Hey everyone! My last post was a few weeks back (because life was life’n), but I wanted to follow up with another article covering another domain as I push along my studies for the security specialty. With all that’s happened within the past week or so, I decided to push my exam date out two extra weeks, to be able to properly study the material and write the articles about each domain as it’s fresh on my mind.
The third domain, “Infrastructure Security,” of the SCS-C02 AWS Certified Security Specialty exam blueprint covers how to secure the layers everything else in the cloud runs on: the network boundaries, and the compute, storage and database services behind them. You are expected to know which AWS services and tools apply at each of those layers and how to configure them. This domain also carries the most weight of all six, at 20% of the exam. Below are the key AWS services and tools you need to be comfortable with for this domain:
Amazon Virtual Private Cloud (VPC)
An Amazon VPC is a logically isolated section of the AWS cloud in which you have complete control over the virtual networking environment: the IP address range, the subnets, the route tables and gateways, and the security groups and network ACLs that filter traffic in and out. Think of it as your own piece of real estate in the cloud, fenced and laid out to your specification. Used well, it gives you an immensely flexible and secure network environment; used carelessly (a route to an internet gateway here, a 0.0.0.0/0 rule there), it is where most exposure in this domain comes from.
AWS Identity and Access Management (IAM)
AWS Identity and Access Management is a web service that enables you to securely control access to AWS services and resources. You can use IAM to create and manage users, groups and roles, and attach policies that allow or deny their access to AWS resources. It is the security guard at the door of your AWS environment: it checks IDs, decides who is allowed in, and limits what those who get in can do. IAM is so important that it has an entire domain of its own (Domain 4), which goes in depth on the related services and best practices. Check out the previously written article here: Domain 4 – IAM
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service for applications running on AWS. Shield Standard is enabled automatically, at no additional charge, and defends against the most common network- and transport-layer (layer 3/4) attacks. Shield Advanced adds always-on detection and more sophisticated inline mitigations, DDoS cost protection, and access to the Shield Response Team; paired with AWS WAF it extends the coverage to application-layer (layer 7) attacks. The goal of both tiers is the same: minimise the downtime and added latency an attack inflicts on your application.
AWS WAF (Web Application Firewall)
AWS WAF helps you protect your web applications against common web exploits, such as SQL injection and cross-site scripting, that could affect availability, compromise security, or consume excessive resources. You define a web ACL of rules (your own, AWS Managed Rules, or rate-based rules) that inspects HTTP(S) requests arriving at Amazon CloudFront, an Application Load Balancer, API Gateway or AppSync, and allows, blocks or counts each request. This gives you fine-grained control over the traffic reaching your applications, with easily customisable rules to filter anything you consider a threat.
Amazon Inspector
Amazon Inspector is an automated vulnerability management service that helps improve the security and compliance of your workloads on AWS. It continuously scans EC2 instances, container images in Amazon ECR and Lambda functions for software vulnerabilities (known CVEs) and unintended network exposure, and prioritises its findings with a risk score. In short, it is an active agent in your AWS environment, constantly searching for security flaws.
AWS Key Management Service (KMS)
AWS Key Management Service makes it easy for you to create and control the cryptographic keys used across the broadest range of AWS services and applications. It acts as secure key storage: the KMS keys never leave the service unencrypted, every use of a key is an API call authorised by a key policy and logged in CloudTrail, and large data is encrypted with a data key that KMS hands back wrapped under the KMS key (envelope encryption).
Amazon CloudFront
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. It matters for this domain because it is the edge of your application: it terminates TLS, can force HTTPS, keeps an S3 origin private through origin access control, and is the integration point for AWS WAF and AWS Shield.
VPC Endpoints
VPC Endpoints enable private connections between your VPC and AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. It is like having a direct, private line to AWS services that bypasses the public internet. There are two kinds: gateway endpoints (for S3 and DynamoDB, implemented as a route-table entry) and interface endpoints (elastic network interfaces backed by AWS PrivateLink, for most other services). An endpoint policy restricts what can be done through the endpoint, and a resource policy using the aws:SourceVpce condition key restricts a bucket or other resource to traffic that arrives through a specific endpoint.
AWS Systems Manager
AWS Systems Manager is a great way to increase operational visibility and achieve control across your AWS resources, letting you automate operational tasks so that your environment stays safe. For this domain the pieces to know are Session Manager (shell access to instances without opening inbound SSH/RDP ports or running bastion hosts), Patch Manager (automated patching), Run Command (remote execution without logging in) and Parameter Store (configuration and secrets). It is like a remote control for your AWS resources that makes handling your infrastructure easier.
Best Practices for Conquering Domain 3
Hands-on Labs:
I know, many will omit this part and focus primarily on the theory behind the security services within this domain. However, the easiest way to cement the knowledge is to get active within the AWS environment. Here are some things you can do to get the ball rolling:
- Set up and configure a VPC: Practice creating VPCs, subnets, route tables, internet gateways, and setting up security groups and network ACLs. Experiment with different configurations and confirm their effect on traffic, for example that security groups are stateful and allow-only (return traffic is permitted automatically and there are no deny rules), while network ACLs are stateless and evaluated in ascending rule-number order with an implicit deny at the end, so a subnet ACL needs an explicit outbound rule for ephemeral ports or replies never leave. (An understanding of networking concepts is assumed.)
- Implement IAM best practices: Create users, groups, roles, and policies. Practice applying the principle of least privilege by granting the minimal necessary permissions.
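To make the first lab concrete, here is a small Python simulation of the two traffic filters it asks you to experiment with. It is an added example written for this topic, not code from the original article or from AWS; the rule representation, the helper names (flow_allowed, admin_ports_open_to_world), and the sample addresses and rule sets are constructed for illustration, and ICMP type/code matching is left out.

```python
"""Simulate how a subnet network ACL and an instance security group decide whether
traffic reaches an EC2 instance.  Added example, not code from the original post;
the rule tuples and sample rule sets are constructed for illustration, and ICMP
type/code matching is not modelled."""
import ipaddress
from collections import namedtuple

# NACL rule: number decides evaluation order (ascending, first match wins);
# protocol is "tcp", "udp" or "-1" (all protocols, port range ignored); action is "allow"/"deny".
NaclRule = namedtuple("NaclRule", "number protocol port_from port_to cidr action")
# Security group rule: allow-only, so there is no action field.
SgRule = namedtuple("SgRule", "protocol port_from port_to cidr")


def _matches(rule, protocol, port, ip):
    """True when a rule's protocol, port range and CIDR all cover the packet."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


class NetworkAcl:
    """Stateless: inbound and outbound are evaluated independently, in rule-number
    order, and a packet matching no rule hits the implicit '*' deny at the end."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)

    @staticmethod
    def _evaluate(rules, protocol, port, ip):
        for rule in sorted(rules, key=lambda r: r.number):
            if _matches(rule, protocol, port, ip):
                return rule.action == "allow"   # first matching rule decides
        return False                            # implicit deny

    def allows_inbound(self, protocol, dst_port, src_ip):
        return self._evaluate(self.inbound, protocol, dst_port, src_ip)

    def allows_outbound(self, protocol, dst_port, dst_ip):
        return self._evaluate(self.outbound, protocol, dst_port, dst_ip)


class SecurityGroup:
    """Stateful: once an inbound connection is allowed its return traffic is allowed
    automatically, so a server is modelled with inbound rules only."""

    def __init__(self, inbound):
        self.inbound = list(inbound)

    def allows_inbound(self, protocol, dst_port, src_ip):
        return any(_matches(r, protocol, dst_port, src_ip) for r in self.inbound)


def flow_allowed(nacl, sg, protocol, client_ip, client_port, server_port):
    """A TCP connection needs the SYN to get in AND the SYN-ACK to get back out.
    Returns (inbound_ok, return_ok): the NACL must allow both legs explicitly,
    the security group only needs the inbound rule because it tracks state."""
    inbound_ok = (nacl.allows_inbound(protocol, server_port, client_ip)
                  and sg.allows_inbound(protocol, server_port, client_ip))
    return inbound_ok, nacl.allows_outbound(protocol, client_port, client_ip)


def admin_ports_open_to_world(sg):
    """Audit check: inbound rules exposing SSH (22) or RDP (3389) to any address."""
    return [r for r in sg.inbound
            if r.cidr in ("0.0.0.0/0", "::/0")
            and (r.protocol == "-1"
                 or any(r.port_from <= p <= r.port_to for p in (22, 3389)))]


# Constructed sample rule sets for a public web subnet.
WEB_INBOUND = [NaclRule(90, "tcp", 443, 443, "198.51.100.7/32", "deny"),   # block one abusive IP
               NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
               NaclRule(110, "tcp", 22, 22, "203.0.113.0/24", "allow")]    # SSH only from the office
HTTPS_OUT = NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")
EPHEMERAL_OUT = NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")
# Mistake 1: no outbound ephemeral-port rule, so replies to HTTPS clients never leave the subnet.
BROKEN_NACL = NetworkAcl(WEB_INBOUND, [HTTPS_OUT])
FIXED_NACL = NetworkAcl(WEB_INBOUND, [HTTPS_OUT, EPHEMERAL_OUT])
# Mistake 2: the deny is numbered after the broad allow, so it never takes effect.
MISORDERED_NACL = NetworkAcl([NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
                              NaclRule(150, "tcp", 443, 443, "198.51.100.7/32", "deny")],
                             [HTTPS_OUT, EPHEMERAL_OUT])
# Mistake 3: the security group opens SSH to the world; only the NACL's rule 110 limits it.
WEB_SG = SecurityGroup([SgRule("tcp", 443, 443, "0.0.0.0/0"), SgRule("tcp", 22, 22, "0.0.0.0/0")])

if __name__ == "__main__":
    for name, nacl in (("broken", BROKEN_NACL), ("fixed", FIXED_NACL)):
        print(name, "HTTPS from 198.51.100.8:", flow_allowed(nacl, WEB_SG, "tcp", "198.51.100.8", 51515, 443))
    print("blocked IP, fixed vs misordered:", FIXED_NACL.allows_inbound("tcp", 443, "198.51.100.7"),
          MISORDERED_NACL.allows_inbound("tcp", 443, "198.51.100.7"))
    print("SSH from the internet:", flow_allowed(FIXED_NACL, WEB_SG, "tcp", "198.51.100.8", 40000, 22))
    print("SG audit findings:", admin_ports_open_to_world(WEB_SG))
```

Running it shows the three mistakes the comments call out: with the broken NACL an HTTPS client gets in but the reply is dropped on the way out, the deny numbered 150 never fires because rule 100 already matched, and the security group's world-open SSH rule is only contained because the subnet ACL is tighter. Change a rule number, CIDR or port range in the sample sets and rerun to see how each change propagates, which is exactly the intuition the lab is meant to build.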
Documentation, Documentation, Documentation
Utilize AWS Documentation and Whitepapers: AWS documentation and whitepapers are invaluable resources for understanding the specifics of each service, including security features, best practices, and use cases. Look for the security best practices guides and the service-specific documentation. You will hear me say this in every post! To know the documentation is to know the product, so get familiar with reading.
Practice Exams
Nothing humbles the soul faster than a practice exam. There are countless resources online to choose from, but the ones that tend to be closest in nature (in my opinion) are:
1. AWS Practice Exams: Released officially from AWS, they provide 40 questions that are to be completed within an hour. In order to access these practice exams, you need to have a Skill Builder account (which comes at a premium).
2. Tutorials Dojo: I’ve relied heavily on Tutorials Dojo for most of my AWS related exam material. Often, I’ve found these practice exams more challenging than the real thing. Usually, these practice exams are around $17.99, but often there are sales that drop the price drastically.
As previously mentioned, this was merely to shed light on some relevant topics that you are expected to know, but if you’re looking for a more granular explanation of what is to be on the exam, please take a look at the exam guide found here https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide.pdf
Sincerely,
Carl+Alt+Del