☁️ AWS

AWS Certified Security - Specialty (SCS-C03)

This comprehensive AWS Certified Security Specialty (SCS-C03) hive provides study notes, a question bank with practice tests, flashcards, and hands-on labs, all supported by a personal AI tutor to help you master the AWS Certified Security Specialty certification (SCS-C03).

980 practice questions
10 mock exams
130 study notes
460 flashcard decks
2 source materials

Study Notes & Guides

130 AI-generated study notes covering the full AWS Certified Security - Specialty (SCS-C03) curriculum.

Curriculum Overview: Aggregating Security and Monitoring Events

Aggregate security and monitoring events

845 words

Mastering AWS Authorization Analysis: Curriculum Overview

Analyze authorization failures to determine causes or effects (for example, IAM Policy Simulator, IAM Access Analyzer).

842 words

Curriculum Overview: Troubleshooting AWS Security Logging and Resource Configuration

Analyze the functionality, permissions, and configuration of resources (for example, Lambda function logging, Amazon API Gateway logging, health checks, Amazon CloudFront logging)

820 words

Curriculum Overview: Analyzing Workload Monitoring Requirements

Analyze workloads to determine monitoring requirements

745 words

Curriculum Overview: Authorizing Compute Workloads via IAM Roles

Apply instance profiles, service roles, and execution roles appropriately to authorize compute workloads

820 words

Forensic Log Management: Capture and Storage Strategy

Capture and store relevant system and application logs as forensic artifacts

865 words

Mastering Centralized Security Management: Delegated Administration in AWS Organizations

Centrally manage security services (for example, delegated administrator accounts).

845 words

Curriculum Overview: AWS Edge and Third-Party Security Integrations

Configure integrations with AWS edge services and third-party services (for example, by ingesting data in Open Cybersecurity Schema Framework [OCSF] format, by using third-party WAF rules)

820 words

Curriculum Overview: AWS Logging and Monitoring Solutions

Configure logging for AWS services and applications (for example, by configuring an AWS CloudTrail trail for an organization, by creating a dedicated Amazon CloudWatch logging account, by configuring the Amazon CloudWatch Logs agent)

865 words

Curriculum Overview: Temporary Credential Mechanisms in AWS

Configure mechanisms to issue temporary credentials (for example, AWS Security Token Service [AWS STS], Amazon S3 presigned URLs).

680 words

Secure Administrative Access to Compute Resources: Curriculum Overview

Configure secure administrative access to compute resources (for example, Systems Manager Session Manager, EC2 Instance Connect)

785 words

CI/CD Pipeline Security: Vulnerability Discovery & Remediation Strategy

Configure security tools to discover and remediate vulnerabilities within a pipeline (for example, Amazon Q Developer, Amazon CodeGuru Security)

845 words

Mastering Automated Security Assessments and Investigations on AWS

Create and manage automations to perform regular assessments and investigations (for example, by deploying AWS Config conformance packs, Security Hub, AWS Systems Manager State Manager)

820 words

Curriculum Overview: Multi-Region Key and Certificate Management

Create and manage encryption keys and certificates across a single AWS Region or multiple Regions (for example, AWS KMS customer managed AWS KMS keys, AWS Private Certificate Authority).

785 words

Curriculum Overview: Advanced AWS Security Detection & Anomaly Monitoring

Create metrics, alerts, and dashboards to detect anomalous data and events (for example, Amazon GuardDuty, Amazon Security Lake, AWS Security Hub, Amazon Macie)

845 words

AWS Security Specialty: Automated Compliance & Remediation Curriculum

Create or enable rules to detect and remediate noncompliant AWS resources and to send notifications (for example, by using AWS Config to aggregate alerts and remediate non-compliant resources, Security Hub).

780 words

Curriculum Overview: AWS Edge Security Strategies

Define and select edge security strategies based on anticipated threats and attacks

820 words

AWS Organizations: Multi-Account Strategy & Governance

Deploy and configure organizations by using AWS Organizations.

685 words

Centralized Security Governance: Policy Deployment and Enforcement

Deploy and enforce policies and configurations from a central source (for example, AWS Firewall Manager).

750 words

Curriculum Overview: Automated Patching and Continuous Vulnerability Management

Deploy patches across compute resources to maintain secure and compliant environments by automating update processes and by integrating continuous validation (for example, Systems Manager Patch Manager, Amazon Inspector)

845 words

Mastering Root Cause Analysis in AWS: Amazon Detective & IR Frameworks

Describe methods to conduct root cause analysis (for example, Amazon Detective)

845 words

AWS KMS: AWS-Generated vs. Imported Key Material

Describe the differences between imported key material and AWS generated key material.

780 words

Curriculum Overview: Inter-Resource Encryption in Transit

Design and configure inter-resource encryption in transit (for example, inter-node encryption configurations for Amazon EMR, Amazon Elastic Kubernetes Service [Amazon EKS], SageMaker AI, Nitro encryption).

782 words

Curriculum Overview: Designing Secure and Private Access to AWS Resources

Design and configure mechanisms for secure and private access to resources (for example, AWS PrivateLink, VPC endpoints, AWS Client VPN, AWS Verified Access).

820 words

Curriculum Overview: Protecting Data Integrity

Design and configure mechanisms to protect data integrity (for example, S3 Object Lock, S3 Glacier Vault Lock, versioning, digital code signing, file validation).

680 words

AWS Data Protection: Enforcing Encryption in Transit for Resources

Design and configure mechanisms to require encryption when connecting to resources (for example, by configuring Elastic Load Balancing [ELB] security policies, by enforcing TLS configurations).

680 words

Curriculum Overview: Secure Data Replication & Backup Solutions

Design and configure secure data replication and backup solutions (for example, Amazon Data Lifecycle Manager, AWS Backup, ransomware protection, AWS DataSync).

820 words

Curriculum Guide: AWS Identity and Authentication Solutions

Design and establish identity solutions for human, application, and system authentication (for example, AWS IAM Identity Center, Amazon Cognito, multi-factor authentication [MFA], identity provider [IdP] integration).

925 words

Curriculum Guide: Advanced AWS Authorization & Access Controls

Design and evaluate authorization controls for human, application, and system access (for example, Amazon Verified Permissions, IAM paths, IAM Roles Anywhere, resource policies for cross-account access, IAM role trust policies).

825 words

Curriculum Overview: AWS Edge Controls and Rules

Design and implement AWS edge controls and rules based on requirements (for example, geography, geolocation, rate limiting, client fingerprinting)

845 words

AWS Certified Security Specialty: Data at Rest Controls Cram Sheet

Design and implement controls for data at rest

865 words

Curriculum Overview: Designing and Implementing Controls for Data at Rest

Design and implement controls for data at rest

785 words

Lab: Implementing Secure Data at Rest Controls with AWS KMS and S3

Design and implement controls for data at rest

845 words

AWS Security: Designing Controls for Data in Transit

Design and implement controls for data in transit

680 words

Exam Cram: Data in Transit Controls (AWS Security Specialty)

Design and implement controls for data in transit

850 words

Lab: Design and Implement Data in Transit Controls on AWS

Design and implement controls for data in transit

1,050 words

AWS Security Specialty Cram Sheet: Protecting Secrets and Keys

Design and implement controls to protect confidential data, credentials, secrets, and cryptographic key materials

850 words

Curriculum Overview: Protecting Confidential Data, Credentials, and Secrets

Design and implement controls to protect confidential data, credentials, secrets, and cryptographic key materials

785 words

Lab: Securing Confidential Data with AWS KMS and Secrets Manager

Design and implement controls to protect confidential data, credentials, secrets, and cryptographic key materials

850 words

Curriculum Overview: Hardening Compute Workloads with AWS EC2 Image Builder

Design and implement hardened Amazon EC2 AMIs and container images to secure compute workloads and embed security controls (for example, Systems Manager, EC2 Image Builder)

820 words

AWS Certified Security - Specialty: Logging Solutions Cram Sheet

Design and implement logging solutions

925 words

Curriculum Overview: Designing and Implementing AWS Logging Solutions

Design and implement logging solutions

845 words

Lab: Designing and Implementing a Centralized Logging Solution on AWS

Design and implement logging solutions

845 words

AWS SCS-C03 Exam Cram: Monitoring & Alerting Solutions

Design and implement monitoring and alerting solutions for an AWS account or organization

840 words

AWS Security Detection: Monitoring and Alerting Curriculum Overview

Design and implement monitoring and alerting solutions for an AWS account or organization

750 words

Lab: Implementing Automated Security Monitoring and Alerting with Amazon GuardDuty

Design and implement monitoring and alerting solutions for an AWS account or organization

842 words

AWS Certified Security: Incident Response and Runbook Design

Design and implement response plans and runbooks to respond to security incidents (for example, Systems Manager OpsCenter, Amazon SageMaker AI notebooks)

820 words

Curriculum Overview: AWS Workload Monitoring and Health Strategy

Design and implement workload monitoring strategies (for example, by configuring resource health checks)

645 words

Curriculum Overview: Designing and Testing Incident Response Plans in AWS

Design and test an incident response plan

872 words

Exam Cram: Designing and Testing an AWS Incident Response Plan (SCS-C03)

Design and test an incident response plan

820 words

Showing 50 of 130 study notes.

Sample Practice Questions

Try 5 sample questions from a bank of 980.

Q1.A security architect is designing a governance strategy for a large multi-account environment. They must ensure two specific outcomes: first, that no customer data is used to improve AWS AI services across any member account; and second, that a centralized "data perimeter" is established by restricting the maximum permissions that resource-based policies can grant to external entities. Which combination of AWS Organizations policies should be implemented to achieve these goals?

A.Apply an AI service opt-out policy to the organization root to manage data usage behavior, and use a Resource Control Policy (RCP) to centrally restrict the maximum permissions that resource-based policies can grant.
B.Apply a Service Control Policy (SCP) to deny the `s3:PutBucketPolicy` action across all accounts, and use a Tag Policy to identify which accounts should opt out of AI service data collection.
C.Use a declarative policy to standardize the configurations of Amazon S3 buckets, and use a Service Control Policy (SCP) to globally opt out of AI service improvements for the organization.
D.Enable a Backup Policy to ensure the integrity of AI-related datasets, and use an IAM Permissions Boundary in each member account to prevent external access to S3 resources.
Correct: A

Q2.A security engineer is configuring an AWS Client VPN to provide remote access to a private VPC. The organization has the following security requirements: 1. Users must authenticate using their existing corporate credentials managed by an external SAML 2.0-compliant Identity Provider (IdP). 2. Access must be restricted to specific company-managed devices that possess a valid, unique client certificate. Which configuration of authentication methods should the engineer implement on the Client VPN endpoint to meet these requirements?

A.Mutual authentication only using a client certificate and a Root CA uploaded to AWS Certificate Manager (ACM).
B.SAML-based federated authentication only, using the metadata document from the external IdP.
C.A combination of both mutual authentication and SAML-based federated authentication.
D.Active Directory authentication using an AWS Directory Service AD Connector linked to the external IdP.
Correct: C

Q3. An administrator has configured a custom Network Access Control List (NACL) for a subnet containing EC2 instances that act as web clients. These instances need to download software updates from an external repository over HTTPS (TCP port 443). The administrator has added an outbound rule to the NACL allowing TCP port 443 to the repository's IP address. However, the instances are still unable to establish a connection to download the updates. Which of the following troubleshooting steps is most likely to resolve the connectivity issue?

A. Add an inbound rule to the instance's Security Group to explicitly allow return traffic on port 443.
B. Add an inbound rule to the NACL to allow return traffic from the repository on the ephemeral port range (1024–65535).
C. Modify the NACL configuration to enable stateful tracking for outbound HTTPS connections.
D. Add an outbound rule to the NACL to allow TCP port 80 to facilitate the initial connection handshake.

Correct: B

Q4. A developer is implementing a mobile application that allows users to authenticate using their Amazon.com retail accounts to access private objects in an Amazon S3 bucket. Which of the following represents the correct sequence of steps to obtain temporary AWS credentials using the AWS STS `AssumeRoleWithWebIdentity` API?

A. 1. Authenticate with the web identity provider (IdP) to receive an ID token; 2. Call `AssumeRoleWithWebIdentity` with the token and Role ARN; 3. Use the returned temporary credentials to access S3.
B. 1. Call `AssumeRoleWithWebIdentity` to initiate a login challenge; 2. User provides IdP credentials to AWS STS; 3. STS authenticates with the IdP and returns credentials.
C. 1. Authenticate with the IdP to receive a SAML assertion; 2. Call `AssumeRoleWithSAML` with the assertion; 3. Exchange the SAML session for a Web Identity token.
D. 1. Use long-term IAM user credentials to call `GetSessionToken`; 2. Exchange the session token for an IdP token; 3. Call `AssumeRoleWithWebIdentity` to get the final role credentials.

Correct: A

Q5.A systems administrator is managing a web application behind a load balancer. The application's web server listens on port 80. During a recent database outage, the web server remained reachable on port 80, but the application returned an **HTTP 500 Internal Server Error** for all user requests. Despite the application being unusable, the load balancer continued to route traffic to the affected instances because they were still marked as 'Healthy.' Which configuration change to the health probe would most effectively ensure that the load balancer stops routing traffic to instances during such an application-layer failure?

A.Change the health probe from HTTP to TCP on port 80 to reduce probe latency.
B.Modify the health probe to use HTTP/S and specify a path that validates application and database connectivity.
C.Increase the health probe 'Unhealthy Threshold' to 10 to allow the application more time to recover.
D.Switch the load balancer to a Network Load Balancer (NLB) to handle the connection issues at the transport layer.
Correct: B

Flashcard Collections

460 flashcard decks for spaced-repetition study.

Unit 1: Detection - AWS Certified Security Specialty (5 cards)

Sample: **Amazon GuardDuty**

Design and Implement Monitoring and Alerting Solutions for AWS (5 cards)

Sample: **Amazon GuardDuty**

Analyze workloads to determine monitoring requirements (5 cards)

Sample: **Amazon CloudWatch** vs. **AWS CloudTrail**

Aggregate security and monitoring events (5 cards)

Sample: **AWS Security Hub**

AWS Workload Monitoring Strategies (5 cards)

Sample: To automate responses to infrastructure issues, you can ingest events from ___ into ___ to trigger automated remediation via AWS Lambda.

AWS Detection & Monitoring: GuardDuty, Security Hub, Macie, and Security Lake (5 cards)

Sample: **Amazon GuardDuty**
