AWS Certified Security Specialty Interactive Course

AWS best practices for incident response

Cloud incidents

Roles and responsibilities in the incident response plan

AWS Security Finding Format

Implementing credential invalidation and rotation strategies in response to compromises

Isolating AWS resources

Designing and implementing playbooks and runbooks for responses to security incidents

Deploying security services

Configuring integrations with native AWS services and third-party services

AWS managed security services that detect threats

Anomaly and correlation techniques to join data across services

Visualizations to identify anomalies

Strategies to centralize security findings

Evaluating findings from security services

Searching and correlating security threats across AWS services

Performing queries to validate security events

Creating metric filters and dashboards to detect anomalous activity

AWS Security Incident Response Guide

Resource isolation mechanisms

Techniques for root cause analysis

Data capture mechanisms

Log analysis for event validation

Responding to compromised resources

Automating remediation by using AWS services

Investigating and analyzing to conduct root cause analysis

Capturing relevant forensics data from a compromised resource

Querying logs in Amazon S3 for contextual information related to security events

Protecting and preserving forensic artifacts

Preparing services for incidents and recovering services after incidents

AWS services that monitor events and provide alarms

AWS services that automate alerting

Tools that monitor metrics and baselines

Analyzing architectures to identify monitoring requirements and sources of data for security monitoring

Analyzing environments and workloads to determine monitoring requirements

Designing environment monitoring and workload monitoring based on business and security requirements

Setting up automated tools and scripts to perform regular audits

Defining the metrics and thresholds that generate alerts

Configuration of monitoring services

Relevant data that indicates security events

Analyzing the service functionality, permissions, and configuration of resources after an event that did not provide visibility or alerting

Analyzing and remediating the configuration of a custom application that is not reporting its statistics

Evaluating logging and monitoring services for alignment with security requirements

AWS services and features that provide logging capabilities

Attributes of logging capabilities

Log destinations and lifecycle management

Configuring logging for services and applications

Identifying logging requirements and sources for log ingestion

Implementing log storage and lifecycle management according to AWS best practices and organizational requirements

Capabilities and use cases of AWS services that provide data sources

AWS services and features that provide logging capabilities

Access permissions that are necessary for logging

Identifying misconfiguration and determining remediation steps for absent access permissions that are necessary for logging

Determining the cause of missing logs and performing remediation steps

Services and tools to analyze captured logs

Log analysis features of AWS services

Log format and components

Identifying patterns in logs to indicate anomalies and known threats

Normalizing, parsing, and correlating logs

Security features on edge services

Common attacks, threats, and exploits

Layered web application architecture

Defining edge security strategies for common use cases

Selecting appropriate edge services based on anticipated threats and attacks

Selecting appropriate protections based on anticipated vulnerabilities and risks

Defining layers of defense by combining edge security services

Applying restrictions at the edge based on various criteria

Activating logs, metrics, and monitoring around edge services to indicate attacks

VPC security mechanisms

Inter-VPC connectivity

Security telemetry sources

VPN technology, terminology, and usage

On-premises connectivity options

Implementing network segmentation based on security requirements

Designing network controls to permit or prevent network traffic as required

Designing network flows to keep data off the public internet

Determining which telemetry sources to monitor based on network design, threats, and attacks

Determining redundancy and security workload requirements for communication between on-premises environments and the AWS Cloud

Identifying and removing unnecessary network access

Managing network configurations as requirements change

Provisioning and maintenance of EC2 instances

IAM instance roles and IAM service roles

Services that scan for vulnerabilities in compute workloads

Host-based security

Creating hardened EC2 AMIs

Applying instance roles and service roles as appropriate to authorize compute workloads

Scanning EC2 instances and container images for known vulnerabilities

Applying patches across a fleet of EC2 instances or container images

Activating host-based security mechanisms

Analyzing Amazon Inspector findings and determining appropriate mitigation techniques

Passing secrets and credentials securely to compute workloads

How to analyze reachability

Fundamental TCP/IP networking concepts

How to read relevant log sources

Identifying, interpreting, and prioritizing problems in network connectivity

Determining solutions to produce desired network behavior

Analyzing log sources to identify problems

Capturing traffic samples for problem analysis

Methods and services for creating and managing identities

Long-term and temporary credentialing mechanisms

How to troubleshoot authentication issues

Establishing identity through an authentication system, based on requirements

Setting up multi-factor authentication

Determining when to use AWS Security Token Service to issue temporary credentials

Different IAM policies

Components and impact of a policy

How to troubleshoot authorization issues

Constructing attribute-based access control and role-based access control strategies

Evaluating IAM policy types for given requirements and workloads

Interpreting an IAM policy’s effect on environments and workloads

Applying the principle of least privilege across an environment

Enforcing proper separation of duties

Investigating unintended permissions, authorization, or privileges granted to a resource, service, or entity

Analyzing access or authorization errors to determine cause or effect

TLS concepts

VPN concepts

Secure remote access methods

Systems Manager Session Manager concepts

How TLS certificates work with various network services and resources

Designing secure connectivity between AWS and on-premises networks

Designing mechanisms to require encryption when connecting to resources

Requiring TLS for AWS API calls

Designing mechanisms to forward traffic over secure connections

Designing cross-Region networking by using private VIFs and public VIFs

Encryption technique selection

Integrity-checking techniques

Resource policies

IAM roles and policies

Designing resource policies to restrict access to authorized users

Designing mechanisms to prevent unauthorized public access

Configuring services to activate encryption of data at rest

Designing mechanisms to protect data integrity by preventing modifications

Designing encryption at rest by using AWS CloudHSM for relational databases

Choosing encryption techniques based on business requirements

Lifecycle policies

Data retention standards

Designing S3 Lifecycle mechanisms to retain data for required retention periods

Designing automatic lifecycle management for AWS services and resources

Establishing schedules and retention for AWS Backup across AWS services

Secrets Manager

Systems Manager Parameter Store

Usage and management of symmetric keys and asymmetric keys

Designing management and rotation of secrets for workloads

Designing KMS key policies to limit key usage to authorized users

Establishing mechanisms to import and remove customer-provided key material

Multi-account strategies

Managed services that allow delegated administration

Policy-defined guardrails

Root account best practices

Cross-account roles

Deploying and configuring AWS Organizations

Determining when and how to deploy AWS Control Tower

Implementing SCPs as a technical solution to enforce a policy

Centrally managing security services and aggregating findings

Securing AWS account root user credentials

Deployment best practices with infrastructure as code

Best practices for tagging

Centralized management, deployment, and versioning of AWS services

Visibility and control over AWS infrastructure

Using CloudFormation to deploy cloud resources consistently and securely

Implementing and enforcing multi-account tagging strategies

Configuring and deploying portfolios of approved AWS services

Organizing AWS resources into different groups for management

Deploying Firewall Manager to enforce policies

Securely sharing resources across AWS accounts

Data classification by using AWS services

How to assess, audit, and evaluate the configurations of AWS resources

Identifying sensitive data by using Macie

Creating AWS Config rules for detection of noncompliant AWS resources

Collecting and organizing evidence by using Security Hub and AWS Audit Manager

AWS cost and usage for anomaly identification

Strategies to reduce attack surfaces

AWS Well-Architected Framework

Identifying anomalies based on resource utilization and trends

Identifying unused resources by using AWS services and tools

Using the AWS Well-Architected Tool to identify security gaps