Passing the AWS Security Specialist Cert Part 1: Identity and Access Management & Data Protection

The AWS Security Specialist SCS-C02 certification is a great choice for anyone working in AWS, whether you are a security engineer, developer, or DevOps admin. Any resource created in AWS quickly becomes a target. Knowing and practicing the many nuances of securing these resources will help keep you, your applications, your data, and your customers safe.
We’ve already discussed whether this cert is worth it. Hopefully, since you're reading this, you’ve already decided that it is worth it and are ready to explore the domains covered by the cert a little more.
If you review that article (or the official exam guide), you’ll recall the six domains of knowledge that this certification covers. Today, we will start with domains four (Identity and Access Management) and five (Data Protection, which mostly covers AWS KMS). These domains represent the most critical pieces of a fully secured AWS account, both for the real world and for what you need to know for your exam.
Before jumping in, let’s take a big step back to look at the bigger picture. There are over 200 services in AWS as of the time of this article’s publication. And your job is to help secure this wide and deep surface area for your organization.
But guess what? Two of these services are the most essential to securing AWS, and many other services rely on them. First is IAM; it controls permissions for all services, giving access to users, other services, and your code. The second, KMS, covers encrypting and protecting your data, also across many services.
There’s a lot to cover in these two domains alone, so let’s start with Identity and Access Management, or IAM.
Related: Passing the AWS Security Speciality Cert Part 2: Logging & Monitoring.
Identity and Access Management
The AWS Security Specialty cert is not intended for beginners, but for folks with at least a few years of AWS experience under their belts. However, it’s always worth reviewing the basics before getting too deep.
Let’s start by breaking down IAM. “Identity” ties most closely to authentication: verifying who a user is by a password or access key. These are the users you create in the IAM console. There are many best practices to learn around creating users, such as enabling MFA, enforcing a strong password policy, and granting users only the least privilege they need to do their jobs.
Enabling MFA
Multi-factor authentication, or MFA, is Security 101 in the 21st century. MFA on login requires a second means of identifying yourself, usually a code generated by either a hardware device or an authenticator app like Authy or Duo. This proves you are who you claim to be, because you both know the password for the account and have the means to generate a valid code for it. This combination of something you know and something you have is the “multi” in multi-factor authentication.
Password Policy
Strong password policies are straightforward: an admin ticks the boxes that require users to choose a password with characteristics like a minimum length and special characters, and to change it every few days.
Principle of Least Privilege
Granting the least privilege is another essential security principle. If Bob the intern only needs read-only access to a few S3 buckets to do his job, but you assign the SystemAdministrator policy to his user, you’ve just given him keys to the kingdom: read and write on every resource in your account! Plus, if his account were to be compromised, hackers would have a field day.
So that’s IAM users. There's another facet to IAM, though: policies. These are groups of permissions that you attach to users. There are AWS-managed policies that you get out of the box for common tasks, like AmazonEC2FullAccess. This, as it says on the tin, grants full access to everything related to EC2 in the account, including creating and deleting instances, starting and stopping them, and many other auxiliary functions.
Custom Policies
You can create custom policies as needed, selecting individual permissions to attach to the policy. You can also get even more fine-grained, selecting individual permissions on individual resources. For example, Bob the intern only needs read-only access on the buckets containing logs, so you would create a policy that does just that, without giving him any permissions to read any other buckets, like those containing customer data or payroll info.
Policies are written in JSON and are tricky to write from scratch. Luckily, the console has a GUI wizard that builds a policy and generates the JSON for you. It’s also helpful to open any of the AWS-managed policies and read through the JSON, following how permissions are granted or denied for individual actions on services.
Roles
The next key part of IAM is roles. A role is an identity with policies attached to it. Users can use roles, generally by assuming a specific role after logging in. Assuming a role gives you all the permissions that role has. The role isn’t unique to you; anyone with permission to assume it can use it.
Roles get complicated, but they are an essential part of using IAM to secure your accounts. Since IAM is such a large part of the AWS Security Specialist cert, you will want to put extra effort into understanding it, both from the AWS docs and from the CBT Nuggets training.
Key Management Service
The other test domain we’re going to cover today is Data Protection, which focuses largely on AWS Key Management Service (KMS). KMS protects your data through encryption and decrypts it upon appropriately authenticated access. KMS by itself isn’t helpful, like a lock without a door. But paired with other AWS services, it's essential.
How Does it Work?
KMS uses strong encryption keys to encrypt your data. For the services that use this encrypted data, the encryption and decryption functions are mostly transparent. If you are authenticated as a user who has access to the key that certain data is encrypted with, KMS automatically works behind the scenes to decrypt that data when you access it.
Two important security best practices are at play here: you must have explicit access to the keys, and data must be encrypted at rest.
Policies
For the first, IAM again comes into the picture. When you create a KMS key, the key needs a policy defining who can use it to encrypt and decrypt data and who can administer it. These policies all refer to either IAM users or roles to grant the permissions, so it’s essential to understand IAM first and have your account set up properly before delving into KMS.
If you want to use encryption but aren’t as concerned about the granular user permissions, there are AWS-managed keys for services. These have wide-open permissions, so any user in your account can decrypt data using them, plus AWS handles regularly rotating the keys on your behalf.
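The least-privilege policy for Bob and the key policy that separates key administrators from key users are easier to reason about once you see how IAM evaluates a request. The following is an added example, not AWS code or the article's own: a minimal evaluator that applies the core rule (an explicit Deny always wins, access needs a matching Allow, everything else is implicitly denied) to two constructed policies. The bucket name, account ID and role names are placeholders, and Condition keys are deliberately not modelled.

```python
# Added example (not AWS code): a minimal evaluator for the core IAM logic.
# Explicit Deny wins, access needs a matching Allow, all else is implicitly
# denied. Wildcards (*) in actions and ARNs are honoured; no Condition keys.
from fnmatch import fnmatchcase

# Constructed least-privilege policy for "Bob the intern": read-only on the
# (made-up) app-logs bucket, with one folder explicitly off limits.
BOB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-logs/restricted/*"},
]}

# Constructed KMS key policy separating key administrators from key users.
# Account id and role names are placeholders.
ADMIN = "arn:aws:iam::111122223333:role/KeyAdmins"
APP = "arn:aws:iam::111122223333:role/AppServer"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ADMIN}, "Resource": "*",
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Disable*",
                "kms:Put*", "kms:ScheduleKeyDeletion"]},
    {"Effect": "Allow", "Principal": {"AWS": APP}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]},
]}


def _matches(value, patterns):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, principal=None):
    """True only if some statement allows the request and none denies it."""
    allowed = False
    for stmt in policy["Statement"]:
        # Resource-based policies (KMS key policies) name a Principal;
        # identity-based policies do not, so that check is skipped for them.
        if "Principal" in stmt and not _matches(
                principal or "", stmt["Principal"].get("AWS", [])):
            continue
        if not _matches(action, stmt["Action"]):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins regardless of other allows
        allowed = True
    return allowed
```

Note that the key administrators cannot decrypt with the key and the application role cannot schedule its deletion; that separation of duties is the point of writing the two statements separately.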
Data at Rest
For the second best practice, KMS encrypts data at rest. A common example is S3 buckets. Every bucket has an option for default encryption. Once enabled, you choose either an AWS-managed key or your own KMS key, and any files created in that bucket are encrypted at rest. When those files are requested, the appropriate decryption happens transparently. The importance of encryption at rest is that, even if someone had root access on the AWS server holding your data or got hold of the actual hard drive, your data is safe.
The Takeaway
That’s the gist of KMS and IAM, but there’s a massive amount of complexity and granularity, especially when it comes to configuring individual services. Combining a deep dive into the AWS docs with the CBT Nuggets training will be a winning combo to help you pass the cert.
That’s probably enough for today. In the next three parts, we’ll examine the four remaining domains for the AWS Security Specialist certification. Stay tuned!