title
Please take a moment to fill out this form. We will get back to you as soon as possible.
All fields marked with an asterisk (*) are mandatory.
AWS Certified Security – Specialty
Duration
1 Day
Course
LQEX-AWS-SCS-C01
Available Formats
Exam Vouchers
AWS Training Pass
Take advantage of flexible training options with the AWS Training Pass and get Authorized AWS Training for a full year.
Learn More
Course Description
Overview
The AWS Certified Security – Specialty exam is intended for individuals who perform a security role. The exam validates a candidate’s ability to effectively demonstrate knowledge about securing the AWS platform.The exam also validates whether a candidate has the following:
- An understanding of specialized data classifications and AWS data protection mechanisms
- An understanding of data-encryption methods and AWS mechanisms to implement them
- An understanding of secure internet protocols and AWS mechanisms to implement them
- A working knowledge of AWS security services and features of services to provide a secure production environment
- Competency from 2 or more years of production deployment experience in using AWS security services and features
- The ability to make tradeoff decisions with regard to cost, security, and deployment complexity to meet a set of application requirements
- An understanding of security operations and risks
Objectives
Audience
The target candidate should have 5 years of IT security experience in designing and implementing security solutions. Additionally, the target candidate should have 2 or more years of hands-on experience in securing AWS workloads.
Prerequisites
-
The target candidate should have the following knowledge:
- The AWS shared responsibility model and its application
- Security controls for workloads on AWS
- Logging and monitoring strategies
- Cloud security threat models
- Patch management and security automation
- Ways to enhance AWS security services with third-party tools and services
- Disaster recovery controls, including BCP and backups
- Encryption
- Access control
- Data retention
- Five years of IT security experience in designing and implementing security solutions and at least two years of hands-on experience in securing AWS workloads
- Working knowledge of AWS security services and features of services to provide a secure production environment and an understanding of security operations and risks
- Knowledge of the AWS shared responsibility model and its application; security controls for workloads on AWS; logging and monitoring strategies; cloud security threat models; patch management and security automation; ways to enhance AWS security services with third-party tools and services; and disaster recovery controls, including BCP and backups, encryption, access control, and data retention
- Understanding of specialized data classifications and AWS data protection mechanisms, data-encryption methods and AWS mechanisms to implement them, and secure internet protocols and AWS mechanisms to implement them
- Ability to make tradeoff decisions with regard to cost, security, and deployment complexity to meet a set of application requirements
Topics
Domain 1: Incident Response
1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
- Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation.
- Analyze logs relevant to a reported instance to verify a breach and collect relevant data.
- Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons.
- Determine if changes to baseline security configuration have been made.
- Determine if list omits services, processes, or procedures which facilitate Incident Response.
- Recommend services, processes, procedures to remediate gaps.
- Automate evaluation of conformance with rules for new/changed/removed resources.
- Apply rule-based alerts for common infrastructure misconfigurations.
- Review previous security incidents and recommend improvements to existing systems.
- Analyze architecture and identify monitoring requirements and sources for monitoring statistics.
- Analyze architecture to determine which AWS services can be used to automate monitoring and alerting.
- Analyze the requirements for custom application monitoring and determine how this could be achieved.
- Set up automated tools/scripts to perform regular audits.
- Given an occurrence of a known event without the expected alerting, analyze the service functionality and configuration and remediate.
- Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate.
- Given a custom application which is not reporting its statistics, analyze the configuration and remediate.
- Review audit trails of system and user activity.
- Analyze architecture and identify logging requirements and sources for log ingestion.
- Analyze requirements and implement durable and secure log storage according to AWS best practices.
- Analyze architecture to determine which AWS services can be used to automate log ingestion and analysis.
- Given the absence of logs, determine the incorrect configuration and define remediation steps.
- Analyze logging access permissions to determine incorrect configuration and define remediation steps.
- Based on the security policy requirements, determine the correct log level, type, and sources.
- For a given workload, assess and limit the attack surface.
- Reduce blast radius (e.g. by distributing applications across accounts and regions).
- Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront and Route 53 to protect against DDoS or filter application-level attacks.
- Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes.
- Test WAF rules to ensure they block malicious traffic.
- Disable any unnecessary network ports and protocols.
- Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes.
- Given security requirements, decide on network segmentation (e.g., security groups and NACLs) that allow the minimum ingress/egress access required.
- Determine the use case for VPN or Direct Connect.
- Determine the use case for enabling VPC Flow Logs.
- Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation.
- Determine where network traffic flow is being denied.
- Given a configuration, confirm security groups and NACLs have been implemented correctly.
- Given security requirements, install and configure host-based protections including Inspector, SSM.
- Decide when to use host-based firewall like iptables.
- Recommend methods for host hardening and monitoring.
- Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk.
- Given a description how an organization manages their AWS accounts, verify security of their root user.
- Given your organization’s compliance requirements, determine when to apply user policies and resource policies.
- Within an organization’s policy, determine when to federate a directory service to IAM.
- Design a scalable authorization model that includes users, groups, roles, and policies.
- Identify and restrict individual users of data and AWS resources.
- Review policies to establish that users/systems are restricted from performing functions beyond their responsibility, and also enforce proper separation of duties.
- Investigate a user’s inability to access S3 bucket contents.
- Investigate a user’s inability to switch roles to a different account.
- Investigate an Amazon EC2 instance’s inability to access a given AWS resource.
- Analyze a given scenario to determine an appropriate key management solution.
- Given a set of data protection requirements, evaluate key usage and recommend required changes.
- Determine and control the blast radius of a key compromise event and design a solution to contain the same.
- Break down the difference between a KMS key grant and IAM policy.
- Deduce the precedence given different conflicting policies for a given key.
- Determine when and how to revoke permissions for a user or service in the event of a compromise.
- Given a set of data protection requirements, evaluate the security of the data at rest in a workload and recommend required changes.
- Verify policy on a key such that it can only be used by specific AWS services.
- Distinguish the compliance state of data through tag-based data classifications and automate remediation.
- Evaluate a number of transport encryption techniques and select the appropriate method (i.e. TLS, IPsec, client-side KMS encryption).
Related Courses
-
AWS Security Essentials
AWS-115- Duration: 1 Day
- Delivery Format: Classroom Training, Online Training
- Price: 675.00 USD
-
Security Engineering on AWS
AWS-116- Duration: 3 Days
- Delivery Format: Classroom Training, Online Training
- Price: 2,025.00 USD
Self-Paced Training Info
Learn at your own pace with anytime, anywhere training
- Same in-demand topics as instructor-led public and private classes.
- Standalone learning or supplemental reinforcement.
- e-Learning content varies by course and technology.
- View the Self-Paced version of this outline and what is included in the SPVC course.
- Learn more about e-Learning
Course Added To Shopping Cart
bla
bla
bla
bla
bla
bla
Self-Paced Training Terms & Conditions
THIS IS A SELF-PACED VIRTUAL CLASS. AFTER YOU REGISTER, YOU HAVE 30 DAYS TO COMPLETE THE COURSE.
Before you enroll, review the system requirements to ensure that your system meets the minimum requirements for this course. AFTER YOU ARE ENROLLED IN THIS COURSE, YOU WILL NOT BE ABLE TO CANCEL YOUR ENROLLMENT. You are billed for the course when you submit the enrollment form. Self-Paced Virtual Classes are non-refundable. Once you purchase a Self-Paced Virtual Class, you will be charged the full price.
After you receive confirmation that you are enrolled, you will be sent further instructions to access your course material and remote labs. A confirmation email will contain your online link, your ID and password, and additional instructions for starting the course.
You can start the course at any time within 12 months of enrolling for the course. After you register/start the course, you have 30 days to complete your course. Within this 30 days, the self-paced format gives you the opportunity to complete the course at your convenience, at any location, and at your own pace. The course is available 24 hours a day.
Exam Terms & Conditions
??exam-warning??
??group-training-form-area??
??how-can-we-help-you-area??
??personalized-form-area??
??request-quote-area??
Sorry, there are no classes that meet your criteria.
Please contact us to schedule a class.
STOP! Before You Leave
Save 0% on this course!
Take advantage of our online-only offer & save 0% on any course !
Promo Code skip0 will be applied to your registration
Nothing yet
Purchase Information
??elearning-coursenumber?? ??coursename??
View Cart
title
Please take a moment to fill out this form. We will get back to you as soon as possible.
All fields marked with an asterisk (*) are mandatory.