AWS Certified Security:Specialty Exam Guide
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Domains assessed

In the exam, there are five domains that have been defined by AWS that you will be assessed against, each with a different percentage weighting level, as shown in the following table:

Attention must be paid to each domain to ensure you feel confident and comfortable with the topics, services, and features that may crop up in your exam. Let me break down these domains further to allow you to gain a deeper understanding of exactly what is tested within each domain.

Domain 1 – Incident response

This domain tests your understanding of how best to identify, respond to, and resolve AWS incidents across a range of services, and has been broken down into the following three elements:

  • 1.1: Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys: Here, you will be expected to know how to respond to such an incident and the steps required to remediate the issue and take the appropriate action, depending on the affected resource in question.
  • 1.2: Verify that the incident response plan includes the relevant AWS services: When an incident occurs within an AWS environment, you must be able to utilize the appropriate AWS resources to identify, isolate, and resolve the issue as quickly as possible, without affecting or hindering other AWS infrastructure and resources.
  • 1.3: Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues: Proactive monitoring and speed are two key elements when analyzing your infrastructure for potential issues, in addition to utilizing automated services. You must have a solid understanding of these features, and how they can assist you to spot a potential problem and help you to resolve the issue.

Being able to identity, verify, and remediate incidents as they occur within your environment allows you to effectively isolate your resources before the blast radius of the security incident travels deeper within your infrastructure.

Domain 2 – Logging and monitoring

This domain determines your ability to implement and troubleshoot solutions relating to logging, monitoring, and alerting. You will need to be able to deploy, operate, and troubleshoot solutions relating to these four components within your AWS infrastructure:

  • 2.1: Design and implement security monitoring and alerting: You must have full comprehension of the available monitoring and alerting services within AWS. In addition, you must also be aware of how these can be utilized and integrated to implement an effective solution for monitoring your infrastructure for security threats and vulnerabilities.
  • 2.2: Troubleshoot security monitoring and alerting: Implementing a monitoring and alerting system is one thing, but being able to resolve issues with the solution and design is another. You must be aware of how the architecture is coupled together and the prerequisites for specific AWS features.
  • 2.3: Design and implement a logging solution: Data held in logs generated from services and applications can provide a wealth of information to help you identify a potential security breach. Therefore, it's imperative that you have a sound awareness of how to implement a solution to capture and record log data.
  • 2.4: Troubleshoot logging solutions: Similar to 2.2, your knowledge of logging solutions has to go deeper than implementation; you have to understand the key components, concepts, and how components depend on one another to enable you to resolve any incidents.

You must understand the complexities and importance of monitoring and logging and how they can be used together as an effective security tool.

Domain 3 – Infrastructure security

The infrastructure security domain assesses your ability to architect security best practices across your AWS architecture, from an individual host, to your VPC, and then to the outer reaches of your edge infrastructure. This domain carries the highest percentage mark across your certification, so it's key that you understand all the concepts and components:

  • 3.1: Design edge security on AWS: A thorough understanding of Amazon CloudFront and its security capabilities and controls is a must, in addition to other edge services offered by AWS.
  • 3.2: Design and implement a secure network infrastructure: Here, you will be tested on your knowledge of Virtual Private Cloud (VPC) infrastructure, and how to architect an environment to meet different security needs using route tables, NACLs, bastion hosts, NAT gateways, IGWs, and security groups.
  • 3.3: Troubleshoot a secure network infrastructure: This follows on from point 3.2, which ensures that you have a deep level of security architecture, enabling you to quickly pinpoint the most likely cause of misconfiguration from a security perspective.
  • 3.4: Design and implement host-based security: This will focus on security controls that can be enabled and configured on individual hosts, such as your EC2 instances.

Implementing a VPC is one of the first elements you are likely to build within your AWS account. Understanding how to protect your VPC is key in maintaining a level of protection to the rest of your resources running within it.

Domain 4 – Identity and access management (IAM)

This domain will focus solely on everything access control-related regarding the IAM service and how to control access to your AWS resources. IAM must be understood inside out and it is essential that you have the knowledge and confidence to spot errors in IAM JSON policies:

  • 4.1: Design and implement a scalable authorization and authentication system to access AWS resources: I can't emphasize enough the importance of understanding IAM at a deep level. This point will test your knowledge of authentication and authorization mechanisms, from multi-factor authorization to implementing conditional-based IAM policies used for cross-account access.
  • 4.2: Troubleshoot an authorization and authentication system to access the AWS resources domain: Here, you will be required to demonstrate your ability to resolve complex permission-based issues with your AWS resources.

Access control is covered in detail within the exam, so you must be familiar with all things relating to access management, and specifically the IAM service. You need to be able to read access policies to determine the resulting access of that policy.

Domain 5 – Data protection

The last domain requires you to have a solid understanding and awareness of how data within AWS can be protected through an encryption mechanism, both at rest and in transit. You will be assessed on services relating to encryption, specifically the Key Management Service (KMS):

  • 5.1: Design and implement key management and use: This point requires you to demonstrate your knowledge when it comes to encryption using KMS. You must be aware of when, how, and why this service is used, and which services can benefit from the features it offers.
  • 5.2: Troubleshoot key management: Data encryption keys are a powerful tool to help protect your data, but you must understand how you can configure the permissions surrounding these keys and what to look for when troubleshooting issues relating to data encryption and customer master keys.
  • 5.3: Design and implement a data encryption solution for data at rest and data in transit: Here, you will be assessed on your understanding of encryption as a whole. You must demonstrate that you have the knowledge to encrypt data in any state using the correct configuration, depending on a set of requirements.

It is of no surprise that the security specialty will assess your understanding of encryption, which will be centered around two key services, AWS Key Management Service (KMS) and AWS CloudHSM. The KMS service integrates with many different AWS services to offer a level of encryption, so make sure that you are familiar with all the components of KMS.

上一章目录下一章