book

AWS Certified Security – Specialty (SCS-C02) Exam Guide - Second Edition

Name: AWS Certified Security – Specialty (SCS-C02) Exam Guide - Second Edition
ISBN: 9781837633982

by Adam Book, Stuart Scott

April 2024

Intermediate to advanced

614 pages

14h 25m

English

Packt Publishing

Read now

Unlock full access

AWS Certified Security – Specialty (SCS-C02) Exam Guide
Second EditionContributorsAbout the AuthorsAbout the Reviewer
Preface
Who This Book Is ForWhat This Book CoversAWS Certified Security Specialty ExamOnline Practice ResourcesHow to access the resourcesDownload the Color ImagesConventions UsedGet in TouchDownload a Free PDF Copy of This Book
Section 1:AWS Security Fundamentals
Chapter 1: AWS Shared Responsibility Model
Making the Most Out of this Book – Your Certification and BeyondTechnical RequirementsAWS Shared Responsibility ModelShared Responsibility Model for Infrastructure ServicesShared Responsibility Model Example for Infrastructure ServicesShare Responsibility Model for Container ServicesShared Responsibility Model Example for Container ServicesShared Responsibility Model for Abstract ServicesShared Responsibility Model Example for Abstract ServicesAuditors and the Shared Responsibility ModelSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 2: Fundamental AWS Services
Technical RequirementsAccount Management in AWSControl TowerCategories of BehaviorCategories of GuidanceSecurity Considerations for Control TowerAWS OrganizationsService Control PoliciesCloud Compute in AWSAmazon Elastic Compute Cloud (EC2)Understanding an Amazon Machine Image (AMI)Elastic Networking InterfacesElastic Block Store (EBS)AWS LambdaRoute 53Route 53 Health ChecksChecking the Health of a Specific EndpointCloud DatabasesRelational DatabasesRelational Database ServiceAmazon AuroraKey-Value DatabasesIn-Memory DatabasesDocument DatabasesMessage and Queueing SystemsSimple Notification Service (SNS)Simple Queue Service (SQS)Where Would You Use SNS or SQS?Simple Email Service (SES)API GatewaySecurity Considerations for API GatewayTrusted AdvisorReviewing Deviations Using Trusted AdvisorSummaryFurther ReadingExam Readiness Drill – Chapter Review Questions Exam Readiness DrillATTEMPT 1ATTEMPT 2 ATTEMPT 3 Working On Timing
Chapter 3: Understanding Attacks on Cloud Environments
Technical RequirementsUnderstanding the Top Cloud-Native Attacks on InfrastructureBusiness Continuity and ResilienceMitigation for Business Continuity and ResilienceDetection EvasionMitigation for Detection EvasionAWS Infrastructure ScanningMitigation for Infrastructure ScanningTop Cloud-Native Attacks on Software and DataUser Identity FederationMitigation for a Lack of Identity FederationVulnerable IAM PoliciesMitigation of Vulnerable IAM PoliciesVulnerable AWS CredentialsMitigation of Vulnerable AWS CredentialsDDoS ProtectionUnderstanding DDoS and Its Attack PatternsDDoS Attack PatternsSYN FloodsHTTP floodsPing of death (PoD)A Reflection AttackUsing AWS Web Application Firewall as a Response to AttacksAdding Layers of Defense with AWS ShieldThe Two Tiers of AWS ShieldStrengthening the Security Posture of Your AWS AccountSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Section 2:Incident Response
Chapter 4: Incident Response
Technical RequirementsThe Goals of Incident ResponseThe AWS WAF Security PillarsWAF Security – Security FoundationsForensic AWS AccountIncident Response Guidance from AWSA Common Approach to an Infrastructure Security IncidentTechnology Tools to Guide Us in the Operations AspectDetectionLoggingAlertingVisibilityResponse/OperationUnauthorized Activity in Your AccountEC2 Resource IsolationSystems Manager Incident ManagerUsing Automation as a Response to Incident ResponseSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 5: Managing Your Environment with AWS Config
Technical RequirementsThe Task of Internal Compliance and Audit TeamsUnderstanding Your AWS Environment through AWS ConfigCapabilities of AWS ConfigUnderstanding the Various Components of AWS ConfigAWS Config versus AWS CloudTrail and Their ResponsibilitiesConfiguration itemsThe Configuration RecorderThe Config RoleConfiguration StreamsBasic Setup of the Configuration RecorderAWS Config DashboardResource RelationshipAWS Config RulesAWS Config Managed RulesAWS Config Custom RulesEvaluating Config RulesAWS Config Conformance PacksConfiguration HistoryRemediating Non-Compliant Resources with ConfigReal-Life Example of Using Automated RemediationsMulti-Account and Multi-Region Data Aggregation with AWS ConfigTakeaways for the Certification ExamSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 6: Event Management with Security Hub and GuardDuty
Technical RequirementsManaging Threat Detection with Amazon GuardDutyKey Features of GuardDutyData Sources for GuardDutyVPC Flow LogsAWS CloudTrail EventsDNS logsHow GuardDuty WorksWhat GuardDuty Can DetectUnderstanding the Differences between GuardDuty and Amazon MacieEnabling Amazon GuardDutyCustomizing GuardDutyTriggering GuardDutyReviewing the Findings in GuardDutyReviewing Findings in CloudWatch EventsPerforming Automatic RemediationPerforming Manual RemediationsSecurity Alerting with AWS Security HubEnabling AWS Security HubSecurity Standards versus Security Controls versus Security ChecksInsights in Security HubManaged InsightsCustom insightsA Real-World Example of Using AWS Security HubFindingsIntegrationsAutomated Remediation and Responses from Security HubSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing

Section 3:Logging and Monitoring
Chapter 7: Logs Generated by AWS Services
Technical RequirementsS3 Access LogsTurning on Access LogsCreating Some Log FilesViewing the Access LogsS3 Object-Level LoggingVPC Flow Logs and Traffic MonitoringWhy Choose an S3 Bucket over CloudWatch Logs?Enabling VPC Flow LogsAccessing VPC Flow Logs for ReadingParsing the Content of VPC Flow LogsUnderstanding Flow Log LimitationsVPC Traffic MirroringElastic Load Balancer Access LogsLoad Balancer Access Log FilesWeb Application Firewall Visibility and AnalyticsAWS WAF Full LogsServices that Publish Logs to CloudWatch LogsIAM Permissions for Publishing Logs to CloudWatch LogsIAM Permissions for Publishing Logs to S3 BucketsIAM Permissions for Publishing Logs to Kinesis Data FirehoseLogging API Activity with CloudTrailTypes of CloudTrail EventsDefault Settings for CloudTrailCreating a New Trail in AWS CloudTrailData Events for S3 BucketsQuerying the Event History in CloudTrailCloudTrail LakeSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 8: CloudWatch and CloudWatch Metrics
Technical RequirementsCloudWatch OverviewUnderstanding CloudWatch LogsCloudWatch Logs TerminologyRetaining and Expiring CloudWatch LogsInstalling and Using the CloudWatch Logging AgentCreating the Necessary RolesInstalling the CloudWatch Agent on an EC2 InstanceQuerying and Searching CloudWatch LogsPerforming a Search in CloudWatch LogsCloudWatch MetricsMetric Filters in CloudWatchCloudWatch AlarmsCreating a CloudWatch AlarmCloudWatch DashboardsEvent-Driven Applications with AWS EventBridgeUnderstanding Event-Driven ArchitectureUsing EventBridge with AWS Lambda and SNSConfiguring a Custom Event BusAdding a Rule to the Event BusRunning Events on a ScheduleSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 9: Parsing Logs and Events with AWS Native Tools
Technical RequirementsLog Storage Options and Their Cost ImplicationsStoring Logs on S3Different Storage Tiers of S3S3 StandardS3 Intelligent-TieringS3 Standard Infrequent Access (S3 Standard-IA)S3 One Zone Infrequent Access (S3 One Zone-IA)S3 Glacier Instant RetrievalS3 Glacier Flexible RetrievalS3 Glacier Deep ArchiveUsing S3 Lifecycle Policies to Manage LogsCreating a Lifecycle Policy for an S3 BucketComparing Costs of Storing Logs in S3 versus CloudWatch LogsMoving Logs from CloudWatch LogsUsing CloudWatch Logs Subscription FiltersUsing Amazon Kinesis to Process LogsMoving Logs with Kinesis Data FirehoseRunning Queries with Amazon AthenaStoring and Searching Logs in Amazon OpenSearch ServiceSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Section 4:Infrastructure Security
Chapter 10: Configuring Infrastructure Security
Technical RequirementsUnderstanding VPC SecurityAdding a New VPC to Your AWS AccountCreating a VPC with a CloudFormation TemplateExamining the VPC You CreatedSubnetsThe Description ScreenThe Flow Logs TabThe Route Table and Network ACL TabsThe CIDR Reservation and Sharing TabsThe Tags TabRoute TablesThe Details TabThe Routes TabThe Subnets Associations TabThe Route Propagation TabNACLsThe Details BoxThe Inbound and Outbound Rules TabsThe Subnets Associations TabThe Role of Security Groups in VPC SecurityThe Details TabThe Inbound Rules and Outbound Rules TabsPublic and Private SubnetsWhen to Use a Public SubnetUsing Bastion Hosts to Connect to Your VPCNetworking in a VPCAdding Internet Access to a Private SubnetVPCs TogetherWhat Is Peering When It Comes to VPCs?Limitations of VPC PeeringUsing Transit Gateway to Connect VPCsConnecting Your On-Premises Network to Your VPCUsing Direct Connect to Secure On-Premises ConnectivityConnecting with a VPN ConnectionConnecting to Your AWS Services without the InternetThe Different Types of Endpoints Available in VPCsCreating a VPC EndpointSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 11: Securing EC2 Instances
Technical RequirementsSecuring Key Pairs for EC2 InstancesCreating and Securing EC2 Key PairsCreating Key PairsCreating Key Pairs during EC2 DeploymentCreating Key Pairs within the EC2 ConsoleDeleting a KeyDeleting a Key Using the AWS Management ConsoleBuilding a Hardened Bastion ServerAlternate Ways to Connect to a HostAccessing an EC2 Instance Using Session ManagerIsolating EC2 Instances for Forensic InspectionIsolationUnderstanding the Role of Amazon DetectiveUsing Systems Manager to Configure InstancesCreating Inventory in Systems ManagerUsing Systems Manager Run Command with DocumentsLetting Systems Manager Patch Your InstancesPerforming a Vulnerability Scan Using Amazon InspectorInstalling the Amazon Inspector AgentEnabling Amazon Inspector across the OrganizationSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 12: Managing Key Infrastructure
Technical RequirementsA Basic Overview of EncryptionSymmetric Encryption versus Asymmetric EncryptionWorking with AWS KMSCustomer Master KeysAWS-Managed CMKsCustomer-Managed KeysData Encryption KeysKey MaterialImporting Your Own Key MaterialKey PoliciesGrantsEnvelope Encryption and KMSThe Roles of Key Management and Usage in KMSCreating a Key in KMSScoping Key Policies for KMS KeysUsing Only Key Policies to Control AccessAdding a Condition to the Key PolicyCross-Region Key ManagementReplicating a KMS Key in Another RegionChecking the Compliance of KMS keys with AWS ArtifactExploring CloudHSMCloudHSM ClustersUse cases for CloudHSM/HSMsStanding Up CloudHSMAWS CloudHSM UsersPrecrypto Office UserCrypto Office UserCrypto UserAppliance UserComparing CloudHSM to KMSSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 13: Access Management
Technical RequirementsUnderstanding the Identity and Access Management (IAM) ServiceTerms to Understand for IAMAuthorization versus AuthenticationWays in Which IAM Can Authenticate with a PrincipalBest Practices for Using IAMThe Root AccountUsers versus Roles versus Groups in IAMCreating a GroupCreating a UserAdding Multi-Factor Authentication to Your UserSecurity Token ServiceObtaining Credentials with STSIAM Identity CenterSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Section 5:Identity and Access Management
Chapter 14: Working with Access Policies
Technical RequirementsUnderstanding the Differences between Access Policy TypesIdentity-Based PoliciesResource-Based PoliciesPermissions BoundariesCreating a Permissions BoundarySeeing Where Effective Permissions ResideUnderstanding SCPsIdentifying Policy Structure and SyntaxUnderstanding the Use of Conditions in IAM PoliciesUnderstanding by ExampleKey Conditional Terms to KnowString OperatorsThe Bool Condition OperatorIP Address Condition OperatorsManaging your IAM policiesPermissionsEntities AttachedTagsPolicy VersionsAccess AdvisorConfiguring Cross-Account Access Using IAM PoliciesACLsUsing Roles to Provide Cross-Account AccessSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 15: Federated and Mobile Access
Technical RequirementsWhat Is Federated Access?Reasons Not to Use Federated Access with Your AWS AccountEnabling SSO with Corporate Account Identities Using SAMLUsing Social FederationUnderstanding the Amazon Cognito ServiceWhen to Use Amazon CognitoUser PoolsIdentity PoolsHow User and Identity Pools Work TogetherSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 16: Using Active Directory Services to Manage Access
Technical RequirementsUnderstanding the Different Active Directory Offerings in AWSAWS Managed Microsoft ADUse Cases for AWS Managed Microsoft ADAWS AD ConnectorAWS Simple AD – Not Quite Active DirectoryUse Cases for Simple ADDeciding Which Offering Is Right for Your OrganizationCommon Trust Scenarios with AWS Managed Microsoft ADScenario 1 – Allowing Allocated On-Premises Users Access to AWS Resources via Active DirectoryScenario 2 – Using AWS Managed Microsoft AD to Allow Different Departments in Different Accounts to Access FilesConnecting to a Current On-Premises Active DirectorySecurity and Active Directory in AWSSecuring AWS Directory ServicesSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Section 6:Data Protection
Chapter 17: Protecting Data in Flight and at Rest
Technical RequirementsData Encryption IntroductionKeeping Data Stored on EBS Volumes Secure with EncryptionEncrypting an EBS VolumeEncrypting a New EBS VolumeCreating an Encrypted EBS Volume from an Unencrypted SnapshotHow to Re-Encrypt an Existing EBS Volume Using a New CMKHow to Apply Default Encryption for an EBS VolumeEncrypting Amazon EFSSituations When You Should Use Encryption with EFSEncrypting EFS at RestS3 Data Protection and Encryption OptionsEnforcing Encryption of Data in Transit to S3Using Gateway Endpoints to Protect Data in TransitCreating an S3 Gateway EndpointUnderstanding Object Lock in Amazon S3S3 Legal HoldUsing Amazon Macie to Discover PIIMaintaining Compliance with Amazon MacieClassifying Data Using Amazon MacieManaged Data Identifiers versus Custom Data IdentifiersProtecting Data Stored in Relational Database Service on AWSProtecting Data in Transit to and from RDSProtecting Data on Amazon DynamoDBDynamoDB Encryption OptionsSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 18: Securely Connecting to Your AWS Environment
Technical RequirementsUnderstanding Your ConnectionUnderstanding AWS VPNA Quick Overview of VPNsUnderstanding IPsec tunnelsPros and Cons of AWS VPNUsing AWS VPN in your environmentConfiguring VPN Routing OptionsTransmitting Data Directly with AWS Direct ConnectBenefits of Using AWS Direct ConnectHow AWS Direct Connect Provides SecurityDirect Connect GatewayUnderstanding the Purpose of AWS CloudHubSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 19: Using Certificates and Certificate Services in AWS
Technical RequirementsAWS Certificate Manager (ACM) OverviewCertificate Types in ACMDetermining the Difference between Public and Private CertificatesGaining a Deeper Understanding of the ACM Service and Its UsesUsing Public Certificates with the ACM ServiceReal-World Uses for Public Certificates Created by ACMSecuring Static Sites Hosted on Amazon S3Securing an Elastic Load Balancer with a Certificate Issued by ACMIssuing a Security Certificate via ACMAllowing ACM to Manage the Renewal of CertificatesPrivate Certificate Authorities in AWS ACMReal-World Uses for ACM Private CAUsing a Private Certificate from ACM in the Real WorldDisadvantages of Using Private CA with ACMSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 20: Managing Secrets Securely in AWS
Technical RequirementsMitigating the Risk of Lost and Stolen CredentialsSecret Storage Systems in AWSAWS Secrets ManagerPros and Cons of the Secrets Manager ServiceCreating, Storing, and Retrieving a Secret in AWS Secrets ManagerRetrieving the Secret from Secrets ManagerSecrets Rotation in AWS Secrets ManagerUsing AWS Secrets Manager in Multiple RegionsAWS Systems Manager Parameter StorePros and Cons of SSM Parameter StoreUnderstanding the IAM Permissions Used with Parameter StoreStoring and Retrieving a Secret in Parameter StoreHow Providing an Auditable Trail from Secret Usage Helps in Security and ComplianceSummaryFurther ReadingExam Readiness Drill – Chapter Review QuestionsExam Readiness DrillATTEMPT 1ATTEMPT 2ATTEMPT 3Working On Timing
Chapter 21: Accessing the Online Practice Resources
How to Access These ResourcesPurchased from Packt Store (packtpub.com)Packt+ SubscriptionPurchased from Amazon and Other SourcesSTEP 1STEP 2STEP 3STEP 4STEP 5Troubleshooting Tips
Why subscribe?
Other Books You May EnjoyShare Your ThoughtsDownload a Free PDF Copy of This Book

Content preview from AWS Certified Security – Specialty (SCS-C02) Exam Guide - Second Edition

17 Protecting Data in Flight and at Rest

Data protection is one of the six domains in the AWS Certified Security Specialty Exam. Hence, understanding the concepts and execution of protecting data at rest, that is, when it is not in use on disk, and in flight, when it is being transferred from service to service or service to user, is imperative to successfully pass this test.

Storing non-encrypted data in the cloud poses significant security risks, leaving sensitive data vulnerable to unauthorized access, interception, and exploitation by malicious actors. Similarly, transmitting non-encrypted data from AWS (or any cloud provider) to another source, including an end user, exposes sensitive data to interception and eavesdropping, potentially ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

AWS Certified Security - Specialty (SCS-C02)

Publisher Resources

ISBN: 9781837633982

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

AWS Certified Security – Specialty (SCS-C02) Exam Guide - Second Edition

by Adam Book, Stuart Scott

17

Protecting Data in Flight and at Rest

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.