AWS Certified Security Specialty: Everything You Need To Know

• Aim of the certification
• Intended audience
• Domains accessed
• How to Book Exam
• Exam details

• An understanding of specialized data classifications and AWS data protection mechanisms
• An understanding of data encryption methods and AWS mechanisms to implement them
• An understanding of secure internet protocols and AWS mechanisms to implement them
• Working knowledge of AWS security services and the features of services used to provide a secure production environment
• Competency gained from 2 or more years of production deployment experience using AWS security services and features
• The ability to make trade-off decisions about cost, security, and deployment complexity is given a set of application requirements.
• An understanding of security operations and risks

• • Cloud security consultant
  • Cloud security architect
  • Cloud security engineer
  • Cloud security specialist

The certification can be given by anyone; there are no prerequisites in terms of other certifications for taking this AWS Certified Security – Specialty

Domain 1 – Incident response (12% of Examination)

This domain will test how to identify, respond to, and resolve AWS incidents across a range of services:

• 1.1: Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys: In this, you will be expected to know how to respond to an incident and the steps to remediate the issue, and the necessary action that is required, depending on the affected resource in question.
• 1.2: Verify that the incident response plan includes the relevant AWS services: When an incident occurs within an AWS System, you must know the appropriate AWS resources to identify, isolate, and resolve the issue, without affecting or hindering other AWS infrastructure and valuable resources.
• 1.3: Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues: You must understand proactive monitoring and speed are two key elements when analyzing your infrastructure for potential issues, in addition to utilizing automated services. You must have an understanding of these features and how they can assist you to spot a potential problem and help you to resolve the issue.

Additionally, you’ll need to become familiar with these recommended Amazon security services:

• AWS Config
• AWS CloudTrail
• Amazon CloudWatch
• Amazon GuardDuty
• AWS Lambda
• Amazon Inspector

Domain 2 – Logging and monitoring (20% of Examination)

Basically, this domain determines the user’s ability to implement and troubleshoot solutions relating to logging, monitoring, and alerting & you will need to be able to deploy, operate, and troubleshoot solutions relating to these four components within your AWS infrastructure:

• 2.1: Design and implement security monitoring and alerting: The user must have a complete comprehension of the available monitoring and alerting services within AWS. Additionally, you need to be aware of how these can be utilized and integrated to implement an effective solution for monitoring your infrastructure for security threats & vulnerabilities.
• 2.2: Troubleshoot security monitoring and alerting:  You need to be aware of how the architecture is coupled together and the prerequisites for specific AWS features.
• 2.3: Design and implement a logging solution: Data held in logs generated from services and applications can provide a wealth of information to help you identify a potential security breach. Therefore, you must have an awareness of implementing a solution to capture and record log data.
• 2.4: Troubleshoot logging solutions: you have to understand the key components, concepts, and how components depend on one another to enable you to resolve any incidents.

Additionally, you’ll need to become familiar with these recommended Amazon security services:

• CloudWatch
• CloudTrail
• Athena
• Config
• Inspector

Domain 3 – Infrastructure security (26% of Examination)

This domain assesses your ability to implement security best practices across your AWS architecture, from an individual host to your VPC and then to the outer reaches of your edge infrastructure. This domain carries the highest percentage mark across your certification, so it is recommended to understand all the concepts and components:

• 3.1: Design edge security on AWS: An understanding of Amazon CloudFront and its security capabilities and controls is required, in addition to other edge services offered by AWS.
• 3.2: Design and implement a secure network infrastructure: In this, you will be tested on your knowledge of Virtual Private Cloud infrastructure and how an environment meets other security needs using route tables, Network Access Control Lists (NACLs), bastion hosts, NAT gateways, Internet Gateway (IGWs), and security groups.
• 3.3: Troubleshoot a secure network infrastructure: This ensures that you have a deep level of security architecture, enabling you to quickly pinpoint the most likely cause of misconfiguration from a security perspective.
• 3.4: Design and implement host-based security: This majorly focuses on security controls enabled and configured on individual hosts, such as your Elastic Compute Cloud (EC2) instances.

Especially for this domain, you need to focus on these issues:

• Edge security
• Host-based security of your EC2 instances
• DDoS mitigation within AWS
• Protecting against common exploits such as cross-site scripting (XSS) and SQL injection

Additionally, you’ll need to become familiar with these recommended Amazon security services:

• AWS WAF (Web Application Firewall)
• AWS Shield for DDoS protection

Domain 4 – Identity and Access Management (IAM) (20% of Examination)

This domain will focus on everything access control-related regarding the IAM service and how to control access to your AWS resources. IAM must be understood inside out:

• 4.1: Design and implement a scalable authorization and authentication system to access AWS resources: This will test your knowledge of authentication and authorization mechanisms, from multi-factor authorization to implementing conditional-based IAM policies for cross-account access on AWS.
• 4.2: Troubleshoot an authorization and authentication system to access the AWS resources domain: In this, you will be required to demonstrate your ability to resolve complex permission-based issues with your AWS resources.

Additionally, you’ll need to become familiar with these recommended Amazon security services:

• CloudTrail
• Multi-factor authentication (MFA)
• Active Directory Federation (ADF)

Domain 5 – Data protection(22% of Examination)

This domain requires you to have a solid understanding of how data within AWS can be protected through an encryption mechanism, both at rest and in transit. You will be assessed on services relating to encryption, specifically the Key Management Service (KMS):

• 5.1: Design and implement fundamental management and use: This required you to demonstrate your knowledge of encryption using KMS. You must be aware of when, how, and why this service is used and which services can benefit the most.
• 5.2: Troubleshoot key management: You need to understand how you can configure the permissions surrounding these keys and what to look for when troubleshooting issues relating to data encryption and customer master keys.
• 5.3: Design and implement a data encryption solution for data at rest and data in transit: In this, you will be assessed on your understanding of encryption as a whole. You must demonstrate that you have the knowledge to encrypt data in any state using the correct configuration, depending on a set of requirements.

How to Book the [SCS-C01] Exam

• Step 1: Visit the AWS Training and Certification
• Step 2: Select the desired certificate from the available list i.e.SCS-C01
• Step 3: Select the schedule with Pearson VUE or PSI.
• Step 4: Select the exam mode home via online proctoring or Test center.
• Step 5: Agree upon the Terms and Conditions.
• Step 6: Select the Date, and time and confirm with the payment method.

Related References

• AWS Certificate Manager: Overview, Features and How it Works?
• AWS Database Services – Amazon RDS, Aurora, DynamoDB, ElastiCache
• Multi-Account Management Using AWS Organizations
• AWS Certified Solutions Architect: Roles & Responsibilities
• Amazon Kinesis Overview, Features And Benefits
• AWS Route 53 Introduction

Next Task For You

Begin your journey towards becoming an AWS Certified Security Specialty by joining our FREE Informative Class on AWS Security Specialty Certification & Demo by clicking on the below image.