Book Image

AWS Certified Security – Specialty Exam Guide

By : Stuart Scott
Book Image

AWS Certified Security – Specialty Exam Guide

By: Stuart Scott

Overview of this book

AWS Certified Security – Specialty is a certification exam to validate your expertise in advanced cloud security. With an ever-increasing demand for AWS security skills in the cloud market, this certification can help you advance in your career. This book helps you prepare for the exam and gain certification by guiding you through building complex security solutions. From understanding the AWS shared responsibility model and identity and access management to implementing access management best practices, you'll gradually build on your skills. The book will also delve into securing instances and the principles of securing VPC infrastructure. Covering security threats, vulnerabilities, and attacks such as the DDoS attack, you'll discover how to mitigate these at different layers. You'll then cover compliance and learn how to use AWS to audit and govern infrastructure, as well as to focus on monitoring your environment by implementing logging mechanisms and tracking data. Later, you'll explore how to implement data encryption as you get hands-on with securing a live environment. Finally, you'll discover security best practices that will assist you in making critical decisions relating to cost, security,and deployment complexity. By the end of this AWS security book, you'll have the skills to pass the exam and design secure AWS solutions.

Related Content you might be interested in

Current Title:

Small book image
AWS Certified Security – Specialty Exam Guide
Stuart Scott
Sep, 2020 | 558 pages
Small book image
AWS Certified Solutions Architect - Associate Guide
Stuart Scott | Gabriel Isaias Ramirez Melgarejo
Oct, 2018 | 626 pages
Small book image
AWS Security Cookbook
Heartin Kanikathottu
Feb, 2020 | 440 pages
Small book image
Mastering AWS Security
Albert Anthony
Oct, 2017 | 252 pages
Table of Contents (27 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: The Exam and Preparation
Section 1: The Exam and Preparation
Free Chapter
2
AWS Certified Security - Specialty Exam Coverage
AWS Certified Security - Specialty Exam Coverage
The aim of the certification
Intended audience
Domains assessed
Domain 1 – Incident response
Domain 2 – Logging and monitoring
Domain 3 – Infrastructure security
Domain 4 – Identity and Access Management (IAM)
Domain 5 – Data protection
Exam details
Summary
Questions
Further reading
3
Section 2: Security Responsibility and Access Management
Section 2: Security Responsibility and Access Management
4
AWS Shared Responsibility Model
AWS Shared Responsibility Model
Technical requirements
Shared responsibility model for infrastructure services
Shared responsibility model for container services
Shared responsibility model for abstract services
Summary
Questions
Further reading
5
Access Management
Access Management
Technical requirements
Understanding Identity and Access Management (IAM)
Provisioning users, groups, and roles in IAM
Creating users
Creating groups
Creating roles
Service roles
User roles
Web identity federated roles
SAML 2.0 federated roles
Configuring Multi-Factor Authentication (MFA)
Summary
Questions
Further reading
6
Working with Access Policies
Working with Access Policies
Technical requirements
Understanding the difference between policy types
Identity-based policies
Resource-based policies
Permissions boundaries
Access Control Lists (ACLs)
Organization SCPs
Identifying policy structure and syntax
An example of policy structure
The structure of a resource-based policy
Configuring cross-account access
Creating a cross-account access role
Creating a policy to assume the cross-account role
Assuming the cross-account role
IAM policy management
Permissions
Policy usage
Policy versions
Access Advisor
Policy evaluation
Using bucket policies to control access to S3
Summary
Questions
Further reading
7
Federated and Mobile Access
Federated and Mobile Access
Technical requirements
What is AWS federated access?
Using SAML federation
Gaining federated access to the AWS Management Console
Using social federation
Amazon Cognito
User pools
Identity pools
Gaining access using user and identity pools
Summary
Questions
Further reading
8
Section 3: Security - a Layered Approach
Section 3: Security - a Layered Approach
9
Securing EC2 Instances
Securing EC2 Instances
Technical requirements
Performing a vulnerability scan using Amazon Inspector
Installing the Amazon Inspector agent
Configuring assessment targets
Configuring an assessment template
Running an assessment
Viewing findings
Creating and securing EC2 key pairs
Creating key pairs
Creating key pairs during EC2 deployment
Creating key pairs within the EC2 console
Deleting a key
Deleting a key using the EC2 console
Recovering a lost private key
Connecting to a Linux-based instance with your key pair
Connecting to a Windows-based instance with your key pair
Isolating instances for forensic investigation
AWS monitoring and logging services
AWS CloudTrail
AWS Config
Amazon CloudWatch
VPC Flow Logs
Isolation
Using Systems Manager to administer EC2 instances
Creating resource groups in Systems Manager
Built-in insights
Actions
Automation
Run Command
Session Manager
Distributor
State Manager
Patch Manager
Use default patch baselines, or create your own
Organize instances into patch groups (optional)
Automate the patching schedule by using Maintenance Windows
Monitor patch status to ensure compliance
Summary
Questions
Further reading
10
Configuring Infrastructure Security
Configuring Infrastructure Security
Technical requirements
Understanding a VPC
Creating a VPC using the wizard
Understanding the VPC components
Subnets
The Description tab
The Flow Logs tab
The Route Table and Network ACL tabs
The Tags tab
Internet gateways
Route tables
The Summary tab
The Routes tab
The Subnet Associations tab
The Route Propagation tab
Network access control lists
The Details tab
The Inbound Rules and Outbound Rules tabs
The Subnet associations tab
Security groups
The Description tab
The Inbound Rules and Outbound Rules tabs
The Tags tab
Bastion hosts
NAT instances and NAT gateways
Virtual private gateways
Building a multi-subnet VPC manually
Creating a VPC
Creating public and private VPCs
Creating an IGW
Creating a route table
Creating a NAT gateway
Creating security groups in our subnets
Creating a security group for instances in Public_Subnet
Creating a security group for instances in Private_Subnet
Creating EC2 instances in our subnets
Creating E2C instances in Private_Subnet
Creating E2C instances in Public_Subnet
Creating a route table for Private_Subnet
Creating an NACL for our subnets
Creating an NACL for the public subnet
Creating an NACL for the private subnet
Summary
Questions
Further reading
11
Implementing Application Security
Implementing Application Security
Technical requirements
Exploring AWS WAF
Creating a web ACL
Step 1 – describing the web ACL and associating it with AWS resources
Step 2 – adding rules and rule groups
Step 3 – setting rule priority
Step 4 – configuring metrics
Step 5 – reviewing and creating the web ACL
Using AWS Firewall Manager
Adding your AWS account to an AWS organization
Selecting your primary account to act as the Firewall Manager administrative account
Enabling AWS Config
Creating and applying an AWS WAF policy to AWS Firewall Manager
Managing the security configuration of your ELBs
Types of AWS ELBs
Managing encrypted requests
Requesting a public certificate using ACM
Securing your AWS API Gateway
Controlling access to APIs
IAM roles and policies
IAM tags
Resource policies
VPC endpoint policies
Lambda authorizers
Amazon Cognito user pools
Summary
Questions
Further reading
12
DDoS Protection
DDoS Protection
Technical requirements
Understanding DDoS and its attack patterns
DDoS attack patterns
SYN floods
HTTP floods
Ping of death (PoD)
Protecting your environment using AWS Shield
The two tiers of AWS Shield
AWS Shield Standard
AWS Shield Advanced
Activating AWS Shield Advanced
Configuring AWS Shield Advanced
Selecting your resources to protect
Adding rate-based rules
Adding support from the AWS DDoS Response Team (DRT)
Additional services and features
Summary
Questions
Further reading
13
Incident Response
Incident Response
Technical requirements
Where to start when implementing effective IR
Making use of AWS features
Logging
Threat detection and management
Responding to an incident
A forensic AWS account
Collating log information
Resource isolation
Copying data
Forensic instances
A common approach to an infrastructure security incident
Summary
Questions
Further reading
14
Securing Connections to Your AWS Environment
Securing Connections to Your AWS Environment
Technical requirements
Understanding your connection
Using an AWS VPN
Configuring VPN routing options
Configuring your security groups
Using AWS Direct Connect
Virtual interfaces
Controlling Direct Connect access using policies
Summary
Questions
15
Section 4: Monitoring, Logging, and Auditing
Section 4: Monitoring, Logging, and Auditing
16
Implementing Logging Mechanisms
Implementing Logging Mechanisms
Technical requirements
Implementing logging
Amazon S3 logging
Enabling S3 server access logging
S3 object-level logging
Implementing flow logs
Configuring a VPC flow log for a particular VPC subnet
Understanding the log file format
Understanding log file limitations
VPC Traffic Mirroring
Using AWS CloudTrail logs
Creating a new trail
Configuring CloudWatch integration with your trail
Understanding CloudTrail logs
Consolidating multiple logs from different accounts into a single bucket
Making your logs available to Amazon Athena
Using the CloudWatch logging agent
Creating new roles
Downloading and configuring the agent
Installing the agent on your remaining EC2 instances
Summary
Questions
Further reading
17
Auditing and Governance
Auditing and Governance
Technical requirements
What is an audit?
Understanding AWS Artifact
Accessing reports and agreements
Securing AWS using CloudTrail
Encrypting log files with SSE-KMS
Enabling log file validation
Understanding your AWS environment through AWS Config
Configuration items
Configuration streams
Configuration history
Configuration snapshot
Configuration recorder
AWS Config rules
Resource relationships
AWS Config role
The AWS Config process
Maintaining compliance with Amazon Macie
Classifying data using Amazon Macie
Support vector machine-based classifier
Content type
File extension
Theme
Regex
Amazon Macie data protection
AWS CloudTrail events
AWS CloudTrail errors
Summary
Questions
18
Section 5: Best Practices and Automation
Section 5: Best Practices and Automation
19
Automating Security Detection and Remediation
Automating Security Detection and Remediation
Technical requirements
Using CloudWatch Events with AWS Lambda and SNS
Detecting events with CloudWatch
Configuring a response to an event
Configuring cross-account events using Amazon CloudWatch
Using Amazon GuardDuty
Enabling Amazon GuardDuty
Performing automatic remediation
Using AWS Security Hub
Enabling AWS Security Hub
Insights
Findings
Security standards
Performing automatic remediation
Summary
Questions
20
Discovering Security Best Practices
Discovering Security Best Practices
Technical requirements
Common security best practices
Using AWS Trusted Advisor
Understanding the availability of AWS Trusted Advisor
Reviewing deviations using AWS Trusted Advisor
Yellow alert
Red alert
Penetration testing in AWS
Summary
Questions
21
Section 6: Encryption and Data Security
Section 6: Encryption and Data Security
22
Managing Key Infrastructure
Managing Key Infrastructure
Technical requirements
A simple overview of encryption
Symmetric encryption versus asymmetric encryption
Exploring AWS Key Management Service (KMS)
Understanding the key components of AWS KMS
Customer master keys
AWS-owned CMKs
AWS-managed CMKs
Customer-managed CMKs
Data encryption keys (DEKs)
Encryption
Decryption
KMS key material
Importing your own key material
Key policies
Using only key policies to control access
Using key policies in addition to IAM
Using key policies with grants
Exploring AWS CloudHSM
CloudHSM clusters
Creating a CloudHSM cluster
AWS CloudHSM users
Precrypto Office
Crypto Office
Crypto User
Appliance User
AWS Secrets Manager
Summary
Questions
Further reading
23
Managing Data Security
Managing Data Security
Technical requirements
Amazon EBS encryption
Encrypting an EBS volume
Encrypting a new EBS volume
Encrypting a volume from an unencrypted snapshot
Re-encrypting a volume from an existing snapshot with a new CMK
Applying default encryption to a volume
Amazon EFS
Encryption at rest
Encryption in transit
Amazon S3
Server-side encryption with S3-managed keys (SSE-S3)
Server-side encryption with KMS-managed keys (SSE-KMS)
Server-side encryption with customer-managed keys (SSE-C)
Client-side encryption with KMS-managed keys (CSE-KMS)
Client-side encryption with customer-managed keys (CSE-C)
Amazon RDS
Encryption at rest
Encryption in transit
Amazon DynamoDB
Encryption at rest
DynamoDB encryption options
Encryption in transit
Summary
Questions
24
Mock Tests
Mock exam 1
Answers
Mock exam 2
Answers
25
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
26
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Bastion hosts

Bastion hosts are used to gain access to your instances that reside within your private subnets from the internet and the bastion itself resides within the public subnet. The difference between a public subnet and a private subnet is this: subnets only become classed as public when an IGW is attached to a VPC and a route exists within the route table associated with the subnet with a Destination value of 0.0.0.0/0 via the target of an IGW, for example:

Any subnet associated with a route table pointing to an IGW with a destination address of 0.0.0.0/0 is considered a public subnet as it has direct access to the internet. Any subnet without this route is considered private, as there is no route to get out to the internet or vice versa.

So, to clarify, for a subnet to be public, the following must be the case:

  • The VPC must have an IGW attached.
  • The subnet must have a route pointing to the internet (0.0.0.0/0) with a target of the IGW.

When a subnet is public...

Previous Section
End of Section 25
Next Section