How to pass AWS Security Specialty

The below topics were appeared in the exam:

IAM
– Sharing role with External ID with other account
– IAM Policy syntax
– Protect root, password, Delete access key, MFA.
– SCP, permission boundary
– Revoke access key when key is disclosed
– When use Active Directory you must use IAM Role
CloudTrail
– Track user activity, check if account was leaked
– How to trigger Multi region, multi account.
– How to prevent user change the Trail settings.
– Integrity validation -> Make sure log is not modified, changed when save
S3
– Understand about the encryption, SSE-KMS, SSE-S3, SSE-C and Client Encryption default setting and using Bucket policy to force encryption.
KMS
– Understand AWS managed, customer managed, material key
– Minium to delete key is 7 dasys, if you want to delete the key immediately, delete the material key
– How to rotate the encryption key, if we use KMS then we don’t need to re-encrypt the current data.
– What is encryption letter, what is data key, cipher ?
Macie
– To detect the sensitive data on S3.
CloudFront
– When using with ALB, how to prevent access directly to ALB but only through the CloudFront ?
– Use OI to prevent access directly to S3 but not use the CDN
– ACM
AWS ELB
– How to improve the performance when access to EC2 using Elastic Load balance ? -> Use NLB
VPC
– Security Group inbound vs outbound
– Stateless vs Stateful firewall.
– NACL, Route Table.
– NACL should use IP range, for Security Group can use nested (add SG into a SG)
– Peering
Shield Advanced
– DDOS
WAF
– SQL Injection, limit number of the request to prevent DDOS.
Config
– Config remediate action with Lambda to check/remediate the non-compliance resources in multisite
CloudWatch
– Why CW cannot receive log -> network issues, no permission,
– GuardDuty vs Security Hub

Practice materials:

https://www.udemy.com/course/aws-certified-security-specialty/?fbclid=IwAR39lenknkhX0v0OjBLntEI_GlgxADiuivNvvQKxOciBrKA7wjVsMFnFUmM