Unit 3: Infrastructure Security - Curriculum Overview
This curriculum covers Domain 3 of the AWS Certified Security - Specialty (SCS-C03) exam. It focuses on the design, implementation, and troubleshooting of security controls across edge services, compute workloads, and network architectures.
Prerequisites
Before starting this unit, learners should have a solid foundation in the following areas:
- AWS Networking Fundamentals: Proficiency in VPC constructs including Subnets, Internet Gateways (IGW), Route Tables, and NAT Gateways.
- Security Shared Responsibility Model: Understanding of what AWS secures (the cloud) versus what the customer secures (in the cloud).
- Basic IAM Knowledge: Familiarity with IAM users, roles, and the principle of least privilege.
- Cloud Security Principles: Awareness of common threats such as DDoS, SQL injection, and unauthorized access.
Module Breakdown
The following table outlines the progression of topics within this unit, categorized by their technical focus and difficulty.
| Module | Focus Area | Key Services | Difficulty |
|---|---|---|---|
| 3.1 Edge Security | Protecting entry points | AWS WAF, Shield, CloudFront, IoT | Intermediate |
| 3.2 Compute Security | Hardening workloads | EC2, Inspector, Systems Manager (SSM) | Advanced |
| 3.3 Network Security | Traffic control & isolation | Network Firewall, Security Groups, NACLs | Intermediate |
| 3.4 Hybrid Connectivity | Secure cross-network links | VPN, Direct Connect, Verified Access | Advanced |
Learning Objectives per Module
3.1 Network Edge Services
- Strategic Selection: Define edge security strategies based on specific threat models (e.g., OWASP Top 10).
- Implementation: Configure AWS WAF rules, CloudFront security headers, and S3 CORS policies.
- Advanced Protection: Deploy AWS Shield Advanced for L3/L4 and L7 DDoS mitigation.
- Third-Party Integration: Ingest log data from external (third-party) WAFs in Open Cybersecurity Schema Framework (OCSF) format.
3.2 Compute Workloads
- Image Hardening: Use EC2 Image Builder and Systems Manager to create secure, patched AMIs and container images.
- Vulnerability Management: Automate scans for Lambda functions and containers using Amazon Inspector.
- Access Control: Implement secure administrative access using Systems Manager Session Manager (eliminating the need for SSH keys).
- AI Guardrails: Apply GenAI security protections for LLM-based applications.
3.3 Network Security Controls
- Segmentation: Design multi-tier architectures with isolated subnets and micro-segmentation using Security Groups.
- Firewall Orchestration: Implement AWS Network Firewall for deep packet inspection and stateful traffic filtering.
- Audit & Reachability: Use Network Access Analyzer and VPC Reachability Analyzer to identify unintended network paths.
Visual Overview
[Figure: Defense in Depth Hierarchy]
[Figure: Hybrid Connectivity Architecture]
Success Metrics
To demonstrate mastery of Infrastructure Security, learners must meet the following criteria:
- Design Proficiency: Ability to architect a 3-tier VPC that passes a Network Access Analyzer audit with zero unauthorized public paths.
- Remediation Speed: Successfully automate the patching of an EC2 fleet using SSM Patch Manager within a 24-hour compliance window.
- Threat Mitigation: Correctly configure WAF rate-limiting rules to stop a simulated HTTP flood attack.
- Exam Readiness: Achieve a score of 80% or higher on Domain 3 practice questions, specifically identifying the differences between NACLs (stateless) and Security Groups (stateful).
Real-World Application
Infrastructure security is the "digital fence" of any enterprise cloud environment. In a professional setting, these skills are applied to:
- Compliance Audits: Ensuring all compute resources are scanned by Amazon Inspector to meet SOC2 or PCI-DSS requirements.
- Incident Response: Using Amazon Detective and VPC Flow Logs to conduct root-cause analysis after a security event.
- Cost Management: Using Shield Advanced cost protection to absorb the scaling charges incurred during DDoS attacks, preventing unexpected billing spikes.
- Zero Trust Architecture: Moving away from perimeter-only security to identity-aware access using AWS Verified Access for hybrid workforces.
> [!IMPORTANT]
> Domain 3 accounts for 18% of the SCS-C03 exam. Focus heavily on the integration of Systems Manager with EC2, as this appears frequently in troubleshooting scenarios.
Estimated Timeline
- Week 1: Edge Security & WAF (5 hours)
- Week 2: Compute Hardening & Vulnerability Scanning (6 hours)
- Week 3: Advanced Networking & Hybrid Connectivity (7 hours)
- Week 4: Final Review & Hands-on Labs (4 hours)