Learn Domain 3: Infrastructure Security (AWS SCS-C02) with Interactive Flashcards
VPC Security (Security Groups, NACLs)
VPC Security is a fundamental component of AWS infrastructure security, primarily managed through Security Groups and Network Access Control Lists (NACLs). These two mechanisms work together to provide layered defense for resources within a Virtual Private Cloud (VPC).
**Security Groups** act as virtual firewalls at the instance level (ENI level). Key characteristics include:
- **Stateful**: Return traffic is automatically allowed regardless of outbound rules. If you allow inbound traffic on port 443, the response is automatically permitted.
- **Allow-only rules**: You can only specify allow rules; there are no explicit deny rules.
- **Default behavior**: All inbound traffic is denied by default, and all outbound traffic is allowed by default.
- **Rule evaluation**: All rules are evaluated before deciding whether to allow traffic.
- **Chaining**: Security groups can reference other security groups, enabling flexible, identity-based access control.
**Network ACLs (NACLs)** operate at the subnet level and provide an additional layer of security. Key characteristics include:
- **Stateless**: Return traffic must be explicitly allowed through outbound rules. You must configure ephemeral port ranges for response traffic.
- **Allow and deny rules**: Both allow and deny rules can be specified, enabling explicit blocking of specific IPs or ranges.
- **Default behavior**: The default NACL allows all inbound and outbound traffic. Custom NACLs deny all traffic by default.
- **Rule evaluation**: Rules are evaluated in numerical order (lowest first), and processing stops at the first match.
- **Subnet association**: Each subnet must be associated with exactly one NACL.
**Defense in Depth Strategy**: For the SCS-C02 exam, understanding the layered approach is critical. Security Groups provide instance-level protection while NACLs add subnet-level control. Best practices include using Security Groups as the primary defense mechanism and NACLs for broad subnet-level blocking (e.g., denying known malicious IP ranges). Together, they form a robust multi-layered security architecture essential for protecting AWS workloads.
AWS Network Firewall
AWS Network Firewall is a managed, stateful network firewall and intrusion detection/prevention service designed to protect Amazon VPC environments. It is a critical component within Domain 3 (Infrastructure Security) of the AWS Certified Security – Specialty (SCS-C02) exam.
**Key Features:**
1. **Stateful and Stateless Inspection:** AWS Network Firewall supports both stateless rule groups (operating on individual packets based on source/destination IP, port, and protocol) and stateful rule groups (which track connection states and can inspect traffic at the application layer).
2. **Intrusion Prevention System (IPS):** It provides signature-based detection using Suricata-compatible IPS rules, enabling detection and blocking of known threats, malware, and exploits.
3. **Deep Packet Inspection:** The firewall can inspect traffic payloads, including TLS-encrypted traffic through TLS inspection capabilities, allowing visibility into encrypted communications.
4. **Domain Filtering:** You can create allow or deny lists based on domain names, enabling outbound traffic filtering to restrict access to specific websites or services.
5. **Integration with AWS Services:** Network Firewall integrates with AWS Firewall Manager for centralized policy management across multiple accounts and VPCs. It also sends logs to Amazon S3, CloudWatch Logs, and Kinesis Data Firehose for monitoring and analysis.
**Architecture:**
Network Firewall is deployed within a dedicated firewall subnet in your VPC. Traffic is routed through the firewall endpoint using VPC route table modifications. It operates transparently and scales automatically to handle traffic demands.
**Deployment Patterns:**
- Centralized deployment using AWS Transit Gateway for inspecting traffic across multiple VPCs
- Distributed deployment within individual VPCs
- Combined ingress/egress filtering
**Security Exam Relevance:**
For SCS-C02, understanding when to use Network Firewall versus Security Groups, NACLs, or AWS WAF is essential. Network Firewall fills the gap for advanced Layer 3-7 filtering, IPS capabilities, and protocol-level inspection that simpler controls cannot provide. It is ideal for compliance-driven environments requiring deep traffic inspection and centralized network security enforcement.
AWS Systems Manager
AWS Systems Manager (SSM) is a comprehensive management service that provides visibility and control over your AWS infrastructure. In the context of the AWS Certified Security – Specialty (SCS-C02) exam and Domain 3: Infrastructure Security, it plays a critical role in maintaining secure and compliant infrastructure.
**Key Security Features:**
1. **Session Manager**: Provides secure, auditable shell access to EC2 instances without opening inbound ports, eliminating the need for SSH keys or bastion hosts. Session API calls (such as StartSession) are recorded in CloudTrail, and session activity can be logged to S3 and CloudWatch Logs.
2. **Patch Manager**: Automates the process of patching managed instances with security-related updates. You can define patch baselines, maintenance windows, and compliance rules to ensure systems remain up-to-date.
3. **Parameter Store**: Securely stores configuration data, secrets, and passwords. It integrates with AWS KMS for encryption and supports hierarchical storage with fine-grained IAM access controls.
4. **Inventory**: Collects metadata about instances, installed applications, network configurations, and more, enabling compliance auditing and drift detection.
5. **State Manager**: Ensures instances maintain a defined configuration state, automatically remediating configuration drift.
6. **Run Command**: Executes commands remotely across multiple instances without SSH access, with full audit logging.
7. **Compliance**: Provides a dashboard showing patch compliance and configuration consistency across your fleet.
**Security Architecture Considerations:**
- SSM Agent communicates outbound to Systems Manager endpoints, eliminating inbound port requirements.
- Instances require an IAM instance profile with appropriate SSM permissions (AmazonSSMManagedInstanceCore).
- VPC Endpoints (PrivateLink) can be configured for SSM to keep traffic within the AWS network.
- All API calls are logged in CloudTrail for auditing.
**Integration Points:**
Systems Manager integrates with AWS Config, CloudWatch, EventBridge, and AWS Organizations for centralized security management across multiple accounts.
For the SCS-C02 exam, understanding how Systems Manager eliminates direct instance access, enforces patching compliance, manages secrets securely, and maintains infrastructure configuration is essential for infrastructure security questions.
Amazon Inspector
Amazon Inspector is an automated security assessment service offered by AWS that helps improve the security and compliance of applications and workloads deployed on AWS. It is a critical service within Domain 3: Infrastructure Security of the AWS Certified Security – Specialty (SCS-C02) exam.
Amazon Inspector continuously scans AWS workloads for software vulnerabilities and unintended network exposure. It automatically discovers and scans running Amazon EC2 instances, container images stored in Amazon ECR, and AWS Lambda functions for known vulnerabilities and network reachability issues.
Key features of Amazon Inspector include:
1. **Automated Discovery and Scanning**: Inspector automatically detects eligible resources and begins scanning them without manual configuration. It uses an SSM (Systems Manager) agent for EC2 assessments.
2. **Vulnerability Management**: It leverages the Common Vulnerabilities and Exposures (CVE) database to identify software vulnerabilities, providing detailed findings with severity ratings and remediation guidance.
3. **Network Reachability Analysis**: Inspector evaluates network configurations to identify unintended network exposure, such as open ports accessible from the internet.
4. **Risk Scoring**: Each finding includes an Inspector risk score that contextualizes vulnerabilities based on factors like network accessibility and exploitability, going beyond standard CVSS scores.
5. **Integration with AWS Services**: Inspector integrates with AWS Security Hub for centralized security findings, Amazon EventBridge for automated workflows, and AWS Organizations for multi-account management.
6. **Continuous Monitoring**: Unlike one-time assessments, Inspector provides continuous scanning, automatically re-scanning resources when new CVEs are published or when changes occur in the environment.
7. **Software Bill of Materials (SBOM)**: Inspector can export SBOMs for monitored resources, supporting compliance and supply chain security requirements.
For the SCS-C02 exam, understanding Inspector's role in vulnerability management, its integration points, the difference between network and host assessments, and how it supports a defense-in-depth strategy is essential. It plays a vital role in maintaining a strong security posture across AWS infrastructure.
AWS Certificate Manager (ACM)
AWS Certificate Manager (ACM) is a fully managed service that simplifies the provisioning, management, and deployment of SSL/TLS certificates for use with AWS services and internal resources. In the context of the AWS Certified Security – Specialty (SCS-C02) exam, ACM is a critical component of infrastructure security under Domain 3.
**Key Features:**
1. **Certificate Provisioning:** ACM allows you to request public SSL/TLS certificates at no cost for AWS-integrated services. It also supports importing third-party certificates and issuing private certificates through ACM Private Certificate Authority (PCA).
2. **Automated Renewal:** ACM automatically renews certificates it manages before expiration, eliminating the risk of service outages due to expired certificates. This is a significant security advantage.
3. **Integration with AWS Services:** ACM integrates seamlessly with services like Elastic Load Balancer (ELB), Amazon CloudFront, API Gateway, and Elastic Beanstalk, enabling encrypted communications across your infrastructure.
4. **Private Certificate Authority:** ACM PCA enables organizations to create a private CA hierarchy for internal resources, issuing private certificates for mutual TLS authentication, IoT devices, and microservices communication.
5. **Domain Validation:** ACM supports DNS validation and email validation to prove domain ownership. DNS validation is preferred as it enables automatic renewal.
**Security Considerations:**
- ACM stores private keys securely using AWS KMS and never allows them to be exported for ACM-issued certificates.
- Certificate transparency logging is enabled by default for public certificates.
- IAM policies and resource-based policies control access to ACM operations.
- ACM certificates are regional, except when used with CloudFront (which requires us-east-1).
**Best Practices:**
- Use DNS validation for automated certificate lifecycle management.
- Implement least-privilege IAM policies for certificate management.
- Monitor certificate expiration using Amazon CloudWatch and AWS Config rules.
- Use ACM PCA for internal PKI infrastructure rather than self-signed certificates.
ACM plays a vital role in ensuring encrypted data in transit, which is fundamental to maintaining a robust security posture across AWS infrastructure.
CloudFront Security
Amazon CloudFront is AWS's Content Delivery Network (CDN) service that plays a critical role in infrastructure security. Here's a comprehensive overview of CloudFront Security:
**Origin Security:**
CloudFront supports Origin Access Control (OAC) and legacy Origin Access Identity (OAI) to restrict direct access to S3 bucket origins. For custom origins, you can use custom headers, SSL/TLS certificates, and security groups to ensure only CloudFront can reach your backend.
**Encryption in Transit:**
CloudFront can enforce HTTPS between viewers and edge locations (Viewer Protocol Policy) and between edge locations and origins (Origin Protocol Policy). You can configure policies such as 'Redirect HTTP to HTTPS' or 'HTTPS Only'. CloudFront supports TLS 1.2/1.3 and allows custom SSL/TLS certificates via AWS Certificate Manager (ACM).
**Access Controls:**
CloudFront supports signed URLs and signed cookies for restricting access to private content. These use trusted key groups or trusted signers with RSA key pairs to control who can access your distributions.
**AWS WAF Integration:**
CloudFront natively integrates with AWS WAF, enabling you to create Web ACLs with rules to block SQL injection, XSS, rate-based attacks, geo-restrictions, and IP-based filtering at the edge.
**DDoS Protection:**
CloudFront is automatically protected by AWS Shield Standard, providing protection against common Layer 3/4 DDoS attacks. AWS Shield Advanced can be added for enhanced protection with 24/7 access to the AWS DDoS Response Team (DRT).
**Field-Level Encryption:**
CloudFront supports field-level encryption, allowing sensitive data fields to be encrypted at edge locations using asymmetric encryption, ensuring only authorized applications can decrypt the data.
**Security Policies:**
Security policies define minimum TLS protocol versions and cipher suites for HTTPS connections. You can choose policies like TLSv1.2_2021 for stronger security.
**Geo-Restriction:**
CloudFront enables geographic restrictions using allowlists or denylists to control content access by country.
**Logging and Monitoring:**
CloudFront provides standard and real-time logs, integrates with CloudWatch metrics, and supports CloudTrail for API-level auditing.