AWS Certified Security – Specialty

AWS Certified Security – Specialty Fundamentals — Quiz 1 — Study Guide


Security is the backbone of every cloud deployment. Whether you're protecting sensitive customer data, preventing unauthorized access, or detecting threats before they cause damage, AWS provides a rich ecosystem of security services. This guide walks you through the core services and concepts you need to master for the AWS Security Specialty exam — and more importantly, to build genuinely secure architectures.


Identity & Access Management

IAM: The Foundation of Access Control

AWS Identity and Access Management (IAM) is the central service for managing who can do what in your AWS account. Every API call in AWS is authorized through IAM.

Key IAM concepts:

  • Users – Individual identities with credentials
  • Groups – Collections of users sharing permissions
  • Roles – Temporary identities assumed by services or users
  • Policies – JSON documents defining allowed/denied actions, for example a policy that allows reading objects from one bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my-bucket/*"
        }
      ]
    }

Least Privilege Principle: Always grant only the permissions needed — nothing more. This is a foundational security principle on the exam.

AWS Organizations & SCPs

AWS Organizations lets you manage multiple AWS accounts centrally. Service Control Policies (SCPs) act as guardrails — they define the *maximum* permissions any account in your organization can have, enabling governance at scale.

Amazon Cognito & Zero Trust

Cognito handles user authentication for web and mobile apps. It supports MFA, social login, and integrates with Zero Trust architectures — where no user or device is trusted by default, even inside your network.


Network Security

Security Groups vs. Network ACLs (NACLs)

These are the two layers of network access control in AWS VPCs:

Feature    | Security Groups                        | NACLs
-----------|----------------------------------------|---------------------------------------------------
Level      | Instance (resource) level              | Subnet level
State      | Stateful (return traffic auto-allowed) | Stateless (must define inbound AND outbound rules)
Rules      | Allow only                             | Allow and Deny
Evaluation | All rules evaluated                    | Rules evaluated in order (numbered)

Analogy: Think of NACLs as the building's front door policy (applies to everyone entering the floor/subnet), and Security Groups as the lock on each individual office door.
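The stateful/stateless and rule-ordering differences in the table above, as an added example that is not part of the original guide: a small Python simulator. The rule sets and packets are constructed for illustration, not AWS API objects.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (toward the instance) or "out"
    proto: str           # "tcp" or "udp"
    port: int            # destination port
    remote_ip: str       # the other end of the flow
    reply: bool = False  # True when this packet answers an already-allowed flow

def _matches(rule, pkt):
    """Shared match on direction, protocol, port range and remote CIDR."""
    return (rule["dir"] == pkt.direction and rule["proto"] in (pkt.proto, "all")
            and rule["from"] <= pkt.port <= rule["to"]
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule["cidr"]))

def sg_permits(rules, pkt):
    """Security group: allow rules only, every rule evaluated, stateful:
    a reply to an allowed flow passes without any matching rule."""
    return pkt.reply or any(_matches(r, pkt) for r in rules)

def nacl_permits(rules, pkt):
    """NACL: numbered allow/deny rules, lowest number first, first match wins,
    stateless: a reply is just another packet and needs its own rule."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if _matches(r, pkt):
            return r["action"] == "allow"
    return False  # the implicit "*" deny at the end of every NACL

# Constructed rule sets: HTTPS from anywhere, except one CIDR that the NACL
# denies first. No outbound NACL rule covers ephemeral ports, on purpose.
SG_RULES = [{"dir": "in", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]
NACL_RULES = [
    {"num": 90, "dir": "in", "proto": "tcp", "from": 443, "to": 443,
     "cidr": "203.0.113.0/24", "action": "deny"},
    {"num": 100, "dir": "in", "proto": "tcp", "from": 443, "to": 443,
     "cidr": "0.0.0.0/0", "action": "allow"},
]

def permitted(pkt, sg_rules=SG_RULES, nacl_rules=NACL_RULES):
    """A packet must pass the subnet NACL and then the instance security group."""
    return nacl_permits(nacl_rules, pkt) and sg_permits(sg_rules, pkt)
```

Running it shows the two classic exam traps: the deny in rule 90 wins over the allow in rule 100 for its CIDR, and the HTTPS reply passes the security group but is dropped by the NACL because no outbound ephemeral-port rule exists.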

AWS WAF (Web Application Firewall)

AWS WAF is a serverless firewall that protects web applications from common exploits like SQL injection and cross-site scripting (XSS). It integrates with CloudFront, API Gateway, and Application Load Balancers. You define Web ACLs with rules to allow, block, or count requests.

AWS Shield: DDoS Protection

  • Shield Standard – Free, automatic protection against common DDoS attacks for all AWS customers
  • Shield Advanced – Paid tier with 24/7 DDoS response team, cost protection, and enhanced detection

DDoS (Distributed Denial of Service) attacks flood your resources with traffic to make them unavailable. Shield protects availability — one of the core pillars of security.


Data Protection & Encryption

S3 Security

S3 buckets store vast amounts of data, making them a common target. Key protections:

  • Block Public Access – Account-level setting to prevent accidental public exposure
  • Bucket Policies – Resource-based policies controlling access
  • Encryption in Transit – Enforce HTTPS using a bucket policy with aws:SecureTransport, for example this bucket policy for my-bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
          "Condition": {
            "Bool": { "aws:SecureTransport": "false" }
          }
        }
      ]
    }

AWS KMS: Key Management Service

KMS lets you create, manage, and control cryptographic keys used to encrypt data across AWS services. Keys never leave KMS unencrypted. Use Customer Managed Keys (CMKs) for fine-grained control over rotation and access policies.

Secrets Manager

Secrets Manager securely stores and automatically rotates credentials like database passwords and API keys. Unlike hardcoding secrets in code, applications retrieve them at runtime via API — eliminating a major vulnerability.

Nitro Enclaves

Nitro Enclaves provide isolated compute environments within EC2 instances for processing highly sensitive data (like cryptographic operations). They have no persistent storage, no network access, and no interactive access — maximum isolation.


Threat Detection & Monitoring

Amazon GuardDuty

GuardDuty is a managed threat detection service that continuously monitors CloudTrail logs, VPC Flow Logs, and DNS logs using machine learning to identify suspicious behavior — like unusual API calls or communication with known malicious IPs.

Amazon Inspector

Inspector performs automated vulnerability assessments on EC2 instances and container images, checking for unpatched software, open ports, and CVEs (Common Vulnerabilities and Exposures). It's your automated security scanner.

AWS CloudTrail

CloudTrail records every API call made in your AWS account — who did what, when, and from where. It's the foundation of auditing and forensic investigation. Always enable CloudTrail in all regions.

AWS Security Hub

Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools into a single security posture dashboard. It maps findings to compliance standards like CIS AWS Foundations and PCI DSS.


Compliance & Governance

AWS Config

Config continuously records the state of your AWS resources and evaluates them against compliance rules. If an S3 bucket becomes publicly accessible, Config can detect it and trigger automated remediation via Lambda.
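An added example (not from the original guide) of the Config-to-Lambda loop just described: a custom-rule handler that judges a bucket's Block Public Access settings and re-enables them when the bucket is non-compliant. The invocation event shape is the standard Config custom-rule one; the PublicAccessBlockConfiguration key names under supplementaryConfiguration and the sample event are assumptions, and a recording stand-in replaces the boto3 S3 client so the code runs offline.

```python
import json

# Assumed key names as Config reports them for an AWS::S3::Bucket item.
FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")

def evaluate_bucket(item):
    """COMPLIANT only when all four Block Public Access settings are on."""
    pab = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration", {})
    if isinstance(pab, str):  # Config delivers nested blocks as JSON strings
        pab = json.loads(pab)
    return "COMPLIANT" if all(pab.get(k) is True for k in FLAGS) else "NON_COMPLIANT"

def build_evaluation(item):
    """One entry of the list handed to config.put_evaluations(Evaluations=[...])."""
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": evaluate_bucket(item),
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def remediate(bucket, s3):
    """Re-enable all four settings; s3 is a boto3 S3 client or a stand-in."""
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={f[0].upper() + f[1:]: True for f in FLAGS})

def handler(event, s3=None):
    """Lambda entry point; a real deployment also sends the result to Config."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::S3::Bucket":
        return {"ComplianceType": "NOT_APPLICABLE"}
    result = build_evaluation(item)
    if result["ComplianceType"] == "NON_COMPLIANT" and s3 is not None:
        remediate(item["resourceName"], s3)
    return result

class RecordingS3:
    """Offline stand-in for boto3.client('s3'); records the remediation call."""
    def __init__(self):
        self.calls = []
    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)

# Constructed sample event: a bucket whose ignorePublicAcls flag was switched off.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::S3::Bucket", "resourceId": "my-bucket", "resourceName": "my-bucket",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"PublicAccessBlockConfiguration": json.dumps(
        {"blockPublicAcls": True, "ignorePublicAcls": False,
         "blockPublicPolicy": True, "restrictPublicBuckets": True})}}})}
```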

MFA (Multi-Factor Authentication)

MFA adds a second layer of authentication beyond passwords. For the exam, remember:

  • Require MFA for sensitive IAM actions using the aws:MultiFactorAuthPresent condition
  • MFA delete on S3 prevents accidental or malicious bucket deletion
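To tie together the IAM policy, the SCP guardrail, the aws:SecureTransport bucket policy and the aws:MultiFactorAuthPresent condition from the sections above, here is an added example that is not from the original guide: an offline model of the IAM evaluation order (explicit Deny wins, the SCP must allow, then some policy must Allow). The three policies and the request contexts are constructed; the model simplifies principal and cross-account handling.

```python
from fnmatch import fnmatchcase

# Constructed policies (not from a real account). The SCP guardrail denies IAM
# changes unless MFA was used; the bucket policy denies plain-HTTP access.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Equality operators only (Bool, StringEquals) plus their IfExists forms."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if op.endswith("IfExists"):
                    continue      # an absent key satisfies an IfExists operator
                return False      # an absent key never satisfies a plain operator
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def _effects(policy, ctx):
    """Effects of every statement whose Action, Resource and Condition match."""
    return {s["Effect"] for s in policy["Statement"]
            if any(fnmatchcase(ctx["action"], a) for a in _as_list(s["Action"]))
            and any(fnmatchcase(ctx["resource"], r) for r in _as_list(s["Resource"]))
            and _condition_holds(s.get("Condition", {}), ctx)}

def is_allowed(ctx, identity=IDENTITY_POLICY, resource=BUCKET_POLICY, scp=SCP):
    """ctx holds the request's action, resource ARN and condition keys."""
    scp_fx, id_fx, res_fx = _effects(scp, ctx), _effects(identity, ctx), _effects(resource, ctx)
    if "Deny" in scp_fx | id_fx | res_fx:
        return False                   # 1. an explicit Deny in any policy is final
    if "Allow" not in scp_fx:
        return False                   # 2. the SCP caps what the account may do at all
    return "Allow" in id_fx | res_fx   # 3. something must still grant it, else implicit deny
```

Note the BoolIfExists operator in the SCP: with a plain Bool, a request that carries no aws:MultiFactorAuthPresent key at all would slip past the guardrail.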

Quick Reference: Service Purposes

Service            | Primary Purpose
-------------------|--------------------------------------
WAF                | Block web exploits (SQLi, XSS)
Shield             | DDoS protection
GuardDuty          | Threat detection & monitoring
Inspector          | Vulnerability scanning
CloudTrail         | API auditing
Config             | Compliance & configuration tracking
KMS                | Encryption key management
Secrets Manager    | Secure credential storage & rotation
Security Hub       | Centralized security posture
Cognito            | User authentication
Organizations/SCPs | Multi-account governance

Key Takeaways

  • IAM and least privilege are foundational — always grant minimum necessary permissions, use SCPs in Organizations to enforce guardrails across accounts
  • Network security has two layers: Security Groups (stateful, instance-level) and NACLs (stateless, subnet-level) — know the differences cold
  • Encryption everywhere: Use KMS for key management, enforce HTTPS on S3 with bucket policies, and use Secrets Manager instead of hardcoded credentials
  • Detection and monitoring: GuardDuty detects threats automatically, CloudTrail records all API activity for auditing, and Inspector scans for vulnerabilities — together they form a complete monitoring strategy
  • Compliance is automated: AWS Config tracks resource state and triggers remediation; Security Hub centralizes findings across services and maps them to compliance frameworks