Book Image

AWS Certified Security – Specialty Exam Guide

By : Stuart Scott
Book Image

AWS Certified Security – Specialty Exam Guide

By: Stuart Scott

Overview of this book

AWS Certified Security – Specialty is a certification exam to validate your expertise in advanced cloud security. With an ever-increasing demand for AWS security skills in the cloud market, this certification can help you advance in your career. This book helps you prepare for the exam and gain certification by guiding you through building complex security solutions. From understanding the AWS shared responsibility model and identity and access management to implementing access management best practices, you'll gradually build on your skills. The book will also delve into securing instances and the principles of securing VPC infrastructure. Covering security threats, vulnerabilities, and attacks such as the DDoS attack, you'll discover how to mitigate these at different layers. You'll then cover compliance and learn how to use AWS to audit and govern infrastructure, as well as to focus on monitoring your environment by implementing logging mechanisms and tracking data. Later, you'll explore how to implement data encryption as you get hands-on with securing a live environment. Finally, you'll discover security best practices that will assist you in making critical decisions relating to cost, security,and deployment complexity. By the end of this AWS security book, you'll have the skills to pass the exam and design secure AWS solutions.

Related Content you might be interested in

Current Title:

Small book image
AWS Certified Security – Specialty Exam Guide
Stuart Scott
Sep, 2020 | 558 pages
Small book image
AWS Certified Solutions Architect - Associate Guide
Stuart Scott | Gabriel Isaias Ramirez Melgarejo
Oct, 2018 | 626 pages
Small book image
AWS Security Cookbook
Heartin Kanikathottu
Feb, 2020 | 440 pages
Small book image
Mastering AWS Security
Albert Anthony
Oct, 2017 | 252 pages
Table of Contents (27 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: The Exam and Preparation
Section 1: The Exam and Preparation
Free Chapter
2
AWS Certified Security - Specialty Exam Coverage
AWS Certified Security - Specialty Exam Coverage
The aim of the certification
Intended audience
Domains assessed
Domain 1 – Incident response
Domain 2 – Logging and monitoring
Domain 3 – Infrastructure security
Domain 4 – Identity and Access Management (IAM)
Domain 5 – Data protection
Exam details
Summary
Questions
Further reading
3
Section 2: Security Responsibility and Access Management
Section 2: Security Responsibility and Access Management
4
AWS Shared Responsibility Model
AWS Shared Responsibility Model
Technical requirements
Shared responsibility model for infrastructure services
Shared responsibility model for container services
Shared responsibility model for abstract services
Summary
Questions
Further reading
5
Access Management
Access Management
Technical requirements
Understanding Identity and Access Management (IAM)
Provisioning users, groups, and roles in IAM
Creating users
Creating groups
Creating roles
Service roles
User roles
Web identity federated roles
SAML 2.0 federated roles
Configuring Multi-Factor Authentication (MFA)
Summary
Questions
Further reading
6
Working with Access Policies
Working with Access Policies
Technical requirements
Understanding the difference between policy types
Identity-based policies
Resource-based policies
Permissions boundaries
Access Control Lists (ACLs)
Organization SCPs
Identifying policy structure and syntax
An example of policy structure
The structure of a resource-based policy
Configuring cross-account access
Creating a cross-account access role
Creating a policy to assume the cross-account role
Assuming the cross-account role
IAM policy management
Permissions
Policy usage
Policy versions
Access Advisor
Policy evaluation
Using bucket policies to control access to S3
Summary
Questions
Further reading
7
Federated and Mobile Access
Federated and Mobile Access
Technical requirements
What is AWS federated access?
Using SAML federation
Gaining federated access to the AWS Management Console
Using social federation
Amazon Cognito
User pools
Identity pools
Gaining access using user and identity pools
Summary
Questions
Further reading
8
Section 3: Security - a Layered Approach
Section 3: Security - a Layered Approach
9
Securing EC2 Instances
Securing EC2 Instances
Technical requirements
Performing a vulnerability scan using Amazon Inspector
Installing the Amazon Inspector agent
Configuring assessment targets
Configuring an assessment template
Running an assessment
Viewing findings
Creating and securing EC2 key pairs
Creating key pairs
Creating key pairs during EC2 deployment
Creating key pairs within the EC2 console
Deleting a key
Deleting a key using the EC2 console
Recovering a lost private key
Connecting to a Linux-based instance with your key pair
Connecting to a Windows-based instance with your key pair
Isolating instances for forensic investigation
AWS monitoring and logging services
AWS CloudTrail
AWS Config
Amazon CloudWatch
VPC Flow Logs
Isolation
Using Systems Manager to administer EC2 instances
Creating resource groups in Systems Manager
Built-in insights
Actions
Automation
Run Command
Session Manager
Distributor
State Manager
Patch Manager
Use default patch baselines, or create your own
Organize instances into patch groups (optional)
Automate the patching schedule by using Maintenance Windows
Monitor patch status to ensure compliance
Summary
Questions
Further reading
10
Configuring Infrastructure Security
Configuring Infrastructure Security
Technical requirements
Understanding a VPC
Creating a VPC using the wizard
Understanding the VPC components
Subnets
The Description tab
The Flow Logs tab
The Route Table and Network ACL tabs
The Tags tab
Internet gateways
Route tables
The Summary tab
The Routes tab
The Subnet Associations tab
The Route Propagation tab
Network access control lists
The Details tab
The Inbound Rules and Outbound Rules tabs
The Subnet associations tab
Security groups
The Description tab
The Inbound Rules and Outbound Rules tabs
The Tags tab
Bastion hosts
NAT instances and NAT gateways
Virtual private gateways
Building a multi-subnet VPC manually
Creating a VPC
Creating public and private VPCs
Creating an IGW
Creating a route table
Creating a NAT gateway
Creating security groups in our subnets
Creating a security group for instances in Public_Subnet
Creating a security group for instances in Private_Subnet
Creating EC2 instances in our subnets
Creating E2C instances in Private_Subnet
Creating E2C instances in Public_Subnet
Creating a route table for Private_Subnet
Creating an NACL for our subnets
Creating an NACL for the public subnet
Creating an NACL for the private subnet
Summary
Questions
Further reading
11
Implementing Application Security
Implementing Application Security
Technical requirements
Exploring AWS WAF
Creating a web ACL
Step 1 – describing the web ACL and associating it with AWS resources
Step 2 – adding rules and rule groups
Step 3 – setting rule priority
Step 4 – configuring metrics
Step 5 – reviewing and creating the web ACL
Using AWS Firewall Manager
Adding your AWS account to an AWS organization
Selecting your primary account to act as the Firewall Manager administrative account
Enabling AWS Config
Creating and applying an AWS WAF policy to AWS Firewall Manager
Managing the security configuration of your ELBs
Types of AWS ELBs
Managing encrypted requests
Requesting a public certificate using ACM
Securing your AWS API Gateway
Controlling access to APIs
IAM roles and policies
IAM tags
Resource policies
VPC endpoint policies
Lambda authorizers
Amazon Cognito user pools
Summary
Questions
Further reading
12
DDoS Protection
DDoS Protection
Technical requirements
Understanding DDoS and its attack patterns
DDoS attack patterns
SYN floods
HTTP floods
Ping of death (PoD)
Protecting your environment using AWS Shield
The two tiers of AWS Shield
AWS Shield Standard
AWS Shield Advanced
Activating AWS Shield Advanced
Configuring AWS Shield Advanced
Selecting your resources to protect
Adding rate-based rules
Adding support from the AWS DDoS Response Team (DRT)
Additional services and features
Summary
Questions
Further reading
13
Incident Response
Incident Response
Technical requirements
Where to start when implementing effective IR
Making use of AWS features
Logging
Threat detection and management
Responding to an incident
A forensic AWS account
Collating log information
Resource isolation
Copying data
Forensic instances
A common approach to an infrastructure security incident
Summary
Questions
Further reading
14
Securing Connections to Your AWS Environment
Securing Connections to Your AWS Environment
Technical requirements
Understanding your connection
Using an AWS VPN
Configuring VPN routing options
Configuring your security groups
Using AWS Direct Connect
Virtual interfaces
Controlling Direct Connect access using policies
Summary
Questions
15
Section 4: Monitoring, Logging, and Auditing
Section 4: Monitoring, Logging, and Auditing
16
Implementing Logging Mechanisms
Implementing Logging Mechanisms
Technical requirements
Implementing logging
Amazon S3 logging
Enabling S3 server access logging
S3 object-level logging
Implementing flow logs
Configuring a VPC flow log for a particular VPC subnet
Understanding the log file format
Understanding log file limitations
VPC Traffic Mirroring
Using AWS CloudTrail logs
Creating a new trail
Configuring CloudWatch integration with your trail
Understanding CloudTrail logs
Consolidating multiple logs from different accounts into a single bucket
Making your logs available to Amazon Athena
Using the CloudWatch logging agent
Creating new roles
Downloading and configuring the agent
Installing the agent on your remaining EC2 instances
Summary
Questions
Further reading
17
Auditing and Governance
Auditing and Governance
Technical requirements
What is an audit?
Understanding AWS Artifact
Accessing reports and agreements
Securing AWS using CloudTrail
Encrypting log files with SSE-KMS
Enabling log file validation
Understanding your AWS environment through AWS Config
Configuration items
Configuration streams
Configuration history
Configuration snapshot
Configuration recorder
AWS Config rules
Resource relationships
AWS Config role
The AWS Config process
Maintaining compliance with Amazon Macie
Classifying data using Amazon Macie
Support vector machine-based classifier
Content type
File extension
Theme
Regex
Amazon Macie data protection
AWS CloudTrail events
AWS CloudTrail errors
Summary
Questions
18
Section 5: Best Practices and Automation
Section 5: Best Practices and Automation
19
Automating Security Detection and Remediation
Automating Security Detection and Remediation
Technical requirements
Using CloudWatch Events with AWS Lambda and SNS
Detecting events with CloudWatch
Configuring a response to an event
Configuring cross-account events using Amazon CloudWatch
Using Amazon GuardDuty
Enabling Amazon GuardDuty
Performing automatic remediation
Using AWS Security Hub
Enabling AWS Security Hub
Insights
Findings
Security standards
Performing automatic remediation
Summary
Questions
20
Discovering Security Best Practices
Discovering Security Best Practices
Technical requirements
Common security best practices
Using AWS Trusted Advisor
Understanding the availability of AWS Trusted Advisor
Reviewing deviations using AWS Trusted Advisor
Yellow alert
Red alert
Penetration testing in AWS
Summary
Questions
21
Section 6: Encryption and Data Security
Section 6: Encryption and Data Security
22
Managing Key Infrastructure
Managing Key Infrastructure
Technical requirements
A simple overview of encryption
Symmetric encryption versus asymmetric encryption
Exploring AWS Key Management Service (KMS)
Understanding the key components of AWS KMS
Customer master keys
AWS-owned CMKs
AWS-managed CMKs
Customer-managed CMKs
Data encryption keys (DEKs)
Encryption
Decryption
KMS key material
Importing your own key material
Key policies
Using only key policies to control access
Using key policies in addition to IAM
Using key policies with grants
Exploring AWS CloudHSM
CloudHSM clusters
Creating a CloudHSM cluster
AWS CloudHSM users
Precrypto Office
Crypto Office
Crypto User
Appliance User
AWS Secrets Manager
Summary
Questions
Further reading
23
Managing Data Security
Managing Data Security
Technical requirements
Amazon EBS encryption
Encrypting an EBS volume
Encrypting a new EBS volume
Encrypting a volume from an unencrypted snapshot
Re-encrypting a volume from an existing snapshot with a new CMK
Applying default encryption to a volume
Amazon EFS
Encryption at rest
Encryption in transit
Amazon S3
Server-side encryption with S3-managed keys (SSE-S3)
Server-side encryption with KMS-managed keys (SSE-KMS)
Server-side encryption with customer-managed keys (SSE-C)
Client-side encryption with KMS-managed keys (CSE-KMS)
Client-side encryption with customer-managed keys (CSE-C)
Amazon RDS
Encryption at rest
Encryption in transit
Amazon DynamoDB
Encryption at rest
DynamoDB encryption options
Encryption in transit
Summary
Questions
24
Mock Tests
Mock exam 1
Answers
Mock exam 2
Answers
25
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
26
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

What this book covers

Chapter 1, AWS Certified Security Specialty Exam Coverage, provides you with an understanding of the different assessment topics that will be covered throughout the exam across the five different domains, including incident response, logging and monitoring, infrastructure security, identity and access management, and data protection.

Chapter 2, AWS Shared Responsibility Model, looks at the different security models (infrastructure, container, and abstract) that define where your responsibility as a customer implementing, controlling, and managing security in AWS starts and ends, in addition to the responsibilities of AWS, which controls the security of the cloud.

Chapter 3, Access Management, outlines the core concepts of identity and access management through the use of users, groups, and roles, and the differences between them. It also dives into the different types of roles available and EC2 instance profiles, before finishing with an understanding of how to implement multi-factor authentication.

Chapter 4, Working with Access Policies, takes a deep look at the multitude of different access policies that exist across the AWS environment, and which policy type should be used in different circumstances.

You will also learn how to read JSON policies to evaluate their permissions and the steps involved to implement cross-account access.

Chapter 5, Federated and Mobile Access, provides you with a comprehensive understanding of different federated access methods, including enterprise identity and social identity federation to provide a single sign-on approach to your AWS environment. In addition, you will also be introduced to the Amazon Cognito service to understand access control through mobile applications and devices. 

Chapter 6, Securing EC2 Instances, tackles the best approach to secure your instance infrastructure using a variety of techniques.  These include performing vulnerability scans using Amazon Inspector, how to manage your EC2 key pairs, using AWS Systems Manager to effectively administer your fleet of EC2 instances, and also, should a security breach occur, how to isolate your EC2 instances for forensic investigation.

Chapter 7, Configuring Infrastructure Security, enables you to gain a full understanding and awareness of the range of Virtual Private Cloud (VPC) security features that AWS offers to effectively secure your VPC environments. By the end of the chapter, you will be able to confidently build a secure multi-subnet VPC using internet gateways, route tables, network access control lists, security groups, bastion hosts, NAT gateways, subnets, and virtual private gateways.

Chapter 8, Implementing Application Security, looks at how to minimize and mitigate threats against your application architecture using different AWS services to prevent them from being compromised. You will also be introduced to the configuration of securing your elastic load balancers using certificates and how to secure your APIs using AWS API Gateway.

Chapter 9, DDoS Protection, highlights how to utilize different AWS features and services to minimize threats against this very common attack to ensure that your infrastructure is not hindered or halted by the threat. You will gain an understanding of the different DDoS attack patterns and how AWS Shield can be used to provide added protection.

Chapter 10, Incident Response, explains the process and steps to manage a security incident and the best practices to help you reduce the blast radius of the attack. You will understand how to prepare for such incidents and the necessary response actions to isolate the issue using a forensic account.

Chapter 11, Securing Connections to Your AWS Environment, provides you with an understanding of the different methods of securely connecting your on-premise data centers to your AWS cloud environment using both a Virtual Private Network (VPN) and the AWS Direct Connect service.  

Chapter 12, Implementing Logging Mechanisms, focuses on Amazon S3 server access logs, VPC flow logs, AWS CloudTrail logs, and the Amazon CloudWatch logging agent to enable you to track and record what is happening across your resources to allow you to monitor your environment for potential weaknesses or signs of attack indicating a security threat.  

Chapter 13, Auditing and Governance, looks at the different methods and AWS services that can play key parts in helping you to maintain a level of governance and how to provide evidence during an audit. You will be introduced to AWS Artifact, the integrity controls of  AWS CloudTrail, AWS Config, and how to maintain compliance with Amazon Macie.

Chapter 14, Automating Security Threat Detection and Remediation, provides you with an understanding of how to implement automation to quickly identify, record, and remediate security threats as and when they occur. It looks at Amazon CloudWatch, Amazon GuardDuty, and AWS Security Hub to help you detect and automatically resolve and block potential security incidents.

Chapter 15, Discovering Security Best Practices, covers a wide range of different methods of implementing security best practices when working with AWS in an effort to enhance your security posture. It highlights and reviews a number of common best practices that are easy to implement and could play a huge role in protecting your solutions and data.

Chapter 16, Managing Key Infrastructure, takes a deep dive look into the world of two data encryption services, the AWS Key Management Service (KMS) and CloudHSM. You will learn how to implement, manage, and secure your data through AWS encryption services and the best service to use to meet your business requirements.

Chapter 17, Managing Data Security, introduces you to a variety of different encryption features related to a range of different services covering both storage and database services, including Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Amazon Simple Storage Service (S3), Amazon Relational Database Service (RDS), and Amazon DynamoDB.  

Chapter 18, Mock Tests, provides you with two mock exams. Each of them is 65 questions in length to review your understanding of the content covered throughout this book to help you assess your level of exam readiness.

Previous Section
Next Section