This domain covers 16% of the exam. It focuses on designing and implementing security controls for edge services, network infrastructure (VPCs, Security Groups, NACLs), and compute resources.
Domain 3: Infrastructure Security is a critical component of the AWS Certified Security – Specialty (SCS-C02) exam, typically accounting for approximately 26% of the total exam content. This domain focuses on designing, implementing, and troubleshooting security controls for edge services, networks, and compute workloads within AWS environments.
**Key areas covered include:**
1. **Edge Security:** This involves configuring services like Amazon CloudFront, AWS WAF (Web Application Firewall), and AWS Shield to protect against DDoS attacks, SQL injection, cross-site scripting, and other web-based threats. Understanding how to implement SSL/TLS termination, geo-restriction, and origin access controls is essential.
2. **Network Security:** Candidates must understand VPC architecture, including security groups, network ACLs, VPC Flow Logs, and subnet design (public vs. private). Knowledge of VPC peering, Transit Gateway, VPN connections, AWS Direct Connect, and PrivateLink is crucial. Implementing network segmentation and microsegmentation strategies to limit blast radius is also tested.
3. **Compute Security:** This covers securing EC2 instances, Lambda functions, containers (ECS/EKS), and Elastic Beanstalk environments. Topics include hardening AMIs, managing key pairs, enforcing Instance Metadata Service version 2 (IMDSv2) on instances, and using Systems Manager for patch management.
4. **Hybrid and Multi-Account Architectures:** Understanding how to secure connectivity between on-premises environments and AWS, including VPN tunnels and Direct Connect with encryption, is important.
5. **Centralized Security Management:** This involves using AWS Firewall Manager, AWS Network Firewall, and AWS Organizations to enforce consistent security policies across multiple accounts and regions.
6. **Troubleshooting:** Candidates should be able to diagnose connectivity issues, analyze VPC Flow Logs, and resolve security group or NACL misconfigurations.
The domain emphasizes defense-in-depth strategies, applying multiple layers of security controls at the edge, network, and host levels. Understanding how these services integrate with monitoring tools like CloudWatch, CloudTrail, and GuardDuty for comprehensive threat detection is also expected.