AWS Certified Security Specialty SCS-C02

100 Terms

1

AWS KMS

A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

2

AWS Shield Advanced

A paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks.

3

Amazon GuardDuty

A service that provides intelligent threat detection for your AWS infrastructure and resources. It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.

4

Amazon Detective

A service that collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

5

AWS Managed CMK

A CMK that is created and managed by AWS services integrated with KMS.

6

AWS Security Hub

A service that provides a comprehensive view of your security posture within AWS as well as your compliance with security industry standards and best practices.

7

Tokenization

A process that converts highly sensitive data such as credit card numbers or health care data into a token.

8

Nitro Enclaves

Which Amazon EC2 feature allows customers to run a tokenization process that securely converts highly sensitive data such as credit card numbers or health care data?

9

CloudTrail log file validation

Which CloudTrail feature can you enable to protect your CloudTrail logs from tampering and from unauthorized access?

10

Network Access Analyzer

A feature that identifies unintended network access to your resources on AWS.

11

AWS Audit Manager

A service that helps you to continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards.

12

Amazon Inspector

Which service can you use to automate the detection of common vulnerabilities and exposures (CVE), software vulnerabilities and unintended network exposure by continually scanning your Amazon EC2 instances, AWS Lambda functions, and container workloads?

13

IAM Access Analyzer

Generates IAM policies based on access activity in your AWS CloudTrail logs and identifies resources shared with an external entity.

14

AWS Cost Anomaly Detection

Helps you detect and receive alerts on abnormal or sudden spending increases in your AWS account.

15

FullAWSAccess

An SCP named ________ is attached by default to every organization root, OU, and account in AWS Organizations, and it allows all actions and all services.

16

AWS IAM Identity Center

A service that allows you to securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.

17

S3 Object Lock

A feature in Amazon S3 that allows you to store objects using a write-once-read-many (WORM) model.

18

Retention Period

A type of S3 Object Lock where the lock has a fixed period of time.

19

Legal Hold

A type of S3 Object Lock where the lock remains in place until you explicitly remove it.

20

Origin Access Control

A CloudFront feature that allows customers to easily secure their S3 origins by permitting only designated CloudFront distributions to access their S3 buckets using short-term credentials.

21

AWS Command Line Interface

It is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.

22

AWS Software Development Kits (SDKs)

It is a set of platform-specific building tools for developers. You require components like debuggers, compilers, and libraries to create code that runs on a specific platform, operating system, or programming language.

23

AWS Management Console

It is a web application that comprises and refers to a broad collection of service consoles for managing AWS resources.

24

AWS CloudTrail

An AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account.

25

Amazon CloudWatch

A service that monitors applications, responds to performance changes, optimizes resource use, and provides insights into operational health.

26

AWS Config

Provides a detailed view of the configuration of AWS resources in your AWS account.

27

AWS Organizations

An account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

28

AWS Systems Manager

The operations hub for your AWS applications and resources and a secure end-to-end management solution for hybrid and multicloud environments that enables secure operations at scale.

29

AWS Trusted Advisor

An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.

30

Amazon VPC

A virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud.

31

Security groups

It controls the traffic that is allowed to reach and leave the resources that it is associated with.

32

AWS Certificate Manager (ACM)

Handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.

33

AWS Directory Service

It provides multiple directory choices for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)-aware applications in the cloud.

34

AWS Firewall Manager

A security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.

35

AWS Identity and Access Management (IAM)

You can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS.

36

AWS Network Firewall

A stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you create in Amazon Virtual Private Cloud (Amazon VPC).

37

AWS WAF

A web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources.

38

AWS Well-Architected Tool

A tool designed to help you review the state of your applications and workloads against architectural best practices, identify opportunities for improvement, and track progress over time.

39

AWS Well-Architected Framework

Describes key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.

40

AWS Resource Access Manager (AWS RAM)

Helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types.

41

AWS Service Catalog

Lets you centrally manage your cloud resources to achieve governance at scale of your infrastructure as code (IaC) templates, written in CloudFormation or Terraform configurations.

42

AWS CloudFormation template

You can create templates for the service or application architectures you want and have AWS CloudFormation use those templates for quick and reliable provisioning of the services or applications (called "stacks").

43

AWS Config Aggregators

A resource type in AWS Config that collects AWS Config data from multiple source accounts and Regions.

44

AWS Control Tower

Offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices.

45

Amazon Cognito

It is a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS credentials.

46

Lambda@Edge

An extension of AWS Lambda that lets you deploy Python and Node.js functions at Amazon CloudFront edge locations.

47

CloudFront distribution

A web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users.

48

EBS volume

You can use it as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application.

49

Kinesis Data Streams

You can use it to collect and process large streams of data records in real time.

50

Service control policies (SCPs)

A type of organization policy that you can use to manage permissions in your organization.

51

permissions boundary

An advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

52

S3 Block Public Access feature

Provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources.

53

Amazon CloudWatch agent

A software package that autonomously and continuously runs on your servers.

54

EventBridge Scheduler

A serverless scheduler that allows you to create, run, and manage tasks from one central, managed service.

55

AWS CloudHSM

A cryptographic service for creating and maintaining hardware security modules (HSMs) in your AWS environment.

56

AWS Systems Manager Parameter Store

Provides secure, hierarchical storage for configuration data management and secrets management.

57

Client-side encryption

The act of encrypting data before sending it to Amazon S3.

58

Requester Pays feature

The requester instead of the bucket owner pays the cost of the request and the data download from the bucket. The bucket owner always pays the cost of storing data.

59

IAM DB Authentication

You don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

60

authentication token

A unique string of characters that Amazon RDS generates on request.

61

Server-Side Encryption

The encryption of data at its destination by the application or service that receives it.

62

Amazon CloudFront

A web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users.

63

Elastic Load Balancers

Automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.

64

AWS IoT Device Defender

A security service that allows you to audit the configuration of your devices, monitor connected devices to detect abnormal behavior, and mitigate security risks.

65

AWS IoT Core

Supports device connections that use the MQTT (Message Queuing Telemetry Transport) protocol and MQTT over WSS protocol and that are identified by a client ID.

66

AWS Config rules

Evaluate the configuration settings of your AWS resources. A rule can run when AWS Config detects a configuration change to an AWS resource or at a periodic frequency that you choose (for example, every 24 hours).

67

Amazon Kinesis Data Firehose

It is an extract, transform, and load (ETL) service that reliably captures, transforms, and delivers streaming data to data lakes, data stores, and analytics services.

68

AWS Security Token Service (STS)

The service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.

69

Security headers

A group of headers in the HTTP response from a server that tell your browser how to behave when handling your site's content.

70

Enable Multi-Factor Authentication (MFA).

A multi-step account login process that requires users to enter more information than just a password.

71

One-way: outgoing

Users in this domain will not be able to access any resources in the specified realm.

72

Amazon S3 Glacier vault

It can have one resource-based vault access policy and one Vault Lock policy attached to it.

73

AWS Direct Connect

A cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

74

Vault Lock policy

A vault access policy that you can lock.

75

Amazon DynamoDB Encryption

A software library that helps you protect your table data before you send it to Amazon DynamoDB.

76

Amazon Simple Notification Service (Amazon SNS)

A managed service that provides message delivery from publishers to subscribers (also known as producers and consumers).

77

Instance metadata

The data about your instance that you can use to configure or manage the running instance.

78

Network Access Control Lists (ACLs)

Allows or denies specific inbound or outbound traffic at the subnet level.

79

CloudTrail event history

Provides a viewable, searchable, and downloadable record of the past 90 days of CloudTrail events.

80

IAM roles

An IAM identity that you can create in your account that has specific permissions.

81

Bucket policies and user policies

These are the two access policy options available for granting permission to your Amazon S3 resources. Both use JSON-based access policy language.

82

Amazon OpenSearch Service

A popular open-source search and analytics engine that provides a quick time to value and is well supported by a vibrant open-source community.

83

Amazon Kinesis Data Streams

Enables real-time processing of streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications.

84

Amazon S3

Provides a highly durable storage infrastructure designed for mission-critical and primary data storage.

85

Amazon Cognito Identity Pool

Provides temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token.

86

Amazon QuickSight

A cloud-scale business intelligence (BI) service that you can use to deliver easy-to-understand insights to the people who you work with, wherever they are.

87

Amazon Athena

An interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.

88

AssumeRole

An application calls the AWS STS API operation and passes the ARN of the role to use. The operation creates a new session with temporary credentials.

89

Amazon Cognito user pool

A user directory for web and mobile app authentication and authorization.

90

Amazon S3 default encryption

Provides a way to set the default encryption behavior for an Amazon S3 bucket.

91

subscription filter

Delivers every logged activity made by "Root" AWS credentials to a stream in Kinesis Data Streams called "RootAccess."

92

ViewBilling

Allow or deny IAM users permission to view billing pages in the console.

93

Amazon ECS

A fully managed container orchestration service that helps you easily deploy, manage, and scale containerized applications.

94

GenerateDataKeyWithoutPlaintext

This operation returns a data key that is encrypted under a KMS key that you specify.

95

Network Load Balancer

It functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second.

96

GetCredentialReport

Retrieves a credential report for the AWS account.

97

Write-only

Logs API operations that modify (or might modify) your resources. For example, the Amazon EC2 RunInstances and TerminateInstances API operations modify your instances.

98

VPC endpoints

Enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink.

99

Organizational unit (OU)

You can use it to group accounts together to administer as a single unit. This greatly simplifies the management of your accounts.

100

Security Hub Insights

Pre-built or customizable views in AWS Security Hub that aggregate security findings, enabling the identification and prioritization of potential security risks and compliance issues across AWS accounts.