
Curriculum Overview: Unit 5 - Data Protection (AWS Certified Security Specialty)

This curriculum covers Domain 5: Data Protection, which accounts for 18% of the AWS Certified Security — Specialty (SCS-C03) exam. It focuses on the implementation of controls to ensure the confidentiality, integrity, and availability of data both at rest and in transit.

Prerequisites

Before starting this unit, learners should have a solid grasp of the following:

  • AWS IAM Basics: Understanding policies, roles, and the principle of least privilege.
  • VPC Fundamentals: Knowledge of subnets, security groups, and routing.
  • General Cryptography: Basic understanding of symmetric vs. asymmetric encryption, hashing, and digital signatures.
  • Core AWS Services: Familiarity with Amazon S3, Amazon EC2, and EBS storage.

Module Breakdown

| Module | Focus Area | Difficulty | Core Services |
|---|---|---|---|
| 5.1 | Data in Transit | Intermediate | TLS, ELB, PrivateLink, Verified Access |
| 5.2 | Data at Rest | Advanced | KMS, CloudHSM, S3 Object Lock, EBS |
| 5.3 | Secrets & Keys | Advanced | Secrets Manager, Private CA, CloudWatch Logs |
| 5.4 | Lifecycle & Backup | Intermediate | AWS Backup, S3 Lifecycle, DataSync |

Learning Objectives per Module

Module 5.1: Protection for Data in Transit

  • Enforce Encryption: Configure ELB TLS security policies (minimum protocol version and cipher suites) and enforce TLS on every client and service connection, for example by denying requests where aws:SecureTransport is false.
  • Private Connectivity: Implement AWS PrivateLink and VPC Endpoints to keep traffic within the AWS network.
  • Inter-resource Security: Configure inter-node encryption for complex workloads like Amazon EMR, EKS, and SageMaker AI.

Module 5.2: Protection for Data at Rest

  • Key Selection: Distinguish between AWS KMS (multi-tenant, AWS-operated HSMs) and AWS CloudHSM (single-tenant, FIPS 140-2 Level 3 hardware in your VPC). KMS-managed HSMs also carry a FIPS 140-2 Level 3 validation, so the deciding factors are tenancy, who controls the HSM and key material, and whether you need HSM features KMS does not expose, not the validation level alone.
  • Encryption Types: Implement client-side vs. server-side encryption (SSE-S3, SSE-KMS, SSE-C), and know which options leave key handling with the caller (client-side and SSE-C) versus with AWS.
  • Integrity Controls: Deploy S3 Object Lock and S3 Glacier Vault Lock to enforce write-once-read-many (WORM) retention so that objects cannot be modified or deleted before the retention period expires.
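The transit control from Module 5.1 (TLS only, 1.2 or newer) and the at-rest control from Module 5.2 (SSE-KMS on every upload) are both expressed as explicit Deny statements in an S3 bucket policy. The block below is an added example, not course material: it builds that policy and runs a deliberately small local evaluator over constructed request contexts so you can see which statement each request trips. The evaluator handles only the Deny statements and condition operators used here, ignores Resource, and treats a missing key under a non-Null operator as "no match"; it is a teaching aid, not a re-implementation of IAM. The bucket name and request contexts are assumptions.

```python
"""Added example (not part of the course): S3 bucket-policy controls for
Modules 5.1 and 5.2, checked with a deliberately small local evaluator.

The policy denies any request not made over TLS 1.2 or newer (data in
transit) and any PutObject that does not ask for SSE-KMS (data at rest).
The evaluator understands only the Deny statements and condition operators
used here and ignores Resource; it is a teaching aid, not IAM. The bucket
name and request contexts are constructed for the example.
"""
from fnmatch import fnmatchcase

BUCKET = "example-protected-bucket"  # assumed name


def bucket_policy(bucket: str) -> dict:
    """Explicit Deny statements; an explicit Deny wins over any Allow."""
    everything = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 5.1: aws:SecureTransport is "false" for plain-HTTP requests
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": everything,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 5.1: s3:TlsVersion is numeric, so TLS 1.0 and 1.1 are caught
                "Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": everything,
                "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
            },
            {   # 5.2: an absent header is tested with Null, not StringNotEquals
                "Sid": "DenyMissingSseHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # 5.2: SSE-S3 (AES256) is refused; only SSE-KMS passes
                "Sid": "DenyNonKmsSse", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


def _condition_matches(op: str, key: str, expected: str, ctx: dict) -> bool:
    """Evaluate one operator/key/value triple against the request context."""
    present = key in ctx
    if op == "Null":                       # "true" means "the key is absent"
        return present != (expected == "true")
    if not present:                        # simplification: a missing key never matches
        return False
    value = str(ctx[key])
    if op == "Bool":
        return value.lower() == expected.lower()
    if op == "StringNotEquals":
        return value != expected
    if op == "NumericLessThan":
        return float(value) < float(expected)
    raise ValueError(f"operator {op} is not handled by this toy evaluator")


def explicit_denies(policy: dict, action: str, ctx: dict) -> list:
    """Sids of Deny statements whose Action and every Condition match the request."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, p) for p in patterns):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            hits.append(stmt["Sid"])
    return hits


# Constructed request contexts: the condition keys S3 would populate for each call.
REQUESTS = {
    "http_get":         ("s3:GetObject", {"aws:SecureTransport": "false"}),
    "tls10_get":        ("s3:GetObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.0"}),
    "tls12_put_plain":  ("s3:PutObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}),
    "tls12_put_sse_s3": ("s3:PutObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2",
                                          "s3:x-amz-server-side-encryption": "AES256"}),
    "tls13_put_kms":    ("s3:PutObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3",
                                          "s3:x-amz-server-side-encryption": "aws:kms"}),
}


def check_requests(policy=None) -> dict:
    """Map each constructed request to the Deny statements it trips."""
    policy = policy or bucket_policy(BUCKET)
    return {name: explicit_denies(policy, action, ctx) for name, (action, ctx) in REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in check_requests().items():
        print(f"{name:18} -> {sids or 'not denied by this policy'}")
```

Apply the generated document with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`. Two details matter in practice: the missing-header case gets its own Null statement instead of relying on how IAM treats a missing key under StringNotEquals, and the SSE-KMS rule only works end to end if the uploading principal can also call kms:GenerateDataKey on the chosen key, otherwise the request passes the bucket policy and still fails. To pin uploads to one specific key, add a further statement on s3:x-amz-server-side-encryption-aws-kms-key-id. The load-balancer side of Module 5.1 is a listener setting rather than a policy, for example `aws elbv2 modify-listener --listener-arn <arn> --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06`.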

Module 5.3: Confidential Data & Secrets

  • Secret Rotation: Automate the rotation of RDS and third-party credentials with AWS Secrets Manager, using managed rotation where the service supports it and a custom Lambda rotation function for everything else.
  • Key Management: Manage imported key material (BYOK) vs. AWS-generated keys; imported material can be given an expiry and must be re-imported by you, because AWS cannot recover it.
  • Data Masking: Apply CloudWatch Logs data protection policies to mask PII and other sensitive data in log events. Masking applies on read; the original data is still stored, and principals with the logs:Unmask permission can view it.

Success Metrics

To demonstrate mastery of this unit, learners must be able to:

  1. Architect Cross-Account Encryption: Share a KMS key with a second account through its key policy, grant the consuming principal matching IAM permissions, and use the key (referenced by its full ARN) to create an encrypted EBS volume in that account.
  2. Pass Assessment: Achieve >85% on the "Data Protection Domain" practice quiz.
  3. Implement WORM: Configure an S3 bucket with Object Lock in Compliance mode, knowing that in this mode no principal, including the account root user, can shorten or remove the retention period before it expires.
  4. Audit Permissions: Use IAM Access Analyzer to identify and remediate unintended public or cross-account access to encrypted resources (S3 buckets and KMS keys included).
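The cross-account metric above hinges on two documents that must agree: the KMS key policy in the owning account and the IAM identity policy in the consuming account. The block below is an added example rather than course material: it generates both policies for EBS use of a shared key and includes a small check of which actions each principal is granted. Account IDs and the key ARN are placeholders; the check does not evaluate conditions, so the grant statement is reported as allowed even though in AWS it only applies when the grant is created for an AWS service such as EC2.

```python
"""Added example (not part of the course): the two policies that let a
principal in a second account create EBS volumes encrypted under a KMS key
owned by the first account. The key policy is the primary authorization on
a key; the consuming account's IAM policy must grant the same actions, and
neither document works alone. Account IDs and the key ARN are placeholders.
"""
import json
from fnmatch import fnmatchcase

OWNER = "111122223333"      # account that owns the key (placeholder)
CONSUMER = "444455556666"   # account that will create volumes with it (placeholder)
KEY_ARN = f"arn:aws:kms:us-east-1:{OWNER}:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder

# What EC2 needs, on the caller's behalf, to create and attach an encrypted volume.
EBS_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                   "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]
EBS_GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def key_policy(owner: str, consumer: str) -> dict:
    """Key policy: keep the owner in control, delegate use to the consumer account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this, even the owning account's administrators lose access to the key.
                "Sid": "EnableIamPoliciesInOwnerAccount", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
                "Action": "kms:*", "Resource": "*",
            },
            {   # ":root" delegates to the consumer's IAM; it grants nothing until an IAM policy does.
                "Sid": "AllowUseByConsumerAccount", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{consumer}:root"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # EC2 creates grants so volumes keep working; restrict grants to AWS services.
                "Sid": "AllowGrantsForAwsResources", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{consumer}:root"},
                "Action": EBS_GRANT_ACTIONS, "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def consumer_iam_policy(key_arn: str) -> dict:
    """Identity policy attached to the role or user in the consumer account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "UseSharedKey", "Effect": "Allow",
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": key_arn},
            {"Sid": "GrantsForAwsResources", "Effect": "Allow",
             "Action": EBS_GRANT_ACTIONS, "Resource": key_arn,
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def allowed_actions(policy: dict, principal_arn: str, candidates: list) -> set:
    """Candidate actions that the policy's Allow statements name for principal_arn.

    Conditions are not evaluated; in AWS the grant statement applies only when
    the grant is for an AWS resource such as an EC2 volume.
    """
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"]["AWS"]
        if principal_arn not in (principals if isinstance(principals, list) else [principals]):
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        allowed.update(c for c in candidates if any(fnmatchcase(c, p) for p in patterns))
    return allowed


if __name__ == "__main__":
    print(json.dumps(key_policy(OWNER, CONSUMER), indent=2))
    print(json.dumps(consumer_iam_policy(KEY_ARN), indent=2))
```

In the owning account, install the key policy with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json`; in the consuming account, attach the identity policy to the role that will call EC2 and pass the key's full ARN (not its ID or alias, which do not resolve across accounts) as `--kms-key-id` when creating the volume or copying a shared snapshot. Note what the consumer never receives: kms:ScheduleKeyDeletion, kms:PutKeyPolicy and the other administrative actions stay with the owner.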

Real-World Application

1. Regulatory Compliance (GDPR/HIPAA)

In the real world, data protection isn't just a technical goal but a legal requirement. Implementing the encryption and lifecycle policies in this unit allows organizations to meet strict GDPR/HIPAA standards regarding data residency and protection.

2. Ransomware Mitigation

By combining S3 Object Lock with AWS Backup Vault Lock (and, where available, logically air-gapped backup vaults), security engineers can create recovery points that a compromised account cannot delete or re-encrypt before their retention period expires, which is what makes them useful against ransomware actors.

3. Secure Hybrid Cloud

Over AWS Direct Connect or a Site-to-Site VPN, on-premises systems can reach AWS services through interface VPC endpoints (AWS PrivateLink) without the traffic ever traversing the public internet, significantly reducing the attack surface.

Diagram: Raw Data --(Encrypt)--> Protection Layer [KMS / Secrets Manager] --(Store)--> Secure Artifact

[!IMPORTANT] Data Protection (Domain 5) is one of the most technical sections of the exam. Focus heavily on how KMS key policies and S3 bucket policies interact: the key policy is the primary control on a key, an IAM policy can grant key access only if the key policy delegates to IAM, and a request that passes the bucket policy still fails with AccessDenied if the caller cannot use the key (kms:GenerateDataKey on upload, kms:Decrypt on download). These overlaps are a common source of authorization failures.
