Meet Stephane Maarek as he introduces the AWS security specialty course, outlines the SCS-C03 exam prep, and explains a domain-based structure with a knowledge module and Solutions Architect Associate prerequisites.
Meet your instructor, a French AWS certifications and Apache Kafka expert, who invites you to set goals, connect on LinkedIn and Instagram, and learn through flexible video sessions.
GuardDuty detects compromised credentials, data exfiltration, and crypto-mining using artificial intelligence, machine learning, anomaly detection, and file discovery.
Learn how GuardDuty findings are sourced from CloudTrail, VPC Flow Logs, and EKS logs, with severity scoring and detailed fields, and how to automate responses via EventBridge, Lambda, and SNS.
Configure a multi-account GuardDuty strategy with delegated administrators to manage findings, suppression rules, and trusted IP lists across an organization. Automate responses with EventBridge, Lambda, and firewall rules.
GuardDuty uses trusted and threat IP lists to filter findings and detect malicious activity, while suppression rules archive low-value findings and DNS findings rely on the default VPC resolver.
Discover AWS Security Hub as a central dashboard that aggregates alerts from GuardDuty, Macie, and Inspector across multiple accounts, enabling automated security checks and quick actions.
Master advanced AWS Security Hub concepts, including cross-region aggregation, org-wide management, AWS Config enablement, security standards, GuardDuty integration, ASFF findings, insights, and automated remediation via EventBridge.
Explore Amazon Detective, a unified analytics tool that uses machine learning and graph theory to analyze GuardDuty, Macie, and CloudTrail data, revealing incident scope and an attacker's actions.
See how GuardDuty findings feed into Detective, enabling machine learning triage to distinguish true positives, scope compromised systems and users, and re-enable CloudTrail to stop attacks.
Amazon Inspector automates security assessments for EC2 instances, container images in ECR, and Lambda functions, continuously scanning for vulnerabilities and reporting findings to AWS Security Hub and EventBridge.
Explore AWS logs across CloudTrail, AWS Config rules, CloudWatch, VPC flow logs, ELB access logs, CloudFront logs, and WAF logs, stored in S3 and analyzed with Athena for security and compliance.
Learn how the unified CloudWatch agent collects metrics and logs from EC2 and on-premises servers, including procstat monitoring of processes and memory usage, with its configuration stored in SSM Parameter Store.
Observe the AWS console's new UI with a bright white backdrop and rounded blue buttons, while usability stays the same as the older interface.
Learn to install the unified CloudWatch agent on EC2, create an IAM role, configure and store the agent config in SSM Parameter Store, fetch it, and monitor logs and metrics.
Troubleshoot the unified CloudWatch agent by validating its config, checking logs, CWAgent namespace, IAM permissions, and connectivity to the logs endpoint, plus ensure security groups, network ACLs, and time sync.
Configure CloudWatch Logs with log groups, streams, retention; export and stream to Amazon S3, Kinesis Data Streams, Kinesis Data Firehose, Lambda, or OpenSearch; and query CloudWatch Logs Insights across accounts.
Explore CloudWatch Logs by examining log groups and streams, surface relevant lines with keyword searches, and manage retention, export to S3, metric filters, alarms, and CloudWatch Logs Insights queries.
Learn how CloudWatch alarms monitor metrics with states, periods, high-resolution options, trigger EC2 actions and auto-scaling, publish to SNS or Lambda, and build composite alarms across metrics with status checks.
Create a CloudWatch alarm on an EC2 t2.micro instance's CPU that terminates the instance if usage stays above 95% for 15 minutes, and test it with the SetAlarmState API.
Analyze log data with CloudWatch Contributor Insights to build time series of top talkers and heavy network users, using built-in or custom rules on AWS logs to flag bad hosts.
Explore Amazon EventBridge, from CloudWatch Events to a central event bus that routes scheduled and event-driven actions across AWS services, partners, and custom buses, with schema registry support.
Explore how Amazon EventBridge uses rules to react to EC2 state changes, dispatching targets like SNS and Lambda, scheduling tasks, and managing event buses with a schema registry.
Learn Amazon Athena, a serverless SQL engine that analyzes S3 data without moving it, using Presto. Optimize with Parquet/ORC formats, partitioning, larger files, and federated queries via Lambda.
Explore querying data in Amazon S3 with Amazon Athena's serverless SQL, setting a query results bucket, and creating databases and tables to analyze access logs.
Troubleshoot insufficient permissions between QuickSight and Athena by ensuring QuickSight can access S3 buckets with GetObject, and grant kms:Decrypt access on the S3 KMS key to the QuickSight IAM role.
Learn how CloudTrail provides governance and audit trails by logging AWS console, SDK, and CLI activity (management, data, CloudTrail Insights events), with exports to CloudWatch or S3 for retention.
Explore how CloudTrail intercepts API calls and tracks 90-day management events, then verify a terminated EC2 instance API call with event source, access key, and region.
Explore CloudTrail Lake, a central data store and managed data lake to aggregate and query events from multiple accounts with SQL, featuring immutable retention up to 10 years and dashboards.
Explore how to integrate Amazon EventBridge with CloudTrail to intercept API calls and trigger SNS alerts for events like DeleteTable in DynamoDB and AssumeRole API.
Learn how CloudTrail delivers logs to S3 hourly with digest files using SHA-256 hashes for tamper detection, and how event integrations via EventBridge support API monitoring across organization trails.
Detect EC2 start activity by streaming CloudTrail API calls to CloudWatch Logs, applying a metric filter with a threshold, and triggering a CloudWatch alarm and SNS alert for the security team.
Integrate CloudTrail with Athena to query CloudTrail logs stored in Amazon S3, create an Athena table from the CloudTrail console, and analyze activity for security and compliance.
Monitor account activity by configuring AWS Config with a recorder and streaming CloudTrail API history to CloudWatch Logs. Use CloudWatch Logs Insights and Athena for queries beyond 90 days.
Macie uses machine learning to discover and protect PII in your S3 buckets, alert on discoveries via EventBridge, and integrate with SNS and Lambda after a one-click enablement.
Master Macie advanced concepts by using managed and custom data identifiers to detect sensitive data in S3, with regex patterns and allow lists, and review discovery results via Athena.
Learn how Amazon S3 event notifications trigger actions by delivering bucket events to SNS, SQS, Lambda, or EventBridge, with filtering, archiving, and reliable, fast delivery.
Demonstrate configuring S3 event notifications and routing object created events to SQS, Lambda, SNS, or EventBridge, with a hands-on test uploading an object.
Learn how VPC flow logs capture IP traffic at the VPC, subnet, or ENI level, and flow to S3, CloudWatch Logs, or Kinesis for monitoring, analytics, and security troubleshooting.
Practice VPC flow logs by creating flow logs to S3 and CloudWatch with accept, reject, or all traffic filters. Use Athena to query logs and analyze potential attacks.
Understand which traffic VPC flow logs miss, including custom DNS server traffic, Windows activation, EC2 metadata, time sync, DHCP, mirrored traffic, and traffic to the VPC router's reserved IP.
Master VPC traffic mirroring to capture and inspect traffic non-intrusively, routing the source ENIs to a Network Load Balancer and security appliances for content inspection, threat monitoring, and troubleshooting.
Explore VPC traffic mirroring architectures, from autoscaling security appliances behind a Network Load Balancer to cloud packet broker routing and cross-VPC mirroring via peering and transit gateway.
Discover how the VPC Network Access Analyzer automatically verifies VPC resources against your network access requirements, flagging non-compliant resources via a JSON Network Access Scope.
Explore Route 53 query logging, detailing public DNS query logging to CloudWatch and resolver query logging for VPC traffic, with destinations like S3, CloudWatch Logs, and Kinesis Data Firehose.
Explore Amazon OpenSearch Service, enabling search across fields with partial matches and analytics, with managed or serverless provisioning, dashboards, and secure ingestion from Kinesis Data Firehose and CloudWatch Logs.
Secure OpenSearch with public access or VPC deployment using IP-based and identity-based policies. Use IAM signing, verify credentials, and enforce domain access policies via VPC endpoints and security groups.
Explore AWS penetration testing, focusing on eight services that require no prior authorization. Avoid DNS zone walking, DoS, DDoS, and port flooding; seek security team approval for other activities.
Perform a controlled DDoS simulation on AWS to validate resilience and incident response, targeting Shield Advanced-protected resources or Edge-Optimized API Gateways, with strict bandwidth and packet limits.
Contain compromised EC2 resources by isolating the instance and snapshotting EBS volumes for forensic analysis, while identifying S3, ECS, and RDS threats with GuardDuty, CloudTrail, and Amazon Detective.
GuardDuty detects compromised credentials; rotate exposed credentials, apply an STS date deny policy, and review CloudTrail for unauthorized activity on compromised IAM roles or accounts.
Explore EC2 key pairs enabling SSH via a private key with the public key in authorized_keys, and remediate exposed keys using a new key pair and SSM Run Command.
Explain how EC2 Instance Connect uses a short-lived key pushed to instance metadata, enabling API-driven SSH with CloudTrail logging and restricted port 22 access.
Learn to use the EC2 serial console to troubleshoot boot, network configuration, and reboot issues by accessing a Nitro-based instance through its serial port, with a single active session.
Discover multiple recovery methods to regain EC2 access after losing an SSH key pair, including EC2 user data, Systems Manager, EC2 Instance Connect, Serial Console, and EBS volume swap.
Recover a Windows EC2 instance with a lost password by detaching the root volume and using EC2Launch v2, EC2Config, EC2Rescue, or Systems Manager to reset the administrator password.
Diagnose and troubleshoot EC2 instances using EC2Rescue for Linux and Windows, collect logs, diagnose OpenSSH and kernel issues, and remediate problems with optional SSM automation and S3 uploads.
Submit an abuse report to the AWS Trust and Safety team for spam, port scanning, DDoS, intrusion attempts, or malware; you’ll get Health Dashboard alerts and EventBridge notifications via SNS.
Manage a fleet of EC2 instances and on-premises servers at scale with Systems Manager, enabling patching automation, enhanced compliance, and integration with CloudWatch, Config, and dashboards.
Register EC2 instances in Fleet Manager by launching three Amazon Linux 2 instances, attach the SSM managed instance role, and verify the SSM agent creates managed nodes in Fleet Manager.
Learn how tags create resource groups across AWS services and enable SSM-based operations, automation, security, and cost allocation by grouping environments and teams.
Learn how SSM documents (JSON or YAML) define actions and run commands across EC2 fleets, with IAM and CloudTrail, and output to CloudWatch or S3, plus an Apache install example.
Explore how AWS SSM automations (runbooks) can restart EC2 instances, create AMIs or EBS snapshots, and be triggered by EventBridge, maintenance windows, or config remediation.
Explore the SSM Parameter Store as a secure, serverless configuration and secrets service with KMS encryption, versioning, IAM access, event notifications, CloudFormation integration, hierarchical parameters, and TTL-driven policies.
Practice using the Parameter Store in Systems Manager to create standard and secure parameters, manage hierarchy, and retrieve values via the command line interface (CLI) with get-parameters and get-parameters-by-path.
Learn how AWS SSM Inventory collects metadata from EC2 and on-premises instances, including software and configurations, stores it in S3 for Athena and QuickSight analysis, and how State Manager enforces states.
Automate patching across EC2 and on-premises servers with SSM Patch Manager, defining baselines and patch groups, and schedule maintenance windows for OS, application, and security updates.
Create a patch policy in Patch Manager to patch EC2 and on-premises instances, configure scan and install, set schedules, baselines, targets, and maintenance windows with run commands.
Explore how SSM Session Manager provides a secure shell for EC2 and on-prem servers without SSH keys. IAM controls and logging to S3 or CloudWatch ensure auditability.
Explore how to use AWS Session Manager to start SSH-like sessions into EC2 instances without inbound SSH rules, execute commands, and enable CloudWatch and S3 logging for secure, auditable activity.
Terminate the three managed instances in Fleet Manager to prevent ongoing costs, completing the cleanup step before moving to the next lecture.
Discover how bastion hosts provide SSH access to EC2 instances in a private subnet by chaining through a public bastion host, with security groups restricting access to trusted IPs.
Launch an EC2 in a private subnet behind a bastion host and SSH into it using a key pair and security group. The private instance has no outbound internet access.
Highlight NAT gateways as a managed, highly available solution with automatic scaling from 5 Gbps to 100 Gbps, an elastic IP, placement in public subnets, and private subnet internet access via the internet gateway.
Create a NAT gateway in a public subnet, allocate an elastic IP, and update the private route table to enable private instances to access the internet with availability across zones.
Connect your VPC to a corporate data center with site-to-site VPN using VGW and CGW, enabling route propagation and CloudHub for multi-site connectivity.
Establish a Site-to-Site VPN between on-premises and AWS by creating a customer gateway on your premises, a virtual private gateway on AWS, and connecting them.
Discover how AWS client VPN creates a private connection from your computer to a private VPC using OpenVPN, enabling access to EC2 instances by private IP and on-premises resources.
Discover three AWS Client VPN authentication types: Active Directory, mutual certificate, and single sign-on with SAML 2.0. Use directories, certificates, or identity providers to establish secure connections.
Learn how to connect VPCs across regions and accounts using VPC peering, enforce non-overlapping CIDRs, update route tables, and reference security groups across peered VPCs.
Peer the demo VPC with the default VPC, then modify routes to allow cross-VPC traffic using a peering connection.
Enable DNS resolution via the Route 53 resolver in the VPC, and enable DNS hostnames so EC2 instances receive public hostnames; enabling both supports private hosted zones.
Enable DNS hostnames and DNS resolution in the VPC to resolve internal names. Create a private Route 53 hosted zone and a CNAME like google.demo.internal to google.com.
Harness VPC endpoints to access AWS services over a private network, using gateway endpoints for S3/DynamoDB and interface endpoints for CloudWatch and others; ensure DNS resolution and correct routes.
Explore how VPC endpoint policies attached to interface or gateway endpoints restrict API calls to specific resources and principals, and how they work with IAM and resource policies.
Explore how to access AWS services via VPC endpoints, including CodeDeploy and the codedeploy-commands-secure endpoint for EC2, Secrets Manager, SSM Session Manager, and private API Gateway endpoints.
Explore how AWS PrivateLink exposes a service in a service VPC to thousands of consumer VPCs via a network load balancer and ENIs, without VPC peering or internet gateways.
Explore using AWS PrivateLink to create a private endpoint connection between services across VPCs, linking an endpoint service to a Network Load Balancer and enabling private access.
Explore how network ACLs and security groups control traffic at subnet and instance levels. Understand stateless versus stateful behavior, inbound and outbound rules, default NACLs, ephemeral ports, and rule precedence.
Explore the differences between network ACLs and security groups in AWS, illustrating default NACL behavior, rule precedence, stateless versus stateful traffic, and how HTTP traffic is allowed or denied.
Examine security groups outbound rules with CIDR prefixes and compare custom versus AWS managed prefix lists to simplify sharing across accounts for services like S3, CloudFront, DynamoDB, and Ground Station.
Security groups are stateful and won’t terminate existing connections when rules change, as shown by SSH on port 22; use stateless network ACLs to block traffic immediately.
The transit gateway serves as a hub to connect many VPCs, VPNs, and Direct Connect connections. It enables transitive routing, cross-region and cross-account sharing, route tables, and ECMP to boost bandwidth.
Direct Connect establishes a private link from your on-premises to AWS VPC, using private or public VIFs for private resources and public services, with dedicated or hosted options and resiliency.
Explore an exam-ready architecture where a corporate data center connects to a VPC via Direct Connect as the primary, with a site-to-site VPN over the public internet as a backup.
Explore how CloudFront caches content at edge locations worldwide to reduce latency. Understand origins such as S3, VPC, or HTTP backends with origin access control, Shield, and Web Application Firewall.
Create a private S3 bucket and CloudFront distribution to serve files without public access, using bucket policy and pre-signed URLs with caching on the free plan.
Connect CloudFront to private backends using VPC origins, delivering from ALB, NLB, or EC2 in private subnets while avoiding public exposure and simplifying security groups.
Use CloudFront geo restriction to control distribution access by country via a geo IP database, and enable pay as you go to access allow and block lists for copyright protection.
Secure private content with CloudFront signed URLs or cookies, applying policies, expiration, IP ranges, trusted signers, and origin access control to protect S3.
Generate 2048-bit RSA keys and use trusted key groups in CloudFront to sign URLs, using private keys on EC2 and public keys for verification, with IAM governance.
Encrypt field-level data at the edge with a public key to protect credit card information, keeping data encrypted in flight via HTTPS and decryptable only by the web server.
Explore how origin access control enables CloudFront to access SSE-KMS encrypted S3 data by signing requests with SigV4, replacing legacy OAI setups and avoiding Lambda@Edge.
Forward the authorization header to the origin by whitelisting it in a CloudFront cache policy; leverage a secret x-custom header to secure ALB access with Cognito JWT verification via Lambda@Edge.
Protect your web applications at layer seven with AWS WAF, a web application firewall, to guard against SQL injection, XSS, and bot traffic.
Learn how AWS Shield protects against DDoS, with Shield Standard (free) and Shield Advanced (paid). Shield Advanced automates WAF deployment to mitigate layer 7 attacks on EC2 and CloudFront.
Learn how AWS Firewall Manager centralizes and automates cross-account firewall policies, applying WAF, Shield Advanced, and other security rules across ALB, NLB, VPCs, and DNS firewalls.
Protect web apps from layer-7 exploits with WAF by creating a web ACL and rules, while Shield handles DDoS protection and Firewall Manager enables centralized security across accounts.
Practice AWS WAF by creating web ACL protections and IP sets in Frankfurt. Learn to add custom and managed rules, including rate limiting and SQL injection protection for regional resources.
Explore how Shield Advanced yields CloudWatch metrics like DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, and DDoSAttackRequestsPerSecond to detect and understand a DDoS event.
Learn edge-based architecture for DDoS protection using CloudFront, Shield, Global Accelerator, and Route 53 to distribute traffic and mitigate attacks, with WAF and API gateway for application-layer defense.
Explore how API Gateway proxies requests to Lambda, enabling authentication, usage plans, versioning, deployment stages, and integration with AWS services for a serverless API.
Build a REST API in API Gateway by creating a regional API, adding GET methods backed by Lambda functions, deploying with a dev stage, and testing via the invoke URL.
Learn API Gateway security with resource policies for public access and IP-based denial, private APIs via VPC interface endpoints across accounts, and throttling and usage plans with API keys.
Access AWS Artifact, a global portal for on-demand compliance documents and agreements from AWS. Download ISO, PCI, and SOC reports and BAA agreements after accepting an NDA for internal audits.
Learn how Route 53 DNSSEC mitigates DNS poisoning by signing records with KSK and ZSK, establishing a chain of trust via DS records, and monitoring with CloudWatch alarms.
Learn how AWS Network Firewall protects an entire VPC from layer 3 to 7 with centralized Firewall Manager policies across accounts and many VPCs, plus fine-grained rules and flow inspection.
Explore deployment architectures for AWS Network Firewall, detailing firewall endpoints, protected and private subnets, route tables, NAT gateway, Application Load Balancer, and traffic flow for inbound and outbound traffic.
Explore Amazon SES, the simple email service that lets you send email securely, globally, and at scale via API or SMTP, with inbound support and configuration sets for real-time analytics.
Explore the anatomy of IAM policies, from version, id, and statements to action, NotAction, resources, and conditions, and master how explicit allow and deny and the various principal options shape access.
Explore IAM condition operators, including string and ARN-like comparisons, date checks, Bool and IP address filters, with examples like S3 prefix matching and token issued times.
Explain global context keys in IAM conditions, including the requested region, PrincipalArn, SourceArn, and CalledVia, with notes on IP and VPC conditions and regional restrictions to us-east-1.
Explore IAM permission boundaries that restrict the maximum permissions for users and roles, showing how boundaries interact with identity-based policies and SCPs for safe delegation.
Apply IAM policy evaluation logic from default deny to explicit allows and denies, including permission boundaries, SCPs, session policies, and cross-account requirements for identity and resource policies.
Compare resource-based policies with IAM roles to enable cross-account access, and explain how role assumption grants temporary permissions while resource policies secure access to S3 buckets and SQS queues.
Explore ABAC in AWS, using tags to grant access by user attributes, like department or project, scaling permissions compared to RBAC without editing IAM policies.
Explore how multi-factor authentication protects AWS accounts with password plus a security device, including virtual and hardware MFA options, and enables safeguards like MFA delete and IAM conditions.
Learn about the IAM credentials report; its users, password status, keys, and MFA; download it for auditing; consider AWS Config with key rotation and SSM automation for aged keys.
Learn how IAM roles empower AWS services to act on your behalf, including EC2 and Lambda roles, how to pass roles with iam:PassRole, and how CloudTrail logs reveal role assignments.
Understand that every IAM role has a trust policy and a permission policy, with trust defining who can assume the role and examples like MFA and EC2 service principals.
Explore IAM security tools such as the IAM Credentials Report at account level and Access Advisor at the user level, and enforce least privilege by reviewing permissions and last access.
Generate and download a credentials report to compare root and user accounts, MFA, password rotation, and access keys; then use IAM Access Advisor to audit service usage and refine permissions.
Use IAM Access Analyzer to detect external sharing of S3, roles, KMS keys, Lambda, SQS, and Secrets Manager, validate policies, and generate tailored policies from CloudTrail logs.
Discover how AWS STS issues temporary credentials via AssumeRole, cross-account access, and SAML or web identity flows, with GetSessionToken for MFA-enabled access and cross-account S3 permissions.
Explore STS version 1 and version 2, comparing global and regional endpoints, token formats, latency and redundancy benefits, and how to obtain version 2 tokens for all regions.
Learn how the STS external ID strengthens the AssumeRole API by requiring a defined external ID in the trust policy to prevent the confused deputy attack.
Learn to revoke an IAM role's temporary credentials by attaching an inline AWSRevokeOlderSessions policy that denies actions when the token issue time is older than now, forcing reauthentication.
Explore the AWS EC2 instance metadata service and how to retrieve instance details, ami-id, temporary credentials, and placement data from within an EC2 instance, plus security controls.
Explain the difference between IMDSv1 and IMDSv2, detailing the two-step process to obtain a session token via a PUT to /latest/api/token and use it in metadata calls through headers.
Explore how S3 authorization evaluates bucket vs object level permissions using IAM and bucket policies, including the bucket owner enforced setting for object ownership.
Learn cross account access to S3 objects with IAM policies and bucket policies, and why object ownership with bucket owner simplifies security over ACL-based approaches.
Explore practical S3 bucket policies to enforce encryption in transit by denying non-https requests, restrict access by public IP CIDR ranges, and gate access using user IDs or role IDs.
Compare gateway endpoints for S3, which are free and inside VPC with DNS enabled, with interface endpoints offering private links via ENIs and on-premises access via Direct Connect or VPN.
When a bucket policy denies all access, use the AWS account root user to delete the policy and regain access, then create a new policy that won’t lock you out.
Discover how block public access settings protect S3 buckets by turning on bucket- or account-level controls, preventing data leaks even when a bucket policy would allow public access.
Learn how S3 access points simplify security management with per-point policies for finance, sales, and analytics data. Connect via DNS names and use VPC endpoints for private access.
Create an S3 access point with internet origin, apply a policy to grant restricted get and put to a subdirectory, and enforce bucket policies that delegate access via access points.
Use S3 multi-region access points to create a global endpoint across regions, routing requests to the lowest latency bucket while enabling bidirectional replication and active/passive or active/active failover.
Create two regional buckets in eu-central-1 and us-east-1, attach them to a multi-region access point named my-global-app, enable bucket versioning, and set replication rules for two-way failover and access policies.
Understand how CORS enables and restricts cross-origin requests by inspecting origins, preflight checks, and Access-Control-Allow-Origin headers, with a practical S3 example.
Demonstrate cross-origin resource sharing by configuring S3 CORS and updating index.html to fetch an extra-page.html from another bucket.
Enable S3 access logs to audit all requests, storing entries in a separate logging bucket in the same region, and avoid using the same bucket to prevent logging loops.
Configure the destination bucket policy to allow s3:PutObject on destination-bucket/* from the source bucket ARN.
Enable S3 server access logging by creating a logging bucket and configuring a destination; upload files to generate logs and review details like API calls and access events.
Explore Cognito user pools, a serverless user database enabling sign-in, verification, password resets, and federated logins via Google, Facebook, or SAML, with JWTs and API Gateway and load balancer integration.
Understand Cognito identity pools, federated identities, and temporary AWS credentials via STS for web and mobile users, including social login, guest access, and policy variables controlling S3 and DynamoDB.
Define Cognito user pool groups as collections of users with attached IAM roles to define permissions; users can belong to multiple groups, with the lowest precedence determining the default role.
Learn AWS identity federation, enabling external users to access resources via SAML 2.0, web identity with Cognito, or IAM Identity Center, using temporary credentials from STS.
Configure SAML 2.0 federation in AWS with your IdP, manage the IdP metadata file, and troubleshoot expiration or certificate changes by updating the IAM SAML provider via the CLI.
Explore how AWS IAM Identity Center provides single sign-on across multiple accounts and applications with permission sets and SAML 2.0 integration. Connect identity stores and manage roles for fine-grained access.
Configure IAM Identity Center permission sets using AWS-managed, inline, and customer-managed policies across accounts. Learn delegated administration, CloudFormation stack sets for policy consistency, and seamless one-click service integrations.
Explore AWS Directory Services, including AWS Managed Microsoft AD, AD Connector, and Simple AD, and how they connect on-premises Active Directory with cloud resources using MFA, SSO, and forest trusts.
Learn how encryption in flight uses TLS/SSL and HTTPS to prevent man-in-the-middle attacks. Compare server-side at-rest encryption with data keys to client-side encryption where only the client can decrypt.
Learn how CloudHSM delivers dedicated hardware security modules you manage end to end, with key lifecycle control, multi-AZ high availability, and TLS offloading for secure apps.
Integrate CloudHSM with AWS KMS via a custom key store to encrypt EBS, S3, and RDS data, with CloudTrail logging; share private subnets across accounts for access.
Explore AWS KMS and how it controls access and manages encryption keys, including envelope encryption. Compare symmetric and asymmetric key types and origins, including multi-region replication.
Explain how AWS KMS multi-region keys replicate the same key material across regions, enabling cross-region encryption and decryption for global DynamoDB and Aurora, with client-side encryption and access safeguards.
Discover how KMS encrypt and decrypt APIs protect secrets and how envelope encryption uses GenerateDataKey to produce a DEK and an encrypted DEK for client-side encryption.
Explore how AWS KMS handles key rotation, including automatic rotation for AWS managed keys and on-demand or manual rotations for customer-managed symmetric keys using aliases.
Learn how to manage KMS key deletion, including the 7–30 day waiting period, cancellation, metadata preservation, and the fact that AWS managed keys cannot be deleted. Monitor deletions with CloudTrail, CloudWatch, and SNS.
Master KMS key policies to control access, compare default and custom policies, and enable cross-account administration for encrypt, decrypt, and data key operations.
Grant access to specific KMS keys to other accounts using KMS key grants for operations like encrypt, decrypt, sign, and verify; grants are one key per grant and require deletion.
Explore kms:ViaService and kms:CallerAccount condition keys to restrict KMS key use to specific AWS services like EC2 and RDS, and control access via KMS key policies and grants.
Explore the KMS key authorization process and how denials, SCPs, and VPC endpoint policies gate access. Learn how key policies, grants, and IAM policies enable cross-account and delegated access.
Learn how to enable cross-account access for a KMS key using key policies, grants, and IAM roles, enabling encrypted EBS volumes and cross-account RDS snapshots.
Discover how asymmetric encryption works with AWS KMS using public and private keys. Explore RSA, ECC, and SM2 keys, digest signing, and verify API workflows for data integrity.
Explore KMS API call limits and the cost of frequent requests. Learn how data key caching with the AWS encryption SDK reuses keys to reduce API calls, latency, and costs.
Explore how to integrate KMS with EBS by creating EBS snapshots, launching new volumes with a different KMS key, automating cross-account encrypted snapshot copies, and setting per-region default EBS encryption.
Encrypt an unencrypted EFS file system by creating a new encrypted EFS and migrating data with AWS DataSync. Switch applications to the encrypted file system after the migration.
Learn how ABAC with KMS uses resource tags to grant decrypt and encrypt access, enabling security at scale by tagging keys with an environment tag such as prod.
Learn how KMS encrypts and decrypts SSM parameter store secure strings, including standard and advanced parameters that use envelope encryption with a data key.
Explore AWS Secrets Manager for storing and rotating secrets, with Lambda-driven rotation, KMS encryption, and multi-region replication to support RDS Aurora databases and disaster recovery.
Learn how AWS Secrets Manager rotates, manages, and retrieves secrets across their life cycle with database integrations, multi-region replication, and IAM resource policies.
Learn advanced Secrets Manager concepts, including envelope encryption with KMS data keys and using AWS managed keys. Rotate secrets automatically with Lambda for RDS, VPC, IAM, and cross-account sharing.
Explore object encryption in Amazon S3 with SSE-S3, SSE-KMS, SSE-C, and client-side encryption, and enforce in-transit security using HTTPS and bucket policies.
This lecture reviews S3 encryption options: SSE-S3 with AWS-managed keys; SSE-KMS with KMS keys, where anonymous access depends on key permissions and CloudTrail records key usage; SSE-C; client-side encryption; and Glacier's AES-256 encryption.
The lecture explains default S3 encryption, usually SSE-S3, how to change it to SSE-KMS, and how bucket policies can force encryption by denying PUT requests without the correct encryption headers.
Explore practical S3 bucket policies to enforce HTTPS for in-flight encryption and to require a specific KMS key (ARN) for server-side encryption, using deny statements and the relevant conditions.
Explore SSE-KMS with an S3 Bucket Key to cut KMS API calls and costs by up to 99%, using envelope encryption with a rotating data key and bucket key.
Learn how to upload large, KMS-encrypted files to S3 using multipart uploads, generate data keys for each part, and grant decrypt permissions to reassemble and re-encrypt the final object.
Perform bulk encryption of unencrypted S3 objects using S3 Batch, by listing with S3 Inventory, filtering with Athena on encryption status, then encrypting via a KMS-backed batch job.
Learn how S3 Glacier Vault Lock uses a WORM model to prevent changes or deletion, and how S3 Object Lock enforces retention with compliance or governance modes and legal holds.
Learn how Amazon S3 Glacier vault policies work, including the vault access policy and the vault lock policy, and how the lock process safeguards archives with a 24-hour testing window.
Create a Glacier vault, set access policies and a vault lock, and apply an irreversible lock policy that denies archive deletion under 365 days, completed within 24 hours.
Automate S3 lifecycle rules to move objects between storage classes and archive for cost efficiency, using transitions, expirations, prefixes or tags, plus versioning and S3 analytics to optimize.
Create a lifecycle rule for S3 buckets to move current and non-current object versions between storage classes and delete expired items, using transitions to Standard-IA, Glacier, and Deep Archive.
Explore Amazon S3 replication, including cross-region replication (CRR) and same-region replication (SRR), with versioning, IAM permissions, and asynchronous copy across accounts for compliance, latency, logs, and testing.
Configure S3 replication by creating origin and replica buckets with versioning, set a replication rule, and verify cross-region object and version replication, including delete marker behavior.
Enable S3 replication to automatically replicate only new objects, use S3 batch replication to cover existing and failed items, and optionally replicate delete markers while avoiding chaining across buckets.
Secure RDS and Aurora with at-rest encryption via KMS at launch, enforce in-flight TLS and IAM authentication with 15-minute tokens, and encrypt unencrypted backups by restoring as encrypted clusters.
Understand elastic load balancing on AWS, routing traffic across multiple EC2 instances with a managed load balancer, health checks, and SSL termination across ALB, NLB, and GWLB.
Explore the Network Load Balancer's layer 4 traffic handling for TCP and UDP with ultra-low latency, static IPs per AZ, and target groups containing EC2 instances or private IPs.
Discover how client IP preservation works with network load balancers and how to attach security groups to the NLB. Troubleshoot connectivity using health checks, NACLs, and VPC peering.
Explore how elastic load balancers implement sticky sessions to keep a client on the same backend instance using cookies, with application-based and duration-based cookies.
Understand how SSL/TLS certificates enable in-flight encryption between clients and load balancers, with SNI supporting multiple domains on ALB and NLB, and manage certificates via ACM.
Explore how SSL/TLS certificates secure Elastic Load Balancers with ACM, SNI for hostname routing, and configurable security policies across ALB, NLB, and CLB, including forward secrecy and SAN considerations.
Learn how to configure TLS listeners on a network load balancer to terminate TLS at the NLB using an ACM certificate and preserve client IP addresses.
Learn how AWS Certificate Manager provisions and renews public and private SSL certificates for load balancers and CloudFront, with automatic renewal for ACM-issued certs and regional deployment.
Request a public certificate with AWS Certificate Manager, validate via DNS in Route 53, and deploy it to an Elastic Beanstalk load balancer with a 443 HTTPS listener.
Discover how ACM's private certificate authority issues end-entity X.509 certificates for internal TLS and PKI, enabling secure connections for users, computers, APIs, and IoT devices within your infrastructure.
Discover how AWS Backup centralizes automated backups across AWS services, enabling cross-region and cross-account protection with backup plans, tag-based policies, on-demand or scheduled backups, and vault lock for WORM protection.
Explore AWS Backup hands-on, creating a daily and monthly backup plan with retention rules, vaults, cross-region copies, and assign resources using IAM roles and environment tags.
Automate backups with Amazon Data Lifecycle Manager by tagging resources and creating, retaining, and deleting EBS snapshots and EBS-backed AMIs via policy-driven schedules; only resources managed by DLM are supported.
Learn about Nitro enclaves, highly isolated EC2-based enclaves for processing sensitive data (PII, healthcare, credit card data) with cryptographic attestation and KMS encryption, using Nitro CLI to create enclave images.
Explore AWS Organizations, manage multiple accounts with a central management account and OUs, consolidate billing, and apply cross-account service control policies to enforce security across OUs and accounts.
Build and manage an AWS organization with a master and child account, invite accounts, organize them into OUs, and apply service control policies including denying S3.
Learn how AWS Organizations enables reserved instance sharing across accounts, apply the aws:PrincipalOrgID condition for org-wide access, and enforce tag policies to standardize tagging and monitor non-compliance.
Explore AWS Control Tower to automate secure, compliant AWS Organizations-based multi-account environments using account factory, service catalog, IAM Identity Center, guardrails, remediation, and a compliance dashboard.
Explore AWS Config for auditing and recording resource configuration, with managed or custom rules, event-driven remediations via SSM automation, and cross-region notifications to monitor compliance across accounts.
Explore the AWS Config hands-on: record resources, include global resources, and store data in an S3 bucket. Evaluate security groups with managed rules and remediation options.
Explore AWS Config remediation examples that automate security actions, such as disabling port 22 SSH on EC2 security groups and enabling S3 bucket logging with AWS-DisableIncomingSSHOnPort22 and AWS-ConfigureS3BucketLogging.
Learn how AWS Config aggregators centralize data from multiple accounts and regions into an aggregator account, with authorization via AWS Organizations. Deploy rules across accounts and regions using CloudFormation StackSets.
Explore conformance packs, bundles of AWS Config rules and remediation actions deployed across accounts, regions, or an organization, including prebuilt or custom packs to evaluate resource compliance.
Manage organizational rules from the management or delegated admin account and deploy a single rule across all member accounts, contrasting with conformance packs that support many rules and account-level compliance.
Learn AWS Config use cases: audit IAM policies, detect CloudTrail status, unapproved AMIs, public security groups, unauthorized VPC gateways, unencrypted EBS, or public RDS, with remediation via EventBridge and SSM.
Explore AWS Trusted Advisor, a service providing high-level account assessments with core security checks across six categories, and how Business or Enterprise support unlocks full checks and programmatic access.
Explore Cost Explorer to visualize and manage AWS cost and usage over time, forecast up to 18 months, and find savings plans; generate reports, dashboards, and hourly or resource-level analyses.
Leverage AWS cost anomaly detection to monitor cost and usage data with machine learning that learns historical patterns, detects one-time spikes or ongoing increases, and provides root cause analysis.
Explore the AWS Well-Architected Framework and Tool to review workloads across six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability, using questions, lenses, and improvement plans.
Examine the AWS acceptable use policy and learn what you cannot do with AWS services, including illegal activity, rights violations, threats or harm, child sexual abuse content, DDoS, and spam.
AWS Audit Manager continuously audits AWS workloads against built-in frameworks such as CIS benchmarks, GDPR, HIPAA, and PCI DSS. It supports manual evidence uploads and generates linked compliance reports.
Discover how CloudFormation enables infrastructure as code on AWS by declaratively provisioning resources, automating deployment, and repeating architectures across environments with templates, tags, and custom resources.
Learn to create and manage AWS infrastructure with CloudFormation by uploading templates, launching an EC2 instance in us-east-1, using change sets, security groups, and elastic IPs as infrastructure as code.
CloudFormation uses dedicated service roles to create, update, and delete stack resources, enabling least-privilege access via IAM PassRole and a dedicated DemoRole with S3 permissions.
Learn how CloudFormation stack policies, defined in JSON, control update actions by allowing updates for selected resources while protecting the production database from unintentional changes.
Discover how CloudFormation dynamic references fetch values from SSM parameter store or Secrets Manager at runtime to securely configure resources using plain text, secure strings, and secrets.
Learn how termination protection prevents accidental CloudFormation stack deletes by enabling it in the console, and that deletion is blocked unless you disable protection with the right permissions.
Master CloudFormation drift detection by comparing stacks and StackSet configurations against templates, identifying unmanaged changes outside of CloudFormation, viewing drift details, and deciding to update templates or revert stacks.
Validate CloudFormation templates against organization policy with the CloudFormation Guard CLI, writing rules in its domain-specific language in rules.guard, for example requiring that the S3 bucket ServerSideEncryptionConfiguration in template.yaml uses AES256, and integrate the check into CI/CD.
Explore how AWS Service Catalog lets admins create products as CloudFormation templates, organize them into portfolios, and provide a self-service portal where users launch predefined, permission-controlled resources.
Explore AWS Resource Access Manager (RAM) to share VPC subnets across accounts within an organization, enabling a shared networking layer while keeping individual resources isolated.
Explore how AWS Fault Injection Simulator enables chaos engineering by running disruptive experiments on EC2, ECS, EKS, and RDS, using pre-built templates to test resilience and observability.
Explore how the AWS resilience hub centralizes resilience management by defining resilience goals, setting RTO and RPO, assessing against the well-architected framework, and delivering actionable recommendations with FIS testing.
Amazon ECR stores Docker images on AWS and offers private and public repositories. It integrates with ECS, uses IAM to pull images, supports vulnerability scanning, versioning, tags, and image lifecycle.
Secure Amazon ECR with KMS encryption via envelope encryption and KMS grants, enabled at repository creation, plus OS and language package vulnerability scanning with Amazon Inspector and cross-account repository policies.
ECS injects secrets as environment variables at runtime by referencing Secrets Manager and the SSM Parameter Store in the container definition, with IAM and KMS permissions.
Amazon EKS manages Kubernetes clusters on AWS and logs pod, node, and control plane activity. Send these events to CloudWatch Logs to keep history beyond 60 minutes, selecting which log types to forward.
Understand the Lambda execution role and permissions for CloudWatch, Kinesis, DynamoDB, SQS, VPC, and X-Ray. Follow best practices: one execution role per function and resource-based policies for cross-account access.
Learn to run Lambda inside your VPC by assigning subnets and security groups, creating an elastic network interface, and accessing RDS and DynamoDB via VPC endpoints or NAT gateways.
Create a Python 3.8 Lambda function in a VPC, attach a Lambda security group, and configure private subnets with a NAT gateway; grant ENI management permissions so the function can create network interfaces.
Create a Lambda function, test it, and confirm the response is "Hello from Lambda". Publish version 1, create a dev alias, and generate a function URL with auth type NONE.
Learn AWS Signer, a managed code-signing service that uses public and private keys to sign code, create signing profiles, and deploy trusted Lambda, IoT, and FreeRTOS code with revocable signatures.
Enable secure access to corporate internal applications without a VPN by applying zero trust, continuously verifying user identity and device for every request with AWS Verified Access.
Explore AWS Glue, a serverless ETL service that extracts data from S3 or RDS, transforms it, loads into Redshift, and uses Parquet with the Glue Data Catalog.
Safeguard AWS Glue with KMS encryption at rest for databases and tables, and TLS in transit. Enable cross-account access via IAM and Data Catalog policies for S3 and Athena.
Amazon WorkSpaces provides a managed desktop as a service to provision Windows or Linux desktops in the cloud, eliminating on-premises VDI and using KMS for security.
Restrict access to Amazon WorkSpaces using IP access control groups that authorize CIDR ranges or public IPs. Enforce trusted devices with certificate-based authentication across Windows, macOS, and Android clients.
Use the Auto Scaling instance refresh to update EC2 instances from an old launch template to a new one, with a minimum healthy percentage and warmup time guiding the rollout.
Learn how AWS automatically wipes data on EBS volumes by zeroing underlying storage when you delete a volume, making manual wiping unnecessary.
Use CloudShell, a browser-based shell in the AWS console, to run AWS CLI and SAM CLI commands with credentials and persistent storage. Access EC2 and RDS in a VPC environment.
Learn how EC2 Image Builder automates creating, validating, and distributing AMIs via a builder EC2 instance, with automated tests, regional distribution, scheduling, and pay-for-resources.
Learn to use EC2 Image Builder hands-on by creating a pipeline and recipe, installing AWS CLI v2 and Java 11, testing, and distributing a custom AMI.
Troubleshoot an EC2 Image Builder 403 error on S3 by ensuring the instance profile has the AmazonSSMManagedInstanceCore and EC2 Image Builder managed policies, and grant write permission on the S3 bucket used for logs.
Explore Amazon Redshift security, including superusers, users, groups, databases, and schemas, and learn to manage permissions and authentication with IAM credentials and temporary credentials via GetClusterCredentials.
Learn how DynamoDB time to live automatically deletes items after an expiry timestamp stored as a number attribute in Unix epoch; expired items are marked for expiration and deletion.
Prepare for the AWS certified security specialty exam with focused coverage on exam structure and scoring, and domains: infrastructure security, identity and access management, data protection, and logging and monitoring.
Sign in to aws.training/certification, create an AWS Builder ID, and schedule your exam via Pearson VUE, online or in person, with a system test and ID ready.
Learn to save 50% on your next AWS exam using earned tokens and a voucher code. Claim benefits, copy the code, and apply it at checkout for the discount.
Non-native English speakers can request an extra 30 minutes under exam accommodation, get approval, and schedule the exam with extended time; other accommodations are available from Pearson VUE.
Welcome! I'm here to help you prepare and PASS the newest AWS Certified Security Specialty exam.
I'm so excited to have you here, but first, let's make sure this AWS Certified Security Specialty course is the right one for you.
[Jan 2026 Update]: The course is fully updated for SCS-C03
[Jun 2023 Update]: The course is fully updated for SCS-C02
-- -- -- -- -- -- --
**PLEASE READ**:
The course is MOSTLY SLIDES-BASED: If you're new to AWS, just finished AWS Certified Solutions Architect Associate and need to acquire some hands-on experience, I strongly recommend doing the following courses: AWS Certified Developer Associate, AWS Certified SysOps Administrator Associate, AWS Certified DevOps Engineer.
Expert course - you MUST have AT LEAST the AWS Certified Solutions Architect Associate: a lot of pre-requisite knowledge is assumed for this course. If you don't feel confident, please review the AWS Certified Solutions Architect Associate course first. Other certifications and extra hands-on experience are a huge plus.
This course is FAST-PACED: You must be ready to learn fast. I will not waste time over some basics. The slides are downloadable. I advise you to use the slides for some offline review after your session. I also recommend that you don't hesitate to go over any lectures you might not have fully understood.
NO PRACTICE EXAM INCLUDED: This course does not contain a practice exam. Please enroll in a separate course for that. This course focuses on teaching you the knowledge to ace the exam.
-- -- -- -- -- -- --
The AWS Certified Security Specialty certification is a fun certification and a challenging exam. It requires some substantial hands-on and real-world experience for you to pass. This course is going to help you solidify the knowledge you already have and put it in perspective through the study of various solutions architectures and services.
With the right dedication and thanks to this course, you should be prepared for your exam and maximize your chances of passing your AWS Certified Security Specialty certification!
I am dedicated to helping people pass AWS certifications on Udemy, and have been teaching about how to pass all Associate Level, Professional Level, and all Specialty certifications. People who learn with me pass their exams with great confidence!
-- -- -- -- -- -- --
Instructor
My name is Stéphane Maarek, I am passionate about Cloud Computing, and I will be your instructor in this course. I teach about AWS certifications, focusing on helping my students improve their professional proficiencies in AWS.
I have already taught 2,000,000+ students and gotten 500,000+ reviews throughout my career in designing and delivering these certifications and courses!
With AWS becoming the centerpiece of today's modern IT architectures, I have decided it is time for students to learn how to be an AWS Security Specialty expert. So, let’s kick start the course! You are in good hands!
-- -- -- -- -- -- --
This course also comes with:
Lifetime access to all future updates
A responsive instructor in the Q&A Section
Udemy Certificate of Completion Ready for Download
A 30 Day "No Questions Asked" Money Back Guarantee!
Join me in this course if you want to earn the AWS Certified Security Specialty certification and master the AWS platform!