AWS Certified Security - Specialty (SCS-C03) Domain 3

Infrastructure Security

Official Exam Guide: Domain 3: Infrastructure Security

Skill Builder: AWS Certified Security - Specialty Exam Prep

---

Domain Overview

Domain 3 (18%) focuses on network edge security, compute workload security, and network security controls.

---

Task 3.1: Design and implement security controls for network edge services

Key Skills:

• Define edge security strategies
• Implement network edge protection (CloudFront, WAF, Shield)
• Design AWS edge controls (geography, rate limiting, fingerprinting)
• Configure integrations with third-party services

Essential Documentation:

• Amazon CloudFront Developer Guide
• AWS WAF Developer Guide
• AWS Managed Rules for WAF
• AWS Shield Developer Guide

---

Task 3.2: Design and implement security controls for compute workloads

Key Skills:

• Design hardened AMIs and container images
• Apply instance profiles, service roles, execution roles
• Scan compute resources for vulnerabilities
• Deploy patches and maintain compliance
• Configure secure administrative access
• Discover and remediate vulnerabilities in pipelines
• Implement GenAI protections (OWASP Top 10 for LLMs)

Essential Documentation:

• EC2 Image Builder User Guide
• Amazon Inspector User Guide
• Systems Manager Patch Manager
• Systems Manager Session Manager
• EC2 Instance Connect
• Amazon CodeGuru Security

---

Task 3.3: Design and troubleshoot network security controls

Key Skills:

• Design network controls (security groups, NACLs, Network Firewall)
• Design secure hybrid/multi-cloud connectivity
• Configure security for hybrid communication
• Design network segmentation
• Identify unnecessary network access

Essential Documentation:

• VPC Security Groups
• Network ACLs
• AWS Network Firewall
• AWS Site-to-Site VPN
• AWS Direct Connect
• AWS Verified Access
• VPC Network Access Analyzer

---

AWS Service FAQs

• AWS WAF FAQs
• Amazon Inspector FAQs
• AWS Network Firewall FAQs
• Amazon CloudFront FAQs

---

Study Tips

1. Master WAF rules - AWS Managed Rules, rate-based rules, geo-blocking, bot control, OWASP Top 10 protections, custom rules.

2. Learn Inspector thoroughly - Container image scanning (ECR), Lambda function scanning, EC2 network reachability, software vulnerabilities (CVE).

3. Understand network segmentation - Public/private subnets, NACLs for subnet-level control, security groups for instance-level, Network Firewall for stateful inspection.

4. Practice patch management - Patch Manager baselines, maintenance windows, patch groups, compliance reporting, automated patching.

5. Study Session Manager - Secure shell access without SSH, audit trails in CloudTrail, port forwarding, run commands across fleet.

---

Note: This is Domain 3 of 6, representing 18% of exam content.