SCS-C01 Amazon AWS Certified Security Specialty – Important points for Exams part 1

  1. Important Pointers – Domain 1

Hey everyone and welcome back. In today’s video we’ll be discussing some of the important pointers for the exam for domain one, incident response. The first thing you need to remember before you sit for the exam is how to deal with exposed access and secret keys. The exam might have a question that tests whether you know how to handle a situation where someone has leaked an access key and secret key within your organization. In that case, these are the important pointers to remember. First, determine the access associated with the exposed keys. If the exposed keys belong to a user who has no access, the attacker will not be able to do anything with them.

So that is one important part to remember. Second, invalidate the exposed keys by making them inactive. This is also very important, so make sure the keys that were exposed are set to inactive. Third, add an explicit deny policy to that specific IAM principal. You either add an explicit deny policy, which is the recommended option because it lets you automate the entire scenario when keys are leaked, or you remove all the policies attached to the IAM user whose keys were breached. An explicit deny wins over any allow, so it is effective even if the user still has permissions through group or attached policies. And the last important point is to review the logs (CloudTrail) for possible backdoors. It might happen that someone has created a new user, a new access key or a new role trust using those exposed keys.
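
The three containment steps above (deactivate the key, attach an explicit deny, review CloudTrail for persistence), as an added example that is not part of the lecture. It is written in Python against the boto3 IAM client method names; the `iam` argument is any object with those methods, so the `StubIam` class lets it run offline, and the user name, key IDs, policy name and CloudTrail records are all constructed for the example.

```python
"""Added example (not part of the lecture): containment and log review for a
leaked IAM access key, written against the boto3 IAM client method names
(update_access_key, put_user_policy, list_attached_user_policies). The `iam`
argument is any object that exposes those methods, so the flow can be run
offline with the StubIam stand-in below; with boto3.client("iam") it runs
for real. The CloudTrail records are constructed sample data.
"""
import json

# API calls an attacker commonly uses to persist after stealing a key.
# This list is an assumption of the example, not an AWS-published set.
BACKDOOR_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
}
DENY_POLICY_NAME = "IncidentResponse-ExplicitDeny"  # name is an assumption


def explicit_deny_policy():
    """Inline policy denying every action. An explicit Deny overrides any
    Allow the user still gets from attached or group policies, so it is a
    safe, scriptable containment step."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyAllAfterKeyExposure",
                           "Effect": "Deny", "Action": "*", "Resource": "*"}]}


def contain_exposed_key(iam, user_name, access_key_id):
    """Deactivate the leaked key, then attach the explicit Deny so the
    principal is blocked even if a second, unknown key exists. Returns the
    names of the managed policies still attached, for the incident record."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id,
                          Status="Inactive")
    iam.put_user_policy(UserName=user_name, PolicyName=DENY_POLICY_NAME,
                        PolicyDocument=json.dumps(explicit_deny_policy()))
    attached = iam.list_attached_user_policies(UserName=user_name)
    return [p["PolicyName"] for p in attached["AttachedPolicies"]]


def find_backdoor_events(records, access_key_id):
    """Review step: return (time, action, parameters) for persistence-style
    calls made with the leaked key. Records use CloudTrail's JSON shape."""
    hits = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        if rec.get("eventName") in BACKDOOR_ACTIONS:
            hits.append((rec["eventTime"], rec["eventName"],
                         rec.get("requestParameters", {})))
    return hits


class StubIam:
    """Offline stand-in for the boto3 IAM client; records the calls made."""
    def __init__(self):
        self.calls = []

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))

    def put_user_policy(self, **kw):
        self.calls.append(("put_user_policy", kw))

    def list_attached_user_policies(self, **kw):
        return {"AttachedPolicies": [{"PolicyName": "DeveloperAccess"}]}


# Constructed sample CloudTrail records (not real events).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "CreateUser",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "CreateUser",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEOTHER"},
     "requestParameters": {"userName": "legit-user"}},
]

if __name__ == "__main__":
    iam = StubIam()
    print("still attached:",
          contain_exposed_key(iam, "dev-user", "AKIAEXAMPLELEAKED"))
    for hit in find_backdoor_events(SAMPLE_EVENTS, "AKIAEXAMPLELEAKED"):
        print("possible backdoor:", hit)
```

Deactivating the key stops that one credential; the explicit Deny stops the principal regardless of which credentials were copied, which is why it is the option that automates well. Remove the inline Deny only after the log review is complete and any user or key the attacker created has been deleted.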

Now, the second important pointer is how to deal with a compromised EC2 instance. This is a fairly common scenario in organizations, where an EC2 instance gets breached. To handle it, there are four important pointers to remember. First, lock the instance down through its security group so it stays isolated. This is important so that only the forensic analyst who will examine the instance can reach it; the instance should not have any unsolicited inbound or outbound connections. Then take an EBS snapshot, and then take a memory dump.
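
The isolation and snapshot steps above, as an added example (not part of the lecture) written against the boto3 EC2 client method names. `StubEc2`, the instance and VPC IDs, the security group name, the analyst CIDR and the case ID are all assumptions for the example; `boto3.client("ec2")` would be passed in a real account.

```python
"""Added example (not part of the lecture): isolating a compromised EC2
instance and preserving its EBS volumes, written against the boto3 EC2 client
method names used below. `ec2` is any object exposing those methods, so the
flow runs offline with the StubEc2 stand-in; with boto3.client("ec2") it runs
for real. Memory acquisition has no AWS API and must be done in-guest by the
analyst. Names, IDs and CIDRs are assumptions made for the example.
"""

ISOLATION_SG_NAME = "ir-isolation-sg"


def create_isolation_sg(ec2, vpc_id, analyst_cidr):
    """Security group allowing SSH from the analyst's address only and no
    egress. A new group carries a default allow-all egress rule, so that
    rule is revoked explicitly."""
    sg_id = ec2.create_security_group(GroupName=ISOLATION_SG_NAME,
                                      Description="Incident response isolation",
                                      VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": analyst_cidr}]}])
    return sg_id


def isolate_instance(ec2, instance_id, sg_id):
    """Swap every security group on the instance for the isolation group and
    turn on termination protection so the evidence cannot be destroyed."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})


def snapshot_volumes(ec2, instance_id, case_id):
    """Snapshot each attached EBS volume, tagged with the case ID."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])[
        "Reservations"][0]["Instances"][0]
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"{case_id} {instance_id} {mapping['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "CaseId", "Value": case_id}]}])
        snapshot_ids.append(snap["SnapshotId"])
    return snapshot_ids


def respond(ec2, instance_id, vpc_id, analyst_cidr, case_id):
    """Full flow: isolate first (stop the bleeding), then preserve evidence."""
    sg_id = create_isolation_sg(ec2, vpc_id, analyst_cidr)
    isolate_instance(ec2, instance_id, sg_id)
    return {"isolation_sg": sg_id,
            "snapshots": snapshot_volumes(ec2, instance_id, case_id)}


class StubEc2:
    """Offline stand-in for the boto3 EC2 client with canned responses."""
    def __init__(self):
        self.calls = []
        self._snap = 0

    def _record(self, name, kw):
        self.calls.append((name, kw))

    def create_security_group(self, **kw):
        self._record("create_security_group", kw)
        return {"GroupId": "sg-0ir0example"}

    def revoke_security_group_egress(self, **kw):
        self._record("revoke_security_group_egress", kw)

    def authorize_security_group_ingress(self, **kw):
        self._record("authorize_security_group_ingress", kw)

    def modify_instance_attribute(self, **kw):
        self._record("modify_instance_attribute", kw)

    def describe_instances(self, **kw):
        self._record("describe_instances", kw)
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}]}]}]}

    def create_snapshot(self, **kw):
        self._record("create_snapshot", kw)
        self._snap += 1
        return {"SnapshotId": f"snap-{self._snap:017x}"}


if __name__ == "__main__":
    print(respond(StubEc2(), "i-0compromised", "vpc-0example",
                  "203.0.113.10/32", "IR-2024-001"))
```

The egress rule is revoked because a new security group allows all outbound traffic by default, which would let malware keep talking to its command-and-control host. The memory dump still has to be taken from inside the guest before the instance is stopped, since stopping it discards memory.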

When you take the EBS snapshot, it will not contain what is in memory, so you also need a memory dump, taken from inside the guest with a memory acquisition tool, since there is no AWS API for it. Once you have both, you can go ahead with the forensic analysis. These are the pointers to remember; understanding forensics itself is not part of the certification, so just remember this specific flow. The next important part is to know what the GuardDuty service is all about. GuardDuty is a threat detection service that analyzes logs from various sources: CloudTrail events, VPC flow logs and DNS logs.

After it collects these logs, it runs its own threat analytics (threat intelligence feeds and anomaly detection) on top of them and reports any suspicious activity in your AWS account as findings. Other than that, you should also know about penetration testing in AWS. Earlier, people used to blindly run penetration testing software, which broke a lot of things on the AWS side as well, so AWS made it mandatory to obtain prior approval for a penetration test by submitting the penetration testing request form. Along with that, AWS also started to provide pre-authorized scanners in the AWS Marketplace which are tuned to scan AWS. This is one important point to remember. Note that the policy has since been relaxed: since 2019 AWS permits customers to test a list of services (EC2, RDS, CloudFront, Lambda, API Gateway and others) without prior approval, but the exam questions may still expect the prior-approval answer.

The authorization for those is already done beforehand, but you need to make sure you run the pre-authorized scanners that are available in the AWS Marketplace. The other point to remember is the EC2 abuse notice. Many times a customer receives an EC2 abuse notice when the workloads the customer is running on AWS do not conform to the acceptable use policy (for example, an instance that has been compromised and is now scanning or sending spam). Let's understand this with one of the sample questions you might see. It says: you are a security engineer at XYZ Company. You learn that the access key and secret key associated with one of the developers were leaked on the internet and people are using them to access the environment.

What actions will you take to disable the key immediately? Now that we know the question, let's look at the options. First: immediately remove all the policies associated with the user of the access key. Second: deactivate the access key immediately. Third: deactivate the access key and immediately revoke all sessions. Fourth: contact AWS Support immediately and ask them to block the key. I'm sure you already know the right answer by now; for reference, the first one is the right one, which is to immediately remove all the policies associated with the user of the access key. That is the most correct answer out of the four.

  2. Important Pointers – Domain 2

Hey everyone and welcome back. In today’s video we’ll be discussing some of the important pointers for the exam for domain two, logging and monitoring. One of the very important things you must remember before sitting for the exam is the VPC flow log format. This is extremely important: you might get a lot of troubleshooting questions where they give you a VPC flow log and ask what steps you would take for that specific scenario. In the default format, the first field is the version number, the second is the account ID, then the interface ID (eni-...), the source IP, the destination IP, the source port, the destination port, the protocol number (6 for TCP, 17 for UDP), then packets, bytes, start and end time, the action (ACCEPT or REJECT) and the log status.

This is the format you need to understand, so let's go through a sample question. It says: recently one of your VPC flow logs is filled with the following lines; what does this mean? They give you a VPC flow log record and ask what it indicates, with four options. We already know the fields: version, account ID, interface, source IP, destination IP, source port, destination port and so on. The first option says that the client with the 10.x IP is trying to connect and the request is blocked. The last part of that seems fine,

because the request is indeed rejected, but the client is not the 10.x address: the source field shows that someone from the 115.x address is trying to connect to the server with the 10.x address. So we can straight away reject the first option. The remaining three options are correct about the first part, the client with the 115.x IP, so the answer is among the last three. The second option says the client with the 115.x IP is trying to connect to the 10.x address, which is correct so far, on port 88, and the request is rejected. Now you need to know which of the two port fields is the source port and which is the destination port.

The 115.x IP is trying to connect on port 23: the first port field is the source port and the second is the destination port, so the 115.x client is connecting to the 10.x server on destination port 23, and 88 is not correct. The third option might confuse you if you do not know this; it says the client with the 115.x IP is trying to connect to 10.x on the number shown in the source port field. Remember that the source port belongs to the client (it is an ephemeral port chosen by the client) and the next field is the destination server's port. The last option says the client with the 115.x IP is trying to connect to 10.x on port 23 and the request is rejected, so the fourth option is the right one. I'm sure this example gives you a glimpse of how questions related to VPC flow logs can appear, and your understanding of the VPC flow log format is extremely important.
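
A parser for the default flow log record format, as an added example that is not part of the lecture. The sample lines are constructed with RFC 5737 documentation addresses and are not the log from the question; the point it shows is that the two port fields are source then destination, that NODATA/SKIPDATA records carry `-` in the traffic fields, and how a REJECT count per source turns individual records into a scan indicator.

```python
"""Added example (not part of the lecture): parser for the default VPC flow
log record format (version 2, 14 space-separated fields), a helper that turns
a record into the plain statement the exam options use, and a reject-count
check. The sample lines are constructed with documentation addresses."""
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}


def parse_flow_log(line):
    """Split one default-format record into a dict with typed fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry '-' in the address and counter fields.
    for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    rec["protocol"] = PROTOCOLS.get(rec["protocol"], rec["protocol"])
    return rec


def describe(rec):
    """The destination port is the service being contacted; the source port
    is the client's ephemeral port and says nothing about the service."""
    if rec["log_status"] != "OK":
        return f"{rec['interface_id']}: {rec['log_status']} (no traffic data)"
    outcome = "accepted" if rec["action"] == "ACCEPT" else "rejected"
    return (f"client {rec['srcaddr']} is trying to connect to {rec['dstaddr']} "
            f"on {rec['protocol']} port {rec['dstport']} and the request is "
            f"{outcome}")


def rejected_sources(lines, threshold):
    """Source addresses with at least `threshold` REJECT records: a quick
    way to surface a host probing several ports on the interface."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_log(line)
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample records (RFC 5737 addresses, not real traffic).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.0.5 49152 23 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.0.5 49153 22 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.0.5 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_flow_log(line)))
    print("repeat rejected sources:", rejected_sources(SAMPLE_LINES, 2))
```

If a custom log format is configured on the flow log, the field list changes; the parser above is for the default format only, which is what the exam shows.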

Now, the second important pointer for domain two is your understanding of Amazon Inspector. Inspector scans the target against various baselines and supports various rule packages, including Common Vulnerabilities and Exposures (CVE), CIS benchmarks, security best practices and runtime behavior analysis. To select the targets to scan, you provide a key-value pair, which is the tag associated with the target instances. Inspector also needs its agent installed on the target server (the network reachability rule package is the exception, since it works from the VPC configuration without an agent). This describes Inspector Classic; the re-launched Amazon Inspector from 2021 uses the SSM Agent and scans continuously. Now, the third important pointer for domain two is EC2 Systems Manager. Systems Manager contains a lot of capabilities, so at a high level you need to understand what each of these is.

The first is Run Command, which lets us run a command document against the target instances. Patch Compliance lets us check the compliance of a specific EC2 instance with respect to patching. Patch Baseline determines which patches need to be installed on the EC2 instance, and we can also include an approval process (for example, auto-approving critical patches a set number of days after release). Maintenance Window lets us schedule when a specific activity can be carried out on the target instances. And a very important one is Parameter Store. It lets us store configuration and secrets centrally (as SecureString parameters encrypted with KMS), so applications deployed on EC2 instances can query the secrets stored in Parameter Store instead of embedding them.

So Parameter Store is one of the shining and very important services within Systems Manager with respect to security. The next important pointers to remember are AWS Config and CloudWatch Logs. AWS Config records the configuration changes of your resources; it also has various sets of rules, and it gives a nice compliance view showing which resources are compliant or non-compliant against the rules you have added. For CloudWatch Logs, you might see troubleshooting questions where you have an EC2 instance with the CloudWatch Logs agent installed, but the agent is not forwarding logs, so you cannot see the system logs in the CloudWatch Logs console; what might be the issue? Some kind of troubleshooting question like that might come.

You need to understand the three things required to have logs pushed from the EC2 instance to CloudWatch Logs. First, assign an appropriate IAM role to the EC2 instance, and that role must have a policy that allows pushing logs to CloudWatch Logs (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents). Second, once the role and policy are in place, install the CloudWatch agent on the EC2 instance. Third, write the appropriate agent configuration and start the agent (and check the agent's own log file if nothing appears). These are the three pointers to remember. The AWS Athena service is also important. You need to know what Athena is and how it helps with security analysis. Athena is generally used where we want to analyze logs stored in S3.

It can be CloudTrail, VPC flow logs or other logs, which you analyze with SQL statements in a serverless manner. In the exam, if you see a use case where you want to analyze logs in S3 and you don't want to set up infrastructure such as EC2 instances or an ELK stack, then Athena is the right option. Pointer number seven, which is important, is AWS WAF. Know that AWS WAF cannot be attached to an EC2 instance directly; you attach it through an Application Load Balancer or a CloudFront distribution (and, since the exam was written, also API Gateway and AppSync). It is also important to know the WAF terminology: conditions, rules, web ACLs and association. We have a great video on WAF; if you do not remember it, just go through those videos and write down the notes.

  3. Important Pointers – Domain 3

Hey everyone and welcome back. In today’s video we will be discussing some of the important pointers for domain three, infrastructure security, of the Security Specialty certification. The first thing you need to remember is DDoS mitigation; this is a pretty important topic. You need to know which services in AWS can help you protect against distributed denial of service attacks. The exam question might list a lot of services and you might have to choose the three or four right ones. They are AWS Shield, CloudFront, Auto Scaling, Route 53, WAF, and even CloudWatch. These are some of the services that can help you there. The next important pointer is IPS in AWS.

If your organization wants to implement an IPS in AWS, the way of implementing it is a little different, since AWS does not really have a SPAN (mirror) port (VPC Traffic Mirroring, added in 2019, now fills that gap on Nitro-based instances). What you do is install the IPS agent on the EC2 instances; the agent inspects the traffic and typically reports to a central IPS server. That is one of the ways to go about implementing IPS. Now, with respect to CloudFront, you need to understand the origin access identity (OAI). It is used to lock down access to your S3 bucket so that the bucket only accepts requests from the CloudFront distribution. I've seen a lot of startups that keep their code in S3 as public and do not have an OAI, so although they are sending the CloudFront traffic to S3, people can bypass CloudFront and connect directly to S3.

By bypassing CloudFront, they not only bypass the caching but also the security aspects like geo restriction and the web application firewall. You should also know that CloudFront supports SNI for custom SSL certificates, and offers dedicated-IP custom SSL (at extra cost) for compatibility with older browsers that do not support SNI, if that is required. Now you should be prepared for EC2 instance key pair troubleshooting. We have a great video on that, so I would really recommend going through it. What happens if you launch an EC2 instance and the key pair gets deleted after the instance is launched? You need to understand that the public key of whatever key pair you launched the instance with gets stored in the authorized_keys file on the Linux box (~/.ssh/authorized_keys of the default user), so deleting the key pair in the console does not affect the instance; you only need your copy of the private key.

If you create an AMI from that EC2 instance and even copy it to a different region, the original key the instance was launched with will still be present in authorized_keys unless and until you remove it. Important pointer number four is Direct Connect. Direct Connect is a dedicated connection between your data center and AWS. One important security pointer here is that the traffic over a Direct Connect connection is not encrypted. If you want to enable encryption for the data flowing through the Direct Connect connection, you need to establish a VPN tunnel over it (MACsec link-layer encryption has since become available on some Direct Connect dedicated connections). This last pointer is a very important one for the Direct Connect topic.

When it comes to VPN and multicast, remember that AWS does not natively support multicast within a VPC; if you need multicast, you can make it possible through a VPN overlay between instances (Transit Gateway has since added multicast support). Along with that, you should be aware of VPC peering and VPC endpoints. Know that VPC peering now supports inter-region peering; earlier, inter-region peering was not available. A VPC endpoint allows a private connection to an AWS service over the AWS network without going through the internet. Interface endpoints are what AWS calls PrivateLink; S3 and DynamoDB classically use gateway endpoints, which are an entry in the route table. So in the exam, if there is a use case where you want data transfer between an EC2 instance and S3 without going through the internet, the solution is a VPC endpoint.

Do remember that word, PrivateLink. Also remember that at the time of the exam, transit VPC was not directly supported; external appliances were needed for it. In fact, AWS has since launched Transit Gateway, which supports this natively, but since the exam questions may be a little outdated you would have to answer accordingly. The next important point is the integration of Lambda with S3. If a Lambda function needs to pull objects from S3, you should not put access and secret keys inside the Lambda function; instead create an appropriate IAM execution role for Lambda with the S3 permissions it needs and associate that role with the function. Along with that, there is a typical use case you will find in organizations: antivirus scanning of objects in S3.

In one of the organizations I was working with, any time an object was uploaded to an S3 bucket, a Lambda function was triggered; that Lambda function pulled the specific object from S3, scanned it and stored the result. So if you want your Lambda to be triggered whenever an object is uploaded to S3, you can add a trigger based on the event type (s3:ObjectCreated:*) in AWS Lambda. Along with that, remember the EC2 instance metadata: it is accessible at http://169.254.169.254/latest/meta-data/, and if you want to block users inside the EC2 instance from accessing the metadata, you can do it through iptables (an OUTPUT rule that drops traffic to 169.254.169.254 for every account except the ones that need it). Newer options are to require IMDSv2 or to turn the metadata endpoint off through the instance's metadata options.
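
The S3-triggered scanning function described above, as an added example that is not the organization's code from the lecture. The handler relies on its execution role (no access keys anywhere), reads each object named in the event, scans it and tags it with the verdict. `StubS3`, the bucket name, the object keys and the event are constructed for the example, and the only signature checked is the standard EICAR test string, standing in for a real scanning engine.

```python
"""Added example (not part of the lecture): an S3-triggered Lambda handler
that fetches each uploaded object, scans it and records the verdict as an
object tag. The function uses its execution role for S3 access; no access keys
appear. `s3` is injected so the handler runs offline with StubS3; in Lambda it
defaults to boto3.client("s3"). Detection is the EICAR test string only,
a stand-in for a real engine. Bucket, keys and event are constructed."""
import io
import urllib.parse

# Standard anti-virus test string (the EICAR test file); harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_bytes(data):
    """Return 'infected' or 'clean'. Replace with a call to a real engine."""
    return "infected" if EICAR in data else "clean"


def handler(event, context=None, s3=None):
    """Lambda entry point for s3:ObjectCreated:* notifications.
    The execution role needs s3:GetObject and s3:PutObjectTagging."""
    if s3 is None:  # real Lambda run: credentials come from the role
        import boto3
        s3 = boto3.client("s3")
    results = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        # S3 URL-encodes the key in notifications (spaces arrive as '+').
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        verdict = scan_bytes(body)
        s3.put_object_tagging(Bucket=bucket, Key=key,
                              Tagging={"TagSet": [{"Key": "av-status",
                                                   "Value": verdict}]})
        results.append((key, verdict))
    return results


class StubS3:
    """Offline stand-in for the boto3 S3 client (example only)."""
    def __init__(self, objects):
        self.objects = objects  # {(bucket, key): bytes}
        self.tags = {}

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def put_object_tagging(self, Bucket, Key, Tagging):
        self.tags[(Bucket, Key)] = Tagging["TagSet"]


# Constructed S3 event notification with two uploaded objects.
SAMPLE_EVENT = {"Records": [
    {"s3": {"bucket": {"name": "uploads-example"},
            "object": {"key": "reports/q1+results.txt"}}},
    {"s3": {"bucket": {"name": "uploads-example"},
            "object": {"key": "eicar.com"}}},
]}

if __name__ == "__main__":
    stub = StubS3({("uploads-example", "reports/q1 results.txt"): b"numbers",
                   ("uploads-example", "eicar.com"): EICAR})
    print(handler(SAMPLE_EVENT, None, stub))
    print(stub.tags)
```

Downstream consumers can then require the tag (for example, a bucket policy or application check that only serves objects tagged `av-status=clean`). Note the `unquote_plus` call: without it, an object whose name contains a space is looked up under the wrong key and the scan fails with a missing-object error.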

Related to EBS, you should know the pointer about secure data wiping. AWS wipes the data from EBS before the storage is made available for reuse. It might happen that your organization is storing some secrets in EBS, and when you terminate an EC2 instance the EBS root volume goes with it. In that case, AWS will not immediately delete the data; the important part to remember is that AWS will wipe the data from EBS before the storage is made available for reuse. If you want to wipe your own data, you can use industry-standard tools to wipe the volume before deleting it (encrypting the volume with KMS from the start also ensures that whatever remains on the physical media is ciphertext). Along with that, remember that when a storage device reaches its end of use, it is decommissioned using the detailed steps described in NIST 800-88 or DoD 5220.22-M.

I have seen a lot of my colleagues, once a pen drive or a hard disk drive stops working, just throw it in the trash. However, an attacker might still be able to retrieve the data from that pen drive or hard disk drive. So it is very important to follow an industry-standard procedure before decommissioning a hard disk drive. One of the ways NIST and DoD describe is to physically destroy the drive by breaking it into very small pieces, so that even if an attacker gets hold of it, he will not be able to recover the data. Again, that is just one pointer; there are various steps described in these detailed standards for decommissioning a storage device.

Important pointer number eight: you should know the EC2 tenancy attribute, specifically shared, dedicated and host. Shared is when EC2 instances run on hardware shared between your account and multiple other customers. Dedicated is when EC2 instances run only on hardware dedicated to a single AWS account, so the hardware may be shared among instances in the same account but never with other customers. Host is a Dedicated Host, a physical server fully dedicated to you that gives visibility and control at the hardware level (sockets, cores, host ID), which matters for licenses bound to sockets or cores. Along with that, remember that for CloudFront you can enable CloudFront standard logging to a destination S3 bucket. A lot of people do not do that, but always make sure your CloudFront logs are stored in a destination S3 bucket.

Coming to AWS Certificate Manager, remember that you cannot export public certificates issued by ACM; the private key never leaves ACM, so they can only be used with integrated services such as ELB, CloudFront and API Gateway. However, private certificates issued by ACM Private CA can be exported, so they can be used directly on EC2 instances or in containers. Last but not least, understand what the web application firewall is and the difference between rules, conditions, web ACLs and association. We again have a separate video on that which you can go through. Also remember that, as of the exam, WAF can only be associated with an Application Load Balancer and CloudFront. And just before you sit for the exam, know what bastion hosts are and what the AWS Artifact service is (the portal for on-demand access to AWS compliance reports and agreements).

 
