AWS Certified Security - Specialty Certification Training

2.1 Design and Implement monitoring and alerting to address security events

• Key AWS services for monitoring and alerting
• Monitoring metrics and baselines
• Analyzing environments and workloads to determine monitoring requirements according to business and security requirements
• Setting up tools and scripts to perform regular audits

2.2 Troubleshoot security monitoring and alerting

• Configuring of monitoring services and collecting event data
• Application monitoring, alerting, and visibility challenges

2.3 Design and implement a logging solution

• Key logging services and attributes
• Log destinations, Ingestion points and lifecycle management
• Logging specific to services and applications

2.4 Troubleshoot logging solutions

• AWS services that provide data sources and logging capabilities
• Access permissions that are necessary for logging
• Identifying misconfigurations and remediations specific to logging
• Reasons for missing logs and performing remediation steps

2.5 Design a log analysis solution

• Services and tools to analyze captured logs
• Identifying patterns in logs to indicate anomalies and known threats
• Log analysis features for AWS services
• Log format and components
• Normalizing, parsing, and correlating logs

DOWNLOAD CURRICULUM

3.1 Design and implement security controls for edge services

• Define edge security strategies and security features
• Select proper edge services based on anticipated threats and attacks and define proper Protection mechanisms based on that
• Define layered Defense (Defense in Depth) mechanisms
• Applying restrictions based on different criteria
• Enable logging and monitoring across edge services to indicate attacks

3.2 Design and implement network security controls

• VPC security mechanisms including Security Groups, NACLs, and Network firewall
• Traffic Mirroring and VPC Flow Logs
• VPC Security mechanisms and implement network segmentation based on security requirements
• Network traffic management and segmentation
• Inter-VPC connectivity, Traffic isolation, and VPN concepts and deployment
• Peering and Transit Gateway
• AWS Point to Site and Site to Site VPN, Direct Connect
• Continuous optimization by identifying and removing unnecessary network access

3.3 Design and implement security controls for compute workloads

• Provisioning and maintenance of EC2 instances
• Create hardened images and backups
• Applying instance and service roles for defining permissions
• Host-based security mechanisms
• Vulnerability assessment using AWS Inspector
• Passing secrets and credentials security to computing workloads
• Troubleshoot network security
• Identifying, interpreting, and prioritizing network connectivity and analyzing reachability
• Analyse log sources to identify problems
• Network traffic sampling using traffic mirroring

DOWNLOAD CURRICULUM

4.1 Design, implement and troubleshoot authentication for AWS resources

• Identity and Access Management
• Establish identity through an authentication system based on requirements.
• Managed Identities, Identity federation
• AWS Identity center, IAM and Cognito
• MFA, Conditional access, STS
• Troubleshoot authentication issues

4.2 Design, implement and troubleshoot authorization for AWS resources

• IAM policies and types
• Policy structure and troubleshooting
• Troubleshoot authorization issues
• ABAC and RBAC strategies
• Principle of least privilege and Separation of duties
• Investigate unintended permissions, authorization, or privileges

DOWNLOAD CURRICULUM

5.1 Design and implement controls that provide confidentiality and integrity for data in transit

• Design secure connectivity between AWS and on-premises networks
• Design mechanisms to require encryption when connecting to resources.
• Requiring DIT encryption for AWS API calls.
• Design mechanisms to forward traffic over secure connections.
• Designing cross-region networking

5.2 Design and implement controls that provide confidentiality and integrity for data at rest

• Encryption and integrity concepts
• Resource policies
• Configure services to activate encryption for data at rest and to protect data integrity by preventing Modifications.
• Cloud HSM and KMS

5.3 Design and implement controls to manage the data lifecycle at rest

• Lifecycle policies and configurations
• Automated life cycle management
• Establishing schedules and retention for AWS backup across AWS services.

5.4 Design and implement controls to protect credentials, secrets, and cryptographic key materials

• Designing management and rotation of secrets for workloads using a secret manager
• Designing KMS key policies to limit key usage to authorized users.
• Establishing mechanisms to import and remove customer-provider key material.

DOWNLOAD CURRICULUM