
Explore the fundamentals of AWS security, building an order processing system architecture, and master identities, access, real-time visibility, managing multiple accounts, single sign-on, and cross-account sharing through hands-on labs.
Set up an AWS account and learn the root account basics. Explore always free, 12-month free, and trial offers, and monitor charges with the My Billing Dashboard.
Configure billing alerts for free-tier and estimated charges using CloudWatch and AWS Budgets. Delegate billing access to IAM users and enable email alerts and budgets to monitor costs.
Set up an admin IAM group and user with programmatic and console access, attach the AdministratorAccess policy, and configure the AWS CLI with a myadmin profile in us-west-2.
Create and manage EC2 key pairs for login; understand public and private keys, RSA, and when to use .pem or .ppk files with SSH or PuTTY, all from the AWS console.
Contrast server-based and serverless designs by applying a three-tier online marketplace, then demonstrate building resilience across multiple availability zones with load balancers, auto-scaling, and RDS read replicas.
Decouple a tiered AWS solution with SQS and SNS to absorb spikes, route orders by shipping priority, and secure and monitor with SSL, Cognito, IAM, Secrets Manager, CloudWatch, and CloudTrail.
Explore a serverless order processing architecture using API Gateway, Lambda, and Step Functions to orchestrate scalable, resilient workflows with decoupled queues, multi-region routing, and cloud-native security.
Learn about public and private IP addressing, routing, and CIDR notation, and how routers, firewalls, and AWS VPC private blocks secure and route traffic.
Explore deploying a three-tier application in an AWS VPC across two availability zones, with public and private subnets, a router, route tables, an elastic load balancer, and an internet gateway.
Use security groups as instance-level, stateful firewalls to restrict traffic: web servers allow HTTP/HTTPS from anywhere; app servers from the web server; databases from the app server; outbound allowed.
Explore the subnet-level Network ACL, a stateless firewall that permits or denies inbound and outbound traffic, requires explicit rules for both requests and responses, and evaluates its rules in numeric order.
Explain how private, public, and elastic IP addresses attach to AWS instances in a VPC, including IPv4 CIDR blocks, optional IPv6, and how elastic IP supports persistence.
Explore the default VPC across regions, including its 172.31.0.0/16 CIDR, public subnets per availability zone, and the internet gateway with main route table routing traffic.
Launch an EC2 instance in the default VPC public subnet, log in via SSH, and explore private, public, and elastic IPs, including stop/start effects and elastic IP allocation and attachment.
Generate and download an RSA key pair, secure the PEM file, and SSH into a Linux EC2 instance from a Mac as ec2-user.
Launch an Amazon Linux instance in a public subnet and configure a security group to allow ICMP ping and SSH, then explore inbound and outbound rules and the stateful behavior.
Launch an EC2 instance, create a custom network ACL on the default VPC, attach it to subnets, and test inbound and outbound rules; understand stateless behavior and ping/ssh traffic.
Learn how private subnet instances reach AWS services using NAT gateways or NAT instances, and connect privately via gateway and interface endpoints to S3, DynamoDB, and more.
Create a multi-AZ VPC with public and private subnets, and configure route tables, internet and NAT gateways. Use a bastion host with credential forwarding to access the private instance.
In this video, learn how to simplify your AWS security and routing by using VPC Managed Prefix Lists specifically with CloudFront and EC2 Instance Connect. Discover how these prefix lists help efficiently manage IP address ranges, enhance security by controlling traffic flow, and streamline updates across your AWS resources.
Deploy an EC2 Instance Connect Endpoint in your VPC, configure security groups for SSH access, and connect to a private instance via the endpoint without a bastion host.
Explore how to connect multiple VPCs using peering connections and a transit gateway, enabling private IP communication via a hub with non-overlapping CIDR ranges and managed route tables.
Set up a cross-region VPC peering between Oregon and Ireland, update routes to 10.0.0.0/16 and 172.31.0.0/16, and test private connectivity with ICMP ping.
Learn how to securely share your application with external clients using public endpoints or PrivateLink, via a network load balancer and interface endpoints in AWS.
Configure secure remote access to public and private subnets by deploying a bastion host or using Systems Manager Session Manager, with IAM controls and SSH/RDP port restrictions.
Walk through VPC traffic flow from a public subnet to an EC2 instance via the internet gateway, route table, network ACL, and security groups, including NAT for private subnets.
Explore Site-to-Site VPN, CloudHub with a transit gateway, and Client VPN to securely connect on-premises and branch offices to AWS, plus Direct Connect for consistent performance.
Discover how direct connect links your on-premises data center to AWS with a dedicated physical connection, enabling consistent performance, multiple locations, and access to VPCs, S3, and DynamoDB.
Install Apache via EC2 user data, host a page, and inspect instance metadata such as AMI ID and hostname; then resize from t2.micro to t3.large.
Attach an IAM role to an EC2 instance to grant S3 read access and list buckets via the AWS CLI, using the instance metadata service for temporary credentials.
Explore EC2 storage options: block storage, file shares, and S3 object storage, comparing instance store and elastic block store, with SSD vs magnetic performance.
Elastic Block Store (EBS) provides persistent, network-attached block storage outside the host for EC2, with snapshots in S3, AMIs, and four volume types optimized for varied IOPS and throughput.
Use elastic file shares for Linux, Windows, and high-performance workloads with EFS, FSx for Windows, and FSx for Lustre. Centralize storage, enable cross-server access, and support cloud migrations and backups.
Launch an Amazon Linux instance, install and secure the LAMP stack, then create a reusable AMI with a pre-configured environment for rapid, pre-hardened web deployments.
Monitor AWS resources with CloudWatch metrics, alarms, and logs, including custom metrics, and retrieve or search logs in real time; integrate with Elasticsearch, Splunk, and CloudTrail for audits.
Explore how CloudWatch collects metrics from elastic load balancers and EC2 instances, and how alarms trigger scaling, alerts, or actions to keep applications healthy.
Deploy the CloudWatch log agent to publish instance logs to log streams and log groups, attach metric filters, and set alarms to monitor and consolidate logs in CloudWatch.
Monitor EC2 CPU utilization with CloudWatch detailed monitoring, and set up p90-based alarms to stop idle instances after 15 minutes of inactivity.
Explore elastic load balancing in AWS, including classic, application, and network load balancers, health checks, cross-zone distribution, and automatic scaling for fault tolerance and security.
Compare classic, application, and network load balancers and their roles in HTTP (layer 7) and TCP/UDP (layer 4) traffic. Explain how PrivateLink enables private communication within the AWS network.
Launch two web servers in a default VPC, configure security groups for the load balancer, and deploy a user data script that serves a hostname page and test.txt.
Launch and configure an application load balancer to route http traffic to an EC2 target group, perform health checks, and verify availability via test.txt.
Learn how AWS Auto Scaling maintains capacity, replaces failed instances, rebalances across zones, scales with traffic, and uses lifecycle hooks, scheduling, and predictive scaling with EC2, ECS, DynamoDB, and Aurora.
Maintain a constant web server fleet with auto scaling and register instances with an application load balancer and its target group, using ELB health checks.
Explore how auto scaling and ELB health checks detect server and application errors, replace unhealthy instances, and maintain a highly available capacity behind a load balancer.
Learn to configure an auto scaling group using a launch template with versioning, choosing spot or on demand purchases, and integrate with an application load balancer and target group.
S3 offers highly durable, scalable, low-cost storage with eleven nines of durability and strong consistency for all operations, enabling data analytics, backups, disaster recovery, and archival across regions with policy-based access.
Explore S3 storage classes for hot, warm, and cold data, including Standard, Infrequent Access, Glacier Deep Archive, and Intelligent-Tiering; apply lifecycle rules to optimize cost and access times.
Enable S3 bucket versioning to maintain a full history of object changes, assign unique version IDs, and restore previous versions or delete markers as needed.
Automate retention and storage tiering for S3 objects with lifecycle rules that move data to different storage classes based on age, prefix, tags, and versions.
Explore S3 access control with IAM policies and roles and with resource-level options: use bucket policies, bucket access control lists, and object access control lists for cross-account access, logging, and per-object permissions.
Enable automatic, continuous S3 replication across regions or within the same region to meet compliance, reduce latency, and support disaster recovery by copying metadata and not replicating deletes.
Learn S3 performance strategies, including multipart transfers, parallel uploads, and byte-range fetches for large objects. Explore Storage Gateway file, volume, and tape modes for on-premises integration.
Explore server-side encryption options in S3—SSE-S3, SSE-KMS, and SSE-C—and client-side encryption, and learn how envelope encryption protects data at rest and how bucket and key permissions govern access.
Explore AWS S3 advanced features like AWS managed SFTP for secure transfers, cross-origin resource sharing, pre-signed URLs, S3 Select, Macie, and object lock.
Explore S3 storage classes by creating a bucket, uploading to Standard, Infrequent Access, Intelligent-Tiering, Glacier Instant Retrieval, Glacier Flexible Retrieval, and Deep Archive, and compare retrieval times and costs.
Enable S3 versioning to store multiple object versions, read specific versions, and undo deletions with delete markers, and understand S3 maintains a full copy of each version with storage costs.
Configure S3 lifecycle rules to enforce a 365-day retention for current versions and a 30-day retention for previous versions in a versioned bucket, plus tag-based filtering (PHI) for sensitive data.
Implement a tiered S3 storage policy, transitioning current versions to Standard-IA after 45 days and to Glacier after 90 days, with one-year expiration and 30-day retention for previous versions.
Learn to configure cross-region S3 replication by enabling versioning on source and destination buckets, creating a replication rule, granting an IAM role, and validating replication status.
Explore server-side encryption with S3 managed keys and a customer master key in KMS, enabling read access control and encryption at rest for S3 objects.
Enable bucket level object lock to apply legal hold and retention periods, using governance or compliance modes and the PutObjectLegalHold and PutObjectRetention calls to control data protection.
Explore Glacier Vault Lock with its write-once model and policies. Complete the 24-hour vault lock workflow using the Glacier CLI or APIs, distinct from the S3 APIs, to permanently secure archives.
Enable CloudTrail, S3 Inventory, and S3 Server Access logging to gain visibility into S3 activity, track API calls and object changes, and support incident response and forensic analysis.
Understand how the domain name system maps names to IPs, the role of TTL and caching, and Route 53 and its alias, A/AAAA, CNAME, and MX record types.
Learn how Route 53 handles domain registration, DNS record management, and public and private hosted zones, plus routing policies, health checks, geolocation, latency, and ACM certificate integration.
In today's digital landscape, security is paramount. Are you ready to take your AWS skills to the next level?
Welcome to the AWS Certified Security – Specialty course!
I am Chandra Lingam, and I am your instructor.
Whether you're a seasoned cloud professional or just starting your journey, this course is your key to mastering the art of securing AWS environments. Our expert instructors bring years of real-world experience to the table. You'll dive deep into security best practices, threat detection, and mitigation strategies.
We start by looking at the architecture of an order processing system. Having a solution blueprint will help you prepare for security risks in each component and how to handle them.
Each refresher section covers a core service. You will learn relevant concepts along with the labs and quizzes.
We then dive into more advanced security topics: how to manage identities and access, gain visibility into activities in your AWS environment and respond in near real time, manage multiple accounts in a large organization, enable single sign-on, and share resources among accounts.
We will review recent attacks in AWS and other cloud providers and how to defend against such incidents.
But it's not just about theory; you'll work on hands-on labs to understand incident response concepts.
The course also comes with a timed practice test.
We're not just preparing you for the exam. We're preparing you for success in the field. Elevate your AWS career today and become a certified AWS security expert.
With thousands of reviews and an outstanding average rating, our course stands as the top-rated resource in its category! Join our community of learners, access valuable resources, and enjoy lifetime access to the course content.
I am looking forward to meeting you!
Chandra Lingam
Compute With Cloud, Inc