AWS Certified Security – specialty (SCS-C02)

• AWS Security Specialty (SCS-C02) exam overview
• Exam format, scoring, and preparation strategy
• Learning approach and certification best practices
• AWS account reuse, Free Tier, billing & support plans
• Billing alerts and delegated access
• IAM admin user creation and AWS CLI setup

• AWS global infrastructure and pricing basics
• Shared Responsibility Model
• Security architecture fundamentals
• Server-based vs serverless architectures
• Decoupling applications using SQS and SNS
•  

• IP addressing, CIDR, public vs private IPs
• VPC components: subnets, route tables, IGW, NAT Gateway
• Security Groups vs Network ACLs
• Elastic IPs and IP management
• VPC endpoints (Gateway & Interface / PrivateLink)
• Bastion host, EC2 Instance Connect, Session Manager
• VPC Flow Logs and traffic flow analysis
•  

• VPC peering (intra & cross-region)
• AWS Transit Gateway
• Resource Access Manager (RAM)
• Hybrid networking: Site-to-Site VPN, Client VPN
• AWS Direct Connect
• Traffic mirroring and packet inspection

• EC2 provisioning, key pairs, metadata & user data
• IAM roles for EC2 and workloads
• AMIs, backups, and instance hardening
• Elastic Load Balancers (ALB, NLB) security
• Auto Scaling Groups and Spot instances
• End-to-end encryption (Client → LB → EC2)
•  

Amazon S3

• Object ownership, durability & consistency
• Storage classes and lifecycle policies
• Versioning and replication (CRR, SRR)
• Access control: IAM, bucket policies, ACLs
• Encryption: SSE-S3, SSE-KMS, SSE-C, client-side
• Object Lock, Legal Hold, Glacier Vault Lock
• S3 incident response

Other Storage

• EBS encryption
• EFS and FSx security concepts

• Amazon CloudWatch (metrics, alarms, logs)
• Log groups, streams, metric filters
• AWS CloudTrail (event history, org trails, log integrity)
• EventBridge for real-time security monitoring
• Log analysis using Athena & CloudWatch Logs Insights
• Root account activity monitoring

• DNS fundamentals and Route 53 routing policies
• Health checks and failover routing
• AWS Certificate Manager (ACM)
• Amazon CloudFront security
  • OAI vs OAC
  • Geo restrictions
• AWS Global Accelerator
• SSL/TLS concepts and custom domains

• IAM fundamentals and policy evaluation logic
• Identity-based vs resource-based policies
• Policy structure: Effect, Action, Resource, Condition
• Explicit deny, implicit deny, permission boundaries
• IAM roles and cross-account access
• Federation, SAML, SSO, Cognito
• Active Directory integration
• AWS STS and temporary credentials
• Confused Deputy problem and mitigation
• IAM security auditing and compliance

• Cryptography fundamentals
• Envelope encryption
• Encryption for S3, EBS, RDS, DynamoDB
• AWS KMS key types and policies
• Grants, APIs, and access control
• Key rotation and lifecycle
• Key material origin: KMS, CloudHSM, external
• Multi-Region KMS keys
• HMAC keys

• SNS and SQS permission models
• Secure service-to-service communication
• Messaging service access control

• AWS Organizations and account structures
• Service Control Policies (SCPs) and RCPs
• Data perimeter concepts
• Root account protection
• AWS Control Tower
• IAM Identity Center (SSO)
• Resource sharing using RAM
• Centralized networking using Transit Gateway

• AWS WAF and rule tuning
• AWS Shield (Standard & Advanced)
• Host-based firewalls (iptables, Windows Firewall)
• Amazon GuardDuty findings and response
• Amazon Macie for data discovery
• Security Hub, Detective, IAM Access Analyzer

• AWS Systems Manager
  • Session Manager
  • Patch Manager
  • Inventory & compliance
• AWS Config rules and automated remediation
• Amazon Inspector (EC2, network, container image scanning)
• AWS Trusted Advisor

• Cloud security incident response lifecycle
• Playbooks vs runbooks
• Credential compromise and data exfiltration response
• Root account compromise handling
• Log-based investigations
• Forensics data collection and preservation
• AWS penetration testing policy