2018 AWS Security Specialty BETA Exam

Finally, it’s here!

AWS Certified Security – Specialty Beta Exam

SCS-C01. I registered last night; it is only $150, which is much better than the usual $300 for each of the other two Specialty Exams. This beta exam will only be available from January 15th to March 2nd, so I scheduled mine on Feb 28th.

UPDATE 2/21/2018 – It appears aCloud.guru has released new content for this exam! You need your own acloud.guru account to get it, and the course is worth the $99. The course is still mixed with some older lectures, so I don’t think Ryan is totally done, but there is definitely new content up there!

UPDATE 3/3/2018 – I took the Specialty BETA exam on Feb 28th. The questions were tough and fair, and had very minimal, if any, “word trickery” at all. It was the most straightforward certification exam I have ever taken: you are presented with facts and the choices are well worded. Good job, AWS team!

I can’t really say too much about content, because of the NDA, but I can tell you some general things. Though the BETA is over now . . .

  • IAM Policies are a huge part of the exam, so please understand how all policies work, and what happens when multiple policies overlap one another. [ IAM Ninja video links below ].
  • KMS was also a large part of the exam, so no surprises there; know your KMS inside and out.
  • CloudWatch Agent. Know all the capabilities and what this agent does.
  • IAM Federation.
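To make the "overlapping policies" point concrete, here is a small evaluator (an added example, not from the exam guide or any AWS library) that applies the core IAM rule: an explicit Deny in any applicable policy wins, otherwise at least one Allow is needed, otherwise the request is implicitly denied. The bucket name and both policies are constructed; Condition, NotAction, Principal and cross-account rules are deliberately left out.

```python
import re
from typing import Iterable, List, Union

def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None

def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]

def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource both cover the request.
    Actions compare case-insensitively (as IAM does); ARNs compare exactly."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_wildcard_match(a, action, ignore_case=True) for a in actions)
            and any(_wildcard_match(r, resource) for r in resources))

def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Combine every policy attached to the principal and return
    'explicit-deny', 'allow' or 'implicit-deny' (the default when nothing allows).
    Simplified model: no Condition, NotAction/NotResource, Principal or cross-account rules."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"      # any matching Deny wins, regardless of order
            allowed = True                  # remember the Allow, keep scanning for a Deny
    return "allow" if allowed else "implicit-deny"

# Constructed sample policies (hypothetical bucket, not a real account).
BUCKET_ARN = "arn:aws:s3:::example-corp-data"
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": f"{BUCKET_ARN}/*"}]}
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}

def demo() -> dict:
    """Show how the two overlapping policies combine for a few requests."""
    both = [DEVELOPER_POLICY, GUARDRAIL_POLICY]
    obj = f"{BUCKET_ARN}/report.csv"
    return {
        "get with guardrail": evaluate(both, "s3:GetObject", obj),
        "delete with guardrail": evaluate(both, "s3:DeleteObject", obj),
        "delete without guardrail": evaluate([DEVELOPER_POLICY], "s3:DeleteObject", obj),
        "list bucket (never granted)": evaluate(both, "s3:ListBucket", BUCKET_ARN),
    }

if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {decision}")
```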

Also, on acloud.guru,  here is their discussion page with other people discussing their Exam experience.

Now comes the 90-day wait to see if I passed. . . . I’d like to see a PASS, but if I don’t, I get a voucher for the general release!

Q: What happens if I do not pass the beta exam?
Candidates who do not pass the beta exam will receive a voucher to re-attempt the AWS Certified Security Specialty exam once it is released.

Ok, now the nitty gritty, what resources were needed for the BETA?

Official Exam Guide

First, here is the pdf of the AWS Exam Guide for the BETA SCS-C01

Now, here is my resource collection:

I can start by telling you I’ve already purchased the

AWS Certified Security – Specialty Course from acloud.guru

It’s the course from the original BETA exam that came out (early 2017?), but it covers all the fundamentals and the guys at acloud.guru update their content regularly when it comes to Exam courses. I believe the cost on this is $60. Outstanding value!

acloud.guru Founder Ryan Kroonenburg – Ryan sat this exam on Jan 15th in London. He made this video giving general exam experience feedback and he also said that he will be updating the above mentioned acloud.guru AWS Security course based on his experience. UPDATE 2/5/2018 [ a rep from acloud.guru told me that the course would be updated at the end of February 2018 ]


Next, I think this Exam will hit every corner of the AWS Universe, which means diving deep into the AWS Security and Compliance Whitepapers

Out of those, The Well Architected Framework – Security Pillar would be the one to know like the back of your hand.

Re:Invent 2017 Security Vids

After that, the AWS RE:Invent 2017 IAM Policy Ninja Video is an incredible resource and, to be sure, I will watch (and practice) this multiple times over the next several weeks. And other RE:Invent 2017 Security Vids:

AWS Philosophy of Security
Architecting Security and Governance Across Multiple-Accounts
Security Anti-Patterns: Mistakes to Avoid
Best Practices for Managing Security Operations on AWS
AWS Security State of the Union
Compliance and Top Security Threats in the Cloud
Incident Response in the Cloud
Five New Security Automation Improvements You Can Make by Using CloudWatch Events and AWS Config Rules
Using AWS Lambda as a Security Team
 CloudTrail to Enhance Governance and Compliance of Ama

Now the AWS recommended Training for the SCS-C01 BETA exam:

AWS Security Fundamentals e-course
Online Resources for AWS Security

Exam Topic Specific Resources SCS-C01

Domain 1: Incident Response

RE:Invent Video: Incident Response in the Cloud

1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.

I received a notification that my AWS resources or account may be compromised. What should I do?

1.2 Verify that the Incident Response plan includes relevant AWS services

Building a Cloud-Specific Incident Response Plan

1.3 Evaluate configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues

How to Remediate Amazon Inspector Security Findings Automatically
How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object ACLs with CloudWatch Events

Domain 2: Logging and Monitoring

2.1 Design and implement security monitoring and alerting.

Designing Centralized Logging
CloudWatch Logging Agent
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
How to Receive Alerts When Your IAM Configuration Changes
SID341 – Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection

2.2 Troubleshoot security monitoring and alerting.

Troubleshoot SNS Deliveries
Troubleshoot SES Notifications

2.3 Design and implement a logging solution.

Logging Whitepaper
How to Monitor and Visualize Failed SSH Access Attempts to Amazon EC2 Linux Instances

2.4 Troubleshoot logging solutions

Troubleshooting CloudWatch Events

Domain 3: Infrastructure Security

3.1 Design edge security on AWS.

AWS Shield
Protect Dynamic Content using Shield and Route53
Serving Private Content Through CloudFront
SID342 – Protect Your Web Applications from Common Attack Vectors Using AWS WAF
SID401 – Let’s Dive Deep Together: Advancing Web Application Security

3.2 Design and implement a secure network infrastructure.

Setting Up an AWS VPN Connection – Amazon Virtual Private Cloud
VPN Connections – Amazon Virtual Private Cloud – AWS Documentation
Well Architected Framework – Security Pillar
EC2 Systems Manager

3.3 Troubleshoot a secure network infrastructure.

Troubleshooting – Amazon Virtual Private Cloud – AWS Documentation
Troubleshoot Connecting to an Instance in a VPC – AWS – Amazon.com
Troubleshooting AWS Direct Connect – AWS Documentation
VPN Tunnel Troubleshooting – AWS – Amazon.com

3.4 Design and implement host-based security

IDS and IPS for EC2 Instances
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
Amazon Inspector – Security Assessment Service

Domain 4: Identity and Access Management

4.1 Design and implement a scalable authorization and authentication system to access AWS resources.

AWS Identity and Access Management (IAM) Documentation
IAM Best Practices – AWS Identity and Access Management
Enabling SAML 2.0 Federated Users to Access the AWS Management …
SID337 – Best Practices for Managing Access to AWS Resources Using IAM Roles
AWS Cognito
SID344 – Soup to Nuts: Identity Federation for AWS
S3 Bucket Policy Examples

4.2 Troubleshoot an authorization and authentication system to access AWS resources.

Troubleshooting IAM – AWS Identity and Access Management
Troubleshooting IAM Roles – AWS Identity and Access Management
Troubleshoot IAM Policies – AWS Identity and Access Management
Troubleshooting Amazon EC2 and IAM – AWS Identity and Access …
Troubleshooting Amazon S3 and IAM – AWS Identity and Access …

Domain 5: Data Protection

5.1 Design and implement key management and use.

AWS Encryption SDK
AWS Key Management Service Concepts – AWS Documentation
RE:Invent Video – Best Practices for Implementing KMS
Whitepaper – Best Practices for KMS
SID345 – AWS Encryption SDK: The Busy Engineer’s Guide to Client-Side Encryption
Amazon Macie

5.2 Troubleshoot key management.

Verifying and Troubleshooting KMS Key Permissions – AWS .
Determining Access to an AWS KMS Customer Master Key – AWS Key …
Limits – AWS Key Management Service – AWS Documentation
Troubleshooting Key Signing Errors

5.3 Design and implement a data encryption solution for data at rest and data in transit.

How to Protect Data at Rest with Amazon EC2 … – AWS – Amazon.com
Encrypting Amazon RDS Resources – AWS Documentation
Encrypting Data at Rest ( non AWS BLOG )
Amazon Certificate Manager 
How to Encrypt and Decrypt Your Data with the AWS Encryption CLI
How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
Architecture for HIPAA Compliance on AWS

The Full List of the Security, Compliance, and Identity Sessions, Workshops, and Chalk Talks at AWS re:Invent 2017

Based on acloud.guru Founder Ryan Kroonenburg’s Feedback on the Exam, I’ve added some more study links:

Cloud HSM FAQs
Cloud HSM AWS Documentation
Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)
Protecting Data Using Client-Side Encryption in S3
IAM Policies and Bucket Policies and ACLs! Oh, My!

SamSam Malware Hit Close to Home


This morning, the Denver Post reported that a variant of the SamSam malware struck Colorado Dept of Transportation (CDOT), affecting 2000 computers. 

“TrendMicro said the attack wasn’t due to an employee opening an infected email, but hackers gained access remotely using a vendor’s user name and password”

The computers that were compromised were running McAfee Anti-Virus.

My own take on this:

First, props to the team at CDOT for having all of their data backed up, so they did not need to pay the ransom, GREAT JOB gals and guys!

Second, this story backs up my own experience that legacy Anti-Virus products (like the one mentioned above) are not designed to detect and stop today’s advanced malware. Legacy Anti-Virus products are good for checking audit boxes, but will fail you in the trenches, as seen here.

Instead, look to products like FireEye, PaloAlto Networks and MalwareBytes. The first two in that list use a combination of a software client on the host machine, upstream sandbox hardware and real-time cloud intel, which act as a unified solution to detect and prevent advanced malware. For a stand-alone client, I’ve seen the MalwareBytes product find and remove malware artifacts that other solutions did not see. CarbonBlack also has a solid end point offering.

Third, Identity Access Management (IAM) is key! Lost or stolen creds appear to be at the heart of many of the high profile compromises (think Target). A solid IAM system integrates with all authorization systems and ties credentials to resources and roles; combine this with logging and you can go a long way. Every credential should be tied to a role, and role access should be locked down to strict job requirements based on the principle of least privilege. All log-ins should be monitored and base-lined so that any deviation from the norm generates an alert. I have used the SailPoint product for centralized IAM in the past and it performs well.

My thoughts on this blog are only to educate the Security Professionals who protect us from the bad guys, and not as a criticism. Again, I have to tip my hat to the hard working team at CDOT for their back-up and recovery of their systems. They are demonstrating true resiliency.

Disclaimer: I do not work for; nor am I paid by any vendor listed in this post.


AVI Networks Product and Training thoughts

I had the privilege of attending an onsite, two-day deep dive training at AVI Networks on their Next Gen Application Delivery Platform (LoadBalancer). I wanted to share my thoughts on the product and the class.

The Product

AVI – What is it? Short answer is that AVI is a software only LoadBalancing Platform, built for use in Cloud – AWS, Azure, GCP – built for use in Containers, in VMware and yes even built for use in …. BARE METAL.

AVI – What makes it special?
AVI Software LoadBalancer was written to work in modern cloud environments and NOT a product that was ported from old-school data centers and shoe-horned into the Cloud. AVI Load Balancers can scale up or down in response to traffic load without manual intervention, as you would expect from a solution born in the Cloud era – and they scale BIG! How big? Zero to One million transactions per second!

* AVI also completely separates Control Plane and Data Plane  into different instances and functions; to the point that you could have a single AVI Controller and have many Service Engines(SE) across multiple different, hybrid environments. ( Service Engines are the Data Plane work-horses that do the CPU intensive Load-Balancing ) 

* What does this mean? Well, A single AVI Controller can administer a Service Engine in Azure, a Service Engine in AWS, and a Service Engine on-site running in VMware or a Service Engine in your bare metal box – yes  Controller operation of Service Engine management is Cloud/Environment agnostic – it does not matter where your Service Engines live, as long as the controller can reach them over the network.

The Controllers are not passive, like, say … a CheckPoint admin console box that collects logs and stores policies; in fact, just the opposite: the Controllers are actively in charge of 100% of the orchestration of the deployment, scaling, health and configuration of their Service Engines. Full API control and an SDK are available for AVI as well, so that means full automation. There are also full Ansible playbooks for AVI.

* AVI gives great metrics around virtual service analytics: end-to-end, client RTT, server RTT, app response, and more, so no more ‘guilty until proven innocent’ for the Network Team.

But wait . . . there’s more! AVI also has a Web Application Firewall that can attach directly to each Virtual Service( Pool ). The WAF uses the OWASP Core Rule Set (CRS ruleset)  and the AVI WAF interface is laid out in an intuitive, easy to use manner.

What else? Many of the AVI features in the GUI are what you might expect to be the equivalent of an “i-rule”, but instead of having to code out a rule, you just tick a box. A common example where AVI does this is ‘http to https redirection’ on the front end. Configuring certificate ciphers is easier in AVI as well, compared to other popular legacy load-balancers. If you want to do custom rules, AVI does have a DataScript language.

The class.

The instructor, Nathan, knew his stuff: he has been in the Load-Balancer space for many years and had many bridge strategies and examples from old-school load-balancers to AVI. The class was engaging and fun. Slide decks were well done. If I had my way, I would have wanted more labs, but I always want more labs. Nathan is a practiced presenter and was clear and concise in delivering the material.

There were a lot of students who are Engineers from Cisco in the class. I think there is more to it than Cisco HQ in San Jose being nearby the AVI HQ building. Cisco appears to have an interest in AVI, also noted by this Reseller partnership. https://blogs.cisco.com/cloud/avi-networks-and-cisco-join-forces-by-entering-into-a-strategic-reseller-agreement

The class could have easily been a full 5 days, due to the technical material covered, but the deep dives were in the right spot and they somehow managed to fit the meat and potatoes into two full days.

If you want to try AVI for yourself on AWS, you can spin it up from the Marketplace, but there is no FREE tier; the Controller needs a t2.xlarge at least. If you play with it for a few hours and then kill it, it’s not much $$; you can probably keep it under ten bucks.

AVI CEO Amit Pandey came to meet the class. First time a CEO has ever visited a technical class I attended. Amit was warm and personable. We also met Murali Basavaiah, one of the co-founders and Lead Engineers, who was also pleasant and helpful. The AVI culture seems to follow. One of the employees brought in his own personal Espresso machine and made coffee for anyone in the class who wanted it. Good experience being on site with them for two days, I am grateful for the opportunity.


disclaimer: I do not work for AVI Networks, I am not paid by AVI Networks.


Spectre and Meltdown: kb4056892 Fix causing AMD Issues, seem to be only older AMD Processors

There were news stories out this morning about kb4056892 ( Microsoft’s Patch for Spectre and Meltdown ) bricking AMD chips.

In reading them, it was hard to get a sense of how REAL of an issue this is, since media is great at propagating Fear Uncertainty and Doubt. None of the major stories on this I have read so far gives any metrics or any specifics.

So.. I got my own. It seems the source of all the FUD in the media on this is coming from this Microsoft answers forum. I had some time to comb through 13 pages on the forum to get some samples, and it appears all of these reported issues are consumer-based AMDs (samples from the forum below): older Athlon series, released by AMD in 2005 – 2006, and Turion, also released in 2005:

AMD Athlon 64 X2 4600+ and windows 10 pro
AMD Athlon 64 X2 6000+, Asus MB
AMD Athlon 64 X2 5200+ and Asus M3N78 Mb
AMD Athlon 64 X2 6400+ BBE, Asus MB
AMD Althlon 64 x2 5000+
ten years old AMD Athlon X2 64
Athlon X2 4200+
AMD processor Athlon 64 X2 6000+ and Win10 Home 32-bit
Athlon X2 5600 (Brisbane) W10 64 bit Home
Athlon 64 X2 6000 (Windsor) W10 64 bit Pro machine
indows 10 x64 Pro Build (1709 16299.125) with an HP Pavilion Entertainment PC DV2-2116WM with AMD Turion 64 X2.
AMD Turion x2 dual-core mobile rm-72 and Win 10 Pro 64 bits
Athlon X2 4850e, Windows 10 pro
AMD Athlon 64 X2 4400+.
AMD Athlon 3200+
AMD Athlon 64 X2 6000+, Asus M3A78-V3, Win 10 Home (32bit)
HP60 with AMD Turion X2 RM70 32 bit
AMD Athlon 64 X2 5600+
AMD Athlon 4850e dual processor machine
AMD Athlon 64 X2 6000+
DualCore AMD Athlon 64 X2
AMD Athlon 5050e 2.60 GHz on Asrock AOD790GX/128M



Spectre and Meltdown

UPDATE: AWS has patched 99.9 percent of its infrastructure:

Wanted to share so that everyone is aware of new major Security Vulnerabilities:

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre

CVE-2017-5754 is the official reference to Meltdown

ELB XFF Headers

Which fields AWS ELB passes on after SSL termination:

X-Forwarded-For: <original client IP>, <first proxy IP>, <second proxy 2 IP>...
X-Forwarded-Proto: <protocol name>
X-Forwarded-Port: <port number>
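To make the header order above concrete, here is a small parser (an added example, not from the linked notes or from AWS) that picks the client address the ELB appended rather than whatever the client may have put in X-Forwarded-For itself, and uses X-Forwarded-Proto to decide on an HTTPS redirect. The request headers are constructed with documentation (TEST-NET) addresses, and the code assumes the instance only accepts traffic from the load balancer.

```python
import ipaddress
from typing import Dict, Optional

def client_ip(headers: Dict[str, str], trusted_proxies: int = 1,
              peer_ip: Optional[str] = None) -> Optional[str]:
    """Return the client address that the ELB actually saw.

    The ELB appends the address of the TCP peer that connected to it. Anything the
    client itself put in X-Forwarded-For sits to the LEFT of that value and is
    client-controlled, so the trustworthy entry is the N-th from the right, where
    N is the number of proxies you control (1 for ELB alone, 2 for CloudFront -> ELB).
    """
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_proxies < 1 or len(hops) < trusted_proxies:
        return peer_ip            # header absent or too short: only the socket peer is known
    candidate = hops[-trusted_proxies]
    try:
        return str(ipaddress.ip_address(candidate))   # normalises and rejects junk
    except ValueError:
        return None               # not an IP at all: treat as untrusted

def original_scheme(headers: Dict[str, str]) -> str:
    """Scheme the client used; after SSL termination the app only sees plain HTTP."""
    return headers.get("X-Forwarded-Proto", "http").strip().lower()

def needs_https_redirect(headers: Dict[str, str]) -> bool:
    """True when the client arrived over HTTP and should be sent to HTTPS."""
    return original_scheme(headers) != "https"

def summarise(headers: Dict[str, str], trusted_proxies: int = 1) -> dict:
    """What the application should record for this request."""
    return {
        "client_ip": client_ip(headers, trusted_proxies),
        "scheme": original_scheme(headers),
        "port": headers.get("X-Forwarded-Port"),
        "redirect_to_https": needs_https_redirect(headers),
    }

# Constructed sample requests (documentation addresses, not real traffic).
HONEST_REQUEST = {"X-Forwarded-For": "203.0.113.10",
                  "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
# The client sent its own X-Forwarded-For value; the ELB appended the real peer.
SPOOFED_REQUEST = {"X-Forwarded-For": "10.0.0.1, 203.0.113.10",
                   "X-Forwarded-Proto": "http", "X-Forwarded-Port": "80"}
# CloudFront in front of the ELB: client first, then the CloudFront edge the ELB saw.
VIA_CLOUDFRONT = {"X-Forwarded-For": "203.0.113.10, 198.51.100.5",
                  "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}

if __name__ == "__main__":
    print(summarise(HONEST_REQUEST))
    print(summarise(SPOOFED_REQUEST))
    print(summarise(VIA_CLOUDFRONT, trusted_proxies=2))
```

If the instances are reachable from anywhere other than the load balancer (check the security group), the whole header is untrusted and this logic gives no protection.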

CloudNode Notes on XFF on ELB


PaloAlto VPN Primer

I am building this to put in one place all the resources you’ll need to build out PA AnyConnect in your PA Firewall.

First, kudos to PaloAlto: you can do GlobalProtect VPN without a license as long as you do not want the host intrusion (HIP).

These links provide the basics, I’ll add in any missing parts / fill in the blanks below.

Guide to Building GlobalProtect

Certificate Configuration on PA

Generate a Self-Signed Cert for Testing

First caveat I am running into with this is attempting to configure Global Protect on a VM-Series Firewall in AWS. I am thinking that because all the interfaces are DHCP, I may have to do some funkiness like terminating Global Protect on a loopback and creating a NAT policy.

An example  I am trying is here
