Skip to main content

3 Steps to Becoming an AWS Security Specialist

ƒConsidering the importance of security in everything digital, the role of Security Architect/Specialist is a growing specialization in the cloud industry. If you are looking to further develop your understanding of AWS Security (or maybe you want to become an AWS Security specialist), you may be struggling with where to begin. I’ll admit, given the amount of information and the complexity of the topic, it can be difficult to know what to study and in what order. That’s exactly the challenge that I’ll tackle for you in this post: 3 steps to becoming an AWS Security Specialist.

Personally, I’ve always had a keen interest in security. Because it’s constantly evolving, there is always so much to learn. As new threats and exposures are discovered, new barriers, guards, and protective measures have to be designed and implemented.

Security is about much more than just data protection. In fact, it is a key element in a wide range of areas, some of which can be classified as follows:
Security is about much more than just data protection. In fact, it is a key element in a wide range of areas, some of which can be classified as follows:
I’ve been particularly interested in how AWS provides and implements different security mechanisms to help us as customers secure the integrity, confidentiality, and availability of data we store within AWS.

AWS is devoted to developing new security services (and enhancing existing services) to increase the level of security that can be applied. In addition to the management services that are available, AWS offers a myriad of ways to help us optimize, control, monitor, and manage our infrastructure covering the areas mentioned above.

Step 1: Security Fundamentals

Knowing where to start all depends on the level of your current AWS knowledge. To appeal to the wider audience, I will suggest steps for increasing your AWS security knowledge from the perspective of someone who is fairly new to AWS. By doing so, you can take away what you need depending on your AWS experience, or you can use it as a starting point to becoming an AWS Security specialist.

Before you start to immerse yourself in the world of AWS security, I feel it’s important to gain a solid understanding of some of the fundamentals of the AWS architecture and its core services.  For example:

These topics are mainly covered by the AWS Solution Architect – Associate certification. By understanding these elements, you’ll have a solid foundation of the AWS infrastructure and framework and how services are architected. It’s important to have this awareness from a security standpoint as you need to know about any penetration points within the AWS infrastructure.

Step 2: Essential AWS Security Services

Next, I would focus on increasing your knowledge and awareness of the different security services that AWS offers. Today, the following services fall under the category of ‘Security, Identity, & Compliance,’ which would be a good place to start.

  • Identity & Access Management (IAM)
    • IAM allows you to control who and what can access your AWS resources and when through the use of identities, permissions, and a series of authentication and authorization methods.
  • Amazon Inspector
    • This helps you find security vulnerabilities within your EC2 instances and any applications running on them during any stage of development and deployment.
  • AWS Certificate Manager
    • Certificate Manager handles the responsibility of creating and managing SSL/TLS certificates for your web applications and sites.
  • AWS Directory Service
    • This service allows your directory-aware resources and workloads to use managed Active Directory within your environment.
  • AWS WAF & Shield
    • The WAF service helps prevent websites and web applications from being maliciously attacked by common web attack patterns such as SQL injection and cross-site scripting.
    • Shield protects your web applications from Distributed Denial of Service (DDoS) attacks.
  • AWS Artifact Portal
    • Artifact provides on-demand access to security and compliance reports and select online agreements.

Although the following two services do not fall within the same console category as the ones above, these are also critical services for encrypting your data:

  • AWS Key Management Service (KMS)
    • This service allows you to easily encrypt your data with protected keys that cannot be exposed to anyone in plain text. The service is regionally based across all AZs in the region, making it highly available with full auditing functions to encrypt your data at AWS and within your applications.
  • AWS CloudHSM
    • Hardware Security Module, or HSM, is another service that encrypts your data with protected keys. With this dedicated appliance, you control the encryption keys and cryptographic operations performed by the HSM.

For each of the services listed above, you will want to understand the following:

  • What the service does and what it is used for
  • What it provides you from a security perspective
  • When and where you might use the service
  • How the service works by understanding the components within it and how they interact with each other and other services

AWS Services
Each service provides a very different function and feature set. One service that you will want to master is IAM. Because it tightly integrates with many of the other AWS services, a full understanding of IAM will help you manage access security throughout your entire AWS architecture.

These are not the only services that can help you mitigate, monitor, and manage security threats and exposures within your environment. In addition, I highly recommend at least an awareness of the following services, which can also be used to help mitigate security issues and help from an audit and governance perspective:

  • AWS CloudTrail
    • AWS CloudTrail gives you have the ability to capture and log AWS API calls made by users and/or services.
  • AWS Config
    • AWS Config provides visibility of your entire AWS infrastructure from a configuration perspective.  It also acts as a resource inventory and a compliance checker, and it can manage configuration changes of your resources.
  • Amazon CloudWatch
    • CloudWatch is a monitoring service for cloud resources and the applications you run on AWS. CloudWatch can collect metrics, set and manage alarms, and automatically react to changes in your AWS resources.
  • AWS Trusted Advisor
    • Trusted Advisor is an AWS support tool that assists with cost reduction, performance optimization, and security improvements.

AWS Services
Although not defined as security services in their own right, these management services provide a level of monitoring, logging, analysis, and auditing to help you identify potential security threats and breaches and to align with specific compliance and governance controls. As mentioned earlier, monitoring and compliance are closely tied to cloud security.

To gain an upper hand in detecting, minimizing, and preventing any kind of security breach, you need to be able to track, log, and analyze as much as you can within your environment.
In addition to the services already mentioned, there is also a large number of built-in, service-specific security mechanisms that you will want to be familiar with, for example:

  • Simple Storage Service (S3): Bucket Policies, Access Control Lists (ACLs), Lifecycle Policies, MFA Delete, Encryption (Server-Side, Client-Side), Access Logs
  • Elastic Compute Cloud (EC2): Key Pairs, Access Keys, Security Groups
  • Virtual Private Cloud (VPC): Network Access Control Lists (NACLs), Route Tables, Subnet design
  • CloudFront: HMAC-SHA1 signatures, SSL enabled endpoints, Geo restriction

AWS has detailed information on service-specific security in this whitepaper on AWS Security.

Step 3: Other Security topics

As you start to navigate some of the topics and services recommended here, you will probably come across other security principles and methodologies (not just specific to AWS).
Here is just a sampling of other topics that you’ll want to understand in order to architect, design, and implement stronger security within your AWS environment:

  • Encryption: Different encryption methods, how encryption works, encryption protocols, encryption of data in transit and at rest
  • Layered Security: How to architect layered security and design methods from application-level to physical-level security
  • Attack Methods: Distributed Denial of Service (DDos), SQL Injection, Cross-site scripting, etc.
  • Risk Management: How to manage, mitigate and control risks, implement contingencies, and understand consequences
  • Governance, Compliance & Certifications: For example, PCI DSS, HIPAA, SOC, FedRAMP, CSA, etc.

Next Steps

To fully understand and master all of the different services and security topics mentioned here will take a lot of time and effort. Trust me, it’s worth it.
Organizations will always need to protect their data and services running in the cloud, and they will continue to invest in services and professionals who fully understand those services, to ensure that their business data is not compromised in any way.

If you’re ready to start building your skills as an AWS Security specialist, I would highly recommend starting with the courses and learning paths linked throughout this post. In addition to these, I would also recommend taking the following learning paths:
AWS Security Services  AWS Governance & Compliance  AWS Cloud Management Tools  AWS Auditing & Monitoring  AWS Access Key & Management Security
The Cloud Academy Blog is also a great resource for different AWS Security topics, many of which I have written myself.

I also highly recommend reading AWS’s own security whitepapers.

If you have any questions, please leave them in the comments and I’ll be happy to answer them.

Written by

Stuart Scott

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.

Related Posts

Stuart Scott
— November 29, 2018

New Security & Compliance Service: AWS Security Hub

This morning’s Andy Jassy keynote was followed by the announcement of over 20 new services across a spectrum of AWS categories, including those in Security and Compliance, Database, Machine Learning, and Storage.  One service that jumped out to me was the AWS Security Hub, currently...

Read more
  • Amazon Web Services
  • re:Invent 2018
  • Security
Alex Brower
Alex Brower
— October 17, 2018

Interview: Q&A with John Visneski

Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint ...

Read more
  • Security
John Visneski
John Visneski
— October 2, 2018

Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for

John Visneski is the Head of Security and DPO at The Pokemon Company International. If you missed the webinar we organized in collaboration with John Visneski you can still watch it on demand, simply click here. The reasoning behind the popularity of this perspective is clear, if no...

Read more
  • Security
Albert Qian
Albert Qian
— September 25, 2018

Microsoft Ignites Cloud Industry With Nadella Keynote

On Monday, Microsoft kicked off its Ignite conference, an annual gathering of developers and IT professionals. Over the next week, attendees will learn about upcoming Microsoft innovations in IoT, artificial intelligence, machine learning, and cloud (all while getting some good networki...

Read more
  • Events
  • IoT
  • Machine Learning
  • Security
Cloud Academy Team
— August 29, 2018

4 Reasons You Need to Include Business Stakeholders in Cloud Training

Digital transformation is changing how organizations in every industry approach their business strategy, serving as the foundation of their technology initiatives. Chief among this includes cloud adoption, which is not just a path to IT savings, but also increasingly where companies are...

Read more
  • Cloud Adoption
  • Security
Aaron McKeown
Aaron McKeown
— August 1, 2018

Build a Security Culture Within Your Organization

At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture?At Xero, we...

Read more
  • Security
Albert Qian
Albert Qian
— June 19, 2018

Preparing for the Microsoft Azure 70-535 Exam

The credibility of Microsoft Azure continues to grow in the first quarter of 2018 with an increasing number of enterprises migrating their workloads, resulting in a jump for Azure from 10% to 13% in market share. Most organizations will find that simply “lifting and shifting” applicatio...

Read more
  • Azure
  • Compute
  • Database
  • Security
Stuart Scott
— May 17, 2018

4 Best Practices to Get Your Cloud Deployments GDPR Ready

With GDPR coming into force later this month, security and compliance will be the top-most priority for any cloud deployment that contains personal data of EU citizens.While leading providers have moved to make their platforms and services compliant, ensuring compliance requires more ...

Read more
  • GDPR
  • Security
Cloud Academy Team
— May 7, 2018

AWS Summit London 2018: Our Top Picks

Cloud Academy is proud to be a sponsor of AWS Summit London coming up May 9-10 at the ICC, ExCeL, London.Join us in booth S24, Level 1 where our AWS experts will be on hand to answer your questions and walk you through our latest content and newest platform features.Ask us about y...

Read more
  • AWS Summits
  • GDPR
  • Security
George Gerchow
— March 26, 2018

GDPR Compliance: Low Cost, Zero-Friction Action Items

George Gerchow is Chief Security Officer at Sumo Logic and Adjunct Honorary Lecturer at Cloud Academy. View the on-demand recording of our recent webinar, Establishing a Privacy Program: GDPR Compliance & Beyond with Mr. Gerchow and Jen Brown, Data Protection Officer at Sumo Logic....

Read more
  • GDPR
  • Security
Cloud Academy Team
— March 9, 2018

New on Cloud Academy, March ’18: Machine Learning on AWS and Azure, Docker in Depth, and more

Introduction to Machine Learning on AWSThis is your quick-start guide for building and deploying with Amazon Machine Learning. By the end of this learning path, you will be able to apply supervised and unsupervised learning, ML algorithms, deep learning, and deep neural networks on AW...

Read more
  • Cloud Migration
  • Docker
  • Machine Learning
  • Security
Logan Rakai
— March 2, 2018

Three Must-Use Azure Security Services

Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.The safety of your cloud environment—and the data and applications that your business runs on—depends on how well y...

Read more
  • Azure
  • Security