MyCertStack logoMyCertStack

    AWS - Security Specialty Study Guide

    1: Threat Detection and Incident Response

    This chapter builds the detection and incident-response foundation that the AWS Certified Security - Specialty exam treats as the highest-weighted operational domain. It walks through the AWS incident-response framework, stakeholder routing, isolation playbooks, forensic capture, log-source selection across CloudTrail and CloudWatch, and the finding workflows of GuardDuty, Security Hub, Inspector, Macie, Detective, and Config.

    Learning Objectives

    By the end of this chapter, you will be able to:

    • Apply AWS best practices for incident response, including notification routing through Amazon SNS and Amazon EventBridge.
    • Identify and prioritize incident-response stakeholders and execute compromised-resource isolation with AWS Systems Manager Automation, AWS Lambda, security groups, and network ACLs.
    • Identify, contain, and recover from compromised compute and identity incidents, including forensic capture of Amazon EBS volume snapshots and Amazon EC2 memory dumps.
    • Select the right log source (AWS CloudTrail, Amazon CloudWatch, VPC Flow Logs, Route 53 Resolver query logs, service-specific logs) for forensics and root-cause analysis, and remediate vulnerabilities with AWS Systems Manager Patch Manager and config management.
    • Evaluate AWS service configurations that support the full incident-response lifecycle, and capture instance metadata, memory, snapshots, and log files in a forensically sound manner.
    • Evaluate findings produced by Amazon GuardDuty, AWS Security Hub, Amazon Inspector, AWS Config, Amazon Macie, Amazon Detective, and IAM Access Analyzer.
    • Detect threats with log analysis and cross-service event correlation using CloudWatch Logs Insights, Amazon Athena, Amazon OpenSearch Service, and Amazon Security Lake.
    • Select AWS-managed services that investigate and remediate identified incidents and threats, including Detective, Incident Manager, and the EventBridge plus Lambda plus SSM automation chain.

    Executive Summary

    • Detection on AWS is a layered control surface. GuardDuty provides continuous threat detection from VPC Flow Logs, DNS, and CloudTrail. Inspector adds vulnerability and CVE scanning. Macie classifies S3 data. Detective reconstructs the attack graph. Security Hub aggregates findings and runs security standards.
    • The AWS-published incident-response lifecycle phases are Prepare, Operate (Detect, Analyze, Contain, Eradicate, Recover), and Post-incident activity. Each phase maps to concrete AWS-native controls and automation hooks.
    • Notification routing is event-driven. EventBridge rules carry findings, CloudWatch alarm state changes, AWS Config compliance shifts, and Security Hub events to targets such as SNS, Lambda, Step Functions, and Systems Manager Incident Manager.
    • Isolation of a compromised resource is a careful sequence: quarantine the network (replace security groups with a deny-only group, add a NACL deny entry), preserve evidence (snapshot the EBS volumes, capture memory through SSM, record metadata), then disable IAM principals and revoke active STS sessions.
    • Log selection follows the data class. API mutations come from CloudTrail. Network flow patterns come from VPC Flow Logs. DNS queries come from Route 53 Resolver query logs. Operating-system and application telemetry come from the CloudWatch agent. Centralization, integrity, and retention belong in S3 with Object Lock and Security Lake normalization.

    Assumptions

    • The reader already understands AWS account structure, AWS Organizations, IAM principals, KMS encryption envelopes, and basic VPC networking at practitioner depth.
    • Region scope is global except where a service is single-Region by design. Findings, snapshots, and KMS keys are Region-scoped unless multi-Region keys or cross-Region replication are explicitly configured.
    • Terminology follows official AWS service naming. "CloudWatch Events" is referenced under its current name, Amazon EventBridge. "AWS Single Sign-On" is referenced as AWS IAM Identity Center.

    Sections in this chapter

    1. Free
    2. Free with account
    3. Free with account
    4. Free with account
    5. Free with account
    6. Free with account
    7. Free with account
    8. Free with account
    9. Free with account