
SCS-C03 Exam Cram: Secure & Consistent Deployment Strategies

Implement a secure and consistent deployment strategy for cloud resources


This guide covers Domain 6, Task 6.2 of the AWS Certified Security - Specialty exam, focusing on Infrastructure as Code (IaC), resource sharing, and centralized governance.

Topic Weighting

| Domain | Task | Exam Percentage (Approx.) |
| --- | --- | --- |
| Domain 6: Management & Governance | Task 6.2: Secure & Consistent Deployment | ~5% - 7% of total exam |

[!NOTE] While Domain 6 as a whole accounts for 14%, Task 6.2 is the technical core of the "Governance" section, focusing on how you actually roll out resources safely.

Key Concepts Summary

  • Infrastructure as Code (IaC): Use CloudFormation to eliminate manual configuration.
    • cfn-lint: Validates CloudFormation syntax.
    • CloudFormation Guard: Policy-as-code tool to check templates against security rules (e.g., "No S3 buckets without encryption").
  • CloudFormation StackSets: Deploys stacks across multiple AWS Accounts and Regions with a single operation. Essential for "Security Tooling" accounts.
  • AWS Resource Access Manager (RAM): Securely shares resources (Subnets, Transit Gateways, License Manager) with other accounts or within an Organization without duplicating resources.
  • AWS Service Catalog: Allows administrators to create and manage catalogs of IT services (CloudFormation templates) that are approved for use on AWS. Ensures users only deploy "blessed" configurations.
  • Tagging Strategy: Essential for attribute-based access control (ABAC) and cost allocation. Tags should include Environment, Owner, and Compliance levels.
  • AWS Firewall Manager: Central management of WAF, Shield Advanced, and VPC Security Group rules across the entire Organization.

Visual Anchors

Secure Deployment Pipeline


Resource Sharing via AWS RAM

\begin{tikzpicture}[node distance=2cm]
  \draw[thick, rounded corners] (0,0) rectangle (3,2)
    node[midway] {\begin{tabular}{c} Account A \\ (Owner) \end{tabular}};
  \draw[thick, rounded corners] (6,0) rectangle (9,2)
    node[midway] {\begin{tabular}{c} Account B \\ (Consumer) \end{tabular}};
  \draw[->, ultra thick, blue] (3.1,1) -- (5.9,1) node[midway, above] {AWS RAM};
  \node[draw, circle, fill=green!20] at (4.5, -0.5) {Subnet / TGW};
  \draw[dashed] (1.5,0) -- (4.5, -0.2);
  \draw[dashed] (7.5,0) -- (4.5, -0.2);
\end{tikzpicture}

Common Pitfalls

  • Pitfall 1: Manual Fixes (Drift): Changing resources in the console after CloudFormation deployment. Fix: Use CloudFormation Drift Detection.
  • Pitfall 2: Sharing via IAM only: Trying to use cross-account IAM roles for resource types that support AWS RAM (like VPC Subnets). Fix: Use RAM for lower-level infrastructure sharing.
  • Pitfall 3: Hardcoded Secrets: Including passwords in CloudFormation templates. Fix: Use dynamic references to AWS Secrets Manager or Parameter Store.
  • Pitfall 4: StackSet Permissions: Forgetting that StackSets require specific IAM roles (AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationStackSetExecutionRole) unless using Service-Managed Permissions with AWS Organizations.

Mnemonics / Memory Triggers

  • G-U-A-R-D: Governance Using Automated Rule Definitions (CloudFormation Guard checks your templates before they run).
  • R-A-M: Resources Are Multiplying (Use RAM to keep one resource like a Transit Gateway but use it everywhere).
  • S-C: Service Catalog = Self Control (Users can launch what they need, but only from the approved list).

Formula / Equation Sheet

| Feature | Primary Purpose | Security Benefit |
| --- | --- | --- |
| StackSets | Multi-account deployment | Consistent security baseline across the Org. |
| CFN Guard | Template validation | Prevents insecure resources from being created. |
| Firewall Mgr | Central policy | Global enforcement of WAF/Shield/Security Groups. |
| Service Catalog | Product portfolio | Enforces usage of hardened, pre-approved AMIs. |
| AWS Config | Resource inventory | Detects non-compliant changes in real time. |

Worked Examples

Scenario 1: Enforcing Encryption

Problem: You need to ensure that no developer can launch an unencrypted S3 bucket via CloudFormation.

Solution: Use CloudFormation Guard. Create a rule file that checks the BucketEncryption property of AWS::S3::Bucket. Integrate this check into the CI/CD pipeline. If the rule fails, the pipeline stops the deployment.
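The pipeline gate from Scenario 1, written out as an added example (not from the cram sheet or from the cfn-guard project): the BucketEncryption rule is re-implemented in plain Python so it runs offline, and it returns a non-zero exit code when any AWS::S3::Bucket lacks a valid default server-side encryption setting. The templates, logical IDs and the `gate.py` file name are constructed for the example.

```python
"""Pipeline gate mirroring the Scenario 1 CloudFormation Guard check.
Hypothetical example: the BucketEncryption rule is re-implemented in Python
so it runs without the cfn-guard binary; both templates are constructed."""
import json
import sys

# SSEAlgorithm values CloudFormation accepts for ServerSideEncryptionByDefault.
ALLOWED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}


def find_unencrypted_buckets(template: dict) -> list[str]:
    """Return logical IDs of AWS::S3::Bucket resources that fail the rule.
    A bucket passes only if BucketEncryption declares at least one
    ServerSideEncryptionByDefault entry with an allowed SSEAlgorithm."""
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        enc = props.get("BucketEncryption") or {}
        rules = enc.get("ServerSideEncryptionConfiguration") or []
        algorithms = {
            (rule.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
            for rule in rules
        }
        if not algorithms & ALLOWED_SSE:  # missing, empty or unknown algorithm
            violations.append(logical_id)
    return violations


def gate(template_json: str) -> int:
    """CI/CD gate: 0 lets the deployment proceed, 1 stops the pipeline."""
    violations = find_unencrypted_buckets(json.loads(template_json))
    for logical_id in violations:
        print(f"FAIL {logical_id}: AWS::S3::Bucket without server-side encryption")
    return 1 if violations else 0


# Constructed templates: one compliant bucket, one bucket with no encryption.
COMPLIANT = json.dumps({"Resources": {"Logs": {"Type": "AWS::S3::Bucket", "Properties": {
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}}}})
NON_COMPLIANT = json.dumps({"Resources": {
    "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Queue": {"Type": "AWS::SQS::Queue"}}})

if __name__ == "__main__":  # usage: python gate.py template.json
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else NON_COMPLIANT
    sys.exit(gate(source))
```

Wire `gate.py` into the build stage so a non-zero exit fails the job before any CloudFormation deploy step runs; the real cfn-guard rule expresses the same check in its own DSL.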

Scenario 2: Centralized Networking

Problem: A security team wants all VPCs in the Organization to use a central Transit Gateway for inspection but wants to minimize management overhead.

Solution: Create the Transit Gateway in the Network/Security account. Use AWS RAM to share the Transit Gateway with the entire AWS Organization. Individual accounts can then create Transit Gateway Attachments to the shared resource.

Practice Set

  1. Which tool allows you to write proactive policy-as-code to validate CloudFormation templates against security best practices?
    • Answer: CloudFormation Guard.
  2. You need to deploy a set of IAM roles and GuardDuty configurations to 50 AWS accounts. What is the most efficient service?
    • Answer: CloudFormation StackSets (Service-Managed).
  3. A user needs to deploy a complex three-tier application but lacks deep AWS knowledge. How can you ensure they deploy it securely?
    • Answer: Provide the application as a Product in AWS Service Catalog.
  4. True or False: AWS RAM can be used to share an IAM Role across accounts.
    • Answer: False (RAM shares resource entities like Subnets; IAM Roles are shared via Trust Policies).
  5. Which service should be used to centrally manage WAF rules across all ALBs in an AWS Organization?
    • Answer: AWS Firewall Manager.

Fact Recall Blanks

  1. To detect when a resource's actual configuration differs from its CloudFormation template, use __________ Detection.
  2. __________ is the utility used to check CloudFormation templates for syntax errors and best practice recommendations.
  3. AWS RAM allows for resource sharing within an Organization without requiring __________ account credentials.
  4. The __________ feature in AWS Control Tower automates the creation of new, pre-configured accounts.

Answers: 1. Drift, 2. cfn-lint, 3. Cross, 4. Account Factory
