Finally, it’s here!
SCS-C01. I registered last night; it is only $150 – which is much better than the usual $300 for each of the other two Specialty Exams. This beta exam will only be available from January 15th to March 2nd – so I scheduled mine when… ? Feb 28th. I’ll be compiling a resource list for anyone else who wants to do this exam.
Ok, now the nitty gritty, what resources are needed?
Official Exam Guide
First, here is the pdf of the AWS Exam Guide for the BETA SCS-C01
Now, here is my resource collection:
I can start by telling you I’ve already purchased the
AWS Certified Security – Specialty Course from acloud.guru
It’s the course from the original BETA exam that came out (early 2017?), but it covers all the fundamentals and the guys at acloud.guru update their content regularly when it comes to Exam courses. I believe the cost on this is $60. Outstanding value!
UPDATE from acloud.guru Founder Ryan Kroonenburg – Ryan sat this exam on Jan 15th in London. He made this video giving general exam experience feedback and he also said that he will be updating the above mentioned acloud.guru AWS Security course based on his experience.
Next, I think this Exam will hit every corner of the AWS Universe, which means diving deep into the AWS Security and Compliance Whitepapers
Out of those, The Well Architected Framework – Security Pillar would be the one to know like the back of your hand.
Re:Invent 2017 Security Vids
After that, the AWS RE:Invent 2017 IAM Policy Ninja Video is an incredible resource and to be sure, I will watch (and practice) this multiple times over the next several weeks. And other RE:Invent 2017 Security Vids:
Now the AWS recommended Training for the SCS-C01 BETA exam:
Exam Topic Specific Resources SCS-C01
Domain 1: Incident Response
1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
1.2 Verify that the Incident Response plan includes relevant AWS services
1.3 Evaluate configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues
Domain 2: Logging and Monitoring
2.1 Design and implement security monitoring and alerting.
2.2 Troubleshoot security monitoring and alerting.
2.3 Design and implement a logging solution.
2.4 Troubleshoot logging solutions
Domain 3: Infrastructure Security
3.1 Design edge security on AWS.
3.2 Design and implement a secure network infrastructure.
3.3 Troubleshoot a secure network infrastructure.
3.4 Design and implement host-based security
Domain 4: Identity and Access Management
4.1 Design and implement a scalable authorization and authentication system to access AWS resources.
4.2 Troubleshoot an authorization and authentication system to access AWS resources.
Domain 5: Data Protection
5.1 Design and implement key management and use.
5.2 Troubleshoot key management.
5.3 Design and implement a data encryption solution for data at rest and data in transit.
Based on acloud.guru Founder Ryan Kroonenburg’s Feedback on the Exam, I’ve added some more study links:
There were news stories out this morning about kb4056892 (Microsoft’s Patch for Spectre and Meltdown) bricking AMD chips.
In reading them, it was hard to get a sense of how REAL of an issue this is, since media is great at propagating Fear Uncertainty and Doubt. None of the major stories on this I have read so far gives any metrics or any specifics.
So.. I got my own – It seems the source of all the FUD in the media on this is coming from this Microsoft answers forum. I had some time to comb through 13 pages on the forum to get some samples, and it appears all of these reported issues are on consumer-based AMDs (samples from the forum below): older Athlon Series, released by AMD in 2005 – 2006, and Turion, also released in 2005:
AMD Athlon 64 X2 4600+ and windows 10 pro
AMD Athlon 64 X2 6000+, Asus MB
AMD Athlon 64 X2 5200+ and Asus M3N78 Mb
AMD Athlon 64 X2 6400+ BBE, Asus MB
AMD Athlon 64 x2 5000+
ten years old AMD Athlon X2 64
Athlon X2 4200+
AMD processor Athlon 64 X2 6000+ and Win10 Home 32-bit
Athlon X2 5600 (Brisbane) W10 64 bit Home
Athlon 64 X2 6000 (Windsor) W10 64 bit Pro machine
Windows 10 x64 Pro Build (1709 16299.125) with an HP Pavilion Entertainment PC DV2-2116WM with AMD Turion 64 X2.
AMD Turion x2 dual-core mobile rm-72 and Win 10 Pro 64 bits
Athlon X2 4850e, Windows 10 pro
AMD Athlon 64 X2 4400+.
AMD Athlon 3200+
AMD Athlon 64 X2 6000+, Asus M3A78-V3, Win 10 Home (32bit)
HP60 with AMD Turion X2 RM70 32 bit
AMD Athlon 64 X2 5600+
AMD Athlon 4850e dual processor machine
AMD Athlon 64 X2 6000+
DualCore AMD Athlon 64 X2
AMD Athlon 5050e 2.60 GHz on Asrock AOD790GX/128M
Which fields AWS ELB passes on after an SSL Termination:
X-Forwarded-For: <original client IP>, <first proxy IP>, <second proxy 2 IP>...
X-Forwarded-Proto: <protocol name>
X-Forwarded-Port: <port number>
CloudNode Notes on XFF on ELB
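How an application behind the ELB might consume these three headers, as an added example that is not from the original post. It assumes a single ELB that appends the connecting address as the last X-Forwarded-For entry, so anything to the left of it may have been supplied by the client; `TRUSTED_HOPS`, the function names and the sample headers are constructed for illustration.

```python
import ipaddress

# Assumption: how many proxies you operate append to X-Forwarded-For.
# 1 = a single ELB sits directly in front of the application.
TRUSTED_HOPS = 1

# Constructed sample: the client sent its own "X-Forwarded-For: 10.0.0.1",
# and the ELB appended the address it actually saw (203.0.113.7).
SAMPLE = {
    "X-Forwarded-For": "10.0.0.1, 203.0.113.7",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}

def client_ip_from_xff(xff, trusted_hops=TRUSTED_HOPS):
    """Return the address recorded by the outermost trusted proxy, or None."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_hops < 1 or len(hops) < trusted_hops:
        return None
    # Count from the right: only entries appended by our own proxies are
    # trustworthy. The leftmost entry is whatever the client chose to send.
    candidate = hops[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # not a bare IPv4/IPv6 address; treat as unknown

def parse_port(value):
    """Return a valid TCP port number, or None for anything else."""
    try:
        number = int(value)
    except (TypeError, ValueError):
        return None
    return number if 0 < number < 65536 else None

def original_request(headers, trusted_hops=TRUSTED_HOPS):
    """Rebuild what the client connected with before SSL termination.

    `headers` is assumed to be a dict keyed by the canonical header names.
    """
    proto = headers.get("X-Forwarded-Proto", "").strip().lower()
    return {
        "client_ip": client_ip_from_xff(headers.get("X-Forwarded-For", ""), trusted_hops),
        "proto": proto if proto in ("http", "https") else None,
        "port": parse_port(headers.get("X-Forwarded-Port")),
        "was_tls": proto == "https",
    }
```

These headers are only meaningful when the application accepts traffic solely from the ELB; a request that reaches the instance directly can set all three to anything.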
I am building this to place all the resources in one place that you’ll need to build out PA AnyConnect in your PA Firewall.
First, kudos to PaloAlto: you can do GlobalProtect VPN without a license as long as you do not want the host intrusion (HIP).
These links provide the basics, I’ll add in any missing parts / fill in the blanks below.
Guide to Building GlobalProtect
Certificate Configuration on PA
Generate a Self-Signed Cert for Testing
First caveat I am running into with this, is attempting to configure Global Protect on VM Series Firewall in AWS. I am thinking because all the interfaces are DHCP, that I may have to do some funkiness like terminating Global Protect on loopback and creating a NAT policy.
An example I am trying is here
Making a new cert? Here are some things below that should help.
#The openssl command to generate a private key is (umask 077 first, so the key file is readable only by its owner):
umask 077
openssl genrsa 2048 > private-key.pem
#The CSR is generated based on the private key. The following command is used for the CSR creation:
openssl req -new -key private-key.pem -out csr.pem
Once you’ve completed your certificate with one of the major Certificate Authorities, you can then import your certificate into Amazon’s Certificate Management Service to be used on ELB. Amazon also will create SSL Certificates.
Once you have your cert created, encrypt your private key:
gpg -c ./private-key.pem
#and remove the original
rm -f ./private-key.pem
Qualys [ SSLLABs ] Cert Checker
sslshoppers Certificate checker
This one is quick and dirty, folks – some quick resources if you are doing AWS Directory Services on AWS.
How to automatically Configure your systems to join an AD Domain on AWS
Terraform Directory Services for AWS Page
AWS System Manager Documents from the ‘IT Hollow Blog’
Quick windows shortcuts
#Open up Network Control Panel quickly:
#Open up System Settings Quickly: