
AWS Certified Security - Specialty (SCS-C03): Compute Workload Security Cram Sheet

Design, implement, and troubleshoot security controls for compute workloads

This cram sheet focuses on Task 3.2: Design, implement, and troubleshoot security controls for compute workloads. It covers hardening, vulnerability scanning, patching, and secure access for EC2, Containers, and Lambda.

Topic Weighting

  • Domain 3 (Infrastructure Security): 26% of total exam score.
  • Task 3.2 Focus: Approximately 8–10% of the total exam, focusing on the security lifecycle of compute resources (Provisioning → Access → Maintenance → Monitoring).

Key Concepts Summary

  • Hardening (EC2 Image Builder): Automates the creation of "Golden AMIs." Steps: Source Image → Build Components → Tests → Distribute. Use to ensure OS-level CIS benchmarks are met.
  • Amazon Inspector: Automated vulnerability management. Scans EC2 (agent-based or agentless), ECR container images, and Lambda functions for software vulnerabilities and unintended network exposure.
  • SSM Session Manager: Provides secure, auditable terminal access to EC2 without SSH keys, bastion hosts, or an open inbound port 22. Uses IAM for authorization and can record full session transcripts to CloudWatch Logs and/or S3.
  • IAM Instance Profiles: Container for an IAM role that allows EC2 instances to call AWS services securely. Never store long-term AWS credentials (AK/SK) on an instance.
  • GuardDuty Runtime Monitoring: Continuous monitoring of runtime behavior for EC2, EKS, and Fargate to detect potential threats like cryptomining or credential exfiltration.
  • SSM Patch Manager: Automates the process of patching managed nodes with security-related updates. Uses Patch Baselines to define which patches are approved.

Visual Anchors

EC2 Image Builder Pipeline

[Diagram not captured in this copy: pipeline of Source Image → Build Components → Tests → Distribute]

Vulnerability vs. Threat Detection

[Diagram not captured in this copy: Amazon Inspector finds vulnerabilities in software; GuardDuty detects threats in runtime behavior]

Common Pitfalls

  • SSH/RDP Exposure: Do NOT open Port 22 or 3389 to 0.0.0.0/0. Always prefer SSM Session Manager.
  • Public AMIs: Sharing an AMI publicly without scrubbing sensitive data (SSH keys, bash history, app secrets).
  • Role Confusion: Confusing Execution Roles (Lambda/ECS permissions to run) with Service Roles (AWS service's permission to act on your behalf).
  • Inspector Agents: Forgetting that "Classic" Inspector required an agent, while the current Inspector can perform agentless scans of EBS volumes; deep software inventory scans still benefit from the SSM Agent being present.

Mnemonics / Memory Triggers

  • I-P-A (Patching): Identify (Inspector), Patch (Patch Manager), Audit (Config).
  • S-S-M (Session Manager): SSH-free, Secure, Monitored.
  • Golden AMI Rule: "Bake" your security in, don't "Fry" it later (Install security agents during AMI creation, not manually after launch).

Formula / Equation Sheet

Feature                 | Service / Tool        | Purpose
------------------------|-----------------------|-------------------------------------------------
Administrative Access   | SSM Session Manager   | Auditable, no-SSH terminal access.
Vulnerability Scanning  | Amazon Inspector      | Detects CVEs in EC2, ECR, and Lambda.
Threat Detection        | GuardDuty             | Real-time behavior analysis and threat intel.
Golden Image Automation | EC2 Image Builder     | Hardened AMI/container creation.
Credential Delivery     | IAM Instance Profile  | Provides temporary STS credentials to EC2.
Compliance/Audit        | AWS Config            | Tracks resource configuration changes over time.

Worked Examples

Scenario: Forensic Isolation of a Compromised EC2 Instance

Problem: GuardDuty alerts for "CryptoCurrency:EC2/BitcoinTool.B!DNS" on instance i-12345.

Steps to Isolate:

  1. Snapshot: Create an Amazon EBS snapshot of all volumes for forensic analysis.
  2. Tag: Add a tag like Status: Quarantined to prevent automated scripts from terminating it.
  3. Restrict Security Group: Replace the instance's current security groups with a "Quarantine SG" that has no inbound or outbound rules.
  4. Detach Role: Swap the IAM Instance Profile for one whose role has zero permissions, so any credentials already stolen from the instance metadata service stop working.
  5. Analyze: Launch a forensics instance in an isolated VPC, create volumes from the snapshots, and attach them (mounted read-only).
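The five isolation steps above encoded as a runbook, as an added example that is not part of the cram sheet. It runs offline against a small constructed stand-in for the boto3 EC2 client (`FakeEC2`, which only records calls and returns canned data); because `isolate_instance` uses only real boto3 EC2 method names and parameters, the same function can be handed a real `boto3.client("ec2")`. The instance id, volume ids, security-group id, association id, account number and instance-profile ARN are constructed sample values, and the finding type is the one quoted in the scenario.

```python
"""Isolation runbook for a compromised EC2 instance (added example).

Order matters: evidence (EBS snapshots) is captured before anything on the
instance changes, and the instance is never stopped or terminated so that
volatile state survives for the analysis phase.
"""
from datetime import datetime, timezone


def isolate_instance(ec2, instance_id, quarantine_sg_id, empty_profile_arn, finding):
    """Run the isolation steps in order; returns the list of actions taken."""
    actions = []
    # Step 1: snapshot every attached EBS volume for later forensic analysis.
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    instance = desc["Reservations"][0]["Instances"][0]
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for mapping in instance.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"forensic {instance_id} {finding} {stamp}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "Status", "Value": "Quarantined"},
                {"Key": "SourceInstance", "Value": instance_id}]}])
        actions.append(("snapshot", vol, snap["SnapshotId"]))
    # Step 2: tag the instance so cleanup/auto-scaling automation leaves it alone.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "Status", "Value": "Quarantined"}])
    actions.append(("tag", instance_id, "Status=Quarantined"))
    # Step 3: replace ALL security groups with the rule-less quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    actions.append(("security_group", instance_id, quarantine_sg_id))
    # Step 4: swap the instance profile for one whose role has no permissions.
    assoc = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])
    for a in assoc["IamInstanceProfileAssociations"]:
        ec2.replace_iam_instance_profile_association(
            AssociationId=a["AssociationId"],
            IamInstanceProfile={"Arn": empty_profile_arn})
        actions.append(("instance_profile", a["AssociationId"], empty_profile_arn))
    # Step 5 (analysis on a separate forensics instance) happens outside this runbook.
    return actions


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: records calls, returns canned data."""

    def __init__(self, instance_id, volume_ids, association_id):
        self.calls = []
        self._instance = {"InstanceId": instance_id,
                          "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in volume_ids]}
        self._assoc = association_id
        self._snap_n = 0

    def _record(self, name, kw, result):
        self.calls.append((name, kw))
        return result

    def describe_instances(self, **kw):
        return self._record("describe_instances", kw,
                            {"Reservations": [{"Instances": [self._instance]}]})

    def create_snapshot(self, **kw):
        self._snap_n += 1
        return self._record("create_snapshot", kw, {"SnapshotId": f"snap-{self._snap_n:08x}"})

    def create_tags(self, **kw):
        return self._record("create_tags", kw, {})

    def modify_instance_attribute(self, **kw):
        return self._record("modify_instance_attribute", kw, {})

    def describe_iam_instance_profile_associations(self, **kw):
        return self._record("describe_iam_instance_profile_associations", kw,
                            {"IamInstanceProfileAssociations": [{"AssociationId": self._assoc}]})

    def replace_iam_instance_profile_association(self, **kw):
        return self._record("replace_iam_instance_profile_association", kw, {})


def demo():
    """Run the runbook against the fake client with constructed sample ids."""
    ec2 = FakeEC2("i-12345", ["vol-0aaa", "vol-0bbb"], "iip-assoc-0ccc")
    actions = isolate_instance(
        ec2, "i-12345", "sg-0quarantine",
        "arn:aws:iam::123456789012:instance-profile/empty-role",  # constructed
        "CryptoCurrency:EC2/BitcoinTool.B!DNS")
    return ec2, actions


if __name__ == "__main__":
    for action in demo()[1]:
        print(action)
```

The fake client is what makes the runbook testable: the recorded call list lets you assert that snapshots were taken before the security groups changed and that no `stop_instances` or `terminate_instances` call was ever issued, which is the property a responder most wants to guarantee.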

Practice Set

  1. A security engineer needs to ensure that all EC2 instances in an account are automatically patched for critical security updates every Sunday at 2:00 AM. Which service should be used?
    • Answer: AWS Systems Manager Patch Manager (configured with a Maintenance Window).
  2. How can you restrict a Lambda function so it can only access a specific S3 bucket without using long-term access keys?
    • Answer: Assign an IAM Execution Role to the Lambda function with a policy granting s3:GetObject on the specific bucket ARN.
  3. Which AWS service provides the most effective protection against the OWASP Top 10 for LLM Applications in a generative AI workload?
    • Answer: AWS WAF (Web Application Firewall) with specific managed rules and Amazon Bedrock Guardrails.
  4. True or False: Amazon Inspector can scan container images stored in a local Docker registry on an EC2 instance.
    • Answer: False. Inspector scans images stored in Amazon ECR (Elastic Container Registry).
  5. A user cannot connect via Session Manager. What is the most likely cause?
    • Answer: The SSM Agent is not installed/running, or the instance lacks the AmazonSSMManagedInstanceCore IAM policy.
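For practice question 2, the two policy documents that make up a Lambda execution role, as an added example that is not part of the cram sheet: the trust policy (who may assume the role) and a permission policy scoped to reading one bucket, alongside the over-broad policy that is often attached instead and a small check that flags it. Note that `s3:GetObject` is an object-level action, so the resource in the permission policy is the object ARN pattern `arn:aws:s3:::bucket/*`; a statement listing only the bucket ARN would not authorize it. The bucket name is a constructed sample, and `find_overbroad_statements` is a hypothetical helper, not an AWS API.

```python
"""Lambda execution role policies and a least-privilege check (added example)."""
import json

BUCKET = "example-reports-bucket"  # constructed sample bucket name

# Trust policy: lets the Lambda service assume the role. Says nothing about
# what the role may do; that is the permission policy's job.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def read_only_bucket_policy(bucket):
    """Permission policy: GetObject on the objects of exactly one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadObjectsFromOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            # Object-level action => object ARN pattern, not the bare bucket ARN.
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


# The shortcut that quietly turns "read one bucket" into "do anything to S3".
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy, allowed_actions, allowed_resource_prefix):
    """Return findings for Allow statements that grant more than expected.

    A statement is flagged if it uses NotAction/NotResource (grant by
    exclusion), any wildcard in an action, an action outside the expected
    set, or a resource that is '*' or outside the expected ARN prefix.
    """
    findings = []
    allowed = {a.lower() for a in allowed_actions}
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(st.get("Action", [])):
            if "*" in action or action.lower() not in allowed:
                findings.append(f"statement {i}: action {action!r} not in the expected set")
        for res in _as_list(st.get("Resource", [])):
            if res == "*" or not res.startswith(allowed_resource_prefix):
                findings.append(f"statement {i}: resource {res!r} outside {allowed_resource_prefix!r}")
    return findings


def check_lambda_policies(bucket=BUCKET):
    """Run the check on both policies; returns (minimal_findings, overbroad_findings)."""
    prefix = f"arn:aws:s3:::{bucket}/"
    return (
        find_overbroad_statements(read_only_bucket_policy(bucket), ["s3:GetObject"], prefix),
        find_overbroad_statements(OVERBROAD_POLICY, ["s3:GetObject"], prefix),
    )


if __name__ == "__main__":
    print(json.dumps(LAMBDA_TRUST_POLICY, indent=2))
    print(json.dumps(read_only_bucket_policy(BUCKET), indent=2))
    minimal, overbroad = check_lambda_policies()
    print("minimal policy findings:", minimal)
    print("over-broad policy findings:", overbroad)
```

A check like this belongs in the pipeline that creates or updates the role, so an `s3:*` on `*` is caught before it is attached rather than discovered later in an IAM Access Analyzer report.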

Fact Recall Blanks

  • The service used to automate the creation and maintenance of hardened AMIs is EC2 Image Builder.
  • To provide terminal access without opening port 22, use SSM Session Manager.
  • Amazon Inspector provides a score called the Inspector Score to prioritize vulnerabilities based on environmental factors.
  • Lambda functions require an Execution Role to grant the service permission to access other AWS resources.
  • GuardDuty uses VPC Flow Logs, DNS Logs, and CloudTrail events to detect malicious activity.

Important exam tip: If a question mentions "removing the need for a Bastion Host," the answer is almost always SSM Session Manager.