Domain 1: Incident Response

• Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
• Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation.
• Analyze logs relevant to a reported instance to verify a breach, and collect relevant data.
• Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons.
• Verify that the Incident Response plan includes relevant AWS services.
• Determine if changes to baseline security configuration have been made.
• Determine if list omits services, processes, or procedures which facilitate Incident Response.
• Recommend services, processes, procedures to remediate gaps.
• Evaluate the configuration of automated alerting, and execute possible remediation of security related incidents and emerging issues.
• Automate evaluation of conformance with rules for new/changed/removed resources.
• Apply rule-based alerts for common infrastructure misconfigurations.
• Review previous security incidents and recommend improvements to existing systems.

Domain 2: Logging and Monitoring

• Design and implement security monitoring and alerting.
• Analyze architecture and identify monitoring requirements and sources for monitoring statistics.
• Analyze architecture to determine which AWS services can be used to automate monitoring and alerting.
• Analyze the requirements for custom application monitoring, and determine how this could be achieved.
• Set up automated tools/scripts to perform regular audits.
• Troubleshoot security monitoring and alerting.
• Given an occurrence of a known event without the expected alerting, analyze the service
• functionality and configuration and remediate.
• Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate.
• Given a custom application which is not reporting its statistics, analyze the configuration and remediate.
• Review audit trails of system and user activity.
• Design and implement a logging solution.
• Analyze architecture and identify logging requirements and sources for log ingestion.
• Analyze requirements and implement durable and secure log storage according to AWS best practices.
• Analyze architecture to determine which AWS services can be used to automate log ingestion and analysis.
• Troubleshoot logging solutions.
• Given the absence of logs, determine the incorrect configuration and define remediation steps.
• Analyze logging access permissions to determine incorrect configuration and define remediation steps.
• Based on the security policy requirements, determine the correct log level, type, and sources.

Domain 3: Infrastructure Security

• Design edge security on AWS.
• For a given workload, assess and limit the attack surface.
• Reduce blast radius (e.g. by distributing applications across accounts and regions).
• Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront and Route 53 to protect against DDoS or filter application-level attacks.
• Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes.
• Test WAF rules to ensure they block malicious traffic.
• Design and implement a secure network infrastructure.
• Disable any unnecessary network ports and protocols.
• Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes.
• Given security requirements, decide on network segmentation (e.g. security groups and NACLs) that allow the minimum ingress/egress access required.
• Determine the use case for VPN or Direct Connect.
• Determine the use case for enabling VPC Flow Logs.
• Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation.
• Troubleshoot a secure network infrastructure.
• Determine where network traffic flow is being denied.
• Given a configuration, confirm security groups and NACLs have been implemented correctly.
• Design and implement host-based security.
• Given security requirements, install and configure host-based protections including Inspector, SSM.
• Decide when to use host-based firewall like iptables.
• Recommend methods for host hardening and monitoring.

Domain 4: Identity and Access Management

• Design and implement a scalable authorization and authentication system to access AWS resources.
• Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk.
• Given a description how an organization manages their AWS accounts, verify security of their root user.
• Given your organization’s compliance requirements, determine when to apply user policies and resource policies.
• Within an organization’s policy, determine when to federate a directory services to IAM.
• Design a scalable authorization model that includes users, groups, roles, and policies.
• Identify and restrict individual users of data and AWS resources.
• Review policies to establish that users/systems are restricted from performing functions beyond their responsibility, and also enforce proper separation of duties.
• Troubleshoot an authorization and authentication system to access AWS resources.
• Investigate a user’s inability to access S3 bucket contents.
• Investigate a user’s inability to switch roles to a different account.
• Investigate an Amazon EC2 instance’s inability to access a given AWS resource.

Domain 5: Data Protection

• Design and implement key management and use.
• Analyze a given scenario to determine an appropriate key management solution.
• Given a set of data protection requirements, evaluate key usage and recommend required changes.
• Determine and control the blast radius of a key compromise event and design a solution to contain the same.
• Troubleshoot key management.
• Break down the difference between a KMS key grant and IAM policy.
• Deduce the precedence given different conflicting policies for a given key.
• Determine when and how to revoke permissions for a user or service in the event of a compromise.
• Design and implement a data encryption solution for data at rest and data in transit.
• Given a set of data protection requirements, evaluate the security of the data at rest in a workload and recommend required changes.
• Verify policy on a key such that it can only be used by specific AWS services.
• Distinguish the compliance state of data through tag-based data classifications and automate remediation.
• Evaluate a number of transport encryption techniques and select the appropriate method (i.e. TLS, IPsec, client-side KMS encryption).