Book description
Get to grips with the fundamentals of cloud security and prepare for the AWS Security Specialty exam with the help of this comprehensive certification guide
Key Features
- Learn the fundamentals of security with this fast-paced guide
- Develop modern cloud security skills to build effective security solutions
- Answer practice questions and take mock tests to pass the exam with confidence
Book Description
AWS Certified Security – Specialty is a certification exam to validate your expertise in advanced cloud security. With an ever-increasing demand for AWS security skills in the cloud market, this certification can help you advance in your career. This book helps you prepare for the exam and gain certification by guiding you through building complex security solutions.
From understanding the AWS shared responsibility model and identity and access management to implementing access management best practices, you'll gradually build on your skills. The book will also delve into securing instances and the principles of securing VPC infrastructure. Covering security threats, vulnerabilities, and attacks such as DDoS attacks, you'll discover how to mitigate these at different layers. You'll then cover compliance and learn how to use AWS to audit and govern infrastructure, as well as how to monitor your environment by implementing logging mechanisms and tracking data. Later, you'll explore how to implement data encryption as you get hands-on with securing a live environment. Finally, you'll discover security best practices that will assist you in making critical decisions relating to cost, security, and deployment complexity.
By the end of this AWS security book, you'll have the skills to pass the exam and design secure AWS solutions.
What you will learn
- Understand how to identify and mitigate security incidents
- Assign appropriate Amazon Web Services (AWS) resources to underpin security requirements
- Work with the AWS shared responsibility model
- Secure your AWS public cloud in different layers of cloud computing
- Discover how to implement authentication through federated and mobile access
- Monitor and log tasks effectively using AWS
Who this book is for
If you are a system administrator or a security professional looking to get AWS security certification, this book is for you. Prior experience in securing cloud environments is necessary to get the most out of this AWS book.
Table of contents
- Title Page
- Copyright and Credits
- About Packt
- Contributors
- Preface
- Section 1: The Exam and Preparation
- AWS Certified Security - Specialty Exam Coverage
- Section 2: Security Responsibility and Access Management
- AWS Shared Responsibility Model
- Access Management
- Technical requirements
- Understanding Identity and Access Management (IAM)
- Provisioning users, groups, and roles in IAM
- Creating users
- Creating groups
- Creating roles
- Service roles
- User roles
- Web identity federated roles
- SAML 2.0 federated roles
- Configuring Multi-Factor Authentication (MFA)
- Summary
- Questions
- Further reading
- Working with Access Policies
- Technical requirements
- Understanding the difference between policy types
- Identity-based policies
- Resource-based policies
- Permissions boundaries
- Access Control Lists (ACLs)
- Organization SCPs
- Identifying policy structure and syntax
- An example of policy structure
- The structure of a resource-based policy
- Configuring cross-account access
- Creating a cross-account access role
- Creating a policy to assume the cross-account role
- Assuming the cross-account role
- IAM policy management
- Permissions
- Policy usage
- Policy versions
- Access Advisor
- Policy evaluation
- Using bucket policies to control access to S3
- Summary
- Questions
- Further reading
- Federated and Mobile Access
- Section 3: Security - a Layered Approach
- Securing EC2 Instances
- Technical requirements
- Performing a vulnerability scan using Amazon Inspector
- Installing the Amazon Inspector agent
- Configuring assessment targets
- Configuring an assessment template
- Running an assessment
- Viewing findings
- Creating and securing EC2 key pairs
- Creating key pairs
- Creating key pairs during EC2 deployment
- Creating key pairs within the EC2 console
- Deleting a key
- Deleting a key using the EC2 console
- Recovering a lost private key
- Connecting to a Linux-based instance with your key pair
- Connecting to a Windows-based instance with your key pair
- Isolating instances for forensic investigation
- AWS monitoring and logging services
- AWS CloudTrail
- AWS Config
- Amazon CloudWatch
- VPC Flow Logs
- Isolation
- Using Systems Manager to administer EC2 instances
- Creating resource groups in Systems Manager
- Built-in insights
- Actions
- Automation
- Run Command
- Session Manager
- Distributor
- State Manager
- Patch Manager
- Use default patch baselines, or create your own
- Organize instances into patch groups (optional)
- Automate the patching schedule by using Maintenance Windows
- Monitor patch status to ensure compliance
- Summary
- Questions
- Further reading
- Configuring Infrastructure Security
- Technical requirements
- Understanding a VPC
- Creating a VPC using the wizard
- Understanding the VPC components
- Subnets
- The Description tab
- The Flow Logs tab
- The Route Table and Network ACL tabs
- The Tags tab
- Internet gateways
- Route tables
- The Summary tab
- The Routes tab
- The Subnet Associations tab
- The Route Propagation tab
- Network access control lists
- The Details tab
- The Inbound Rules and Outbound Rules tabs
- The Subnet associations tab
- Security groups
- The Description tab
- The Inbound Rules and Outbound Rules tabs
- The Tags tab
- Bastion hosts
- NAT instances and NAT gateways
- Virtual private gateways
- Building a multi-subnet VPC manually
- Creating a VPC
- Creating public and private VPCs
- Creating an IGW
- Creating a route table
- Creating a NAT gateway
- Creating security groups in our subnets
- Creating a security group for instances in Public_Subnet
- Creating a security group for instances in Private_Subnet
- Creating EC2 instances in our subnets
- Creating EC2 instances in Private_Subnet
- Creating EC2 instances in Public_Subnet
- Creating a route table for Private_Subnet
- Creating an NACL for our subnets
- Creating an NACL for the public subnet
- Creating an NACL for the private subnet
- Summary
- Questions
- Further reading
- Implementing Application Security
- Technical requirements
- Exploring AWS WAF
- Creating a web ACL
- Step 1 – describing the web ACL and associating it with AWS resources
- Step 2 – adding rules and rule groups
- Step 3 – setting rule priority
- Step 4 – configuring metrics
- Step 5 – reviewing and creating the web ACL
- Using AWS Firewall Manager
- Adding your AWS account to an AWS organization
- Selecting your primary account to act as the Firewall Manager administrative account
- Enabling AWS Config
- Creating and applying an AWS WAF policy to AWS Firewall Manager
- Managing the security configuration of your ELBs
- Types of AWS ELBs
- Managing encrypted requests
- Requesting a public certificate using ACM
- Securing your AWS API Gateway
- Controlling access to APIs
- IAM roles and policies
- IAM tags
- Resource policies
- VPC endpoint policies
- Lambda authorizers
- Amazon Cognito user pools
- Summary
- Questions
- Further reading
- DDoS Protection
- Technical requirements
- Understanding DDoS and its attack patterns
- DDoS attack patterns
- SYN floods
- HTTP floods
- Ping of death (PoD)
- Protecting your environment using AWS Shield
- The two tiers of AWS Shield
- AWS Shield Standard
- AWS Shield Advanced
- Activating AWS Shield Advanced
- Configuring AWS Shield Advanced
- Selecting your resources to protect
- Adding rate-based rules
- Adding support from the AWS DDoS Response Team (DRT)
- Additional services and features
- Summary
- Questions
- Further reading
- Incident Response
- Technical requirements
- Where to start when implementing effective IR
- Making use of AWS features
- Logging
- Threat detection and management
- Responding to an incident
- A forensic AWS account
- Collating log information
- Resource isolation
- Copying data
- Forensic instances
- A common approach to an infrastructure security incident
- Summary
- Questions
- Further reading
- Securing Connections to Your AWS Environment
- Section 4: Monitoring, Logging, and Auditing
- Implementing Logging Mechanisms
- Technical requirements
- Implementing logging
- Amazon S3 logging
- Enabling S3 server access logging
- S3 object-level logging
- Implementing flow logs
- Configuring a VPC flow log for a particular VPC subnet
- Understanding the log file format
- Understanding log file limitations
- VPC Traffic Mirroring
- Using AWS CloudTrail logs
- Creating a new trail
- Configuring CloudWatch integration with your trail
- Understanding CloudTrail logs
- Consolidating multiple logs from different accounts into a single bucket
- Making your logs available to Amazon Athena
- Using the CloudWatch logging agent
- Creating new roles
- Downloading and configuring the agent
- Installing the agent on your remaining EC2 instances
- Summary
- Questions
- Further reading
- Auditing and Governance
- Technical requirements
- What is an audit?
- Understanding AWS Artifact
- Accessing reports and agreements
- Securing AWS using CloudTrail
- Encrypting log files with SSE-KMS
- Enabling log file validation
- Understanding your AWS environment through AWS Config
- Configuration items
- Configuration streams
- Configuration history
- Configuration snapshot
- Configuration recorder
- AWS Config rules
- Resource relationships
- AWS Config role
- The AWS Config process
- Maintaining compliance with Amazon Macie
- Classifying data using Amazon Macie
- Support vector machine-based classifier
- Content type
- File extension
- Theme
- Regex
- Amazon Macie data protection
- AWS CloudTrail events
- AWS CloudTrail errors
- Summary
- Questions
- Section 5: Best Practices and Automation
- Automating Security Detection and Remediation
- Technical requirements
- Using CloudWatch Events with AWS Lambda and SNS
- Detecting events with CloudWatch
- Configuring a response to an event
- Configuring cross-account events using Amazon CloudWatch
- Using Amazon GuardDuty
- Enabling Amazon GuardDuty
- Performing automatic remediation
- Using AWS Security Hub
- Enabling AWS Security Hub
- Insights
- Findings
- Security standards
- Performing automatic remediation
- Summary
- Questions
- Discovering Security Best Practices
- Section 6: Encryption and Data Security
- Managing Key Infrastructure
- Technical requirements
- A simple overview of encryption
- Symmetric encryption versus asymmetric encryption
- Exploring AWS Key Management Service (KMS)
- Understanding the key components of AWS KMS
- Customer master keys
- AWS-owned CMKs
- AWS-managed CMKs
- Customer-managed CMKs
- Data encryption keys (DEKs)
- Encryption
- Decryption
- KMS key material
- Importing your own key material
- Key policies
- Using only key policies to control access
- Using key policies in addition to IAM
- Using key policies with grants
- Exploring AWS CloudHSM
- CloudHSM clusters
- Creating a CloudHSM cluster
- AWS CloudHSM users
- Precrypto Office
- Crypto Office
- Crypto User
- Appliance User
- AWS Secrets Manager
- Summary
- Questions
- Further reading
- Managing Data Security
- Technical requirements
- Amazon EBS encryption
- Encrypting an EBS volume
- Encrypting a new EBS volume
- Encrypting a volume from an unencrypted snapshot
- Re-encrypting a volume from an existing snapshot with a new CMK
- Applying default encryption to a volume
- Amazon EFS
- Encryption at rest
- Encryption in transit
- Amazon S3
- Server-side encryption with S3-managed keys (SSE-S3)
- Server-side encryption with KMS-managed keys (SSE-KMS)
- Server-side encryption with customer-managed keys (SSE-C)
- Client-side encryption with KMS-managed keys (CSE-KMS)
- Client-side encryption with customer-managed keys (CSE-C)
- Amazon RDS
- Encryption at rest
- Encryption in transit
- Amazon DynamoDB
- Encryption at rest
- DynamoDB encryption options
- Encryption in transit
- Summary
- Questions
- Mock Tests
- Assessments
- Other Books You May Enjoy
Product information
- Title: AWS Certified Security - Specialty Exam Guide
- Author(s):
- Release date: September 2020
- Publisher(s): Packt Publishing
- ISBN: 9781789534474