THINGS I LEARNED FROM THE AWS CERTIFIED SECURITY SPECIALTY CERTIFICATION
Cloud security is the set of practices and technologies that protect cloud-hosted data, workloads and identities against external and internal threats. Organizations rely on cloud-based services daily, so they need cloud security as they move toward the future. I pursued this certification because I wanted to learn more about cloud security from an AWS perspective. This exam challenged my knowledge of cloud security in new ways.
1. The difference between IAM policies and service control policies (SCPs).
SCPs are a feature of AWS Organizations. They are attached to the organization root, an organizational unit (OU) or an individual member account, and they set the maximum permissions available to every IAM identity in the affected member accounts, including each member account's root user. An SCP never grants permissions on its own: a request must be allowed both by every applicable SCP and by an IAM policy, and an explicit Deny in either wins. SCPs do not affect the management account or service-linked roles. IAM identity policies allow or deny AWS API actions and can be attached only to IAM identities (users, groups, or roles); they cannot restrict the AWS account root user.
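To make the intersection concrete, here is an added example (not code from the original post) that models a simplified version of the AWS policy evaluation logic: an SCP allow-list with a guardrail Deny, an IAM policy for a developer, and a function that combines them for an ordinary user, for the root user, and for the management account. The policy documents, account layout and resource ARN are constructed for illustration; Condition, NotAction, NotResource, permissions boundaries and resource-based policies are not modelled.

```python
"""Simplified model of how SCPs and IAM identity policies combine.

Added example, not code from the original post. The policy documents are
constructed for illustration and the evaluator ignores Condition, NotAction,
NotResource, permissions boundaries and resource-based policies.
"""
from fnmatch import fnmatchcase

# Constructed SCP attached to the OU holding the member account: an allow-list
# of services plus a guardrail that nobody, root included, may switch off
# CloudTrail. Without the Allow statement an SCP would deny everything.
SCP_OU_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:*", "cloudtrail:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"},
    ],
}

# Constructed IAM identity policy attached to a developer user in that account.
IAM_DEVELOPER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "cloudtrail:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

BUCKET = "arn:aws:s3:::example-bucket"  # constructed resource ARN


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """Action names are case-insensitive; Action and Resource accept * and ? wildcards."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    verdict = "ImplicitDeny"
    for statement in policy["Statement"]:
        if _statement_matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, *, scps, identity_policies,
               is_root=False, is_management_account=False):
    """Combine SCPs and identity policies the way AWS does (simplified).

    scps: every SCP on the path from the organization root down to the account.
    identity_policies: the IAM policies attached to the calling user or role.
    """
    # 1. SCPs apply to every principal in a member account, the root user
    #    included, but never to the management account. Every SCP in the
    #    inheritance path must explicitly allow the action.
    if not is_management_account:
        for scp in scps:
            if evaluate_policy(scp, action, resource) != "Allow":
                return False
    # 2. The root user is not subject to IAM identity policies at all.
    if is_root:
        return True
    # 3. Ordinary identities need an explicit Allow and no explicit Deny.
    verdicts = [evaluate_policy(p, action, resource) for p in identity_policies]
    return "Deny" not in verdicts and "Allow" in verdicts


if __name__ == "__main__":
    member = dict(scps=[SCP_OU_GUARDRAILS])
    print("developer s3:GetObject      ", is_allowed("s3:GetObject", BUCKET, identity_policies=[IAM_DEVELOPER], **member))
    print("developer ec2:RunInstances  ", is_allowed("ec2:RunInstances", "*", identity_policies=[IAM_DEVELOPER], **member))
    print("developer s3:DeleteBucket   ", is_allowed("s3:DeleteBucket", BUCKET, identity_policies=[IAM_DEVELOPER], **member))
    print("root s3:DeleteBucket        ", is_allowed("s3:DeleteBucket", BUCKET, identity_policies=[], is_root=True, **member))
    print("root cloudtrail:StopLogging ", is_allowed("cloudtrail:StopLogging", "*", identity_policies=[], is_root=True, **member))
    print("mgmt root StopLogging       ", is_allowed("cloudtrail:StopLogging", "*", scps=[], identity_policies=[], is_root=True, is_management_account=True))
```

Running it shows the two asymmetries the exam tests: the developer's IAM Allow for ec2:* is useless because the SCP allow-list never mentions EC2, and the IAM Deny on s3:DeleteBucket stops the developer but not root, whereas the SCP Deny on cloudtrail:StopLogging stops root too. Only in the management account, where no SCP applies, can root stop logging.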
2. How CloudTrail and CloudWatch work together.
CloudTrail records the API calls made against resources and services in your AWS accounts, and a trail can be configured to deliver those events to a CloudWatch Logs log group in addition to its S3 bucket. Each published event carries invaluable information (the calling principal, source IP address, action, affected resources and outcome) that can be used for compliance, auditing, and governance of your AWS accounts. Once the events are in CloudWatch Logs you can monitor them with metric filters and alarms, for example to be notified when the root user signs in or when someone calls StopLogging against the trail itself.
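The following added example (not code from the original post) shows what that monitoring looks like in practice: three CloudWatch Logs metric-filter patterns of the kind the CIS AWS Foundations Benchmark recommends, and Python checks that mirror them so they can be run offline over a handful of constructed CloudTrail records. The records, event IDs, user names and IP address are made up for the example; field names follow the CloudTrail record format.

```python
"""Detection logic over CloudTrail events delivered to CloudWatch Logs.

Added example, not code from the original post. The filter patterns use the
CloudWatch Logs metric-filter syntax; the Python checks mirror them so the
logic can be exercised offline against constructed sample records.
"""
import json
from fnmatch import fnmatchcase

# Patterns you would pass as --filter-pattern to `aws logs put-metric-filter`
# once the trail is delivering to a CloudWatch Logs group.
METRIC_FILTERS = {
    "RootAccountUsage": (
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }'
    ),
    "UnauthorizedAPICalls": (
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
    ),
    "CloudTrailConfigChanges": (
        '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || '
        '($.eventName = DeleteTrail) || ($.eventName = StartLogging) || '
        '($.eventName = StopLogging) }'
    ),
}


def is_root_usage(event):
    """Root used directly, not via an AWS service acting on the account's behalf."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


def is_unauthorized_call(event):
    """EC2 reports Client.UnauthorizedOperation; most other services report AccessDenied."""
    code = event.get("errorCode", "")
    return fnmatchcase(code, "*UnauthorizedOperation") or fnmatchcase(code, "AccessDenied*")


def is_cloudtrail_change(event):
    """Anything that creates, alters or silences a trail."""
    return event.get("eventName") in {
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


CHECKS = {
    "RootAccountUsage": is_root_usage,
    "UnauthorizedAPICalls": is_unauthorized_call,
    "CloudTrailConfigChanges": is_cloudtrail_change,
}


def scan(log_lines):
    """Return {filter_name: [eventID, ...]} for each record that would increment the metric."""
    hits = {name: [] for name in CHECKS}
    for line in log_lines:
        event = json.loads(line)
        for name, check in CHECKS.items():
            if check(event):
                hits[name].append(event["eventID"])
    return hits


# Constructed sample records, one JSON document per line as CloudWatch Logs
# receives them from CloudTrail, trimmed to the fields the checks use.
SAMPLE_LOG_LINES = [
    json.dumps({"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root", "accountId": "111122223333"},
                "sourceIPAddress": "198.51.100.7"}),
    json.dumps({"eventID": "e2", "eventType": "AwsApiCall", "eventName": "RunInstances",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "errorCode": "Client.UnauthorizedOperation"}),
    json.dumps({"eventID": "e3", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventID": "e4", "eventType": "AwsApiCall", "eventName": "StopLogging",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ci"}}),
    # Root credentials used by an AWS service on the account's behalf: the
    # "invokedBy NOT EXISTS" clause keeps this out of the root-usage metric.
    json.dumps({"eventID": "e5", "eventType": "AwsApiCall", "eventName": "CreateBucket",
                "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}}),
    json.dumps({"eventID": "e6", "eventType": "AwsApiCall", "eventName": "ListUsers",
                "userIdentity": {"type": "IAMUser", "userName": "carol"},
                "errorCode": "AccessDenied"}),
]

if __name__ == "__main__":
    for name, ids in scan(SAMPLE_LOG_LINES).items():
        print(f"{name}: {ids}")
```

To wire a pattern up for real, create the filter with `aws logs put-metric-filter --log-group-name <trail log group> --filter-name RootAccountUsage --filter-pattern '<pattern>' --metric-transformations metricName=RootAccountUsage,metricNamespace=CloudTrailMetrics,metricValue=1`, then put a CloudWatch alarm on that metric with a threshold of 1 and an SNS action. The e5 record is the caveat worth remembering: without the `invokedBy NOT EXISTS` clause, every service-initiated call under the root identity would page you.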
3. When to use AWS WAF vs. when to use AWS Shield.
You can use AWS WAF and AWS Shield together as one layered security solution. AWS WAF is a web application firewall that sits in front of CloudFront distributions, Application Load Balancers, API Gateway APIs and AppSync APIs; its rules inspect HTTP requests (layer 7) and can block SQL injection attacks, cross-site scripting attacks, bad bots, and traffic from particular IP ranges or countries. AWS Shield provides protection against distributed denial of service (DDoS) attacks for AWS resources: Shield Standard is enabled automatically at no extra cost and covers the network and transport layers (layers 3 and 4), while Shield Advanced adds application-layer (layer 7) DDoS detection and mitigation, cost protection against scaling charges during an attack, and access to the AWS Shield Response Team.
4. The difference between GuardDuty and Inspector.
Amazon Inspector is a vulnerability management service: it scans your EC2 instances, ECR container images and Lambda functions for known software vulnerabilities (CVEs) and unintended network exposure, and reports findings about how your workloads are built and configured. Amazon GuardDuty is a threat detection service: it continuously analyzes CloudTrail events, VPC Flow Logs and DNS logs across your entire AWS environment for signs of malicious or anomalous activity, such as credentials used from an unusual location, communication with known-bad IP addresses, or cryptocurrency mining. Put simply, Inspector finds weaknesses before an attack and GuardDuty finds attacks in progress.
5. The difference between AWS Secrets Manager and AWS Systems Manager Parameter Store.
The main point of difference is secret rotation. AWS Secrets Manager can rotate a secret on demand or on a schedule you define, using a Lambda rotation function (with ready-made functions for RDS, Redshift and DocumentDB credentials); Parameter Store has no built-in rotation. Both services encrypt with KMS (Secrets Manager always encrypts, Parameter Store encrypts SecureString parameters) and control access with IAM. The advantage of Parameter Store is cost: standard parameters are free, and you can store up to 10,000 of them per Region per account (4 KB each) without being billed, whereas Secrets Manager charges per secret per month and per API call.
6. How CloudFront can work with AWS Certificate Manager.
To use a certificate in AWS Certificate Manager (ACM) to require HTTPS between viewers and CloudFront, make sure you request (or import) the certificate in the US East (N. Virginia) Region (us-east-1): CloudFront is a global service and only reads ACM certificates from that Region. If you also want to require HTTPS between CloudFront and your origin, and you're using an Elastic Load Balancing load balancer as your origin, the load balancer's certificate can be requested or imported in whichever Region the load balancer lives in. ACM renews the certificates it issues automatically; certificates you import must be renewed and re-imported by you.
7. The difference between Cognito user pools and identity pools.
User pools are for authentication (identity verification). With a user pool, your app users can sign in directly through the user pool or federate through a third-party identity provider (IdP) such as Google, Facebook, SAML or OIDC; a successful sign-in returns JSON Web Tokens (ID, access and refresh tokens) for your app to use. Identity pools are for authorization to AWS: they exchange a token from a user pool or another IdP (or an unauthenticated guest identity) for temporary AWS credentials from STS, scoped by an IAM role, so the app can directly access AWS resources such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table.
Resources used to pass this certification:
1. A Cloud Guru
2. AWS Skill Builder courses and practice tests
- AWS Certified Security - Specialty Official Practice Question Set
- Exam Readiness: AWS Certified Security – Specialty
- AWS Security Fundamentals (Second Edition)
3. Tutorials Dojo practice tests and cheat sheets
- AWS Certified Security Specialty Practice Exams 2023
- AWS Certified Security – Specialty Exam Guide Study Path SCS-C01
4. Whizlabs labs and practice tests
5. FAQs located on the official AWS Certified Security – Specialty page.