AWS Certified Security - Specialty (SCS-C03) Domain 1

Detection

Official Exam Guide: Domain 1: Detection

Skill Builder: AWS Certified Security - Specialty Exam Prep

---

Domain Overview

Domain 1 (16%) focuses on designing and implementing monitoring/alerting solutions, logging solutions, and troubleshooting security monitoring.

---

Task 1.1: Design and implement monitoring and alerting solutions

Key Skills:

• Analyze workloads to determine monitoring requirements
• Design workload monitoring strategies (resource health checks)
• Aggregate security and monitoring events
• Create metrics, alerts, dashboards for anomaly detection
• Automate regular assessments and investigations

Essential Documentation:

• Amazon GuardDuty User Guide
• Amazon Security Lake User Guide
• AWS Security Hub User Guide
• Amazon Macie User Guide
• AWS Config Developer Guide
• Systems Manager State Manager

---

Task 1.2: Design and implement logging solutions

Key Skills:

• Identify log ingestion and storage sources
• Configure logging for AWS services and applications
• Implement log storage and data lakes (Security Lake)
• Analyze logs using AWS services
• Normalize, parse, and correlate logs
• Configure appropriate log sources based on threats

Essential Documentation:

• AWS CloudTrail User Guide
• Amazon CloudWatch Logs User Guide
• CloudWatch Logs Insights
• Amazon Athena User Guide
• VPC Flow Logs
• Transit Gateway Flow Logs
• Route 53 Resolver Query Logs

---

Task 1.3: Troubleshoot security monitoring, logging, and alerting

Key Skills:

• Analyze functionality, permissions, and configuration of resources
• Remediate misconfiguration (CloudWatch Agent, missing logs)

Essential Documentation:

• Lambda Function Logging
• API Gateway Logging
• CloudFront Logging
• CloudWatch Agent Installation

---

AWS Service FAQs

• Amazon GuardDuty FAQs
• AWS Security Hub FAQs
• Amazon Macie FAQs
• AWS CloudTrail FAQs

---

Study Tips

1. Master threat detection services - GuardDuty for threats, Macie for sensitive data, Security Hub for centralized findings, Inspector for vulnerabilities.

2. Learn log aggregation - Security Lake for OCSF format, CloudWatch Logs for centralization, Athena for querying S3 logs, OpenSearch for analysis.

3. Understand CloudTrail thoroughly - Organization trails, event selectors, data events, management events, S3 data events, Lambda data events.

4. Practice monitoring design - Which logs to enable (VPC Flow Logs, CloudTrail, ALB logs, CloudFront logs), retention policies, cost optimization.

5. Study Config rules - Conformance packs, auto-remediation, aggregators for multi-account, custom rules with Lambda.

---

Note: This is Domain 1 of 6, representing 16% of exam content.