AWS Certified Security – Specialty (SCS-C02) Exam Guide - Adam Book - E-Book

Adam Book

Description

The AWS Certified Security – Specialty exam validates your expertise in advanced cloud security, a crucial skill set in today's cloud market. With the latest updates and revised study material, this second edition provides an excellent starting point for your exam preparation.
You’ll learn the fundamentals of core services, which are essential prerequisites before delving into the six domains covered in the exam. The book addresses various security threats, vulnerabilities, and attacks, such as DDoS attacks, offering insights into effective mitigation strategies at different layers. You’ll learn different tools available in Amazon Web Services (AWS) to secure your Virtual Private Cloud and allow the correct traffic to travel securely to your workloads. As you progress, you’ll explore the intricacies of AWS EventBridge and IAM services. Additionally, you’ll get lifetime access to supplementary online resources, including mock exams with exam-like timers, detailed solutions, interactive flashcards, and invaluable exam tips, all accessible across various devices such as PCs, tablets, and smartphones.
Ultimately, armed with the knowledge and skills acquired from this AWS security guide, you'll be well-prepared to pass the exam and design secure AWS solutions with confidence.

You can read this e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 762


AWS Certified Security – Specialty (SCS-C02) Exam Guide

Second Edition

Get all the guidance you need to pass the AWS (SCS-C02) exam on your first attempt

Adam Book

Stuart Scott

AWS Certified Security – Specialty (SCS-C02) Exam Guide

Second Edition

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Authors: Adam Book and Stuart Scott

Reviewer: Naman Jaswani

Publishing Product Manager: Anindya Sil

Senior Development Editor: Megan Carlisle

Development Editor: Shubhra Mayuri

Presentation Designer: Salma Patel

Editorial Board: Vijin Boricha, Megan Carlisle, Simon Cox, Ketan Giri, Saurabh Kadave, Alex Mazonowicz, Gandhali Raut, and Ankita Thakur

First Published: September 2020

Second edition: April 2024

Production Reference: 1150424

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN: 978-1-83763-398-2

www.packtpub.com

Contributors

About the Authors

Adam Book has been programming since the age of six and has been constantly tapped by founders and CEOs as one of the pillars to start their online or cloud businesses.

Adam has developed applications and websites. He’s been professionally involved in cloud computing and data center transformation since 1996, focusing on bringing the benefits of cloud computing to his clients. He’s led technology teams in transformative changes such as the shift to Infrastructure as Code and implementing Automation.

As a distinguished engineer by trade, Adam is a cloud evangelist with a track record of migrating thousands of applications to the cloud and guiding businesses in understanding cloud economics to create use cases and identify operating model gaps. Adam ran the local AWS user group in Atlanta for over 6 years. He has been certified on AWS since 2014 and holds many of the AWS Certifications and the CISSP and CCSK security certifications.

Stuart Scott has an extensive career spanning over two decades in the IT industry; he has expertise across various technological domains, with a particular interest for Amazon Web Services (AWS). Currently serving as the AWS Content Director at Cloud Academy, Stuart has written over 250 courses, enriching the learning experiences of more than 1.3 million students. His instructional content covers a diverse spectrum of topics, ranging from compute to cutting-edge generative AI solutions. A focal point of Stuart's professional interest lies in AWS security, identity, and compliance, wherein he delves into the intricacies of implementing and configuring AWS services to safeguard and monitor customer data within AWS.

Beyond his role at Cloud Academy, Stuart is a member of the AWS Community Builder program which provides technical resources, mentorship, and networking opportunities to AWS enthusiasts and emerging thought leaders who are passionate about sharing knowledge and connecting with the technical community. Furthermore, Stuart has contributed significantly to the AWS community by delivering talks at AWS community events hosted by AWS User Group Leaders and making appearances on the AWS Twitch channel to discuss cloud education.

About the Reviewer

Naman Jaswani is a seasoned Cyber Security Senior Consultant with over half a decade of experience. He specializes in AWS Security and boasts proficiency in Cloud Security, Application Security, and other Cyber Security domains. Outside of his consulting role, he dabbles in programming, and is particularly intrigued by Blockchain technology. Naman is not only passionate about his professional pursuits but also enjoys indulging in his hobbies of reading, traveling, and photography.

Table of Contents

Preface

Section 1: AWS Security Fundamentals

1

AWS Shared Responsibility Model

Making the Most Out of this Book – Your Certification and Beyond

Technical Requirements

AWS Shared Responsibility Model

Shared Responsibility Model for Infrastructure Services

Shared Responsibility Model Example for Infrastructure Services

Shared Responsibility Model for Container Services

Shared Responsibility Model Example for Container Services

Shared Responsibility Model for Abstract Services

Shared Responsibility Model Example for Abstract Services

Auditors and the Shared Responsibility Model

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

2

Fundamental AWS Services

Technical Requirements

Account Management in AWS

Control Tower

Categories of Behavior

Categories of Guidance

Security Considerations for Control Tower

AWS Organizations

Service Control Policies

Cloud Compute in AWS

Amazon Elastic Compute Cloud (EC2)

Understanding an Amazon Machine Image (AMI)

Elastic Networking Interfaces

Elastic Block Store (EBS)

AWS Lambda

Route 53

Route 53 Health Checks

Checking the Health of a Specific Endpoint

Cloud Databases

Relational Databases

Relational Database Service

Amazon Aurora

Key-Value Databases

In-Memory Databases

Document Databases

Message and Queueing Systems

Simple Notification Service (SNS)

Simple Queue Service (SQS)

Where Would You Use SNS or SQS?

Simple Email Service (SES)

API Gateway

Security Considerations for API Gateway

Trusted Advisor

Reviewing Deviations Using Trusted Advisor

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

3

Understanding Attacks on Cloud Environments

Technical Requirements

Understanding the Top Cloud-Native Attacks on Infrastructure

Business Continuity and Resilience

Mitigation for Business Continuity and Resilience

Detection Evasion

Mitigation for Detection Evasion

AWS Infrastructure Scanning

Mitigation for Infrastructure Scanning

Top Cloud-Native Attacks on Software and Data

User Identity Federation

Mitigation for a Lack of Identity Federation

Vulnerable IAM Policies

Mitigation of Vulnerable IAM Policies

Vulnerable AWS Credentials

Mitigation of Vulnerable AWS Credentials

DDoS Protection

Understanding DDoS and Its Attack Patterns

DDoS Attack Patterns

SYN Floods

HTTP Floods

Ping of Death (PoD)

A Reflection Attack

Using AWS Web Application Firewall as a Response to Attacks

Adding Layers of Defense with AWS Shield

The Two Tiers of AWS Shield

Strengthening the Security Posture of Your AWS Account

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Section 2: Incident Response

4

Incident Response

Technical Requirements

The Goals of Incident Response

The AWS WAF Security Pillars

WAF Security – Security Foundations

Forensic AWS Account

Incident Response Guidance from AWS

A Common Approach to an Infrastructure Security Incident

Technology Tools to Guide Us in the Operations Aspect

Detection

Logging

Alerting

Visibility

Response/Operation

Unauthorized Activity in Your Account

EC2 Resource Isolation

Systems Manager Incident Manager

Using Automation as a Response to Incident Response

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

5

Managing Your Environment with AWS Config

Technical Requirements

The Task of Internal Compliance and Audit Teams

Understanding Your AWS Environment through AWS Config

Capabilities of AWS Config

Understanding the Various Components of AWS Config

AWS Config versus AWS CloudTrail and Their Responsibilities

Configuration Items

The Configuration Recorder

The Config Role

Configuration Streams

Basic Setup of the Configuration Recorder

AWS Config Dashboard

Resource Relationship

AWS Config Rules

AWS Config Managed Rules

AWS Config Custom Rules

Evaluating Config Rules

AWS Config Conformance Packs

Configuration History

Remediating Non-Compliant Resources with Config

Real-Life Example of Using Automated Remediations

Multi-Account and Multi-Region Data Aggregation with AWS Config

Takeaways for the Certification Exam

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

6

Event Management with Security Hub and GuardDuty

Technical Requirements

Managing Threat Detection with Amazon GuardDuty

Key Features of GuardDuty

Data Sources for GuardDuty

VPC Flow Logs

AWS CloudTrail Events

DNS Logs

How GuardDuty Works

What GuardDuty Can Detect

Understanding the Differences between GuardDuty and Amazon Macie

Enabling Amazon GuardDuty

Customizing GuardDuty

Triggering GuardDuty

Reviewing the Findings in GuardDuty

Reviewing Findings in CloudWatch Events

Performing Automatic Remediation

Performing Manual Remediations

Security Alerting with AWS Security Hub

Enabling AWS Security Hub

Security Standards versus Security Controls versus Security Checks

Insights in Security Hub

Managed Insights

Custom Insights

A Real-World Example of Using AWS Security Hub

Findings

Integrations

Automated Remediation and Responses from Security Hub

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Section 3: Logging and Monitoring

7

Logs Generated by AWS Services

Technical Requirements

S3 Access Logs

Turning on Access Logs

Creating Some Log Files

Viewing the Access Logs

S3 Object-Level Logging

VPC Flow Logs and Traffic Monitoring

Why Choose an S3 Bucket over CloudWatch Logs?

Enabling VPC Flow Logs

Accessing VPC Flow Logs for Reading

Parsing the Content of VPC Flow Logs

Understanding Flow Log Limitations

VPC Traffic Mirroring

Elastic Load Balancer Access Logs

Load Balancer Access Log Files

Web Application Firewall Visibility and Analytics

AWS WAF Full Logs

Services that Publish Logs to CloudWatch Logs

IAM Permissions for Publishing Logs to CloudWatch Logs

IAM Permissions for Publishing Logs to S3 Buckets

IAM Permissions for Publishing Logs to Kinesis Data Firehose

Logging API Activity with CloudTrail

Types of CloudTrail Events

Default Settings for CloudTrail

Creating a New Trail in AWS CloudTrail

Data Events for S3 Buckets

Querying the Event History in CloudTrail

CloudTrail Lake

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

8

CloudWatch and CloudWatch Metrics

Technical Requirements

CloudWatch Overview

Understanding CloudWatch Logs

CloudWatch Logs Terminology

Retaining and Expiring CloudWatch Logs

Installing and Using the CloudWatch Logging Agent

Creating the Necessary Roles

Installing the CloudWatch Agent on an EC2 Instance

Querying and Searching CloudWatch Logs

Performing a Search in CloudWatch Logs

CloudWatch Metrics

Metric Filters in CloudWatch

CloudWatch Alarms

Creating a CloudWatch Alarm

CloudWatch Dashboards

Event-Driven Applications with AWS EventBridge

Understanding Event-Driven Architecture

Using EventBridge with AWS Lambda and SNS

Configuring a Custom Event Bus

Adding a Rule to the Event Bus

Running Events on a Schedule

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

9

Parsing Logs and Events with AWS Native Tools

Technical Requirements

Log Storage Options and Their Cost Implications

Storing Logs on S3

Different Storage Tiers of S3

S3 Standard

S3 Intelligent-Tiering

S3 Standard Infrequent Access (S3 Standard-IA)

S3 One Zone Infrequent Access (S3 One Zone-IA)

S3 Glacier Instant Retrieval

S3 Glacier Flexible Retrieval

S3 Glacier Deep Archive

Using S3 Lifecycle Policies to Manage Logs

Creating a Lifecycle Policy for an S3 Bucket

Comparing Costs of Storing Logs in S3 versus CloudWatch Logs

Moving Logs from CloudWatch Logs

Using CloudWatch Logs Subscription Filters

Using Amazon Kinesis to Process Logs

Moving Logs with Kinesis Data Firehose

Running Queries with Amazon Athena

Storing and Searching Logs in Amazon OpenSearch Service

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Section 4: Infrastructure Security

10

Configuring Infrastructure Security

Technical Requirements

Understanding VPC Security

Adding a New VPC to Your AWS Account

Creating a VPC with a CloudFormation Template

Examining the VPC You Created

Subnets

The Description Screen

The Flow Logs Tab

The Route Table and Network ACL Tabs

The CIDR Reservation and Sharing Tabs

The Tags Tab

Route Tables

The Details Tab

The Routes Tab

The Subnets Associations Tab

The Route Propagation Tab

NACLs

The Details Box

The Inbound and Outbound Rules Tabs

The Subnets Associations Tab

The Role of Security Groups in VPC Security

The Details Tab

The Inbound Rules and Outbound Rules Tabs

Public and Private Subnets

When to Use a Public Subnet

Using Bastion Hosts to Connect to Your VPC

Networking in a VPC

Adding Internet Access to a Private Subnet

VPCs Together

What Is Peering When It Comes to VPCs?

Limitations of VPC Peering

Using Transit Gateway to Connect VPCs

Connecting Your On-Premises Network to Your VPC

Using Direct Connect to Secure On-Premises Connectivity

Connecting with a VPN Connection

Connecting to Your AWS Services without the Internet

The Different Types of Endpoints Available in VPCs

Creating a VPC Endpoint

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

11

Securing EC2 Instances

Technical Requirements

Securing Key Pairs for EC2 Instances

Creating and Securing EC2 Key Pairs

Creating Key Pairs

Creating Key Pairs during EC2 Deployment

Creating Key Pairs within the EC2 Console

Deleting a Key

Deleting a Key Using the AWS Management Console

Building a Hardened Bastion Server

Alternate Ways to Connect to a Host

Accessing an EC2 Instance Using Session Manager

Isolating EC2 Instances for Forensic Inspection

Isolation

Understanding the Role of Amazon Detective

Using Systems Manager to Configure Instances

Creating Inventory in Systems Manager

Using Systems Manager Run Command with Documents

Letting Systems Manager Patch Your Instances

Performing a Vulnerability Scan Using Amazon Inspector

Installing the Amazon Inspector Agent

Enabling Amazon Inspector across the Organization

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

12

Managing Key Infrastructure

Technical Requirements

A Basic Overview of Encryption

Symmetric Encryption versus Asymmetric Encryption

Working with AWS KMS

Customer Master Keys

AWS-Managed CMKs

Customer-Managed Keys

Data Encryption Keys

Key Material

Importing Your Own Key Material

Key Policies

Grants

Envelope Encryption and KMS

The Roles of Key Management and Usage in KMS

Creating a Key in KMS

Scoping Key Policies for KMS Keys

Using Only Key Policies to Control Access

Adding a Condition to the Key Policy

Cross-Region Key Management

Replicating a KMS Key in Another Region

Checking the Compliance of KMS Keys with AWS Artifact

Exploring CloudHSM

CloudHSM Clusters

Use Cases for CloudHSM/HSMs

Standing Up CloudHSM

AWS CloudHSM Users

Precrypto Office User

Crypto Office User

Crypto User

Appliance User

Comparing CloudHSM to KMS

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

13

Access Management

Technical Requirements

Understanding the Identity and Access Management (IAM) Service

Terms to Understand for IAM

Authorization versus Authentication

Ways in Which IAM Can Authenticate with a Principal

Best Practices for Using IAM

The Root Account

Users versus Roles versus Groups in IAM

Creating a Group

Creating a User

Adding Multi-Factor Authentication to Your User

Security Token Service

Obtaining Credentials with STS

IAM Identity Center

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Section 5: Identity and Access Management

14

Working with Access Policies

Technical Requirements

Understanding the Differences between Access Policy Types

Identity-Based Policies

Resource-Based Policies

Permissions Boundaries

Creating a Permissions Boundary

Seeing Where Effective Permissions Reside

Understanding SCPs

Identifying Policy Structure and Syntax

Understanding the Use of Conditions in IAM Policies

Understanding by Example

Key Conditional Terms to Know

String Operators

The Bool Condition Operator

IP Address Condition Operators

Managing Your IAM Policies

Permissions

Entities Attached

Tags

Policy Versions

Access Advisor

Configuring Cross-Account Access Using IAM Policies

ACLs

Using Roles to Provide Cross-Account Access

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

15

Federated and Mobile Access

Technical Requirements

What Is Federated Access?

Reasons Not to Use Federated Access with Your AWS Account

Enabling SSO with Corporate Account Identities Using SAML

Using Social Federation

Understanding the Amazon Cognito Service

When to Use Amazon Cognito

User Pools

Identity Pools

How User and Identity Pools Work Together

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

16

Using Active Directory Services to Manage Access

Technical Requirements

Understanding the Different Active Directory Offerings in AWS

AWS Managed Microsoft AD

Use Cases for AWS Managed Microsoft AD

AWS AD Connector

AWS Simple AD – Not Quite Active Directory

Use Cases for Simple AD

Deciding Which Offering Is Right for Your Organization

Common Trust Scenarios with AWS Managed Microsoft AD

Scenario 1 – Allowing Allocated On-Premises Users Access to AWS Resources via Active Directory

Scenario 2 – Using AWS Managed Microsoft AD to Allow Different Departments in Different Accounts to Access Files

Connecting to a Current On-Premises Active Directory

Security and Active Directory in AWS

Securing AWS Directory Services

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Section 6: Data Protection

17

Protecting Data in Flight and at Rest

Technical Requirements

Data Encryption Introduction

Keeping Data Stored on EBS Volumes Secure with Encryption

Encrypting an EBS Volume

Encrypting a New EBS Volume

Creating an Encrypted EBS Volume from an Unencrypted Snapshot

How to Re-Encrypt an Existing EBS Volume Using a New CMK

How to Apply Default Encryption for an EBS Volume

Encrypting Amazon EFS

Situations When You Should Use Encryption with EFS

Encrypting EFS at Rest

S3 Data Protection and Encryption Options

Enforcing Encryption of Data in Transit to S3

Using Gateway Endpoints to Protect Data in Transit

Creating an S3 Gateway Endpoint

Understanding Object Lock in Amazon S3

S3 Legal Hold

Using Amazon Macie to Discover PII

Maintaining Compliance with Amazon Macie

Classifying Data Using Amazon Macie

Managed Data Identifiers versus Custom Data Identifiers

Protecting Data Stored in Relational Database Service on AWS

Protecting Data in Transit to and from RDS

Protecting Data on Amazon DynamoDB

DynamoDB Encryption Options

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

18

Securely Connecting to Your AWS Environment

Technical Requirements

Understanding Your Connection

Understanding AWS VPN

A Quick Overview of VPNs

Understanding IPsec Tunnels

Pros and Cons of AWS VPN

Using AWS VPN in Your Environment

Configuring VPN Routing Options

Transmitting Data Directly with AWS Direct Connect

Benefits of Using AWS Direct Connect

How AWS Direct Connect Provides Security

Direct Connect Gateway

Understanding the Purpose of AWS CloudHub

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

19

Using Certificates and Certificate Services in AWS

Technical Requirements

AWS Certificate Manager (ACM) Overview

Certificate Types in ACM

Determining the Difference between Public and Private Certificates

Gaining a Deeper Understanding of the ACM Service and Its Uses

Using Public Certificates with the ACM Service

Real-World Uses for Public Certificates Created by ACM

Securing Static Sites Hosted on Amazon S3

Securing an Elastic Load Balancer with a Certificate Issued by ACM

Issuing a Security Certificate via ACM

Allowing ACM to Manage the Renewal of Certificates

Private Certificate Authorities in AWS ACM

Real-World Uses for ACM Private CA

Using a Private Certificate from ACM in the Real World

Disadvantages of Using Private CA with ACM

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

20

Managing Secrets Securely in AWS

Technical Requirements

Mitigating the Risk of Lost and Stolen Credentials

Secret Storage Systems in AWS

AWS Secrets Manager

Pros and Cons of the Secrets Manager Service

Creating, Storing, and Retrieving a Secret in AWS Secrets Manager

Retrieving the Secret from Secrets Manager

Secrets Rotation in AWS Secrets Manager

Using AWS Secrets Manager in Multiple Regions

AWS Systems Manager Parameter Store

Pros and Cons of SSM Parameter Store

Understanding the IAM Permissions Used with Parameter Store

Storing and Retrieving a Secret in Parameter Store

How Providing an Auditable Trail from Secret Usage Helps in Security and Compliance

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

21

Accessing the Online Practice Resources

Other Books You May Enjoy

Preface

This book aims to provide you with a comprehensive understanding of the services covered by the AWS Certified Security Specialty exam. It includes sample architectures and case studies built around them so you can visualize how AWS services work. There are also plenty of hands-on exercises to try out in your own AWS account. You will find some very helpful use cases and anti-patterns presented for the different services in the book. It’s important to be aware of anti-patterns when preparing for an exam; an exam question may present a service as a potential solution, but that service may actually be an anti-pattern and should not be used. Knowing where a service fits best and where it doesn’t will help you choose the right answers in the exam.

Many certification books assume you will read them once, pass the test, and then place them on your bookshelf or pass them on to a colleague, and both their content and structure reflect this. In contrast, this book has been put together in such a way that you can hopefully use it as a reference guide in your duties as a security professional working in an AWS environment. You will find that extra information that may not necessarily appear in the exam has been added to the book. Once you pass the exam, you will be expected to be able to practically apply the topics you have learned about in the real world. The extra information in the book will help you tackle real-world, high-pressure security events, which can sometimes be harder than cracking the exam.

Who This Book Is For

This book is for anyone who wishes to achieve the Certified Security Specialty certification offered by Amazon Web Services (AWS). Apart from that, this book will also be useful for security professionals looking to gain a more comprehensive understanding of the security aspects of AWS, as well as for AWS users looking to enhance the security of their offerings. The most common roles looking to achieve this certification are as follows:

Cloud security consultant
Cloud security architect
Cloud security engineer
DevSecOps engineer
Cloud security specialist

This exam assumes you have some basic knowledge of information technology security principles and concepts, of cloud security, or a background in IT security and governance.

The AWS Certified Security Specialty certification recommends a minimum of two years of practical AWS production deployment experience for the test taker. This requirement reflects the depth and technical proficiency expected from the candidate.

What This Book Covers

Chapter 1, AWS Shared Responsibility Model, discusses the different shared responsibility models that define where your responsibilities as a customer implementing, controlling, and managing security in AWS end and those of AWS itself, which controls the security of the cloud, begin.

Chapter 2, Fundamental AWS Services, briefly covers the core AWS services that will be discussed throughout the book. This chapter aims to ensure that you have a robust understanding of the core services before diving deep into the domains of the Security Specialty certification material.

Chapter 3, Understanding Attacks on Cloud Environments, shows you how the skills acquired from this book translate into protecting your own and your customers’ environments from bad actors seeking to take advantage of unprotected environments. It discusses some of the top cloud-native attacks on software and infrastructure, as well as the AWS services that can be used to combat those attacks.

Chapter 4, Incident Response, explains how you can prepare for and react to incidents manually and automatically. You will learn the value of using a separate security forensic account for quarantine and containment. You will also review several AWS tools designed to help in various incident response situations.

Chapter 5, Managing Your Environment with AWS Config, takes a deep dive into the AWS Config service. It will show you how to use automation to maintain compliance in your AWS environment, as well as how AWS Config can be used across multiple regions and accounts. You will also learn how to use Lambda functions to automatically remediate items that violate your compliance policies using Config’s remediation feature.

Chapter 6, Event Management with Security Hub and GuardDuty, discusses threat detection and security management across one or more accounts with the native tooling available in AWS: AWS Security Hub and Amazon GuardDuty. You will learn what types of data sources are ingested to provide threat detection and how you can enable these services and trigger alerts for you and your team.

Chapter 7, Logs Generated by AWS Services, discusses the different sources in AWS from which you can acquire logging data, as well as how to collect and search through these logs centrally. The log types explained include S3 server access logs, VPC Flow Logs, load balancer logs, and CloudTrail logs.

Chapter 8, CloudWatch and CloudWatch Metrics, deals with the different monitoring aspects of the CloudWatch service. You will learn how to use and search CloudWatch Logs, install the CloudWatch Logs agent on an EC2 instance, use the basic metrics provided by CloudWatch, and create custom metrics. You will also learn about Amazon EventBridge and EventBridge Rules.

Chapter 9, Parsing Logs and Events with AWS Native Tools, explains the different storage options and their costs. It also takes you through the managed OpenSearch and Kinesis services and how they facilitate log aggregation. Finally, it teaches you how to parse logs with Amazon Athena.

Chapter 10, Configuring Infrastructure Security, aims to help you fully understand the Virtual Private Cloud (VPC) security features AWS offers to effectively secure your VPC environments. By the end of the chapter, you will be able to confidently build a secure multi-subnet VPC using internet gateways, route tables, network access control lists, security groups, bastion hosts, NAT gateways, subnets, and virtual private gateways.

Chapter 11, Securing EC2 Instances, covers securing your instance infrastructure using a variety of techniques. These include performing vulnerability scans using Amazon Inspector, securing your EC2 key pairs, and using AWS Systems Manager to effectively administer your fleet of EC2 instances.

Chapter 12, Managing Key Infrastructure, talks about Key Management Service (KMS), which stores and manages the encryption keys for the different services. You will learn about the differences between Amazon-managed keys and customer-managed keys. You will also learn about the CloudHSM service for companies that need more control over their encryption keys.

Chapter 13, Access Management, focuses on the core concept of Identity and Access Management (IAM) and the IAM service. You will learn how to provision users, groups, and roles in a single account, secure access to those users using Multi-Factor Authentication (MFA), and also look into multi-account access with the IAM Identity Center.

Chapter 14, Working with Access Policies, examines several different policies used to grant access permissions to resources. You will learn how to read, edit, and create IAM and S3 policies. You will also see examples of Service Control Policies (SCPs), which are key tools in providing security and governance to AWS Organizations.

Chapter 15, Federated and Mobile Access, provides comprehensive information on what federated access is. This includes explaining social federation and enterprise federation to your AWS account. You will see how to enable Single Sign-On (SSO) to your AWS account using SAML. You will also learn about the Amazon Cognito service, which allows federation with Identity Providers (IdPs) to your applications.

Chapter 16, Using Active Directory Services to Manage Access, explains the different types of Active Directory offerings in AWS and how to allow federated access from your on-premises system to your AWS cloud environment. You will review the differences between each offering and explore scenarios in which a one-way or two-way trust would be useful.

Chapter 17, Protecting Data in Flight and at Rest, delves into the topic of encryption and, more specifically, how AWS handles encryption with different services. You will learn about Elastic Block Store encryption, Elastic File Store encryption, and options for encrypting S3 buckets from a filesystem and blob perspective. This chapter also covers database encryption, showing you how to encrypt the RDS and DynamoDB services.

Chapter 18, Securely Connecting to Your AWS Environment, teaches you how to connect securely to your AWS environment using AWS Virtual Private Network (VPN), AWS Direct Connect, and AWS CloudHub. It also presents an overview of VPN technology, the types of VPNs available in AWS, and the different IPsec options.

Chapter 19, Using Certificates and Certificate Services in AWS, covers the different types of secure certificates used in AWS. It then discusses the AWS Certificate Manager service and explains how it can generate public certificates and act as a private certificate manager. Finally, it shows you how you can use the certificates you generated with ACM with elastic load balancers in your account.

Chapter 20, Managing Secrets Securely in AWS, explains why you should store your secrets securely in a public cloud environment such as AWS. You will review the different service offerings available to help you perform this task: Secrets Manager and Systems Manager Parameter Store. Finally, it shows you how to tell which users actually used any given secret.

Chapter 21, Accessing the Online Practice Resources, presents all the necessary information and guidance on how you can access the online practice resources that come free with your copy of this book. These resources are designed to enhance your exam preparedness.

AWS Certified Security Specialty Exam

The AWS Certified Security Specialty exam was updated on July 11, 2023 and expanded from five domains to six. A new domain, Management and Security Governance, was added. In addition to the new domain, Domain 1 now also includes threat detection.

The following table shows you the difference between the latest version of the exam outline and the previous one:

SCS-C01 (Applicable up to July 11, 2023)        | SCS-C02 (Applicable from July 11, 2023)
------------------------------------------------|---------------------------------------------------------
Domain 1: Incident Response – 12%               | Domain 1: Threat Detection and Incident Response – 14%
Domain 2: Logging and Monitoring – 20%          | Domain 2: Security Logging and Monitoring – 18%
Domain 3: Infrastructure Security – 26%         | Domain 3: Infrastructure Security – 20%
Domain 4: Identity and Access Management – 20%  | Domain 4: Identity and Access Management – 16%
Domain 5: Data Protection – 22%                 | Domain 5: Data Protection – 18%
(no equivalent domain)                          | Domain 6: Management and Security Governance – 14%

Table 0.1: Comparison between the previous and updated version of the exam

Online Practice Resources

With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.

How to access the resources

To learn how to access the online resources, refer to Chapter 21, Accessing the Online Practice Resources at the end of this book.

Figure 0.1 – Online exam-prep platform on a desktop device

Sharpen your knowledge of AWS Certified Security Specialty (SCS-C02) concepts with multiple sets of mock exams, interactive flashcards, and exam tips accessible from all modern web browsers.

Download the Color Images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book.

You can download it here: <https://packt.link/RzbVH>

Conventions Used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “You will use the detect_labels API from Amazon Rekognition in the code.”

A block of code is set as follows:

{
    "Effect": "Allow",
    "Principal": {
        "CanonicalUser": "b035577b325d98aa1e72ca0000EXAMPLE"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::abcuser-bucket/*"
}

Any command-line input or output is written as follows:

aws iam create-login-profile --user-name Packt --password Ch@ng3mE --password-reset-required

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: “In CloudWatch, each Lambda function will have a log group and, inside that log group, many log streams.”

Tips or important notes

Appear like this.

Get in Touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, select your book, click on the Errata Submission Form link, and enter the details. We ensure that all valid errata are promptly updated in the GitHub repository, with the relevant information available in the Readme.md file. You can access the GitHub repository here: <https://packt.link/L2aE6>.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read AWS Certified Security – Specialty (SCS-C02) Exam Guide, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a Free PDF Copy of This Book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below:

https://packt.link/free-ebook/9781837633982

Submit your proof of purchase. That’s it! We’ll send your free PDF and other benefits to your email directly.

Section 1: AWS Security Fundamentals

Before you start your journey into security with AWS, you first need to grasp a few fundamental concepts. This book begins with the AWS shared responsibility model, explaining the differences between security “in” the cloud and security “of” the cloud. The book also breaks down the responsibilities that you, the customer, hold regarding security compared with those AWS has as the cloud provider.

Next, the book dives into a quick review of AWS’s essential services and discusses how they relate to security. The exam asks questions on many of these services. Understanding the purpose and capabilities of these services is vital to dissecting each question and recognizing what it is really asking.

The section also considers some of the most pertinent reasons why security should be at the forefront when building your AWS environments. Finally, as we wrap up the section, we look at some of the top attacks our cloud environments can fall vulnerable to, and some ways to mitigate those risks.

This section comprises the following chapters:

Chapter 1, AWS Shared Responsibility Model
Chapter 2, Fundamental AWS Services
Chapter 3, Understanding Attacks on Cloud Environments

1

AWS Shared Responsibility Model

Now that you are ready to begin your journey, the first step is to understand who is responsible for what when it comes to cloud computing. Security for both workloads and data stored in the cloud is separated into functions performed by both the customer and the cloud service provider (in this case, AWS). The shared responsibility model describes which duty belongs to whom.

From its very name, the Shared Responsibility Model, it is clear from the outset that more than one party is involved. This model defines where the customer’s responsibility for implementing, controlling, and managing security within AWS starts and ends, compared to that of the cloud service provider – in this case, AWS.

The roles and responsibilities of managing security require a shared awareness between the two parties. The model itself is not a legal agreement in any way; it is simply down to you to be aware of the model and understand its importance so you can architect and protect your resources effectively.

AWS has three different shared responsibility models: infrastructure, container, and managed services. All these have varied levels of responsibility between the cloud customers and AWS. In this chapter, you will explore each model to help you understand their differences and how this affects security in and of the cloud.

The following main topics will be covered in this chapter:

Understanding security in the AWS cloud
The AWS shared responsibility model
How different services require more or fewer security responsibilities from a customer standpoint

Making the Most Out of this Book – Your Certification and Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your AWS Certified Security Specialty exam.

The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.

Before You Proceed

To learn how to access these resources, head over to Chapter 21, Accessing the Online Practice Resources, at the end of the book.

Figure 1.1: Dashboard interface of the online practice resources

Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:

Read each section thoroughly.

Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.

Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill – Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end.

Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.

Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.

Exam Tips: Review these from time to time to improve your exam readiness even further.

Technical Requirements

You need to have a basic understanding of AWS services and IaaS, PaaS, and SaaS cloud service models. Having a good understanding of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) will come into play as you learn about the nuances of the different models and how the responsibilities shift between the cloud provider (AWS in this case) and you, the customer.

You’ll begin this chapter with a breakdown of which sections of security you, the customer, and AWS, the cloud provider, are individually responsible for, depending on the type of service you are using on the platform.

AWS Shared Responsibility Model

The more customizable your service or platform, the more responsibilities you hold as the customer. The AWS service that you choose to use dictates your responsibility based on the amount of configuration that needs to be performed in the service tier.

Figure 1.2: A comparison of shared responsibility models

Figure 1.2 shows that infrastructure services, which are presented as an IaaS platform, including services such as EC2, hold many more customer responsibilities regarding security. The trade-off you receive for this more significant burden of responsibility is the flexibility and customization you are allowed in the layer. You can see that each of the different models is labeled directly underneath, and each of the models will be discussed in detail in the following pages.

The basis for what AWS is responsible for remains the same—that is, the hardware, AWS global infrastructure, and the AWS foundational services. This security foundation is what AWS refers to as Security of the Cloud and is described in detail below:

AWS Global Infrastructure: AWS provides security for the global infrastructure, including Regions, Availability Zones, Edge Locations, and Regional Edge Caches. This global infrastructure forms the physical data centers and point-of-presence locations that AWS uses globally to store your AWS resources physically. Customers do not have physical access to AWS data centers and are not allowed to turn up at the door of an AWS data center and ask to see their cloud resources. As a result, it is down to AWS to ensure that the physical security of their data centers meets stringent security controls and global security standards.

AWS Foundation Services: AWS also provides foundation services, as defined in the model, covering compute, storage, database, and network components. This means it physically provides the hardware and underlying infrastructure to allow customers to create resources from the pooled hardware AWS provisions. Again, as a customer, you do not have access to these hosts, the physical infrastructure, or the underlying hypervisor software on each host. To ensure the separation of resources on a single host, all access is controlled and their security is managed by AWS.

The customer is responsible for Security in the Cloud, which varies based on the service you are working with. As you will see in the following sections, the more control and customization you get with the AWS service, the more responsibility you have.

Shared Responsibility Model for Infrastructure Services

The shared model for infrastructure services is the most common model that AWS engineers and users are familiar with today. It is represented in Figure 1.3 and covers IaaS services such as Amazon Elastic Compute Cloud (EC2):

Figure 1.3: Shared responsibility model for infrastructure services

So, within this infrastructure, AWS provides global reach via various data centers and provides the underlying hardware and infrastructure required to allow its customers to create cloud resources from the AWS-provisioned and pooled hardware resources. These two components effectively make up the AWS cloud.

Essentially, customers have the ultimate security responsibility for anything they provision using AWS foundation services across the global infrastructure.

Using the EC2 service as an example, look at each point relating to the customer’s responsibilities from the preceding diagram:

Customer data: The customer has to maintain the security of the data they import into or create within their AWS environment—for example, any data stored on EC2 volumes, ephemeral or persistent.

Platform, application, and Identity and Access Management (IAM): Any platform or application installed on top of your EC2 instance must be secured and protected by controls configured and implemented by you, the customer. In addition to this, you are solely responsible for maintaining any access control to your EC2 instance and applications. AWS provides the IAM service to implement these controls, but it is down to you to implement adequate security measures using the features offered by IAM.

Operating system and network and firewall configuration: As you saw in Figure 1.2, the responsibility of AWS ends at the hypervisor level. EC2 instances fall within the infrastructure model, so maintaining the operating system’s security is the customer’s responsibility. As a result, the customer must sustain and implement patching for the relevant operating system. EC2 instances are deployed within a Virtual Private Cloud (VPC). Therefore, network configuration, including firewall restrictions such as security groups (effectively, virtual firewalls operating at the instance level), must be configured and associated appropriately to protect your EC2 fleet.

Client-side data encryption and data integrity authentication: This relates to the protection of data generated by or stored on your EC2 instances via an encryption mechanism. If you plan to encrypt your data as a customer, you are responsible for doing so.

Server-side encryption (filesystem and/or data): Again, if you plan to use any form of encryption to protect your data using server-side mechanisms (perhaps through the use of the Key Management Service (KMS), which will be discussed in depth in a later chapter), it is down to you to use the service effectively for data protection.

Network traffic protection (encryption/identity/integrity): When network traffic is being sent to and from your EC2 instance, you can configure encryption of the communication with a protocol such as SSL or HTTPS, where applicable. Using AWS Certificate Manager, which will be discussed in depth in Chapter 19, Using Certificates and Certificate Services in AWS, helps simplify the management and provisioning of secure certificates with AWS services.

Shared Responsibility Model Example for Infrastructure Services

When you spin up an EC2 instance in your AWS account, you are able to choose a region from all the available geographic regions AWS offers to have your instance come up in. There is no need to order a server or rack, stack it, secure it in the cage at the data center, and so on. Once that server spins up, it will have a base operating system and network connectivity based on the VPC settings that you have chosen or configured.

Once your instance is up and running, whether for minutes, hours, months, or even years, it is your responsibility as the customer to update (or remove) any packages that do not meet your security baseline. Suppose you add additional users; this falls under the Identity and Access Management category. In that case, it is up to you to ensure that these users conform to your organization’s password or secure key policy. Similarly, if you decide to install any additional applications, keeping them up to date when security patches become available (either through the vendor or from the developers) is again your responsibility.

As you connect to this EC2 instance, creating a secure connection via SSL or TLS is up to you. Securing the data in transit to and from the instance falls under the customer responsibilities of the shared model for infrastructure security.

In summary, when working with services that fall within the infrastructure shared responsibility model, AWS is responsible for the security of the cloud, which includes everything in the hypervisor stack and levels below it. The customer is then responsible for security in the cloud, which starts from the operating system stack and levels above it.

Having an understanding of each of these models will help you define a more robust security strategy and strengthen your security posture across your AWS account. Fully understanding what you are responsible for and what AWS is responsible for will help ensure that you are not left open to any unexpected vulnerabilities.

Although infrastructure services constitute a large part of cloud computing (especially when it comes to AWS), the way the security responsibilities are handled for the customer and the cloud provider is not the same as that of packaged services. In the next section, you will learn about some of those differences of the shared responsibility model for container services.

Shared Responsibility Model for Container Services

The second model this chapter will cover is the container model. The word container is frequently used to describe software packages containing code and all associated dependencies that can be run across various compute environments. Examples of standard container technologies are Docker, Podman, and Kubernetes. However, the word container refers to a slightly different concept when used in this context.

The container model focuses on services that reside on top of infrastructure services. This implies that the customer does not have access to some of the infrastructure-level components, such as the operating system. The following are some examples of services in the container model:

AWS Elastic MapReduce (EMR)
AWS Relational Database Service (RDS)
AWS Elastic Beanstalk

Figure 1.4 shows the responsibility model for container services:

Figure 1.4: Shared responsibility model for container services

As is evident from the preceding figure, AWS still maintains the same level of security responsibility it retained from the infrastructure model, along with additional responsibilities. Platform, application management, operating system, and network configuration are now the responsibility of AWS in this model.

Shared Responsibility Model Example for Container Services

Consider the example of RDS. In this case, customers do not have access to the underlying operating system that the RDS databases are running on. As such, customers cannot patch the operating system. This security task has been shifted from the customer to AWS. In addition, platform and application management have also been passed to AWS. This is because RDS is a managed service, and as a result, all the application maintenance is undertaken by AWS. This takes a huge administrative burden off the customer but also simultaneously introduces a level of restriction, as they are only presented with the platform and everything above the stack.

Shared Responsibility Model for Abstract Services

The final model you will examine is the abstract shared responsibility model shown in Figure 1.5:

Figure 1.5: Shared responsibility model for abstract services

Right away, from a visual perspective, it is apparent that the shift in responsibility leans even more heavily toward AWS.

This model retains the level of security AWS must manage from the previous two models (infrastructure and container) and adds server-side encryption and network traffic protection. The following are some examples of services in the abstract model:

Amazon Simple Queue Service (SQS)
Amazon DynamoDB
Amazon Simple Storage Service (S3)

These are defined as abstract services as almost all the control and management of the service is abstracted away from the end customer; you access these services through endpoints. Customers do not have access to the underlying operating system (infrastructure) or the actual platform running these services (container). Instead, the customer is presented with the service frontend or endpoint configured as required.

As a result, the customer is totally abstracted away from maintaining security updates for the operating system or any platform patches and security management. This also means that with services that fall in this model, AWS is responsible for implementing and controlling any server-side encryption algorithms, such as Amazon S3 Server-Side Encryption (SSE-S3). Therefore, the customer has no control over the access keys used for this encryption method—it is all managed by AWS.

Further, AWS will manage the secure transfer of data between the service components, for example, when S3 automatically copies customer data to multiple endpoints across different availability zones. As a customer, you have no control over this data transfer, so AWS must secure the traffic.

Shared Responsibility Model Example for Abstract Services

You have decided to store some static documents and data in multiple S3 buckets since S3 is both optimal for blob storage and cost-effective. AWS already manages the S3 platform and keeps the application and operating system patches up to date.

Once you decide to place one of the documents into a particular bucket, you need to refer to your organizational policies to see if encryption at rest is required. Your first decision is whether you will do client- or server-side encryption. If you decide to use client-side encryption, you will need to generate a pair of keys (if a pair is not already available), encrypt the document, and then upload the encrypted payload to the S3 bucket.

Suppose you decide to go with server-side encryption. In that case, you must either provide your own Customer Managed Key (CMK) using Key Management Service (KMS) or use the Amazon-managed key to encrypt the data once it is placed into the bucket.

Now that the data has been added to the bucket, you, as the bucket administrator, need to decide who will gain access to this bucket and how you will control this access. You can create an IAM policy if access is limited to internal users. If users from another organization need to access the data and documents, you will craft a bucket policy with the correct permissions.

To summarize this example, in the abstract services shared responsibility model, the customer manages their data, who has access to it, and the encryption settings.
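The access and encryption decisions in this example, as an added Python example that is not from the book: it builds a bucket policy that grants a partner account read access while denying uploads that do not use SSE-KMS with the organization's CMK and denying non-TLS requests, and it includes a small evaluator for the IAM condition semantics those deny statements depend on. The bucket name, account IDs, role name, and key ID are constructed placeholders.

```python
"""Added example (not from the book): a bucket policy for the S3 scenario
above, plus a tiny evaluator for the IAM condition semantics it relies on.
The bucket name, account IDs, role name and key ID are constructed placeholders."""
import json

BUCKET = "example-static-docs"                                            # constructed
ORG_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/CMK-ID-PLACEHOLDER"  # placeholder
PARTNER_ROLE_ARN = "arn:aws:iam::444455556666:role/PartnerDocReader"       # constructed


def build_bucket_policy(bucket, partner_principals, cmk_arn):
    """Cross-account read for the partner (bucket policy rather than IAM policy,
    because the principals live in another account), plus guardrails for
    encryption at rest (SSE-KMS with the organization's CMK) and in transit."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPartnerRead",
                "Effect": "Allow",
                "Principal": {"AWS": list(partner_principals)},
                "Action": "s3:GetObject",
                "Resource": objects,
            },
            {   # A PutObject with no SSE header is also denied: StringNotEquals
                # on an absent key matches, so clients must send the header even
                # when bucket default encryption is enabled.
                "Sid": "DenyUploadsNotUsingSseKms",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                "Sid": "DenyUploadsWithWrongKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": cmk_arn}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _condition_matches(condition, context):
    """Evaluate the two operators the policy uses. AWS rule modelled here: a
    negated operator (StringNotEquals) matches when the key is absent from the
    request context; a non-negated operator (Bool) does not."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def is_denied(policy, action, context):
    """Return the Sid of the first Deny statement that applies to `action` given
    the request context keys, or None. Only the explicit-deny side is modelled;
    Allow evaluation and resource matching are out of scope for this example."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
                   for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, [PARTNER_ROLE_ARN], ORG_CMK_ARN)
    print(json.dumps(policy, indent=2))
    # A compliant upload: SSE-KMS with the organization's CMK over TLS.
    ok = {"s3:x-amz-server-side-encryption": "aws:kms",
          "s3:x-amz-server-side-encryption-aws-kms-key-id": ORG_CMK_ARN,
          "aws:SecureTransport": "true"}
    print("compliant upload denied by:", is_denied(policy, "s3:PutObject", ok))
    print("plain-HTTP read denied by:",
          is_denied(policy, "s3:GetObject", {"aws:SecureTransport": "false"}))
```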

With an understanding of the shared responsibility model for abstract services, you can now delve into how using and understanding these models can help you when dealing with audits or auditors.

Auditors and the Shared Responsibility Model

Many industries require you to show compliance in your cloud environment as it relates to industrial controls.

Using and understanding the shared security model will help you and your auditors understand which controls you, as the customer, are responsible for and which ones are the responsibility of AWS, the cloud provider.

Suppose your auditor is requesting information or evidence for something that AWS manages. In that case, you can refer the auditor to the specific shared responsibility model for the service to show how the cloud service provider maintains control of that particular standard.

Summary

This chapter discussed the three shared security models used for AWS services: infrastructure, container, and abstract services. You learned that, from a security perspective and depending on the service you are using, your responsibility as a customer and that of AWS as the cloud provider can change.

Understanding these models and being able to differentiate between them will be beneficial when you implement your security strategies across your solutions as it means you will clearly understand where your responsibility ends and AWS’s responsibility begins. This will help ensure that you do not leave any vulnerabilities across your AWS infrastructure within your accounts.

You also examined how the shared security model can help you by clarifying which items you and your organization are responsible for when it comes to compliance and audits for your business.

Chapter 2, Fundamental AWS Services, will provide a brief overview of many of the services used in the AWS ecosystem that are not particularly focused on security. Even the services that do not have a specific security focus often play a significant role in the solutions we build for our systems and customers. The AWS Security Competency exam expects you to have a base knowledge of the services offered and how you can fortify them as a security engineer or professional.

Further Reading

For additional information on the AWS shared responsibility model and the underlying foundation of AWS security, please refer to the following resources:

Introduction to AWS Security: https://packt.link/yoltd
The shared responsibility model: https://packt.link/JjZ65

Exam Readiness Drill – Chapter Review Questions

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That is why working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

How To Access These Resources

To learn how to access these resources, head over to the chapter titled Chapter 21, Accessing the Online Practice Resources.

To open the Chapter Review Questions for this chapter, perform the following steps:

Click the link – https://packt.link/SCSC02E2_CH01.

Alternatively, you can scan the following QR code (Figure 1.6):

Figure 1.6: QR code that opens Chapter Review Questions for logged-in users

Once you log in, you’ll see a page similar to the one shown in Figure 1.7:

Figure 1.7: Chapter Review Questions for Chapter 1

Once ready, start the following practice drills, re-attempting the quiz multiple times.

Exam Readiness Drill

For the first three attempts, don’t worry about the time limit.

ATTEMPT 1

The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2

The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3

The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip

You may take more than three attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look:

Attempt   | Score | Time Taken
----------|-------|-------------------
Attempt 5 | 77%   | 21 mins 30 seconds
Attempt 6 | 78%   | 18 mins 34 seconds
Attempt 7 | 76%   | 14 mins 44 seconds

Table 1.1: Sample timing practice drills on the online platform

Note

The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

2

Fundamental AWS Services

Now that you understand the shared responsibility model, it’s time to look at some essential services that are used throughout the environments and accounts in which you will be working. These essential services are compute services such as Elastic Compute Cloud (EC2), the global Domain Name System (DNS) service of Route 53, database services such as RDS and Aurora, account management services such as Control Tower and AWS Organizations, and the advisory service of Trusted Advisor. This may seem like a review of services you already know if you have taken the Cloud Practitioner, Solutions Architect (Associate or Professional), or other AWS certification. Although there is no need to take or pass any other AWS certification exams before attempting the Security Specialty certification by AWS, it’s not a bad idea to get familiar with some essential services.

After reading this chapter, you should have a basic understanding of the AWS services that the exam covers. These services are also many of the core services that you use on a daily basis. There are plenty of opportunities to dig deeper into the topics presented using the links at the end of this chapter.

The following main topics will be covered in this chapter:

Virtual private networking/Route 53 networking
Compute services on AWS
Cloud databases
Message and queueing systems
Trusted Advisor

Technical Requirements

You will need an AWS account to access the Management Console, and you need to have already set up the CLI.

Important Note

This book will not be going over AWS’s geography, regions, Availability Zones, or edge locations. However, these are fundamental concepts you should fully grasp before you sit the Security Specialty certification exam. If you need a refresher on these topics, then please visit the following URL: https://packt.link/7wY4v.

Account Management in AWS

Whether you wish to set up a new environment or are on the path to growing an existing set of accounts, the Account Management tools can help you perform these tasks in an automated and systematic manner.

Control Tower