AWS Academy Cloud Security Foundations

Instructor Guide
Version 1.0.2
100-ACSECF-10-EN-IG
© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.

This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc.
Commercial copying, lending, or selling is prohibited.

All trademarks are the property of their owners.


AWS Training and Certification AWS Academy Cloud Security Foundations

Contents
Introduction 4

Introduction to Security on AWS 7

Securing Access to Cloud Resources 12

Securing Your Infrastructure 16

Protecting Data in Your Application 20

Module 6: Logging and Monitoring 24

Responding to and Managing an Incident 28

Bridging to Certification 32

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. 3
AWS Training and Certification Introduction

Welcome
Module timing estimates
Time estimates are as follows:

Content    Estimated duration in minutes
Lecture (total for all slide sections) 40
Activity: AWS Documentation Scavenger Hunt 20
Total content delivery time 60

Module objectives
The purpose of this module is to introduce students to the AWS Academy Cloud Security Foundations
(ACSF) course prerequisites and objectives and provide an overview of what the course will cover.

Course prerequisites and objectives


This section opens by discussing the prerequisites for this course before moving to the course
objectives.
Slide 4 (Course prerequisites) provides an overview of the knowledge and skills that students are
expected to have attained prior to taking this course. The knowledge and skills described on this slide
aren’t all specific to AWS, and you might use this information to identify areas of overlapping focus
between cloud and traditional computing environments.
This course requires a strong foundation in IT concepts and skills. To ensure success in this course,
students should have the following:
• Completed the AWS Academy Cloud Foundations course or have equivalent experience
• Working knowledge of distributed systems
• Working knowledge of general networking concepts
• Working knowledge of multi-tier architectures
• Familiarity with cloud computing concepts
Working knowledge implies that they are able to work with a subject successfully, though they might
not have an in-depth understanding of how it works. Familiarity implies that they have been exposed to
and have a basic understanding of concepts.
Slide 5 (Course objectives)
After completing this course, students should be able to do the following:
• Identify security benefits and responsibilities of using the Amazon Web Services (AWS) Cloud
• Use the identity and access management features of AWS
• Describe how to secure network access to AWS resources
• Explain the available methods for encrypting data at rest and data in transit
• Determine which AWS services can be used for monitoring and incident response


Course overview
This section introduces the modules that make up the course. Students are introduced to the content of
each module along with any activities, demonstrations, and labs that are contained in each module.

AWS Certified Security – Specialty certification


Slide 11 (Preparing for certification) reiterates that this course will not—and is not intended to—fully
prepare students for the AWS Certified Security – Specialty certification exam. Advise students to
thoroughly review the Exam Guide for guidance in preparing for the exam.

Course scenario
Slide 13 (Course scenario) prompts you to show the video that introduces the cloud migration journey
of a fictional bank, AnyBank. This scenario is used to introduce each module in this course in the context
of a series of meetings between the bank's Chief Technology Officer, María Garcia, and their Chief
Information Officer, John. The scenario provides a way to explore topics of cloud-computing security in
the context of relatable business needs. This scenario is intended to provide an example of real-world
applicability of the technical concepts that students will learn in this course.
You can find this video within this module’s section of the course materials.

Activity: AWS Documentation Scavenger Hunt


For this activity, students will use the AWS documentation website at https://docs.aws.amazon.com to
search for the answers to the questions on slide 15 (AWS Documentation Scavenger Hunt). The
purpose of this activity is to familiarize students with the content and location of resources within the
AWS documentation site, and build competence and confidence in their ability to effectively locate and
reference the appropriate materials.
The questions and their answers are as follows:
1. Where can you find a link to the AWS CloudTrail User Guide?
A. On the main documentation page, go to the Management & Governance section.
B. Choose the AWS CloudTrail link.
C. The AWS CloudTrail Documentation page has a link to the user guide.
2. Where would you find information about managing accounts in the AWS Security Hub User
Guide?
A. On the main documentation page, go to the Security, Identity, & Compliance section.
B. Choose the AWS Security Hub link.
C. On the AWS Security Hub Documentation page, choose the AWS Security Hub User
Guide link.
D. In the navigation pane for the user guide, choose Managing accounts.
3. Which section of the website has quick start guides for security, identity, and compliance?
A. On the main documentation page, go to the General Resources section.
B. Choose the Quick Starts link.
C. In the filters, under Content Type, select AWS Quick Starts.
D. Then, under Technology Category, select Security & Compliance.
E. Quick start guides for security, identity, and compliance are listed.

4. Where can you find links to learn how active AWS customers are using AWS within their
organizations?
A. On the main documentation page, go to the General Resources section.
B. Choose the Case Studies link.
C. On the Customer Success Stories page, scroll down to the cards section. Here you can
apply filters to find case studies based on location, industry, use case, and other
characteristics.
5. How might you navigate to the technical guide titled AWS Security Incident Response Guide?
There are multiple ways to find this guide, but the following are two options:
• Option 1
A. On the main documentation page, go to the General Resources section, and choose
the AWS Whitepapers link.
B. On the AWS Whitepapers & Guides page, in the filters, under Content Types, select
Technical Guide.
C. Under Technology Categories, select Security, Identity, & Compliance.
D. The AWS Security Incident Response Guide is one of the listed resources.
• Option 2
A. On the main documentation page, go to the Additional Resources section, and
choose the AWS Security Documentation link.
B. On the AWS Security Documentation page, go to the More Security Information
section, and choose the Security Resources link.
C. On the Security Learning page, in the filters, under Content Type, select Technical
Guide.
D. The AWS Security Incident Response Guide is one of the listed resources.

Additional resources
This module contains the following resource links:
• AWS Certified Security – Specialty Exam Guide
• AWS Certified Security – Specialty
• AWS Documentation

Trends in Cloud Computing document


The Trends in Cloud Computing document provides an overview of some of the latest trends in cloud
computing at AWS, along with resources that students can use to stay informed.
Cloud computing is always changing, and AWS is always innovating. AWS is regularly introducing new
services and features and making improvements, such as lower costs, more granular billing options, new
Regions, and faster performance. Because of these changes, it is vital to stay up to date on what is
happening.
This document is available in the student materials section of the course. Students are encouraged to
review this document periodically to stay informed. This will help them make more informed decisions,
stay competitive, and continue to develop their cloud expertise.


Introduction to Security on AWS


Module timing estimates
Time estimates are as follows:

Content    Estimated duration in minutes
Lecture (total for all slide sections) 55
Activity: Shared Responsibility Model 20
Sample exam question activity 5
Knowledge check 20
Total content delivery time 100

Module objectives
The purpose of this module is to introduce students to how to provide security in the AWS Cloud. The
second section introduces the concept of security, and the triad of confidentiality, integrity, and
availability, or CIA. The second section also recalls the benefits of cloud computing and introduces the
security models that are used in the cloud. The security principles section is based on the design
principles mentioned in the Security Pillar: AWS Well-Architected whitepaper. These principles provide
guidance and best practices on how to strengthen the security posture of the customer’s cloud
environment. This module also covers the AWS shared responsibility model, and identifies customer and
AWS responsibilities.
At the end of this module, students should be able to do the following:
• Identify security features and benefits of cloud computing.
• Identify the security principles that the AWS Cloud is structured around.
• Identify which part of an application the user is responsible to secure in the cloud.

Introduction
Slides 5–7 (Bank business scenario) introduce the business scenario that is used throughout the course,
framed within the context of the content that this module covers.

Security in the AWS Cloud


This section introduces and describes the benefits of the cloud.
Slide 9 (Benefits of the cloud) identifies the value proposition of the cloud. Students learn the benefits
and advantages of cloud computing.
Slide 10 (Security is familiar) introduces the students to the CIA triad of confidentiality, integrity, and
availability, which was originally developed to highlight the important aspects of information security
within an organization.
Slides 11–15 (AWS Cloud security) describe the tools and features that AWS offers to help customers
meet the security objectives around controllability, auditability, visibility, agility, and automation. For
example, AWS CloudFormation can be used for the automation and agility elements. Later in the course,
when you discuss an AWS service, you can refer back to these elements.

Security design principles


In this section, students learn a number of principles that can help strengthen their workload security.
Slides 18–24 (Security principles) identify these security principles, which are based on the Security
Pillar: AWS Well-Architected whitepaper. The security pillar describes how to take advantage of cloud
technologies to protect data, systems, and assets in a way that can improve the security posture. This
paper provides in-depth, best practice guidance for architecting secure workloads on AWS.

Shared responsibility model


In this section, students learn about the AWS shared responsibility model for security.
Slide 27 (Shared responsibility model) provides a review of the AWS shared responsibility model. It is
important for students to understand the responsibilities. For example, the customer should ensure the
security of their OS (guest OS), applications, and workloads running on Amazon Elastic Compute Cloud
(Amazon EC2) instances.
The following chart supports the discussion with the students during the class.

Topic - Who is responsible - Explanation

Customer data - Customer
The customer is responsible for securing their data, which they might store in an Amazon Simple Storage Service (Amazon S3) bucket, for example. AWS provides features (such as Block Public Access, bucket policies, and AWS Identity and Access Management [IAM] features) that make securing data relatively simple. However, it is important to note that customers are responsible for managing access to any data that they store in their accounts.

Platform, applications, identity and access management - Customer
AWS provides customers with IAM service features that they can use to implement fine-grained access control to account resources. However, the customer is responsible for creating the IAM users, groups, roles, and policies that enforce the identity and access management security on the account. Likewise, customers are responsible for securing applications that they build by using AWS services (for example, applications that are installed on EC2 instances).

Operating system, network, and firewall configuration - Customer
The operating system that is referred to here is (for example) the guest OS of an EC2 instance. If the customer runs EC2 instances, they are responsible for managing the guest operating system (including updates and security patches). The customer is also responsible for any application software or utilities that they installed on the instances. Finally, the customer is responsible for configuring the AWS provided firewall (which is called a security group) on each instance.

Client-side data encryption and data integrity, authentication - Customer
Customers are responsible for managing their data. This responsibility includes encrypting data on the client side, for example, by encrypting data before they upload it to the AWS Cloud.

Server-side encryption (file system and data) - Customer
Customers are responsible for encrypting sensitive data. For example, server-side encryption is a feature that is offered on Amazon S3, but the customer is responsible for implementing it as needed.

Network traffic protection (encryption, integrity, identity) - Customer
Customers are responsible for managing their data as it passes over the network—for example, from on-premises environments to the AWS Cloud. This responsibility includes using encryption options and using IAM tools to apply the appropriate permissions. AWS provides services, such as virtual private clouds (VPCs), Amazon Cognito, and AWS Key Management Service (AWS KMS). These services make it easier for customers to protect data that passes through the network.

Compute - AWS
The compute that’s referred to here is part of the AWS Global Infrastructure. For example, AWS runs the compute that makes the AWS Lambda service work.

Storage - AWS
The physical storage hardware is part of the infrastructure of the AWS Cloud. AWS is responsible for protecting the infrastructure that runs all the services that are offered in the AWS Cloud. Therefore, AWS is responsible for physical data storage security.

Databases - AWS
The security of AWS managed database offerings—such as Amazon Relational Database Service (Amazon RDS) and Amazon DynamoDB—is the responsibility of AWS. However, if a customer installs a database (such as MySQL) on an EC2 instance, it would be the customer’s responsibility to maintain the database.

Networking - AWS
AWS is responsible for protecting the infrastructure that runs all the services that are offered in the AWS Cloud. This infrastructure includes the networking hardware in the facilities that run AWS Cloud services.

Regions - AWS
An AWS Region is a physical location around the world where AWS clusters data centers. Because it’s part of the physical infrastructure of the cloud, AWS is responsible for securing a Region. Each AWS Region consists of multiple, isolated, and physically separate Availability Zones within a geographic area.

Availability Zones - AWS
AWS is responsible for protecting Availability Zones, which are part of the infrastructure that runs all the services that are offered in the AWS Cloud. Each AWS Region consists of multiple, isolated, and physically separate Availability Zones within a geographic area. Each Availability Zone consists of one or more data centers.

Edge Locations - AWS
Edge locations are part of the AWS hardware infrastructure. They enable low latency for services such as Amazon CloudFront. More than 200 edge locations exist worldwide, and every edge location connects to an AWS Region.

Slide 28 (Shared responsibility example) focuses on the customer portion of the shared responsibility
model. It’s important for students to understand the role that they will play in their company’s security
infrastructure and what to expect from AWS.
Slide 29 (Security in the cloud) guides the students on how to put practices in place that influence
security. Customers maintain complete control over their content and are responsible for managing
critical security requirements. Customers control what security they choose to implement to protect
their own data, platform, applications, identity and access management, and operating system. This
means that the shared responsibility model changes depending on the AWS services that the customer
uses.
Slides 30–34 (Activity: Shared Responsibility Model) provide an activity to examine customer and AWS
responsibilities in the AWS shared responsibility model. Slides 31 and 33 contain architecture diagrams
with different AWS services and resources. For each scenario, lead the class in a conversation about who
is responsible for each component listed on the slide: AWS or the customer. Slides 32 and 34 provide
the answers.
It is always important to emphasize the distinction between “security in the cloud”, which is the
responsibility of the customer, and “security of the cloud”, which is the responsibility of AWS.
Slide 35 (Managed services organization) and slide 36 (MSO responsibility model) introduce the
students to the centralized governance model. Emphasize that this centralized team can be internal to
the organization (typically called a managed services organization, or MSO) or a third party (typically
called a managed service provider, or MSP). In either case, the primary roles and responsibilities of this
team are similar.

Module wrap-up
Knowledge check
After you present the Module summary slide, ask students to complete the knowledge check.
Sample exam question
Slide 39 (Sample exam question) displays the following question. The keywords have been underlined
for you here:
According to the shared responsibility model, who is responsible for configuring security group
rules to determine which ports are open to an EC2 Linux instance?


Prompt students to identify the keywords, and then discuss the plausibility of each answer.
Explanations of each answer choice:
• A: AWS maintains the configuration of its infrastructure devices, but the customer is responsible
for configuring their own guest operating systems (including networking traffic protection),
databases, and applications.
• B: The customer is responsible for controlling network access to EC2 instances, and security
group rules control access to EC2 instances. [correct answer]
• C: Security group rules filter traffic based on protocols and port numbers, and the customer is
responsible for configuring the networking traffic protection.
• D: AWS maintains the configuration of its infrastructure devices, but the customer is responsible
for configuring their own guest operating systems (including networking traffic protection),
databases, and applications.
Slide 42 (Sample exam question answer) displays the keywords. Click once to reveal the letter of the
correct answer.
The correct answer is B.

Additional resources
This module contains the following resource links:
• What Is Cloud Computing?
• Security Pillar: AWS Well-Architected Framework
• Shared Responsibility Model
• AWS Managed Service Provider (MSP) Program


Securing Access to Cloud Resources


Module timing estimates
Time estimates are as follows:

Content    Estimated duration in minutes
Lecture (total for all slide sections) 90
Demonstration: Amazon S3 Cross-Account Resource-Based Policy 15
Lab: Using Resource-Based Policies to Secure an S3 Bucket 60
Sample exam question activity 5
Knowledge check 20
Total content delivery time 190

Module objectives
The purpose of this module is to introduce the AWS Identity and Access Management (IAM) service, and
to present some of the key terms and elements of the service. This module explains how IAM provides
authentication and authorization. The module examines how IAM integrates with other AWS services.
This module also covers how to use AWS Organizations to manage identities in a hierarchical and
effective manner.
At the end of this module, students should be able to do the following:
• Authorize access to AWS services by using IAM users, groups, and roles.
• Differentiate between different types of security credentials in IAM.
• Authorize access to AWS services by using identity-based and resource-based policies.
• Identify other AWS services that provide authentication and access management services.
• Centrally manage and enforce policies for multiple AWS accounts.

Introduction
Slides 5–7 (Bank business scenario) introduce the business scenario that is used throughout the course,
framed within the context of the content that this module covers.
Slide 8 (Shared responsibility model) reveals the section of the shared responsibility model that is
relevant to the content in this module and its accompanying lab.

IAM fundamentals
This section introduces the IAM service; provides a brief overview of users, groups, roles, and policies;
and discusses the terminology used in the service. This section describes how requests work within IAM
and then explains how IAM provides the key aspects of the service—authentication and authorization—
to customers. The section ends with an introduction to service endpoints, explaining what they are and
how they control and monitor access to the cloud and AWS resources. These resources include the AWS
Management Console, AWS Command Line Interface (AWS CLI), AWS Software Development Kits (SDKs),
and other AWS services.
Slide 10 (AWS Identity and Access Management [IAM]) introduces the students to the IAM service. The
slide describes the functions of the service and its general benefits, including the capabilities that it
provides to AWS administrators.
Slide 11 (What IAM provides) describes the two key purposes of using IAM: to provide authentication
and authorization to AWS resources. This slide explains the differences between authentication and
authorization. Authentication describes who is allowed access to the resources, while authorization
describes what they are allowed access to.
Slide 12 (IAM overview) and slide 13 (IAM terminology) provide an introduction to the basic elements
and terminology of the IAM service. Students are introduced to the manner in which IAM groups and
manages assets, as well as how those assets are used to provide access to AWS resources.
Slide 15 (Service endpoints) explains that the AWS SDKs and AWS CLI access AWS services by using
service endpoints. A service endpoint is a URL that is defined for each service based on the AWS Region.

Authenticating with IAM


In this section, students learn the basics of how IAM provides authentication.
Slide 18 (IAM roles) builds upon the description of IAM roles by explaining how they operate. This slide
introduces the AWS Security Token Service (AWS STS). The slide explains that AWS STS is responsible for
providing the temporary security credentials that allow IAM roles to perform their functions.
Slide 19 (IAM credentials for authentication) explains that two primary types of credentials are used for
authentication. The credential type that you use depends on how you access AWS. Make sure to note
that multi-factor authentication (MFA) is an optional layer of security that can be added, as evidenced
by the MFA Option tags on the slide.
Slide 20 (Multi-factor authentication [MFA]) introduces students to the MFA concept and describes
how it benefits the overall security posture. Make sure to note that using MFA is considered a best
practice due to the additional layer of security that it provides.
Slide 21 (Authentication scenario) provides a step-by-step visual representation of the process an IAM
role goes through to access resources. In this example, a group from an external account (development
account, Developers group) needs access to an Amazon Simple Storage Service (Amazon S3) bucket on
the primary account (production account). The Developers group uses a role, UpdateApp, within the
production account to get the permissions that are required to access the S3 bucket.

Authorizing with IAM


In this section, students learn the basics of how IAM provides authorization.
Slide 25 (Policies and permissions) explains how to control access to your AWS resources by using IAM
policies that grant or deny permissions. Most IAM policies are defined using JavaScript Object Notation
(JSON) files. Make sure to emphasize that anything not explicitly granted access in a policy is denied by
default.
Slide 26 (Identity-based and resource-based policies) describes identity-based and resource-based
policies.


Examples of authorizing with IAM


Slide 31 (Example: Identity-based policy) and slide 32 (Example: Cross-account, resource-based policy)
provide a comparison of an identity-based policy and a resource-based policy. The comparison can help
students to see the differences in how these two policy types control access. Students also see how to
implement this control in the JSON format.
Slide 33 (Example IAM policy: Allow statement) and slide 34 (Example IAM policy: Deny statement)
give an example of an allow statement and a deny statement within a single policy. These slides explain
how to use both allow and deny policies to secure resources within the AWS Cloud.
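The evaluation logic these slides describe (denied by default, an Allow statement that grants access, and a Deny statement that overrides it), as an added Python example that is not part of the guide or of any AWS tooling. The policy documents, bucket name, account ID and ARNs are constructed placeholders, and the evaluator is a deliberately reduced model of single-account IAM evaluation: it ignores conditions, principals, SCPs, permissions boundaries and cross-account rules.

```python
"""Toy evaluator for IAM-style JSON policy statements (added teaching model).

Models the single-account rules the slides state: access is denied by
default, an Allow statement grants it, and an explicit Deny overrides any
Allow. Conditions, Principal matching, NotAction/NotResource, SCPs,
permissions boundaries and cross-account evaluation are left out on purpose.
"""
import fnmatch
import json


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when both the Action and Resource patterns of a statement match.

    Action names are case-insensitive in IAM; resource ARNs are not.
    '*' and '?' behave like IAM wildcards (fnmatch's '*' also crosses '/').
    """
    action_hit = any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in _as_list(stmt.get("Action", []))
    )
    resource_hit = any(
        fnmatch.fnmatchcase(resource, pattern)
        for pattern in _as_list(stmt.get("Resource", []))
    )
    return action_hit and resource_hit


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    All identity-based and resource-based policies in play are evaluated together:
    an explicit Deny anywhere wins immediately, one matching Allow grants access,
    and a request that no statement covers is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            if stmt["Effect"] == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed sample policies: bucket name, account ID and ARNs are placeholders.
# Identity-based policy in the spirit of the Allow/Deny statement slides:
# read access to one bucket, with deletion explicitly denied everywhere.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
  ]
}""")

# Resource-based (bucket) policy that widens access to one prefix only.
# Principal is kept for realism but is ignored by this toy model.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/report-writer"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-reports/uploads/*"}
  ]
}""")


def demo_decisions() -> dict:
    """Evaluate a handful of constructed requests against both policies."""
    policies = [IDENTITY_POLICY, BUCKET_POLICY]
    bucket = "arn:aws:s3:::example-reports"
    requests = {
        "read_report": ("s3:GetObject", f"{bucket}/q1.csv"),
        "upload_to_prefix": ("s3:PutObject", f"{bucket}/uploads/new.csv"),
        "upload_to_root": ("s3:PutObject", f"{bucket}/new.csv"),
        "delete_report": ("s3:DeleteObject", f"{bucket}/q1.csv"),
        "read_other_bucket": ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "delete_other_bucket": ("s3:DeleteObject", "arn:aws:s3:::other-bucket/x"),
    }
    return {name: evaluate(policies, act, res) for name, (act, res) in requests.items()}


if __name__ == "__main__":
    for name, outcome in demo_decisions().items():
        print(f"{name:20} -> {outcome}")
```

Note that "delete_other_bucket" ends in an explicit deny even though no statement allows anything on that bucket: a Deny statement is evaluated on its own and does not need a matching Allow to take effect.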

Demonstration: Amazon S3 Cross-Account Resource-Based Policy


Slide 36 prompts you to show a video demonstration.
The video shows how to grant access to resources created in one AWS account to a user in another AWS
account. The demonstration shows how the user in the second account is able to switch roles to gain
access to a resource in the first account. Finally, the video shows how to use a resource-based policy to
restrict access to a specified resource.

Additional authentication and access management services


This section provides an overview of additional authentication and access management services that are
available in the AWS Cloud. This section begins with an explanation of what identity federation is and
how AWS services support it. The section continues by describing how AWS Single Sign-On (AWS SSO),
AWS Directory Service, and Amazon Cognito provide authentication and access management.

Using AWS Organizations


This section introduces the AWS Organizations service. This section describes how the service provides
the ability to create an organization. The section explains how Organizations provides centralized
account creation, management, and policy creation capabilities. The section also discusses how
Organizations provides service control policies (SCPs). You can use SCPs to ensure that your accounts
remain within your organization's access control guidelines.

Lab: Using Resource-Based Policies to Secure an S3 Bucket


Before the lab, discuss the lab scenario and the lab tasks with students:
1. Accessing the console as an IAM user
2. Attempting read-level access to AWS services
3. Analyzing the identity-based policy applied to the IAM user
4. Attempting write-level access to AWS services
5. Assuming an IAM role and reviewing a resource-based policy
6. Understanding resource-based policies
After students complete the lab, debrief the lab by leading the class in a conversation about the key
takeaways from the lab. Debriefing the lab is encouraged. It can help students make connections
between their hands-on experience and the concepts that you discussed in the preceding lecture.


Module wrap-up
Knowledge check
After you present the Module summary slide, ask students to complete the knowledge check.
Sample exam question
Slide 52 (Sample exam question) displays the following question. The keywords have been underlined
for you here:
How would a system administrator add an additional layer of login security to protect a user's
access to the AWS Management Console?
Prompt students to identify the keywords, and then discuss the plausibility of each answer.
Explanations of each answer choice:
• A: Using Cloud Directory would not add any additional layers of login security to the AWS
Management Console.
• B: An audit of IAM roles will show you the IAM users that currently have roles assigned, but this
does not add any additional security.
• C: MFA is a simple best practice that adds an extra layer of protection on top of a user name and
password. [correct answer]
• D: With CloudTrail, you can log the date, time, and identity of users accessing your directory
data. However, this does not provide additional login security.
Slide 53 (Sample exam question answer) displays the keywords. Click once to reveal the letter of the
correct answer.
The correct answer is C.

Additional resources
This module contains the following resource links:
• What Is IAM?
• AWS Services that Work with IAM
• Security Best Practices in IAM
• AWS Security Credentials
• Policies and Permissions in IAM
• Identity-Based Policies and Resource-Based Policies
• Managed Policies and Inline Policies
• Testing IAM Policies with the IAM Policy Simulator
• Permissions Boundaries for IAM Entities
• Identity Federation in AWS
• What Is AWS Single Sign-On?
• AWS Directory Service: Managed Microsoft Active Directory in AWS
• What Is Amazon Cognito?
• What Is AWS Organizations?
• Service Control Policies (SCPs)


Securing Your Infrastructure


Module timing estimates
Time estimates are as follows:

Content                                                   Estimated duration in minutes
Lecture (total for all slide sections)                    90
Lab: Securing VPC Resources by Using Security Groups      90
Sample exam question activity                             5
Knowledge check                                           20
Total content delivery time                               205

Module objectives
The purpose of this module is to introduce how to secure your infrastructure. This module explains how
to use a virtual private cloud (VPC), and describes VPC components and security features. The module
examines how to use security groups, network access control lists (ACLs), and subnets to make networks
more secure and efficient. The module also describes how internet gateways, NAT gateways, and route
tables control where network traffic is directed. Finally, the module describes how Elastic Load
Balancing (ELB) automatically distributes incoming application traffic and scales resources to meet traffic
demands.
At the end of this module, students should be able to do the following:
• Define the components of a VPC.
• Recognize account boundaries.
• Describe Amazon Web Services (AWS) services that are available to protect their network and
resources.

Introduction
Slides 5–7 (Bank business scenario) introduce the business scenario that is used throughout the course,
framed within the context of the content that this module covers.
Slide 8 (Shared responsibility model) reveals the section of the shared responsibility model that is
relevant to the content in this module and its accompanying lab.

Structure of a three-tier web application


This section begins by reviewing an architecture diagram of a three-tier web application environment.
The environment consists of presentation, business logic, and data storage layers. In later sections, you
can tie back to this diagram by describing which tier or tiers a particular service or feature helps you to
secure.


Using a VPC
In this section, students will learn about the Amazon Virtual Private Cloud (Amazon VPC) service,
including benefits, components, and security features.
Slide 12 (Amazon Virtual Private Cloud [Amazon VPC]) focuses on Amazon VPC providing a logically
isolated section of the AWS Cloud where you can launch resources in a virtual network that you define.
After an explanation of VPC benefits, students dive deeper into VPCs and subnets.

Setting up public and private subnets and internet protocols


This section describes how to set up public and private subnets and internet protocols.
Slide 15 (Internet gateway) discusses the two purposes that an internet gateway serves.
Slide 17 (Private subnet) discusses how interfaces that are attached to Amazon Elastic Compute Cloud
(Amazon EC2) instances in private subnets are not reachable from outside the parent VPC.
Slide 18 (Public subnet) discusses how an instance in a public subnet must have a public IP address
assigned, and the subnet needs an entry in its route table to an internet gateway.
Slide 19 (IP addressing) discusses how IP addresses enable resources in a VPC to communicate with
each other and with resources over the internet. When you create a VPC, you assign an IPv4 Classless
Inter-Domain Routing (CIDR) block (a range of private IPv4 addresses) to it. After you create a VPC, you
cannot change the address range, so it is important to choose it carefully.
Slide 24 (Route tables and routes) discusses how a route table contains a set of rules (called routes) that
direct network traffic. Each route specifies a destination and a target. Each subnet in a VPC must be
associated with a route table.

Using AWS security groups


This section provides information about using security groups as part of securing your infrastructure.
Slides 27–28 (Security groups) provide an overview of how a security group acts as a virtual firewall to
control inbound and outbound traffic for an EC2 instance. The slide outlines that, for each security
group, you add one set of rules that control the inbound traffic to instances and a separate set of rules
that control the outbound traffic. By default, a security group denies all inbound traffic and allows all
outbound traffic. To permit inbound traffic, you must add inbound rules to the security group.

Using AWS network ACLs


This section provides information about using network access control lists (ACLs) as part of securing your
infrastructure.
Slides 31–32 (Network ACLs) provide an overview of how a network ACL acts as a virtual firewall to
control traffic in and out of one or more subnets. By default, a network ACL allows all inbound and
outbound IPv4 traffic.
Note that a security group works at the instance level, while a network ACL works at the subnet level.
Slide 33 (Comparing security groups and network ACLs) uses a table to compare security groups and
network ACLs. Attributes include scope, supported rules, state, and order of rules.
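Added example (not part of the instructor guide or the lab): a small Python simulator that applies the security group and network ACL behaviour described in the two sections above, showing that a reply leaves through a security group on connection state alone, while a network ACL needs an explicit outbound rule for the ephemeral port range. The IP ranges, rule numbers, and ports are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port


def _matches(cidr, lo, hi, addr, port):
    return ip_address(addr) in ip_network(cidr) and lo <= port <= hi


@dataclass
class SecurityGroup:
    """Instance level. Allow rules only: anything unmatched is denied.
    Stateful: a reply to an allowed connection passes without a rule."""
    inbound: list = field(default_factory=list)   # (source cidr, port_lo, port_hi)
    outbound: list = field(default_factory=list)  # (dest cidr, port_lo, port_hi)
    _flows: set = field(default_factory=set, init=False)

    def allows(self, pkt, direction):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True                      # reply to a tracked connection
        if direction == "inbound":
            ok = any(_matches(c, lo, hi, pkt.src, pkt.dport) for c, lo, hi in self.inbound)
        else:
            ok = any(_matches(c, lo, hi, pkt.dst, pkt.dport) for c, lo, hi in self.outbound)
        if ok:
            self._flows.add(flow)            # remember it so the reply can return
        return ok


@dataclass
class NetworkAcl:
    """Subnet level. Numbered allow/deny rules, evaluated lowest number first,
    first match wins, implicit final deny. Stateless: replies need their own
    rule in the opposite direction (typically the ephemeral port range)."""
    inbound: list = field(default_factory=list)   # (number, action, source cidr, lo, hi)
    outbound: list = field(default_factory=list)  # (number, action, dest cidr, lo, hi)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "inbound" else self.outbound
        addr = pkt.src if direction == "inbound" else pkt.dst
        for _number, action, cidr, lo, hi in sorted(rules):
            if _matches(cidr, lo, hi, addr, pkt.dport):
                return action == "allow"
        return False


def trace_http(sg, nacl, client_ip, server_ip, ephemeral_port=49152):
    """Verdict of each layer for one HTTP request and its reply. Traffic enters
    the subnet (network ACL) before it reaches the instance (security group)."""
    request = Packet(client_ip, server_ip, ephemeral_port, 80)
    reply = Packet(server_ip, client_ip, 80, ephemeral_port)
    return {
        "request": {"nacl": nacl.allows(request, "inbound"),
                    "sg": sg.allows(request, "inbound")},
        "reply": {"nacl": nacl.allows(reply, "outbound"),
                  "sg": sg.allows(reply, "outbound")},
    }


def demo_sg():
    # Constructed: HTTP only from the office CIDR, and no outbound rules at all,
    # to make the point that replies rely on state, not on an outbound rule.
    return SecurityGroup(inbound=[("203.0.113.0/24", 80, 80)])


def demo_nacl(with_ephemeral_rule):
    # Constructed: allow HTTP in from anywhere; the outbound ephemeral-port
    # rule is what lets the server's replies leave the subnet.
    outbound = [(100, "allow", "0.0.0.0/0", 1024, 65535)] if with_ephemeral_rule else []
    return NetworkAcl(inbound=[(100, "allow", "0.0.0.0/0", 80, 80)], outbound=outbound)


if __name__ == "__main__":
    print(trace_http(demo_sg(), demo_nacl(True), "203.0.113.10", "10.0.1.5"))
    print(trace_http(demo_sg(), demo_nacl(False), "203.0.113.10", "10.0.1.5"))
    print(trace_http(demo_sg(), demo_nacl(True), "198.51.100.7", "10.0.1.5"))
```

The second run shows the reply blocked only by the network ACL, the third shows a broad network ACL passing a request that the security group then denies.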


Using AWS load balancers


This section provides information about using load balancers as part of securing your infrastructure.
Slide 37 (Elastic Load Balancing [ELB]) describes how ELB automatically distributes incoming application
traffic across multiple targets, such as EC2 instances, containers, and IP addresses. ELB scales your
load-balancing device as traffic to your application changes over time and can scale to the vast majority
of workloads automatically.
Slide 39 (Load balancers in action) provides a diagram that shows how load balancers work.

Pulling it all together


This section examines how all of the security pieces work together.
Slide 42 (Workflow) displays a diagram that shows all of the security pieces that have been discussed
and how they can be used together.
Slide 43 (Best practices to protect your network) provides an overview of best practices to protect your
network. These include controlling traffic at all layers, inspecting and filtering your traffic at the
application level, automating network protection, and limiting exposure.

Protecting your compute resources


This section describes best practices to protect your compute resources.
Slide 45 (Amazon Inspector) describes how Amazon Inspector is an automated security assessment
service that helps improve the security and compliance of applications deployed on AWS.
Slide 47 (AWS Systems Manager) describes how Amazon Inspector uses the widely deployed AWS
Systems Manager Agent (SSM Agent) to collect the software inventory and configurations from your EC2
instances. Systems Manager gives you visibility and control of your infrastructure on AWS. Systems
Manager provides a unified user interface so you can view operational data from multiple AWS services.

Lab: Securing VPC Resources by Using Security Groups


Before the lab, discuss the lab scenario and the lab tasks with students:
1. Analyzing the VPC and private subnet resource settings
2. Analyzing the public subnet resource settings
3. Testing HTTP connectivity from public EC2 instances
4. Restricting HTTP access by using an IP address
5. Scaling restricted HTTP access by referencing a security group
6. Restricting HTTP access by using a network ACL
7. Connecting to the AppServer by using a bastion host and SSH
8. Connecting directly to a host in a private subnet by using Session Manager
After students complete the lab, debrief the lab by leading the class in a conversation about the key
takeaways from the lab. Debriefing the lab is encouraged. It can help students make connections
between their hands-on experience and the concepts that you discussed in the preceding lecture.


Module wrap-up
Knowledge check
After you present the Module summary slide, ask students to complete the knowledge check.
Sample exam question
Slide 56 (Sample exam question) displays the following question. The keywords have been underlined
for you here:
A system administrator created a single EC2 instance, and set up network ACLs and the
appropriate subnet routing. However, they want to provide an extra layer of security by applying
a firewall to control access to and from the EC2 instance. Which action should the system
administrator take?
Prompt students to identify the keywords, and then discuss the plausibility of each answer.
Explanations of each answer choice:
• A: A network ACL acts as a firewall for associated subnets to control inbound and outbound
traffic, but it operates at the subnet level.
• B: A security group acts as a virtual firewall for your EC2 instances to control inbound and
outbound traffic. [correct answer]
• C: A route table is used to control where network traffic is directed. It does not function as a
firewall.
• D: A load balancer automatically distributes incoming application traffic and scales resources to
meet traffic demands. It does not function as a firewall.
Slide 57 (Sample exam question answer) displays the keywords. Click once to reveal the letter of the
correct answer.
The correct answer is B.

Additional resources
This module contains the following resource links:
• What Is Amazon VPC?
• Connect to the Internet Using an Internet Gateway
• NAT Gateways
• NAT Instances
• Compare NAT Gateways and NAT Instances
• VPC Sizing
• Public IPv4 Addresses
• Associate Elastic IP Addresses with Resources in Your VPC
• Configure Route Tables
• Control Traffic to Resources Using Security Groups
• Control Traffic to Subnets Using Network ACLs
• Logging IP Traffic Using VPC Flow Logs
• What is Elastic Load Balancing?
• Data Protection in Elastic Load Balancing
• Amazon Inspector


Protecting Data in Your Application


Module timing estimates
Time estimates are as follows:

Content                                                   Estimated duration in minutes
Lecture (total for all slide sections)                    90
Lab: Encrypting Data at Rest by Using AWS KMS             75
Sample exam question activity                             5
Knowledge check                                           20
Total content delivery time                               190

Module objectives
The purpose of this module is to introduce how to protect data at rest and data in transit. The module
begins with an overview of why it’s important to protect data at rest. Then, the module introduces
protection features in Amazon Simple Storage Service (Amazon S3). Next is an overview of client-side
and server-side encryption, and the types of encryption that Amazon S3 supports. After that, the
module discusses how to protect data in transit, best practices for protecting data in Amazon S3, and
additional data protection services.
At the end of this module, students should be able to do the following:
• Describe how to protect data at rest and in transit.
• Identify Amazon S3 protection features.
• Encrypt data in Amazon S3.
• Differentiate between client-side encryption (CSE) and server-side encryption (SSE).
• Identify Amazon Web Services (AWS) services that help protect their data.

Introduction
Slides 5–8 (Bank business scenario) introduce the business scenario that is used throughout the course,
framed within the context of the content that this module covers.
Slide 9 (Shared responsibility model) reveals the section of the shared responsibility model that is
relevant to the content in this module and its accompanying lab.

Protect data at rest


This section begins by explaining why it’s important to protect data at rest. Next, this section discusses
the types of access control mechanisms that Amazon S3 supports.
Slide 12 (Data at rest in Amazon S3) explains that, by default, all S3 buckets are private and can be
accessed only by users who are explicitly granted access. Also, this slide explains that you can apply
bucket policies to define granular access to different objects inside a bucket.


Slide 13 (Granting permissions) defines the difference between an identity-based policy and a resource-
based policy.

Amazon S3 protection features


This section introduces Amazon S3 protection features to consider when developing and implementing
security policies.
Slide 16 (Amazon S3 Block Public Access) through slide 18 (Amazon S3 Object Lock) describes the Block
Public Access, Versioning, and Object Lock features of Amazon S3. By using these features, you can
protect data assets against unintended access, modification, deletion, and corruption. Versioning and
Object Lock can help you manage object retention.

Protection through encryption


In this section, students receive an introduction to client-side and server-side encryption, and an
overview of the encryption options in Amazon S3. This section also provides an example of how to use
AWS Key Management Service (AWS KMS) to encrypt and decrypt Amazon Elastic Block Store (Amazon
EBS) volume data.
Slide 21 (Encryption: What, how, and why) defines what encryption is and how it protects data. The
slide explains that encryption is a means of securing digital data using one or more mathematical
techniques, along with a password or key, which is used to decrypt the information. Students learn that
the encryption process translates information by using an algorithm that makes the original information
unreadable. The process converts plaintext data into an alternative form known as ciphertext.
Slide 22 (Comparing client-side and server-side encryption) provides a side-by-side comparison of
client-side and server-side encryption. Students learn that AWS supports both types of encryption and
that each approach has its own advantages. Finally, they learn that, for an enhanced security profile,
they could employ both techniques.
Slide 25 (Types of Amazon S3 server-side encryption) describes the three options to maintain the
encryption keys for server-side encryption in Amazon S3:
• SSE with customer-provided keys (SSE-C)
• SSE with Amazon S3 managed keys (SSE-S3)
• SSE with AWS KMS keys (SSE-KMS)
Slide 26 (Encryption overview) and slide 27 (Decryption overview) walk students through the process
of encrypting and decrypting a file. The first slide explains what happens when a file is uploaded to
Amazon S3, and the second slide describes what happens when there is a request to open a stored
encrypted object.
Slide 28 (AWS Key Management Service [AWS KMS]) introduces the students to the AWS KMS service.
The slide describes the service’s functions, including the capability to create and control the keys that
are used to encrypt data, and centrally manage and securely store keys.
Slide 29 (AWS KMS example with Amazon EBS) describes an encryption solution for Amazon EBS
resources that are associated with Amazon Elastic Compute Cloud (Amazon EC2) instances.
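Added example (not from the course or its lab): the encryption and decryption flow of slides 26 and 27 in Python, with a simulated KMS standing in for AWS KMS so it runs offline. It assumes the envelope-encryption pattern that SSE-KMS uses (a per-object data key wrapped by the KMS key) and uses an HMAC-based cipher as a stand-in for AES-GCM; the key alias and object body are constructed, and disabling the key at the end mirrors lab task 7.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class KmsKeyDisabled(Exception):
    """KMS refuses to use a disabled key (what lab task 7 lets students observe)."""


def _keystream(key, nonce, length):
    # Counter mode with HMAC-SHA256 as the PRF: a stand-in for AES-CTR/GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key, plaintext, aad=b""):
    """Authenticated encryption (encrypt-then-MAC). Returns nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob, aad=b""):
    """Verify the tag first; a modified ciphertext is rejected, never decrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class SimulatedKms:
    """Stand-in for AWS KMS: key material never leaves this object, callers only
    ever receive data keys. That property is what makes SSE-KMS work."""
    keys: dict = field(default_factory=dict)  # key_id -> [material, enabled]

    def create_key(self, key_id):
        self.keys[key_id] = [secrets.token_bytes(32), True]
        return key_id

    def disable_key(self, key_id):
        self.keys[key_id][1] = False

    def _material(self, key_id):
        material, enabled = self.keys[key_id]
        if not enabled:
            raise KmsKeyDisabled(key_id)
        return material

    def generate_data_key(self, key_id):
        """GenerateDataKey: a fresh data key, plaintext plus wrapped under the KMS key."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._material(key_id), data_key, key_id.encode())

    def decrypt_data_key(self, key_id, wrapped):
        """Decrypt: unwrap a stored data key; fails if the KMS key is disabled."""
        return open_sealed(self._material(key_id), wrapped, key_id.encode())


def put_object_sse_kms(kms, key_id, body):
    """Slide 26: get a data key, encrypt the object with it, store the ciphertext
    next to the *wrapped* data key. The plaintext data key is not stored."""
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"kms_key_id": key_id, "wrapped_data_key": wrapped, "ciphertext": seal(data_key, body)}


def get_object_sse_kms(kms, stored):
    """Slide 27: KMS unwraps the data key, then the object is decrypted locally.
    Without KMS cooperation the stored bytes alone are useless."""
    data_key = kms.decrypt_data_key(stored["kms_key_id"], stored["wrapped_data_key"])
    return open_sealed(data_key, stored["ciphertext"])


def demo():
    kms = SimulatedKms()
    key_id = kms.create_key("alias/lab-key")                          # constructed alias
    stored = put_object_sse_kms(kms, key_id, b"account ledger 2024")   # constructed body
    before = get_object_sse_kms(kms, stored)
    kms.disable_key(key_id)                                          # lab task 7
    try:
        get_object_sse_kms(kms, stored)
        after = "readable"
    except KmsKeyDisabled:
        after = "denied: KMS key disabled"
    return before, after
```

Calling demo() returns the decrypted body from before the key was disabled and the refusal afterwards; the ciphertext in "S3" is untouched in both cases.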


Lab: Encrypting Data at Rest by Using AWS KMS


Before the lab, discuss the lab scenario and the lab tasks with students:
1. Creating an AWS KMS key
2. Storing an encrypted object in an S3 bucket
3. Attempting public access to the encrypted object
4. Attempting signed access to the encrypted object
5. Monitoring AWS KMS activity by using CloudTrail
6. Encrypting the root volume of an existing EC2 instance
7. Disabling the encryption key and observing the effects
After students complete the lab, debrief the lab by leading the class in a conversation about the key
takeaways from the lab. Debriefing the lab is encouraged. It can help students make connections
between their hands-on experience and the concepts that you discussed in the preceding lecture.

Protect data in transit


In this section, students learn about protecting data in transit.
Slide 36 (Why protect data in transit?) focuses on the reason for protecting data in transit when
running applications in the cloud. This involves protecting network traffic between clients and servers,
and network traffic between servers.
Slide 37 (Protecting data in transit) highlights that data in transit protection happens through network
encryption. All AWS service endpoints support TLS to create a secure HTTPS connection to make API
requests.
Slide 39 (AWS Certificate Manager [ACM]) through slide 41 (ACM Private CA considerations)
introduces the students to the AWS Certificate Manager service. These slides describe the functions of
the service and its general considerations, including the capabilities to provide a single interface to
manage both public and private certificates.

Best practices to protect data in Amazon S3


This section discusses general best practices and guidelines for protecting data in Amazon S3. Students
will learn that some best practices might not be appropriate or sufficient for their environment; teach
them to treat these practices as helpful considerations rather than prescriptions.

Additional data protection services


This section provides examples of additional AWS services that are commonly used as part of the data
protection strategy. Describe each service and explain where it fits as part of an organization's cloud
security plan.

Module wrap-up
Knowledge check
After you present the Module summary slide, ask students to complete the knowledge check.


Sample exam question


Slide 59 (Sample exam question) displays the following question. The keywords have been underlined
for you here:
A company requires that data stored in AWS be encrypted at rest. Which approach would meet
this requirement?
Prompt students to identify the keywords, and then discuss the plausibility of each answer.
Explanations of each answer choice:
• A: Using EBS-optimized Amazon EC2 instances alone does not guarantee protection of data at rest.
• B: This does not encrypt data at rest for Amazon S3 objects.
• C: You don’t store data in an instance store.
• D: Server-side encryption protects data at rest. [correct answer]
Slide 60 (Sample exam question answer) displays the keywords. Click once to reveal the letter of the
correct answer.
The correct answer is D.

Additional resources
This module contains the following resource links:
• Using Versioning in S3 Buckets
• How S3 Object Lock Works
• Blocking Public Access to Your Amazon S3 Storage
• Protecting Data Using Encryption
• Protecting Data Using Server-Side Encryption
• AWS Key Management Service (AWS KMS)
• How AWS Services Use AWS KMS
• Generating a Presigned URL to Upload an Object
• How to Securely Provide Database Credentials to Lambda Functions by Using AWS Secrets
Manager


Logging and Monitoring


Module timing estimates
Time estimates are as follows:

Content                                                          Estimated duration in minutes
Lecture (total for all slide sections)                           90
Demonstration: Security Hub                                      15
Lab: Monitoring and Alerting with CloudTrail and CloudWatch      75
Sample exam question activity                                    5
Knowledge check                                                  20
Total content delivery time                                      225

Module objectives
The purpose of this module is to introduce logging and monitoring in the AWS environment. This
module explains the concepts of logging and monitoring, and gives students insight into the information
that is contained within log files. The module examines how that information is used in a monitoring
environment to enhance security throughout the AWS environment. This module also covers best
practices for logging and monitoring, and introduces additional AWS services that can be used to
improve the overall security posture of an AWS environment.
At the end of this module, students should be able to do the following:
• Log and monitor access and control to help identify security threats.
• Read and interpret log reports to identify security threats.
• Monitor and report on your AWS resources and applications.
• Recognize when to use Amazon CloudWatch and when to use AWS CloudTrail.

Introduction
Slides 5–8 (Bank business scenario) introduce the business scenario that is used throughout the course,
framed within the context of the content that this module covers.

Importance of logging and monitoring


This section begins by defining logging and describing common elements of a log file. Next, this section
introduces examples of how to use log files, and explains why they are an important element of an
organization's security practices. Finally, this section discusses the concept of monitoring and introduces
students to AWS services that provide monitoring capabilities, which are covered later in the module.
Slide 11 (What is logging?) and slide 12 (Why is logging important?) define logging as the collection and
recording of activity and event data. Students learn that a service itself or a secondary service can
provide logging capabilities, and the information that is logged will vary by service.


The discussion continues on to explain why logging is important for organizations, and identifies some
common legal requirements, such as the United States Health Insurance Portability and Accountability
Act (HIPAA), the European Union's General Data Protection Regulation (GDPR), and Brazil's General Data
Privacy Law (LGPD), which organizations might be subject to depending on their roles and locations.
Slide 13 (What is monitoring?) introduces students to two of the AWS monitoring services that the
module will discuss, CloudTrail and CloudWatch, with a brief description of each service.

Capture and collect


In this section, students learn about CloudTrail, and how it integrates into an overarching monitoring
and logging solution.
Slide 16 (AWS CloudTrail) and slide 17 (API security-relevant information) focus on CloudTrail and the
services that it provides. After an explanation of what the CloudTrail service is and does, students dive
deeper into what CloudTrail records for each API call, and how they can use the information that is
recorded.

Activity: Reading a Log File


For this activity, you will walk students through an example of a CloudTrail log file. You will examine the
elements of the log and what information each element provides.
Slide 19 (Reading a log: Identity of the caller) looks at the log file snippet that displays the identity of
the user who performed the action. Walk students through the elements of the userIdentity section,
drawing attention to the type, principalId, and userName portions, which provide identity information.
Take a moment to review the snippet with the students and ask them to answer the following questions
individually or as a group:
• What type of account did the log collect information about?
• What can you determine from the arn element?
Slide 20 (Reading a log: Time and origin of the request) focuses on the elements of the log file that
provide the request's time and origin information. Point out that the eventTime timestamp is captured
in Coordinated Universal Time (UTC), which is denoted by the letter Z at the end of the timestamp.
Explain each line of the example, noting the information that is provided.
Take a moment to review the snippet with the students and ask them to answer the following questions
individually or as a group:
• What does the eventSource field give you information about?
• In the eventName field, what does the StopInstances value indicate?
• What method was used to perform this action? (Console, AWS CLI, or other)
Slide 21 (Reading a log: Request parameters and response elements) focuses on what happened. Draw
attention to the currentState element, pointing out that it is in the process of stopping. Next, point out
the previousState, which shows running. This provides evidence that the request changed the state.
Take a moment to review the snippet with the students and ask them to answer the following questions
individually or as a group:
• In the instanceId field, what does the i-ebeaf9e2 value indicate?
• What was the action that was performed?
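Added example (not part of the course materials): a Python reader that answers the questions of slides 19 through 21 from a CloudTrail record. The record is constructed to match the activity (StopInstances on i-ebeaf9e2); the account ID, ARN, user name, IP address, timestamp, the userAgent heuristic for the access method, and the set of security-group API names it also checks for are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed record shaped like a CloudTrail event for the slide 19-21 activity
# (StopInstances on i-ebeaf9e2). Account ID, ARN, IP, and time are placeholders.
CONSTRUCTED_RECORD = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAEXAMPLEPRINCIPAL",
        "arn": "arn:aws:iam::111122223333:user/alice",
        "accountId": "111122223333",
        "userName": "alice",
    },
    "eventTime": "2024-03-14T15:09:26Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.42",
    "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64",
    "requestParameters": {
        "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
        "force": False,
    },
    "responseElements": {
        "instancesSet": {"items": [{
            "instanceId": "i-ebeaf9e2",
            "currentState": {"code": 64, "name": "stopping"},
            "previousState": {"code": 16, "name": "running"},
        }]},
    },
})
RECORD = json.loads(CONSTRUCTED_RECORD)

# EC2 API names assumed for the lab's EventBridge rule that monitors security groups.
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def who(record):
    """Slide 19: identity of the caller. The account number is field 5 of the ARN."""
    ident = record["userIdentity"]
    return {"type": ident["type"], "principalId": ident["principalId"],
            "userName": ident.get("userName"), "account": ident["arn"].split(":")[4]}


def when_and_where(record):
    """Slide 20: time and origin. The trailing Z means UTC, so tzinfo is attached
    explicitly. The access method is a heuristic on userAgent (assumption)."""
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    ua = record.get("userAgent", "")
    if ua.startswith("aws-cli/"):
        method = "AWS CLI"
    elif ua.startswith(("console.", "signin.")):
        method = "Console"
    else:
        method = "SDK or other"
    return {"time_utc": ts.isoformat(), "eventSource": record["eventSource"],
            "eventName": record["eventName"],
            "sourceIPAddress": record.get("sourceIPAddress"), "method": method}


def what_happened(record):
    """Slide 21: request parameters and response elements. The previousState ->
    currentState pair is the evidence that the request actually changed state."""
    items = (record.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
    return [(i["instanceId"], i.get("previousState", {}).get("name"),
             i.get("currentState", {}).get("name")) for i in items]


def is_security_group_change(record):
    """The condition the lab's EventBridge rule watches for (security group edits)."""
    return record["eventSource"] == "ec2.amazonaws.com" and record["eventName"] in SECURITY_GROUP_EVENTS


def summarize(record):
    """One triage line an analyst can paste into an incident ticket."""
    w, o = who(record), when_and_where(record)
    changes = ", ".join(f"{i} {p}->{c}" for i, p, c in what_happened(record))
    return (f"{w['userName']} ({w['type']}) called {o['eventName']} on {o['eventSource']} "
            f"at {o['time_utc']} from {o['sourceIPAddress']} via {o['method']}: {changes}")


if __name__ == "__main__":
    print(summarize(RECORD))
```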


AWS services with built-in logs


In this section, students learn about commonly used AWS services that provide logging as an element of
the service. The examples used are Amazon Simple Storage Service (Amazon S3) access logs, Amazon
Virtual Private Cloud (Amazon VPC) Flow Logs, and Elastic Load Balancing (ELB) access logs. Each of these
built-in log types provides both common information and information that is unique to each service.
Explain to students that the logs generated by these and other services can be used in conjunction with
the CloudTrail and CloudWatch services, giving examples if desired.

Monitor and report


This section focuses on monitoring and reporting with a focus on the CloudWatch service.
Slide 29 (Comparing CloudTrail and CloudWatch) provides a short table that describes what each
service provides and how they differ from one another in what they provide.

Best practices for logging and monitoring


This section discusses general best practices for logging and monitoring, which students can use in their
AWS environments.

Additional AWS services for logging and monitoring


This section provides examples of additional AWS services that are commonly used as part of the logging
and monitoring process. Describe each service and explain where it fits in as part of an organization's
cloud security plan.

Demonstration: Security Hub


Slide 38 prompts you to show a video demonstration about using Security Hub.

Lab: Monitoring and Alerting with CloudTrail and CloudWatch


Before the lab, discuss the lab scenario and the lab tasks with students:
1. Creating a CloudTrail trail with CloudWatch Logs enabled
2. Creating an SNS topic and subscribing to it
3. Creating an EventBridge rule to monitor security groups
4. Creating a CloudWatch alarm based on a metrics filter
5. Querying CloudTrail logs by using CloudWatch Logs Insights
After students complete the lab, debrief the lab by leading the class in a conversation about the key
takeaways from the lab. Debriefing the lab is encouraged. It can help students make connections
between their hands-on experience and the concepts that you discussed in the preceding lecture.

Module wrap-up
Knowledge check
After you present the Module summary slide, ask students to complete the knowledge check.


Sample exam question


Slide 46 (Sample exam question) displays the following question. The keywords have been underlined
for you here:
A system administrator discovers that a user has deleted an Amazon S3 bucket without
authorization, which triggered an incident response. Which AWS service can they use to
determine the identity of the user that committed the incident?
Prompt students to identify the keywords, and then discuss the plausibility of each answer.
Explanations of each answer choice:
• A: CloudWatch can alert you that an anomalous action has taken place, but it does not tell you
the identity of the user who took the action.
• B: AWS Config can give you a record of configurations, but it cannot tell you the identity of the
user who made a change.
• C: CloudTrail can provide a record of actions taken within your environment. CloudTrail logs
include information such as the action type, identity of user, and time and date of the action.
• D: Trusted Advisor can help you to assess the security posture of your AWS environment but
does not alert on anomalous behavior.
Slide 47 (Sample exam question answer) displays the keywords. Click once to reveal the letter of the
correct answer.
The correct answer is C.

Additional resources
This module contains the following resource links:
• AWS CloudTrail
• Logging Requests Using Server Access Logging
• Logging IP Traffic with VPC Flow Logs
• Access Logs for Your Application Load Balancer
• Amazon CloudWatch
• AWS Trusted Advisor
• Amazon EventBridge User Guide
• AWS Security Hub
• AWS Config


Responding to and Managing an Incident


Module timing estimates
Time estimates are as follows:

Content                                                          Estimated duration in minutes
Lecture (total for all slide sections)                           90
Lab: Remediating an Incident by Using AWS Config and Lambda      75
Sample exam question activity                                    5
Knowledge check                                                  20
Total content delivery time                                      190

Module objectives
The purpose of this module is to help you respond to and manage an incident. The module describes the
phases of incident response and the AWS services that support each phase. The module also provides
best practices for handling an incident.
At the end of this module, students should be able to do the following:
• Identify an incident.
• Describe AWS services that are used for incident recognition and remediation.
• Identify best practices for incident response.

Introduction
Slides 5–7 (Bank business scenario) introduce the business scenario that is used throughout the course,
framed within the context of the content that this module covers.

Identifying an incident
This section covers how to identify an incident.
Slide 10 (Incident recognition and response) breaks down incident response as a set of information
security policies and procedures that can be used to identify, contain, and eliminate cyberattacks.
The goal of incident response is to enable an organization to quickly detect and halt attacks, which helps
to minimize damage and prevent future attacks of the same type.
Slide 11 (Recognizing incidents) provides examples of incidents that might not require immediate
analysis and remediation.
Slide 12 (Phase 1: Discovery and recognition) outlines phase 1 of incident response, including incident
identification, logging, and categorization; incident notification and escalation; and investigation and
diagnosis.
Slide 13 (Phase 2: Resolution and recovery) outlines phase 2 of incident response, including forensic
isolation, staging a fix, deploying the fix, and incident closure.


AWS services that support the discovery and recognition phase


In this section, students will learn about AWS services that support the discovery and recognition phase
of incident response.
Slide 16 (Discovery and recognition phase) focuses on AWS services that help an enterprise identify an
attack. Services include AWS Trusted Advisor, Amazon CloudWatch, Amazon Inspector, Amazon
GuardDuty, AWS Shield, and AWS Config.
Slide 17 (AWS Trusted Advisor) outlines how the Trusted Advisor service draws upon best practices
learned from serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS
environment, and then makes recommendations when opportunities exist to improve performance and
help close security gaps.
Slide 18 (Amazon CloudWatch) describes how CloudWatch provides a reliable, scalable, and flexible
monitoring solution that you can start using within minutes. By using this service, you don't need to set
up, manage, and scale your own monitoring systems and infrastructure.
Slide 19 (Amazon Inspector) describes how Amazon Inspector is a vulnerability management service
that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically
discovers and scans Amazon Elastic Compute Cloud (Amazon EC2) instances and container images that
reside in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended
network exposure.
Slide 20 (Amazon GuardDuty) describes how GuardDuty is a continuous security monitoring service. It
can help to identify unexpected and potentially unauthorized or malicious activity in your AWS
environment.
Slide 21 (AWS Shield) describes how Shield helps to protect an enterprise network against a distributed
denial of service (DDoS) attack. A DDoS attack is a malicious attempt to disrupt the normal traffic of a
targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a
flood of internet traffic.
Slide 22 (AWS Config) describes how AWS Config is a continuous monitoring and assessment service
that provides you with an inventory of your AWS resources and records changes to the configuration of
those resources.

AWS services that support the resolution and recovery phase


This section describes AWS services that support the resolution and recovery phase of incident
response.
Slide 26 (Resolution and recovery) describes how AWS offers several different services that help with
resolution and recovery, including AWS Systems Manager, AWS CloudFormation, Amazon Simple
Notification Service (Amazon SNS), AWS Step Functions, and AWS Lambda.
Slide 27 (AWS Systems Manager) describes how Systems Manager gives you visibility and control of
your infrastructure on AWS. Systems Manager provides a unified user interface so you can view
operational data from multiple AWS services and automate operational tasks across your AWS
resources.
Slide 28 (AWS CloudFormation) describes how CloudFormation is a service that helps you model and set
up your AWS resources so that you can spend less time managing those resources and more time
focusing on your applications that run in AWS.


Slide 29 (Amazon Simple Notification Service [Amazon SNS]) describes how Amazon SNS is an event-
driven web service that provides the ability for applications, end users, and devices to instantly send and
receive notifications from the cloud.
Slide 30 (AWS Step Functions) describes how Step Functions is a low-code, visual workflow service that
developers use to build distributed applications, automate IT and business processes, and build data and
machine learning pipelines using AWS services.
Slide 31 (AWS Lambda) describes how Lambda is a serverless, event-driven compute service that provides
the ability to run code on demand without provisioning or managing servers.
Slide 32 (Lambda for incident response) provides an example of an event-driven system for incident
response. In this example, a detective mechanism invokes a responsive mechanism to automatically
remediate an event.
Slide 33 (Working together for incident response) provides an example of how to respond to a
compromised instance by using Step Functions, Lambda, CloudFormation, and Amazon SNS.

Best practices for handling an incident


Slide 36 (Industry best practices for handling incidents) outlines best practices in responding to and
managing an incident.

Lab: Remediating an Incident by Using AWS Config and Lambda


Before the lab, discuss the lab scenario and the lab tasks with students:
1. Examining and updating IAM roles
2. Setting up AWS Config to monitor resources
3. Modifying a security group that AWS Config monitors
4. Creating and running an AWS Config rule that calls a Lambda function
5. Revisiting the security group configuration
6. Using CloudWatch logs for verification
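Step 4 of the lab wires an AWS Config rule to a Lambda function that evaluates and remediates a security group, which is the detective-invokes-responsive pattern of slides 32 and 33. The following is an added example of what such a function can look like; it is not the course lab's code. It assumes the Config custom-rule invocation shape (invokingEvent, ruleParameters, resultToken), the camelCase security group configuration item that AWS Config records, two hypothetical rule parameters (autoRemediate and topicArn), a world-open policy covering ports 22 and 3389, and recording stand-ins for the boto3 clients so that it runs offline.

```python
"""Added example (not the course lab's code): a Lambda function backing an AWS
Config custom rule. It flags a security group that exposes SSH/RDP to the world and,
if rule parameter autoRemediate is "true", revokes the rule and notifies via SNS."""
import json

RISKY_PORTS = {22, 3389}        # assumed policy: never world-reachable
WORLD = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """All CIDRs in one Config-style ipPermissions entry (v4, v6, legacy list)."""
    return ({r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
            | {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
            | set(perm.get("ipRanges", [])))


def find_world_open_rules(configuration):
    """Return ipPermissions entries that open a risky port to 0.0.0.0/0 or ::/0."""
    offenders = []
    for perm in configuration.get("ipPermissions", []):
        if not _cidrs(perm) & WORLD:
            continue
        all_ports = perm.get("ipProtocol") == "-1"                 # "-1" = all protocols
        lo, hi = (0, 65535) if all_ports else (perm.get("fromPort", 0), perm.get("toPort", 65535))
        if any(lo <= p <= hi for p in RISKY_PORTS):
            offenders.append(perm)
    return offenders


def to_revoke_permission(perm):
    """PascalCase IpPermissions entry for RevokeSecurityGroupIngress that keeps
    only the world-open CIDRs, so narrower ranges in the same rule survive."""
    out = {"IpProtocol": perm["ipProtocol"]}
    if perm["ipProtocol"] != "-1":
        out["FromPort"], out["ToPort"] = perm["fromPort"], perm["toPort"]
    open_cidrs = sorted(_cidrs(perm) & WORLD)
    v4 = [{"CidrIp": c} for c in open_cidrs if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in open_cidrs if ":" in c]
    out.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
    return out


def lambda_handler(event, context, config_client=None, ec2_client=None, sns_client=None):
    """Custom-rule entry point; clients are injectable so the logic runs offline."""
    if config_client is None or ec2_client is None:
        import boto3                                 # only needed inside Lambda
        config_client = config_client or boto3.client("config")
        ec2_client = ec2_client or boto3.client("ec2")
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")      # assumed parameter names
    offenders, remediated = [], False
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule evaluates security groups only"
    elif not (offenders := find_world_open_rules(item["configuration"])):
        compliance, note = "COMPLIANT", "No world-open ingress on %s" % sorted(RISKY_PORTS)
    else:
        compliance, note = "NON_COMPLIANT", "World-open ingress on %s" % sorted(RISKY_PORTS)
        if params.get("autoRemediate", "false").lower() == "true":
            ec2_client.revoke_security_group_ingress(
                GroupId=item["resourceId"], IpPermissions=[to_revoke_permission(p) for p in offenders])
            remediated, note = True, note + "; offending rules revoked"
            if sns_client is not None and params.get("topicArn"):
                sns_client.publish(TopicArn=params["topicArn"],
                                   Message="%s: %s" % (item["resourceId"], note))
    config_client.put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance, "Annotation": note[:256],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return {"compliance": compliance, "offenders": len(offenders), "remediated": remediated}


class RecordingClient:
    """Constructed stand-in for a boto3 client: records calls instead of calling AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


OPEN_SSH = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,            # constructed input
            "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]}


def sample_event(ip_permissions=(OPEN_SSH,), auto_remediate="true"):
    """Constructed Config custom-rule invocation for one security group."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": list(ip_permissions)}}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps({"autoRemediate": auto_remediate,
                                          "topicArn": "arn:aws:sns:us-east-1:123456789012:alerts"}),
            "resultToken": "constructed-token"}
```

Offline, `lambda_handler(sample_event(), None, RecordingClient(), RecordingClient())` returns the verdict and the recorded calls show exactly which ingress entry would be revoked. Two points worth raising with students: the execution role from step 1 must allow config:PutEvaluations, ec2:RevokeSecurityGroupIngress and, if notifications are wanted, sns:Publish, and nothing else; and automatic revocation can cut off legitimate access, so the autoRemediate parameter defaults to off and the function only narrows the world-open CIDRs rather than deleting the whole rule. For step 6, any print() call in the handler lands in the function's CloudWatch Logs log group.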
After students complete the lab, debrief the lab by leading the class in a conversation about the key
takeaways from the lab. Debriefing the lab is encouraged. It can help students make connections
between their hands-on experience and the concepts that you discussed in the preceding lecture.

Module wrap-up
Knowledge check
After you present the Module summary slide, ask students to complete the knowledge check.
Sample exam question
Slide 44 (Sample exam question) displays the following question. The keywords to draw out are
"continuous monitoring and assessment service" and "inventory of AWS resources":
An administrator would like to use a continuous monitoring and assessment service that
provides an inventory of AWS resources. Which AWS service would meet their need?
Prompt students to identify the keywords, and then discuss the plausibility of each answer.


Explanations of each answer choice:


• A: Lambda is a serverless, event-driven compute service that lets you run code for virtually any
type of application or backend service without provisioning or managing servers. It does not
monitor your environment.
• B: CloudTrail captures API calls made by or on behalf of your AWS account. The service does not
provide an inventory of AWS resources.
• C: AWS Config maintains an inventory of your AWS resources, continuously records configuration
changes to those resources, sends notifications when changes occur, can invoke an AWS Lambda
function, and integrates with other AWS services to remediate issues. [correct answer]
• D: Fargate is a serverless compute service for containers. The service does not monitor your
environment.
Slide 45 (Sample exam question answer) displays the keywords. Click once to reveal the letter of the
correct answer.
The correct answer is C.

Additional resources
This module contains the following resource links:
• AWS Trusted Advisor
• Amazon CloudWatch User Guide
• Amazon Inspector User Guide
• Amazon GuardDuty User Guide
• AWS Shield
• AWS Config Developer Guide
• AWS Systems Manager User Guide
• AWS CloudFormation User Guide
• Amazon Simple Notification Service Developer Guide
• AWS Step Functions Developer Guide
• AWS Lambda Developer Guide


Bridging to Certification
Module timing estimates
Time estimates are as follows:

Content                                    Estimated duration in minutes
Lecture (total for all slide sections)     40
Total content delivery time                40

Module objectives
The purpose of this module is to familiarize students with resources that can help them prepare for the
AWS Certified Security – Specialty exam.
At the end of this module, students should be able to do the following:
• Identify the next steps to prepare for the AWS Certified Security – Specialty certification.
• Identify where to find resources.

Continuing on the AWS Academy Security learning path


This section covers the main content domains, weightings, and objectives of the AWS Certified Security
– Specialty exam. This section also presents specific resources that students can use to prepare for the
exam.
Emphasize to students that this is an introductory course. To prepare for the certification exam, they
should review AWS whitepapers, read the Exam Guide and sample questions, and complete practice
question sets in AWS Skill Builder. In particular, students should review the AWS Well-Architected
Framework whitepaper and the whitepapers for each framework pillar. Students should also review the
AWS frequently asked questions (FAQs) to broaden their technical understanding. Reinforce the fact
that Specialty-level exams require in-depth experience and extensive study to properly prepare for a
passing score.
Slides 7–11 (Certification exam domain objectives) include the weightings and objectives for each
domain of the exam. The weighting percentages represent only scored content.
Slides 12–13 (Exam readiness resources) list resources that students can use to prepare for the exam
and help assess whether they are ready to take the exam. The Exam Guide provides information about
the competencies that the exam assesses. The Sample Exam Questions demonstrate the format of the
exam questions. Other resources include the AWS Well-Architected Framework, AWS whitepapers and
guides, and AWS FAQs.
Slide 14 (Exam readiness training) provides information about the Exam Readiness: AWS Certified
Security – Specialty training, which is offered in classroom and free digital formats. The slide notes
include links to both training formats.
Slide 15 (AWS Training and Certification portal) introduces students to the AWS Training and
Certification portal, where they can schedule an exam and access their AWS Certification information.


Slide 16 (Official practice question sets) provides a step-by-step guide to access the AWS Certification
official practice question sets, which are free and available through AWS Skill Builder.

AWS documentation and frameworks


This section presents further resources that can help students prepare for the exam. This section
provides information about and links to AWS documentation, the security pillar of the AWS Well-
Architected Framework, security-related AWS training, and additional resources that students can use to
grow their technical skills.

Additional resources
This module contains the following resource links:
• AWS Certified Security – Specialty Exam Guide
• AWS Certified Security – Specialty Sample Exam Questions
• AWS Well-Architected
• AWS Whitepapers and Guides
• AWS FAQs
• Exam Readiness: AWS Certified Security – Specialty (Classroom)
• Exam Readiness: AWS Certified Security – Specialty (Digital)
• AWS Training and Certification portal
• AWS Skill Builder
• AWS Documentation
• Security Pillar: AWS Well-Architected Framework
• AWS Technical Essentials (Classroom)
• AWS Technical Essentials (Digital)
• AWS Security Fundamentals (Digital)
• Getting Started with AWS Security, Identity, and Compliance (Digital)
• Introduction to AWS Identity and Access Management (IAM) (Digital)
• Introduction to Amazon Virtual Private Cloud (VPC) (Digital)
• Securing and Protecting Your Data in Amazon Simple Storage Service (Amazon S3) (Digital)
• AWS Security Governance at Scale (Classroom)
• AWS Security Best Practices: Monitoring and Alerting (Digital)
• AWS Security Training
• Amazon Web Services: Overview of Security Processes
• Best Practices for Security, Identity, & Compliance
• Security Pillar: AWS Well-Architected Framework – Detection
• AWS Key Management Service Best Practices
• An Overview of the AWS Cloud Adoption Framework
• AWS Best Practices for DDoS Resiliency
• Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
• Security & Compliance Quick Reference Guide
