Pre-Test Takeaways - GlobeSec.ai

Core Themes

T1 "Use the Native Feature"

▼

AWS almost always has a built-in solution. Don't build pipelines when a checkbox exists.

Session Manager → built-in S3 logging (not CloudWatch → Firehose → S3)
AMI sharing → built-in launch permissions (not RAM, not copy)
Nitro v3 → built-in hardware encryption (not ALB, not Network Firewall)

Exam pattern: When you see "least operational overhead" or "minimum effort," pick the option with the fewest moving parts.

T2 "The Caller Pays" (Permission Responsibility)

▼

Permissions are always checked against the entity making the call, not the service in the middle.

EC2 instance role  →  calls SSM API  →  SSM calls KMS
                                               ↑
                                         KMS checks EC2 role
                                         (not SSM service role)

This is why reading a SecureString requires kms:Decrypt on the EC2 instance role, not on SSM. The same pattern applies to:

Lambda reading encrypted S3 objects → Lambda role needs kms:Decrypt
ECS task reading Secrets Manager → Task role needs both permissions
Any service reading encrypted data → the caller needs decrypt

T3 "Two-Key Access" (Read + Decrypt)

▼

Encrypted data always requires two permissions. One to reach the data, one to unlock it.

Scenario	Permission 1 (Read)	Permission 2 (Decrypt)
SSM SecureString	`ssm:GetParameter`	`kms:Decrypt`
S3 object (KMS)	`s3:GetObject`	`kms:Decrypt`
Secrets Manager	`secretsmanager:GetSecretValue`	`kms:Decrypt`
DynamoDB (KMS)	`dynamodb:GetItem`	`kms:Decrypt`

If either is missing → Access Denied.

T4 "Delegation, Not Centralization"

▼

Keep the management account clean. Delegate service administration to member accounts.

Delegated administrator → member account manages Config, GuardDuty, Security Hub across org
Management account → billing only
StackSets execution role → lives in target accounts, not the admin account

The management account should touch as little as possible. The exam loves testing whether you know that delegation exists.

T5 "Error Messages Tell You the Problem Category"

▼

Don't just know what's right — know how to diagnose from the error.

Error Message	Category	Look For
"Access Denied"	Permissions	IAM role, SCP, KMS key policy
"Already Exists"	Naming conflict	Duplicate resource name
"UnauthorizedOperation"	Missing IAM permission	Check caller's policies
"Throttling"	Rate limit	Too many API calls

In Q3, "Access Denied" + "some accounts fail" = execution role permissions. If the error said "already exists," the answer would have been naming conflict.

T6 "Scope Matters" (Individual vs. Package vs. Standard)

▼

AWS has different tools for different scopes. Know which tool matches which scope.

Scope	Tool
One Config rule across org	`put-organization-config-rule`
Package of Config rules across org	`put-organization-conformance-pack`
Predefined security standards	AWS Security Hub
Custom remediation + rules	Conformance pack with remediation actions

The exam tests whether you read "as a package" or "individual rule" — one word changes the answer.

T7 "Hardware vs. Software Security"

▼

When AWS offers hardware-level security, it's usually the answer for "no overhead" questions.

Feature	Level	Overhead
Nitro v3 encryption	Hardware	Zero
TLS certificates (ACM)	Software	Low
Network Firewall TLS inspection	Software	High
Custom encryption in app code	Application	Highest

Tools & Services Reference

AWS Systems Manager (SSM)

A remote control for all your servers

Component	Purpose
Session Manager	SSH-like access to EC2 without opening port 22. Logs all commands.
Parameter Store	Key-value store for config data and secrets. Free tier available.
Patch Manager	Automated OS patching across fleets.
Automation	Runbooks for common tasks (restart instance, create AMI).
Run Command	Execute commands on multiple instances at once.

Parameter Store Types:

String — plain text (e.g., database hostname)
StringList — comma-separated values
SecureString — encrypted with KMS (e.g., passwords, API keys)

Parameter Store vs. Secrets Manager:

	Parameter Store	Secrets Manager
Cost	Free (standard)	$0.40/secret/month
Auto-rotation	No	Yes (built-in Lambda rotation)
Cross-account	No	Yes (resource policy)
Best for	Config values, non-rotating secrets	Database creds, rotating secrets

AWS KMS (Key Management Service)

Create, manage, and use encryption keys — the backbone of all AWS encryption

Key Types:

Type	Who Manages	Example
AWS-managed key	AWS creates & rotates	`aws/ssm`, `aws/s3`, `aws/ebs`
Customer-managed key (CMK)	You create, you control policy	Custom key for cross-account sharing
AWS-owned key	AWS uses internally	You never see these

Critical KMS Actions:

Action	What It Does
`kms:Encrypt`	Encrypt data with a key
`kms:Decrypt`	Decrypt data (needed to READ encrypted resources)
`kms:GenerateDataKey`	Create a data key for envelope encryption
`kms:CreateGrant`	Delegate key usage to another principal
`kms:DescribeKey`	View key metadata

AWS CloudFormation StackSets

Deploy stacks across multiple accounts and regions in a single operation

Management Account                    Target Accounts
┌─────────────────────┐               ┌──────────────────────┐
│ Admin Role           │──assumes──▶  │ Execution Role        │
│ (orchestrates)       │               │ (creates resources)   │
│                      │               │                       │
│ Stack Set Template   │               │ Stack Instance        │
│ (what to deploy)     │               │ (actual resources)    │
└─────────────────────┘               └──────────────────────┘

Mode	Execution Role	Best For
Service-managed	AWS auto-creates roles via Organizations	Org-wide deployments
Self-managed	You manually create roles in each account	Specific account targeting

When StackSets fail in some accounts: Check the execution role in the failed accounts — it likely has missing permissions.

AWS Config

Continuously monitors and records resource configuration — "Is this resource compliant?"

Component	Purpose
Config Rules	Evaluate if a resource is compliant (e.g., "are all S3 buckets encrypted?")
Conformance Pack	A package of multiple Config rules + remediation actions deployed together
Config Recorder	Records configuration changes to resources
Aggregator	Collects Config data across multiple accounts/regions into one view

Config vs. CloudTrail:

	AWS Config	CloudTrail
Answers	"What does this resource look like?"	"Who did what and when?"
Tracks	Resource configuration state	API calls
Example	"Is this S3 bucket public?"	"Who made the bucket public at 3pm?"

AWS Organizations

Centrally manage and govern multiple AWS accounts

Component	Purpose
Management Account	Root account, pays the bills, creates the org
Member Accounts	Workload accounts grouped in OUs
OUs	Hierarchical grouping of accounts
SCPs	Guardrails — restrict maximum permissions
Delegated Administrator	Member account that manages a service for the org

Management Account (billing only)
    ├── Security Account (delegated admin)
    │       ├── Manages: Config, GuardDuty, Security Hub
    │       ├── Manages: Macie, Inspector, Access Analyzer
    │       └── Manages: Firewall Manager
    ├── Log Archive Account
    │       └── Central S3 bucket for CloudTrail logs
    └── Workload Accounts (Dev, Staging, Production)

SCPs — What They Do and Don't Do:

SCPs CAN	SCPs CANNOT
Restrict/deny actions	Grant permissions
Set maximum permission boundary	Override the management account
Apply to all users/roles in member accounts	Apply to service-linked roles

Amazon EC2 Nitro System

Hardware platform that modern EC2 instances run on

Version	Instances	Auto-Encryption
Nitro v1	C5, M5, R5	No
Nitro v2	C5n, M5n	No
Nitro v3+	C6i, M6i, R6i, C7g, M7g	Yes — automatic

What Nitro v3 encrypts: All traffic between Nitro v3+ instances in the same VPC. Hardware-level AEAD with 256-bit keys. Zero configuration, zero performance overhead, always on.

AMI (Amazon Machine Image)

Template containing OS + applications used to launch EC2 instances

Method	What It Does
Launch Permissions	Share AMI with specific account IDs (same region)
Copy	Copy AMI to another region (within YOUR account)
Public	Make AMI available to everyone (not recommended)

NOT shared via: RAM, IAM roles, S3 bucket policies.
If encrypted with custom KMS key: Share BOTH the AMI permissions AND the KMS key policy.

Exam Trigger Words → Answers

When You See This...	The Answer Is...
"Share AMI with other accounts"	Modify AMI launch permissions
"Log session commands to S3"	Session Manager S3 logging in preferences
"StackSets fails in some accounts"	Execution role permissions in failed accounts
"Non-management account manages org service"	Delegated administrator
"Deploy Config rules as a package"	Organization conformance pack
"EC2 reads SecureString"	Instance role needs `ssm:GetParameter` + `kms:Decrypt`
"Automatic encryption, no overhead, between EC2s"	Nitro v3+ instances
"Least operational overhead"	Native/built-in feature, fewest services
"Access Denied" error	Permissions issue (IAM role, SCP, or KMS)
"Some accounts fail, others succeed"	Per-account config issue (roles, permissions)

Quick Decision Tree

Need to share an AMI?
  → Modify launch permissions

Need to encrypt traffic between EC2s?
  → Nitro v3+ (automatic, no overhead)

Need to read encrypted parameter?
  → Caller needs: read permission + kms:Decrypt

Need to deploy Config rules as a package?
  → Organization conformance pack

Need non-management account to manage org services?
  → Register delegated administrator

Need to log Session Manager commands?
  → Enable S3 logging in Session Manager preferences

Need to figure out why StackSets failed in some accounts?
  → Check execution role permissions in failed accounts