. Introduction to AWS Security Hub
      1. Configuring Security Hub for Multiple Accounts
      2. Exercise 5-9: Enabling AWS Security Hub
      3. Review Security Hub Findings
      4. Responding to Security Hub Findings
    5. Introduction to Amazon Trusted Advisor
      1. Monitoring Trusted Advisor Checks
    6. Chapter Review
      1. Questions
      2. Answers
    7. Additional Resources
  13. Chapter 6 Log on AWS
    1. Introduction to Logging on AWS
      1. Log Sources
      2. Overview of AWS Service Logging Capabilities
    2. Implement Governance and Risk Auditing of AWS Accounts with AWS CloudTrail
      1. AWS CloudTrail Building Blocks
      2. Configuring AWS CloudTrail
      3. Controlling Access to AWS CloudTrail Logs Using AWS IAM and S3 Bucket Policies
      4. Configure AWS CloudTrail to Deliver Log Files from Multiple Regions
      5. Sharing CloudTrail Log Files Between AWS Accounts
      6. Exercise 6-1: Sharing CloudTrail Log Files Between AWS Accounts
      7. Securing CloudTrail Logs
      8. Validating CloudTrail Log File Integrity
    3. Monitoring CloudTrail Logs with Amazon CloudWatch Logs
      1. Exercise 6-2: Monitoring Privilege Escalation Using AWS CloudTrail and Amazon CloudWatch Logs
      2. Logging Non-API Service Events and Console Sign-in Events
      3. AWS CloudTrail Notifications
    4. Application and System Monitoring with Amazon CloudWatch Logs
      1. Amazon CloudWatch Logs Components
      2. CloudWatch Logs Insights
      3. Monitoring Application and System Logs Using the CloudWatch Logs Agent
      4. Exercise 6-3: Monitoring EC2 Instance Memory Metrics and Failed SSH Login Attempts Using Amazon CloudWatch Logs
    5. Logging of AWS Services
      1. VPC Flow Logs
      2. Elastic Load Balancer Access Logs
      3. Amazon CloudFront Access Logs
      4. Amazon S3 Access Logs
    6. Chapter Review
      1. Questions
      2. Answers
    7. Additional Resources
  14. Chapter 7 AWS Cryptographic Services
    1. AWS Key Management Service
      1. AWS KMS Concepts
      2. Key Management, Authentication, and Access Control
      3. Exercise 7-1: Creating a Symmetric CMK and Modifying the Key Policy
      4. Exercise 7-2: Scheduling a CMK for Deletion
      5. Symmetric vs. Asymmetric Keys and Uses
      6. Key Rotation
      7. Custom Key Store
      8. Monitoring
    2. AWS CloudHSM
      1. AWS CloudHSM Use Cases and Concepts
      2. Cluster, User, and Key Management
      3. Exercise 7-3: Setting Up an AWS CloudHSM Cluster
      4. Utilities, Authentication, and Access Control
      5. Software Libraries
      6. Monitoring
    3. Chapter Review
      1. Questions
      2. Answers
    4. Additional Resources
  15. Chapter 8 AWS Cryptographic-Related Services
    1. AWS Secrets Manager
      1. AWS Secrets Manager Concepts
      2. Managing Secrets, Authentication, and Access Control
      3. Exercise 8-1: Creating a Basic Secret
      4. Exercise 8-2: Modifying a Secret’s Resource-Based Policy
      5. Rotating and Replicating Secrets
      6. Exercise 8-3: Enabling Secret Rotation for an Amazon RDS Database
      7. Monitoring
      8. Exercise 8-4: Creating an AWS Config Rule to Ensure Rotation Is Enabled
    2. AWS Certificate Manager
      1. Public Certificates
      2. Exercise 8-5: Requesting a Public AWS ACM Certificate
      3. Private Certificates
      4. Exercise 8-6: Setting Up an AWS ACM Private CA
      5. Exercise 8-7: Creating an End-Entity Certificate from Your AWS ACM Private CA
    3. Chapter Review
      1. Questions
      2. Answers
    4. Additional Resources
  16. Chapter 9 AWS Cryptographic Tools
    1. AWS Encryption SDK
      1. Concepts
      2. Using Keyrings
      3. Supported Algorithm Suites and Programming Languages
      4. Data Key Caching
    2. DynamoDB Encryption Client
      1. The Differences Between Client-side and Server-side
      2. Which Fields Are Encrypted or Signed?
      3. How the Amazon DynamoDB Encryption Client Works
      4. Concepts
      5. Choosing Your Cryptographic Materials Provider
      6. Supported Programming Languages
    3. Chapter Review
      1. Questions
      2. Answers
    4. Additional Resources
  17. Chapter 10 Design Edge Security on AWS
    1. Introduction
    2. Amazon Route 53
      1. DNS Hosted Zones
      2. Common Attacks on the DNS Service
    3. Amazon CloudFront
      1. Behaviors
      2. Origins
      3. Alternate Domain Names and SSL Certificates
      4. Using Signed Cookies or Signed URLs to Restrict Access to Content
      5. Caching Content on Amazon CloudFront
      6. Less Attack Surface
      7. Using Amazon CloudFront to Protect Against DDoS Attacks
      8. Using CloudFront with S3 Securely
      9. CloudFront Geo Restriction
      10. Lambda@Edge
    4. Amazon API Gateway
      1. REST API
      2. API Gateway Endpoints
      3. API Gateway Integration Types
      4. Request Validation
      5. Throttling
      6. API Gateway Authorization
      7. VPC Link
      8. Custom Domains and TLS Version
      9. Client Certificates
    5. Elastic Load Balancer
      1. Classic Load Balancer
      2. Application Load Balancer
      3. Network Load Balancer
      4. Security Policies and Forward Secrecy
      5. Logging
      6. Server Name Indicator
      7. Authorizing Requests with ALB
      8. ALB vs. NLB
    6. AWS Web Application Firewall
      1. AWS WAF Classic and WAFv2
      2. Common Threats for Web Applications
      3. AWS WAF Classic
      4. AWS WAFv2
    7. AWS Shield
      1. AWS Shield Advanced
      2. AWS DDoS Response Team
    8. Chapter Review
      1. Questions
      2. Answers
    9. Additional Resources
  18. Chapter 11 Design and Implement a Secure Network Infrastructure
    1. AWS Global Infrastructure
      1. Regions
      2. Availability Zones
      3. Edge Locations
      4. Direct Connect Locations
      5. AWS Local Zones, AWS Wavelength, and AWS Outposts
      6. Public vs. VPC Attached Services
      7. AWS Services Availability
    2. Virtual Private Cloud
      1. Subnets
      2. Route Tables
      3. Internet Gateway
      4. NAT Gateway
      5. Egress-Only Internet Gateway
      6. VPC Peering
      7. Shared VPCs
      8. DNS Resolution Inside the VPC
      9. Elastic Network Interface
      10. Elastic IP Addresses
    3. Controlling Access to the Network
      1. Network Access Lists
      2. Security Groups
    4. VPC Endpoints
      1. Interface Endpoints
      2. Gateway Endpoints
      3. VPC Endpoint Policies
      4. VPC Endpoint for a Custom Service
    5. Connecting a VPC to On-Premises Networks
      1. AWS Direct Connect
      2. Types of Direct Connect Connections
      3. Site-to-Site VPN
      4. AWS Direct Connect and VPN
      5. Software VPN
      6. Transit VPC
      7. AWS CloudHub
    6. AWS Transit Gateway
      1. Attachments
      2. Transit Gateway Route Table
      3. Associations
      4. Route Propagation
      5. Routing Example
    7. Chapter Review
      1. Questions
      2. Answers
  19. Chapter 12 Troubleshoot a Secure Network Infrastructure
    1. Troubleshooting AWS Ingress: Common Patterns
      1. Bastion Instance in a Public Subnet
      2. Website Delivered Using Amazon CloudFront
    2. Troubleshooting AWS Egress: Common Patterns
      1. Public EC2 Instance Egressing to the Internet Using the Internet Gateway
      2. VPC Egress to the Internet with NAT Gateway
    3. Chapter Review
      1. Questions
      2. Answers
  20. Chapter 13 Design and Implement Host-Based Security
    1. Host-Based Security
      1. HIDS/HIPS
      2. Increasing Security in a DevOps World
      3. Exercise 13-1: Configuring Remote Access with Session Manager
    2. Chapter Review
      1. Questions
      2. Answers
    3. Additional Resources
  21. Chapter 14 Identity and Access Management on AWS
    1. Authentication
      1. AWS Root User
      2. IAM Users and Groups
      3. Amazon Resource Name
      4. Unique Identifiers
      5. IAM Role
      6. Retrieving Credentials from an EC2 Instance with the IAM Role
      7. Application Authentication
      8. Federation
    2. Authorization
      1. Identity-Based Policies
      2. Resource-Based Policies
    3. Temporary Credentials with STS
      1. Access Control Lists
    4. Amazon Cognito
    5. AWS Organizations
      1. Automate AWS Account Creation and Management
      2. Consolidated Billing for All Member Accounts
      3. Service Control Policies
      4. Tag Policies for Member Accounts
      5. Hierarchical Grouping with Organization, Root OU, OU Entities, and Accounts
      6. Integration with Other Services
    6. AWS Single Sign-On
    7. Chapter Review
      1. Questions
      2. Answers
    8. Additional Resources
  22. Chapter 15 Troubleshoot Authorization and Authentication Systems
    1. Troubleshooting S3 Bucket Policies
      1. Resource Owner
      2. Access Control List
      3. IAM Users
    2. Enforcing Security Controls with S3 Bucket Policies
    3. S3 Lifecycle Policies
      1. How to Configure S3 Lifecycle Policies
    4. AWS Organizations and Service Control Policies
    5. Troubleshooting Authentication
    6. Troubleshooting Federation
    7. Chapter Review
      1. Questions
      2. Answers
    8. Additional Resources
  23. Appendix A Objective Map
  24. Appendix B About the Online Content
    1. System Requirements
    2. Your Total Seminars Training Hub Account
      1. Privacy Notice
    3. Single User License Terms and Conditions
    4. TotalTester Online
    5. Technical Support
  25. Acronyms and Glossary
    1. Acronyms
    2. Glossary
  26. Index

Product information

  • Title: AWS Certified Security Specialty All-in-One Exam Guide (Exam SCS-C01)
  • Author(s): Tracy Pierce, Aravind Kodandaramaiah, Rafael Koike, Alex Rosa
  • Release date: February 2021
  • Publisher(s): McGraw-Hill
  • ISBN: 9781260461732