Exam Cram Sheet

AWS Certified Security - Specialty (SCS-C03): Compute Workload Security Cram Sheet

Design, implement, and troubleshoot security controls for compute workloads

This cram sheet focuses on Task 3.2: Design, implement, and troubleshoot security controls for compute workloads. It covers hardening, vulnerability scanning, patching, and secure access for EC2, Containers, and Lambda.

Topic Weighting

  • Domain 3 (Infrastructure Security): 26% of total exam score.
  • Task 3.2 Focus: Approximately 8–10% of the total exam, focusing on the security lifecycle of compute resources (Provisioning → Access → Maintenance → Monitoring).

Key Concepts Summary

  • Hardening (EC2 Image Builder): Automates the creation of "Golden AMIs." Steps: Source Image → Build Components → Tests → Distribute. Use to ensure OS-level CIS benchmarks are met.
  • Amazon Inspector: Automated vulnerability management. Scans EC2 (agent-based or agentless), ECR container images, and Lambda functions for software vulnerabilities and unintended network exposure.
  • SSM Session Manager: Provides secure, auditable terminal access to EC2 without SSH keys, bastion hosts, or inbound port 22. Uses IAM for authorization and logs all commands to CloudWatch/S3.
  • IAM Instance Profiles: Container for an IAM role that allows EC2 instances to call AWS services securely. Never store long-term AWS credentials (AK/SK) on an instance.
  • GuardDuty Runtime Monitoring: Continuous monitoring of runtime behavior for EC2, EKS, and Fargate to detect potential threats like cryptomining or credential exfiltration.
  • SSM Patch Manager: Automates the process of patching managed nodes with security-related updates. Uses Patch Baselines to define which patches are approved.

Visual Anchors

EC2 Image Builder Pipeline (diagram): Source Image → Build Components → Tests → Distribute

Vulnerability vs. Threat Detection

\begin{tikzpicture}
  \draw[thick, fill=blue!10] (0,0) circle (2cm) node[yshift=1.5cm] {\textbf{Amazon Inspector}};
  \draw[thick, fill=red!10, opacity=0.7] (2,0) circle (2cm) node[yshift=1.5cm] {\textbf{GuardDuty}};
  \node at (0,-0.5) [align=center, text width=2.5cm] {Software Vulnerabilities (CVEs), Config Issues};
  \node at (2,-0.5) [align=center, text width=2.5cm] {Malicious Activity, Anomalies, Threats};
  \node at (1,0) [align=center] {\textbf{Over-} \\ \textbf{lap}};
\end{tikzpicture}

Common Pitfalls

  • SSH/RDP Exposure: Do NOT open Port 22 or 3389 to 0.0.0.0/0. Always prefer SSM Session Manager.
  • Public AMIs: Sharing an AMI publicly without scrubbing sensitive data (SSH keys, bash history, app secrets).
  • Role Confusion: Confusing Execution Roles (Lambda/ECS permissions to run) with Service Roles (AWS service's permission to act on your behalf).
  • Inspector Agents: Forgetting that "Classic" Inspector required an agent, while "New" Inspector can perform agentless scans of EBS volumes, though deep software scans still benefit from the SSM agent.
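The first pitfall above is easy to audit in bulk. The following is an added example (not from the cram sheet or from AWS) that walks the JSON shape returned by `aws ec2 describe-security-groups` / boto3 and reports every rule that opens 22 or 3389 to 0.0.0.0/0 or ::/0. It also catches the two cases a naive port-equality check misses: a port range that happens to include 22 or 3389, and an `IpProtocol` of `-1` (all traffic). The `SAMPLE_GROUPS` data is constructed for the demonstration.

```python
"""Audit security groups for SSH/RDP exposed to the world.
Input is the SecurityGroups list from `aws ec2 describe-security-groups`."""
import json
import sys

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_covers_port(rule, port):
    """True if this IpPermissions entry allows TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic": every protocol, every port
        return True
    if proto not in ("tcp", "6"):          # RDP/SSH are TCP; ignore udp/icmp rules
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _world_open_cidrs(rule):
    """CIDRs on this rule that mean 'anyone on the internet' (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def find_exposed_admin_ports(groups):
    """Return sorted (group_id, port_name, cidr) triples for every
    world-reachable SSH or RDP rule. Empty list means the account is clean."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):          # inbound rules only
            for port, name in ADMIN_PORTS.items():
                if _rule_covers_port(rule, port):
                    for cidr in _world_open_cidrs(rule):
                        findings.append((sg["GroupId"], name, cidr))
    return sorted(findings)


# Constructed sample: one bastion-style SG, one correct web SG, one legacy
# allow-all SG, and one SG whose port *range* quietly covers RDP.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-rdp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


if __name__ == "__main__":
    # Pipe real output in: aws ec2 describe-security-groups | python audit_sg.py
    groups = SAMPLE_GROUPS if sys.stdin.isatty() else json.load(sys.stdin)["SecurityGroups"]
    for group_id, name, cidr in find_exposed_admin_ports(groups):
        print(f"{group_id}: {name} open to {cidr}")
```

Only `sg-web` passes: its SSH rule is limited to a private range, and port 80 is not an admin port. The fix for the others is the one the pitfall names, Session Manager instead of an inbound rule.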

Mnemonics / Memory Triggers

  • I-P-A (Patching): Identify (Inspector), Patch (Patch Manager), Audit (Config).
  • S-S-M (Session Manager): SSH-free, Secure, Monitored.
  • Golden AMI Rule: "Bake" your security in, don't "Fry" it later (Install security agents during AMI creation, not manually after launch).

Formula / Equation Sheet

Feature                 | Service / Tool       | Purpose
------------------------|----------------------|-------------------------------------------------
Administrative Access   | SSM Session Manager  | Auditable, no-SSH terminal access.
Vulnerability Scanning  | Amazon Inspector     | Detects CVEs in EC2, ECR, and Lambda.
Threat Detection        | GuardDuty            | Real-time behavior analysis and threat intel.
Golden Image Automation | EC2 Image Builder    | Hardened AMI/container creation.
Credential Delivery     | IAM Instance Profile | Provides temporary STS credentials to EC2.
Compliance/Audit        | AWS Config           | Tracks resource configuration changes over time.

Worked Examples

Scenario: Forensic Isolation of a Compromised EC2 Instance

Problem: GuardDuty alerts for "CryptoCurrency:EC2/BitcoinTool.B!DNS" on instance i-12345.

Steps to Isolate:

  1. Snapshot: Create an Amazon EBS snapshot of all volumes for forensic analysis.
  2. Tag: Add a tag like Status: Quarantined to prevent automated scripts from terminating it.
  3. Restrict Security Group: Attach a "Quarantine SG" that has no inbound/outbound rules (removing the current SG).
  4. Detach Role: Modify the IAM Instance Profile to an empty role or one with zero permissions to prevent credential misuse.
  5. Analyze: Launch a forensics instance in an isolated VPC and attach the snapshots (as read-only).
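Steps 1 through 4 above are the part a responder wants scripted, because doing them by hand under pressure is where evidence gets lost. The block below is an added example, not the cram sheet's or AWS's own code: it drives a boto3 EC2 client through snapshot, tag, quarantine security group and profile swap, in that order, and returns what it changed so the incident ticket can record the previous state. It assumes you have already created an empty quarantine security group and an instance profile whose role has no permissions (their IDs are placeholders here). The `FakeEC2` class is a constructed stand-in that records calls so the flow can be exercised offline; step 5 (the forensics instance) is left to the analyst.

```python
"""Forensic isolation of an EC2 instance, in the cram sheet's order:
snapshot volumes, tag and protect the instance, quarantine SG, no-permission role."""
from dataclasses import dataclass, field

QUARANTINE_TAG = {"Key": "Status", "Value": "Quarantined"}


@dataclass
class IsolationResult:
    instance_id: str
    snapshot_ids: list = field(default_factory=list)
    previous_security_groups: list = field(default_factory=list)
    previous_profile_arn: str = ""


def isolate_instance(ec2, instance_id, quarantine_sg_id, quarantine_profile_name, finding=""):
    """`ec2` is a boto3 EC2 client (or any object exposing the same method names)."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    result = IsolationResult(instance_id=instance_id)

    # Step 1: snapshot every attached EBS volume before anything else changes state.
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping.get("Ebs", {}).get("VolumeId")
        if volume_id:
            snap = ec2.create_snapshot(
                VolumeId=volume_id,
                Description=f"Forensic: {instance_id} {mapping['DeviceName']} {finding}".strip(),
                TagSpecifications=[{"ResourceType": "snapshot",
                                    "Tags": [QUARANTINE_TAG, {"Key": "SourceInstance", "Value": instance_id}]}],
            )
            result.snapshot_ids.append(snap["SnapshotId"])

    # Step 2: tag it; termination protection is added here on top of the tag so that
    # neither automation nor a hurried operator can destroy the evidence.
    ec2.create_tags(Resources=[instance_id], Tags=[QUARANTINE_TAG])
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})

    # Step 3: Groups= replaces the instance's entire security-group set, which is how
    # the existing SG is removed rather than merely supplemented.
    result.previous_security_groups = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])

    # Step 4: swap the instance profile for one whose role carries no permissions.
    assocs = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]},
                 {"Name": "state", "Values": ["associated"]}]
    )["IamInstanceProfileAssociations"]
    for assoc in assocs:
        result.previous_profile_arn = assoc["IamInstanceProfile"]["Arn"]
        ec2.replace_iam_instance_profile_association(
            IamInstanceProfile={"Name": quarantine_profile_name}, AssociationId=assoc["AssociationId"])
    return result


class FakeEC2:
    """Constructed stand-in for the boto3 client: returns canned data, records every call."""
    def __init__(self):
        self.calls = []
        self._snap = 0

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}},
                                    {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0bbb"}}],
            "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
        }]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        self._snap += 1
        return {"SnapshotId": f"snap-{self._snap:04d}"}

    def describe_iam_instance_profile_associations(self, **kw):
        self.calls.append(("describe_iam_instance_profile_associations", kw))
        return {"IamInstanceProfileAssociations": [{
            "AssociationId": "iip-assoc-1",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"}}]}

    def __getattr__(self, name):
        # create_tags, modify_instance_attribute, replace_iam_instance_profile_association
        def record(**kw):
            self.calls.append((name, kw))
            return {}
        return record


if __name__ == "__main__":
    import boto3  # only needed for a real run; placeholders below must be your own resources
    print(isolate_instance(boto3.client("ec2"), "i-12345",
                           "sg-QUARANTINE-PLACEHOLDER", "quarantine-profile-PLACEHOLDER",
                           finding="CryptoCurrency:EC2/BitcoinTool.B!DNS"))
```

One caveat for step 4: swapping the profile stops the instance from obtaining new credentials, but the temporary credentials it already fetched from the metadata service stay valid until they expire. If the finding suggests they were stolen, also revoke the original role's active sessions (a deny policy conditioned on `aws:TokenIssueTime`, which is what the IAM console's "Revoke active sessions" button attaches).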

Practice Set

  1. A security engineer needs to ensure that all EC2 instances in an account are automatically patched for critical security updates every Sunday at 2:00 AM. Which service should be used?
    • Answer: AWS Systems Manager Patch Manager (configured with a Maintenance Window).
  2. How can you restrict a Lambda function so it can only access a specific S3 bucket without using long-term access keys?
    • Answer: Assign an IAM Execution Role to the Lambda function with a policy granting s3:GetObject on the specific bucket ARN.
  3. Which AWS service provides the most effective protection against the OWASP Top 10 for LLM Applications in a generative AI workload?
    • Answer: AWS WAF (Web Application Firewall) with specific managed rules and Amazon Bedrock Guardrails.
  4. True or False: Amazon Inspector can scan container images stored in a local Docker registry on an EC2 instance.
    • Answer: False. Inspector scans images stored in Amazon ECR (Elastic Container Registry).
  5. A user cannot connect via Session Manager. What is the most likely cause?
    • Answer: The SSM Agent is not installed/running, or the instance lacks the AmazonSSMManagedInstanceCore IAM policy.
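Question 2's answer and the "Role Confusion" pitfall both come down to two JSON documents. As an added example (not the cram sheet's or AWS's own code), the block below builds the trust policy that makes a role an execution role for Lambda, the permissions policy scoped to one bucket, and a small linter that flags the wildcards an exam distractor would contain. The bucket name is constructed.

```python
"""A Lambda *execution* role has two documents: the trust policy says who may
assume the role (the Lambda service); the permissions policy says what the
function may then do. Bucket name below is constructed."""
import json

BUCKET = "example-reports-bucket"  # constructed, not a bucket from the page


def lambda_trust_policy():
    """Trust policy: only the Lambda service may assume this role. A *service role*
    would instead name the AWS service that acts on your behalf (e.g. Image Builder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_get_object_policy(bucket):
    """Permissions policy for Q2: s3:GetObject on one bucket. GetObject is an
    object-level action, so the resource is the bucket ARN followed by /*; the
    bare bucket ARN would not match any object and every read would be denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Flag Allow statements broader than 'one action on one bucket'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: resource * is not scoped to a bucket")
            elif resource.startswith("arn:aws:s3:::") and resource.endswith(":::*"):
                findings.append(f"statement {i}: resource {resource} covers every bucket")
    return findings


if __name__ == "__main__":
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(s3_get_object_policy(BUCKET), indent=2))
    print("lint:", lint_policy(s3_get_object_policy(BUCKET)) or "clean")
```

The trust policy is attached when the role is created (`iam create-role --assume-role-policy-document`); the permissions policy is attached afterwards and is the only place the bucket appears.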

Fact Recall Blanks

  • The service used to automate the creation and maintenance of hardened AMIs is EC2 Image Builder.
  • To provide terminal access without opening port 22, use SSM Session Manager.
  • Amazon Inspector provides a score called the Inspector Score to prioritize vulnerabilities based on environmental factors.
  • Lambda functions require an Execution Role to grant the service permission to access other AWS resources.
  • GuardDuty uses VPC Flow Logs, DNS Logs, and CloudTrail events to detect malicious activity.

Exam Tip (Important): If a question mentions "removing the need for a Bastion Host," the answer is almost always SSM Session Manager.
