
Passing the AWS Security Specialist Cert Part 3: Incident Response and Infrastructure Security

Updated on May 23, 2025

In this third part of our four-part series, we’ll explore two more domains covered by the AWS Security Specialty SCS-C02 exam. Check out parts one and two if you missed those. 

Assuming you’re all caught up, let’s jump right into the domains of Incident Response and Infrastructure Security!

Related: Passing the AWS Security Specialist Cert Part 1: Identity and Access Management & Data Protection

Incident Response: What to Know for the SCS-C02

The Security Specialty exam tests general incident response concepts and process as well as the AWS services you would use to detect, contain and investigate an incident in your environment.

You need to have a few basics squared away before an incident happens so that you’re not caught completely unaware in the fog of war.

Identifying the threats relevant to your environment ahead of time is the essential starting point. This will be a broad, shallow list: a compromised EC2 web server, AWS access keys leaked to a public repository, or a full-scale breach and disclosure of private data.

Next, write down the response steps for each of those scenarios and decide in advance who owns each task. Nobody should have to guess who is responsible during an incident, and a written runbook keeps essential containment steps (isolating the host, revoking the leaked credentials, preserving evidence before anything is cleaned up) from being skipped.

Finally, after an incident, hold a post-mortem: establish what happened, how to prevent it, and how to prepare and respond better next time. It must be blameless; the point is to learn together how to be better, not to point fingers.
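What a runbook for the "hacked EC2 web server" scenario looks like once it is written as code, as an added example (not from the post or from AWS): isolate the instance without powering it off, stop anyone from terminating it, snapshot its volumes for forensics and tag it. The EC2 client is injected so the logic runs offline against the constructed FakeEC2 stand-in; with a real boto3 client the same calls hit the EC2 API. The quarantine security group ID is an assumption: it stands for an empty security group (no inbound or outbound rules) that you create in advance.

```python
"""Containment runbook for a compromised EC2 instance (added example).

The client is injected so the same logic runs offline against the constructed
FakeEC2 below or, in production, a real boto3 EC2 client (see __main__).
Assumed: a pre-created "quarantine" security group with no rules at all.
"""
from datetime import datetime, timezone

QUARANTINE_SG_ID = "sg-0123456789quarant"  # assumption: empty SG created in advance


def contain_instance(ec2, instance_id, case_id, quarantine_sg=QUARANTINE_SG_ID):
    """Isolate, preserve and mark an instance; returns what was changed so the
    responder (and later the post-mortem) can review or restore it."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    record = {"instance_id": instance_id, "case_id": case_id,
              "original_security_groups": {}, "snapshots": []}

    # 1. Cut network access per ENI by swapping to the empty SG. The instance
    #    keeps running, so memory and running processes stay available for
    #    investigation. Do not stop or terminate it at this stage.
    for eni in inst["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        record["original_security_groups"][eni_id] = [g["GroupId"] for g in eni["Groups"]]
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id,
                                               Groups=[quarantine_sg])

    # 2. Prevent accidental termination before evidence is collected.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})

    # 3. Snapshot every attached EBS volume for offline forensics.
    for bdm in inst.get("BlockDeviceMappings", []):
        vol_id = bdm["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol_id,
            Description=f"IR case {case_id}: {instance_id} {vol_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "ir-case", "Value": case_id}]}])
        record["snapshots"].append(snap["SnapshotId"])

    # 4. Tag the instance so its state is visible in the console and to automation.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "ir-status", "Value": "quarantined"},
        {"Key": "ir-case", "Value": case_id},
        {"Key": "ir-quarantined-at",
         "Value": datetime.now(timezone.utc).isoformat(timespec="seconds")}])
    return record


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: one instance, one ENI, two volumes.
    It records every call so the sequence can be checked offline."""

    def __init__(self):
        self.calls = []
        self.snap_counter = 0

    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", InstanceIds))
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa",
                                   "Groups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}]}],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0root"}},
                                    {"Ebs": {"VolumeId": "vol-0data"}}]}]}]}

    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("modify_network_interface_attribute", kw))

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def create_snapshot(self, **kw):
        self.snap_counter += 1
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": f"snap-{self.snap_counter:04d}"}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


if __name__ == "__main__":
    import boto3  # only needed for a real run against your account
    print(contain_instance(boto3.client("ec2"), "i-0123456789abcdef0", "IR-2025-001"))
```

Security groups are stateful and rely on connection tracking, so after the swap confirm that existing sessions are really gone (VPC Flow Logs for the ENI are the quickest check); a deny entry in the subnet's NACL is the stateless backstop if you need a hard cut. The returned record is what you hand to the post-mortem: which groups were attached, which snapshots hold the evidence and under what case ID.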

Incident response is obviously a huge topic that we can only scratch the surface of here. AWS has published a comprehensive whitepaper, the AWS Security Incident Response Guide, that is good reading both for test prep and for the real world.

Preparation also means strengthening your defenses so that fewer incidents happen and the ones that do are detected quickly. AWS offers several security services focused on exactly this.

Amazon GuardDuty continuously monitors your AWS environment for threats. It analyzes CloudTrail events, VPC Flow Logs and Route 53 DNS query logs, using threat intelligence feeds and machine learning to raise findings on activity that doesn't fit normal patterns, such as an instance resolving a known command-and-control domain or an IAM credential being used from an unusual location. Each finding carries a severity score (Low, Medium, High, and Critical for a few finding types), and you decide which ones reach a human: suppression rules automatically archive expected noise, and EventBridge rules route the findings that matter to SNS, a ticketing system, or remediation automation.
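How that routing looks in practice, as an added example (not code from the post or from AWS): a triage function over findings in the shape GuardDuty publishes to EventBridge, with a local equivalent of a suppression rule and severity-based routing. The sample findings are constructed and only fill in the fields the function reads; the instance ID treated as the organisation's own vulnerability scanner is an assumption.

```python
"""Triage GuardDuty findings delivered through EventBridge (added example).

Findings below are constructed in the shape GuardDuty publishes to EventBridge
(detail-type "GuardDuty Finding"); only the fields used here are filled in.
"""

# The "page" branch below, expressed as an EventBridge event pattern: a rule
# with this pattern only fires for findings of severity 7.0 and above.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Local equivalent of a GuardDuty suppression rule: (finding type prefix,
# resource id or None for any). Assumption: i-0scanner00000000 is our own scanner.
SUPPRESSIONS = [
    ("Recon:EC2/PortProbeUnprotectedPort", "i-0scanner00000000"),
]

# GuardDuty severity bands; scores run from 1.0 to 10.0.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"))


def severity_label(score):
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Low"


def affected_resource(detail):
    """Return (resource type, identifier) for the resource the finding is about."""
    res = detail.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "Instance":
        return rtype, res["instanceDetails"]["instanceId"]
    if rtype == "AccessKey":
        return rtype, res["accessKeyDetails"]["accessKeyId"]
    return rtype, None


def is_suppressed(finding_type, resource_id):
    return any(finding_type.startswith(prefix) and (rid is None or rid == resource_id)
               for prefix, rid in SUPPRESSIONS)


def triage(event):
    """Decide what happens to one finding: suppress, page, ticket or log."""
    d = event["detail"]
    _, rid = affected_resource(d)
    if is_suppressed(d["type"], rid):
        action = "suppress"          # expected noise: archive, nobody is notified
    elif d["severity"] >= 7.0:
        action = "page"              # High/Critical: wake someone up
    elif d["severity"] >= 4.0:
        action = "ticket"            # Medium: work it during business hours
    else:
        action = "log"               # Low: keep for correlation, no notification
    return {"id": d["id"], "type": d["type"], "severity": severity_label(d["severity"]),
            "resource": rid, "action": action}


def route(events):
    decisions = [triage(e) for e in events]
    by_action = {}
    for dec in decisions:
        by_action.setdefault(dec["action"], []).append(dec["id"])
    return decisions, by_action


# Constructed sample findings (IDs, instance IDs and key IDs are placeholders).
def _finding(fid, ftype, severity, resource):
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": fid, "type": ftype, "severity": severity,
                       "region": "us-east-1", "accountId": "123456789012",
                       "resource": resource}}


def _instance(iid):
    return {"resourceType": "Instance", "instanceDetails": {"instanceId": iid}}


def _key(key_id, user):
    return {"resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": key_id, "userName": user}}


SAMPLE_FINDINGS = [
    _finding("f1", "Backdoor:EC2/C&CActivity.B!DNS", 8.0, _instance("i-0web0000000000001")),
    _finding("f2", "Recon:EC2/PortProbeUnprotectedPort", 2.0, _instance("i-0scanner00000000")),
    _finding("f3", "Recon:EC2/PortProbeUnprotectedPort", 2.0, _instance("i-0web0000000000001")),
    _finding("f4", "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", 8.0,
             _key("ASIAEXAMPLEKEY00001", "web-instance-role")),
    _finding("f5", "CredentialAccess:IAMUser/AnomalousBehavior", 5.0,
             _key("AKIAEXAMPLEKEY00002", "alice")),
]

if __name__ == "__main__":
    for decision in route(SAMPLE_FINDINGS)[0]:
        print(decision)
```

The same port-probe finding is suppressed for the scanner but still logged for the web server; that is exactly the scoping a GuardDuty suppression rule gives you through its filter criteria, and it is why suppression should always be tied to a specific resource rather than to a finding type alone.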

Another essential incident response service is AWS Config. It records the configuration of your AWS resources and every change to it over time, so you can always ask what a resource looked like at a given moment and when it changed.

To illustrate, let's say an EC2 instance was compromised after its security group was changed to allow SSH from the internet. Config's resource timeline shows when the security group changed, what the previous rule set was, and, through its link to the CloudTrail event that made the change, who made it. That makes it straightforward to both trace the change and revert it. Config rules go a step further: they can flag a non-compliant change as soon as it is recorded and, with a Systems Manager Automation remediation action attached, undo it automatically.
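The timeline comparison from that scenario, worked through as an added example (not from the post or from AWS): diff two Config configuration items for the same security group, flag the dangerous addition and build the exact revoke/authorize parameters that restore the earlier rule set. The two configuration items are constructed in the shape Config records for AWS::EC2::SecurityGroup, with only the fields the diff needs; the group ID and CloudTrail event ID are placeholders.

```python
"""Diff two AWS Config configuration items for a security group (added example).

The two items below are constructed in the shape Config records for
AWS::EC2::SecurityGroup. When fetched through the API the "configuration"
field arrives as a JSON string; fetch_last_two() parses it, the diff functions
expect it already parsed.
"""
import json

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def flatten(config_item):
    """Turn ipPermissions / ipPermissionsEgress into a set of
    (direction, protocol, from_port, to_port, cidr) tuples so sets can be diffed."""
    cfg = config_item["configuration"]
    rules = set()
    for direction, key in (("ingress", "ipPermissions"), ("egress", "ipPermissionsEgress")):
        for perm in cfg.get(key, []):
            proto, lo, hi = perm["ipProtocol"], perm.get("fromPort"), perm.get("toPort")
            cidrs = ([r["cidrIp"] for r in perm.get("ipRanges", [])]
                     + [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])])
            for cidr in cidrs:
                rules.add((direction, proto, lo, hi, cidr))
    return rules


def _key(rule):  # "-1" (all traffic) rules have no ports; sort them first
    d, proto, lo, hi, cidr = rule
    return (d, proto, -1 if lo is None else lo, -1 if hi is None else hi, cidr)


def diff_items(older, newer):
    before, after = flatten(older), flatten(newer)
    return {"added": sorted(after - before, key=_key),
            "removed": sorted(before - after, key=_key),
            "captured": newer["configurationItemCaptureTime"],
            # relatedEvents holds the CloudTrail event IDs behind the change:
            # that is where "who made it" comes from.
            "related_events": newer.get("relatedEvents", [])}


def risky(rule):
    """Inbound from anywhere on an admin port, or all traffic from anywhere."""
    direction, proto, lo, hi, cidr = rule
    if direction != "ingress" or cidr not in ANYWHERE:
        return False
    if proto == "-1":
        return True
    return lo is not None and any(lo <= p <= hi for p in ADMIN_PORTS)


def _to_perm(rule):
    """Rule tuple back into the IpPermissions shape the EC2 API expects."""
    _, proto, lo, hi, cidr = rule
    perm = {"IpProtocol": proto}
    if lo is not None:
        perm.update(FromPort=lo, ToPort=hi)
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return perm


def revert_plan(older, newer):
    """Arguments for revoke_security_group_ingress / authorize_security_group_ingress
    that take the group from the newer item back to the older one."""
    d = diff_items(older, newer)
    return {"group_id": newer["resourceId"],
            "risky_additions": [r for r in d["added"] if risky(r)],
            "revoke_ingress": [_to_perm(r) for r in d["added"] if r[0] == "ingress"],
            "authorize_ingress": [_to_perm(r) for r in d["removed"] if r[0] == "ingress"],
            "cloudtrail_event_ids": d["related_events"]}


def fetch_last_two(config, group_id):
    """Real-world input: the two most recent items from the Config API."""
    hist = config.get_resource_config_history(resourceType="AWS::EC2::SecurityGroup",
                                              resourceId=group_id, limit=2)
    items = hist["configurationItems"]          # newest first
    for item in items:
        item["configuration"] = json.loads(item["configuration"])
    return items[1], items[0]


def _item(capture_time, ssh_cidr, related):  # constructed sample items
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0web00000000001",
            "configurationItemCaptureTime": capture_time, "relatedEvents": related,
            "configuration": {"groupId": "sg-0web00000000001", "groupName": "web",
                              "ipPermissions": [
                                  {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                   "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
                                  {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                   "ipRanges": [{"cidrIp": ssh_cidr}]}],
                              "ipPermissionsEgress": [
                                  {"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}


OLDER = _item("2025-05-20T09:12:00Z", "10.0.0.0/8", [])
NEWER = _item("2025-05-21T17:45:00Z", "0.0.0.0/0", ["0a1b2c3d-placeholder-cloudtrail-event"])

if __name__ == "__main__":
    print(json.dumps(revert_plan(OLDER, NEWER), indent=2, default=list))
```

The revoke call is generated from the diff rather than typed by hand, so the revert removes exactly what the change added and restores exactly what it removed. The CloudTrail event IDs in the plan are what you pass to the post-mortem (lookup-events gives the principal and source IP behind them).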

Related: Passing the AWS Security Specialty Cert Part 2: Logging & Monitoring.

Infrastructure Security: What to Know for the AWS SCS-C02

The Infrastructure Security domain of the exam covers implementing and managing security controls to protect your data and applications. This is a broad domain! One handy way to approach it is to think first about the traffic outside of your network and then the traffic on the inside.

Network edge security keeps unwanted traffic out of your VPCs. Security groups and network ACLs are the basic tools: they limit traffic to specific ports from specific sources. Remember the distinction the exam likes to test: security groups are stateful, attached to an ENI and allow-only, so the return traffic for an allowed connection is permitted automatically; NACLs are stateless, apply to a whole subnet, support explicit deny, are evaluated in rule-number order with the first match winning, and therefore need an explicit outbound rule for ephemeral ports (1024-65535) or replies never leave the subnet. Hopefully, you already have a good grasp of this as an experienced AWS admin.
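The stateless behaviour of a network ACL, worked through as an added example (not from the post or from AWS): a small evaluator that applies numbered rules the way the VPC does, first match wins, implicit deny at the end, and then checks a complete request/reply exchange against both the inbound and outbound rule sets. The rule sets and IP addresses are constructed; the "missing" outbound set is the common mistake of mirroring the inbound rules.

```python
"""Evaluate network ACL rules the way a VPC does (added example).

Rules are checked in ascending rule-number order, the first match wins, and an
implicit deny-all ("*") sits at the end. Because NACLs are stateless, the reply
to an allowed inbound request is evaluated again by the outbound rules, so an
outbound allow for ephemeral ports is required. Rule sets below are constructed.
"""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    number: int
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int    # use 0-65535 for "all ports"
    port_to: int
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, remote_ip, port):
    """Return (action, rule number) for one packet; "*" is the implicit deny."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action, r.number
    return "deny", "*"


def exchange_allowed(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """One client/server exchange: the request enters on server_port, the reply
    leaves towards client_port. Both legs must be allowed for it to work."""
    request = evaluate(inbound, protocol, client_ip, server_port)
    reply = evaluate(outbound, protocol, client_ip, client_port)
    return {"request": request, "reply": reply,
            "ok": request[0] == "allow" and reply[0] == "allow"}


# Constructed rule sets for a public web subnet.
INBOUND = [
    Rule(90, "tcp", "203.0.113.0/24", 0, 65535, "deny"),   # known-bad range, lowest number wins
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "10.0.0.0/8", 22, 22, "allow"),
]
OUTBOUND_MISSING_EPHEMERAL = [                               # the mistake: mirrors inbound
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
OUTBOUND_FIXED = OUTBOUND_MISSING_EPHEMERAL + [
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),     # lets replies reach client ports
]

if __name__ == "__main__":
    print(exchange_allowed(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.7", 51234, 443))
    print(exchange_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51234, 443))
```

With the mirrored outbound set the HTTPS request is allowed in but the reply is dropped by the implicit deny, which is exactly what a broken NACL looks like from the outside: the TCP handshake never completes. A security group needs no such rule because it tracks the connection and lets the reply through on its own.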

The next layer of edge defense is AWS WAF. The Web Application Firewall inspects HTTP(S) requests for common web application attacks such as SQL injection and cross-site scripting. You build a web ACL from AWS Managed Rules groups (for example the Core rule set and the Known Bad Inputs set) plus your own rules, and give each rule an action: allow, block, or count, which logs matches without blocking and is the right setting while you tune a new rule. WAF attaches to CloudFront, Application Load Balancers and API Gateway, so hostile requests are dropped before they ever reach your EC2 instances.

Next comes AWS Shield, which detects and mitigates DDoS attacks. Shield Standard is free and automatic for every AWS customer, defending against the common network- and transport-layer (layer 3 and 4) floods aimed at resources such as EC2 instances, CloudFront distributions and ELBs. Shield Advanced is a paid subscription that adds protection against larger and more sophisticated attacks, detailed attack visibility, cost protection for the scaling charges an attack causes, and 24/7 access to the Shield Response Team, kinda like the Avengers but for hackers instead of Thanos.

Finally, we’ll look at Amazon Inspector. For any bad traffic that does make it through the edge, the next line of defense is hardened operating systems and applications, and those are only as strong as your visibility into their vulnerabilities. Inspector continuously scans EC2 instances, container images in ECR and Lambda functions for known software vulnerabilities (CVEs), and also flags EC2 instances that are reachable from the internet on ports they should not expose. Each finding carries a severity and says whether a fix is available.

Working in conjunction with Inspector, AWS Systems Manager Patch Manager installs the missing patches. You can run it on demand through Run Command (the AWS-RunPatchBaseline document, with Operation=Scan to only report or Operation=Install to patch) or on a schedule through maintenance windows, across your entire fleet, targeting instances by ID or by tag. Systems Manager also covers other useful automation, such as running commands or scripts across your instances with Run Command or Automation runbooks.
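The hand-off from Inspector to Systems Manager, as an added example (not code from the post or from AWS): take Inspector findings, keep only package vulnerabilities of the chosen severity for which a fix exists, collect the affected instance IDs, and build AWS-RunPatchBaseline Run Command calls in batches of 50 instances (the InstanceIds limit of a single send_command). The findings are constructed in the shape Inspector returns, with placeholder CVE and instance IDs; the FakeSSM stand-in is constructed so the block runs offline.

```python
"""Turn Inspector findings into Systems Manager patch runs (added example).

Findings are constructed in the shape Inspector's list_findings returns, with
placeholder CVE and instance IDs. The SSM client is injected so the flow runs
offline against the constructed FakeSSM; a real boto3 "ssm" client fits the
same call.
"""

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
PATCH_DOCUMENT = "AWS-RunPatchBaseline"
MAX_INSTANCE_IDS_PER_COMMAND = 50   # send_command InstanceIds limit; use Targets for more


def instances_to_patch(findings, min_severity="HIGH"):
    """Map instance id -> set of CVE ids that patching can actually fix."""
    threshold = SEVERITY_RANK[min_severity]
    todo = {}
    for f in findings:
        # Network reachability findings are real problems but not ones a patch
        # fixes; they belong with the security group review instead.
        if f.get("type") != "PACKAGE_VULNERABILITY":
            continue
        if f.get("fixAvailable") == "NO":      # nothing to install yet; track separately
            continue
        if SEVERITY_RANK.get(f.get("severity"), -1) < threshold:
            continue
        cve = f["packageVulnerabilityDetails"]["vulnerabilityId"]
        for res in f.get("resources", []):
            if res["type"] == "AWS_EC2_INSTANCE":
                todo.setdefault(res["id"], set()).add(cve)
    return todo


def patch_command_batches(instance_ids, reboot="RebootIfNeeded",
                          batch=MAX_INSTANCE_IDS_PER_COMMAND):
    """send_command keyword arguments, one dict per batch of instances."""
    ids = sorted(instance_ids)
    return [{"DocumentName": PATCH_DOCUMENT,
             "Parameters": {"Operation": ["Install"], "RebootOption": [reboot]},
             "InstanceIds": ids[i:i + batch],
             "Comment": "Inspector-driven patch run"}
            for i in range(0, len(ids), batch)]


def patch_from_findings(ssm, findings, min_severity="HIGH"):
    """Run the whole flow; returns what was targeted and the command ids to watch."""
    todo = instances_to_patch(findings, min_severity)
    command_ids = [ssm.send_command(**kw)["Command"]["CommandId"]
                   for kw in patch_command_batches(todo)]
    return todo, command_ids


class FakeSSM:
    """Constructed stand-in for boto3's SSM client; records the calls it receives."""

    def __init__(self):
        self.calls = []

    def send_command(self, **kw):
        self.calls.append(kw)
        return {"Command": {"CommandId": f"cmd-{len(self.calls)}"}}


def _pkg(cve, severity, fix, instance_ids):   # constructed Inspector finding
    return {"type": "PACKAGE_VULNERABILITY", "severity": severity, "fixAvailable": fix,
            "packageVulnerabilityDetails": {"vulnerabilityId": cve},
            "resources": [{"type": "AWS_EC2_INSTANCE", "id": i} for i in instance_ids]}


SAMPLE_FINDINGS = [
    _pkg("CVE-0000-0001", "CRITICAL", "YES", ["i-0aaa"]),
    _pkg("CVE-0000-0002", "HIGH", "YES", ["i-0aaa", "i-0bbb"]),
    _pkg("CVE-0000-0003", "HIGH", "NO", ["i-0ccc"]),        # no fix yet: skipped
    _pkg("CVE-0000-0004", "MEDIUM", "YES", ["i-0ddd"]),     # below HIGH: skipped by default
    {"type": "NETWORK_REACHABILITY", "severity": "HIGH",    # not patchable: skipped
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0eee"}]},
]

if __name__ == "__main__":
    import boto3  # only for a real run; findings come from inspector2.list_findings
    print(patch_from_findings(boto3.client("ssm"), SAMPLE_FINDINGS))
```

Findings with no available fix are deliberately left out of the patch run; they still need an owner (a compensating control or a vendor ticket), so in practice you would route them to a separate list rather than drop them. For fleets larger than a few hundred instances, target by tag with Targets instead of InstanceIds and let a maintenance window schedule the run.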

Related: Passing the AWS Security Specialty Cert Part 4: Management and Security Governance

Final Thoughts

The AWS Security Specialty cert is advanced, but well worth it for anyone involved in managing AWS accounts. A lot of the work is setting up the correct monitoring and services so that only relevant alerts reach you and ensuring that many of your defenses are automated.

We're not done, though! There is one final domain to cover: Management and Security Governance. Join us in part four as we close out this series.

Want to learn more about AWS? Sign up for a free trial of CBT Nuggets and dive into AWS Certified Security Specialist training.



© 2025 CBT Nuggets. All rights reserved.