AWS Certified Security – Specialty (SCS-C02) Exam Guide - Second Edition
Product type Book
Published in Apr 2024
Publisher Packt
ISBN-13 9781837633982
Pages 614 pages
Edition 2nd Edition
Authors (2): Adam Book, Stuart Scott

Table of Contents (29 Chapters)

Preface
  1. Section 1: AWS Security Fundamentals
  2. Chapter 1: AWS Shared Responsibility Model
  3. Chapter 2: Fundamental AWS Services
  4. Chapter 3: Understanding Attacks on Cloud Environments
  5. Section 2: Incident Response
  6. Chapter 4: Incident Response
  7. Chapter 5: Managing Your Environment with AWS Config
  8. Chapter 6: Event Management with Security Hub and GuardDuty
  9. Section 3: Logging and Monitoring
  10. Chapter 7: Logs Generated by AWS Services
  11. Chapter 8: CloudWatch and CloudWatch Metrics
  12. Chapter 9: Parsing Logs and Events with AWS Native Tools
  13. Section 4: Infrastructure Security
  14. Chapter 10: Configuring Infrastructure Security
  15. Chapter 11: Securing EC2 Instances
  16. Chapter 12: Managing Key Infrastructure
  17. Chapter 13: Access Management
  18. Section 5: Identity and Access Management
  19. Chapter 14: Working with Access Policies
  20. Chapter 15: Federated and Mobile Access
  21. Chapter 16: Using Active Directory Services to Manage Access
  22. Section 6: Data Protection
  23. Chapter 17: Protecting Data in Flight and at Rest
  24. Chapter 18: Securely Connecting to Your AWS Environment
  25. Chapter 19: Using Certificates and Certificate Services in AWS
  26. Chapter 20: Managing Secrets Securely in AWS
  27. Chapter 21: Accessing the Online Practice Resources
  28. Other Books You May Enjoy

Preface

This book aims to provide you with a comprehensive understanding of the AWS Certified Security Specialty exam services. It includes sample architectures and case studies of those sample architectures so you can visualize how AWS services work. There are also plenty of hands-on exercises to try out in your own AWS account. You will find some very helpful use cases and anti-patterns presented for the different services in the book. It’s important to be aware of anti-patterns when preparing for an exam; an exam question may present a service as a potential solution, but that service may actually be an anti-pattern and should not be used. Knowing where a service fits best and where it doesn’t will help you choose the right answers in the exam.

Many certification books assume you will read them once, pass the test, and then place them on your bookshelf or pass them on to a colleague, and both their content and structure reflect this. In contrast, this book has been put together in such a way that you can hopefully use it as a reference guide in your duties as a security professional working in an AWS environment. You will find that extra information that may not necessarily appear in the exam has been added to the book. Once you pass the exam, you will be expected to be able to practically apply the topics you have learned about in the real world. The extra information in the book will help you tackle real-world, high-pressure security events, which can sometimes be harder than cracking the exam.

Who This Book Is For

This book is for anyone who wishes to achieve the Certified Security Specialty certification offered by Amazon Web Services (AWS). Apart from that, this book will also be useful for security professionals looking to gain a more comprehensive understanding of the security aspects of AWS, as well as for AWS users looking to enhance the security of their offerings. The most common roles looking to achieve this certification are as follows:

  • Cloud security consultant
  • Cloud security architect
  • Cloud security engineer
  • DevSecOps engineer
  • Cloud security specialist

This exam assumes you have some basic knowledge of security principles and of information technology or cloud security concepts, or a background in IT security and governance.

The AWS Certified Security Specialty certification recommends a minimum of two years of practical AWS production deployment experience for the test taker. This requirement reflects the depth and technical proficiency expected from the candidate.

What This Book Covers

Chapter 1, AWS Shared Responsibility Model, discusses the different shared responsibility models that define where your responsibilities as a customer implementing, controlling, and managing security in AWS end and where those of AWS itself, which controls the security of the cloud, begin.

Chapter 2, Fundamental AWS Services, briefly covers the core AWS services that will be discussed throughout the book. This chapter aims to ensure that you have a robust understanding of the core services before diving deep into the domains of the Security Specialty certification material.

Chapter 3, Understanding Attacks on Cloud Environments, shows you how the skills acquired from this book translate into protecting your and your customers’ environments from bad actors seeking to take advantage of unprotected environments. It discusses some of the top cloud-native attacks on software and infrastructure, as well as the different AWS services that can be used to combat those attacks.

Chapter 4, Incident Response, explains how you can prepare for and react to incidents manually and automatically. You will learn the value of using a separate security forensic account for quarantine and containment. You will also review several AWS tools designed to help in various incident response situations.

Chapter 5, Managing Your Environment with AWS Config, takes a deep dive into the AWS Config service. It will show you how to use automation to maintain compliance in your AWS environment, as well as how AWS Config can be used across multiple regions and accounts. You will also learn how to use Lambda functions to automatically remediate items that violate your compliance policies using Config’s remediation feature.

Chapter 6, Event Management with Security Hub and GuardDuty, discusses threat detection and security management across one or more accounts with the native tooling available in AWS, namely AWS Security Hub and AWS GuardDuty. You will learn what types of data sources are ingested to provide threat detection, and how you can enable these services and trigger alerts for you and your team.

Chapter 7, Logs Generated by AWS Services, discusses the different sources in AWS from which you can acquire logging data, as well as how to collect and search through these logs centrally. The log types explained include S3 Server Access logs, VPC Flow loglogs, Load Balancer logs, and CloudTrail logs.

Chapter 8, CloudWatch and CloudWatch Metrics, deals with the different monitoring aspects of the CloudWatch service. You will learn how to use and search CloudWatch Logs, install the CloudWatch Logs agent on an EC2 instance, use the basic metrics provided by CloudWatch, and create custom metrics. You will also learn about Amazon EventBridge and EventBridge Rules.

Chapter 9, Parsing Logs and Events with AWS Native Tools, explains the different storage options and their costs. It also takes you through the managed OpenSearch and Kinesis services and how they facilitate log aggregation. Finally, it teaches you how to parse logs with Amazon Athena.

Chapter 10, Configuring Infrastructure Security, aims to help you fully understand the Virtual Private Cloud (VPC) security features AWS offers to effectively secure your VPC environments. By the end of the chapter, you will be able to confidently build a secure multi-subnet VPC using internet gateways, route tables, network access control lists, security groups, bastion hosts, NAT gateways, subnets, and virtual private gateways.

Chapter 11, Securing EC2 Instances, covers securing your instance infrastructure using a variety of techniques. These include performing vulnerability scans using Amazon Inspector, securing your EC2 key pairs, and using AWS Systems Manager to effectively administer your fleet of EC2 instances.

Chapter 12, Managing Key Infrastructure, talks about Key Management Service (KMS), which stores and manages the encryption keys for the different services. You will learn about the differences between Amazon-managed keys and customer-managed keys. You will also learn about the CloudHSM service for companies that need more control over their encryption keys.

Chapter 13, Access Management, focuses on the core concept of Identity and Access Management (IAM) and the IAM service. You will learn how to provision users, groups, and roles in a single account, secure access to those users using Multi-Factor Authentication (MFA), and also look into multi-account access with the IAM Identity Center.

Chapter 14, Working with Access Policies, examines several different policies used to grant access permissions to resources. You will learn how to read, edit, and create IAM and S3 policies. You will also see examples of Service Control Policies (SCPs), which are key tools in providing security and governance to AWS Organizations.

Chapter 15, Federated and Mobile Access, provides comprehensive information on what federated access is. This includes explaining social federation and enterprise federation to your AWS account. You will see how to enable Single Sign-On to your AWS account using SAML. You will also learn about the Amazon Cognito service, which allows your applications to federate with Identity Providers (IdPs).

Chapter 16, Using Active Directory Services to Manage Access, explains the different types of Active Directory offerings in AWS and how to allow federated access from your on-premises system to your AWS cloud environment. You will review the differences between each offering and explore scenarios in which a one-way or two-way trust would be useful.

Chapter 17, Protecting Data in Flight and at Rest, delves into the topic of encryption and, more specifically, how AWS handles encryption with different services. You will learn about Elastic Block Store encryption, Elastic File Store encryption, and options for encrypting S3 buckets from a filesystem and blob perspective. This chapter also covers database encryption, showing you how to encrypt the RDS and DynamoDB services.

Chapter 18, Securely Connecting to Your AWS Environment, teaches you how to connect securely to your AWS environment using AWS Virtual Private Network (VPN), AWS Direct Connect, and AWS CloudHub. It also presents an overview of VPN technology, the types of VPNs in AWS, and IPsec.

Chapter 19, Using Certificates and Certificate Services in AWS, covers the different types of secure certificates used in AWS. It then discusses the AWS Certificate Manager service and explains how it can generate public certificates and act as a private certificate manager. Finally, it shows you how you can use the certificates you generated with ACM with elastic load balancers in your account.

Chapter 20, Managing Secrets Securely in AWS, explains why you should store your secrets securely in a public cloud environment such as AWS. You will review the different service offerings available to help you perform this task: Secrets Manager and Systems Manager Parameter Store. Finally, it shows you how to tell which users actually used any given secret.

Chapter 21, Accessing the Online Practice Resources, presents all the necessary information and guidance on how you can access the online practice resources that come free with your copy of this book. These resources are designed to enhance your exam preparedness.

AWS Certified Security Specialty Exam

The AWS Certified Security Specialty exam was updated on July 11, 2023 and expanded from five domains to six. A new domain, Management and Security Governance, was added. Besides the new domain, Domain 1 now also covers threat detection.

The following table shows you the difference between the latest version of the exam outline and the previous one:

SCS-C01 (Applicable up to July 11, 2023)            | SCS-C02 (Applicable from July 11, 2023)
----------------------------------------------------|--------------------------------------------------------
Domain 1: Incident Response – 12%                   | Domain 1: Threat Detection and Incident Response – 14%
Domain 2: Logging and Monitoring – 20%              | Domain 2: Security Logging and Monitoring – 18%
Domain 3: Infrastructure Security – 26%             | Domain 3: Infrastructure Security – 20%
Domain 4: Identity and Access Management – 20%      | Domain 4: Identity and Access Management – 16%
Domain 5: Data Protection – 22%                     | Domain 5: Data Protection – 18%
                                                    | Domain 6: Management and Security Governance – 14%

Table 0.1: Comparison between the previous and updated version of the exam

Online Practice Resources

With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.

How to access the resources

To learn how to access the online resources, refer to Chapter 21, Accessing the Online Practice Resources at the end of this book.

Figure 0.1 – Online exam-prep platform on a desktop device

Sharpen your knowledge of AWS Certified Security Specialty (SCS-C02) concepts with multiple sets of mock exams, interactive flashcards, and exam tips accessible from all modern web browsers.

Download the Color Images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book.

You can download it here: <https://packt.link/RzbVH>

Conventions Used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “You will use the detect_labels API from Amazon Rekognition in the code.”

A block of code is set as follows:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "b035577b325d98aa1e72ca0000EXAMPLE"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::abcuser-bucket/*"
}

Any command-line input or output is written as follows:

aws iam create-login-profile --user-name Packt --password Ch@ng3mE --password-reset-required

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: “In CloudWatch, each Lambda function will have a log group and, inside that log group, many log streams.”

Tips or important notes

Appear like this.

Get in Touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packt.com.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details. We ensure that all valid errata are promptly updated in the GitHub repository, with the relevant information available in the Readme.md file. You can access the GitHub repository: <https://packt.link/L2aE6>.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read AWS Certified Security – Specialty (SCS-C02) Exam Guide, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a Free PDF Copy of This Book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

  1. Scan the QR code or visit the link below: https://packt.link/free-ebook/9781837633982
  2. Submit your proof of purchase.
  3. That’s it! We’ll send your free PDF and other benefits to your email directly.