Book Image

AWS Certified Security – Specialty Exam Guide

By : Stuart Scott
Book Image

AWS Certified Security – Specialty Exam Guide

By: Stuart Scott

Overview of this book

AWS Certified Security – Specialty is a certification exam to validate your expertise in advanced cloud security. With an ever-increasing demand for AWS security skills in the cloud market, this certification can help you advance in your career. This book helps you prepare for the exam and gain certification by guiding you through building complex security solutions. From understanding the AWS shared responsibility model and identity and access management to implementing access management best practices, you'll gradually build on your skills. The book will also delve into securing instances and the principles of securing VPC infrastructure. Covering security threats, vulnerabilities, and attacks such as the DDoS attack, you'll discover how to mitigate these at different layers. You'll then cover compliance and learn how to use AWS to audit and govern infrastructure, as well as to focus on monitoring your environment by implementing logging mechanisms and tracking data. Later, you'll explore how to implement data encryption as you get hands-on with securing a live environment. Finally, you'll discover security best practices that will assist you in making critical decisions relating to cost, security,and deployment complexity. By the end of this AWS security book, you'll have the skills to pass the exam and design secure AWS solutions.
Table of Contents (27 chapters)
1
Section 1: The Exam and Preparation
3
Section 2: Security Responsibility and Access Management
8
Section 3: Security - a Layered Approach
15
Section 4: Monitoring, Logging, and Auditing
18
Section 5: Best Practices and Automation
21
Section 6: Encryption and Data Security

Customer master keys

The CMK is the main building block of the KMS service as it contains the key material used for both encrypting and decrypting data. 

KMS supports both symmetric and asymmetric CMKs. Any symmetric keys created and stored within KMS will be a 256-bit key that will, of course, be used for both encryption and decryption and will never leave the KMS service. The "private" key of any asymmetric key pairs that are created will be retained within the KMS service. Asymmetric keys were introduced into KMS in November 2019 and there are a few differences between the two, including the following:

  • Symmetric keys can be used to generate symmetric data keys in addition to asymmetric data key pairs.
  • Importing your own key material is only supported for symmetric CMKs.
  • Automatic key rotation is only supported for symmetric CMKs.
  • When using a custom key store, you can only store symmetric CMKs.
  • Asymmetric keys can either be used for encryption and decryption...