A practical and comprehensive guide to the AWS Certified Security exam and your next AWS cloud security job
In the newly revised second edition of AWS Certified Security Study Guide: Specialty (SCS-C02) Exam, a team of veteran Amazon Web Services cloud security experts delivers a comprehensive roadmap to succeeding on the challenging AWS Certified Security Specialty certification exam. You'll prepare for the exam faster and smarter with authoritative content, an assessment test, real-world examples, practical exercises, and updated chapter review questions. You'll also acquire the on-the-job skills you need to hit the ground running in your next AWS cloud security position.
This book offers complete coverage of every tested exam objective, including threat detection, incident response, security logging and monitoring, cloud infrastructure security, identity and access management (IAM), data protection, and management and security governance.
It also includes:
An up-to-date and essential study companion for anyone preparing to take the AWS Certified Security (SCS-C02) exam, this study guide is also ideal for aspiring and practicing AWS cloud security professionals seeking a refresher on the critical knowledge they need every day in their current or next job.
Page count: 730
Year of publication: 2025
Cover
Table of Contents
Title Page
Copyright
Acknowledgments
About the Authors
Table of Exercises
Introduction
Assessment Test
Answers to Assessment Test
Chapter 1: Security Fundamentals
Understanding Security
Basic Security Concepts
Foundational Networking Concepts
Main Classes of Attacks
Risk Management
Well-Known Security Frameworks and Models
Summary
Exam Essentials
Review Questions
Chapter 2: Cloud Security Principles and Frameworks
Introduction
Cloud Security Principles Overview
The Shared Responsibility Model
AWS Compliance Programs
AWS Well-Architected Framework
The AWS Marketplace
Summary
Exam Essentials
Review Questions
Chapter 3: Management and Security Governance
Introduction
Multi-Account Management Using AWS Organizations
Secure and Consistent Infrastructure Deployment in AWS
Evaluating Compliance
Architecture Review and Cost Analysis
Summary
Exam Essentials
Review Questions
Chapter 4: Identity and Access Management
Introduction
IAM Overview
How AWS IAM Works
Access Management in Amazon S3
Identity Federation
Protecting Credentials with AWS Secrets Manager
IAM Security Best Practices
Common Access Control Troubleshooting Scenarios
Summary
Exam Essentials
Review Questions
Chapter 5: Security Logging and Monitoring
Introduction
Stage 1: Resources State
Stage 2: Events Collection
Stage 3: Events Analysis
Stage 4: Action
Summary
Exam Essentials
Review Questions
Chapter 6: Infrastructure Protection
Introduction
AWS Networking Constructs
Network Address Translation
Security Groups
Network Access Control Lists
Amazon VPC Transit Gateways
Elastic Load Balancing
VPC Endpoints
VPC Flow Logs
AWS Web Application Firewall
AWS Shield
AWS Network Firewall
Amazon Inspector
AWS Systems Manager Patch Manager
EC2 Image Builder
Network and Connectivity Troubleshooting Scenarios
Summary
Exam Essentials
Review Questions
Chapter 7: Data Protection
Introduction
AWS Key Management Service
Managing Keys in AWS KMS
Understanding the Cloud Hardware Security Module
AWS Certificate Manager
AWS Secret Protection Mechanisms
Protecting Your S3 Buckets
Amazon Macie
Protecting Data on the Move in AWS
Data Protection Troubleshooting Scenarios
Summary
Exam Essentials
Review Questions
Chapter 8: Threat Detection and Incident Response
Introduction
Threat Detection
Threat Detection Services
Incident Response
Creating Your Incident Response Plan
Reacting to Specific Security Incidents
Automating Incident Response
Summary
Exam Essentials
Review Questions
Appendix A: Answers to Review Questions
Chapter 1: Security Fundamentals
Chapter 2: Cloud Security Principles and Frameworks
Chapter 3: Management and Security Governance
Chapter 4: Identity and Access Management
Chapter 5: Security Logging and Monitoring
Chapter 6: Infrastructure Protection
Chapter 7: Data Protection
Chapter 8: Threat Detection and Incident Response
Appendix B: Creating Your Security Journey in AWS
Introduction
How to Prioritize Your Security Initiatives
It’s a Journey
Security Maturity Model
Appendix C: AWS Security Services Portfolio
Amazon Cognito
Amazon Detective
Amazon GuardDuty
Amazon Inspector
Amazon Macie
Amazon Security Lake
Amazon Verified Permissions
AWS Artifact
AWS Audit Manager
AWS Certificate Manager
AWS CloudHSM
AWS Directory Service
AWS Firewall Manager
AWS Identity and Access Management
AWS IAM Identity Center
AWS Key Management Service
AWS Network Firewall
AWS Organizations
AWS Payment Cryptography
AWS Private Certificate Authority
AWS Resource Access Manager
AWS Secrets Manager
AWS Security Hub
AWS Shield
AWS Web Application Firewall
Appendix D: DevSecOps in AWS
Introduction
Dev + Sec + Ops
AWS Developer Tools
Creating a CI/CD Using AWS Tools
Evaluating Security in Agile Development
Creating the Correct Guardrails Using SAST and DAST
Security as Code: Creating Guardrails and Implementing Security by Design
Index
End User License Agreement
Chapter 1
Figure 1.1 Positioning the security policy.
Figure 1.2 The OSI model.
Figure 1.3 Comparison between the OSI model and the TCP/IP stack.
Figure 1.4 The IPv4 header.
Figure 1.5 UDP and TCP headers.
Figure 1.6 The IPv6 header and sample extension headers.
Figure 1.7 Main types of IPv6 unicast addresses.
Figure 1.8 Deriving the interface identifier from the MAC address.
Figure 1.9 Contrasting WAF and a web proxy.
Figure 1.10 Sample API endpoint tree.
Figure 1.11 Sample inbound topology.
Figure 1.12 Classic topology for VPN termination.
Figure 1.13 Sample topology for inbound TLS orchestration.
Figure 1.14 The security wheel.
Figure 1.15 The attack continuum model.
Figure 1.16 The attack continuum model applied to malware protection.
Chapter 2
Figure 2.1 Services available from the AWS Management Console.
Figure 2.2 Standard Shared Responsibility Model.
Figure 2.3 Shared Responsibility Model for container services.
Figure 2.4 Shared Responsibility Model for abstracted services.
Figure 2.5 AWS security documentation.
Figure 2.6 AWS compliance programs site.
Figure 2.7 AWS PCI DSS compliance guide.
Figure 2.8 AWS CSA compliance site.
Figure 2.9 CSA consensus assessment initiative questionnaire.
Figure 2.10 AWS Artifact portal.
Figure 2.11 AWS Well-Architected Tool.
Figure 2.12 AWS Marketplace security solutions.
Chapter 3
Figure 3.1 AWS Organizations account hierarchy.
Figure 3.2 Logical representation of a StackSet model.
Chapter 4
Figure 4.1 Update Account Settings page.
Figure 4.2 IAM users and account permissions.
Figure 4.3 Groups and IAM users.
Figure 4.4 Resource-based policy example.
Figure 4.5 Effective permissions example.
Figure 4.6 Identity federation workflow.
Figure 4.7 User pool authentication flow.
Figure 4.8 Cognito identity pools authentication flow.
Figure 4.9 Authentication workflow using federation between an AWS account and M...
Chapter 5
Figure 5.1 Detective controls flow framework.
Figure 5.2 AWS Config Console: Resource view.
Figure 5.3 AWS Config Console: Resource Timeline view.
Figure 5.4 S3 bucket containing AWS Config History files.
Figure 5.5 AWS Config and the detective framework.
Figure 5.6 AWS CloudTrail digest file object metadata.
Figure 5.7 Representation of CloudWatch Log hierarchical grouping.
Figure 5.8 Schematic representation of log data for cross-account consumption.
Figure 5.9 Visualization of source account telemetry (logs) in a monitoring account.
Figure 5.10 AWS Config Console: Resource timeline.
Figure 5.11 Amazon EventBridge flow representation.
Chapter 6
Figure 6.1 Amazon VPC dashboard.
Figure 6.2 Create VPC dashboard (wizard view).
Figure 6.3 VPC settings.
Figure 6.4 Create VPC: VPC settings.
Figure 6.5 VPC1 network topology.
Figure 6.6 Architecture VPC1 topology.
Figure 6.7 Subnet view.
Figure 6.8 Subnet creation.
Figure 6.9 Subnet10-AZ1a parameters.
Figure 6.10 VPC1 default route table.
Figure 6.11 VPC1 subnet associations.
Figure 6.12 VPC view: Resource Map.
Figure 6.13 Internet gateway IGW1 creation.
Figure 6.14 IGW1 is attached to VPC1.
Figure 6.15 Updated topology.
Figure 6.16 Main route table after IGW1 creation.
Figure 6.17 Adding the default route to the main route table.
Figure 6.18 Modifying IP auto-assignment on Subnet10-AZ1a.
Figure 6.19 Two instances deployed on Subnet10-AZ1a.
Figure 6.20 The Create NAT Gateway screen.
Figure 6.21 NAT gateway creation.
Figure 6.22 Route table creation.
Figure 6.23 Adding a default route to RouteTable-Subnet20-AZ1b.
Figure 6.24 Subnet associations.
Figure 6.25 Resource map.
Figure 6.26 Topology with NAT gateway.
Figure 6.27 NAT-GW1 CloudWatch statistics.
Figure 6.28 Security group SG1.
Figure 6.29 Security groups and an inbound connection.
Figure 6.30 SG1 outbound rules.
Figure 6.31 VPC1 default security group.
Figure 6.32 Default NACL inbound rules.
Figure 6.33 Default NACL outbound rules.
Figure 6.34 Network topology showing the default NACL.
Figure 6.35 Recently created NACL1.
Figure 6.36 NACL1 inbound rules.
Figure 6.37 NACL1 outbound rules.
Figure 6.38 Transit gateway creation.
Figure 6.39 Transit gateway information.
Figure 6.40 Transit gateway attachment creation.
Figure 6.41 Transit gateway attachment configuration.
Figure 6.42 Route table with Transit gateway as a target.
Figure 6.43 Associations for a Transit gateway route table.
Figure 6.44 Transit gateway route table.
Figure 6.45 Elastic load balancing architecture.
Figure 6.46 Select Load Balancer Type screen.
Figure 6.47 TG1 basic configuration.
Figure 6.48 TG1 registered targets.
Figure 6.49 ALB1 description settings.
Figure 6.50 ALB1 Resource Map view.
Figure 6.51 ALB1 Requests Amazon CloudWatch Metric.
Figure 6.52 Network topology with ALB1.
Figure 6.53 ALB integrations: AWS WAF.
Figure 6.54 Connectivity to AWS services using VPC endpoints.
Figure 6.55 VPC gateway endpoint creation.
Figure 6.56 VPC endpoint in VPC1.
Figure 6.57 Updated main route table in VPC1.
Figure 6.58 Prefix list for S3.
Figure 6.59 VPC interface endpoint creation.
Figure 6.60 Flow Log creation.
Figure 6.61 VPC Flow Log example.
Figure 6.62 WebACL1 creation.
Figure 6.63 Adding rules to WebACL1.
Figure 6.64 Custom rule creation.
Figure 6.65 BlockAdminPages custom rule creation.
Figure 6.66 BlockAdminPages custom rule creation: Action.
Figure 6.67 Enable AWS WAF logging.
Figure 6.68 WebACL1 overview graph.
Figure 6.69 Shield Advanced General view.
Figure 6.70 Shield Advanced protected resources.
Figure 6.71 AWS Network Firewall deployed in a single AZ and traffic flow for a...
Figure 6.72 AWS Network Firewall creation.
Figure 6.73 AWS Network Firewall overview.
Figure 6.74 Managed Rules overview.
Figure 6.75 Managed Rules to add at NFW1-Policy.
Figure 6.76 Amazon Inspector dashboard.
Figure 6.77 Amazon Inspector Resources coverage.
Figure 6.78 Systems Manager Patch Manager: Dashboard view.
Figure 6.79 Systems Manager Patch Manager: Create Policy.
Figure 6.80 Patch Manager: Create Policy: Patch baseline custom.
Figure 6.81 Patch Manager: Create Policy: Targets.
Figure 6.82 Patch Manager: Create Policy: Rate control and profile options.
Figure 6.83 Patch Manager: Compliance Reporting.
Figure 6.84 Patch Manager: Patch Baseline example.
Figure 6.85 Patch Manager: Summary.
Figure 6.86 EC2 Image Builder summary.
Figure 6.87 EC2 Image Builder recipe.
Figure 6.88 Reachability Analyzer.
Figure 6.89 Path details.
Figure 6.90 Network Access Scopes (Amazon created).
Figure 6.91 Network Access Scopes custom.
Figure 6.92 Findings example.
Figure 6.93 Architecture of a NAT gateway.
Figure 6.94 Architecture of an Internet gateway.
Figure 6.95 Peering example.
Figure 6.96 No transitivity example.
Chapter 7
Figure 7.1 Plain text and ciphertext.
Figure 7.2 Asymmetric encryption.
Figure 7.3 Signature using an asymmetric algorithm.
Figure 7.4 Hash algorithm usage.
Figure 7.5 AWS KMS service integration.
Figure 7.6 Implementing an end-to-end encryption strategy using AWS KMS.
Figure 7.7 Managed and data keys.
Figure 7.8 KMS managed key protection.
Figure 7.9 User access methods to the managed key.
Figure 7.10 Customer-managed key examples.
Figure 7.11 AWS KMS service integration.
Figure 7.12 Customer-managed key details: ARN, alias, KeyID.
Figure 7.13 Two roles used to control access to the CMK.
Figure 7.14 Role configuration in KMS to control access to the CMK.
Figure 7.15 JSON permission policy example diagram.
Figure 7.16 JSON permission policy, all AWS principals in the account.
Figure 7.17 JSON permission policy, IAM user SEC_AWS_BOOK_KMS_ADMIN.
Figure 7.18 JSON permission policy, IAM user SEC_AWS_BOOK_KMS_USER.
Figure 7.19 Key categories in AWS KMS.
Figure 7.20 Allow key administrators to delete this key option.
Figure 7.21 Key disable and schedule key deletion options.
Figure 7.22 Confirm that you want to disable the key.
Figure 7.23 Configuring and checking key rotation.
Figure 7.24 Enabling key rotation.
Figure 7.25 CloudHSM configuration.
Figure 7.26 CloudHSM configuration validation.
Figure 7.27 CloudHSM certificates hierarchy.
Figure 7.28 CloudHSM cluster initialization.
Figure 7.29 VPC architecture to access Cluster HSM.
Figure 7.30 AWS KMS custom key stores configuration with HSM.
Figure 7.31 Custom key store KMS integration to CloudHSM.
Figure 7.32 ACM integration with AWS-native services scenario.
Figure 7.33 ACM private CA scenario.
Figure 7.34 ACM General dashboard.
Figure 7.35 Private CA general dashboard.
Figure 7.36 Secret creation.
Figure 7.37 Python code to access a secret.
Figure 7.38 AWS Systems Manager Parameter Store creation.
Figure 7.39 AWS Parameter Store: My Parameters view.
Figure 7.40 Block Public Access: Account Level.
Figure 7.41 Block Public Access: Bucket Level.
Figure 7.42 An access point named finance.
Figure 7.43 Object Lock setup.
Figure 7.44 Glacier S3 vault policies.
Figure 7.45 Glacier S3 Vault Lock policy example.
Figure 7.46 Default S3 creation with encryption.
Figure 7.47 S3 SSE-KMS configuration.
Figure 7.48 S3 SSE-KMS with preexisting CMK.
Figure 7.49 S3 Replication configuration.
Figure 7.50 Key that must be used to replicate encrypted objects.
Figure 7.51 Amazon Macie summary.
Figure 7.52 Amazon Macie bucket view.
Figure 7.53 Amazon Macie findings legend.
Figure 7.54 Amazon Macie job creation.
Figure 7.55 Amazon Macie job creation: Final.
Figure 7.56 Automated sensitive data discovery.
Chapter 8
Figure 8.1 How Amazon GuardDuty works.
Figure 8.2 Sample finding details in Amazon GuardDuty.
Figure 8.3 How AWS Security Hub works.
Figure 8.4 Centralized view in AWS Security Hub grouped by product name.
Figure 8.5 AWS Security Hub—insights example.
Figure 8.6 AWS Security Hub multi-region aggregated view.
Figure 8.7 How Amazon Detective works.
Figure 8.8 Finding group visualization: Node graph.
Figure 8.9 The incident response life cycle.
Figure 8.10 AWS account security contacts.
Figure 8.11 Security automation logical sequence.
Figure 8.12 AWS Security Hub as the centerpiece of security automation.
Figure 8.13 Automated Security Response on AWS.
Figure 8.14 Simple security automation example.
Figure 8.15 GuardDuty’s TOR Client detection message.
Figure 8.16 AWS Lambda environment variable pointing to the forensics security group.
Appendix B
Figure B.1 Identifying quick wins.
Figure B.2 Phases.
Figure B.3 Security Maturity Model Phase 1: Quick Wins.
Figure B.4 Security Maturity Model Phase 2: Foundational.
Figure B.5 Security Maturity Model Phase 3: Efficient.
Figure B.6 Security Maturity Model Phase 4: Optimized.
Appendix C
Figure C.1 Amazon Cognito icon.
Figure C.2 Amazon Detective icon.
Figure C.3 Amazon GuardDuty icon.
Figure C.4 Amazon Inspector icon.
Figure C.5 Amazon Macie icon.
Figure C.6 Amazon Security Lake icon.
Figure C.7 Amazon Verified Permissions icon.
Figure C.8 AWS Artifact icon.
Figure C.9 AWS Audit Manager icon.
Figure C.10 AWS Certificate Manager icon.
Figure C.11 AWS CloudHSM icon.
Figure C.12 AWS Directory Service icon.
Figure C.13 AWS Firewall Manager icon.
Figure C.14 AWS Identity and Access Management (IAM) icon.
Figure C.15 AWS IAM Identity Center icon.
Figure C.16 AWS Key Management Service (AWS KMS) icon.
Figure C.17 AWS Network Firewall icon.
Figure C.18 AWS Organizations icon.
Figure C.19 AWS Payment Cryptography icon.
Figure C.20 AWS Private Certificate Authority icon.
Figure C.21 AWS Resource Access Manager icon.
Figure C.22 AWS Secrets Manager icon.
Figure C.23 AWS Security Hub icon.
Figure C.24 AWS Shield icon.
Figure C.25 AWS Web Application Firewall (WAF) icon.
Appendix D
Figure D.1 Continuous delivery vs. continuous deployment.
Figure D.2 Steps of software release process.
Figure D.3 AWS X-Ray service map.
Figure D.4 Amazon CloudWatch panel.
Figure D.5 Committed source code.
Figure D.6 Role configuration.
Figure D.7 Project configuration.
Figure D.8 Source screen.
Figure D.9 Environment screen.
Figure D.10 Buildspec screen.
Figure D.11 Artifacts screen.
Figure D.12 Logs screen.
Figure D.13 Build screen.
Figure D.14 Pipeline settings.
Figure D.15 Add source stage screen.
Figure D.16 Add build stage screen.
Figure D.17 Add deploy stage screen.
Figure D.18 Pipeline result.
Figure D.19 Pipeline with failed status.
Figure D.20 Pipeline with Success status.
Chapter 5
Table 5.1 Comparison of Different “Views” for Configuration Items
Table 5.2 AWS CloudTrail: Event Types
Table 5.3 AWS CloudTrail: Trails and Event Data Stores
Table 5.4 Amazon Inspector: Available Types of Inspection
Table 5.5 Amazon EventBridge: Event Buses and Pipes
Chapter 6
Table 6.1 Security Group Rules Parameters
Table 6.2 Network ACL Rule Parameters
Table 6.3 Routing Table
Chapter 7
Table 7.1 Symmetric Cryptographic Encryption Algorithms
Table 7.2 Hash Algorithms Examples
Table 7.3 AWS Services That Support Protection of Data in Transit
Table 7.4 Common Issues in AWS KMS
Table 7.5 Monitoring and Logging for KMS
Second Edition
Mauricio Muñoz, Darío Goldfarb, Alexandre Matos da Silva Pires de Moraes, Omner Barajas, Andrés González Santos, Rogerio Kasa
Copyright © 2025 by John Wiley & Sons, Inc. All rights reserved, including rights for text and data mining and training of artificial intelligence technologies or similar technologies.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
The manufacturer’s authorized representative according to the EU General Product Safety Regulation is Wiley-VCH GmbH, Boschstr. 12, 69469 Weinheim, Germany, e-mail: [email protected].
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993. For product technical support, you can find answers to frequently asked questions or reach us via live chat at https://sybexsupport.wiley.com.
If you believe you’ve found a mistake in this book, please bring it to our attention by emailing our reader support team at [email protected] with the subject line “Possible Book Errata Submission.”
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2025911987
ISBN: 9781394253463 (paperback)
ISBN: 9781394253470 (epub)
ISBN: 9781394253487 (ePDF)
Cover Design: Wiley
Cover Image: © Jeremy Woodhouse/Getty Images
First and foremost, we offer our most profound thanks to our spouses, children, and families, whose support and understanding during our many long hours of writing and reviews gave us the time and strength to create this book. This book would not have been possible without our wonderful families.
We would also like to show our appreciation for Amazon Web Services (AWS) for providing cloud-computing platforms, APIs, and the Specialty Exam to the world at large. We are excited to be an active part of this transformative growth and development of secure cloud computing in the world today.
We’d also like to thank associate publisher Jim Minatel and acquisitions editor Ken Brown for entrusting us with the role of creating this study guide for Wiley. We also appreciate the insights of technical editor Rogerio Kasa, whose attention to detail elevated this book to the next level. Thanks also goes to managing editor Pete Gaughan, project manager Robyn Alvarez, production specialist Bala Shanmugasundaram, copy editor Kezia Endsley, and the entire team at Wiley for their guidance and assistance in making this book. We’d also like to thank all of our colleagues and experts who consulted with us while we were writing this book—too many to name here, but we are grateful for your suggestions and contributions.
And perhaps more than anyone else, we would like to thank our readers. We are grateful for the trust that you have placed in us to help you study for the exam. We wrote this book to support you in your journey.
—The Authors
Mauricio Muñoz is a Principal Technologist at Amazon Web Services (AWS), where he guides global customers in their journey to implement mission-critical applications into the AWS Cloud. With over 25 years of experience in information security and a CISSP certification since 2005, Mauricio has continuously expanded his expertise across various domains, including networking, application integration, analytics, and cloud computing. A passionate advocate for learning and knowledge sharing, Mauricio has served as an authorized instructor for CISSP and CEH certification training, as well as other technical certifications, including recent AWS architectural training. He is a sought-after speaker at both cloud computing and industry events, bringing valuable insights to diverse audiences. His international career spans Latin America and the United States, enriching his global perspective in technology consulting. Academically, Mauricio holds an electronics engineering degree from Pontificia Universidad Javeriana (PUJ—Colombia) and an executive MBA from Insper (Brazil), combining technical prowess with strategic business acumen.
Darío Goldfarb is a security solutions architect at Amazon Web Services in Latin America with more than 18 years of experience in cybersecurity, helping organizations from different industries improve their cyber-resiliency. Dario enjoys sharing security knowledge through speaking at public events, presenting webinars, teaching classes for universities, and writing blogs and articles for the press. He has a significant number of certifications, including CISSP, the Open Group Master IT Architect, and the AWS Security Specialty certification, and he holds a degree in systems engineering from UTN (Argentina) and a diploma in cybersecurity management from UCEMA (Argentina).
Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, worked as a systems engineer for Cisco Brazil from 1998 to 2014, in projects involving not only security and VPN technologies but also routing protocol and campus design, IP multicast routing, and MPLS networks design. He is the author of Cisco Firewalls (Cisco Press, 2011) and has delivered many technical sessions related to security in market events, such as Cisco Networkers and Cisco Live (Brazil, United States, United Kingdom). In 2014, Alexandre started a new journey as a director for Teltec Solutions, a Brazilian systems integrator that is highly specialized in the fields of network design, security architectures, and cloud computing. Alexandre holds the CISSP and three CCIE certifications (routing/switching, security, and service provider). He graduated with a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA—Brazil) and holds a master’s degree in mathematics (group theory) from Universidade de Brasília (UnB—Brazil). Alexandre also contributes, as a mathematics teacher, to preparing candidates for the national exams of military universities in Brazil, such as ITA and IME (Instituto Militar de Engenharia).
Andrés González Santos is a senior security specialist solution architect at Amazon Web Services in Latin America with more than 20 years of experience in cybersecurity. Andrés has served in various security positions, including consultant, IT architect, and security auditor, helping organizations across diverse industries strengthen their security posture. His experience spans multiple countries, including Colombia, Ecuador, and Peru, where he has implemented strategic technological solutions for both national and international enterprises. Andrés holds a master’s degree in systems engineering and a master’s degree in information security. He also holds a significant number of certifications, including CISSP, CISA, CISM, CRISC, ABCP and AWS Certified Security—Specialty, AWS Networking Specialty, and AWS Certified Solutions Architect.
Omner Barajas is a security specialist solution architect at Amazon Web Services in Latin America with more than 15 years of experience in cybersecurity. During those years, Omner has taken multiple roles as security consultant, IT architect, and security auditor while helping organizations from different industries to improve their security posture. Omner has a master’s degree in information security and holds a significant number of certifications, including CISSP, CISA, CISM, AWS Certified Security—Specialty, AWS Certified Solutions Architect—Professional, and PCI Internal Security Assessor (ISA).
Rogerio Kasa is a Security Solutions Architect at Amazon Web Services (AWS), where he helps organizations strengthen their cloud security posture through strategic advisory and technical leadership. Since joining AWS in 2019, he has established himself as a trusted advisor in cloud security, leading the internal extended Security Community in Brazil, implementing risk-based security controls, governance frameworks, and compliance requirements. A certified professional holding CISSP/ISC2, CISM/ISACA, CCSK/CSA, and multiple AWS certifications, Rogerio combines deep technical expertise with strategic insight to help organizations navigate their cloud security challenges. His work spans security automation, incident response, network security, IAM, detection/response, data protection, and the implementation of comprehensive security controls across multi-account environments.
Exercise 2.1 Generating a PCI DSS Report in the AWS Artifact Portal
Exercise 2.2 Checking the ISO 27001 and ISO 27017 Reports
Exercise 2.3 Using the Well-Architected Tool
Exercise 3.1 Viewing Compliance of Your AWS Resources
Exercise 3.2 Enabling Organization View in Trusted Advisor
Exercise 4.1 Change the Root Account Password
Exercise 4.2 Enable Virtual Multifactor Authentication for the Root Account
Exercise 4.3 Create an IAM User with Administrator Access Permissions
Exercise 4.4 Create an IAM Group with Amazon S3 Read-Only Access Role
Exercise 4.5 Create an Amazon S3 Bucket
Exercise 4.6 Add a User to the AmazonS3Viewers Group
Exercise 4.7 Force TLS Encryption for an Amazon S3 Bucket
Exercise 5.1 Set Up AWS Config
Exercise 5.2 Set Up a Trail in CloudTrail
Exercise 5.3 AWS CloudTrail Integration with Amazon CloudWatch Logs
Exercise 5.4 Create a Metric and an Alarm in Amazon CloudWatch
Exercise 5.5 AWS Config Rules
Exercise 5.6 AWS CloudTrail Integration with Amazon EventBridge
Exercise 6.1 Create a VPC and Subnets
Exercise 6.2 Create an Internet Gateway
Exercise 6.3 Create NAT Gateways
Exercise 6.4 Create Security Groups
Exercise 6.5 Create an NACL
Exercise 6.6 Create a Transit Gateway Attachment for VPC
Exercise 6.7 Elastic Load Balancing
Exercise 6.8 Work with VPC Endpoints
Exercise 6.9 Check VPC Flow Logs
Exercise 6.10 Create and Test an AWS Web Application Firewall
Exercise 7.1 Create a KMS Key
Exercise 7.2 Create an S3 Bucket and Use a KMS Key to Protect It
Exercise 7.3 Protecting RDS with KMS
Exercise 7.4 Protecting EBS with KMS
Exercise 7.5 Protect Your S3 Buckets with Block Public Access Settings and Service Control Policy
Exercise 7.6 Replicate Encrypted S3 Objects Across Regions
Exercise 7.7 Protect Your S3 Buckets with a Resource Policy and VPC Endpoints
Exercise 8.1 Enable Amazon GuardDuty in Your Account
Exercise 8.2 Enable AWS Security Hub in Your Account
Exercise 8.3 Enable Amazon Detective in Your Account
Exercise 8.4 Rotate AWS IAM Credentials
Exercise 8.5 Isolate Instances Using a TOR Anonymization Network
As the pioneer and world leader of cloud computing, Amazon Web Services (AWS) has positioned security as its highest priority. Throughout its history, the cloud provider has constantly added security-specific services to its offerings as well as security features to its ever-growing portfolio. Consequently, the AWS Certified Security—Specialty certification offers a great way for IT professionals to achieve industry recognition as cloud security experts and learn how to secure AWS environments, both in concept and practice.
According to the AWS Certified Security Specialty Exam Guide, the corresponding certification attests to your ability to demonstrate the following:
An understanding of specialized data classifications and AWS data protection mechanisms
An understanding of data-encryption methods and AWS mechanisms to implement them
An understanding of secure Internet protocols and AWS mechanisms to implement them
A working knowledge of AWS security services and features of services to provide a secure production environment
Competency from two or more years of production deployment experience in using AWS security services and features
The ability to make trade-off decisions regarding cost, security, and deployment complexity to meet a set of application requirements
An understanding of security operations and risks
Through multiple choice and multiple response questions, you will be tested on your ability to design, operate, and troubleshoot secure AWS architectures composed of compute, storage, networking, and monitoring services. It is expected that you know how to deal with different business objectives (such as cost optimization, agility, and regulations) to determine the best solution for a described scenario.
The AWS Certified Security—Specialty exam is intended for individuals who have performed a security role for three to five years, with at least two years of hands-on experience securing AWS workloads.
To help you prepare for the AWS Certified Security Specialty (SCS-C02) certification exam, AWS Certified Security Study Guide Specialty (SCS-C02) Exam, Second Edition explores the following topics:
Chapter 1: Security Fundamentals
This chapter introduces you to basic security definitions and foundational networking concepts. It also explores major types of attacks, along with the AAA architecture, security frameworks, practical models, and other solutions. In addition, it discusses the TCP/IP protocol stack.
Chapter 2: Cloud Security Principles and Frameworks
This chapter discusses critical AWS Cloud security concepts such as its shared responsibility model, AWS hypervisors, AWS security certifications, the AWS Well-Architected Framework, and the AWS Marketplace. It also addresses both security of the cloud and security in the cloud. These concepts are foundational for working with AWS.
Chapter 3: Management and Security Governance
This chapter discusses strategies to govern your workloads effectively using multiple AWS accounts and AWS Organizations: centrally managing security services through delegated administration, and applying guardrails such as service control policies (SCPs) as a technical means of enforcing policies across your organization. It also addresses how AWS Control Tower helps you consistently deploy architectures based on best practices and security guardrails to protect your workloads.
Chapter 4: Identity and Access Management
This chapter explores AWS Identity and Access Management (IAM), which establishes the foundation for all resource interactions within AWS accounts. It covers authentication methods through various interfaces (AWS Console, CLI, and SDKs) and explains how to implement authorization through policies and permissions. The chapter also addresses critical security features, including multifactor authentication, identity federation, and AWS Secrets Manager, while emphasizing best practices for securing AWS environments. Key concepts include role-based access, cross-account permissions, and the principle of least privilege.
Chapter 5: Security Logging and Monitoring
This chapter discusses how to gather information about the status of your resources and the events they produce through a four-stage framework: resource state, event collection, event analysis, and action. Key services include AWS Config, CloudTrail, CloudWatch, Inspector, Security Lake, Systems Manager, Trusted Advisor, and EventBridge, which work together to provide comprehensive visibility and automated responses to security events in AWS environments.
Chapter 6: Infrastructure Protection
This chapter explores AWS networking concepts such as Amazon VPC, subnets, route tables, and other features related to network address translation (NAT gateways and NAT instances) and traffic filtering (security groups and network access control lists). It also addresses AWS Elastic Load Balancing and how security services such as AWS Web Application Firewall can provide secure access to your cloud-based applications. Finally, it discusses AWS Shield and AWS’s unique approach to mitigating distributed denial-of-service attacks.
Chapter 7: Data Protection
This chapter discusses protecting data using a variety of security services and best practices, including AWS Key Management Service (KMS), the cloud hardware security module (CloudHSM), and AWS Certificate Manager. It also covers creating a customer master key (CMK) in AWS KMS, protecting Amazon S3 buckets, and how Amazon Macie can use machine learning to identify personally identifiable information (PII).
Chapter 8: Threat Detection and Incident Response
This chapter covers AWS threat detection services (including GuardDuty, Security Hub, Trusted Advisor, and Detective) and incident response procedures, emphasizing both manual and automated approaches to handling security incidents. It covers the incident response life cycle, common security scenarios, and best practices for creating and implementing response plans while leveraging AWS services and automation capabilities to detect and remediate security issues effectively.
Appendix A: Answers to Review Questions
This appendix provides the answers to the review questions that appear at the end of each chapter throughout the book.
Appendix B: Creating Your Security Journey in AWS
This appendix discusses how to create a strategy to improve your security posture, consistently prioritizing the initiatives that deliver the greatest security benefit, such as mitigating critical risks as early as possible, and thereby optimizing your team’s results.
Appendix C: AWS Security Services Portfolio
This appendix provides an overview of the 24 AWS cloud services dedicated to security, identity, and compliance.
Appendix D: DevSecOps in AWS
This appendix introduces DevSecOps, the AWS family of services that implement DevOps practices, and how security controls can be implemented in an automated pipeline.
If you believe you’ve found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”
Studying the material in the AWS Certified Security Study Guide: Specialty (SCS-C02) Exam is an important part of preparing for the AWS Certified Security Specialty (SCS-C02) certification exam, but we provide additional tools to help you prepare. The online test bank will help you understand the types of questions that will appear on the certification exam. The online test bank runs on multiple devices.
Sample Tests: The sample tests in the test bank include all the questions at the end of each chapter as well as the questions from the assessment test. In addition, there are two practice exams with 50 questions each. You can use these tests to evaluate your understanding and identify areas that may require additional study.
Flashcards: The flashcards in the test bank will push the limits of what you should know for the certification exam. There are 100 questions provided in digital format. Each flashcard has one question and one correct answer.
Glossary: The online glossary is a searchable list of key terms introduced in this exam guide that you should know for the AWS Certified Security Specialty (SCS-C02) certification exam.
Go to www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools. To start using these tools to study for the AWS Certified Security Specialty (SCS-C02) exam, go to www.wiley.com/go/sybextestprep to register your book and receive your unique PIN. Once you have the PIN, return to www.wiley.com/go/sybextestprep, find your book, and click register or login and follow the link to register a new account or add this book to an existing account.
This table shows the extent, by percentage, of each domain represented on the actual examination.
Domain                                              Percent of Examination
Domain 1: Threat Detection and Incident Response    14%
Domain 2: Security Logging and Monitoring           18%
Domain 3: Infrastructure Security                   20%
Domain 4: Identity and Access Management            16%
Domain 5: Data Protection                           18%
Domain 6: Management and Security Governance        14%
Total                                               100%
Exam objectives are subject to change at any time without prior notice and at AWS’s sole discretion. Visit the AWS Certified Security–Specialty website (aws.amazon.com/certification/certified-security-specialty) for the most current listing of exam objectives.
Objective (Chapters)
Domain 1: Threat Detection and Incident Response
1.1: Design and implement an incident response plan. (Chapters 2, 8)
1.2: Detect security threats and anomalies by using AWS services. (Chapters 1, 5, 8)
1.3: Respond to compromised resources and workloads. (Chapter 8)
Domain 2: Security Logging and Monitoring
2.1: Design and implement monitoring and alerting to address security events. (Chapters 1, 5)
2.2: Troubleshoot security monitoring and alerting. (Chapter 5)
2.3: Design and implement a logging solution. (Chapter 5)
2.4: Troubleshoot logging solutions. (Chapter 5)
2.5: Design a log analysis solution. (Chapter 5)
Domain 3: Infrastructure Security
3.1: Design and implement security controls for edge services. (Chapters 1, 6)
3.2: Design and implement network security controls. (Chapters 1, 6)
3.3: Design and implement security controls for compute workloads. (Chapter 6)
3.4: Troubleshoot network security. (Chapters 2, 6)
Domain 4: Identity and Access Management
4.1: Design, implement, and troubleshoot authentication for AWS resources. (Chapters 1, 4)
4.2: Design, implement, and troubleshoot authorization for AWS resources. (Chapter 4)
Domain 5: Data Protection
5.1: Design and implement controls that provide confidentiality and integrity for data in transit. (Chapter 7)
5.2: Design and implement controls that provide confidentiality and integrity for data at rest. (Chapter 7)
5.3: Design and implement controls to manage the life cycle of data at rest. (Chapters 1, 7)
5.4: Design and implement controls to protect credentials, secrets, and cryptographic key materials. (Chapter 7)
Domain 6: Management and Security Governance
6.1: Develop a strategy to centrally deploy and manage AWS accounts. (Chapter 3)
6.2: Implement a secure and consistent deployment strategy for cloud resources. (Chapter 3)
6.3: Evaluate the compliance of AWS resources. (Chapters 3, 5)
6.4: Identify security gaps through architectural reviews and cost analysis. (Chapter 3)
1. Which one of the following components should not influence an organization’s security policy?
A. Business objectives
B. Regulatory requirements
C. Risk
D. Cost–benefit analysis
E. Current firewall limitations
2. Consider the following statements about the AAA architecture:
I. Authentication deals with the question “Who is the user?”
II. Authorization addresses the question “What is the user allowed to do?”
III. Accountability answers the question “What did the user do?”
Which of the following is correct?
A. Only I is correct.
B. Only II is correct.
C. I, II, and III are correct.
D. I and II are correct.
E. II and III are correct.
3. What is the difference between denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks?
A. DDoS attacks have many targets, whereas DoS attacks have only one each.
B. DDoS attacks target multiple networks, whereas DoS attacks target a single network.
C. DDoS attacks have many sources, whereas DoS attacks have only one each.
D. DDoS attacks target multiple layers of the OSI model and DoS attacks only one.
E. DDoS attacks are synonymous with DoS attacks.
4. Which of the following options is incorrect?
A. A firewall is a security system aimed at isolating specific areas of the network and delimiting domains of trust.
B. Generally speaking, the web application firewall (WAF) is a specialized security element that acts as a full reverse proxy, protecting applications that are accessed through HTTP.
C. Whereas intrusion prevention system (IPS) devices handle only copies of the packets and are mainly concerned with monitoring and alerting tasks, intrusion detection system (IDS) solutions are deployed inline in the traffic flow and have the inherent design goal of avoiding actual damage to systems.
D. Security information and event management (SIEM) solutions are designed to collect security-related logs as well as flow information generated by systems (at the host or the application level), networking devices, and dedicated defense elements such as firewalls, IPSs, IDSs, and antivirus software.
5. In the standard shared responsibility model, AWS is responsible for which of the following options?
A. Regions, availability zones, and data encryption
B. Hardware, firewall configuration, and hypervisor software
C. Hypervisor software, regions, and availability zones
D. Network traffic protection and identity and access management
6. Which AWS service allows you to generate compliance reports that enable you to evaluate the AWS security controls and posture?
A. AWS Artifact
B. AWS Trusted Advisor
C. AWS Well-Architected Tool
D. Amazon Inspector
7. Which of the following contains a definition that is not a pillar from the AWS Well-Architected Framework?
A. Security and operational excellence
B. Reliability and performance efficiency
C. Cost optimization and availability
D. Security and performance efficiency
8. Which of the following services provides a set of APIs that controls access to your resources on the AWS Cloud?
A. AWS AAA
B. AWS IAM
C. AWS Authenticator
D. AWS AD
9. Regarding AWS IAM principals, which option is not correct?
A. A principal is an IAM entity that has permission to interact with resources in the AWS Cloud.
B. They can only be permanent.
C. They can represent a human user, a resource, or an application.
D. They have three types: root users, IAM users, and roles.
10. Which of the following is not a recommendation for protecting your root user credentials?
A. Use a strong password to help protect account-level access to the management console.
B. Enable MFA on your AWS root user account.
C. Do not create an access key for programmatic access to your root user account.
D. If you must maintain an access key to your root user account, you should never rotate it using the AWS Console.
11. In AWS Config, which option is not correct?
A. The main goal of AWS Config is to record configuration and the changes of the resources.
B. AWS Config Rules can decide if a change is good or bad and if it needs to execute an action.
C. AWS Config cannot integrate with external resources like on-premises servers and applications.
D. AWS Config can provide configuration history files, configuration snapshots, and configuration streams.
12. AWS CloudTrail is the service in charge of keeping records of API calls to the AWS Cloud. Which option is not a type of AWS CloudTrail event?
A. Management
B. Insights
C. Data
D. Control
13. In Amazon VPCs, which of the following is not correct?
A. You can deploy only private IP addresses from RFC 1918 within VPCs.
B. VPC is the acronym of Virtual Private Cloud.
C. VPCs do not extend beyond an AWS region.
D. You can configure your VPC to not share hardware with other AWS accounts.
14. In NAT gateways, which option is not correct?
A. NAT gateways are always positioned in public subnets.
B. Route table configuration is usually required to direct traffic to these devices.
C. NAT gateways are highly available by default.
D. Amazon CloudWatch automatically monitors traffic flowing through NAT gateways.
15. In security groups, which option is not correct?
A. Security groups only have allow (permit) rules.
B. The default security group allows all outbound communications.
C. The default security group allows all outbound communications to any destination.
D. You cannot have more than one security group associated with an instance’s ENI.
16. In network ACLs, which option is not correct?
A. They can be considered an additional layer of traffic filtering to security groups.
B. Network ACLs have allow and deny rules.
C. The default network ACL has only one inbound rule, denying all traffic from all protocols and all port ranges, from any source.
D. A subnet can be associated with only one network ACL at a time.
17. In AWS KMS, which option is not correct?
A. KMS can integrate with Amazon S3 and Amazon EBS.
B. KMS can be used to generate SSH access keys for Amazon EC2 instances.
C. KMS is considered multitenant, not a dedicated hardware security module.
D. KMS can be used to provide data-at-rest encryption for RDS, Aurora, DynamoDB, and Redshift databases.
18. Which option is not correct with regard to AWS KMS customer managed keys?
A. A CMK is a 256-bit AES for symmetric keys.
B. A CMK has a key ID, an alias, and an ARN (Amazon Resource Name).
C. A CMK has two policies roles: key administrators and key users.
D. A CMK can also use IAM users, IAM groups, and IAM roles.
19. Which of the following actions is not recommended when an Amazon EC2 instance is compromised by malware?
A. Take a snapshot of the EBS volume at the time of the incident.
B. Change its security group accordingly and reattach any IAM role attached to the instance.
C. Tag the instance as compromised together with an AWS IAM policy that explicitly restricts all operations related to the instance to the incident response and forensics teams.
D. When the incident forensics team wants to analyze the instance, they should deploy it into a totally isolated environment—ideally a private subnet.
20. Which of the following actions is recommended when temporary credentials from an Amazon EC2 instance are inadvertently made public?
A. You should assume that the access key was compromised and revoke it immediately.
B. You should try to locate where the key was exposed and inform AWS.
C. You should not reevaluate the IAM roles attached to the instance.
D. You should avoid rotating your key.
21. Which of the following options may not be considered a security automation trigger?
A. Unsafe configurations from AWS Config or Amazon Inspector
B. AWS Security Hub findings
C. Systems Manager Automation documents
D. Event from Amazon CloudWatch Events
22. Which of the following options may not be considered a security automation response task?
A. An AWS Lambda function can use AWS APIs to change security groups or network ACLs.
B. A Systems Manager Automation document execution run.
C. Systems Manager Run Command can be used to execute commands to multiple hosts.
D. Apply a thorough forensic analysis in an isolated instance.
23. Which of the following may not be considered a troubleshooting tool for security in AWS Cloud environments?
A. AWS CloudTrail
B. Amazon CloudWatch Logs
C. AWS Key Management Service
D. Amazon EventBridge
24. Right after you correctly deploy VPC peering between two VPCs (A and B), inter-VPC traffic is still not happening. What is the most probable cause?
A. The peering must be configured as transitive.
B. The route tables are not configured.
C. You need a shared VPC.
D. You need to configure a routing protocol.
25. A good mental exercise for your future cloud security design can start with the analysis of how AWS native security services and features (as well as third-party security solutions) can replace your traditional security controls. Which of the options is not a valid mapping between traditional security controls and potential AWS security controls?
A. Network segregation (such as firewall rules and router access control lists) and security groups and network ACLs, Web Application Firewall (WAF)
B. Data encryption at rest and Amazon S3 server-side encryption, Amazon EBS encryption, Amazon RDS encryption, and other AWS KMS-enabled encryption features
C. Intrusion monitoring and implementing security controls at the operating system level versus Amazon GuardDuty
D. Role-based access control (RBAC) versus AWS IAM, Active Directory integration through IAM groups, temporary security credentials, AWS Organizations
1. E. Specific control implementations and limitations should not drive a security policy. In fact, the security policy should influence such decisions, and not vice versa.
2. D. Accountability is not part of the AAA architecture; accounting is.
3. C. When a DoS attack is performed in a coordinated fashion, with a simultaneous use of multiple source hosts, the term distributed denial-of-service (DDoS) is used to describe it.
4. C. It’s the other way around.
5. C. AWS is responsible for its regions, availability zones, and hypervisor software. In the standard shared responsibility model, AWS is not responsible for user-configured features such as data encryption, firewall configuration, network traffic protection, and identity and access management.
6. A. AWS Artifact is the free service that allows you to access compliance-related reports.
7. C. Availability is not a pillar from the AWS Well-Architected Framework.
8. B. AWS Identity and Access Management (IAM) gives you the ability to define authentication and authorization methods for using the resources in your account.
9. B. IAM principals can be permanent or temporary.
10. D. If you must maintain an access key to your root user account, which is a bad practice, you should regularly rotate it using the AWS Console.
11. C. AWS Config can also integrate with external resources like on-premises servers and applications, third-party monitoring applications, or version control systems.
12. D. CloudTrail events can be classified as management, insights, and data.
13. A. You can also assign public IP addresses in VPCs.
14. C. You need to design your VPC architecture to include NAT gateway redundancy.
15. D. You can add up to five security groups per network interface.
16. C. The default network ACL also has a Rule 100, which allows all traffic from all protocols and all port ranges, from any source.
17. B. Key pairs (public and private keys) are generated directly from the EC2 service.
18. D. IAM groups cannot be used as principals in KMS policies.
19. B. To isolate a compromised instance, you need to change its security group accordingly and detach (not reattach) any IAM role attached to the instance. You also remove it from Auto Scaling groups so that the service creates a new instance from the template and service interruption is reduced.
20. A. As a best practice, if any access key is leaked to a shared repository (like GitHub)—even if only for a couple of seconds—you should assume that the access key was compromised and revoke it immediately.
21. C. Systems Manager Automation documents are actually a security automation response task.
22. D. A forensic analysis is a detailed investigation for detecting and documenting an incident. It usually requires human action and analysis.
23. C. AWS KMS is a managed service that facilitates the creation and control of the encryption keys used to encrypt your data, but it doesn’t help you troubleshoot in other services.
24. B. VPC peering requires route table configuration to direct traffic between a pair of VPCs.
25. C. Intrusion monitoring and security controls at the operating system level map to third-party solutions, including endpoint detection and response (EDR), antivirus (AV), host intrusion prevention systems (HIPS), anomaly detection, user and entity behavior analytics (UEBA), and patching.
✔ Domain 1: Incident Response
1.2. Verify that the Incident Response plan includes relevant AWS services
✔ Domain 2: Logging and Monitoring
2.1. Design and implement security monitoring and alerting
✔ Domain 3: Infrastructure Security
3.1. Design edge security on AWS
3.2. Design and implement a secure network infrastructure
✔ Domain 4: Identity and Access Management
4.1. Design and implement a scalable authorization and authentication system to access AWS resources
✔ Domain 5: Data Protection
5.3. Design and implement a data encryption solution for data at rest and data in transit
An understanding of the concepts explained in this chapter is critical in your journey to pass the AWS Certified Security Specialty exam. We introduce the following topics:
Basic security definitions
Foundational networking concepts
Main classes of attacks
Risk management
Well-known security frameworks and models
