AWS Certified Security - Specialty Exam Guide

Book description

Get to grips with the fundamentals of cloud security and prepare for the AWS Security Specialty exam with the help of this comprehensive certification guide

Key Features

  • Learn the fundamentals of security with this fast-paced guide
  • Develop modern cloud security skills to build effective security solutions
  • Answer practice questions and take mock tests to pass the exam with confidence

Book Description

AWS Certified Security – Specialty is a certification exam to validate your expertise in advanced cloud security. With an ever-increasing demand for AWS security skills in the cloud market, this certification can help you advance in your career. This book helps you prepare for the exam and gain certification by guiding you through building complex security solutions.

From understanding the AWS shared responsibility model and identity and access management to implementing access management best practices, you'll gradually build on your skills. The book will also delve into securing instances and the principles of securing VPC infrastructure. Covering security threats, vulnerabilities, and attacks such as DDoS attacks, you'll discover how to mitigate these at different layers. You'll then cover compliance and learn how to use AWS to audit and govern infrastructure, as well as how to monitor your environment by implementing logging mechanisms and tracking data. Later, you'll explore how to implement data encryption as you get hands-on with securing a live environment. Finally, you'll discover security best practices that will assist you in making critical decisions relating to cost, security, and deployment complexity.

By the end of this AWS security book, you'll have the skills to pass the exam and design secure AWS solutions.

What you will learn

  • Understand how to identify and mitigate security incidents
  • Assign appropriate Amazon Web Services (AWS) resources to underpin security requirements
  • Work with the AWS shared responsibility model
  • Secure your AWS public cloud in different layers of cloud computing
  • Discover how to implement authentication through federated and mobile access
  • Monitor and log tasks effectively using AWS

Who this book is for

If you are a system administrator or a security professional looking to get AWS security certification, this book is for you. Prior experience in securing cloud environments is necessary to get the most out of this AWS book.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. AWS Certified Security – Specialty Exam Guide
  3. About Packt
    1. Why subscribe?
  4. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Code in Action
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Reviews
  6. Section 1: The Exam and Preparation
  7. AWS Certified Security - Specialty Exam Coverage
    1. The aim of the certification
    2. Intended audience
    3. Domains assessed
    4. Domain 1 – Incident response
    5. Domain 2 – Logging and monitoring
    6. Domain 3 – Infrastructure security
    7. Domain 4 – Identity and Access Management (IAM)
    8. Domain 5 – Data protection
    9. Exam details
    10. Summary
    11. Questions
    12. Further reading
  8. Section 2: Security Responsibility and Access Management
  9. AWS Shared Responsibility Model
    1. Technical requirements
    2. Shared responsibility model for infrastructure services
    3. Shared responsibility model for container services
    4. Shared responsibility model for abstract services
    5. Summary
    6. Questions
    7. Further reading
  10. Access Management
    1. Technical requirements
    2. Understanding Identity and Access Management (IAM)
    3. Provisioning users, groups, and roles in IAM
    4. Creating users
    5. Creating groups
    6. Creating roles
    7. Service roles
    8. User roles
    9. Web identity federated roles
    10. SAML 2.0 federated roles
    11. Configuring Multi-Factor Authentication (MFA)
    12. Summary
    13. Questions
    14. Further reading
  11. Working with Access Policies
    1. Technical requirements
    2. Understanding the difference between policy types
    3. Identity-based policies
    4. Resource-based policies
    5. Permissions boundaries
    6. Access Control Lists (ACLs)
    7. Organization SCPs
    8. Identifying policy structure and syntax
    9. An example of policy structure
    10. The structure of a resource-based policy
    11. Configuring cross-account access
    12. Creating a cross-account access role
    13. Creating a policy to assume the cross-account role
    14. Assuming the cross-account role
    15. IAM policy management
    16. Permissions
    17. Policy usage
    18. Policy versions
    19. Access Advisor
    20. Policy evaluation
    21. Using bucket policies to control access to S3
    22. Summary
    23. Questions
    24. Further reading
  12. Federated and Mobile Access
    1. Technical requirements
    2. What is AWS federated access?
    3. Using SAML federation
    4. Gaining federated access to the AWS Management Console
    5. Using social federation
    6. Amazon Cognito
    7. User pools
    8. Identity pools
    9. Gaining access using user and identity pools
    10. Summary
    11. Questions
    12. Further reading
  13. Section 3: Security - a Layered Approach
  14. Securing EC2 Instances
    1. Technical requirements
    2. Performing a vulnerability scan using Amazon Inspector
    3. Installing the Amazon Inspector agent
    4. Configuring assessment targets
    5. Configuring an assessment template
    6. Running an assessment
    7. Viewing findings
    8. Creating and securing EC2 key pairs
    9. Creating key pairs
    10. Creating key pairs during EC2 deployment
    11. Creating key pairs within the EC2 console
    12. Deleting a key
    13. Deleting a key using the EC2 console
    14. Recovering a lost private key
    15. Connecting to a Linux-based instance with your key pair
    16. Connecting to a Windows-based instance with your key pair
    17. Isolating instances for forensic investigation
    18. AWS monitoring and logging services
    19. AWS CloudTrail
    20. AWS Config
    21. Amazon CloudWatch
    22. VPC Flow Logs
    23. Isolation
    24. Using Systems Manager to administer EC2 instances
    25. Creating resource groups in Systems Manager
    26. Built-in insights
    27. Actions
    28. Automation
    29. Run Command
    30. Session Manager
    31. Distributor
    32. State Manager
    33. Patch Manager
    34. Use default patch baselines, or create your own
    35. Organize instances into patch groups (optional)
    36. Automate the patching schedule by using Maintenance Windows
    37. Monitor patch status to ensure compliance
    38. Summary
    39. Questions
    40. Further reading
  15. Configuring Infrastructure Security
    1. Technical requirements
    2. Understanding a VPC
    3. Creating a VPC using the wizard
    4. Understanding the VPC components
    5. Subnets
    6. The Description tab
    7. The Flow Logs tab
    8. The Route Table and Network ACL tabs
    9. The Tags tab
    10. Internet gateways
    11. Route tables
    12. The Summary tab
    13. The Routes tab
    14. The Subnet Associations tab
    15. The Route Propagation tab
    16. Network access control lists
    17. The Details tab
    18. The Inbound Rules and Outbound Rules tabs
    19. The Subnet associations tab
    20. Security groups
    21. The Description tab
    22. The Inbound Rules and Outbound Rules tabs
    23. The Tags tab
    24. Bastion hosts
    25. NAT instances and NAT gateways
    26. Virtual private gateways
    27. Building a multi-subnet VPC manually
    28. Creating a VPC
    29. Creating public and private VPCs
    30. Creating an IGW
    31. Creating a route table
    32. Creating a NAT gateway
    33. Creating security groups in our subnets
    34. Creating a security group for instances in Public_Subnet
    35. Creating a security group for instances in Private_Subnet
    36. Creating EC2 instances in our subnets
    37. Creating EC2 instances in Private_Subnet
    38. Creating EC2 instances in Public_Subnet
    39. Creating a route table for Private_Subnet
    40. Creating an NACL for our subnets
    41. Creating an NACL for the public subnet
    42. Creating an NACL for the private subnet
    43. Summary
    44. Questions
    45. Further reading
  16. Implementing Application Security
    1. Technical requirements
    2. Exploring AWS WAF
    3. Creating a web ACL
    4. Step 1 – describing the web ACL and associating it with AWS resources
    5. Step 2 – adding rules and rule groups
    6. Step 3 – setting rule priority
    7. Step 4 – configuring metrics
    8. Step 5 – reviewing and creating the web ACL
    9. Using AWS Firewall Manager
    10. Adding your AWS account to an AWS organization
    11. Selecting your primary account to act as the Firewall Manager administrative account
    12. Enabling AWS Config
    13. Creating and applying an AWS WAF policy to AWS Firewall Manager
    14. Managing the security configuration of your ELBs
    15. Types of AWS ELBs
    16. Managing encrypted requests
    17. Requesting a public certificate using ACM
    18. Securing your AWS API Gateway
    19. Controlling access to APIs
    20. IAM roles and policies
    21. IAM tags
    22. Resource policies
    23. VPC endpoint policies
    24. Lambda authorizers
    25. Amazon Cognito user pools
    26. Summary
    27. Questions
    28. Further reading
  17. DDoS Protection
    1. Technical requirements
    2. Understanding DDoS and its attack patterns
    3. DDoS attack patterns
    4. SYN floods
    5. HTTP floods
    6. Ping of death (PoD)
    7. Protecting your environment using AWS Shield
    8. The two tiers of AWS Shield
    9. AWS Shield Standard
    10. AWS Shield Advanced
    11. Activating AWS Shield Advanced
    12. Configuring AWS Shield Advanced
    13. Selecting your resources to protect
    14. Adding rate-based rules
    15. Adding support from the AWS DDoS Response Team (DRT)
    16. Additional services and features
    17. Summary
    18. Questions
    19. Further reading
  18. Incident Response
    1. Technical requirements
    2. Where to start when implementing effective IR
    3. Making use of AWS features
    4. Logging
    5. Threat detection and management
    6. Responding to an incident
    7. A forensic AWS account
    8. Collating log information
    9. Resource isolation
    10. Copying data
    11. Forensic instances
    12. A common approach to an infrastructure security incident
    13. Summary
    14. Questions
    15. Further reading
  19. Securing Connections to Your AWS Environment
    1. Technical requirements
    2. Understanding your connection
    3. Using an AWS VPN
    4. Configuring VPN routing options
    5. Configuring your security groups
    6. Using AWS Direct Connect
    7. Virtual interfaces
    8. Controlling Direct Connect access using policies
    9. Summary
    10. Questions
  20. Section 4: Monitoring, Logging, and Auditing
  21. Implementing Logging Mechanisms
    1. Technical requirements
    2. Implementing logging
    3. Amazon S3 logging
    4. Enabling S3 server access logging
    5. S3 object-level logging
    6. Implementing flow logs
    7. Configuring a VPC flow log for a particular VPC subnet
    8. Understanding the log file format
    9. Understanding log file limitations
    10. VPC Traffic Mirroring
    11. Using AWS CloudTrail logs
    12. Creating a new trail
    13. Configuring CloudWatch integration with your trail
    14. Understanding CloudTrail logs
    15. Consolidating multiple logs from different accounts into a single bucket
    16. Making your logs available to Amazon Athena
    17. Using the CloudWatch logging agent
    18. Creating new roles
    19. Downloading and configuring the agent
    20. Installing the agent on your remaining EC2 instances
    21. Summary
    22. Questions
    23. Further reading
  22. Auditing and Governance
    1. Technical requirements
    2. What is an audit?
    3. Understanding AWS Artifact
    4. Accessing reports and agreements
    5. Securing AWS using CloudTrail
    6. Encrypting log files with SSE-KMS
    7. Enabling log file validation
    8. Understanding your AWS environment through AWS Config
    9. Configuration items
    10. Configuration streams
    11. Configuration history
    12. Configuration snapshot
    13. Configuration recorder
    14. AWS Config rules
    15. Resource relationships
    16. AWS Config role
    17. The AWS Config process
    18. Maintaining compliance with Amazon Macie
    19. Classifying data using Amazon Macie
    20. Support vector machine-based classifier
    21. Content type
    22. File extension
    23. Theme
    24. Regex
    25. Amazon Macie data protection
    26. AWS CloudTrail events
    27. AWS CloudTrail errors
    28. Summary
    29. Questions
  23. Section 5: Best Practices and Automation
  24. Automating Security Detection and Remediation
    1. Technical requirements
    2. Using CloudWatch Events with AWS Lambda and SNS
    3. Detecting events with CloudWatch
    4. Configuring a response to an event
    5. Configuring cross-account events using Amazon CloudWatch
    6. Using Amazon GuardDuty
    7. Enabling Amazon GuardDuty
    8. Performing automatic remediation
    9. Using AWS Security Hub
    10. Enabling AWS Security Hub
    11. Insights
    12. Findings
    13. Security standards
    14. Performing automatic remediation
    15. Summary
    16. Questions
  25. Discovering Security Best Practices
    1. Technical requirements
    2. Common security best practices
    3. Using AWS Trusted Advisor
    4. Understanding the availability of AWS Trusted Advisor
    5. Reviewing deviations using AWS Trusted Advisor
    6. Yellow alert
    7. Red alert
    8. Penetration testing in AWS
    9. Summary
    10. Questions
  26. Section 6: Encryption and Data Security
  27. Managing Key Infrastructure
    1. Technical requirements
    2. A simple overview of encryption
    3. Symmetric encryption versus asymmetric encryption
    4. Exploring AWS Key Management Service (KMS)
    5. Understanding the key components of AWS KMS
    6. Customer master keys
    7. AWS-owned CMKs
    8. AWS-managed CMKs
    9. Customer-managed CMKs
    10. Data encryption keys (DEKs)
    11. Encryption
    12. Decryption
    13. KMS key material
    14. Importing your own key material
    15. Key policies
    16. Using only key policies to control access
    17. Using key policies in addition to IAM
    18. Using key policies with grants
    19. Exploring AWS CloudHSM
    20. CloudHSM clusters
    21. Creating a CloudHSM cluster
    22. AWS CloudHSM users
    23. Precrypto Office
    24. Crypto Office
    25. Crypto User
    26. Appliance User
    27. AWS Secrets Manager
    28. Summary
    29. Questions
    30. Further reading
  28. Managing Data Security
    1. Technical requirements
    2. Amazon EBS encryption
    3. Encrypting an EBS volume
    4. Encrypting a new EBS volume
    5. Encrypting a volume from an unencrypted snapshot
    6. Re-encrypting a volume from an existing snapshot with a new CMK
    7. Applying default encryption to a volume
    8. Amazon EFS
    9. Encryption at rest
    10. Encryption in transit
    11. Amazon S3
    12. Server-side encryption with S3-managed keys (SSE-S3)
    13. Server-side encryption with KMS-managed keys (SSE-KMS)
    14. Server-side encryption with customer-managed keys (SSE-C)
    15. Client-side encryption with KMS-managed keys (CSE-KMS)
    16. Client-side encryption with customer-managed keys (CSE-C)
    17. Amazon RDS
    18. Encryption at rest
    19. Encryption in transit
    20. Amazon DynamoDB
    21. Encryption at rest
    22. DynamoDB encryption options
    23. Encryption in transit
    24. Summary
    25. Questions
  29. Mock Tests
    1. Mock exam 1
    2. Answers
    3. Mock exam 2
    4. Answers
  30. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
    17. Chapter 17
  31. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: AWS Certified Security - Specialty Exam Guide
  • Author(s): Stuart Scott
  • Release date: September 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781789534474