# AWS SCS-C03 Exam Cram: Monitoring & Alerting Solutions
Design and implement monitoring and alerting solutions for an AWS account or organization
SCS-C03 Cram Sheet: Monitoring & Alerting Solutions
This guide covers the essential knowledge for Unit 1: Detection of the AWS Certified Security - Specialty exam, focusing on designing and implementing account-wide and organization-wide monitoring.
## Topic Weighting
| Domain | Percentage of Exam | Cram Topic Relevance |
|---|---|---|
| Domain 1: Threat Detection and Incident Response | 14% | Primary focus: GuardDuty, Security Hub, and logging aggregation. |
| Domain 6: Security Foundations and Governance | 20% | Relevant focus: AWS Config, Organizations, and Control Tower integration. |
## Key Concepts Summary
- Amazon GuardDuty: Intelligent threat detection using ML. Monitors CloudTrail (Management/Data), VPC Flow Logs, DNS logs, and EKS audit logs. It is regional but findings can be aggregated.
- AWS Security Hub: The "Central Pane of Glass." Aggregates findings from GuardDuty, Macie, Inspector, and AWS Config. Checks against security standards (CIS, PCI DSS).
- Amazon Macie: Focuses on S3 data privacy. Uses ML to discover PII/sensitive data and alerts on unencrypted or public buckets.
- AWS Config: Resource inventory and change tracking. Rules evaluate resource compliance; Conformance Packs provide a collection of rules for a compliance framework.
- Amazon Security Lake: Automatically centralizes security logs (VPC, Route 53, CloudTrail) into a purpose-built data lake in OCSF (Open Cybersecurity Schema Framework) format.
- Amazon EventBridge: The glue for automation. Triggers Lambda, Step Functions, or SNS in response to findings from any of the above services.
## Visual Anchors
Detection & Remediation Flow
Centralized Monitoring Architecture
```latex
\begin{tikzpicture}[node distance=2cm]
  \draw[thick] (0,0) rectangle (3,2) node[pos=.5] {\begin{tabular}{c} Member \\ Account A \end{tabular}};
  \draw[thick] (0,-3) rectangle (3,-1) node[pos=.5] {\begin{tabular}{c} Member \\ Account B \end{tabular}};
  \draw[thick, fill=blue!10] (6,-1.5) rectangle (10,0.5) node[pos=.5] {\begin{tabular}{c} \textbf{Security Tooling} \\ \textbf{Account} \\ (Delegated Admin) \end{tabular}};
  \draw[->, thick] (3,1) -- (6,-0.2);
  \draw[->, thick] (3,-2) -- (6,-0.8);
  \node at (4.5, 0.8) {\small Findings};
  \node at (4.5, -1.7) {\small Findings};
\end{tikzpicture}
```
## Common Pitfalls
> [!WARNING]
> Don't confuse Inspector and GuardDuty:
> - Inspector: Scans EC2 instances and container images for vulnerabilities (CVEs) and software misconfigurations (agent-based or agentless).
> - GuardDuty: Monitors behavioral anomalies and known malicious IP/DNS activity (log-based analysis).
- Security Hub vs. Config: Config tracks resource state (Is MFA on?). Security Hub tracks security posture based on findings (Did a GuardDuty alert trigger?).
- Data vs. Management Events: CloudTrail logs Management events by default; Data events (S3 GetObject, Lambda Invoke) must be enabled manually and incur additional costs.
- Regional Scope: Most detection services are Regional. You must enable them in every region and use Cross-Region Aggregation in Security Hub to see everything in one place.
## Mnemonics / Memory Triggers
- G-M-S (The Security Trinity):
  - GuardDuty = Guardian (Threats)
  - Macie = Marking (PII/Data)
  - Security Hub = Summary (The Dashboard)
- Config = Camera: It takes a snapshot of your infrastructure history.
- CloudTrail = Footprints: Who did what and when (Audit logs).
## Formula / Equation Sheet
| Service | Primary Source Material | Best Use Case |
|---|---|---|
| GuardDuty | CloudTrail, VPC Flow, DNS, EKS, EBS | Real-time threat detection (e.g., Crypto-mining). |
| Macie | S3 Buckets / Objects | Discovering PII, analyzing bucket permissions. |
| Config Rules | Resource configuration snapshots | Compliance auditing (e.g., "No public S3 buckets"). |
| Security Hub | Findings from other AWS services | Centralized dashboard and compliance scores. |
| Health Checks | Endpoint response / CloudWatch | Monitoring workload availability (Route 53 / ELB). |
## Worked Examples
Scenario: Automating Remediation of Public S3 Buckets
- Detection: The AWS Config rule `s3-bucket-public-read-prohibited` marks a bucket as non-compliant.
- Alerting: Config sends a compliance change notification to Amazon EventBridge.
- Action: EventBridge triggers an AWS Systems Manager (SSM) Automation Document.
- Remediation: The SSM document runs a script to update the S3 bucket policy to private.
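As an added example (not from the cram sheet and not AWS's own code), the pipeline above expressed in code: the EventBridge event pattern that matches only NON_COMPLIANT results for the Config rule named in the scenario, a local matcher so the pattern can be unit-tested before deployment, and the remediation step. The sample event is constructed; the bucket name, the `s3_client` parameter, and the choice to apply S3 Block Public Access instead of rewriting the bucket policy are assumptions.

```python
from typing import Optional

# Constructed sample event in the shape EventBridge delivers for an AWS Config
# "Config Rules Compliance Change" notification (bucket name is made up).
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "example-public-bucket",
        "resourceType": "AWS::S3::Bucket",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

# EventBridge rule pattern: fire only on NON_COMPLIANT results from this rule,
# so a later COMPLIANT re-evaluation never triggers the remediation.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["s3-bucket-public-read-prohibited"],
        "resourceType": ["AWS::S3::Bucket"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

def pattern_matches(pattern: dict, event: dict) -> bool:
    """Local model of EventBridge exact matching: every pattern key must exist
    in the event; a list means 'one of these values'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def remediate(event: dict, s3_client) -> Optional[dict]:
    """Remediation body (Lambda or SSM aws:executeScript). Re-checks the pattern
    defensively, then applies S3 Block Public Access via the real boto3 call."""
    if not pattern_matches(EVENT_PATTERN, event):
        return None  # wrong rule, wrong resource type, or already compliant
    bucket = event["detail"]["resourceId"]
    config = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    s3_client.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=config)
    return {"bucket": bucket, "public_access_block": config}
```

In production, `s3_client` is `boto3.client("s3")` running under a role that holds only `s3:PutBucketPublicAccessBlock` on the affected buckets.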
Scenario: Centralizing Organization-Wide Logging
- Create a Log Archive Account in AWS Organizations.
- Configure an Organization Trail in CloudTrail to send all logs to a centralized S3 bucket in the Log Archive account.
- Enable Amazon Security Lake in the delegated administrator account to aggregate logs across all regions into OCSF format for analysis via Amazon Athena.
## Practice Set
- Q: Which service provides the most efficient way to detect if an EC2 instance is communicating with a known Bitcoin mining command-and-control server?
- A: Amazon GuardDuty (via VPC Flow Log analysis).
- Q: How do you ensure that all accounts within an AWS Organization have a specific set of security compliance rules applied?
- A: Deploy AWS Config Conformance Packs at the Organization level.
- Q: You need to analyze 1TB of VPC Flow Logs to find the source of a specific IP spike. Which tool is most cost-effective for ad-hoc querying?
- A: CloudWatch Logs Insights or Amazon Athena (if logs are in S3).
## Fact Recall Blanks
- Security Hub findings are formatted in the AWS _________ _________ Format (ASFF).
- To manage security services centrally for an Organization, you must designate a _________ _________ account.
- AWS Config _________ _________ allow you to group rules and remediation actions into a single deployable entity.
- Amazon Macie uses _________ _________ and pattern matching to identify sensitive data.
Answers:
- Security Finding (ASFF)
- Delegated Administrator
- Conformance Packs
- Machine Learning