AWS Security Specialty
Master the SCS-C02 exam — threat detection with GuardDuty, Detective, Inspector and Macie; IAM least privilege; KMS encryption; S3 data protection; WAF, Shield and Network Firewall; and org-wide governance with Control Tower.
Threat Detection & Incident Response
Design and implement threat detection using GuardDuty, Detective, Inspector, Macie and Security Hub. Build automated incident response playbooks using EventBridge and Lambda. Know each service's specific function and when to use them together.
Threat Detection — GuardDuty, Detective, Inspector, Macie
Detect threats · Investigate findings · Scan vulnerabilities · Classify sensitive data
🔍 Amazon GuardDuty
- Intelligent threat detection using ML + threat intel
- Sources: CloudTrail, VPC Flow Logs, DNS logs, S3
- Finding types: Recon, Backdoor, Trojan, UnauthorizedAccess, CryptoCurrency
- Suppression rules: auto-archive known-good findings
- Trusted IP lists & custom threat intel feeds
- Multi-account: delegated admin via Organizations
🛡️ AWS Security Hub
- Aggregates: GuardDuty, Inspector, Macie, Access Analyzer
- Security standards: CIS, AWS FSBP, PCI DSS, NIST
- ASFF (AWS Security Finding Format) — normalized findings
- Custom insights for filtering and grouping
- Cross-Region/account aggregation via delegated admin
- Auto-remediation via EventBridge → Lambda
🔬 Amazon Detective
- INVESTIGATES security findings — NOT detection
- Behavior graphs from CloudTrail, VPC Flow Logs, GuardDuty
- Visualizes entity timelines: IP, role, user activity
- Answers "why did GuardDuty fire?" with full context
- Works directly with Security Hub findings
- Cannot be used alone — works after GuardDuty fires
🔎 Amazon Inspector
- Automated CVE vulnerability scanning
- Scans: EC2 instances, Lambda functions, ECR images
- EC2 requires SSM Agent + AmazonSSMManagedInstanceCore
- CVE-based findings with CVSS scores
- Continuous scanning — not point-in-time
- Integrates with Security Hub; Inspector v2 only
🚨 Incident Response Automation
- IR pattern: GuardDuty → EventBridge → Lambda
- Isolate EC2: attach deny-all SG, remove from ELB/ASG
- Snapshot EBS volumes for forensic analysis
- Revoke IAM credentials: disable key + TokenIssueTime Deny
- Tag instance with incident ID for tracking
- Never terminate until forensics complete
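The GuardDuty → EventBridge → Lambda pattern above, as an added example that is not part of this study guide or of any AWS sample: planning is kept separate from the boto3 calls so the playbook can be dry-run locally. The quarantine SG id, finding id and instance id are constructed placeholders; the event shape follows the GuardDuty EventBridge event schema (`detail.resource.instanceDetails.instanceId`, `detail.severity`).

```python
"""Added example: GuardDuty -> EventBridge -> Lambda EC2 isolation playbook.
Planning is pure Python; boto3 is imported only inside lambda_handler."""

# Placeholders: a real deployment reads the quarantine SG from an env var.
QUARANTINE_SG = "sg-0123456789abcdef0"   # SG with no inbound and no outbound rules
SEVERITY_THRESHOLD = 7.0                 # act on High (7.0+) findings only


def parse_finding(event):
    """Pull the fields the playbook needs out of an EventBridge GuardDuty event."""
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event["detail"]
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None                      # this playbook only handles EC2 findings
    return {
        "finding_id": detail["id"],
        "type": detail["type"],
        "severity": float(detail["severity"]),
        "instance_id": resource["instanceDetails"]["instanceId"],
    }


def build_response_plan(finding, threshold=SEVERITY_THRESHOLD):
    """Ordered actions for the IR pattern: tag, isolate, snapshot, preserve.
    Termination is deliberately absent: forensics first, never terminate early."""
    if finding is None or finding["severity"] < threshold:
        return []
    iid = finding["instance_id"]
    return [
        ("tag", iid, {"IncidentId": finding["finding_id"], "GuardDutyType": finding["type"]}),
        ("isolate", iid, QUARANTINE_SG),
        ("snapshot", iid, f"forensic copy for {finding['finding_id']}"),
        ("preserve", iid, True),
    ]


def execute_plan(plan, ec2):
    """Apply the plan with an EC2 client (boto3 or any stand-in with the same calls)."""
    done = []
    for action, iid, arg in plan:
        if action == "tag":
            ec2.create_tags(Resources=[iid], Tags=[{"Key": k, "Value": v} for k, v in arg.items()])
        elif action == "isolate":
            # Replacing the SG list with the quarantine SG cuts all traffic; ELB/ASG
            # deregistration would be added here in a full playbook.
            ec2.modify_instance_attribute(InstanceId=iid, Groups=[arg])
        elif action == "snapshot":
            for res in ec2.describe_instances(InstanceIds=[iid])["Reservations"]:
                for inst in res["Instances"]:
                    for mapping in inst.get("BlockDeviceMappings", []):
                        if mapping.get("Ebs"):   # skip instance-store mappings
                            ec2.create_snapshot(VolumeId=mapping["Ebs"]["VolumeId"], Description=arg)
        elif action == "preserve":
            ec2.modify_instance_attribute(InstanceId=iid, DisableApiTermination={"Value": arg})
        done.append(action)
    return done


class RecordingEC2:
    """Constructed stand-in for dry runs: records calls instead of touching AWS."""
    def __init__(self, volumes):
        self.volumes, self.calls = volumes, []
    def create_tags(self, **kw): self.calls.append(("create_tags", kw))
    def modify_instance_attribute(self, **kw): self.calls.append(("modify_instance_attribute", kw))
    def create_snapshot(self, **kw): self.calls.append(("create_snapshot", kw))
    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings":
                [{"Ebs": {"VolumeId": v}} for v in self.volumes]}]}]}


def lambda_handler(event, context):
    import boto3  # imported here so planning and dry runs work without boto3 installed
    return {"actions": execute_plan(build_response_plan(parse_finding(event)), boto3.client("ec2"))}


# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id-0001",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    ec2 = RecordingEC2(volumes=["vol-0a", "vol-0b"])
    print(execute_plan(build_response_plan(parse_finding(SAMPLE_EVENT)), ec2))
    for call in ec2.calls:
        print(call)
```

The Lambda role needs only `ec2:CreateTags`, `ec2:ModifyInstanceAttribute`, `ec2:DescribeInstances` and `ec2:CreateSnapshot`; the threshold keeps Low/Medium findings as notifications only, which is the usual way to avoid auto-isolating on noise.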
🐝 Amazon Macie
- S3 data classification using ML: PII, PHI, financial
- Finding types: SensitiveData and Policy findings
- Inventory: S3 bucket security posture overview
- Multi-account: Organizations delegated admin
- Does NOT automatically delete or block data
- Wire automation via EventBridge → Lambda for action
GuardDuty Finding Types — Know These Cold
| Finding Prefix | Resource | Example |
|---|---|---|
| CryptoCurrency:EC2 | EC2 | BitcoinTool — EC2 querying crypto mining C&C domains |
| UnauthorizedAccess:EC2 | EC2 | TorClient, SSHBruteForce, MaliciousIPCaller |
| Recon:EC2 | EC2 | PortProbeUnprotectedPort — port scanning detected |
| UnauthorizedAccess:IAMUser | IAM | MaliciousIPCaller — IAM creds used from bad IP |
| Policy:S3 | S3 | BucketPublicAccessGranted, BlockPublicAccessDisabled |
| Exfiltration:S3 | S3 | AnomalousBehavior — unusual large data transfer |
Security Logging & Monitoring
Design centralized logging architectures, monitor for anomalies, and build complete audit trails. Master the difference between Config (what changed) and CloudTrail (who changed it), and know when to use each log source.
Logging & Monitoring — CloudTrail, Config, CloudWatch
Audit trails · Compliance detection · Anomaly alerting · Log centralization
📋 AWS CloudTrail
- Records API calls: who, what, when, from where
- Management events: free (CreateBucket, RunInstances)
- Data events: paid (S3 GetObject, Lambda Invoke)
- Organization trail: covers all accounts + all regions
- Log file integrity: SHA-256 + RSA-signed digest files
- CloudTrail Insights: detects unusual API call volume
- CloudTrail Lake: managed SQL query lake, 7-yr retention
📊 AWS Config
- Tracks resource configuration changes over time
- Config records WHAT changed — CloudTrail records WHO
- Config rules: evaluate compliance (managed + custom Lambda)
- Conformance packs: bundles of rules (CIS, HIPAA, NIST)
- Auto-remediation: SSM Automation documents
- Organization Config: deploy rules across all accounts
- Key rule: `restricted-ssh` → port 22 open to 0.0.0.0/0 = NON_COMPLIANT
📈 CloudWatch Monitoring
- Metric filters: extract metrics from log events
- CloudWatch Alarms: ONE notification per state transition
- Log Insights: interactive query language for ad-hoc analysis
- Anomaly Detection: ML-based baseline on metrics
- Subscription filters: stream logs to Kinesis/Lambda real-time
- Alert pattern: CT → CW Logs → Metric Filter → Alarm → SNS
🌊 VPC Flow Logs & Route 53
- VPC Flow Logs: IP metadata (IPs, ports, bytes, ACCEPT/REJECT)
- NOT packet payload — use Traffic Mirroring for packets
- Requires IAM role with trust: vpc-flow-logs.amazonaws.com
- Route 53 query logs: DNS queries from VPC resources
- Use R53 query logs to detect DNS tunneling and C&C comms
- S3 access logs: per-request S3 API operation logging
⚡ Amazon EventBridge
- Event-driven automation for security responses
- Match events from GuardDuty, Config, Macie, Inspector
- Targets: Lambda, SNS, SQS, Step Functions, SSM
- Cross-account event bus: centralize events in security account
- Schedule: cron-based compliance checks
- SIEM: CT → CW Logs → Subscription Filter → Kinesis → SIEM
🔍 Log Analysis — Athena
- Athena + S3: serverless SQL queries on CloudTrail, Flow Logs
- Partition by account/region/date: reduces scan cost
- CloudTrail Lake: no S3/Athena setup; built-in SQL; 7-year
- Use Lake Formation for centralized access control on log data
- S3+Athena: more flexible, custom partitions, lower cost
- Prevent CT disable (SCP): deny StopLogging + DeleteTrail
| Log Source | Captures | Best For |
|---|---|---|
| CloudTrail Mgmt | API calls: who/when/what | Audit, insider threat, compliance |
| CloudTrail Data | S3/Lambda object-level ops | Who accessed specific S3 objects |
| CloudTrail Insights | Unusual API call volumes | Anomalous CreateUser spikes |
| VPC Flow Logs | IP meta (no payload) | Network anomalies, ACCEPT/REJECT |
| Route 53 Query Logs | DNS queries from VPC | DNS tunneling, C&C detection |
| AWS Config | Resource config state changes | What changed before/after |
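The CT → CW Logs → Metric Filter → Alarm chain, run locally over constructed CloudTrail records as an added example (not from this guide or from AWS). The four filters mirror the CIS-benchmark style checks (root usage, unauthorized calls, CloudTrail changes, console login without MFA); thresholds, user names and record contents are constructed.

```python
"""Added example: CloudTrail metric-filter detections and alarm states, evaluated
offline over constructed log lines."""
import json
from collections import Counter

# Each filter is a predicate over one CloudTrail record (a dict).
METRIC_FILTERS = {
    # Root-user API activity that was not made on its behalf by an AWS service
    "RootUsage": lambda r: r.get("userIdentity", {}).get("type") == "Root"
                           and "invokedBy" not in r.get("userIdentity", {}),
    "UnauthorizedAPICalls": lambda r: r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"),
    "CloudTrailChanges": lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
                                   and r.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail"),
    "ConsoleLoginWithoutMFA": lambda r: r.get("eventName") == "ConsoleLogin"
                                        and r.get("additionalEventData", {}).get("MFAUsed") == "No",
}

# Alarm threshold per evaluation period; constructed values for the demo.
ALARM_THRESHOLDS = {"RootUsage": 1, "UnauthorizedAPICalls": 5,
                    "CloudTrailChanges": 1, "ConsoleLoginWithoutMFA": 1}


def parse_log_lines(lines):
    """CloudTrail files carry {"Records": [...]}; CloudWatch Logs sees one record per
    event. Accept either shape and skip lines that are not JSON."""
    records = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        records.extend(obj["Records"] if "Records" in obj else [obj])
    return records


def apply_metric_filters(records):
    """One count per filter, like metric filters publishing a metric per match."""
    counts = Counter({name: 0 for name in METRIC_FILTERS})
    for rec in records:
        for name, pred in METRIC_FILTERS.items():
            if pred(rec):
                counts[name] += 1
    return dict(counts)


def alarm_states(counts, thresholds=ALARM_THRESHOLDS):
    """ALARM when count >= threshold, else OK. A real alarm notifies once per state
    transition; this returns the state for one period."""
    return {name: ("ALARM" if counts.get(name, 0) >= thr else "OK")
            for name, thr in thresholds.items()}


# Constructed sample log lines (no real accounts, users or IPs).
SAMPLE_LOG_LINES = [
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "example-user"}}),
    json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "errorCode": "UnauthorizedOperation", "userIdentity": {"type": "IAMUser"}}),
    json.dumps({"Records": [
        {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
         "errorCode": "AccessDenied", "userIdentity": {"type": "AssumedRole"}},
        {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
         "userIdentity": {"type": "Root", "invokedBy": "organizations.amazonaws.com"}},
    ]}),
    "not json: skipped",
]


def run_detection(lines=SAMPLE_LOG_LINES):
    counts = apply_metric_filters(parse_log_lines(lines))
    return counts, alarm_states(counts)


if __name__ == "__main__":
    counts, states = run_detection()
    for name in METRIC_FILTERS:
        print(f"{name:24} count={counts[name]} state={states[name]}")
```

The `invokedBy` exclusion on root usage matters: service-initiated calls under the root identity would otherwise page the on-call for nothing, which is the kind of false positive suppression rules exist for.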
Infrastructure Security
Design and implement secure network architectures across the full stack. The largest domain — covers WAF, Shield, Network Firewall, Firewall Manager, Security Groups, NACLs, Systems Manager, and VPC endpoint security.
Infrastructure Security — WAF, NF, SG, NACL, SSM
Edge protection · Network controls · Compute security · Secure access
🌐 AWS WAF
- Layer 7 HTTP/HTTPS for ALB, CloudFront, API GW, AppSync
- Web ACL rules evaluated top-down; lower priority number = evaluated first
- Managed rule groups: SQLi, XSS, OWASP Top 10, Log4j
- Rate-based: block IPs > threshold/5 min; min 100 req
- Geo match: block/allow by country for compliance
- Bot Control: managed rule group for bot detection
- An Allow rule placed before a managed rule group lets known-good traffic bypass the group's false positives
🛡️ AWS Shield
- Shield Standard: free, automatic L3/L4 DDoS for all
- Shield Advanced: $3K/month/org — L7 + WAF + DRT
- L7 DDoS: requires WAF Web ACL associated + auto L7 mitigation
- DRT (DDoS Response Team): 24/7 proactive engagement
- Automatic WAF rule creation during active attacks
- DDoS cost protection for scaling during attack
🔥 AWS Network Firewall
- VPC-level L3-L7 firewall with Suricata IPS/IDS engine
- Stateless: fast per-packet L3/L4 (processed first)
- Stateful: connection-tracked; domain filter via SNI (no decrypt)
- Domain lists: block *.badsite.com via HTTPS SNI inspection
- TLS inspection: decrypt-inspect-re-encrypt with ACM Private CA
- Firewall Manager: deploy NF org-wide automatically
🧱 SG vs NACL — Critical Differences
- SG: stateful, ENI-level, allow-only, SG-to-SG references
- NACL: stateless, subnet-level, allow+deny rules
- NACL lowest rule number wins — first match stops evaluation
- NACL MUST allow ephemeral ports 1024-65535 outbound
- NACL evaluated FIRST; if NACL denies, SG never reached
- Default NACL: allow all. Custom NACL: deny all by default
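A small NACL evaluator, added here as an example (not from the guide), that shows the three rules above in code: lowest rule number wins, a custom NACL ends in an implicit deny, and because NACLs are stateless the HTTPS reply on the client's ephemeral port needs its own outbound allow. Rule sets and addresses are constructed.

```python
"""Added example: stateless NACL evaluation and the ephemeral-port return-traffic rule."""
import ipaddress

# A rule: (number, protocol, cidr, (port_lo, port_hi), "ALLOW"|"DENY").
# 32767 stands for the implicit final DENY ("*") present in every NACL.
IMPLICIT_DENY = (32767, "DENY")


def evaluate(rules, ip, port, proto):
    """First match in ascending rule-number order decides; later rules are never read."""
    for number, rproto, cidr, (lo, hi), action in sorted(rules, key=lambda r: r[0]):
        if rproto not in ("all", proto):
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(cidr) or not (lo <= port <= hi):
            continue
        return number, action
    return IMPLICIT_DENY


def https_round_trip(inbound, outbound, client_ip, ephemeral_port=49152):
    """Stateless check: the request arrives on 443, the reply leaves towards the
    client's ephemeral port. Both legs must be ALLOWed or the connection hangs."""
    req = evaluate(inbound, client_ip, 443, "tcp")
    reply = evaluate(outbound, client_ip, ephemeral_port, "tcp")
    return {"request": req, "reply": reply,
            "works": req[1] == "ALLOW" and reply[1] == "ALLOW"}


# Constructed NACL for a public web subnet.
INBOUND = [
    (100, "tcp", "0.0.0.0/0", (443, 443), "ALLOW"),
    (110, "tcp", "0.0.0.0/0", (1024, 65535), "ALLOW"),   # returns for the subnet's own outbound calls
    (90,  "tcp", "203.0.113.0/24", (443, 443), "DENY"),   # blocked range; lower number, so it wins
]
OUTBOUND_MISSING_EPHEMERAL = [(100, "tcp", "0.0.0.0/0", (443, 443), "ALLOW")]
OUTBOUND_CORRECT = OUTBOUND_MISSING_EPHEMERAL + [(110, "tcp", "0.0.0.0/0", (1024, 65535), "ALLOW")]

if __name__ == "__main__":
    print(https_round_trip(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.7"))  # reply hits implicit deny
    print(https_round_trip(INBOUND, OUTBOUND_CORRECT, "198.51.100.7"))            # works
    print(https_round_trip(INBOUND, OUTBOUND_CORRECT, "203.0.113.9"))             # request denied by rule 90
```

A security group would have passed the reply automatically because it tracks the connection; that is the whole difference the exam keeps asking about.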
💻 AWS Systems Manager
- Session Manager: browser shell, no port 22/3389 needed
- Full command audit to CloudWatch Logs and/or S3
- VPC endpoints required: ssm + ssmmessages + ec2messages
- Patch Manager: automated patching, compliance reports
- Run Command: run scripts on fleets without SSH
- SSM Agent + AmazonSSMManagedInstanceCore required
🏗️ VPC Endpoints & PrivateLink
- Gateway endpoints: S3 and DynamoDB — free, route table entry
- Interface endpoints: 100+ services — ENI, private DNS, $0.01/hr
- Endpoint policy: IAM resource policy on endpoint
- aws:ResourceOrgID: prevents S3 exfil to external buckets
- PrivateLink: NLB-backed service, no CIDR overlap issues
- Firewall Manager: WAF+Shield+SG+NF+DNS Firewall org-wide
| Control | Layer | Stateful | Scope | Key Feature |
|---|---|---|---|---|
| Security Group | L4 | Yes | ENI | Allow-only; SG-to-SG refs |
| NACL | L3/4 | No | Subnet | Allow+Deny; rule number order |
| Network Firewall | L3-7 | Both | VPC | Suricata IPS; domain filter; TLS inspect |
| WAF | L7 | Yes | ALB/CF | HTTP; managed rules; rate-based |
| Shield Advanced | L3-7 | Yes | Account | DDoS+DRT+cost protection |
| Firewall Manager | All | Both | Org | Central mgmt; auto-covers new accounts |
Identity & Access Management
Design least-privilege IAM policies, implement federation and SSO, secure cross-account access with ExternalId, and use Organizations SCPs to establish preventive guardrails. Know the five policy types and how they interact.
IAM — Policies, SCPs, Federation, Cross-Account
Least privilege · Permission boundaries · SCPs · ABAC · Federation
📜 Five IAM Policy Types
- Identity-based: grants permissions to user/group/role
- Resource-based: S3 bucket policy, KMS key policy, Lambda
- Permission boundaries: MAX cap on a specific user/role
- SCPs: org-level MAX ceiling — does NOT grant permissions
- Session policies: restricts session at AssumeRole time
- Effective = intersection of all applicable; explicit deny always wins
🏢 SCPs & Organizations
- SCPs set MAX permissions — never grant permissions
- SCP Deny overrides even AdministratorAccess IAM policy
- Management account is EXEMPT from SCPs
- Inherited from parent OU; effective = intersection of SCP hierarchy
- Prevent root API: SCP deny *:* when PrincipalType = Root
- FullAWSAccess SCP must be attached for any access to work
🔄 Cross-Account Access
- IAM role with trust policy allowing cross-account AssumeRole
- ExternalId: prevents confused deputy in third-party roles
- Cross-account S3: BOTH bucket policy AND IAM policy required
- DynamoDB: no resource-based policy → must use role chaining
- RAM: share resources (VPC subnets, Route 53 resolvers) across accounts
- AssumeRoleWithWebIdentity: OIDC federation (Cognito, Google)
🏷️ ABAC — Attribute-Based Access Control
- Tag resources and IAM principals with matching tags
- Condition: `aws:ResourceTag/Team = ${aws:PrincipalTag/Team}`
- Scales better than RBAC for large dynamic environments
- One policy controls access to all matching-tagged resources
- Requires consistent tagging strategy across entire org
- Works with IAM roles and resource-based policies
🔐 IAM Identity Center (SSO)
- Recommended for enterprise multi-account SSO
- Permission sets: define access level, deploy to many accounts
- SCIM: auto-provision users from Azure AD, Okta
- Supports SAML 2.0 and OIDC identity sources
- Organizations integration: automatic account discovery
- Use over manual SAML federation for 50+ accounts
🎯 IAM Key Patterns
- Enforce MFA: Deny when `aws:MultiFactorAuthPresent = false`
- Revoke sessions: inline Deny with `aws:TokenIssueTime < now`
- Generate least-privilege policy: Access Analyzer (90-day CloudTrail)
- Cognito Identity Pools: `${cognito-identity.amazonaws.com:sub}` for per-user S3
- Policy eval order: Explicit Deny → SCP → Resource → Identity → Boundary → Session
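The IAM key patterns (MFA deny, `aws:TokenIssueTime` revoke, ABAC), the SCP rules from the Organizations card, and the CloudTrail-protecting SCP from the logging section (deny StopLogging + DeleteTrail), all as policy documents fed to a small evaluator. This is an added example, not the guide's content and not IAM's real engine: it models only the four condition operators these patterns use, and the account id, ARNs and timestamps are constructed.

```python
"""Added example: IAM/SCP policy patterns plus a minimal evaluator implementing
explicit-deny-wins, the SCP ceiling and the identity-Allow requirement."""
import fnmatch
import re
from datetime import datetime


def mfa_required_policy():
    # BoolIfExists so requests carrying no MFA key at all are also denied
    return {"Version": "2012-10-17", "Statement": [{"Sid": "DenyWithoutMFA", "Effect": "Deny",
            "Action": "*", "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def revoke_sessions_policy(cutoff):
    # Inline Deny on the role: sessions issued before `cutoff` (the revocation time) die
    return {"Version": "2012-10-17", "Statement": [{"Sid": "RevokeOlderSessions", "Effect": "Deny",
            "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}


def abac_team_policy():
    # One Allow that follows tags: principal's Team tag must equal the resource's Team tag
    return {"Version": "2012-10-17", "Statement": [{"Sid": "TeamABAC", "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"}}}]}


def protect_cloudtrail_scp():
    return {"Version": "2012-10-17", "Statement": [{"Sid": "DenyTrailTamper", "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}]}


FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ADMIN_POLICY = FULL_AWS_ACCESS_SCP  # same document shape as AdministratorAccess


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _subst(value, ctx):
    # ${aws:PrincipalTag/Team} style policy variables resolve from the request context
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), value)


def _condition_holds(cond, ctx):
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [_subst(v, ctx) for v in _as_list(expected)]
            if op == "StringEquals":
                ok = actual is not None and str(actual) in wanted
            elif op == "Bool":
                ok = actual is not None and str(actual).lower() in [w.lower() for w in wanted]
            elif op == "BoolIfExists":   # absent key => condition treated as true
                ok = actual is None or str(actual).lower() in [w.lower() for w in wanted]
            elif op == "DateLessThan":
                ok = actual is not None and datetime.strptime(actual, fmt) < datetime.strptime(wanted[0], fmt)
            else:
                raise ValueError(f"operator {op} not modelled in this example")
            if not ok:
                return False
    return True


def _applies(stmt, ctx):
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(ctx, identity_policies, scps=(FULL_AWS_ACCESS_SCP,)):
    """Return "ALLOW" or "DENY": an explicit Deny in an SCP or identity policy wins;
    then the SCP ceiling must contain an Allow; then an identity Allow is required."""
    def effects(policies):
        return {s["Effect"] for p in policies for s in p["Statement"] if _applies(s, ctx)}
    scp, idp = effects(scps), effects(identity_policies)
    if "Deny" in scp or "Deny" in idp:
        return "DENY"
    if "Allow" not in scp:
        return "DENY"          # SCPs cap permissions; without FullAWSAccess nothing works
    return "ALLOW" if "Allow" in idp else "DENY"


# Constructed request context (the keys IAM would populate for this call).
BASE = {"action": "ec2:StartInstances",
        "resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example",
        "aws:PrincipalTag/Team": "blue", "aws:ResourceTag/Team": "blue",
        "aws:MultiFactorAuthPresent": "true", "aws:TokenIssueTime": "2024-06-02T00:00:00Z"}

if __name__ == "__main__":
    policies = [ADMIN_POLICY, mfa_required_policy(), revoke_sessions_policy("2024-06-01T00:00:00Z")]
    print(evaluate(BASE, policies))                                                     # ALLOW
    print(evaluate({**BASE, "aws:MultiFactorAuthPresent": "false"}, policies))          # DENY
    print(evaluate({**BASE, "aws:TokenIssueTime": "2024-05-01T00:00:00Z"}, policies))   # DENY
    print(evaluate({**BASE, "action": "cloudtrail:StopLogging"}, [ADMIN_POLICY],
                   scps=(FULL_AWS_ACCESS_SCP, protect_cloudtrail_scp())))               # DENY
    print(evaluate({**BASE, "aws:ResourceTag/Team": "red"}, [abac_team_policy()]))      # DENY
```

The production MFA policy from the AWS docs adds a `NotAction` list so a user can still enrol a device; it is left out here to keep the evaluator to `Action` matching.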
Data Protection
Implement encryption at rest and in transit. Master KMS key policies, envelope encryption, S3 Object Lock, and the critical difference between SSE types. Know how to encrypt existing resources and prevent data exfiltration.
Data Protection — KMS, S3 Security, Secrets Manager
Encryption at rest · Key management · S3 WORM · Secrets rotation
🔑 AWS KMS
- Key policy is PRIMARY access control — IAM alone insufficient
- Envelope encryption: DEK encrypts data; CMK encrypts DEK
- Data never flows through KMS (4KB API limit)
- Multi-Region keys: same key material, different ARNs per region
- Deletion window: 7-30 days; cancel to recover; after = permanent loss
- SSE-KMS: CloudTrail logs GenerateDataKey + Decrypt per object
🏦 AWS CloudHSM
- FIPS 140-2 Level 3 (KMS is Level 2)
- Customer has SOLE control — AWS cannot access keys
- Use for: PKI, PKCS#11/JCE, custom crypto, key ceremonies
- Custom Key Store: use CloudHSM as backend for KMS CMKs
- HA: deploy 2+ HSMs across AZs
- More complex and expensive than KMS — use only when required
📦 S3 Encryption Types
- SSE-S3: AWS-managed keys (AES-256); free; default since Jan 2023
- SSE-KMS: customer CMK; full CloudTrail audit; $cost per op
- DSSE-KMS: dual-layer with KMS; two API calls per object
- SSE-C: customer provides key in each HTTPS request; AWS never stores it
- Enforce SSE-KMS: bucket policy Deny PutObject when `s3:x-amz-server-side-encryption != aws:kms`
- Enforce HTTPS: bucket policy Deny when `aws:SecureTransport = false`
🔒 S3 Security Controls
- Block Public Access: account-level overrides ALL policies + ACLs
- Object Lock Compliance: truly immutable WORM; nobody can delete/shorten
- Object Lock Governance: bypassable with `s3:BypassGovernanceRetention`
- MFA Delete: extra MFA step to delete versions
- VPC Endpoint + `aws:ResourceOrgID`: blocks exfil to external buckets
- Compliance mode for SEC 17a-4, FINRA, HIPAA requirements
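A posture check for the S3 controls on these two cards (customer-key SSE-KMS as the bucket default, all four Block Public Access settings, Object Lock in Compliance mode), written the way a custom Config rule or audit Lambda would be. Added example, not from the guide: the checks are pure functions over the real `get_bucket_encryption`, `get_public_access_block` and `get_object_lock_configuration` response shapes, boto3 is imported only in the live variant, and the bucket names, key ARN and 730-day retention are constructed.

```python
"""Added example: Config-style S3 bucket posture evaluation over API response shapes."""


def check_encryption(enc_config):
    """enc_config: get_bucket_encryption response, or None when no default encryption."""
    rules = (enc_config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return "COMPLIANT", "default SSE-KMS with a customer-managed key"
        if default.get("SSEAlgorithm") == "aws:kms":
            return "NON_COMPLIANT", "SSE-KMS without KMSMasterKeyID uses the AWS-managed aws/s3 key"
    return "NON_COMPLIANT", "no SSE-KMS default (SSE-S3 or unset)"


def check_public_access_block(pab):
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    off = [f for f in flags if not cfg.get(f, False)]
    if not off:
        return "COMPLIANT", "all four Block Public Access settings on"
    return "NON_COMPLIANT", "Block Public Access off for: " + ", ".join(off)


def check_object_lock(lock, min_days):
    cfg = (lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return "NON_COMPLIANT", "Object Lock not enabled"
    ret = cfg.get("Rule", {}).get("DefaultRetention", {})
    days = ret.get("Days", ret.get("Years", 0) * 365)
    if ret.get("Mode") != "COMPLIANCE":
        return "NON_COMPLIANT", f"retention mode is {ret.get('Mode', 'none')}; Governance is bypassable"
    if days < min_days:
        return "NON_COMPLIANT", f"default retention {days} days is below {min_days}"
    return "COMPLIANT", f"Compliance-mode WORM, {days} days"


def evaluate_bucket(name, enc, pab, lock, min_days=730):
    """Config-style result: overall compliance plus one annotation per check."""
    results = {"Encryption": check_encryption(enc),
               "BlockPublicAccess": check_public_access_block(pab),
               "ObjectLock": check_object_lock(lock, min_days)}
    overall = "COMPLIANT" if all(r[0] == "COMPLIANT" for r in results.values()) else "NON_COMPLIANT"
    return {"bucket": name, "compliance": overall,
            "annotations": {k: f"{v[0]}: {v[1]}" for k, v in results.items()}}


def fetch_and_evaluate(name, min_days=730):
    """Live variant: each getter raises ClientError when the configuration is absent,
    which the checks treat as None."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def get(fn):
        try:
            return fn(Bucket=name)
        except ClientError:
            return None
    return evaluate_bucket(name, get(s3.get_bucket_encryption), get(s3.get_public_access_block),
                           get(s3.get_object_lock_configuration), min_days)


# Constructed API responses for two buckets (key ARN and account id are placeholders).
GOOD = dict(
    enc={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        "BucketKeyEnabled": True}]}},
    pab={"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 730}}}},
)
WEAK = dict(
    enc={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]}},
    pab={"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                      "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
)

if __name__ == "__main__":
    for name, cfg in (("audit-archive-example", GOOD), ("team-uploads-example", WEAK)):
        print(evaluate_bucket(name, **cfg))
```

Default encryption only covers objects written without an explicit header; pair it with the Deny-unless-`aws:kms` bucket policy above so a client cannot downgrade a single upload.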
🔐 Secrets Manager
- Auto-rotation: native support for RDS, Redshift, DocumentDB
- Custom rotation: Lambda function sets credential + updates secret
- Lambda needs VPC endpoint if DB is in private subnet
- Cross-account access via resource-based policy on secret
- vs Parameter Store: Secrets Manager has rotation; Store is cheaper/simpler
- Always use Secrets Manager for anything requiring rotation
🔑 Encrypt Existing Resources
- RDS: snapshot → copy with KMS encryption → restore new instance
- EBS: snapshot → copy with KMS encryption → create new volume
- Cannot encrypt existing RDS/EBS in-place — snapshot copy only
- ACM certificates: free for ALB/CF/API GW; cannot be exported
- ACM Private CA: internal certs for Network Firewall TLS inspect
- MACsec: L2 AES-256-GCM on Direct Connect dedicated connections
Management & Security Governance
Implement org-wide security governance using Control Tower, Config conformance packs, IAM Access Analyzer, AWS Artifact, and Trusted Advisor. Understand the shared responsibility model and Well-Architected Security Pillar principles.
Security Governance — Control Tower, Artifact, Access Analyzer
Landing zones · Compliance frameworks · Automated governance
🏗️ AWS Control Tower
- Landing zone: governed multi-account environment
- Preventive guardrails: SCPs that block prohibited actions
- Detective guardrails: Config rules that detect violations
- Account Factory: automated governed account provisioning
- Built-in: Audit account + Log Archive account
- New accounts auto-inherit all OU guardrails
📑 AWS Artifact
- On-demand compliance reports: SOC 1/2/3, PCI DSS AOC
- ISO 27001, FedRAMP, HIPAA eligibility documentation
- Agreements: BAA for HIPAA, GDPR DPA
- Free — no AWS Support needed
- Used by auditors as AWS infrastructure audit evidence
- Artifact Agreements: accept agreements org-wide
🔍 IAM Access Analyzer
- External access: resources accessible outside zone of trust
- Analyzes: S3, IAM roles, KMS, Lambda, SQS, Secrets Manager
- Unused access: over-provisioned roles/keys in 90-180d lookback
- Generate Policy: creates minimal policy from CloudTrail usage
- Policy Validation: errors/warnings before applying policies
- Archive rules: suppress known-good findings
✅ AWS Trusted Advisor
- Core security checks free: exposed SGs, public S3, MFA on root
- Full suite requires Business/Enterprise support
- Exposed access key checks: detects keys in public code
- EventBridge integration: automate responses to check changes
- EventBridge → Lambda → disable exposed key + notify team
📐 Security Well-Architected Pillar
- 7 design principles: strong identity, traceability, all-layers security
- Automate best practices; protect data in transit and at rest
- Prepare for security events; keep people away from data
- 5 areas: IAM, Detection, Infrastructure, Data Protection, Incident Response
- Shared Responsibility: AWS secures OF the cloud; customer secures IN
- Fargate: AWS manages host OS; customer manages container image + task IAM
📏 Governance Patterns
- Security services org-wide: delegated admin + auto-enable
- PCI compliance: download Attestation of Compliance from Artifact
- Service whitelist: SCP deny prohibited services across org
- 2-year audit trail: CloudTrail + Config + S3 Object Lock WORM
- Config conformance packs: CIS/PCI/HIPAA/NIST bundles
- Detect external sharing: Access Analyzer org zone of trust
SCS-C02 Mock Exam
100 scenario-based questions · Select your answer · Click 💡 Explain on any question to read the rationale