Introduction

As the pioneer and world leader of cloud computing, Amazon Web Services (AWS) has positioned security as its highest priority. Throughout its history, the cloud provider has constantly added security-specific services to its offerings as well as security features to its ever-growing portfolio. Consequently, the AWS Certified Security—Specialty certification offers a great way for IT professionals to achieve industry recognition as cloud security experts and learn how to secure AWS environments, both in concept and practice.

According to the AWS Certified Security Specialty Exam Guide, the corresponding certification attests your ability to demonstrate the following:

• An understanding of specialized data classifications and AWS data protection mechanisms
• An understanding of data-encryption methods and AWS mechanisms to implement them
• An understanding of secure Internet protocols and AWS mechanisms to implement them
• A working knowledge of AWS security services and features of services to provide a secure production environment
• Competency from two or more years of production deployment experience in using AWS security services and features
• The ability to make trade-off decisions regarding cost, security, and deployment complexity to meet a set of application requirements
• An understanding of security operations and risks

Through multiple choice and multiple response questions, you will be tested on your ability to design, operate, and troubleshoot secure AWS architectures composed of compute, storage, networking, and monitoring services. It is expected that you know how to deal with different business objectives (such as cost optimization, agility, and regulations) to determine the best solution for a described scenario.

The AWS Certified Security—Specialty exam is intended for individuals who perform a security role for three to five years with at least two years of hands-on experience securing AWS workloads.

What Does This Book Cover?

To help you prepare for the AWS Certified Security Specialty (SCS-C02) certification exam, AWS Certified Security Study Guide Specialty (SCS-C02) Exam, Second Edition explores the following topics:

• Chapter 1: Security Fundamentals  This chapter introduces you to basic security definitions and foundational networking concepts. It also explores major types of attacks, along with the AAA architecture, security frameworks, practical models, and other solutions. In addition, it discusses the TCP/IP protocol stack.
• Chapter 2: Cloud Security Principles and Frameworks  This chapter discusses critical AWS Cloud security concepts such as its shared responsibility model, AWS hypervisors, AWS security certifications, the AWS Well-Architected Framework, and the AWS Marketplace. It also addresses both security of the cloud and security in the cloud. These concepts are foundational for working with AWS.
• Chapter 3: Management and Security Governance  This chapter discusses strategies to govern your workloads effectively using multiple AWS accounts and AWS Organizations to centrally manage security services with delegated administration and applying guardrails such as SCPs (Service Control Policies) as a technical solution to enforce policies across your organization. It also addresses how AWS Control Tower helps to consistently deploy architectures based on best practices and security guardrails to protect your workloads.
• Chapter 4: Identity and Access Management  This chapter explores AWS Identity and Access Management (IAM), which establishes the foundation for all resource interactions within AWS accounts. It covers authentication methods through various interfaces (AWS Console, CLI, and SDKs) and explains how to implement authorization through policies and permissions. The chapter also addresses critical security features, including multifactor authentication, identity federation, and AWS Secrets Manager, while emphasizing best practices for securing AWS environments. Key concepts include role-based access, cross-account permissions, and the principle of least privilege.
• Chapter 5: Security Logging and Monitoring  This chapter discusses how to gather information about the status of your resources and the events they produce through a four-stage framework: resources state, events collection, events analysis, and action. Key services include AWS Config, CloudTrail, CloudWatch, Inspector, Security Lake, Systems Manager, Trusted Advisor, and EventBridge, which work together to provide comprehensive visibility and automated responses to security events in AWS environments.
• Chapter 6: Infrastructure Protection  This chapter explores AWS networking concepts such as Amazon VPC, subnets, route tables, and other features that are related to network address translation (NAT gateways and NAT instances) and traffic filtering (security groups and network access control lists). It also addresses AWS Elastic Load Balancing and how security services such as AWS Web Application Firewall can provide secure access to your cloud-based applications. Finally, it discusses the AWS Shield and AWS’s unique approach to mitigate distributed denial-of-service attacks.
• Chapter 7: Data Protection  This chapter discusses protecting data using a variety of security services and best practices, including AWS Key Management Service (KMS), the cloud hardware security module (CloudHSM), and AWS Certificate Manager. It also covers creating a customer master key (CMK) in AWS KMS, protecting Amazon S3 buckets, and how Amazon Macie can deploy machine learning to identify personal identifiable information (PII).
• Chapter 8: Threat Detection and Incident Response  This chapter covers AWS threat detection services (including GuardDuty, Security Hub, Trusted Advisor, and Detective) and incident response procedures, emphasizing both manual and automated approaches to handling security incidents. It covers the incident response life cycle, common security scenarios, and best practices for creating and implementing response plans while leveraging AWS services and automation capabilities to detect and remediate security issues effectively.
• Appendix A: Answers to Review Questions  This appendix provides the answers to the review questions that appear at the end of each chapter throughout the book.
• Appendix B: Creating Your Security Journey in AWS  This appendix discusses how to create your strategy to improve your security posture, consistently prioritizing the most important initiatives that can provide you security benefits, such as mitigating critical risks as soon as possible, thus optimizing your team’s results.
• Appendix C: AWS Security Services Portfolio  This appendix provides an overview of the 24 AWS cloud services dedicated to security, identity, and compliance.
• Appendix D: DevSecOps in AWS  This appendix introduces DevSecOps, the AWS family of services that implement DevOps practices, and how security controls can be implemented in an automated pipeline.

How to Contact the Publisher

If you believe you’ve found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line “Possible Book Errata Submission.”

Interactive Online Learning Environment and Test Bank

Studying the material in the AWS Certified Security Study Guide: Specialty (SCS-C02) Exam is an important part of preparing for the AWS Certified Security Specialty (SCS-C02) certification exam, but we provide additional tools to help you prepare. The online test bank will help you understand the types of questions that will appear on the certification exam. The online test bank runs on multiple devices.

Sample Tests: The sample tests in the test bank include all the questions at the end of each chapter as well as the questions from the assessment test. In addition, there are two practice exams with 50 questions each. You can use these tests to evaluate your understanding and identify areas that may require additional study.

Flashcards: The flashcards in the test bank will push the limits of what you should know for the certification exam. There are 100 questions provided in digital format. Each flashcard has one question and one correct answer.

Glossary: The online glossary is a searchable list of key terms introduced in this exam guide that you should know for the AWS Certified Security Specialty (SCS-C02) certification exam.

Go to www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools. To start using these tools to study for the AWS Certified Security Specialty (SCS-C02) exam, go to www.wiley.com/go/sybextestprep to register your book and receive your unique PIN. Once you have the PIN, return to www.wiley.com/go/sybextestprep, find your book, and click register or login and follow the link to register a new account or add this book to an...