# Unit 1: Detection - Curriculum Overview
This document outlines the scope, objectives, and practical applications of Unit 1: Detection within the AWS Certified Security - Specialty (SCS-C03) certification. This unit focuses on the critical ability to design and implement monitoring and alerting solutions that provide visibility into the security posture of an AWS account or organization.
## Prerequisites
Before beginning this unit, learners should have a solid foundation in the following areas:
- AWS Cloud Practitioner Essentials: Understanding of the AWS Shared Responsibility Model and basic cloud infrastructure.
- Foundational Security Concepts: Knowledge of Identity and Access Management (IAM) basics, including roles and policies.
- Core Management Services: Familiarity with the purpose of AWS CloudTrail (governance/audit) and Amazon CloudWatch (monitoring/performance).
- Basic Automation: A high-level understanding of JSON/YAML for reading configurations and basic scripting concepts.
## Module Breakdown
| Module | Focus Area | Difficulty |
|---|---|---|
| 1.1 Monitoring Strategy | Analyzing workloads to define specific security monitoring requirements and resource health checks. | Intermediate |
| 1.2 Event Aggregation | Centralizing logs and security events across multiple accounts and regions. | Advanced |
| 1.3 Detection Services | Implementation of Amazon GuardDuty, Amazon Macie, and Amazon Security Lake. | Intermediate |
| 1.4 Centralized Security | Configuring AWS Security Hub to provide a single-pane-of-glass view of security findings. | Intermediate |
| 1.5 Compliance Automation | Using AWS Config and Systems Manager to automate assessments and maintain desired state. | Advanced |
## Learning Objectives per Module
### 1.1 Monitoring Requirements & Health Checks
- Determine which metrics are critical for specific workload types (e.g., EC2 vs. Lambda).
- Configure Route 53 Health Checks and CloudWatch Alarms to monitor resource availability.
### 1.2 Event Aggregation & Metrics
- Design a strategy to aggregate events from various sources into a centralized logging account.
- Create custom CloudWatch Dashboards and Filter Patterns to detect anomalous activity.
### 1.3 Specialist Detection Services
- Amazon GuardDuty: Deploy threat detection to monitor for malicious activity and unauthorized behavior.
- Amazon Macie: Implement automated sensitive data discovery (PII) at scale within S3 buckets.
- Amazon Security Lake: Centralize security data from cloud, on-premises, and custom sources into a purpose-built data lake.
### 1.4 Automated Compliance & Investigations
- Deploy AWS Config Conformance Packs to ensure resources meet regulatory or internal compliance standards.
- Use AWS Systems Manager State Manager to maintain consistent configuration across a fleet of instances.
## Visual Overview
### Detection Event Flow
This flowchart illustrates how security data moves from individual resources to a centralized response mechanism.
### The Security Hub Architecture
```latex
\begin{tikzpicture}[node distance=2cm,
    every node/.style={rectangle, draw, rounded corners,
                       minimum width=3cm, minimum height=1cm, align=center}]
  % Security Hub in the centre; the four finding producers feed into it
  \node (hub)    [fill=orange!20]                     {\textbf{AWS Security Hub}};
  \node (gd)     [above left of=hub,  xshift=-1cm]    {GuardDuty};
  \node (macie)  [above right of=hub, xshift=1cm]     {Macie};
  \node (config) [below left of=hub,  xshift=-1cm]    {AWS Config};
  \node (insp)   [below right of=hub, xshift=1cm]     {Inspector};

  \draw[->, thick] (gd)     -- (hub);
  \draw[->, thick] (macie)  -- (hub);
  \draw[->, thick] (config) -- (hub);
  \draw[->, thick] (insp)   -- (hub);

  % Aggregated findings drive automated response
  \node (action) [below of=hub, fill=green!10] {Response/Automation};
  \draw[->, double, thick] (hub) -- (action);
\end{tikzpicture}
```
## Success Metrics
You have mastered Unit 1 when you can:
- Deploy a Conformance Pack: Successfully deploy an AWS Config conformance pack (e.g., Operational Best Practices for PCI DSS) across an entire AWS Organization.
- Trigger a GuardDuty Finding: Manually trigger a sample finding in GuardDuty and verify it appears in Security Hub.
- Automate Remediation: Create a CloudWatch Event rule that triggers an AWS Lambda function to revoke a public S3 bucket policy detected by AWS Config.
- Analyze Sensitive Data: Configure an Amazon Macie discovery job and interpret the resulting "Sensitive Data Discovery" report.
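The "Automate Remediation" metric above describes a concrete pipeline: an AWS Config rule marks a bucket NON_COMPLIANT, an event rule matches that compliance change, and a Lambda function revokes the bucket policy. The following is an added example (not part of the curriculum and not AWS's own code) of both halves: the EventBridge (CloudWatch Events) rule pattern and the Lambda handler, written in Python 3 with boto3. The managed rule names, the sample event, the bucket name and the account id are assumed or constructed; the SDK is only imported when a real S3 client is needed, so the decision logic can be exercised offline.

```python
# EventBridge (CloudWatch Events) rule pattern to attach to this Lambda: it fires only for
# AWS Config compliance changes on S3 buckets whose new evaluation is NON_COMPLIANT.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"resourceType": ["AWS::S3::Bucket"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}
# AWS Config managed rules whose NON_COMPLIANT result means the bucket policy grants public access.
REMEDIATED_RULES = {"s3-bucket-public-read-prohibited", "s3-bucket-public-write-prohibited"}

def bucket_to_remediate(event):
    """Return the bucket name if the event warrants revoking its policy, else None. Every field
    is re-checked in code so a loose rule pattern cannot make us remediate the wrong resource."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.config" or detail.get("resourceType") != "AWS::S3::Bucket":
        return None
    if detail.get("configRuleName") not in REMEDIATED_RULES:
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")  # for AWS::S3::Bucket the resourceId is the bucket name

def revoke_bucket_policy(bucket, s3_client=None):
    """Delete the bucket policy and enable Block Public Access so a public policy cannot be re-added."""
    if s3_client is None:
        import boto3  # imported lazily so the decision logic above runs without the SDK
        s3_client = boto3.client("s3")
    s3_client.delete_bucket_policy(Bucket=bucket)
    s3_client.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    return {"bucket": bucket, "action": "policy_revoked"}

def lambda_handler(event, context, s3_client=None):
    bucket = bucket_to_remediate(event)
    if bucket is None:
        return {"action": "ignored"}
    print(f"revoking public bucket policy on {bucket}")  # stdout lands in CloudWatch Logs as an audit trail
    return revoke_bucket_policy(bucket, s3_client)

# Constructed sample Config compliance-change event (account id and bucket name are placeholders).
SAMPLE_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-public-bucket",
               "awsAccountId": "123456789012", "configRuleName": "s3-bucket-public-read-prohibited",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}
```

The Lambda's execution role needs only `s3:DeleteBucketPolicy` and `s3:PutBucketPublicAccessBlock` on the buckets in scope, which keeps the remediation path itself least-privilege.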
## Real-World Application
In a professional setting, the skills learned in Unit 1 are vital for building a Detection-in-Depth strategy:
- Reduced MTTR (Mean Time To Respond): By automating alerts via Security Hub and SNS, security teams are notified of breaches in seconds rather than days.
- Continuous Compliance: Instead of annual audits, AWS Config provides real-time visibility into whether the environment is currently meeting compliance standards (HIPAA, SOC2, etc.).
- Cost Efficiency: Using Security Lake allows organizations to store vast amounts of security data in OCSF format, making it searchable by third-party SIEM tools without expensive ingestion fees.
> [!IMPORTANT]
> Detection is the "eyes" of your security infrastructure. Without the robust monitoring strategies taught in this unit, an organization is blind to active threats and configuration drift.