Passing the AWS Security Specialist Cert Part 3: Incident Response and Infrastructure Security

In this third and final of our part series, we’ll explore the fourth and fifth domains covered by the AWS Certified Security – Specialty exam (SCS-C01). Check out part one and part two if you missed those. 

Assuming you’re all caught up, let’s jump right into Incident Response and Infrastructure Security!

Ready to Learn AWS Skills in 2023?

AWS is the undisputed leader in the cloud computing market. If you’ve been thinking about earning a certification or upskilling this year, learning AWS is as safe a bet as any. Find the online AWS training you need at CBT Nuggets. 

No matter if you are brand new to the cloud or a seasoned networking pro, our courses can get you up to speed on the latest AWS technologies and best practices. Our AWS cloud training maps to highly valued certifications — and covers skills that many organizations desperately need. 

Not a CBT Nuggets subscriber? Sign up for a 7-day free trial to get a feel of what it’s like to learn IT with us. Explore our AWS training and start learning skills that can help you level up your career today!

Incident Response

As part of the Security cert exam, you will be quizzed on more general knowledge of incident response concepts and processes, and also the relevant AWS services related to dealing with an incident in your environment.

There are a few basics you need to have squared away before an incident happens so that you’re not caught completely unaware in the fog of war.

Identifying threats preemptively that are relevant to your environment is an essential starting point. This will be a broad and shallow list, things like a hacked EC2 web server, publicly disclosed AWS access keys, or even a full-on breach and disclosure of private data. 

Next, you must formulate response steps and be ready to assign personal, a.k.a. who does what and when. You don’t want to be making assumptions about who is owning an incident and definitely don’t want to miss essential steps to mitigation.

Finally, after an incident, you must do a post-mortem. This is determining what happened, how to prevent it, how to better prepare and respond, etc. There must be no blame or finger-pointing during this process, just learning together how to be better.

Incident response is obviously a huge topic that we can only scratch the surface of here. AWS has published a comprehensive whitepaper that’s good reading, both for test prep and for real-world prep.

As mentioned, an invaluable part of incident response is shoring up your defenses to prevent an incident from ever happening (or, if you’re unlucky, preventing a repeat incident). AWS has you covered though with several services focused around this area.

GuardDuty is an invaluable service for continuously monitoring your AWS environment, looking out for potential security threats. It uses a variety of techniques like machine learning and threat intelligence feeds to create alerts on traffic or events that just don’t fit the normal patterns. You can customize which of these alerts end up in your inbox to reduce noise and focus on only the threat relevant to your environment.

Another invaluable incident response service is AWS Config. It essentially records the configuration of your various AWS resources and tracks changes to those configurations over time. To illustrate, let’s say you have an EC2 instance that was compromised because the security group was altered. AWS Config will show on a timeline when that security group was changed, who made the change, and what the previous configuration was. Very handy to track and revert changes.

Infrastructure Security

The Infrastructure Security domain of the AWS Certified Security – Specialty exam (SCS-C01) covers implementing and managing security controls to protect your data and applications.

This is obviously a pretty broad domain but one way to subdivide up your infrastructure security is to think about traffic first outside and then inside the edge of the network.

Network edge security is basically keeping any bad traffic from getting into your VPCs to begin with. Security groups and NACLs are essential here to limit traffic to specific ports only from specific destinations. Hopefully, you already have a good grasp of this as an experienced AWS admin.

The next layer of edge defense is AWS WAF. The Web Application Firewall monitors incoming traffic for common application vulnerabilities like SQL injections or cross-site scripting. You can set up included rules sets or allow, block, or log on flagged traffic. WAF integrates with CloudFront to protect your apps before the traffic ever makes it to your EC2 instances.

Next comes AWS Shield. This service detects and blocks DDoS attacks. Shield has a Standard tier, which everyone gets for free and is enabled for all your EC2 instances, CloudFront distributions, and ELBs. Shield Advanced adds advanced protections for more elaborate attacks and gets you access to the Shield Response Team, kinda like the Avengers but for DDoS attacks instead of Thanos.

Finally, we’ll look at AWS Inspector. For any bad traffic that does make it through the edge, we must shore up the next line of defense with hardened OSes and applications. These layers are only strong if we monitor them for common vulnerabilities or CVEs. Inspector scans your EC2 instances, looking for and reporting on CVEs.

Working in conjunction with Inspector, AWS Systems Manager can patch those out-of-date instances. You can automate this potentially tedious work using Systems Manager, applying patches on demand across your entire fleet of instances to maximize your valuable time. It can do other neat automation, like running custom commands or scripts across your instances.

Final Thoughts

We come now to the end of our AWS Security Specialist Certification overview. This is a more advanced cert but is well worth it for anyone involved in managing AWS accounts. A lot of the work is setting up the correct monitoring and services so that only relevant alerts make it your way and that a lot of the security is automated.

Hopefully, this was an invaluable overview, both of how to protect your accounts and also in preparation for the test. Best of luck to you on both!