AWS Certified Security – Specialty Certification
AWS Certified Security – Specialty Exam
The AWS Certified Security – Specialty (SCS-C01) exam is intended for individuals who perform a security role. The exam validates a candidate’s ability to effectively demonstrate knowledge about securing the AWS platform.
The exam also validates whether a candidate has the following:
- An understanding of specialized data classifications and AWS data protection mechanisms
- An understanding of data-encryption methods and AWS mechanisms to implement them
- An understanding of secure internet protocols and AWS mechanisms to implement them
- A working knowledge of AWS security services and features of services to provide a secure production environment
- Competency from 2 or more years of production deployment experience in using AWS security services and features
- The ability to make tradeoff decisions with regard to cost, security, and deployment complexity to meet a set of application requirements
- An understanding of security operations and risks
To obtain the AWS Certified Security – Specialty certification, you must pass the following exam:
Preparation Courses:
- AWS Security Essentials
- Security Engineering on AWS
- Exam Readiness: AWS Certified Security – Specialty
Contact us now to receive all the details and to request, with no obligation, to speak directly with one of our instructors: CLICK HERE.
Or call us now on our toll-free number 800-177596.
FORMAT AND DURATION
AWS Certified Security – Specialty Exam: duration 170 minutes, approximately 65 questions.
The exam questions are written in English and come in several formats: multiple choice; text completion; Drag and Drop conceptual matching; and hands-on lab simulations.
We recommend attending the following courses:
AWS Certified Security – Specialty Exam – SCS-C01
Domain 1: Incident Response
- Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
- Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation.
- Analyze logs relevant to a reported instance to verify a breach, and collect relevant data.
- Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons.
- Verify that the Incident Response plan includes relevant AWS services.
- Determine if changes to baseline security configuration have been made.
- Determine if the list omits services, processes, or procedures which facilitate Incident Response.
- Recommend services, processes, procedures to remediate gaps.
- Evaluate the configuration of automated alerting, and execute possible remediation of security related incidents and emerging issues.
- Automate evaluation of conformance with rules for new/changed/removed resources.
- Apply rule-based alerts for common infrastructure misconfigurations.
- Review previous security incidents and recommend improvements to existing systems.
Domain 2: Logging and Monitoring
- Design and implement security monitoring and alerting.
- Analyze architecture and identify monitoring requirements and sources for monitoring statistics.
- Analyze architecture to determine which AWS services can be used to automate monitoring and alerting.
- Analyze the requirements for custom application monitoring, and determine how this could be achieved.
- Set up automated tools/scripts to perform regular audits.
- Troubleshoot security monitoring and alerting.
- Given an occurrence of a known event without the expected alerting, analyze the service functionality and configuration and remediate.
- Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate.
- Given a custom application which is not reporting its statistics, analyze the configuration and remediate.
- Review audit trails of system and user activity.
- Design and implement a logging solution.
- Analyze architecture and identify logging requirements and sources for log ingestion.
- Analyze requirements and implement durable and secure log storage according to AWS best practices.
- Analyze architecture to determine which AWS services can be used to automate log ingestion and analysis.
- Troubleshoot logging solutions.
- Given the absence of logs, determine the incorrect configuration and define remediation steps.
- Analyze logging access permissions to determine incorrect configuration and define remediation steps.
- Based on the security policy requirements, determine the correct log level, type, and sources.
Domain 3: Infrastructure Security
- Design edge security on AWS.
- For a given workload, assess and limit the attack surface.
- Reduce blast radius (e.g. by distributing applications across accounts and regions).
- Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront and Route 53 to protect against DDoS or filter application-level attacks.
- Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes.
- Test WAF rules to ensure they block malicious traffic.
- Design and implement a secure network infrastructure.
- Disable any unnecessary network ports and protocols.
- Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes.
- Given security requirements, decide on network segmentation (e.g. security groups and NACLs) that allow the minimum ingress/egress access required.
- Determine the use case for VPN or Direct Connect.
- Determine the use case for enabling VPC Flow Logs.
- Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation.
- Troubleshoot a secure network infrastructure.
- Determine where network traffic flow is being denied.
- Given a configuration, confirm security groups and NACLs have been implemented correctly.
- Design and implement host-based security.
- Given security requirements, install and configure host-based protections including Inspector, SSM.
- Decide when to use host-based firewall like iptables.
- Recommend methods for host hardening and monitoring.
Domain 4: Identity and Access Management
- Design and implement a scalable authorization and authentication system to access AWS resources.
- Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk.
- Given a description how an organization manages their AWS accounts, verify security of their root user.
- Given your organization’s compliance requirements, determine when to apply user policies and resource policies.
- Within an organization’s policy, determine when to federate a directory service to IAM.
- Design a scalable authorization model that includes users, groups, roles, and policies.
- Identify and restrict individual users of data and AWS resources.
- Review policies to establish that users/systems are restricted from performing functions beyond their responsibility, and also enforce proper separation of duties.
- Troubleshoot an authorization and authentication system to access AWS resources.
- Investigate a user’s inability to access S3 bucket contents.
- Investigate a user’s inability to switch roles to a different account.
- Investigate an Amazon EC2 instance’s inability to access a given AWS resource.
Domain 5: Data Protection
- Design and implement key management and use.
- Analyze a given scenario to determine an appropriate key management solution.
- Given a set of data protection requirements, evaluate key usage and recommend required changes.
- Determine and control the blast radius of a key compromise event and design a solution to contain the same.
- Troubleshoot key management.
- Break down the difference between a KMS key grant and IAM policy.
- Deduce the precedence given different conflicting policies for a given key.
- Determine when and how to revoke permissions for a user or service in the event of a compromise.
- Design and implement a data encryption solution for data at rest and data in transit.
- Given a set of data protection requirements, evaluate the security of the data at rest in a workload and recommend required changes.
- Verify policy on a key such that it can only be used by specific AWS services.
- Distinguish the compliance state of data through tag-based data classifications and automate remediation.
- Evaluate a number of transport encryption techniques and select the appropriate method (i.e. TLS, IPsec, client-side KMS encryption).