AWS Security Specialty (SCS-C02) Prep – Domain 5 -Data Protection

hdd, computer, laptop-7880077.jpg

Hey Everyone! I fell off the map for a while, but I wanted to share my current experience with the AWS Security Specialty exam.

I decided to sit for the exam remotely, because my options were slim for in-person. Prior to taking the exam, I made sure my system & internet passed all needed checks. Now that it’s exam time, I sat for about 2 hrs, and completed about 90% of my exam before the problems came rolling in. I tried a few times to reboot the Pearson Vue application, but the end result was the proctor voiding my exam, and issuing another voucher code days later.

Nonetheless, I will end up rescheduling the exam sometime in the near future, but wanted to still complete my blog series on the AWS security specialty.

For the AWS Security Specialty SCS-C02 exam, Domain 5 focuses on Data Protection. Here’s a list of AWS tools and services that are crucial in this domain, but be advised that some services might overlap with other domains. However, each domain may focus on a particular aspect of the tool or service. Sooooo, lets get it!

  1. AWS Key Management Service (KMS) helps you create and manage cryptographic keys used to encrypt and decrypt data. AWS KMS is integrated with other AWS services to simplify the encryption process across your applications and services.
  2. AWS CloudHSM provides hardware security modules in the cloud. It’s used when you need to meet strict regulatory requirements for data encryption, offering you control and flexibility by managing your own encryption keys in a dedicated hardware device.
  3. AWS Certificate Manager (ACM) is used to provision, manage, and deploy SSL/TLS certificates for web applications and services. ACM helps in securing network communications and establishing the identity of websites over the Internet.
  4. Amazon S3 Encryption offers built-in encryption capabilities to protect your data at rest. You can choose either to manage the keys yourself or let S3 manage them for you, ensuring that your stored data is encrypted and secure.
  5. Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. This service is particularly useful for identifying and securing Personally Identifiable Information (PII) or financial data stored in Amazon S3.
  6. AWS Secrets Manager helps manage access to sensitive data like API keys, passwords, and tokens. You can securely retrieve, store, and rotate these credentials through their lifecycle without hard-coding them in your applications.
  7. AWS Identity and Access Management (IAM) known for managing access, IAM plays a crucial role in data protection by controlling who can access specific AWS resources, thereby helping protect the data contained within those resources.

Best Practices for Bossing Up on Domain 5

Here are a few things I would really focus on prior to sitting for the exam:

Deep Dive into Encryption Techniques: Understand the difference between symmetric and asymmetric encryption, when to use each, and the benefits they offer in various scenarios. Learn about AWS services like AWS Key Management Service (KMS) and AWS CloudHSM, focusing on how they manage encryption keys and the specific use cases they are designed for.

Practice with AWS KMS: Gain hands-on experience by creating, managing, and applying encryption keys using AWS KMS. Experiment with encrypting and decrypting data, rotating keys, and using customer managed keys versus AWS managed keys.

Explore S3 Encryption Options: Learn the nuances between S3 client-side encryption and server-side encryption. Understand the roles of S3-managed keys (SSE-S3), KMS-managed keys (SSE-KMS), and customer-provided keys (SSE-C). Set up different encryption configurations in an S3 bucket to understand their impacts and behaviors.

Utilize AWS Certificate Manager: Get comfortable with AWS Certificate Manager by practicing how to provision, manage, and deploy SSL/TLS certificates. This will help in securing data in transit within your AWS environment.

Familiarize Yourself with Amazon Macie: Use Amazon Macie to discover, classify, and protect sensitive data. Learn how to configure and run Macie jobs, understand the findings, and how to respond to potential security threats or data leaks.

Hands-On with AWS Secrets Manager: Practice using AWS Secrets Manager to handle secrets lifecycle management. Explore how to securely store, access, and rotate credentials automatically, reducing the risk of hard-coding sensitive information in your code.

Understand IAM Policies and Roles: Since IAM is integral to securing access to data, ensure you are proficient in writing and debugging IAM policies. Know how to use conditions and least privilege principles to limit access to sensitive data effectively.

As previously mentioned, this was merely to shed light on some relevant topics that you are expected to know, but if you’re looking for a more granular explanation of what is to be on the exam, please take a look at the exam guide found here https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide.pdf

Sincerely,

Carl+Alt+Del

Leave a Comment

Your email address will not be published. Required fields are marked *