AWS Certified Security - Specialty (SCS-C03) Domain 2
Incident Response
Official Exam Guide: Domain 2: Incident Response
Skill Builder: AWS Certified Security - Specialty Exam Prep
Domain Overview
Domain 2 (14%) focuses on designing and testing incident response plans, and responding to security events.
Task 2.1: Design and test an incident response plan
Key Skills:
- Design response plans and runbooks
- Configure services for incident preparedness
- Test and validate incident response effectiveness
- Automate incident remediation
Essential Documentation:
- Systems Manager OpsCenter
- AWS Shield Advanced Developer Guide
- AWS Fault Injection Service
- AWS Resilience Hub
- AWS Step Functions Developer Guide
- Application Recovery Controller
Task 2.2: Respond to security events
Key Skills:
- Capture and store forensic artifacts
- Search and correlate logs across services
- Validate findings and assess impact
- Contain, eradicate threats, and recover resources
- Conduct root cause analysis
Essential Documentation:
- Amazon Detective Administration Guide
- Creating EBS Snapshots
- Instance Isolation and Termination
- AWS Backup Developer Guide
AWS Service FAQs
Study Tips
- Master incident response workflow - Prepare → Detect → Analyze → Contain → Eradicate → Recover → Post-incident analysis.
- Learn forensics preservation - EBS snapshots for forensic analysis, memory dumps, isolate compromised instances, preserve logs.
- Understand automated remediation - Systems Manager Automation, Step Functions for orchestration, Lambda for custom actions, EventBridge triggers.
- Practice with Detective - Visualize security findings, investigate GuardDuty findings, analyze VPC Flow Logs, trace relationships.
- Study DDoS response - Shield Advanced protections, AWS DDoS Response Team (DRT) engagement, WAF rate limiting, CloudFront distributions.
Note: This is Domain 2 of 6, representing 14% of exam content.