AWS Certified Security – Specialty Exam Guide

By: Stuart Scott

Overview of this book

AWS Certified Security – Specialty is a certification exam to validate your expertise in advanced cloud security. With an ever-increasing demand for AWS security skills in the cloud market, this certification can help you advance in your career. This book helps you prepare for the exam and gain certification by guiding you through building complex security solutions. From understanding the AWS shared responsibility model and identity and access management to implementing access management best practices, you'll gradually build on your skills. The book will also delve into securing instances and the principles of securing VPC infrastructure. Covering security threats, vulnerabilities, and attacks such as the DDoS attack, you'll discover how to mitigate these at different layers. You'll then cover compliance and learn how to use AWS to audit and govern infrastructure, as well as to focus on monitoring your environment by implementing logging mechanisms and tracking data. Later, you'll explore how to implement data encryption as you get hands-on with securing a live environment. Finally, you'll discover security best practices that will assist you in making critical decisions relating to cost, security, and deployment complexity. By the end of this AWS security book, you'll have the skills to pass the exam and design secure AWS solutions.

Table of Contents (27 chapters)
Section 1: The Exam and Preparation
Section 2: Security Responsibility and Access Management
Section 3: Security - a Layered Approach
Section 4: Monitoring, Logging, and Auditing
Section 5: Best Practices and Automation
Section 6: Encryption and Data Security

Encryption at rest 

By default, at-rest encryption using server-side encryption is enabled on all DynamoDB tables, and this option cannot be turned off or disabled. Again, this method of encryption uses the KMS service.

Unlike Amazon RDS, where you have to use the same KMS key for the lifetime of the database, with DynamoDB you can swap your encryption key at any time. For example, you could create your DynamoDB database with the AWS-managed key for DynamoDB and then, at a later date, once you have created your own customer-managed CMK, select this new key as the key to be used for your encryption.

By default, your DynamoDB primary key, local and global secondary indexes, backups, global tables, and DynamoDB Accelerator (DAX) clusters are all encrypted, which helps to maintain a high level of compliance.
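
The key swap described above can be checked and performed through the DynamoDB and KMS APIs. The following is an added example, not code from the book: it reports which kind of KMS key a table uses and re-keys the table to a customer-managed CMK. The functions accept boto3-style clients; the table name `orders`, the key ARNs, and the stub clients are constructed so the example runs offline.

```python
# Added example (not from the book). Pass boto3.client("dynamodb") and
# boto3.client("kms") in real use; the stub clients below are constructed.

def key_in_use(dynamodb, kms, table_name):
    """Return (key_type, key_arn) describing the table's encryption at rest."""
    sse = dynamodb.describe_table(TableName=table_name)["Table"].get("SSEDescription")
    if not sse:
        # DescribeTable returns no SSEDescription for the default AWS owned key.
        return ("AWS_OWNED", None)
    arn = sse["KMSMasterKeyArn"]
    manager = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
    return ("CUSTOMER_MANAGED" if manager == "CUSTOMER" else "AWS_MANAGED", arn)

def switch_to_cmk(dynamodb, kms, table_name, cmk_id):
    """Re-key the table to a customer-managed key. Returns True if changed."""
    meta = kms.describe_key(KeyId=cmk_id)["KeyMetadata"]
    if meta["KeyManager"] != "CUSTOMER" or meta["KeyState"] != "Enabled":
        raise ValueError("target must be an enabled customer-managed key")
    if key_in_use(dynamodb, kms, table_name)[1] == meta["Arn"]:
        return False  # already on this key, nothing to do
    spec = {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": meta["Arn"]}
    dynamodb.update_table(TableName=table_name, SSESpecification=spec)
    return True

# --- constructed stand-ins so the example runs offline ---
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/example-aws-managed"
CMK = "arn:aws:kms:us-east-1:111122223333:key/example-customer-managed"

class StubKMS:
    keys = {AWS_KEY: {"Arn": AWS_KEY, "KeyManager": "AWS", "KeyState": "Enabled"},
            CMK: {"Arn": CMK, "KeyManager": "CUSTOMER", "KeyState": "Enabled"}}
    def describe_key(self, KeyId):
        return {"KeyMetadata": self.keys[KeyId]}

class StubDynamoDB:
    def __init__(self):
        self.tables = {"orders": {"SSEDescription": {
            "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": AWS_KEY}}}
    def describe_table(self, TableName):
        return {"Table": self.tables[TableName]}
    def update_table(self, TableName, SSESpecification):
        self.tables[TableName]["SSEDescription"]["KMSMasterKeyArn"] = \
            SSESpecification["KMSMasterKeyId"]

if __name__ == "__main__":
    ddb, kms = StubDynamoDB(), StubKMS()
    print(key_in_use(ddb, kms, "orders"), switch_to_cmk(ddb, kms, "orders", CMK))
    print(key_in_use(ddb, kms, "orders"))
```

Refusing a target key that is not an enabled customer-managed key keeps the table from being re-keyed to a key that KMS cannot use.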