Curriculum Overview: Aggregating Security and Monitoring Events

This curriculum provides a comprehensive pathway for mastering the aggregation of security and monitoring events within the AWS ecosystem, specifically aligned with the AWS Certified Security - Specialty (SCS-C03) exam objectives. You will learn to move beyond isolated log silos toward a unified, observable security posture.

Prerequisites

Before beginning this curriculum, learners should possess the following foundational knowledge:

• Foundational AWS Knowledge: Familiarity with core services like Amazon EC2, Amazon S3, and Amazon VPC.
• Identity and Access Management (IAM): Understanding of IAM roles, policies, and the principle of least privilege.
• Basic Logging Concepts: Prior exposure to AWS CloudTrail (management events) and Amazon CloudWatch (log groups and metrics).
• Networking Basics: Understanding of VPC Flow Logs and DNS query logging via Route 53.

Module Breakdown

Learning Objectives per Module

Module 1: Foundational Logging

• Configure organization-wide CloudTrail trails to capture API activity across all accounts.
• Analyze workloads to determine specific monitoring requirements based on threat models.
• Implement VPC Flow Logs and Route 53 Resolver logs to monitor network traffic patterns.

Module 2: Event Routing & Normalization

• Design event-driven architectures (EDA) using Amazon EventBridge to route security events to multiple targets.
• Utilize EventBridge Pipes and Rules to transform and filter raw event data before ingestion.
• Implement cross-account event routing to centralize security monitoring into a dedicated security account.

Module 3: Security Finding Aggregation

• Enable and configure AWS Security Hub as the primary pane of glass for security findings.
• Aggregating findings from Amazon GuardDuty, Amazon Macie, and Amazon Inspector into Security Hub.
• Manage finding lifecycles, including suppression rules and workflow statuses.

Module 4: Centralized Data Lakes

• Deploy Amazon Security Lake to automatically centralize security logs from AWS and third-party sources into the Open Cybersecurity Schema Framework (OCSF).
• Execute complex queries using Amazon Athena to correlate events across disparate log sources.

Module 5: Automated Remediation

• Create automation runbooks using AWS Systems Manager to respond to specific security events.
• Develop AWS Lambda functions triggered by EventBridge to perform real-time resource containment (e.g., isolating an EC2 instance).

Visual Overview

Event Aggregation Pipeline

Centralized Security Architecture

Success Metrics

How to know you have mastered this curriculum:

1. Architecture Completion: Successfully deploy a multi-account AWS Organization where all Security Hub findings from member accounts are automatically forwarded to a central administrator account.
2. Schema Alignment: Demonstrate the ability to query logs in Amazon Security Lake that have been normalized to the OCSF format.
3. Alert Latency: Configure a CloudWatch Alarm/EventBridge Rule that triggers a notification within 60 seconds of a high-severity GuardDuty finding.
4. Remediation Efficacy: Build an automated response that successfully revokes an IAM user's permissions or isolates a network resource upon detection of a specific threat.

Real-World Application

Mastering event aggregation is critical for several high-stakes professional contexts:

• Incident Response: Reduces "Mean Time to Detect" (MTTD) by providing a single source of truth for forensic evidence, allowing responders to correlate activity across different AWS services.
• Regulatory Compliance: Meets requirements for centralized logging and long-term retention (e.g., PCI-DSS, HIPAA, SOC2) through services like Amazon Security Lake.
• Operational Efficiency: Eliminates "alert fatigue" by using GuardDuty and Security Hub to deduplicate and prioritize the most critical security threats.
• Security Engineering Careers: This skill set is the backbone of the Security Operations Center (SOC) Analyst and Security Engineer roles, specifically for those managing large-scale enterprise cloud environments.

[!IMPORTANT] Effective aggregation is not just about collecting everything; it is about filtering noise and ensuring that data is actionable for the security team.

Mastering AWS Authorization Analysis: Curriculum Overview

This curriculum provides a structured pathway for security professionals to master the identification and remediation of authorization failures within the AWS ecosystem. Focusing on the AWS Certified Security - Specialty (SCS-C03) objectives, it bridges the gap between theoretical IAM policy logic and practical troubleshooting using cloud-native tools.

Prerequisites

Before engaging with this curriculum, learners should possess a foundational understanding of the following:

• Core IAM Concepts: Knowledge of IAM Users, Roles, Groups, and the difference between Identity-based and Resource-based policies.
• Policy Syntax: Familiarity with JSON policy structure, specifically the Effect, Action, Resource, and Condition blocks.
• Standard AWS Services: Experience with S3 and EC2 to understand common resource-level permissions.
• Principle of Least Privilege: Theoretical knowledge of granting only the minimum permissions required for a task.

Module Breakdown

The Authorization Flow

Understanding how AWS evaluates requests is the cornerstone of troubleshooting. The following flowchart illustrates the decision-making process within the IAM engine.

Learning Objectives per Module

Module 1: IAM Evaluation Logic

• Determine the outcome of policy intersections (Identity-based, Resource-based, SCPs, and Boundaries).
• Understand why an Explicit Deny always overrides any Allow.

Module 2: IAM Policy Simulator

• Create and run simulation traces for specific API actions against existing IAM entities.
• Identify which specific statement in a multi-policy environment is responsible for an "Implicit Deny."

Module 3: IAM Access Analyzer

• Configure analyzers for the entire Organization or specific Accounts.
• Evaluate "Findings" to determine if external entities have unintended access to S3 buckets, KMS keys, or IAM roles.

Module 4: IAM Access Advisor

• Utilize "Last Accessed" data to identify underutilized permissions.
• Generate IAM policies based on CloudTrail activity to achieve granular least privilege.

Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

1. Isolate Failure Points: Within 5 minutes of an "Access Denied" error, identify whether the failure is due to an SCP, a Permission Boundary, or a missing Identity-based Allow.
2. Pass Simulation Tests: Successfully use the IAM Policy Simulator to predict the outcome of a complex request involving 3+ overlapping policies with 100% accuracy.
3. Automate Detection: Configure an IAM Access Analyzer finding that triggers an SNS notification when a resource is made public.
4. Policy Refinement: Reduce a "FullAccess" policy to a scoped-down version using Access Advisor data without breaking the application's functionality.

Real-World Application

In a production environment, authorization analysis is not just about fixing bugs—it is about Risk Mitigation and Compliance.

[!IMPORTANT] Unauthorized access is a leading cause of data breaches. Mastering these tools allows you to proactively audit your perimeter.

Visualizing Policy Intersection

The diagram below represents the "Effective Permissions" zone. Only the intersection of all applicable policy types results in a successful authorization.

Use Cases

• Incident Response: When an application suddenly loses access to an S3 bucket, use the IAM Policy Simulator to check if a new Service Control Policy (SCP) was applied at the root of the Organization.
• External Audit: Use IAM Access Analyzer to generate a report for auditors showing that no IAM Roles in the production account are trustable by entities outside of the corporate AWS Organization.
• Rightsizing: During a quarterly security review, use Access Advisor to remove ec2:TerminateInstances from developer roles if the data shows the action hasn't been used in 90 days.

Curriculum Overview: Troubleshooting AWS Security Logging and Resource Configuration

This curriculum focuses on Domain 1 (Detection) and Domain 2 (Incident Response) of the AWS Certified Security - Specialty (SCS-C03) exam. It covers the deep-dive analysis of how AWS resources generate logs, the permissions required for those logs to flow, and how to remediate common misconfigurations.

Prerequisites

Before starting this module, learners should possess:

• Foundational IAM Knowledge: Understanding of IAM Roles, Trust Policies, and Service-Linked Roles.
• CloudWatch Core Concepts: Familiarity with Log Groups, Log Streams, Retention Policies, and Metric Filters.
• Basic AWS Networking: Understanding of VPCs, Subnets, and the flow of traffic through Elastic Load Balancers and CloudFront.
• AWS Security Fundamentals: General awareness of the Shared Responsibility Model regarding logging.

Module Breakdown

Learning Objectives per Module

Module 1: The IAM Foundation

• Analyze the Trust Relationships required for services like API Gateway to assume the cloudwatch.amazonaws.com role.
• Configure resource-based policies for S3 buckets to accept logs from ELB and CloudFront.

Module 2: Serverless & App Logging

• Differentiate between API Gateway Execution Logs (detailed) and Access Logs (customizable).
• Validate Lambda execution role permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents).

Module 3: Edge & Network Visibility

• Determine the correct destination for CloudFront Standard Logs (S3) vs. Real-time Logs (Kinesis Data Streams).
• Troubleshoot Route 53 Resolver Query Logging and VPC Flow Log delivery failures.

Module 4: Advanced Remediation

• Diagnose CloudWatch Agent issues using configuration-validation.log.
• Implement automated remediation for non-compliant logging using AWS Config and Systems Manager Automation.

Visual Overview

The Logging Permission Flow

Resource Configuration Logic

Success Metrics

You have mastered this curriculum when you can:

1. Identify why logs are missing: Determine if the issue is a missing IAM permission, a service-side configuration toggle, or a destination resource policy (e.g., S3 Bucket Policy).
2. Read Log Metadata: Successfully use CloudWatch Logs Insights to parse and query logs from at least three different AWS services.
3. Perform Root Cause Analysis: Use Amazon Detective or CloudTrail to identify the specific API call that failed, resulting in a logging gap.
4. Configure Multi-Destination Logging: Setup a single resource (like VPC Flow Logs) to deliver to both S3 and CloudWatch Logs simultaneously.

Real-World Application

[!IMPORTANT] In a production environment, "blind spots" in logging are a massive security risk. If an attacker compromises a Lambda function and deletes the logs or if permissions were never set, your Incident Response team will have no forensic trail.

• Forensics: During a breach, these logs provide the "who, what, and when" necessary for legal and compliance reporting.
• Cost Management: Troubleshooting logging configurations also involves managing costs (e.g., choosing what to log in API Gateway to avoid massive CloudWatch bills).
• Audit Compliance: Maintaining continuous logging for services like CloudFront and Route 53 is a requirement for many frameworks (SOC2, PCI-DSS, HIPAA).

Appendix: Service Comparison Table

Curriculum Overview: Analyzing Workload Monitoring Requirements

This curriculum is designed to equip security professionals with the skills to evaluate AWS workloads, identify critical telemetry points, and design robust monitoring strategies that align with the AWS Certified Security - Specialty (SCS-C03) objectives.

Prerequisites

To succeed in this curriculum, learners should possess the following foundational knowledge:

• AWS Core Services: Proficiency in managing EC2, S3, VPC, and IAM.
• Cloud Security Fundamentals: Understanding of the Shared Responsibility Model and the Principle of Least Privilege (PoLP).
• JSON/YAML Syntax: Ability to read and modify AWS policy documents and CloudFormation templates.
• Basic Networking: Familiarity with IP addressing, subnets, and the OSI model (specifically Layers 3, 4, and 7).
• Recommended Certification: AWS Certified Solutions Architect – Associate or equivalent 1-year hands-on experience.

Module Breakdown

Learning Objectives per Module

Module 1: Workload Profiling

• Determine the "blast radius" of specific application components.
• Categorize workloads based on data sensitivity (e.g., PII vs. public data).

Module 2: Telemetry Sources & Logging

• Select appropriate log sources based on threat models (e.g., using VPC Flow Logs for network lateral movement detection).
• Design log aggregation strategies for multi-account environments using Amazon Security Lake.

Module 3: Metrics & Thresholds

• Configure Amazon CloudWatch dashboards to visualize resource health.
• Establish baseline performance behavior to detect anomalous spikes indicative of DDoS or unauthorized access.

Module 4: Automated Intelligence

• Integrate Amazon GuardDuty for intelligent threat detection (e.g., crypto-mining or unusual API calls).
• Utilize Amazon Macie to discover and protect sensitive data in S3 buckets.

Module 5: Compliance Monitoring

• Deploy AWS Config rules to monitor resource configuration changes in real-time.
• Use Security Hub to aggregate findings and benchmark against CIS Foundations.

Visual Anchors

Monitoring Data Flow

This diagram illustrates how workload data is transformed into actionable intelligence.

Logic for Choosing Monitoring Tools

Success Metrics

Learners will have mastered this curriculum when they can:

1. Identify Missing Logs: Given a hypothetical security breach, identify which log source (e.g., DNS logs vs. CloudTrail) would have provided the necessary forensic evidence.
2. Dashboard Creation: Successfully build a CloudWatch Dashboard that tracks 4xx/5xx errors, unauthorized API attempts, and CPU utilization across a fleet.
3. Alert Precision: Configure an alert that triggers on a "Security Group Change" event within 60 seconds of the occurrence.
4. Cost Optimization: Explain the trade-offs between CloudWatch Logs "Standard" vs. "Infrequent Access" classes for long-term retention.

Real-World Application

[!IMPORTANT] Monitoring is not just about "looking for problems"; it is about ensuring business continuity and regulatory compliance.

• Financial Services: Use CloudTrail and AWS Config to maintain a continuous audit trail for PCI-DSS compliance, ensuring no unauthorized changes are made to the cardholder data environment.
• E-Commerce: Set up CloudWatch Metric Filters to detect an unusual volume of failed login attempts, triggering an automated Lambda function to update WAF IP sets and block the potential brute-force attack.
• Healthcare: Implement Amazon Macie to scan historical data backups, ensuring no HIPAA-regulated data is stored in unencrypted S3 buckets.

[!TIP] Always start with the Threat Model. Don't monitor everything; monitor the things that represent the highest risk to your specific workload.

Curriculum Overview: Authorizing Compute Workloads

This curriculum is designed for security professionals aiming for the AWS Certified Security - Specialty (SCS-C03). It focuses on the secure authorization of compute workloads, specifically addressing Skill 3.2.2: Applying instance profiles, service roles, and execution roles appropriately.

Prerequisites

Before starting this curriculum, learners should have a solid foundation in the following areas:

• IAM Fundamentals: Understanding of IAM users, groups, and the structure of JSON policy documents (Allow/Deny, Resource, Action, Condition).
• Compute Basics: General familiarity with Amazon EC2 (instances), AWS Lambda (functions), and container concepts (ECS/EKS).
• Security Principles: Knowledge of the Principle of Least Privilege and the risks associated with long-term access keys.
• AWS CLI/SDK: Basic ability to interact with AWS services via terminal or programmatic interfaces.

Module Breakdown

Learning Objectives per Module

Module 1: Workload Identity Foundations

• Explain the mechanism of AWS Security Token Service (STS) in issuing temporary credentials.
• Differentiate between an Identity Policy and a Trust Policy.
• Construct a trust policy that allows a specific service (e.g., ec2.amazonaws.com) to assume a role.

Module 2: EC2 Instance Profiles

• Define the relationship between an IAM Role and an Instance Profile.
• Configure an EC2 instance to access S3 or SQS without hardcoded credentials.
• Implement and troubleshoot Instance Metadata Service Version 2 (IMDSv2) for session-oriented security.

Module 3: Lambda Execution Roles

• Create an Execution Role that allows Lambda to write to CloudWatch Logs and access VPC resources.
• Apply resource-based policies to allow cross-account Lambda triggers.

Module 4: Service & Container Roles

• Distinguish between a Task Role (permissions for the application) and an Execution Role (permissions for the Fargate/ECS agent).
• Identify when to use Service-Linked Roles for automated service interactions.

Module 5: Identity for Hybrid Workloads

• Configure IAM Roles Anywhere to provide AWS credentials to on-premises servers using X.509 certificates.
• Audit authorization failures using IAM Access Analyzer and CloudTrail.

Visual Anchors

Authorization Flow for EC2

Logical Trust Relationship

Success Metrics

• Conceptual Mastery: Ability to explain why instance profiles are used for EC2 but not for Lambda.
• Practical Application: Successful deployment of a compute workload that can interact with S3 without any AWS_ACCESS_KEY_ID present in the environment or code.
• Troubleshooting: Identifying a 403 Forbidden error as a missing Trust Policy vs. a missing Identity Policy using the IAM Policy Simulator.
• SCS-C03 Readiness: Scoring 80%+ on practice questions specifically targeting Domain 3 (Infrastructure Security) and Domain 4 (IAM).

Real-World Application

In a production environment, authorizing compute workloads correctly is the primary defense against credential leakage. By using instance profiles and execution roles:

• Security Compliance: Organizations meet PCI-DSS and SOC2 requirements by avoiding long-term secret storage on disk.
• Automation: Auto-scaling groups can launch thousands of instances that are "born" with the correct permissions, requiring no manual key rotation.
• Blast Radius Reduction: By using specific roles for specific microservices, a compromise of one container does not grant access to the entire AWS environment.

[!IMPORTANT] Always prioritize IMDSv2 on EC2 instances to prevent SSRF (Server-Side Request Forgery) attacks from stealing temporary credentials.

Forensic Log Management: Capture and Storage Strategy

This curriculum overview covers the essential skills required to capture, centralize, and protect system and application logs as immutable forensic artifacts within an AWS environment, specifically aligned with the AWS Certified Security – Specialty (SCS-C03) objectives.

Prerequisites

Before beginning this module, learners should have a solid foundation in the following areas:

• AWS Identity and Access Management (IAM): Understanding of the Principle of Least Privilege (PoLP) and resource-based policies.
• Amazon S3 Fundamentals: Knowledge of bucket policies, versioning, and lifecycle configurations.
• Cloud Security Concepts: Basic understanding of the shared responsibility model and the incident response lifecycle.
• Basic CLI Proficiency: Ability to execute commands using the AWS Command Line Interface (CLI).

Module Breakdown

Learning Objectives per Module

Module 1: Log Source Identification

• Differentiate between Management Events, Data Events, and Insights Events in AWS CloudTrail.
• Configure the CloudWatch Logs Agent (unified agent) to capture OS-level and application-level logs from EC2 instances.
• Example: Capturing /var/log/auth.log from a Linux instance to track failed SSH attempts during a suspected brute-force attack.

Module 2: Centralized Logging Architecture

• Design a hub-and-spoke logging model where member accounts push logs to a dedicated Security/Forensic AWS Account.
• Utilize AWS Organizations to enforce organizational trails that cannot be disabled by local account administrators.

Module 3: Integrity & Immutability

• Implement Log File Validation to generate SHA-256 hashes for every log file delivered by CloudTrail.
• Apply S3 Object Lock in compliance mode to prevent even the root user from deleting logs during a mandatory retention period.
• Example: A forensic investigator uses the aws cloudtrail validate-logs command to prove that evidence has not been tampered with since its creation.

Module 4: Forensic Analytics Readiness

• Deploy CloudTrail Lake to store and query logs for up to 10 years using standard SQL without managing separate S3 buckets or ETL pipelines.
• Use Amazon Athena to query raw logs stored in S3 for specific patterns like unauthorized API calls from a known malicious IP.

Module 5: Lifecycle & Retention

• Define S3 Lifecycle Policies to transition forensic artifacts from S3 Standard to S3 Glacier Deep Archive after 90 days to minimize costs.
• Establish automated deletion rules that align with regulatory requirements (e.g., 7-year retention for financial data).

Success Metrics

To demonstrate mastery of this curriculum, the learner must successfully complete the following:

1. Immutability Verification: Successfully configure an S3 bucket with Object Lock and verify that a "DeleteObject" request fails.
2. Cross-Account Delivery: Demonstrate logs appearing in the centralized forensic account bucket within 15 minutes of an action occurring in a member account.
3. Integrity Check: Execute a CLI-based integrity check on a trail and receive a Valid status output.
4. SQL Query Proficiency: Write a CloudTrail Lake or Athena query that identifies the specific IAM user responsible for a "StopInstances" API call within a specific timeframe.

Real-World Application

[!IMPORTANT] In a real-world forensic investigation, the "Chain of Custody" begins at the moment a log is generated. If logs are stored in the same account where a breach occurred, the attacker may delete the evidence to cover their tracks.

• Legal Compliance: In regulated industries (Finance, Healthcare), failing to provide immutable logs during an audit can result in multi-million dollar fines.
• Root Cause Analysis: During a post-mortem of a security incident, centralized logs allow investigators to correlate events across multiple services (e.g., matching a WAF block to a VPC Flow Log rejection and a CloudTrail "AccessDenied" error).
• Incident Recovery: Using automated forensic orchestrators to snapshot EBS volumes and capture volatile memory logs based on GuardDuty alerts.

[!TIP] Always use KMS Customer Managed Keys (CMK) for encrypting logs. This allows you to revoke the key's permissions separately from S3 bucket permissions, adding an extra layer of protection against data exfiltration.

Mastering Centralized Security Management: Delegated Administration

This curriculum provides a deep dive into the strategies and technical implementations required to manage security services across a multi-account AWS environment. Centered on the AWS Certified Security - Specialty exam domains, this overview focuses on the transition from management-account-heavy operations to a scalable, secure, and delegated administration model.

[!IMPORTANT] A management account should be reserved for billing and organization-level changes only. Delegated administration is the primary mechanism to enforce the Principle of Least Privilege by moving security operations to dedicated member accounts.

---

Prerequisites

Before beginning this curriculum, learners should have a foundational understanding of the following:

• AWS Organizations: Familiarity with the hierarchical structure of Organizations, Organizational Units (OUs), and Management vs. Member accounts.
• IAM Fundamentals: Understanding of IAM roles, policies, and cross-account access patterns.
• Basic Security Services: Initial exposure to AWS CloudTrail, AWS Config, and Amazon GuardDuty.
• Governance Concepts: A high-level understanding of Service Control Policies (SCPs) and how they limit maximum available permissions.

---

Module Breakdown

---

Learning Objectives per Module

Module 1: The Delegation Framework

• Define the role of a Delegated Administrator and explain why it reduces risk in the management account.
• Register a member account as an administrator for specific security services.
• Identify services that support delegation (e.g., IAM Identity Center, Account Management).

Module 2: Global Visibility (Logging)

• Configure an Organization Trail in AWS CloudTrail from a delegated administrator account.
• Understand the flow of logs from member accounts to a centralized S3 bucket in a Security Account.

Module 3: Compliance & Auditing

• Enable AWS Config across the organization to aggregate configuration and compliance data.
• Use AWS Audit Manager to automate evidence collection for regulatory frameworks (SOC2, HIPAA) across all accounts.

Module 4: Threat & Vulnerability

• Implement Amazon Inspector deep inspection to scan EC2 instances and Lambda functions organization-wide.
• Centralize Amazon Detective investigations to analyze the root cause of security findings across member accounts.

---

Visual Anchors

The Delegation Model

This flowchart illustrates how the Management account offloads operational responsibility to a dedicated Security (Delegated Admin) account.

Organizational Hierarchy & Policy Flow

This diagram demonstrates how policies and administration rights are distributed within the organization.

---

Success Metrics

To demonstrate mastery of centralized security management, the learner must be able to:

1. Reduce Management Account Footprint: Explain and demonstrate that no security tasks (other than delegation registration) are performed in the management account.
2. Cross-Account Investigation: Successfully use Amazon Detective from the Security Account to trace a security finding originating in a Production Member Account.
3. Aggregate Compliance: Generate a single organization-wide compliance report using AWS Config Aggregators.
4. Enforce Guardrails: Draft and apply a Service Control Policy (SCP) that prevents member accounts from disabling CloudTrail or GuardDuty.
5. Automated Remediation: Configure an AWS Config rule that triggers a Lambda function to remediate non-compliant resources in member accounts automatically.

---

Real-World Application

Why This Matters in Your Career

In modern cloud engineering, managing 100+ accounts is common. Manually configuring security in each account is impossible and prone to error. Proficiency in delegated administration allows you to:

• Scale Security Operations: Manage security for thousands of accounts as easily as one.
• Enforce Governance: Ensure that every new account created via the Account Factory (Control Tower) is automatically enrolled in security monitoring.
• Limit Blast Radius: By moving security tools out of the management account, you ensure that a compromise of a security tool doesn't grant attacker access to your organization's root/billing layer.
• Audit Readiness: Providing auditors with access to a single "Audit Account" (Delegated Admin for Audit Manager) rather than granting them access to every production environment.

[!TIP] When implementing this in production, use AWS Control Tower to automate the creation of your "Security" and "Log Archive" accounts. This ensures they are configured with best-practice guardrails from day one.

Curriculum Overview: AWS Edge and Third-Party Security Integrations

This curriculum focuses on the advanced configuration of AWS edge security services (WAF, Shield, CloudFront) and their integration with third-party security ecosystems. A primary emphasis is placed on standardized data ingestion using the Open Cybersecurity Schema Framework (OCSF) and leveraging specialized third-party rulesets for robust defense-in-depth.

Prerequisites

Before starting this curriculum, learners should possess:

• AWS Certified Cloud Practitioner level knowledge or equivalent experience.
• Networking Fundamentals: Understanding of DNS, HTTP/S protocols, OSI Model Layer 7, and Content Delivery Networks (CDNs).
• IAM Proficiency: Ability to configure IAM roles and policies for cross-service communication.
• Security Basics: Familiarity with common web exploits (SQLi, XSS) and the OWASP Top 10 risks.

Module Breakdown

Learning Objectives per Module

Module 1: Edge Protection Foundations

• Implement AWS WAF associations with CloudFront, API Gateway, and Application Load Balancers (ALB).
• Configure AWS Shield Advanced to protect against sophisticated Layer 3/4 and Layer 7 DDoS attacks.
• Utilize CloudFront headers to enforce security at the edge (e.g., Geo-blocking, Referrer checks).

Module 2: Third-Party WAF Ecosystem

• Deploy Managed Rule Groups from the AWS Marketplace (e.g., F5, Fortinet, Imperva).
• Analyze the trade-offs between AWS Managed Rules and third-party vendor rulesets.
• Troubleshoot rule conflicts and false positives using WAF logs and Amazon Athena.

Module 3: The OCSF Standard

• Define the structure of the Open Cybersecurity Schema Framework (OCSF) and its event classes.
• Understand the role of Amazon Security Lake in centralizing security data from diverse sources.
• Map native AWS service logs (VPC Flow Logs, CloudTrail) to OCSF categories.

Module 4: Ingestion & Interoperability

• Configure Custom Sources for Security Lake using Kinesis Data Firehose to transform logs into Parquet format.
• Utilize AWS AppFabric to connect SaaS applications (like Slack or Zoom) to security monitoring pipelines.
• Establish Subscriber access for third-party SIEM tools (e.g., Splunk, Datadog) to query OCSF data via Amazon Athena.

Visual Anchors

Data Ingestion Flow to Security Lake (OCSF)

Edge Security Stack Architecture

Success Metrics

Learners have mastered this curriculum when they can:

1. Deploy a Multi-Layered WAF: Successfully associate a Web ACL containing both AWS Managed Rules and at least one Third-Party Marketplace rule group.
2. Verify OCSF Compliance: Confirm that data from a custom source is correctly partitioned and queryable in Amazon Security Lake using the OCSF event class schema.
3. Automate Response: Configure an EventBridge rule that triggers a Lambda function in response to a specific Third-Party WAF rule finding.
4. Cost Optimization: Explain the cost implications of Shield Advanced vs. Standard and the storage savings of using Parquet format in Security Lake.

Real-World Application

• Regulatory Compliance: Using OCSF and Security Lake allows organizations to meet strict audit requirements by having a centralized, immutable, and standardized log repository.
• Security Operations Center (SOC) Efficiency: By standardizing data into OCSF, SOC analysts can use the same queries across different security vendors, reducing the "swivel-chair" effect between multiple consoles.
• Modernizing Defense: Integrating third-party WAF rules allows specialized industries (e.g., Finance, Healthcare) to benefit from vendor-researched protections against niche vulnerabilities that standard rules might miss.

Curriculum Overview: AWS Logging and Monitoring Solutions

This curriculum provides a comprehensive roadmap for mastering the design, implementation, and troubleshooting of logging strategies within the AWS ecosystem, specifically aligned with the AWS Certified Security - Specialty (SCS-C03) requirements.

Prerequisites

Before engaging with this curriculum, students should possess the following foundational knowledge:

• AWS Fundamentals: Basic understanding of core services (EC2, S3, IAM, VPC).
• Identity and Access Management (IAM): Proficiency in creating IAM roles, policies, and understanding trust relationships.
• Command Line Interface (CLI): Comfort using the terminal and the AWS CLI for resource management.
• JSON Structure: Ability to read and modify JSON files, as these are used for CloudWatch Agent configurations and IAM policies.
• Networking Basics: Understanding of VPC components, subnets, and routing (required for VPC Flow Logs).

Module Breakdown

Learning Objectives per Module

Module 1: AWS CloudTrail Strategy

• Configure Organization Trails to capture API activity across all accounts in an AWS Organization.
• Differentiate between management events, data events, and insights events.
• Implement log file integrity validation to ensure audit trails are not tampered with.

Module 2: CloudWatch Logs Core

• Design a hierarchical log structure using Log Groups and Log Streams.
• Configure data protection policies to mask sensitive information (PII) within logs.
• Manage log lifecycles using retention settings and KMS encryption for compliance.

Module 3: The Unified Logging Agent

• Deploy the Unified CloudWatch Agent using AWS Systems Manager (SSM) for automated installation.
• Create and manage agent configuration files to capture system-level logs and custom application traces.
• Troubleshoot agent connectivity using the amazon-cloudwatch-agent-ctl utility.

Module 4: Log Analysis & Insights

• Perform high-speed log analysis using CloudWatch Logs Insights query syntax.
• Integrate logs with Amazon Security Lake to create a centralized security data lake.
• Use Amazon Athena to run SQL-like queries against S3-stored logs for deep forensics.

Module 5: Centralized Logging Architecture

• Implement a Dedicated Logging Account pattern to isolate security telemetry from production workloads.
• Configure cross-account log destination permissions to allow member accounts to stream data centrally.
• Set up real-time alerting using Metric Filters and Amazon SNS.

Visual Anchors

Centralized Logging Architecture

This diagram illustrates how logs from multiple accounts are aggregated into a centralized security account for analysis.

Log Structure Hierarchy

Understanding the relationship between events, streams, and groups is critical for efficient querying.

Success Metrics

You will have mastered this curriculum when you can:

1. Deploy a multi-account CloudTrail that centralizes all logs into a single encrypted S3 bucket in a secondary region.
2. Author a CloudWatch Agent JSON config that successfully streams /var/log/secure and custom application logs from an EC2 fleet.
3. Execute a Logs Insights query that identifies the top 10 IP addresses causing 403 Access Denied errors in your environment within the last hour.
4. Configure a KMS CMK with a policy that allows the CloudWatch Logs service to encrypt/decrypt log data without granting excessive permissions to users.

Real-World Application

In a professional environment, these skills are fundamental to the Security Operations Center (SOC) and DevSecOps roles.

[!IMPORTANT] Without centralized logging, an incident response team is effectively "blind." A compromised account could have its local logs deleted; however, an immutable organization-level trail ensures that forensic evidence remains available for root cause analysis.

• Incident Response: Using CloudTrail and VPC Flow Logs to trace the lateral movement of an attacker after an initial credential compromise.
• Compliance: Meeting PCI-DSS or HIPAA requirements for 7-year log retention and auditability.
• Operational Excellence: Reducing Mean Time to Repair (MTTR) by creating CloudWatch Dashboards that correlate application errors with infrastructure metrics.

Curriculum Overview: Temporary Credential Mechanisms

This curriculum covers the design and implementation of temporary security credentials within AWS, focusing on AWS Security Token Service (STS) and Amazon S3 Presigned URLs. These mechanisms are critical for adhering to the principle of least privilege and reducing the blast radius of potential credential compromises.

Prerequisites

Before starting this module, students should have a firm grasp of the following:

• IAM Fundamentals: Understanding of IAM Users, Groups, and Roles.
• Resource-Based Policies: Basic knowledge of S3 Bucket Policies.
• AWS CLI: Ability to execute basic commands and configure local profiles.
• Identity Basics: Familiarity with the difference between authentication (who you are) and authorization (what you can do).

Module Breakdown

Learning Objectives per Module

Module 1: AWS STS Fundamentals

• Define the structure of temporary credentials and explain why a Session Token is required alongside the Access Key and Secret Key.
• Configure credential expiration intervals (ranging from 15 minutes to 12 hours).

Module 2: Cross-Account & Service Roles

• Create a Trust Policy that allows an external entity or service to perform the sts:AssumeRole action.
• Implement service roles for EC2 or Lambda to eliminate the need for long-term access keys.

Module 3: Amazon S3 Presigned URLs

• Generate a presigned URL using the AWS CLI: aws s3 presign s3://bucket/key --expires-in <seconds>.
• Differentiate between expiration limits: Up to 7 days via CLI/SDK vs. 12 hours via the AWS Management Console.

Module 4: Federation and Web Identity

• Explain the flow of exchanging external IdP (Active Directory, Okta, Google) tokens for STS credentials.
• Understand the role of Amazon Cognito in social identity federation for mobile/web applications.

Visual Overview

The STS Credential Request Flow

Expiration Limits Comparison

Success Metrics

To demonstrate mastery of this curriculum, the learner must:

1. Generate and Validate: Successfully generate an S3 presigned URL and confirm it works for a user without AWS credentials.
2. Cross-Account Configuration: Set up a role in Account B that can be assumed by a user in Account A, confirming successful credential exchange via sts:AssumeRole.
3. Troubleshooting: Identify why an STS session might fail (e.g., maximum session duration exceeded or invalid trust policy).
4. CLI Proficiency: Correctly use the --expires-in parameter to set custom timeouts for temporary access.

Real-World Application

• Secure Content Delivery: Providing temporary access to a private video file in S3 to a premium subscriber without making the bucket public.
• Corporate SSO: Allowing employees to log into the AWS Management Console using their existing corporate Windows credentials (Active Directory).
• Mobile Apps: Enabling a mobile photo-sharing app to upload directly to S3 using Amazon Cognito to trade a Facebook or Google login for temporary AWS permissions.

[!IMPORTANT] Temporary credentials are not just a "best practice"—they are a requirement for passing the AWS Certified Security Specialty exam. Always favor IAM Roles over IAM Users with long-term keys.