Title Page
About Packt
  Why subscribe?
Copyright and Credits
  AWS Certified Security – Specialty Exam Guide
Contributors
  About the author
  About the reviewer
  Packt is searching for authors like you
Preface
  Who this book is for
  What this book covers
  To get the most out of this book
    Code in Action
    Download the color images
    Conventions used
  Get in touch
    Reviews

Section 1: The Exam and Preparation

AWS Certified Security Specialty Exam Coverage
  Aim of the certification
  Intended audience
  Domains assessed
    Domain 1 – Incident response
    Domain 2 – Logging and monitoring
    Domain 3 – Infrastructure security
    Domain 4 – Identity and access management (IAM)
    Domain 5 – Data protection
  Exam details
  Summary
  Questions
  Further reading

Section 2: Security Responsibility and Access Management

AWS Shared Responsibility Model
  Technical requirements
  Shared responsibility model for infrastructure services
  Shared responsibility model for container services
  Shared responsibility model for abstract services
  Summary
  Questions
  Further reading

Access Management
  Technical requirements
  Understanding Identity and Access Management (IAM)
  Provisioning users, groups, and roles in IAM
    Creating users
    Creating groups
    Creating roles
      Service roles
      User roles
      Web identity federated roles
      SAML 2.0 federated roles
  Configuring Multi-Factor Authentication (MFA)
  Summary
  Questions
  Further reading

Working with Access Policies
  Technical requirements
  Understanding the difference between policy types
    Identity-based policies
    Resource-based policies
    Permissions boundaries
    Access control lists
    Organization SCPs
  Identifying policy structure and syntax
    An example of policy structure
    The structure of a resource-based policy
  Configuring cross-account access
    Creating a cross-account access role
    Creating a policy to assume the cross-account role
    Assuming the cross-account role
  IAM policy management
    Permissions
    Policy usage
    Policy versions
    Access Advisor
  Policy evaluation
  Using bucket policies to control access to S3
  Summary
  Questions
  Further reading

Federated and Mobile Access
  Technical requirements
  What is AWS federated access?
  Using SAML federation
    Gaining federated access to the AWS Management Console
  Using social federation
  Amazon Cognito
    User pools
    Identity pools
    Gaining access using user and identity pools
  Summary
  Questions
  Further reading

Section 3: Security - a Layered Approach

Securing EC2 Instances
  Technical requirements
  Performing a vulnerability scan using Amazon Inspector
    Installing the Amazon Inspector agent
    Configuring assessment targets
    Configuring an assessment template
    Running an assessment
    Viewing findings
  Creating and securing EC2 key pairs
    Creating key pairs
      Creating key pairs during EC2 deployment
      Creating key pairs within the EC2 console
    Deleting a key
      Deleting a key using the EC2 console
    Recovering a lost private key
    Connecting to a Linux-based instance with your key pair
    Connecting to a Windows-based instance with your key pair
  Isolating instances for forensic investigation
    AWS monitoring and logging services
      AWS CloudTrail
      AWS Config
      Amazon CloudWatch
      VPC Flow Logs
    Isolation
  Using Systems Manager to administer EC2 instances
    Creating resource groups in Systems Manager
    Built-in insights
    Actions
      Automation
      Run Command
      Session Manager
      Distributor
      State Manager
      Patch Manager
        Use default patch baselines, or create your own
        Organizing instances into patch groups (optional)
        Automate the patching schedule by using maintenance windows
        Monitoring your patch status to ensure compliance
  Summary
  Questions
  Further reading

Configuring Infrastructure Security
  Technical requirements
  Understanding a VPC
    Creating a VPC using the Wizard
    Understanding the VPC components
      Subnets
        The Description tab
        The flow logs tab
        The Route Table and Network ACL tabs
        The Tags tab
      Internet gateways
      Route tables
        The Summary tab
        The Routes tab
        The Subnet Associations tab
        The Route Propagation tab
      Network Access Control Lists
        The Details tab
        The Inbound Rules and Outbound Rules tabs
        The Subnet associations tab
      Security groups
        The Description tab
        The Inbound Rules and Outbound Rules tab
        The Tags tab
      Bastion hosts
      NAT instances and NAT gateways
      Virtual private gateways
  Building a multi-subnet VPC manually
    Creating a VPC
    Creating public and private VPCs
    Creating an internet gateway
    Creating a route table
    Creating a NAT gateway
    Creating security groups in our subnets
      For instances in your 'Public_Subnet'
      For Instances in your Private_Subnet
    Creating EC2 instances in our subnets
      Creating EC2 instances in the Private_Subnet
      Creating EC2 instances in the Public_Subnet
    Creating a route table for Private_Subnet
    Creating an NACL for our subnets
      Creating an NACL for the public subnet
      Create an NACL for the private Subnet
  Summary
  Questions
  Further reading

Implementing Application Security
  Technical requirements
  Exploring AWS Web WAF
    Creating a web ACL
      Step 1 – Describing the web ACL and associating it with AWS resources
      Step 2 – Adding rules and rule groups
      Step 3 – Setting rule priority
      Step 4 – Configuring metrics
      Step 5 – Reviewing and creating the web ACL
  Using AWS Firewall Manager
    Adding your AWS account to an AWS organization
    Selecting your primary account to act as the Firewall Manager administrative account
    Enabling AWS Config
    Creating and applying an AWS WAF policy to AWS Firewall Manager
  Managing the security configuration of your ELBs
    Types of AWS ELBs
    Managing encrypted requests
    Requesting a public certificate using ACM
  Securing your AWS API Gateway
    Controlling access to APIs
      IAM roles and policies
      IAM tags
      Resource policies
      VPC endpoint policies
      Lambda authorizers
      Amazon Cognito user pools
  Summary
  Questions
  Further reading

DDoS Protection
  Technical requirements
  Understanding DDoS and its attack patterns
    DDoS attack patterns
      SYN floods
      HTTP floods
      Ping of death (PoD)
  Protecting your environment using AWS Shield
    The two tiers of AWS Shield
      AWS Shield Standard
      AWS Shield Advanced
    Activating AWS Shield Advanced
    Configuring AWS Shield Advanced
      Selecting your resources to protect
      Adding rate-based rules
      Adding support from the AWS DDoS Response Team (DRT)
      Additional services and features
  Summary
  Questions
  Further reading

Incident Response
  Technical requirements
  Where to start when implementing effective IR
  Making use of AWS features
    Logging
    Threat detection and management
  Responding to an incident
    Forensic AWS account
    Collating log information
    Resource isolation
    Copying data
    Forensic instances
  A common approach to an infrastructure security incident
  Summary
  Questions
  Further reading

Securing Connections to Your AWS Environment
  Technical requirements
  Understanding your connection
  Using an AWS VPN
    Configuring VPN routing options
    Configuring your security groups
  Using AWS Direct Connect
    Virtual interfaces
    Controlling Direct Connect access using policies
  Summary
  Questions

Section 4: Monitoring, Logging, and Auditing

Implementing Logging Mechanisms
  Technical requirements
  Implementing logging
  Amazon S3 logging
    Enabling S3 server access logging
    S3 object-level logging
  Implementing Flow Logs
    Configuring a VPC flow log for a particular VPC subnet
    Understanding the log file format
    Understanding log file limitations
    VPC Traffic Mirroring
  Using AWS CloudTrail logs
    Creating a new trail
    Configuring CloudWatch integration with your trail
    Understanding CloudTrail Logs
    Consolidating multiple logs from different accounts into a single bucket
    Making your logs available to Amazon Athena
  Using the CloudWatch logging agent
    Creating new roles
    Downloading and configuring the agent
    Installing the agent on your remaining EC2 instances
  Summary
  Questions
  Further reading

Auditing and Governance
  Technical requirements
  What is an audit?
  Understanding AWS Artifact
    Accessing reports and agreements
  Securing AWS using CloudTrail
    Encrypting log files with SSE-KMS
    Enabling log file validation
  Understanding your AWS environment through AWS Config
    Configuration items
    Configuration streams
    Configuration history
    Configuration snapshot
    Configuration recorder
    AWS Config rules
    Resource relationships
    AWS Config role
    The AWS Config process
  Maintaining compliance with Amazon Macie
    Classifying data using Amazon Macie
      Support vector machine-based classifier
      Content type
      File extensions
      Themes
      Regex
    Amazon Macie data protection
      AWS CloudTrail events
      CloudTrail errors
  Summary
  Questions

Section 5: Best Practices and Automation

Automating Security Detection and Remediation
  Technical requirements
  Using CloudWatch events with AWS Lambda and SNS
    Detecting events with CloudWatch
    Configuring a response to an event
    Configuring cross-account events using Amazon CloudWatch
  Using Amazon GuardDuty
    Enabling Amazon GuardDuty
    Performing automatic remediation
  Using AWS Security Hub
    Enabling AWS Security Hub
    Insights
    Findings
    Security standards
    Performing automatic remediation
  Summary
  Questions

Discovering Security Best Practices
  Technical requirements
  Common security best practices
  Using AWS Trusted Advisor
    Understanding the availability of AWS Trusted Advisor
    Reviewing deviations using AWS Trusted Advisor
      Yellow alert
      Red alert
  Penetration testing in AWS
  Summary
  Questions

Section 6: Encryption and Data Security

Managing Key Infrastructure
  Technical requirements
  A simple overview of encryption
    Symmetric encryption versus asymmetric encryption
  Exploring AWS Key Management Service (KMS)
    Understanding the key components of AWS KMS
      Customer master keys
        AWS-owned CMKs
        AWS-managed CMKs
        Customer-managed CMKs
      Data encryption keys (DEKs)
        Encryption
        Decryption
      KMS key material
        Importing your own key material
      Key policies
        Using only key policies to control access
        Using key policies in addition to IAM
        Using key policies with grants
  Exploring AWS CloudHSM
    CloudHSM clusters
      Creating a CloudHSM cluster
    AWS CloudHSM users
      Precrypto Office
      Crypto Office
      Crypto User
      Appliance User
  AWS Secrets Manager
  Summary
  Questions
  Further reading

Managing Data Security
  Technical requirements
  Amazon EBS encryption
    Encrypting an EBS volume
      Encrypting a new EBS volume
      Encrypting a volume from an unencrypted snapshot
      Re-encrypting a volume from an existing snapshot with a new CMK
    Applying default encryption to a volume
  Amazon EFS
    Encryption at rest
    Encryption in transit
  Amazon S3
    Server-side encryption with S3-managed keys (SSE-S3)
    Server-side encryption with KMS-managed keys (SSE-KMS)
    Server-side encryption with customer-managed keys (SSE-C)
    Client-side encryption with KMS-managed keys (CSE-KMS)
    Client-side encryption with KMS-managed keys (CSE-C)
  Amazon RDS
    Encryption at rest
    Encryption in transit
  Amazon DynamoDB
    Encryption at rest
      DynamoDB encryption options
    Encryption in transit
  Summary
  Questions

Mock Tests
  Mock exam 1
    Answers
  Mock exam 2
    Answers

Assessments
  Chapter 1
  Chapter 2
  Chapter 3
  Chapter 4
  Chapter 5
  Chapter 6
  Chapter 7
  Chapter 8
  Chapter 9
  Chapter 10
  Chapter 11
  Chapter 12
  Chapter 13
  Chapter 14
  Chapter 15
  Chapter 16
  Chapter 17

Other Books You May Enjoy
  Leave a review - let other readers know what you think