The AWS Certified Security Specialty (SCS-C01) examination is intended for individuals who perform a security role.
This exam validates an examinee’s ability to effectively demonstrate knowledge about securing the AWS platform. It validates an examinee’s ability to demonstrate:
An understanding of specialized data classifications and AWS data protection mechanisms.
An understanding of data-encryption methods and AWS mechanisms to implement them.
An understanding of secure Internet protocols and AWS mechanisms to implement them.
A working knowledge of AWS security services and features of services to provide a secure production environment.
Competency gained from two or more years of production deployment experience using AWS security services and features.
The ability to make tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements.
An understanding of security operations and risks.
Domain 1: Incident Response
Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
Preparation stages for incident response
Mitigation steps to perform Incident response steps
Verify that the Incident Response plan includes relevant AWS services.
Dealing with exposed access keys
Evaluating suspected compromised EC2 instances
Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues.
AWS GuardDuty
Domain 2: Logging and Monitoring
Design and implement security monitoring and alerting.
Design and implement a logging solution.
Continuous Security Monitoring
Introduction to Vulnerability Assessment
AWS Inspector Assessment targets
AWS EC2 Systems Manager
VPC Flow Logs
AWS CloudTrail
AWS Security Hub
S3 Event notifications
Trusted Advisor recommendations
Troubleshoot security monitoring and alerting.
Troubleshoot logging solutions.
Domain 3: Infrastructure Security
Design edge security on AWS.
Design and implement a secure network infrastructure.
AWS CloudFront Custom SSL
IPS/IDS concepts in cloud
AWS Web Application Firewall (WAF)
AWS Shield concepts
Virtual Private Cloud (VPC)
AWS Lambda fundamentals
AWS Simple Email Service
AWS Route 53 DNS
Troubleshoot a secure network infrastructure
Design and implement host-based security
Domain 4: Identity and Access Management
Design and implement a scalable authorization and authentication system to access AWS resources.
Understand the Principle of Least Privilege
IAM JSON Policy Elements
IAM Permission boundaries
Evaluating effective permissions
Cross account policies & roles
AWS Directory Services
SAML Overview Concepts
Cross Account S3 access
S3 MFA Delete
AWS License Manager
Troubleshoot an authorization and authentication system to access AWS resources.
Domain 5: Data Protection
Design and implement key management and use
Cloud Hardware Security Module (HSM)
AWS Key Management Service (KMS)
KMS Authentication and Access Control
CloudTrail and Encryption
EBS Architecture and Secure Data Wiping
AWS Certificate Manager
ELB: ALB and NLB
Docker and container security fundamentals
Troubleshoot key management.
Design and implement a data encryption solution for data at rest and data in transit.