AWS Certified Security - Specialty (SCS-C03) Domain 5

Data Protection

Official Exam Guide: Domain 5: Data Protection

Skill Builder: AWS Certified Security - Specialty Exam Prep

---

Domain Overview

Domain 5 (18%) focuses on data in transit protection, data at rest protection, and protecting confidential data/secrets/keys.

---

Task 5.1: Design and implement controls for data in transit

Key Skills:

• Require encryption when connecting to resources
• Design secure and private access mechanisms
• Configure inter-resource encryption in transit

Essential Documentation:

• HTTPS Listeners for Application Load Balancers
• SSL/TLS Certificates for Load Balancers
• AWS PrivateLink
• VPC Interface Endpoints
• AWS Client VPN
• EMR Encryption Options

---

Task 5.2: Design and implement controls for data at rest

Key Skills:

• Design data encryption at rest based on requirements
• Configure mechanisms to protect data integrity
• Design lifecycle management and retention solutions
• Configure secure data replication and backup

Essential Documentation:

• AWS KMS Developer Guide
• AWS CloudHSM User Guide
• Protecting Data Using Encryption
• S3 Object Lock
• S3 Glacier Vault Lock
• S3 Versioning
• AWS Backup Developer Guide
• AWS DataSync User Guide

---

Task 5.3: Design and implement controls for confidential data, credentials, secrets, and keys

Key Skills:

• Design credential and secret rotation
• Manage imported key material
• Understand differences between imported and AWS-generated keys
• Mask sensitive data
• Manage encryption keys and certificates

Essential Documentation:

• AWS Secrets Manager User Guide
• Importing Key Material in KMS
• External Key Stores
• CloudWatch Logs Data Protection
• AWS Certificate Manager User Guide
• AWS Private Certificate Authority

---

AWS Service FAQs

• AWS KMS FAQs
• AWS CloudHSM FAQs
• AWS Secrets Manager FAQs
• AWS Certificate Manager FAQs

---

Study Tips

1. Master KMS thoroughly - Customer managed keys, AWS managed keys, key policies, grants, encryption context, key rotation, multi-Region keys.

2. Learn encryption patterns - Server-side encryption (SSE-S3, SSE-KMS, SSE-C), client-side encryption, envelope encryption, key hierarchy.

3. Understand S3 encryption - Default encryption, bucket policies to enforce encryption, S3 Object Lock (WORM), Glacier Vault Lock.

4. Practice secrets management - Secrets Manager automatic rotation, RDS/Redshift integration, Parameter Store (standard vs advanced), rotation Lambda.

5. Study certificate management - ACM for public certificates, Private CA for internal PKI, certificate renewal, certificate validation methods (DNS, email).

---

Note: This is Domain 5 of 6, representing 18% of exam content.