AWS Certified Security – Specialty SCS-C02 Exam Guide Study Path

Last updated on February 19, 2024

The AWS Specialty certification exams are intended for people who handle more specific responsibilities in AWS Cloud. Since these responsibilities demand a more advanced skill set and prior experience, the specialty exams are built to reinforce and validate a person’s eligibility for that role. There are no associate and professional levels in a specialty learning path, so each exam serves as the whole package. Expect no less from the specialty certification exams: they will be as tough as the professional exams.

The name of the certificate immediately points out what to focus on: AWS Security. Although we mentioned earlier that specialty exams tackle more specific roles, security in AWS is very broad and extensive. Many topics are involved when we speak about AWS security, whether they are native AWS services or third-party tools. If you need comprehensive review material for learning these topics, then this study guide is for you.

SCS-C02 Study Materials

Having prior knowledge and experience in handling (cloud) security will allow you to understand the concepts and strategies that appear in AWS reference materials. You will also find it easier to comprehend scenario-type questions in your exam. To know more about the AWS Security specialty exam, check out the official AWS Exam Blueprint here.

AWS documentation and whitepapers will be your best friends here. They are your primary source of information. We recommend reading the following papers:

  1. Introduction to AWS Security
  2. AWS Security Documentation
  3. AWS Well-Architected Framework
  4. Security Pillar – AWS Well-Architected Framework
  5. AWS Security Best Practices
  6. AWS Key Management Service Best Practices
  7. AWS Key Management Service Cryptographic Details
  8. Encrypting File Data with Amazon Elastic File System
  9. Secure Content Delivery with Amazon CloudFront
  10. Guidelines for Implementing AWS WAF
  11. AWS Best Practices for DDoS Resiliency
  12. Security at Scale: Logging in AWS
  13. AWS Security Incident Response Guide
  14. Implementing Security Controls on AWS

Add-On Compliance whitepapers:

  1. Security by Design
  2. AWS Risk & Compliance
  3. Architecting for HIPAA Security and Compliance on AWS
  4. Navigating GDPR Compliance on AWS
  5. Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 on AWS
  6. FedRAMP Compliance

Optional whitepaper for configuring Windows ADFS + EC2

After you have studied the sources above, it would be wise to expose yourself to different scenarios and strategies for enforcing security in AWS. Re:Invent videos, AWS blogs, virtual classes, and even some AWS forums provide sample scenarios and strategies for you. The links below will redirect you to some of the references:

AWS Services to Focus On For the SCS-C02 exam

When we talk about security as a discipline, especially in the context of cloud, we are tackling it as a combination of different domains. AWS enumerates its catalog of services and features under different domains based on their purposes. In this section, we will try to do the same and group AWS services according to their domains.

Identity and Access Control

  • AWS Identity and Access Management – You must learn every detail of AWS IAM since this is AWS’ primary user management and access control service. Practice writing your own IAM policies.
  • Resource-Based Policies – Although resource-based policies fall under AWS IAM, they tend to be ignored compared to user-based policies. Take note of which services support this type of policy and how they are different from user-based policies.
  • S3 Presigned URLs – Know the purpose of S3 presigned URLs and how they differ from CloudFront signed URLs.
  • CloudFront Signed URLs – Know the purpose of CloudFront signed URLs and how they differ from S3 presigned URLs or CloudFront signed cookies.
  • Amazon Cognito – Read through the benefits of Amazon Cognito and how to integrate it with web and mobile applications. Differentiate user pools from identity pools.
  • AWS IAM Identity Center – Learn how you can use AWS IAM Identity Center together with other authentication protocols to securely authenticate users in your environment.
  • AWS Security Token Service – Know the purpose and use cases of AWS STS. Try building a program that utilizes temporary tokens as credentials.
  • AWS Directory Service – Know the different options you have for AWS Directory Service. Each option solves a different requirement, and it is up to you to figure out how you can get your directory to gain access to your users and other information.
  • AWS Organizations – AWS Organizations is a very helpful service when dealing with large-scale enterprises with multiple AWS accounts. Know the benefits of using this service (like the consolidated billing feature) and how to build an organization hierarchy with Organizational Units and Service Control Policies.
  • AWS Resource Access Manager – AWS RAM allows you to securely share resources with other AWS accounts. Experiment with this service to know how to share your resources and what restrictions are involved.

Application and Infrastructure Security

  • EC2 key pairs – This goes without saying, but EC2 key pairs play a very important role in protecting your EC2 instances.
  • AWS Systems Manager – AWS SSM secures your applications through services like Patch Baselines, Run Command, Session Manager, and more. By utilizing automation and code, you reduce the risk of human error and unwanted/untracked changes to your application.
  • AWS WAF – AWS WAF is essential in protecting your applications from common exploits like SQL injection or XSS attacks. Differentiate WAF from Shield and Firewall Manager.
  • AWS Shield – AWS Shield complements AWS WAF since this service offers DDoS protection. Read what features are different between Shield Basic and Shield Advanced.
  • AWS Firewall Manager – This service simplifies administration overhead when setting up AWS WAF, AWS Shield and VPC security groups. It is best to get hands-on practice with the service.

Data Security

  • AWS KMS – Study the different types of KMS keys available and how you should manage them. Determine which AWS services support using AWS KMS for encryption.
  • Amazon CloudHSM – Know when to use AWS KMS vs CloudHSM for your encryption needs.
  • AWS SSM Parameter Store – It is important to know how AWS SSM Parameter Store can protect your referenceable information through SecureString. 
  • Amazon Secrets Manager – Secrets Manager is similar to Parameter Store wherein you can store and retrieve sensitive strings in AWS securely.
  • SSE-S3 Encryption – Read when it is better to use SSE-S3 keys or KMS keys for server-side encryption. Also read how your encrypted buckets and objects are handled during operations such as replication, deletion, etc.
  • S3 Glacier Vault Lock – Know the purpose of a Glacier Vault Lock and try implementing a policy yourself.
  • Amazon Macie – Read how Macie automatically classifies and protects your data. This is one of those services that you will just understand better if you try it out.
  • AWS Certificate Manager – Know which services integrate with your certificates stored in Certificate Manager. Try creating your own private CA and issue some custom certificates.

Network Security

  • Amazon VPC – Know everything on VPCs since they are basic building blocks for a protected AWS environment. Differentiate security groups vs network ACLs. Study VPC endpoints too.
  • Amazon CloudFront – Study how CloudFront protects your endpoints from being publicly accessible. Read on setting up Origin Access Identity with S3 buckets. Know which services integrate with CloudFront, such as API Gateway and WAF. CloudFront has a feature that allows content access to only selected locations.
  • AWS ELB – Study how ELB protects your web traffic and endpoints from malicious attacks. Understand how SSL certificates are being handled by ELB.
  • Amazon API Gateway – Similar to ELB, API Gateway also protects your endpoints from being exposed to the public internet. Commonly used in serverless applications, study how APIs can secure Lambda functions. Also know what services it integrates with, such as WAF.
  • AWS VPN – Although AWS VPN is fairly new, you should have an overview of what this service is and how to set it up in your AWS environment.
  • AWS Direct Connect – Read how a dedicated line from your network to AWS can protect your inbound and outbound traffic. A common way to secure your traffic in Direct Connect is by using an AWS Site to Site VPN.

Logging and Monitoring

  • Amazon CloudWatch – Know everything about CloudWatch (Logs, Alarms, Events, Metrics).
  • Amazon CloudTrail – Know everything about CloudTrail, like how to store and encrypt your log files, how to monitor different regions and capture different types of data.
  • Service Logs (VPC, ELB, API Gateway, S3, CloudFront) – Multiple AWS services support logging which they forward to an S3 bucket. It would be good to have an idea of which services support logging. Logs are crucial when conducting incident response and analysis.
  • Amazon Route 53 – Study how Route 53 can quickly handle network issues by performing DNS and endpoint health checks. Route 53 also helps in making your environment more resilient by performing automatic failovers.

Threat Detection, Prevention, Response and Remediation

  • Amazon GuardDuty – Have an understanding of the use cases of Amazon GuardDuty.
  • Amazon Inspector – Have an understanding of the use cases of Amazon Inspector.
  • Amazon Detective – Know which services integrate with Amazon Detective. Also, have an understanding of the use cases of Amazon Detective.
  • AWS Security Hub – Have an understanding of the use cases of AWS Security Hub.

Risk and Compliance Management

  • AWS Artifact – Know the purpose of AWS Artifact and what kinds of reports it provides for you.
  • AWS Config – AWS Config is an important compliance monitoring tool that you should learn about. Study the concepts and how they work. Practice writing a Config rule of your own to have a better understanding of the service.

Lastly, as we have repeatedly talked about, specialty exams are intended for experienced individuals. Therefore, you should go try out the services above in your own AWS account. Also, do not limit yourself to the Management Console. Some implementations can only be done via AWS CLI or AWS SDK. Be comfortable with them all. 

Common Exam Scenarios for SCS-C02

AWS Config

Scenario: A company requires a solution that will automatically detect and enable disabled VPC Flow Logs.
Solution: Create an AWS Config rule that will detect disabled VPC Flow Logs. Create an Amazon EventBridge rule based on that Config Rule to trigger a Lambda Function for enabling VPC Flow Logs.

Scenario: Verify if EC2 instances are using approved AMI. Create a notification if non-compliant instances are detected.
Solution: Utilize the approved-amis-by-id managed rule in AWS Config to check if running instances are using an approved AMI. Use CloudWatch Alarms for notification.

Scenario: A Security Analyst needs to remediate the risks of having security groups that allow inbound traffic for the 0.0.0.0/0 CIDR range (Anywhere). The security group must only allow inbound traffic for the company’s firewall IP address.
Solution: Create an AWS Config rule that will automatically detect security groups that allow inbound traffic from the 0.0.0.0/0 CIDR range. Associate a Lambda function in the Config rule to update the security group’s inbound rule with the company’s firewall IP address.

Scenario: You need to build a solution that will allow the Security team to review the IAM policy assigned to an IAM user before and after a security incident has occurred.
Solution: Use AWS Config

Scenario: Automatically detect and remediate an incident where API logging is disabled
Solution: Create an AWS Config rule to detect disabled CloudTrail settings. Configure the rule to use an AWS Systems Manager Automation document to automatically re-enable CloudTrail logs.

Scenario: Detect if someone is using the AWS account’s root access in creating new API keys without proper approval.
Solution: Set up an AWS Config rule to track the usage of the create-api-key command by the root IAM user.

AWS KMS

Scenario: A company requires a CMK that automatically rotates every year.
Solution: Create a CMK with AWS generated key material.

Scenario: A company needs to rotate a CMK with imported key material
Solution: Create a new CMK with the new imported key material and point the existing alias to the new CMK.

Scenario: A company has to manage the access control for hundreds of CMKs without having to edit key policies
Solution: Use grants in AWS KMS.

Scenario: A Security Specialist must use additional authenticated data (AAD) to prevent tampering against the ciphertext.
Solution: Add the kms:EncryptionContext condition when defining the key policy for the CMK.

Scenario: A company needs to migrate AWS resources encrypted with KMS into another region.
Solution: Use a new CMK in the target region.

AWS WAF, AWS Shield

Scenario: An application hosted on an EC2 instance needs protection from common web exploits. Also, the outgoing traffic from the instance should be restricted only to trusted URLs.
Solution: Use AWS WAF for common web exploits protection and use a third-party solution to whitelist URLs for outbound traffic.

Scenario: A Security Specialist needs to block high-volume requests from a specific user-agent HTTP header
Solution: Use AWS WAF rate-based rule to limit the number of requests.

Scenario: Which AWS Services have direct integration with AWS WAF?
Solution: Amazon CloudFront & Application Load Balancer

Scenario: A company is serving static content using Amazon CloudFront, Amazon S3, and Amazon Route53. They must respond to DDoS attacks at L7, L4, and L3.
Solution: Use AWS Shield Advanced

AWS CloudTrail

Scenario: Protect CloudTrail Logs from tampering and unauthorized access
Solution: Enable the CloudTrail log file validation

Scenario: Some AWS accounts can’t send CloudTrail logs to a centralized logging account. What are the steps to troubleshoot the issue?
Solution:
  1. Check if the AWS Account IDs are included within the Central account’s S3 bucket policy.
  2. Check if the AWS Accounts are using the correct S3 bucket name for centralized logging.
  3. Check if all trails are active

Scenario: A Security Specialist has updated the log file prefix for a trail but encountered a “There is a problem with the bucket policy.” error
Solution: First, update the new log file prefix in the S3 bucket policy, then specify the updated log file prefix in the CloudTrail Console.

Scenario: A Security Engineer needs to review user activities from a specific access key within the past 3 months.
Solution: Review the user activities through the CloudTrail Console

Amazon CloudWatch

Scenario: Some EC2 instances stop sending CloudWatch logs after a security incident. What are the steps to troubleshoot this issue?
Solution:
  1. Check if CloudWatch Logs agent is active and running in the EC2 instances.
  2. Check if the EC2 instances have Internet access.
  3. Check the validity of the OS Log rotation rules.

Scenario: After an update to IAM policy, an application stops sending custom metrics to AWS CloudWatch.
Solution: Add the cloudwatch:PutMetricData permission in the IAM policy

Scenario: A Security Engineer must build a near real-time logging solution to collect logs from different AWS Accounts.
Solution: Use the Amazon CloudWatch cross-account log data sharing with subscriptions. Use Amazon Kinesis Data Firehose to deliver the logs.

Scenario: A company has set up a notification system using CloudWatch and CloudTrail that will alert a Security Team when new access keys are created. The team is not receiving notifications.
Solution: Make sure that the value of consecutive periods alarm threshold is equal to or greater than 1.

Amazon GuardDuty

Scenario: A company needs a threat detection system for monitoring malicious activities in an AWS Account
Solution: Use Amazon GuardDuty

Scenario: A company is using an Active Directory server to resolve DNS for EC2 instances in a VPC. A security engineer noticed that one of the instances is being used for command-and-control (C2C) operations but GuardDuty has failed to recognize it.
Solution: GuardDuty does not recognize DNS requests coming from third-party DNS servers.

Scenario: A company wants to perform a network port scan against EC2 instances in VPC but does not want to get alerts for specific instances.
Solution: Add the EIP of the specific instances to the trusted IP lists in Amazon GuardDuty.

Infrastructure Security

Scenario: A company has complex connectivity rules for Amazon EC2 instances. How should they manage these connection rules with no additional cost?
Solution: Implement the rules using the built-in host-based firewall such as iptables

Scenario: A Security Engineer needs to inspect packet data.
Solution:
  1. Use a proxy software hosted on an EC2 instance.
  2. Use a host-based agent on an EC2 instance. Note that you can only perform packet data analysis with third-party solutions.

Scenario: A Security Engineer has a virtual security appliance. The Engineer is using a security group and NACL to comply with security requirements. How can he allow traffic through the virtual security appliance?
Solution: Disable the Source/Destination check of the Elastic Network Interface (ENI) associated with the virtual security appliance.

Scenario: A Security Engineer needs to remediate the risk of users exploiting the instance metadata service to access AWS resources in other accounts.
Solution: Restrict the access to the instance metadata service using iptables.
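
For the AWS Config scenario above in which security groups open to 0.0.0.0/0 must be narrowed to the company's firewall address, the following added example (not part of the original guide) shows the decision logic that a custom rule's Lambda function could run. The configuration-item field names, the security group ID and the firewall address 203.0.113.10/32 are constructed assumptions, and no AWS API is called.

```javascript
// Added example: returns a compliance verdict plus the EC2 request parameters
// (RevokeSecurityGroupIngress / AuthorizeSecurityGroupIngress) that a
// remediation function would send. IPv6 (::/0) is outside the scenario.
const OPEN_V4 = "0.0.0.0/0";

// Constructed sample shaped like an AWS::EC2::SecurityGroup configuration item.
const sampleItem = {
  resourceType: "AWS::EC2::SecurityGroup",
  configuration: {
    groupId: "sg-0123456789abcdef0",
    ipPermissions: [
      { ipProtocol: "tcp", fromPort: 443, toPort: 443,
        ipv4Ranges: [{ cidrIp: "0.0.0.0/0" }] },
      { ipProtocol: "tcp", fromPort: 22, toPort: 22,
        ipv4Ranges: [{ cidrIp: "0.0.0.0/0" }, { cidrIp: "10.0.0.0/8" }] },
      { ipProtocol: "tcp", fromPort: 5432, toPort: 5432,
        ipv4Ranges: [{ cidrIp: "10.0.0.0/8" }] },
    ],
  },
};

// Copy protocol and ports into the shape the EC2 API expects, with one CIDR.
function toEc2Permission(rule, cidr) {
  const p = { IpProtocol: rule.ipProtocol, IpRanges: [{ CidrIp: cidr }] };
  if (rule.fromPort !== undefined) p.FromPort = rule.fromPort; // absent for protocol "-1"
  if (rule.toPort !== undefined) p.ToPort = rule.toPort;
  return p;
}

function evaluateSecurityGroup(item, firewallCidr) {
  if (firewallCidr === OPEN_V4) throw new Error("firewall CIDR must not be 0.0.0.0/0");
  if (item.resourceType !== "AWS::EC2::SecurityGroup") {
    return { compliance: "NOT_APPLICABLE", revoke: null, authorize: null };
  }
  const rules = item.configuration.ipPermissions || [];
  const cidrsOf = (rule) => (rule.ipv4Ranges || []).map((r) => r.cidrIp);
  const open = rules.filter((rule) => cidrsOf(rule).includes(OPEN_V4));
  if (open.length === 0) {
    return { compliance: "COMPLIANT", revoke: null, authorize: null };
  }
  const groupId = item.configuration.groupId;
  // Add the firewall address only where the rule does not already list it.
  const toAdd = open.filter((rule) => !cidrsOf(rule).includes(firewallCidr));
  return {
    compliance: "NON_COMPLIANT",
    revoke: { GroupId: groupId, IpPermissions: open.map((r) => toEc2Permission(r, OPEN_V4)) },
    authorize: toAdd.length
      ? { GroupId: groupId, IpPermissions: toAdd.map((r) => toEc2Permission(r, firewallCidr)) }
      : null,
  };
}

// Offline stand-in for the two EC2 calls: applies a plan to a copy of the item
// so the result can be evaluated again.
function applyPlan(item, plan) {
  const next = JSON.parse(JSON.stringify(item));
  const same = (rule, p) =>
    rule.ipProtocol === p.IpProtocol && rule.fromPort === p.FromPort && rule.toPort === p.ToPort;
  for (const rule of next.configuration.ipPermissions) {
    for (const p of plan.revoke ? plan.revoke.IpPermissions : []) {
      if (same(rule, p)) {
        rule.ipv4Ranges = rule.ipv4Ranges.filter((r) => r.cidrIp !== p.IpRanges[0].CidrIp);
      }
    }
    for (const p of plan.authorize ? plan.authorize.IpPermissions : []) {
      if (same(rule, p)) rule.ipv4Ranges.push({ cidrIp: p.IpRanges[0].CidrIp });
    }
  }
  return next;
}
```

Re-evaluating the item returned by `applyPlan` confirms the remediation converges: the SSH rule keeps its internal 10.0.0.0/8 range, and only the open range is swapped for the firewall address.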

 

Validate Your Knowledge for the SCS-C02 AWS Security Specialty Exam

The virtual classrooms we listed in the Study Materials section often include short quizzes at the end of each video. They will serve as guides on how to look for key terminology in your exam questions, as well as how to break down your options to determine the most suitable answer for the question. Another virtual lecture we recommend attending after you have finished reviewing for the exam is the Exam Readiness: AWS Certified Security – Specialty Course. It provides sample questions that you can follow along and answer.

AWS also provides a sample exam on the AWS Certified Security Specialty page, which you can find here. Although this sample exam is not on the same level of difficulty one might expect on the real exam, it is still a helpful resource for your reviews. Lastly, Tutorials Dojo also has a set of high-quality practice exams and study guide eBook for the AWS Security Specialty certification. The practice exams and study guide eBook will help boost your preparedness for the real exam, and it will also help you determine which areas you are weak in, so you can focus your efforts on studying those areas.

 

Sample Exam Questions for the SCS-C02 Exam:

Question 1

A leading hospital has a web application hosted in AWS that will store sensitive Personally Identifiable Information (PII) of its patients in an Amazon S3 bucket. Both the master keys and the unencrypted data should never be sent to AWS to comply with the strict compliance and regulatory requirements of the company.

Which S3 encryption technique should the Security Engineer implement?

  1. Implement an Amazon S3 client-side encryption with a KMS-managed customer master key.
  2. Implement an Amazon S3 client-side encryption with a client-side master key.
  3. Implement an Amazon S3 server-side encryption with a KMS-managed key.
  4. Implement an Amazon S3 server-side encryption with a customer-provided key.

Correct Answer: 2

Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options:

– Use an AWS KMS-managed customer master key.

– Use a client-side master key.

When using an AWS KMS-managed customer master key to enable client-side data encryption, you provide an AWS KMS customer master key ID (CMK ID) to AWS. On the other hand, when you use a client-side master key for client-side data encryption, your client-side master keys and your unencrypted data are never sent to AWS. It’s important that you safely manage your encryption keys because if you lose them, you can’t decrypt your data.

This is how client-side encryption using client-side master key works:

When uploading an object – You provide a client-side master key to the Amazon S3 encryption client. The client uses the master key only to encrypt the data encryption key that it generates randomly. The process works like this:

1. The Amazon S3 encryption client generates a one-time-use symmetric key (also known as a data encryption key or data key) locally. It uses the data key to encrypt the data of a single Amazon S3 object. The client generates a separate data key for each object.

2. The client encrypts the data encryption key using the master key that you provide. The client uploads the encrypted data key and its material description as part of the object metadata. The client uses the material description to determine which client-side master key to use for decryption.

3. The client uploads the encrypted data to Amazon S3 and saves the encrypted data key as object metadata (x-amz-meta-x-amz-key) in Amazon S3.

When downloading an object – The client downloads the encrypted object from Amazon S3. Using the material description from the object’s metadata, the client determines which master key to use to decrypt the data key. The client uses that master key to decrypt the data key and then uses the data key to decrypt the object.
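
The upload and download steps above, as an added Node.js example that runs locally (it is not code from the Amazon S3 encryption client or from the original guide). AES-256-GCM for both layers, the key IDs and the `x-amz-meta-x-amz-matdesc` field name are assumptions of this example; binding the material description as additional authenticated data is a choice made here, not something the guide describes.

```javascript
// Added example: envelope encryption with a client-side master key.
const nodeCrypto = require("node:crypto");
const GCM = "aes-256-gcm";

// AES-256-GCM encrypt; returns iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv(GCM, key, iv);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]);
}

// Reverse of seal(); throws if the key, the AAD or any byte of the blob is wrong.
function unseal(key, blob, aad) {
  const decipher = nodeCrypto.createDecipheriv(GCM, key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Upload path. masterKeys is a Map of key id -> 32-byte key held only by the client.
function encryptForUpload(masterKeys, keyId, plaintext) {
  const masterKey = masterKeys.get(keyId);
  if (!masterKey) throw new Error(`unknown master key: ${keyId}`);
  // Step 1: a fresh data key, used for this object only.
  const dataKey = nodeCrypto.randomBytes(32);
  // Material description: tells the downloader which master key wrapped the data key.
  const matdesc = JSON.stringify({ keyId });
  const aad = Buffer.from(matdesc);
  const body = seal(dataKey, plaintext, aad);
  // Step 2: encrypt (wrap) the data key under the master key.
  const wrappedKey = seal(masterKey, dataKey, aad);
  // Step 3: everything that would be sent to S3. Neither key appears in the clear.
  return {
    body,
    metadata: {
      "x-amz-meta-x-amz-key": wrappedKey.toString("base64"),
      "x-amz-meta-x-amz-matdesc": matdesc, // field name assumed for this example
    },
  };
}

// Download path: pick the master key from the material description,
// unwrap the data key, then decrypt the object body.
function decryptAfterDownload(masterKeys, object) {
  const matdesc = object.metadata["x-amz-meta-x-amz-matdesc"];
  const { keyId } = JSON.parse(matdesc);
  const masterKey = masterKeys.get(keyId);
  if (!masterKey) throw new Error(`no local master key for: ${keyId}`);
  const aad = Buffer.from(matdesc);
  const wrappedKey = Buffer.from(object.metadata["x-amz-meta-x-amz-key"], "base64");
  const dataKey = unseal(masterKey, wrappedKey, aad);
  return unseal(dataKey, object.body, aad);
}

// Constructed demo: one record, one master key generated on the spot.
function demoRoundTrip() {
  const masterKeys = new Map([["records-key-example", nodeCrypto.randomBytes(32)]]);
  const record = Buffer.from("patient=constructed-sample; note=none");
  const stored = encryptForUpload(masterKeys, "records-key-example", record);
  return {
    roundTrip: decryptAfterDownload(masterKeys, stored).equals(record),
    plaintextInUpload: stored.body.includes(record),
    metadataFields: Object.keys(stored.metadata),
  };
}
```

Losing the entry in `masterKeys` makes every object wrapped under it unrecoverable, which is the key-management caveat stated earlier in this explanation.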

Hence, the correct answer is: Implementing an S3 client-side encryption with a client-side master key.

Implementing an Amazon S3 client-side encryption with a KMS-managed customer master key is incorrect because in client-side encryption with a KMS-managed customer master key, you provide an AWS KMS customer master key ID (CMK ID) to AWS. The scenario clearly indicates that both the master keys and the unencrypted data should never be sent to AWS.

Implementing an Amazon S3 server-side encryption with a KMS managed key is incorrect because the scenario mentioned that the unencrypted data should never be sent to AWS, which means that you have to use client-side encryption in order to encrypt the data first before sending it to AWS. In this way, you can ensure that no unencrypted data is uploaded to AWS. In addition, the master key used by Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS) is uploaded and managed by AWS, which directly violates the requirement of not uploading the master key.

Implementing an Amazon S3 server-side encryption with customer provided key is incorrect because, just as mentioned above, you have to use client-side encryption in this scenario instead of server-side encryption. For the S3 server-side encryption with customer-provided key (SSE-C), you actually provide the encryption key as part of your request to upload the object to S3. Using this key, Amazon S3 manages both the encryption (as it writes to disks) and decryption (when you access your objects).

References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html

Check out this AWS Key Management Service Cheat Sheet:
https://tutorialsdojo.com/aws-key-management-service-aws-kms/

Question 2

An enterprise monitoring application collects data and generates audit logs of all operational activities of the company’s AWS Cloud infrastructure. The IT Security team requires that the application retain the logs for 5 years before the data can be deleted.

How can the Security Engineer meet the above requirement?

  1. Use Amazon S3 Glacier to store the audit logs and apply a Vault Lock policy.
  2. Use Amazon EBS Volumes to store the audit logs and take automated EBS snapshots every month using Amazon Data Lifecycle Manager.
  3. Use Amazon S3 to store the audit logs and enable Multi-Factor Authentication Delete (MFA Delete) for additional protection.
  4. Use Amazon EFS to store the audit logs and enable Network File System version 4 (NFSv4) file-locking mechanism.

Correct Answer: 1

An Amazon S3 Glacier (Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies.

As an example of a Vault Lock policy, suppose that you are required to retain archives for one year before you can delete them. To implement this requirement, you can create a Vault Lock policy that denies users permission to delete an archive until the archive has existed for one year. You can test this policy before locking it down. After you lock the policy, it becomes immutable. For more information about the locking process, see Amazon S3 Glacier Vault Lock. If you want to manage other user permissions that can be changed, you can use the vault access policy.
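
A Vault Lock policy of the kind described above, sized for the 5-year retention in this question, together with a small checker for testing it offline before locking. This is an added example, not part of the original guide: the account ID, region and vault name are placeholders, 5 years is taken as 1825 days, and the checker models only the pieces of policy evaluation that this one statement uses.

```javascript
// Added example: Vault Lock policy document plus a minimal explicit-deny check.
const RETENTION_DAYS = 5 * 365; // 5-year retention in days (leap days ignored)

const vaultLockPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "deny-delete-before-retention-ends",
      Effect: "Deny",
      Principal: "*",
      Action: "glacier:DeleteArchive",
      // Placeholder ARN constructed for this example.
      Resource: "arn:aws:glacier:us-east-1:111122223333:vaults/audit-logs-example",
      Condition: {
        NumericLessThan: { "glacier:ArchiveAgeInDays": String(RETENTION_DAYS) },
      },
    },
  ],
};

const asList = (v) => (Array.isArray(v) ? v : [v]);

// Exact match or trailing-* wildcard; action names are case-insensitive.
function actionMatches(pattern, action) {
  const p = pattern.toLowerCase();
  const a = action.toLowerCase();
  return p.endsWith("*") ? a.startsWith(p.slice(0, -1)) : p === a;
}

const NUMERIC_OPS = {
  NumericLessThan: (actual, limit) => actual < limit,
  NumericLessThanEquals: (actual, limit) => actual <= limit,
  NumericGreaterThan: (actual, limit) => actual > limit,
  NumericGreaterThanEquals: (actual, limit) => actual >= limit,
};

// Every operator and every key must hold; a key missing from the request
// context makes the condition false, so the statement does not apply.
function conditionHolds(condition, context) {
  return Object.entries(condition || {}).every(([op, keys]) => {
    const compare = NUMERIC_OPS[op];
    if (!compare) throw new Error(`operator not modelled in this example: ${op}`);
    return Object.entries(keys).every(
      ([key, limit]) => key in context && compare(Number(context[key]), Number(limit))
    );
  });
}

// Returns the Sid of the Deny statement that blocks the request, or null.
// Principal and Resource matching are left out: the policy is attached to one
// vault and its Principal is "*".
function explicitDeny(policy, request) {
  for (const st of policy.Statement) {
    if (st.Effect !== "Deny") continue;
    if (!asList(st.Action).some((p) => actionMatches(p, request.action))) continue;
    if (conditionHolds(st.Condition, request.context)) return st.Sid;
  }
  return null;
}

// Constructed delete requests against archives of different ages.
function demoDeleteRequests() {
  const samples = [
    { archive: "audit-log-recent", ageDays: 400 },
    { archive: "audit-log-day-before-expiry", ageDays: RETENTION_DAYS - 1 },
    { archive: "audit-log-expired", ageDays: RETENTION_DAYS },
  ];
  return samples.map(({ archive, ageDays }) => ({
    archive,
    deleteDenied: explicitDeny(vaultLockPolicy, {
      action: "glacier:DeleteArchive",
      context: { "glacier:ArchiveAgeInDays": ageDays },
    }) !== null,
  }));
}
```

A policy like this is attached with the InitiateVaultLock operation and becomes immutable once CompleteVaultLock is called, so boundary checks such as the one above belong in the testing window before that step.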

Amazon S3 Glacier supports the following archive operations: Upload, Download, and Delete. Archives are immutable and cannot be modified. Hence, the correct answer is: Use Amazon S3 Glacier to store the audit logs and apply a Vault Lock policy.

The option that says: Use Amazon EBS Volumes to store the audit logs and take automated EBS snapshots every month using Amazon Data Lifecycle Manager is incorrect because this is not a suitable and secure solution. Anyone who has access to the EBS Volume can simply delete and modify the audit logs. Snapshots can be deleted too.

The option that says: Use Amazon S3 to store the audit logs and enable Multi-Factor Authentication Delete (MFA Delete) for additional protection is incorrect because this would still not meet the requirement. If someone has access to the S3 bucket and also has the proper MFA privileges then the audit logs can be edited. 

The option that says: Use Amazon EFS to store the audit logs and enable Network File System version 4 (NFSv4) file-locking mechanism is incorrect because the data integrity of the audit logs can still be compromised if it is stored in an EFS volume with Network File System version 4 (NFSv4) file-locking mechanism and hence, not suitable as storage for the files. Although it will provide some sort of security, the file lock can still be overridden and the audit logs might be edited by someone else.  

References:
https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html
https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html
https://aws.amazon.com/blogs/aws/glacier-vault-lock/

Check out this Amazon S3 Glacier Cheat Sheet:
https://tutorialsdojo.com/amazon-glacier/

With the growing number of security attacks each day, companies are now focusing their efforts on strengthening their digital security. This responsibility requires a team effort from both AWS engineers and industry professionals, which is why we have a shared responsibility model. Professionals will have to be equipped with the right tools and knowledge to protect what is valuable to them and to their company.

We hope that our guide has helped you achieve that goal, and we would love to hear back from you after your exam. Get some well-deserved rest, and we wish you the best of results.

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
