AWS Certified Security – Specialty Exam Guide
by Stuart Scott
Title Page
About Packt
Why subscribe?
Copyright and Credits
AWS Certified Security – Specialty Exam Guide
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
Section 1: The Exam and Preparation
AWS Certified Security Specialty Exam Coverage
Aim of the certification
Intended audience
Domains assessed
Domain 1 – Incident response
Domain 2 – Logging and monitoring
Domain 3 – Infrastructure security
Domain 4 – Identity and access management (IAM)
Domain 5 – Data protection
Exam details
Summary
Questions
Further reading
Section 2: Security Responsibility and Access Management
AWS Shared Responsibility Model
Technical requirements
Shared responsibility model for infrastructure services
Shared responsibility model for container services
Shared responsibility model for abstract services
Summary
Questions
Further reading
Access Management
Technical requirements
Understanding Identity and Access Management (IAM)
Provisioning users, groups, and roles in IAM
Creating users
Creating groups
Creating roles
Service roles
User roles
Web identity federated roles
SAML 2.0 federated roles
Configuring Multi-Factor Authentication (MFA)
Summary
Questions
Further reading
Working with Access Policies
Technical requirements
Understanding the difference between policy types
Identity-based policies
Resource-based policies
Permissions boundaries
Access control lists
Organization SCPs
Identifying policy structure and syntax
An example of policy structure
The structure of a resource-based policy
Configuring cross-account access
Creating a cross-account access role
Creating a policy to assume the cross-account role
Assuming the cross-account role
IAM policy management
Permissions
Policy usage
Policy versions
Access Advisor
Policy evaluation
Using bucket policies to control access to S3
Summary
Questions
Further reading
Federated and Mobile Access
Technical requirements
What is AWS federated access?
Using SAML federation
Gaining federated access to the AWS Management Console
Using social federation
Amazon Cognito
User pools
Identity pools
Gaining access using user and identity pools
Summary
Questions
Further reading
Section 3: Security - a Layered Approach
Securing EC2 Instances
Technical requirements
Performing a vulnerability scan using Amazon Inspector
Installing the Amazon Inspector agent
Configuring assessment targets
Configuring an assessment template
Running an assessment
Viewing findings
Creating and securing EC2 key pairs
Creating key pairs
Creating key pairs during EC2 deployment
Creating key pairs within the EC2 console
Deleting a key
Deleting a key using the EC2 console
Recovering a lost private key
Connecting to a Linux-based instance with your key pair
Connecting to a Windows-based instance with your key pair
Isolating instances for forensic investigation
AWS monitoring and logging services
AWS CloudTrail
AWS Config
Amazon CloudWatch
VPC Flow Logs
Isolation
Using Systems Manager to administer EC2 instances
Creating resource groups in Systems Manager
Built-in insights
Actions
Automation
Run Command
Session Manager
Distributor
State Manager
Patch Manager
Use default patch baselines, or create your own
Organizing instances into patch groups (optional)
Automate the patching schedule by using maintenance windows
Monitoring your patch status to ensure compliance
Summary
Questions
Further reading
Configuring Infrastructure Security
Technical requirements
Understanding a VPC
Creating a VPC using the Wizard
Understanding the VPC components
Subnets
The Description tab
The flow logs tab
The Route Table and Network ACL tabs
The Tags tab
Internet gateways
Route tables
The Summary tab
The Routes tab
The Subnet Associations tab
The Route Propagation tab
Network Access Control Lists
The Details tab
The Inbound Rules and Outbound Rules tabs
The Subnet Associations tab
Security groups
The Description tab
The Inbound Rules and Outbound Rules tabs
The Tags tab
Bastion hosts
NAT instances and NAT gateways
Virtual private gateways
Building a multi-subnet VPC manually
Creating a VPC
Creating public and private VPCs
Creating an internet gateway
Creating a route table
Creating a NAT gateway
Creating security groups in our subnets
For instances in your Public_Subnet
For instances in your Private_Subnet
Creating EC2 instances in our subnets
Creating EC2 instances in the Private_Subnet
Creating EC2 instances in the Public_Subnet
Creating a route table for Private_Subnet
Creating an NACL for our subnets
Creating an NACL for the public subnet
Creating an NACL for the private subnet
Summary
Questions
Further reading
Implementing Application Security
Technical requirements
Exploring AWS Web WAF
Creating a web ACL
Step 1 – Describing the web ACL and associating it with AWS resources
Step 2 – Adding rules and rule groups
Step 3 – Setting rule priority
Step 4 – Configuring metrics
Step 5 – Reviewing and creating the web ACL
Using AWS Firewall Manager
Adding your AWS account to an AWS organization
Selecting your primary account to act as the Firewall Manager administrative account
Enabling AWS Config
Creating and applying an AWS WAF policy to AWS Firewall Manager
Managing the security configuration of your ELBs
Types of AWS ELBs
Managing encrypted requests
Requesting a public certificate using ACM
Securing your AWS API Gateway
Controlling access to APIs
IAM roles and policies
IAM tags
Resource policies
VPC endpoint policies
Lambda authorizers
Amazon Cognito user pools
Summary
Questions
Further reading
DDoS Protection
Technical requirements
Understanding DDoS and its attack patterns
DDoS attack patterns
SYN floods
HTTP floods
Ping of death (PoD)
Protecting your environment using AWS Shield
The two tiers of AWS Shield
AWS Shield Standard
AWS Shield Advanced
Activating AWS Shield Advanced
Configuring AWS Shield Advanced
Selecting your resources to protect
Adding rate-based rules
Adding support from the AWS DDoS Response Team (DRT)
Additional services and features
Summary
Questions
Further reading
Incident Response
Technical requirements
Where to start when implementing effective IR
Making use of AWS features
Logging
Threat detection and management
Responding to an incident
Forensic AWS account
Collating log information
Resource isolation
Copying data
Forensic instances
A common approach to an infrastructure security incident
Summary
Questions
Further reading
Securing Connections to Your AWS Environment
Technical requirements
Understanding your connection
Using an AWS VPN
Configuring VPN routing options
Configuring your security groups
Using AWS Direct Connect
Virtual interfaces
Controlling Direct Connect access using policies
Summary
Questions
Section 4: Monitoring, Logging, and Auditing
Implementing Logging Mechanisms
Technical requirements
Implementing logging
Amazon S3 logging
Enabling S3 server access logging
S3 object-level logging
Implementing Flow Logs
Configuring a VPC flow log for a particular VPC subnet
Understanding the log file format
Understanding log file limitations
VPC Traffic Mirroring
Using AWS CloudTrail logs
Creating a new trail
Configuring CloudWatch integration with your trail
Understanding CloudTrail Logs
Consolidating multiple logs from different accounts into a single bucket
Making your logs available to Amazon Athena
Using the CloudWatch logging agent
Creating new roles
Downloading and configuring the agent
Installing the agent on your remaining EC2 instances
Summary
Questions
Further reading
Auditing and Governance
Technical requirements
What is an audit?
Understanding AWS Artifact
Accessing reports and agreements
Securing AWS using CloudTrail
Encrypting log files with SSE-KMS
Enabling log file validation
Understanding your AWS environment through AWS Config
Configuration items
Configuration streams
Configuration history
Configuration snapshot
Configuration recorder
AWS Config rules
Resource relationships
AWS Config role
The AWS Config process
Maintaining compliance with Amazon Macie
Classifying data using Amazon Macie
Support vector machine-based classifier
Content type
File extensions
Themes
Regex
Amazon Macie data protection
AWS CloudTrail events
CloudTrail errors
Summary
Questions
Section 5: Best Practices and Automation
Automating Security Detection and Remediation
Technical requirements
Using CloudWatch events with AWS Lambda and SNS
Detecting events with CloudWatch
Configuring a response to an event
Configuring cross-account events using Amazon CloudWatch
Using Amazon GuardDuty
Enabling Amazon GuardDuty
Performing automatic remediation
Using AWS Security Hub
Enabling AWS Security Hub
Insights
Findings
Security standards
Performing automatic remediation
Summary
Questions
Discovering Security Best Practices
Technical requirements
Common security best practices
Using AWS Trusted Advisor
Understanding the availability of AWS Trusted Advisor
Reviewing deviations using AWS Trusted Advisor
Yellow alert
Red alert
Penetration testing in AWS
Summary
Questions
Section 6: Encryption and Data Security
Managing Key Infrastructure
Technical requirements
A simple overview of encryption
Symmetric encryption versus asymmetric encryption
Exploring AWS Key Management Service (KMS)
Understanding the key components of AWS KMS
Customer master keys
AWS-owned CMKs
AWS-managed CMKs
Customer-managed CMKs
Data encryption keys (DEKs)
Encryption
Decryption
KMS key material
Importing your own key material
Key policies
Using only key policies to control access
Using key policies in addition to IAM
Using key policies with grants
Exploring AWS CloudHSM
CloudHSM clusters
Creating a CloudHSM cluster
AWS CloudHSM users
Precrypto Office
Crypto Office
Crypto User
Appliance User
AWS Secrets Manager
Summary
Questions
Further reading
Managing Data Security
Technical requirements
Amazon EBS encryption
Encrypting an EBS volume
Encrypting a new EBS volume
Encrypting a volume from an unencrypted snapshot
Re-encrypting a volume from an existing snapshot with a new CMK
Applying default encryption to a volume
Amazon EFS
Encryption at rest
Encryption in transit
Amazon S3
Server-side encryption with S3-managed keys (SSE-S3)
Server-side encryption with KMS-managed keys (SSE-KMS)
Server-side encryption with customer-managed keys (SSE-C)
Client-side encryption with KMS-managed keys (CSE-KMS)
Client-side encryption with KMS-managed keys (CSE-C)
Amazon RDS
Encryption at rest
Encryption in transit
Amazon DynamoDB
Encryption at rest
DynamoDB encryption options
Encryption in transit
Summary
Questions
Mock Tests
Mock exam 1
Answers
Mock exam 2
Answers
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Other Books You May Enjoy
Leave a review - let other readers know what you think