OVERVIEW
Overview & Exam Structure
▼
About This Guide
This practice guide distills 50+ exam-style scenarios into key concept cards organized by SCS-C03 domain. Each card covers the scenario theme, the core AWS concept being tested, a concise explanation, and the AWS services involved.
Use this alongside the main study guide to reinforce your understanding of how concepts appear in exam questions.
SCS-C03 Exam Structure
| Domain | Weight | Focus Areas |
|---|---|---|
| 1. Threat Detection & Incident Response | 14% | GuardDuty, Detective, incident workflows, forensics |
| 2. Security Logging & Monitoring | 18% | CloudTrail, CloudWatch, Config, log analysis |
| 3. Infrastructure Security | 20% | VPC, WAF, Shield, NACLs, Security Groups, firewalls |
| 4. Identity & Access Management | 16% | IAM policies, roles, federation, SCPs, ABAC |
| 5. Data Protection | 32% | KMS, encryption, S3 security, Secrets Manager, ACM |
Exam Strategy
Data Protection is 32% of the exam — spend the most time here. KMS key policies, S3 encryption enforcement, and Secrets Manager rotation are heavily tested.
Questions often test whether you know the correct combination of services, not just individual service features.
How to Use This Guide
- Read the scenario — understand what the question is really asking
- Study the key concept — this is the core knowledge being tested
- Review the explanation — understand why this is the correct approach
- Note the services — build mental maps of which services solve which problems
DOMAIN 1
Threat Detection & Incident Response (14%)
▼
Concept 1.1
GuardDuty C2 Detection + SSM Inventory Response
A security team needs to detect command-and-control (C2) activity on EC2 instances and automatically gather inventory data from potentially compromised instances for investigation.
GuardDuty Finding Types
Automated Response
GuardDuty detects C2 activity through DNS-based and network-based findings (e.g.,
Backdoor:EC2/C&CActivity.B). When a finding fires, use EventBridge to trigger a Lambda function that invokes SSM Inventory collection on the flagged instance, gathering installed packages, running processes, and network connections for forensic analysis.Services: GuardDuty EventBridge Lambda Systems Manager
Concept 1.2
EC2 Incident Response Preparation
An organization wants to ensure that when an EC2 instance is compromised, they can preserve evidence and prevent accidental termination during investigation.
Termination Protection
EBS Snapshots
Instance Metadata
Key IR steps for EC2: 1) Enable termination protection to prevent accidental deletion. 2) Create EBS snapshots of all attached volumes for forensic analysis. 3) Capture instance metadata (security groups, IAM role, VPC info). 4) Isolate the instance by changing its security group to one that denies all traffic. 5) Tag the instance as under investigation. Do NOT stop or terminate the instance as this loses volatile memory data.
Services: EC2 EBS VPC Security Groups
Concept 1.3
GuardDuty Multi-Region + EventBridge Alerting
A company operates in multiple AWS regions and needs centralized threat detection with real-time alerting when high-severity findings are detected.
Multi-Region GuardDuty
EventBridge Cross-Region
GuardDuty must be enabled in every region you operate in — threats can originate from any region. Use a GuardDuty delegated administrator in AWS Organizations for centralized management. Set up EventBridge rules in each region to forward high-severity findings to a central region, then route to SNS for notifications. GuardDuty findings are region-specific; there is no global view without aggregation.
Services: GuardDuty EventBridge SNS AWS Organizations
Concept 1.4
CloudTrail Event History for Compromised Access Keys
An IAM access key has been exposed on a public repository. The security team needs to determine what actions were performed using the compromised key.
CloudTrail Lookup Events
Access Key Remediation
Immediately disable (not delete) the compromised access key to preserve the key ID for investigation. Use CloudTrail Event History or query CloudTrail logs in S3 to filter events by the access key ID. Check for unauthorized API calls, resource creation, or data exfiltration. Review the last 90 days of events in Event History, or use Athena for longer lookback in S3-stored logs. After investigation, delete the key and rotate all credentials for the affected IAM user.
Services: CloudTrail IAM Athena
Concept 1.5
CloudTrail + Athena for Former Employee Investigation
A company suspects a recently terminated employee accessed AWS resources before their credentials were revoked. They need to investigate activity over the past 6 months.
Athena Log Analysis
CloudTrail S3 Logs
CloudTrail Event History only provides the last 90 days via console. For longer investigation periods, query CloudTrail logs stored in S3 using Amazon Athena. Create an Athena table pointing to the CloudTrail S3 bucket, then run SQL queries filtering by the user's IAM ARN or username. This allows searching across months of activity data for specific API calls, accessed resources, and source IPs.
Services: CloudTrail Athena S3
Concept 1.6
EC2 Key Pair Recovery via Volume Detachment
An administrator has lost the SSH key pair for an EC2 instance and needs to regain access without terminating the instance.
EBS Volume Detach/Attach
Authorized Keys
Stop the instance (not terminate). Detach the root EBS volume. Attach it as a secondary volume to another instance. Mount it and modify the
~/.ssh/authorized_keys file to add a new public key. Unmount and detach the volume, reattach it as the root volume of the original instance, and start it. Alternatively, use EC2 Instance Connect or SSM Session Manager which don't require key pairs at all.Services: EC2 EBS SSM Session Manager
Concept 1.7
GuardDuty + Security Hub Integration
A security operations team wants a centralized dashboard showing findings from GuardDuty, Inspector, and Macie with automated compliance checks.
Security Hub Aggregation
ASFF Format
AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools into the AWS Security Finding Format (ASFF). Enable Security Hub in all accounts via Organizations. Findings are normalized and can trigger automated remediation via EventBridge. Security Hub also runs automated security checks against standards like CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices.
Services: Security Hub GuardDuty Inspector Macie
Concept 1.8
Automated Forensic Evidence Collection
When a security incident is detected, the team needs to automatically collect forensic artifacts (memory dumps, disk snapshots, logs) before any manual intervention could alter evidence.
Step Functions Orchestration
Forensic Automation
Use Step Functions to orchestrate an automated forensic workflow triggered by GuardDuty findings via EventBridge. The workflow: 1) Isolate the instance (swap security group). 2) Create EBS snapshots. 3) Capture instance metadata via EC2 API. 4) Enable termination protection. 5) Notify the security team via SNS. 6) Create a forensic timeline in a dedicated S3 bucket. This ensures consistent evidence collection regardless of who is on-call.
Services: Step Functions Lambda EventBridge GuardDuty S3
Concept 1.9
Amazon Detective for Investigation
After receiving a GuardDuty finding, the security analyst needs to investigate the scope of the potential breach by visualizing related entity relationships and activity patterns.
Detective Behavior Graphs
Entity Profiling
Amazon Detective automatically collects log data from VPC Flow Logs, CloudTrail, and GuardDuty findings to build a behavior graph. It uses ML to create visualizations showing resource interactions, API call patterns, and geolocation data. From a GuardDuty finding, you can pivot directly into Detective to see what else the flagged entity (IP, IAM principal, EC2 instance) has done. Detective retains up to 12 months of data for investigation.
Services: Detective GuardDuty CloudTrail VPC Flow Logs
Exam Tips — Domain 1
Isolate, don't terminate: The correct IR response for EC2 is always to isolate (change SG) and snapshot, never terminate.
GuardDuty is regional: It must be enabled per-region. Use Organizations delegated admin for centralized management.
Disable, don't delete compromised access keys — deleting removes the key ID needed for CloudTrail investigation.
Detective vs. GuardDuty: GuardDuty detects threats; Detective investigates them with behavior graphs.
DOMAIN 2
Security Logging & Monitoring (18%)
▼
Concept 2.1
CloudWatch Logs Insights for Forensic Log Analysis
A security team needs to quickly search through millions of log events to find specific patterns related to a suspected breach, such as failed login attempts from unusual IP addresses.
Logs Insights Queries
Log Group Analysis
CloudWatch Logs Insights provides an interactive query language for searching and analyzing log data. Use purpose-built query syntax with commands like
filter, stats, sort, and parse. Example: filter @message like /UnauthorizedAccess/ | stats count(*) by sourceIPAddress. It automatically discovers fields in JSON logs. Queries run against one or more log groups and return results in seconds even over large datasets.Services: CloudWatch Logs CloudWatch Logs Insights
Concept 2.2
API Gateway Access Logging + Logs Insights
An API Gateway is being targeted with suspicious requests. The team needs to enable detailed logging and analyze request patterns to identify the attack source.
API Gateway Access Logs
Execution Logs
API Gateway supports two types of logging: Execution logs (detailed request/response processing, useful for debugging) and Access logs (customizable, who accessed the API, how, and with what result). Enable access logging with a custom log format that includes
$context.identity.sourceIp, $context.requestTime, $context.status. Route logs to CloudWatch and query with Logs Insights to identify suspicious patterns, top callers, and error rates.Services: API Gateway CloudWatch Logs Logs Insights
Concept 2.3
Kinesis for Real-Time Docker Log Forensics
Containers running on ECS are generating security-relevant logs that need to be analyzed in real-time for threat patterns, not just stored for later review.
Kinesis Data Streams
Real-Time Processing
Configure ECS containers to send logs to Kinesis Data Streams using the
awslogs or awsfirelens log driver. Use a Kinesis Data Analytics application or Lambda consumer to process logs in real-time, applying security rules and alerting on suspicious patterns. For archival, use Kinesis Data Firehose to deliver to S3. This architecture provides sub-second detection latency compared to polling-based approaches.Services: Kinesis Data Streams ECS Lambda Kinesis Data Firehose
Concept 2.4
KMS Key Rotation Auditing via CloudTrail
An auditor asks the security team to prove that all KMS customer managed keys have automatic rotation enabled and to show when the last rotation occurred.
KMS Automatic Rotation
CloudTrail KMS Events
Use
aws kms get-key-rotation-status to check if rotation is enabled for each key. CloudTrail logs the RotateKey event when automatic rotation occurs. Automatic rotation generates new key material every year (configurable 90-2560 days) while keeping the same key ID — previously encrypted data doesn't need re-encryption. Use AWS Config rule cmk-backing-key-rotation-enabled for continuous compliance checking. Note: AWS managed keys rotate automatically every year and cannot be configured.Services: KMS CloudTrail AWS Config
Concept 2.5
EventBridge Rules for KMS Key Deletion Monitoring
The company needs to be alerted immediately when anyone schedules a KMS key for deletion, as this could cause data loss or indicate malicious activity.
EventBridge Rules
KMS Key Deletion Protection
Create an EventBridge rule matching CloudTrail's
ScheduleKeyDeletion API event. KMS requires a mandatory waiting period of 7-30 days before deletion, giving time to respond. The EventBridge rule can trigger SNS for immediate notification and Lambda for automated response (e.g., canceling the deletion with CancelKeyDeletion, or alerting the security team). Also monitor DisableKey events as disabled keys can't encrypt/decrypt.Services: EventBridge KMS CloudTrail SNS Lambda
Concept 2.6
AWS Config Managed Rules (restricted-ssh)
The security policy requires that no EC2 security groups allow inbound SSH (port 22) from 0.0.0.0/0. The team needs continuous monitoring and automatic detection of violations.
Config Managed Rules
Compliance Monitoring
Use the AWS Config managed rule
restricted-ssh which checks that security groups don't allow unrestricted SSH access. Config continuously evaluates resources against rules and marks them as COMPLIANT or NON_COMPLIANT. For automated remediation, pair with Config remediation actions using SSM Automation documents to automatically remove the offending inbound rule. Config also provides a compliance timeline showing when resources became non-compliant.Services: AWS Config SSM Automation Security Groups
Concept 2.7
S3 Server Access Logging vs. CloudTrail Data Events
A compliance requirement mandates logging all access to an S3 bucket containing sensitive data. The team needs to choose between S3 server access logging and CloudTrail S3 data events.
S3 Access Logging
CloudTrail Data Events
S3 Server Access Logging: Free, best-effort delivery, logs to another S3 bucket, includes bucket-owner-level detail, can have delays. CloudTrail Data Events: Paid, reliable delivery, logs to CloudTrail/S3, includes IAM identity details, near real-time. For security and compliance, CloudTrail Data Events are preferred because they provide IAM identity info, integrate with EventBridge for alerting, and have guaranteed delivery. S3 access logs are useful for access pattern analysis and are free.
Services: S3 CloudTrail
Concept 2.8
VPC Flow Logs for Network Forensics
A suspected data exfiltration event requires the security team to analyze network traffic patterns from a specific EC2 instance over the past week.
VPC Flow Logs
Network Analysis
VPC Flow Logs capture IP traffic information at the VPC, subnet, or ENI level. They log source/destination IPs, ports, protocol, packet/byte counts, and action (ACCEPT/REJECT). Publish to CloudWatch Logs or S3. For forensic analysis, query with Athena (S3) or Logs Insights (CloudWatch). Custom log format can include additional fields like
vpc-id, tcp-flags, pkt-srcaddr. Note: Flow Logs do NOT capture packet content — use VPC Traffic Mirroring for that.Services: VPC Flow Logs Athena CloudWatch Logs
Concept 2.9
CloudWatch Alarms for Unauthorized API Calls
The CIS AWS Foundations Benchmark requires monitoring for unauthorized API calls, console sign-in failures, and root account usage.
Metric Filters
CIS Benchmarks
Create CloudWatch metric filters on CloudTrail log groups to detect specific patterns: unauthorized API calls (
errorCode = "AccessDenied"), root account usage (userIdentity.type = "Root"), console sign-in failures, IAM policy changes, and VPC changes. Each metric filter feeds a CloudWatch Alarm that triggers SNS notifications. This is a core CIS AWS Foundations Benchmark requirement. Security Hub automates these checks with its CIS standard.Services: CloudWatch CloudTrail SNS Security Hub
Exam Tips — Domain 2
CloudTrail vs. Config: CloudTrail logs who did what (API calls). Config tracks what changed (resource configuration over time).
Real-time = Kinesis: When a question says "real-time" log processing, think Kinesis Data Streams. CloudWatch Logs has near-real-time but not true real-time processing.
Athena for historical: For queries beyond 90 days, always use Athena against CloudTrail S3 logs.
Flow Logs ≠ packet capture: VPC Flow Logs capture metadata only. Use Traffic Mirroring for actual packet content.
DOMAIN 3
Infrastructure Security (20%)
▼
Concept 3.1
WAF Rate-Based Rules for Layer 7 DDoS
A web application behind an ALB is experiencing an HTTP flood attack (Layer 7 DDoS). The team needs to automatically block IP addresses generating excessive requests.
WAF Rate-Based Rules
Layer 7 DDoS Mitigation
AWS WAF rate-based rules automatically block IPs that exceed a specified request threshold within a 5-minute window (minimum: 100 requests). Unlike regular rules, rate-based rules track request counts per IP and automatically add/remove IPs from the block list. Attach the WAF Web ACL to the ALB or CloudFront distribution. For advanced DDoS protection, combine with Shield Advanced which provides 24/7 DDoS response team (DRT) access and cost protection.
Services: WAF ALB CloudFront Shield Advanced
Concept 3.2
CloudFront + OAI/OAC for S3 Access Restriction
A company serves static content from S3 via CloudFront but needs to ensure users cannot bypass CloudFront and access S3 directly.
Origin Access Identity (OAI)
Origin Access Control (OAC)
Use Origin Access Control (OAC) (recommended, replaces OAI) to restrict S3 bucket access to only CloudFront. OAC creates a special identity that CloudFront uses to authenticate with S3. Update the S3 bucket policy to allow
s3:GetObject only from the CloudFront distribution using a condition on AWS:SourceArn. Remove any public access on the bucket. OAC supports SSE-KMS encrypted objects (OAI does not). Block public access via S3 Block Public Access settings.Services: CloudFront S3 OAC/OAI
Concept 3.3
NACL Default Deny Behavior and Statelessness
After creating a new NACL and associating it with a subnet, all traffic to instances in that subnet is being blocked, even though security groups allow the traffic.
NACL Statelessness
Default Deny
A custom NACL has a default rule that denies all inbound and outbound traffic. You must explicitly add allow rules. Unlike security groups, NACLs are stateless — you must create rules for both inbound AND outbound traffic, including ephemeral port ranges (1024-65535) for return traffic. Rules are evaluated in number order (lowest first); the first matching rule is applied. The default VPC NACL allows all traffic, but custom NACLs deny all by default.
Services: VPC NACLs VPC
Concept 3.4
NACL vs Security Groups for IP Blocking
The security team needs to block a specific malicious IP address from accessing any resources in a subnet. They need to decide between NACL and Security Group approaches.
NACL Deny Rules
SG Allow-Only
Use NACLs to block specific IPs because NACLs support deny rules; security groups are allow-only (no explicit deny). Add a NACL inbound rule with a low rule number (e.g., 50) denying traffic from the malicious IP, placed before any allow rules. Security groups cannot block specific IPs — they can only allow specified sources. NACLs apply at the subnet level; security groups apply at the instance ENI level.
| Feature | NACL | Security Group |
|---|---|---|
| Level | Subnet | Instance (ENI) |
| Deny rules | Yes | No (allow only) |
| Statefulness | Stateless | Stateful |
| Rule evaluation | Number order | All rules evaluated |
| Default | Custom: deny all | Deny all inbound, allow all outbound |
Services: VPC NACLs Security Groups
Concept 3.5
VPC Traffic Mirroring for IDS/IPS
A company needs to implement network-based intrusion detection (IDS) by capturing and analyzing actual packet content from EC2 instances.
Traffic Mirroring
Packet Capture
VPC Traffic Mirroring copies network traffic from an ENI (mirror source) to a target (mirror target) for inspection. The target can be an ENI or a Network Load Balancer behind which IDS/IPS appliances run. Use mirror filters to select specific traffic (e.g., only TCP port 443). Traffic Mirroring captures actual packet content, unlike VPC Flow Logs which only capture metadata. Supported on Nitro-based instances. Use for deep packet inspection, threat monitoring, and compliance.
Services: VPC Traffic Mirroring NLB EC2
Concept 3.6
Route Table Isolation for Database Security
Database instances in a private subnet must have no internet access while still being accessible from application servers in another subnet.
Private Subnet Routing
Network Isolation
Place database instances in a private subnet with a route table that has NO route to an Internet Gateway or NAT Gateway. Only include the local VPC route. Application servers in a separate subnet communicate with databases via the local VPC route. For database patching or external connectivity needs, use VPC endpoints (for AWS services) or a VPN connection. This ensures databases cannot reach the internet and internet cannot reach databases, even if security groups were misconfigured.
Services: VPC Route Tables VPC Endpoints
Concept 3.7
Systems Manager Session Manager for Secure Remote Access
The security team wants to eliminate SSH key management and close port 22 on all EC2 instances while still allowing administrators to access instances for troubleshooting.
Session Manager
No Bastion Host Needed
SSM Session Manager provides shell access to EC2 instances without opening inbound ports, managing SSH keys, or running bastion hosts. The SSM agent on the instance initiates an outbound connection to the SSM service. Access is controlled via IAM policies. All session activity is logged to CloudTrail, and session data can be logged to S3 or CloudWatch Logs for audit. Requires the instance to have an IAM role with
AmazonSSMManagedInstanceCore policy and outbound connectivity to SSM endpoints (or VPC endpoint).Services: SSM Session Manager IAM CloudTrail
Concept 3.8
Direct Connect for Hybrid Architecture
A financial institution requires a dedicated, private network connection between their on-premises data center and AWS, bypassing the public internet for regulatory compliance.
Direct Connect
Private Connectivity
AWS Direct Connect provides a dedicated physical connection between on-premises and AWS. Traffic does NOT traverse the public internet, providing consistent network performance and reduced bandwidth costs. For encryption, add a Site-to-Site VPN over Direct Connect (Direct Connect alone is private but not encrypted). Use Direct Connect Gateway to connect to VPCs in multiple regions. A Virtual Private Gateway (VGW) is the VPC-side endpoint. For redundancy, establish connections at two different Direct Connect locations.
Services: Direct Connect VPN VGW Direct Connect Gateway
Concept 3.9
AWS Network Firewall for VPC Traffic Filtering
A company needs stateful packet inspection, intrusion prevention, and domain-based filtering for all traffic entering and leaving their VPCs.
Network Firewall
Stateful Inspection
AWS Network Firewall is a managed service that provides stateful inspection, intrusion prevention (IPS), and web filtering for VPCs. Deploy in a dedicated firewall subnet. It supports Suricata-compatible IPS rules. Key capabilities: domain name filtering (allow/deny lists), protocol detection, and TLS inspection. Route traffic through the firewall using VPC route table entries pointing to the firewall endpoint. Managed by Firewall Manager across multiple accounts in AWS Organizations.
Services: Network Firewall Firewall Manager VPC
Concept 3.10
PrivateLink for Secure Service Access
An application needs to access an AWS service (e.g., S3, KMS) or a third-party SaaS service without traffic leaving the AWS network or traversing the internet.
VPC Endpoints
PrivateLink
Interface endpoints (powered by PrivateLink) create an ENI in your subnet with a private IP, routing traffic to the service privately. Gateway endpoints (S3 and DynamoDB only) add a route to your route table. Use VPC endpoint policies to restrict which actions can be performed through the endpoint (e.g., limit to specific S3 buckets). PrivateLink keeps traffic within the AWS network. Endpoint policies are independent of IAM policies — both must allow the action.
Services: PrivateLink VPC Endpoints S3 KMS
Concept 3.11
Shield Advanced for DDoS Protection
A company running a high-profile e-commerce site needs enterprise-grade DDoS protection with financial protection against scaling costs during attacks.
Shield Advanced
DDoS Cost Protection
Shield Standard is free and automatically protects against common Layer 3/4 DDoS attacks. Shield Advanced ($3,000/month) adds: real-time attack visibility, access to the AWS DDoS Response Team (DRT), cost protection (credits for scaling charges during DDoS attacks), advanced attack mitigation for CloudFront, ALB, NLB, Elastic IP, and Global Accelerator. Shield Advanced also integrates with WAF — WAF fees are included. Health-based detection uses Route 53 health checks for faster response.
Services: Shield Advanced WAF CloudFront Route 53
Exam Tips — Domain 3
Block IPs = NACL: Only NACLs can explicitly deny traffic. Security groups are allow-only.
No SSH keys = Session Manager: When the question mentions eliminating SSH key management or bastion hosts, Session Manager is the answer.
OAC over OAI: For CloudFront + S3, OAC is the modern approach and supports SSE-KMS.
Encryption over Direct Connect: Direct Connect alone is private but NOT encrypted. Add VPN for encryption.
Gateway vs Interface endpoints: Gateway = S3 and DynamoDB only (free). Interface = everything else (paid, uses ENI).
DOMAIN 4
Identity & Access Management (16%)
▼
Concept 4.1
Lambda Execution Roles (Not Access Keys)
A developer hard-codes IAM access keys into a Lambda function to access DynamoDB. The security team needs to remediate this and establish the correct pattern.
Execution Roles
No Hard-Coded Credentials
Lambda functions should never use hard-coded access keys. Instead, assign an IAM execution role to the Lambda function. The Lambda service automatically provides temporary credentials via STS to the function's runtime environment. The execution role's policy should follow least privilege — only grant the specific DynamoDB actions needed (e.g.,
dynamodb:GetItem) on the specific table ARN. Use aws/lambda resource-based policy for invocation permissions.Services: Lambda IAM STS DynamoDB
Concept 4.2
IAM Access Analyzer Policy Generation from CloudTrail
An organization wants to create least-privilege IAM policies based on actual service usage rather than guessing what permissions are needed.
Access Analyzer Policy Generation
Least Privilege
IAM Access Analyzer can generate IAM policies based on access activity logged in CloudTrail. Specify a CloudTrail trail and a time period (up to 90 days). Access Analyzer analyzes the logs to determine which services and actions were actually used, then generates a policy granting only those permissions. Also use Access Analyzer to validate policies against best practices and to find external access — it identifies resources shared with external principals (cross-account, public).
Services: IAM Access Analyzer CloudTrail IAM
Concept 4.3
Cross-Account IAM Roles with Trust Policies
Account A (production) needs to allow an application in Account B (development) to read from an S3 bucket in Account A without sharing long-term credentials.
Cross-Account Roles
Trust Policy
In Account A, create an IAM role with: 1) A trust policy that allows Account B's principal to assume the role (
"Principal": {"AWS": "arn:aws:iam::ACCOUNT-B:root"}). 2) A permissions policy granting S3 read access. In Account B, grant the application's role permission to call sts:AssumeRole on the cross-account role ARN. The application calls AssumeRole to get temporary credentials. This is more secure than sharing access keys and allows fine-grained control with external ID conditions.Services: IAM STS S3
Concept 4.4
Permission Boundaries for Regional Restriction
A company wants to allow developers to create IAM roles but restrict those roles to only work in specific AWS regions (e.g., us-east-1 and eu-west-1).
Permission Boundaries
Delegated Administration
Permission boundaries set the maximum permissions an IAM entity can have. Even if the entity's identity policy grants broader access, the effective permissions are the intersection of the identity policy and the permission boundary. Create a permission boundary policy with a condition:
"aws:RequestedRegion": ["us-east-1", "eu-west-1"]. When developers create roles, require them to attach this permission boundary. The roles they create can never exceed the boundary's permissions, preventing privilege escalation.Services: IAM Permission Boundaries
Concept 4.5
SCP + Permission Boundaries for Delegated Admin
An organization wants to allow team leads to manage IAM in their accounts but prevent them from creating overly permissive roles or removing security guardrails.
Service Control Policies
Defense in Depth
Layer SCPs and permission boundaries for defense in depth. SCPs at the OU level restrict what actions are possible in the account (e.g., deny deleting CloudTrail trails). Permission boundaries restrict what permissions delegated admins can assign to roles they create. SCP denies override everything — even the account root user. Use SCP to: prevent leaving the organization, enforce region restrictions, require encryption. Permission boundaries prevent privilege escalation by delegated admins.
Services: Organizations SCPs IAM Permission Boundaries
Concept 4.6
ABAC with Tags for Secrets Manager
A company with multiple project teams wants to allow each team to manage only their own secrets in Secrets Manager, without creating separate policies per team.
Attribute-Based Access Control
Tag-Based Policies
ABAC uses tags for access control instead of maintaining separate policies per resource. Create a single IAM policy with conditions matching the user's tag to the resource's tag:
"Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}. Tag IAM users and Secrets Manager secrets with a Project tag. New teams or secrets automatically inherit the right permissions based on tags — no policy updates needed. ABAC scales better than RBAC for dynamic environments.Services: IAM Secrets Manager Tags
Concept 4.7
Security Hub Cross-Organization Invitations
A security team managing multiple AWS accounts needs to aggregate security findings across all accounts in their AWS Organization from a central account.
Security Hub Delegated Admin
Multi-Account Aggregation
Designate a delegated administrator account for Security Hub in AWS Organizations. The delegated admin automatically has visibility into all member accounts' findings. Member accounts are added automatically when new accounts join the organization. The admin account can enable security standards and configure automation rules across all accounts. Findings can be aggregated into a single region using cross-region aggregation. Use custom actions to trigger EventBridge rules for automated responses.
Services: Security Hub AWS Organizations EventBridge
Concept 4.8
SAML Federation Certificate Management
A company uses SAML-based federation with an on-premises Active Directory for AWS console access. The SAML certificate is about to expire.
SAML 2.0 Federation
Certificate Rotation
SAML federation uses X.509 certificates to establish trust between the IdP and AWS. When the certificate expires, federation breaks. To rotate: 1) Generate a new certificate on the IdP. 2) Upload the new metadata XML to the AWS IAM SAML provider (
update-saml-provider). 3) The SAML provider in IAM can hold multiple certificates during rotation. 4) Update the IdP to use the new certificate. AWS supports SAML 2.0 for both console access (via federation endpoint) and API access (via AssumeRoleWithSAML).Services: IAM STS SAML 2.0
Concept 4.9
IAM Policy Evaluation Logic
A developer has an IAM policy that explicitly allows S3 access, but an SCP denies it. They can't understand why their S3 operations fail.
Explicit Deny Wins
Policy Evaluation Order
IAM policy evaluation follows a strict order: 1) Explicit deny in any policy = DENY (always). 2) SCP must allow (Organization level). 3) Resource-based policy can independently grant access. 4) Permission boundary must allow. 5) Session policy must allow. 6) Identity policy must allow. If any of these is missing an explicit allow (and it's not the resource-based policy), the result is an implicit deny. An explicit deny at ANY level overrides all allows. SCPs affect all principals in the account including root (but don't affect service-linked roles).
Services: IAM Organizations SCPs
Concept 4.10
Cognito User Pool Security Features
A web application needs user authentication with MFA, password policies, and protection against compromised credentials, without building a custom auth system.
Cognito User Pools
Advanced Security
Cognito User Pools provide managed user authentication with built-in security features: adaptive authentication (risk-based MFA challenges), compromised credentials detection (checks passwords against known breaches), custom password policies, and account takeover protection. User Pools handle sign-up, sign-in, and token management (JWT). Identity Pools (separate service) exchange tokens for temporary AWS credentials. For API access control, use a Cognito authorizer on API Gateway to validate JWT tokens.
Services: Cognito User Pools Cognito Identity Pools API Gateway
Exam Tips — Domain 4
Never hard-code keys: If a question mentions embedded credentials, the answer involves IAM roles (execution roles, instance profiles, task roles).
Explicit deny always wins: In any policy evaluation question, look for explicit denies first — they override everything.
ABAC = tags, RBAC = policies: When scaling access control for many teams/projects, ABAC with tags scales better.
Permission boundary ≠ permissions: Boundaries set the maximum; the user still needs identity-based policies to grant actual access.
DOMAIN 5
Data Protection (32%)
▼
Concept 5.1
KMS Key Policy Conditions (kms:ViaService)
An organization wants to ensure a KMS key can only be used for S3 encryption — not by any other AWS service or direct API calls.
kms:ViaService Condition
Key Policy Restrictions
The
kms:ViaService condition key restricts KMS key usage to requests that come from a specific AWS service. Example: "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}. This means the key can ONLY be used when S3 makes the encryption/decryption call on behalf of the user. Direct kms:Encrypt or kms:Decrypt API calls will be denied. Useful for enforcing that keys are only used for their intended purpose.Services: KMS S3
Concept 5.2
SSE-KMS for S3 Bucket Policy Enforcement
A security policy mandates that all objects uploaded to a specific S3 bucket must be encrypted with a specific KMS key. Unencrypted uploads must be denied.
S3 Bucket Policy Encryption
Default Encryption
Two mechanisms: 1) Bucket policy deny: Add a condition that denies
PutObject if the s3:x-amz-server-side-encryption header is not aws:kms or if s3:x-amz-server-side-encryption-aws-kms-key-id doesn't match the required key ARN. 2) Default encryption: Set the bucket's default encryption to SSE-KMS with the specific key. Note: default encryption applies only when the request doesn't specify encryption — the bucket policy deny is needed to enforce it. Both together provide defense in depth.Services: S3 KMS
Concept 5.3
S3 Object Lock: Compliance Mode vs. Governance Mode
A healthcare company must store medical records in S3 with WORM (Write Once Read Many) compliance for regulatory requirements. Records must be immutable for 7 years.
Object Lock Modes
WORM Storage
S3 Object Lock provides WORM storage with two retention modes:
| Feature | Governance Mode | Compliance Mode |
|---|---|---|
| Override possible? | Yes, with s3:BypassGovernanceRetention | No one, not even root |
| Retention can be shortened? | Yes, with permission | No, never |
| Use case | Testing, soft protection | Regulatory compliance (HIPAA, SEC) |
| Delete during retention? | With permission | Impossible |
For regulatory WORM requirements, use Compliance Mode. A Legal Hold can be added independently of retention period — it prevents deletion until removed, regardless of retention settings. Object Lock must be enabled at bucket creation time (requires versioning).
Services: S3 Object Lock S3 Versioning
Concept 5.4
RDS Encryption at Rest (Snapshot-Restore Approach)
An unencrypted RDS database needs to be encrypted at rest to meet compliance requirements. Encryption cannot be enabled on an existing unencrypted instance.
Snapshot-Copy-Restore
RDS Encryption
You cannot enable encryption on an existing unencrypted RDS instance directly. The process: 1) Create a snapshot of the unencrypted DB instance. 2) Copy the snapshot, enabling encryption with a KMS key during the copy. 3) Restore a new DB instance from the encrypted snapshot. 4) Update your application's connection string to point to the new instance. 5) Delete the old unencrypted instance and snapshot. All data, logs, snapshots, and read replicas of an encrypted instance are also encrypted.
Services: RDS KMS
Concept 5.5
Cross-Account EBS Encryption with KMS
An EBS snapshot encrypted with a KMS key in Account A needs to be shared with Account B so they can create volumes from it.
KMS Key Sharing
Cross-Account Snapshots
To share an encrypted EBS snapshot cross-account: 1) The KMS key policy must grant Account B permission to use the key (
kms:DescribeKey, kms:CreateGrant, kms:ReEncrypt*, kms:Decrypt). 2) Share the snapshot with Account B via ModifySnapshotAttribute. 3) In Account B, copy the snapshot re-encrypting with a KMS key owned by Account B. 4) Create volumes from the re-encrypted snapshot. Note: AWS managed keys (aws/ebs) cannot be shared cross-account — only customer managed keys (CMKs).Services: EBS KMS EC2
Concept 5.6
Secrets Manager Automatic Rotation for RDS
A company needs to automatically rotate database credentials for an RDS MySQL instance every 30 days without application downtime.
Secrets Manager Rotation
Lambda Rotation Function
Secrets Manager can natively rotate credentials for RDS, Redshift, and DocumentDB using built-in Lambda rotation functions. Configure a rotation schedule (e.g., every 30 days). The rotation uses a multi-user strategy: creates a clone of the original user with a new password, then swaps which one is "current." This avoids downtime as the old credentials remain valid until the next rotation. The application retrieves the current secret via
GetSecretValue API, which always returns the current version. Secrets are encrypted with KMS.Services: Secrets Manager Lambda RDS KMS
Concept 5.7
ACM Certificates with CloudFront (us-east-1 Requirement)
A company needs to configure HTTPS on a CloudFront distribution using a custom domain name and an ACM certificate.
ACM Region Requirement
CloudFront SSL/TLS
For CloudFront, ACM certificates must be issued in us-east-1 (N. Virginia), regardless of where your other resources are located. This is because CloudFront is a global service that uses us-east-1 as its control plane. For ALB, certificates must be in the same region as the ALB. ACM provides free public certificates with automatic renewal. Use DNS validation (recommended) or email validation to prove domain ownership. ACM certificates cannot be exported — they're managed entirely by AWS.
Services: ACM CloudFront Route 53
Concept 5.8
Secrets Manager + ECS Task Roles
Containers running on ECS Fargate need to securely access database credentials stored in Secrets Manager at startup, without embedding secrets in container images or environment variables.
ECS Task Roles
Secret Injection
ECS supports native Secrets Manager integration in task definitions. Reference a secret ARN in the task definition's
secrets section, and ECS injects the secret value as an environment variable at container startup. The ECS task execution role needs secretsmanager:GetSecretValue and KMS kms:Decrypt permissions. The task role (different from execution role) grants the container's runtime permissions. Never store secrets in container images, Dockerfiles, or task definition environment variables in plaintext.Services: ECS Secrets Manager IAM KMS
Concept 5.9
S3 Lifecycle + DynamoDB TTL for PII Cleanup
A GDPR-compliant application stores personal data in S3 and DynamoDB. Data must be automatically deleted after the retention period expires.
S3 Lifecycle Rules
DynamoDB TTL
For S3: Create lifecycle rules that transition objects to cheaper storage classes and then expire (delete) them after the retention period. Use prefix or tag filters to target PII objects specifically. For DynamoDB: Enable Time to Live (TTL) on a timestamp attribute. DynamoDB automatically deletes items when their TTL timestamp is in the past. TTL deletions don't consume write capacity units. Both mechanisms provide automated, cost-effective data cleanup for compliance. Combine with S3 Object Lock for retention enforcement.
Services: S3 DynamoDB
Concept 5.10
KMS CMK Troubleshooting (Key State, Permissions)
An application suddenly can't decrypt data, returning KMS errors. The security team needs to diagnose whether it's a key state issue, permission problem, or key deletion.
KMS Key States
KMS Troubleshooting
KMS key states: Enabled (normal use), Disabled (can't use, re-enable anytime), Pending Deletion (7-30 day waiting period, can cancel), Pending Import (imported key material expected), Unavailable (custom key store disconnected). Common issues: 1) Key is disabled or pending deletion. 2) Key policy doesn't grant the caller access. 3) Missing KMS grants. 4) IAM policy doesn't allow
kms:Decrypt. 5) Key is in a different region than the resource. Check CloudTrail for KMS API errors to identify the exact cause.Services: KMS CloudTrail IAM
Concept 5.11
CloudHSM vs. KMS for Key Management
A financial institution must store encryption keys in a FIPS 140-2 Level 3 validated hardware security module with full customer control over key material.
CloudHSM
FIPS 140-2 Level 3
| Feature | KMS | CloudHSM |
|---|---|---|
| FIPS validation | Level 2 (some Level 3) | Level 3 |
| Key control | Shared (AWS manages HSM) | Full customer control |
| Multi-tenant | Yes | Single-tenant (dedicated HSM) |
| Pricing | Per-request | Per-hour per HSM |
| Integration | Native with all AWS services | Custom via PKCS#11, JCE, OpenSSL |
| HA | Built-in | Must deploy across AZs |
Use CloudHSM when regulations require FIPS 140-2 Level 3, single-tenant HSM, or full customer control of key material. CloudHSM can also integrate with KMS via custom key stores, letting you use CloudHSM-backed keys with AWS services that integrate with KMS.
Services: CloudHSM KMS
Concept 5.12
S3 Bucket Encryption Default Settings
A security audit reveals some S3 buckets don't have default encryption configured. The team needs to ensure all current and future objects are encrypted.
S3 Default Encryption
SSE-S3 vs SSE-KMS
S3 now encrypts all new objects by default with SSE-S3 (AES-256). However, organizations may require SSE-KMS for audit trail (CloudTrail logs KMS usage) and key control. Configure default encryption on each bucket specifying SSE-KMS and the key. To enforce encryption type, add a bucket policy denying
PutObject without the correct encryption header. Use AWS Config rule s3-bucket-server-side-encryption-enabled to monitor compliance. SSE-C (customer-provided keys) requires the customer to manage key material and provide it with every request.Services: S3 KMS AWS Config
Concept 5.13
Macie for PII Discovery in S3
A company needs to automatically discover and classify sensitive data (PII, financial data, credentials) stored across hundreds of S3 buckets.
Macie Data Discovery
Sensitive Data Classification
Amazon Macie uses machine learning and pattern matching to discover and classify sensitive data in S3. It automatically identifies PII (names, addresses, SSNs), financial data (credit card numbers), and credentials (API keys, private keys). Create sensitive data discovery jobs that scan buckets on a schedule. Macie generates findings that integrate with Security Hub and EventBridge. It also provides a bucket inventory showing encryption status, public access, and shared access across all your S3 buckets.
Services: Macie S3 Security Hub
Exam Tips — Domain 5
ACM + CloudFront = us-east-1: This is the most commonly tested ACM fact. Always us-east-1 for CloudFront certificates.
Can't encrypt existing RDS: Snapshot → Copy (encrypt) → Restore is the only path.
Compliance Mode = immutable: No one, not even root, can delete objects in Compliance Mode. Governance Mode can be overridden.
AWS managed keys can't be shared: For cross-account encryption, you must use customer managed keys (CMKs).
kms:ViaService: Locks a key to a specific service — prevents direct API use.
Secrets Manager vs. Parameter Store: Secrets Manager has built-in rotation. Parameter Store is simpler and cheaper but requires custom Lambda for rotation.
REFERENCE
Key Services Cheatsheet
▼
Threat Detection Services
| Service | What It Does | Key Fact |
|---|---|---|
| GuardDuty | Threat detection from CloudTrail, VPC Flow Logs, DNS | Regional; must enable per-region |
| Detective | Investigate findings with behavior graphs | 12-month data retention |
| Security Hub | Aggregates findings, compliance checks | Uses ASFF format; delegated admin |
| Inspector | Vulnerability scanning for EC2/ECR/Lambda | Agentless for ECR; SSM agent for EC2 |
| Macie | PII discovery in S3 | ML-based classification |
Logging & Monitoring Services
| Service | What It Does | Key Fact |
|---|---|---|
| CloudTrail | API call logging | 90 days in Event History; S3 for longer |
| CloudWatch Logs | Log aggregation and analysis | Logs Insights for queries |
| AWS Config | Resource configuration tracking | Managed rules for compliance |
| VPC Flow Logs | Network traffic metadata | No packet content; metadata only |
| EventBridge | Event routing and automation | Near real-time; pattern matching |
Infrastructure Security Services
| Service | What It Does | Key Fact |
|---|---|---|
| WAF | Layer 7 web application firewall | Rate-based rules for DDoS |
| Shield Standard | Free Layer 3/4 DDoS protection | Automatic, always-on |
| Shield Advanced | Enhanced DDoS + DRT + cost protection | $3,000/month; includes WAF |
| Network Firewall | VPC stateful inspection, IPS | Suricata-compatible rules |
| Firewall Manager | Centralized firewall rule management | Requires Organizations + Config |
Identity & Access Services
| Service | What It Does | Key Fact |
|---|---|---|
| IAM | Users, roles, policies, groups | Explicit deny always wins |
| STS | Temporary credentials | AssumeRole for cross-account |
| Organizations + SCPs | Multi-account management, guardrails | SCPs affect all users including root |
| IAM Access Analyzer | External access detection, policy generation | Uses CloudTrail for policy generation |
| Cognito | User authentication for apps | User Pools = auth; Identity Pools = AWS creds |
Data Protection Services
| Service | What It Does | Key Fact |
|---|---|---|
| KMS | Key management, encryption | FIPS 140-2 Level 2; kms:ViaService condition |
| CloudHSM | Dedicated HSM, full key control | FIPS 140-2 Level 3; single-tenant |
| ACM | SSL/TLS certificate management | CloudFront = us-east-1 only |
| Secrets Manager | Secret storage with rotation | Native RDS rotation; encrypted with KMS |
| S3 Object Lock | WORM storage | Compliance mode = no one can delete |
Common Service Comparisons
Secrets Manager vs. Systems Manager Parameter Store
| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Built-in rotation | Yes (native RDS) | No (custom Lambda) |
| Cost | $0.40/secret/month | Standard: Free |
| Cross-account | Yes (resource policy) | No |
| Max size | 64 KB | 8 KB (standard) / 8 KB (advanced) |
NACL vs. Security Group
| Feature | NACL | Security Group |
|---|---|---|
| Level | Subnet | Instance ENI |
| State | Stateless | Stateful |
| Deny rules | Yes | No |
| Rule order | Numbered (lowest first) | All evaluated |
| IP blocking | Yes | No |
S3 Object Lock: Governance vs. Compliance
| Feature | Governance Mode | Compliance Mode |
|---|---|---|
| Override | With s3:BypassGovernanceRetention | No one |
| Root can delete? | With permission | No |
| Shorten retention? | Yes | No |
| Use case | Testing, internal policy | Regulatory (HIPAA, SEC 17a-4) |
KMS Key Types
| Type | Management | Cross-Account | Rotation |
|---|---|---|---|
| AWS Owned | AWS (invisible) | N/A | Varies |
| AWS Managed | AWS (visible) | No | Every year (automatic) |
| Customer Managed | Customer | Yes | Configurable (90-2560 days) |
Final Exam Reminders
Read carefully: Exam questions often have 2-3 plausible answers. Look for the one that is MOST secure, LEAST operational overhead, or MOST cost-effective based on what the question asks.
Service combinations: Many correct answers involve 2-3 services working together. Understand how services integrate.
Eliminate distractors: If an option suggests a manual process when an automated AWS service exists, it's usually wrong.
Region awareness: Many services are regional. Know which ones are global (IAM, CloudFront, Route 53, WAF for CloudFront).