The AWS Certified Security – Specialty exam validates your expertise in advanced cloud security, a crucial skill set in today's cloud market. With the latest updates and revised study material, this second edition provides an excellent starting point for your exam preparation.
You’ll learn the fundamentals of core services, which are essential prerequisites before delving into the six domains covered in the exam. The book addresses various security threats, vulnerabilities, and attacks, such as DDoS attacks, offering insights into effective mitigation strategies at different layers. You’ll learn different tools available in Amazon Web Services (AWS) to secure your Virtual Private Cloud and allow the correct traffic to travel securely to your workloads. As you progress, you’ll explore the intricacies of AWS EventBridge and IAM services. Additionally, you’ll get lifetime access to supplementary online resources, including mock exams with exam-like timers, detailed solutions, interactive flashcards, and invaluable exam tips, all accessible across various devices such as PCs, tablets, and smartphones.
Ultimately, armed with the knowledge and skills acquired from this AWS security guide, you'll be well-prepared to pass the exam and design secure AWS solutions with confidence.
Page count: 762
AWS Certified Security – Specialty (SCS-C02) Exam Guide
Second Edition
Get all the guidance you need to pass the AWS (SCS-C02) exam on your first attempt
Adam Book
Stuart Scott
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Authors: Adam Book and Stuart Scott
Reviewer: Naman Jaswani
Publishing Product Manager: Anindya Sil
Senior Development Editor: Megan Carlisle
Development Editor: Shubhra Mayuri
Presentation Designer: Salma Patel
Editorial Board: Vijin Boricha, Megan Carlisle, Simon Cox, Ketan Giri, Saurabh Kadave, Alex Mazonowicz, Gandhali Raut, and Ankita Thakur
First Published: September 2020
Second edition: April 2024
Production Reference: 1150424
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB
ISBN: 978-1-83763-398-2
www.packtpub.com
Adam Book has been programming since the age of six and has been constantly tapped by founders and CEOs as one of the pillars to start their online or cloud businesses.
Adam has developed applications and websites. He’s been professionally involved in cloud computing and data center transformation since 1996, focusing on bringing the benefits of cloud computing to his clients. He’s led technology teams in transformative changes such as the shift to Infrastructure as Code and implementing Automation.
As a distinguished engineer by trade, Adam is a cloud evangelist with a track record of migrating thousands of applications to the cloud and guiding businesses in understanding cloud economics to create use cases and identify operating model gaps. Adam ran the local AWS user group in Atlanta for over 6 years. He has been certified on AWS since 2014 and holds many of the AWS Certifications and the CISSP and CCSK security certifications.
Stuart Scott has an extensive career spanning over two decades in the IT industry; he has expertise across various technological domains, with a particular interest for Amazon Web Services (AWS). Currently serving as the AWS Content Director at Cloud Academy, Stuart has written over 250 courses, enriching the learning experiences of more than 1.3 million students. His instructional content covers a diverse spectrum of topics, ranging from compute to cutting-edge generative AI solutions. A focal point of Stuart's professional interest lies in AWS security, identity, and compliance, wherein he delves into the intricacies of implementing and configuring AWS services to safeguard and monitor customer data within AWS.
Beyond his role at Cloud Academy, Stuart is a member of the AWS Community Builder program which provides technical resources, mentorship, and networking opportunities to AWS enthusiasts and emerging thought leaders who are passionate about sharing knowledge and connecting with the technical community. Furthermore, Stuart has contributed significantly to the AWS community by delivering talks at AWS community events hosted by AWS User Group Leaders and making appearances on the AWS Twitch channel to discuss cloud education.
Naman Jaswani is a seasoned Cyber Security Senior Consultant with over half a decade of experience. He specializes in AWS Security and boasts proficiency in Cloud Security, Application Security, and other Cyber Security domains. Outside of his consulting role, he dabbles in programming, and is particularly intrigued by Blockchain technology. Naman is not only passionate about his professional pursuits but also enjoys indulging in his hobbies of reading, traveling, and photography.
This book aims to provide you with a comprehensive understanding of the AWS Certified Security Specialty exam services. It includes sample architectures and case studies of those sample architectures so you can visualize how AWS services work. There are also plenty of hands-on exercises to try out in your own AWS account. You will find some very helpful use cases and anti-patterns presented for the different services in the book. It’s important to be aware of anti-patterns when preparing for an exam; an exam question may present a service as a potential solution, but that service may actually be an anti-pattern and should not be used. Knowing where a service fits best and where it doesn’t will help you choose the right answers in the exam.
Many certification books assume you will read them once, pass the test, and then place them on your bookshelf or pass them on to a colleague, and both their content and structure reflect this. In contrast, this book has been put together in such a way that you can hopefully use it as a reference guide in your duties as a security professional working in an AWS environment. You will find that extra information that may not necessarily appear in the exam has been added to the book. Once you pass the exam, you will be expected to be able to practically apply the topics you have learned about in the real world. The extra information in the book will help you tackle real-world, high-pressure security events, which can sometimes be harder than cracking the exam.
This book is for anyone who wishes to achieve the Certified Security Specialty certification offered by Amazon Web Services (AWS). Apart from that, this book will also be useful for security professionals looking to gain a more comprehensive understanding of the security aspects of AWS, as well as for AWS users looking to enhance the security of their offerings. The most common roles looking to achieve this certification are as follows:
- Cloud security consultant
- Cloud security architect
- Cloud security engineer
- DevSecOps engineer
- Cloud security specialist

This exam assumes you have some basic knowledge of security principles and concepts of information technology or cloud security, or a background in IT security and governance.
The AWS Certified Security Specialty certification recommends a minimum of two years of practical AWS production deployment experience for the test taker. This requirement reflects the depth and technical proficiency expected from the candidate.
Chapter 1, AWS Shared Responsibility Model, discusses the different shared responsibility models that define where your responsibilities as a customer implementing, controlling, and managing security in AWS start and those of AWS itself, which controls the security of the cloud, begin.
Chapter 2, Fundamental AWS Services, briefly covers the core AWS services that will be discussed throughout the book. This chapter aims to ensure that you have a robust understanding of the core services before diving deep into the domains of the Security Specialty certification material.
Chapter 3, Understanding Attacks on Cloud Environments, shows you how the skills acquired from this book can translate into protecting your and your customers’ environments from bad actors seeking to take advantage of unprotected environments. It discusses some of the top cloud-native attacks on software and infrastructure, as well as the different AWS services that can be used to combat those attacks.
Chapter 4, Incident Response, explains how you can prepare for and react to incidents manually and automatically. You will learn the value of using a separate security forensic account for quarantine and containment. You will also review several AWS tools designed to help in various incident response situations.
Chapter 5, Managing Your Environment with AWS Config, takes a deep dive into the AWS Config service. It will show you how to use automation to maintain compliance in your AWS environment, as well as how AWS Config can be used across multiple regions and accounts. You will also learn how to use Lambda functions to automatically remediate items that violate your compliance policies using Config’s remediation feature.
Chapter 6, Event Management with Security Hub and GuardDuty, discusses threat detection and security management across one or more accounts with native tooling available in AWS, AWS Security Hub, and AWS GuardDuty. You will learn what types of data sources are ingested to provide threat detection and how you can enable services and trigger alerts for you and your team.
Chapter 7, Logs generated by AWS Services, discusses the different sources in AWS from which you can acquire logging data, as well as how to collect and search through these logs centrally. The different log types explained include S3 Server Access logs, VPC Flow logs, Load Balancer Logs, and CloudTrail logs.
Chapter 8, CloudWatch and CloudWatch Metrics, deals with the different monitoring aspects of the CloudWatch service. You will learn how to use and search CloudWatch Logs, install the CloudWatch Logs agent on an EC2 instance, use the basic metrics provided by CloudWatch, and create custom metrics. You will also learn about Amazon EventBridge and EventBridge Rules.
Chapter 9, Parsing Logs and Events with AWS Native Tools, explains the different storage options and their costs. It also takes you through the managed OpenSearch and Kinesis services and how they facilitate log aggregation. Finally, it teaches you how to parse logs with Amazon Athena.
Chapter 10, Configuring Infrastructure Security, aims to help you fully understand the Virtual Private Cloud (VPC) security features AWS offers to effectively secure your VPC environments. By the end of the chapter, you will be able to confidently build a secure multi-subnet VPC using internet gateways, route tables, network access control lists, security groups, bastion hosts, NAT gateways, subnets, and virtual private gateways.
Chapter 11, Securing EC2 Instances, covers securing your instance infrastructure using a variety of techniques. These include performing vulnerability scans using Amazon Inspector, securing your EC2 key pairs, and using AWS Systems Manager to effectively administer your fleet of EC2 instances.
Chapter 12, Managing Key Infrastructure, talks about Key Management Service (KMS), which stores and manages the encryption keys for the different services. You will learn about the differences between Amazon-managed keys and customer-managed keys. You will also learn about the CloudHSM service for companies that need more control over their encryption keys.
Chapter 13, Access Management, focuses on the core concept of Identity and Access Management (IAM) and the IAM service. You will learn how to provision users, groups, and roles in a single account, secure access to those users using Multi-Factor Authentication (MFA), and also look into multi-account access with the IAM Identity Center.
Chapter 14, Working with Access Policies, examines several different policies used to grant access permissions to resources. You will learn how to read, edit, and create IAM and S3 policies. You will also see examples of Service Control Policies (SCPs), which are key tools in providing security and governance to AWS Organizations.
Chapter 15, Federated and Mobile Access, provides comprehensive information on what federated access is. This includes explaining social federation and enterprise federation to your AWS account. You will see how to enable Single Sign On to your AWS account using SAML. You will also learn about the Amazon Cognito service, which allows federation with Identity Providers (IdPs) to your applications.
Chapter 16, Using Active Directory Services to Manage Access, explains the different types of Active Directory offerings in AWS and how to allow federated access from your on-premises system to your AWS cloud environment. You will review the differences between each offering and explore scenarios in which a one-way or two-way trust would be useful.
Chapter 17, Protecting Data in Flight and at Rest, delves into the topic of encryption and, more specifically, how AWS handles encryption with different services. You will learn about Elastic Block Store encryption, Elastic File Store encryption, and options for encrypting S3 buckets from a filesystem and blob perspective. This chapter also covers database encryption, showing you how to encrypt the RDS and DynamoDB services.
Chapter 18, Securely Connecting to Your AWS Environment, teaches you how to connect securely to your AWS environment using AWS Virtual Private Network (VPN), AWS Direct Connect, and AWS CloudHub. It also presents an overview of VPN technology, the types of VPNs available in AWS, and IPsec.
Chapter 19, Using Certificates and Certificate Services in AWS, covers the different types of secure certificates used in AWS. It then discusses the AWS Certificate Manager service and explains how it can generate public certificates and act as a private certificate manager. Finally, it shows you how you can use the certificates you generated with ACM with elastic load balancers in your account.
Chapter 20, Managing Secrets Securely in AWS, explains why you should store your secrets securely in a public cloud environment such as AWS. You will review the different service offerings available to help you perform this task: Secrets Manager and System Manager Parameter Store. Finally, it shows you how to tell which users actually used any given secret.
Chapter 21, Accessing the Online Practice Resources, presents all the necessary information and guidance on how you can access the online practice resources that come free with your copy of this book. These resources are designed to enhance your exam preparedness.
The AWS Certified Security Specialty exam was updated on July 11, 2023 and expanded from five domains to six. A new domain of Management and Security Governance was added. In addition to the additional domain, Domain 1 now includes threat detection.
The following table shows you the difference between the latest version of the exam outline and the previous one:
SCS-C01 (Applicable up to July 11, 2023)          | SCS-C02 (Applicable from July 11, 2023)
--------------------------------------------------|-------------------------------------------------------
Domain 1: Incident Response – 12%                 | Domain 1: Threat Detection and Incident Response – 14%
Domain 2: Logging and Monitoring – 20%            | Domain 2: Security Logging and Monitoring – 18%
Domain 3: Infrastructure Security – 26%           | Domain 3: Infrastructure Security – 20%
Domain 4: Identity and Access Management – 20%    | Domain 4: Identity and Access Management – 16%
Domain 5: Data Protection – 22%                   | Domain 5: Data Protection – 18%
(no equivalent domain)                            | Domain 6: Management and Security Governance – 14%

Table 0.1: Comparison between the previous and updated version of the exam
With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.
To learn how to access the online resources, refer to Chapter 21, Accessing the Online Practice Resources at the end of this book.
Figure 0.1 – Online exam-prep platform on a desktop device
Sharpen your knowledge of AWS Certified Security Specialty (SCS-C02) concepts with multiple sets of mock exams, interactive flashcards, and exam tips accessible from all modern web browsers.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book.
You can download it here: <https://packt.link/RzbVH>
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “You will use the detect_labels API from Amazon Rekognition in the code.”
A block of code is set as follows:
{
    "Effect": "Allow",
    "Principal": {
        "CanonicalUser": "b035577b325d98aa1e72ca0000EXAMPLE"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::abcuser-bucket/*"
}

Any command-line input or output is written as follows:

aws iam create-login-profile --user-name Packt --password Ch@ng3mE --password-reset-required

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: “In CloudWatch, each Lambda function will have a log group and, inside that log group, many log streams.”
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details. We ensure that all valid errata are promptly updated in the GitHub repository, with the relevant information available in the Readme.md file. You can access the GitHub repository: <https://packt.link/L2aE6>.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share Your Thoughts
Once you’ve read AWS Certified Security – Specialty (SCS-C02) Exam Guide, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below: https://packt.link/free-ebook/9781837633982
Submit your proof of purchase.
That’s it! We’ll send your free PDF and other benefits to your email directly.

Before you start your journey into security with AWS, you first need to grasp a few fundamental concepts. This book begins with the AWS shared responsibility model, explaining the differences between security “in” the cloud and security “of” the cloud. The book also breaks down the responsibilities that you, the customer, hold regarding security compared with those AWS has as the cloud provider.
Next, the book dives into a quick review of AWS’s essential services and discusses how they relate to security. The exam asks questions on many of these services. Having an understanding of the purpose and abilities of these is vital for your successful dissection of the question and the basis of its query.
This should be combined with a consideration of some of the pertinent reasons as to why security should be at the forefront when building your AWS environments. Finally, as we wrap up the section, we look at some of the top attacks our cloud environments can fall vulnerable to, and some ways to mitigate those risks.
This section comprises the following chapters:
Chapter 1, AWS Shared Responsibility Model
Chapter 2, Fundamental AWS Services
Chapter 3, Understanding Attacks on Cloud Environments

Now that you are ready to begin your journey, the first step is to understand who is responsible for what when it comes to cloud computing. Security for both workloads and data stored in the cloud is separated into functions performed by both the customer and the cloud service provider (in this case, AWS). The shared responsibility model describes which duty belongs to whom.
From its very name, the Shared Responsibility Model, it is clear from the outset that more than one party is involved. This model defines where the customer’s responsibility for implementing, controlling, and managing security within AWS starts and ends, compared to that of the cloud service provider – in this case, AWS.
The roles and responsibilities of managing security require a shared awareness between the two parties. The model itself is not a legal agreement in any way; it is simply down to you to be aware of the model and understand its importance so you can architect and protect your resources effectively.
AWS has three different shared responsibility models: infrastructure, container, and managed services. All these have varied levels of responsibility between the cloud customers and AWS. In this chapter, you will explore each model to help you understand their differences and how this affects security in and of the cloud.
The following main topics will be covered in this chapter:
- Understanding security in the AWS cloud
- The AWS shared responsibility model
- How different services require more or fewer security responsibilities from a customer standpoint

This book and its accompanying online resources are designed to be a complete preparation tool for your AWS Certified Security Specialty exam.
The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.
Before You Proceed
To learn how to access these resources, head over to Chapter 21, Accessing the Online Practice Resources, at the end of the book.
Figure 1.1: Dashboard interface of the online practice resources
Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:
- Read each section thoroughly.
- Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
- Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill – Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end.
- Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
- Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
- Exam Tips: Review these from time to time to improve your exam readiness even further.

You need to have a basic understanding of AWS services and IaaS, PaaS, and SaaS cloud service models. Having a good understanding of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) will come into play as you learn about the nuances of the different models and how the responsibilities shift between the cloud provider (AWS in this case) and you, the customer.
You’ll begin this chapter with a breakdown of which sections of security you, the customer, and AWS, the cloud provider, are individually responsible for, depending on the type of service you are using on the platform.
The more customizable your service or platform, the more responsibilities you hold as the customer. The AWS service that you choose to use dictates your responsibility based on the amount of configuration that needs to be performed in the service tier.
Figure 1.2: A comparison of shared responsibility models
Figure 1.2 shows that infrastructure services, which are presented as an IaaS platform, including services such as EC2, hold many more customer responsibilities regarding security. The trade-off you receive for this more significant burden of responsibility is the flexibility and customization you are allowed in the layer. You can see that each of the different models is labeled directly underneath, and each of the models will be discussed in detail in the following pages.
The basis for what AWS is responsible for remains the same—that is, the hardware, AWS global infrastructure, and the AWS foundational services. This security foundation is what AWS refers to as Security of the Cloud and is described in detail below:

- AWS Global Infrastructure: AWS provides security for the global infrastructure, including Regions, Availability Zones, Edge Locations, and Regional Edge Caches. This global infrastructure forms the physical data centers and point-of-presence locations that AWS uses globally to store your AWS resources physically. Customers do not have physical access to AWS data centers and are not allowed to turn up at the door of an AWS data center and ask to see their cloud resources. As a result, it is down to AWS to ensure that the physical security of their data centers meets stringent security controls and global security standards.
- AWS Foundation Services: AWS also provides foundation services, as defined in the model, covering compute, storage, database, and network components. This means it physically provides the hardware and underlying infrastructure to allow customers to create resources from the pooled hardware AWS provisions. Again, as a customer, you do not have access to these hosts, the physical infrastructure, or the underlying hypervisor software on each host. To ensure the separation of resources on a single host, all access is controlled and their security is managed by AWS.

The customer is responsible for Security in the Cloud, which varies based on the service you are working with. As you will see in the following sections, the more control and customization you get with the AWS service, the more responsibility you have.
The shared model for infrastructure services is the most common model that AWS engineers and users are familiar with today. It is represented in Figure 1.3 and covers IaaS services such as Amazon Elastic Compute Cloud (EC2):
Figure 1.3: Shared responsibility model for infrastructure services
So, within this infrastructure, AWS provides global reach via various data centers and provides the underlying hardware and infrastructure required to allow its customers to create cloud resources from the AWS-provisioned and pooled hardware resources. These two components effectively make up the AWS cloud.
Essentially, customers have the ultimate security responsibility for anything they provision using AWS foundation services across the global infrastructure.
Using the EC2 service as an example, look at each point relating to the customer’s responsibilities from the preceding diagram:
- Customer data: The customer has to maintain the security of the data they import into or create within their AWS environment—for example, any data stored on EC2 volumes, ephemeral or persistent.
- Platform, application, and Identity and Access Management (IAM): Any platform or application installed on top of your EC2 instance must be secured and protected by controls configured and implemented by you, the customer. In addition to this, you are solely responsible for maintaining any access control to your EC2 instance and applications. AWS provides the IAM service to implement these controls, but it is down to you to implement adequate security measures using the features offered by IAM.
- Operating system and network and firewall configuration: As you saw in Figure 1.2, the responsibility of AWS ends at the hypervisor level. EC2 instances fall within the infrastructure model, so maintaining the operating system’s security is the customer’s responsibility. As a result, the customer must sustain and implement patching for the relevant operating system. EC2 instances are deployed within a Virtual Private Cloud (VPC). Therefore, network configuration, including firewall restrictions such as security groups (effectively, virtual firewalls operating at the instance level), must be configured and associated appropriately to protect your EC2 fleet.
- Client-side data encryption and data integrity authentication: This relates to the protection of data generated by or stored on your EC2 instances via an encryption mechanism. If you plan to encrypt your data as a customer, you are responsible for doing so.
- Server-side encryption (filesystem and/or data): Again, if you plan to use any form of encryption to protect your data using server-side mechanisms (perhaps through the use of the Key Management Service (KMS), which will be discussed in depth in a later chapter), it is down to you to use the service effectively for data protection.
- Network traffic protection (encryption/identity/integrity): When network traffic is being sent to and from your EC2 instance, you can configure the communication to be encrypted with a protocol such as SSL/TLS (for example, HTTPS), where applicable. Using AWS Certificate Manager, which will be discussed in depth in Chapter 19, Using Certificates and Certificate Services in AWS, helps simplify the management and provisioning of secure certificates with AWS services.

When you spin up an EC2 instance in your AWS account, you are able to choose a region from all the available geographic regions AWS offers to have your instance come up in. There is no need to order a server or rack, stack it, secure it in the cage at the data center, and so on. Once that server spins up, it will have a base operating system and network connectivity based on the VPC settings that you have chosen or configured.
Once your instance is up and running, whether for minutes, hours, months, or even years, it is your responsibility as the customer to update (or remove) any packages that do not meet your security baseline. Suppose you add additional users; this falls under the Identity and Access Management category. In that case, it is up to you to ensure that these users conform to your organization’s password or secure key policy. Similarly, if you decide to install any additional applications, keeping them up to date when security patches become available (either through the vendor or from the developers) is again your responsibility.
As you connect to this EC2 instance, creating a secure connection via SSL or TLS is up to you. Securing the data in transit to and from the instance falls under the customer responsibilities of the shared model for infrastructure security.
In summary, when working with services that fall within the infrastructure shared responsibility model, AWS is responsible for the security of the cloud, which includes everything in the hypervisor stack and levels below it. The customer is then responsible for security in the cloud, which starts from the operating system stack and levels above it.
Having an understanding of each of these models will help you define a more robust security strategy and strengthen your security posture across your AWS account. Fully understanding what you are responsible for and what AWS is responsible for will help ensure that you are not left open to any unexpected vulnerabilities.
Although infrastructure services constitute a large part of cloud computing (especially when it comes to AWS), the way the security responsibilities are handled for the customer and the cloud provider is not the same as that of packaged services. In the next section, you will learn about some of those differences of the shared responsibility model for container services.
The second model this chapter will cover is the container model. The word container is frequently used to describe software packages containing code and all associated dependencies that can be run across various compute environments. Examples of standard container technologies are Docker, Podman, and Kubernetes. However, the word container refers to a slightly different concept when used in this context.
The container model focuses on services that reside on top of infrastructure services. This implies that the customer does not have access to some of the infrastructure-level components, such as the operating system. The following are some examples of services in the container model:
AWS Elastic MapReduce (EMR)
AWS Relational Database Service (RDS)
AWS Elastic Beanstalk
Figure 1.4 shows the responsibility model for container services:
Figure 1.4: Shared responsibility model for container services
As is evident from the preceding figure, AWS retains the same security responsibilities it had in the infrastructure model and takes on additional ones. Platform, application management, operating system, and network configuration are now the responsibility of AWS in this model.
Consider the example of RDS. In this case, customers do not have access to the underlying operating system that the RDS databases are running on. As such, customers cannot patch the operating system. This security task has been shifted from the customer to AWS. In addition, platform and application management have also been passed to AWS. This is because RDS is a managed service, and as a result, all the application maintenance is undertaken by AWS. This takes a huge administrative burden off the customer but also simultaneously introduces a level of restriction, as they are only presented with the platform and everything above it in the stack.
The final model you will examine is the abstract shared responsibility model shown in Figure 1.5:
Figure 1.5: Shared responsibility model for abstract services
Right away, from a visual perspective, it is apparent that the shift in responsibility leans even more heavily toward AWS.
This model retains the level of security AWS must manage from the previous two models (infrastructure and container) and adds server-side encryption and network traffic protection. The following are some examples of services in the abstract model:
Amazon Simple Queue Service (SQS)
Amazon DynamoDB
Amazon Simple Storage Service (S3)
These are defined as abstract services as almost all the control and management of the service is abstracted away from the end customer; you access these services through endpoints. Customers do not have access to the underlying operating system (infrastructure) or the actual platform running these services (container). Instead, the customer is presented with the service frontend or endpoint configured as required.
As a result, the customer is totally abstracted away from maintaining security updates for the operating system or any platform patches and security management. This also means that with services that fall in this model, AWS is responsible for implementing and controlling any server-side encryption algorithms, such as Amazon S3 Server-Side Encryption (SSE-S3). Therefore, the customer has no control over the access keys used for this encryption method—it is all managed by AWS.
Further, AWS will manage the secure transfer of data between the service components, for example, when S3 automatically copies customer data to multiple endpoints across different availability zones. As a customer, you have no control over this data transfer, so AWS must secure the traffic.
You have decided to store some static documents and data in multiple S3 buckets since S3 is both optimal for blob storage and cost-effective. AWS already manages the S3 platform and keeps the application and operating system patches up to date.
Once you decide to place one of the documents into a particular bucket, you need to refer to your organizational policies to see if encryption at rest is required. Your first decision is whether you will do client- or server-side encryption. If you decide to use client-side encryption, you will need to generate a pair of keys (if a pair is not already available), encrypt the document, and then upload the encrypted payload to the S3 bucket.
Suppose you decide to go with server-side encryption. In that case, you must either provide your own Customer Managed Key (CMK) using Key Management Service (KMS) or use the Amazon-managed key to encrypt the data once it is placed into the bucket.
Now that the data has been added to the bucket, you, as the bucket administrator, need to decide who will gain access to this bucket and how you will control this access. You can create an IAM policy if access is limited to internal users. If users from another organization need to access the data and documents, you will craft a bucket policy with the correct permissions.
To summarize this example, in the abstract services shared responsibility model, the customer manages their data, who has access to it, and the encryption settings.
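A worked example for the S3 scenario above, added here and not taken from the book: a Python script that builds the bucket policy the text describes (cross-account read access for users from another organization, plus enforcement of server-side encryption with your own CMK on every upload) and a toy evaluator for its Deny conditions. The bucket name, account ID and key ARN are constructed placeholders, and the evaluator's treatment of a missing condition key is an assumption rather than a statement of IAM's exact evaluation rules.

```python
# Constructed placeholder values (not real identifiers); replace with your own.
BUCKET = "example-static-docs"
PARTNER_ACCOUNT_ID = "111122223333"
CMK_ARN = "arn:aws:kms:us-east-1:999999999999:key/EXAMPLE-KEY-ID"


def deny_put_unless(sid, objects, key, value):
    """Deny statement: refuse PutObject when the request's condition key is not `value`."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": objects, "Condition": {"StringNotEquals": {key: value}}}


def build_bucket_policy(bucket, partner_account_id, cmk_arn):
    """Bucket policy for the scenario in the text: the customer grants an external
    account read access and enforces SSE-KMS with their own customer managed key."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Cross-account read for users from another organization
                "Sid": "AllowPartnerRead",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
                "Action": "s3:GetObject",
                "Resource": objects,
            },
            # Two separate Deny statements: keys inside one Condition block are ANDed,
            # so a single block would not catch SSE-KMS uploads that use the wrong key.
            deny_put_unless("DenyNonKmsUploads", objects,
                            "s3:x-amz-server-side-encryption", "aws:kms"),
            deny_put_unless("DenyWrongKmsKey", objects,
                            "s3:x-amz-server-side-encryption-aws-kms-key-id", cmk_arn),
        ],
    }


def put_allowed(policy, request_context):
    """Toy evaluation of the policy's Deny statements against a PutObject request
    context (header values). A Deny applies when every key in its StringNotEquals
    block mismatches; treating a missing key as a mismatch is an assumption here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        wanted = stmt["Condition"]["StringNotEquals"]
        if all(request_context.get(k) != v for k, v in wanted.items()):
            return False
    return True
```

Compare `put_allowed(policy, {"s3:x-amz-server-side-encryption": "AES256"})` with a request that names both `aws:kms` and the CMK ARN: only the latter passes both Deny statements.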
With an understanding of the shared responsibility model for abstract services, you can now delve into how using and understanding these models can help you when dealing with audits or auditors.
Many industries require you to show compliance in your cloud environment as it relates to industry-specific controls.
Using and understanding the shared security model will help you and your auditors understand which controls you, as the customer, are responsible for and which ones are the responsibility of AWS, the cloud provider.
Suppose your auditor is requesting information or evidence for something that AWS manages. In that case, you can refer the auditor to the specific shared responsibility model for the service to show how the cloud service provider maintains control of that particular standard.
This chapter discussed the three shared security models used for AWS services: infrastructure, container, and abstract services. You learned that, from a security perspective and depending on the service you are using, your responsibility as a customer and that of AWS as the cloud provider can change.
Understanding these models and being able to differentiate between them will be beneficial when you implement your security strategies across your solutions as it means you will clearly understand where your responsibility ends and AWS’s responsibility begins. This will help ensure that you do not leave any vulnerabilities across your AWS infrastructure within your accounts.
You also examined how the shared security model can help you by clarifying which items you and your organization are responsible for when it comes to compliance and audits for your business.
Chapter 2, Fundamental AWS Services, will provide a brief overview of many of the services used in the AWS ecosystem that are not particularly focused on security. Even the services that do not have a specific security focus often play a significant role in the solutions we build for our systems and customers. The AWS Security Competency exam expects you to have a base knowledge of the services offered and how you can fortify them as a security engineer or professional.
For additional information on the AWS shared responsibility model and the underlying foundation of AWS security, please refer to the following resources:
Introduction to AWS Security: https://packt.link/yoltd
The shared responsibility model: https://packt.link/JjZ65
Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That is why working on these skills early on in your learning journey is key.
Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.
How To Access These Resources
To learn how to access these resources, head over to the chapter titled Chapter 21, Accessing the Online Practice Resources.
To open the Chapter Review Questions for this chapter, perform the following steps:
Click the link – https://packt.link/SCSC02E2_CH01.
Alternatively, you can scan the following QR code (Figure 1.6):
Figure 1.6: QR code that opens Chapter Review Questions for logged-in users
Once you log in, you’ll see a page similar to the one shown in Figure 1.7:
Figure 1.7: Chapter Review Questions for Chapter 1
Once ready, start the following practice drills, re-attempting the quiz multiple times. For the first three attempts, don’t worry about the time limit.
The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.
The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.
The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.
Tip
You may take more than three attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.
Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of what your next attempts should look like:
Attempt     Score   Time Taken
Attempt 5   77%     21 mins 30 seconds
Attempt 6   78%     18 mins 34 seconds
Attempt 7   76%     14 mins 44 seconds
Table 1.1: Sample timing practice drills on the online platform
Note
The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.
With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.
Now that you understand the shared responsibility model, it’s time to look at some essential services that are used throughout the environments and accounts in which you will be working. These essential services are compute services such as Elastic Cloud Compute (EC2), the global Domain Name System (DNS) service of Route 53, database services such as RDS and Aurora, account management services such as Control Tower and AWS Organizations, and the advisory service of Trusted Advisor. This may seem like a review of services you already know if you have taken the Cloud Practitioner, Solution Architect (Associate or Professional), or other AWS certification. Although there is no need to take or pass any other AWS certification exams before attempting the Security Specialty certification by AWS, it’s not a bad idea to get familiar with some essential services.
After reading this chapter, you should have a basic understanding of the AWS services that the exam covers. These services are also many of the core services that you use on a daily basis. There are plenty of opportunities to dig deeper into the topics presented using the links at the end of this chapter.
The following main topics will be covered in this chapter:
Virtual private networking/Route 53 networking
Compute services on AWS
Cloud databases
Message and queueing systems
Trusted Advisor
You will need an AWS account to access the Management Console, and you need to have already set up the CLI.
Important Note
This book will not be going over AWS’s geography, regions, Availability Zones, or edge locations. However, these are fundamental concepts you should fully grasp before you sit the Security Specialty certification exam. If you need a refresher on these topics, then please visit the following URL: https://packt.link/7wY4v.
Whether you wish to set up a new environment or are on the path to growing an existing set of accounts, the Account Management tools can help you perform these tasks in an automated and systematic manner.