3 Steps to Becoming an AWS Security Specialist

Considering the importance of security in everything digital, the role of Security Architect/Specialist is a growing specialization in the cloud industry. If you are looking to further develop your understanding of AWS Security (or maybe you want to become an AWS Security specialist), you may be struggling with where to begin. I’ll admit, given the amount of information and the complexity of the topic, it can be difficult to know what to study and in what order. That’s exactly the challenge that I’ll tackle for you in this post: 3 steps to becoming an AWS Security Specialist.

Personally, I’ve always had a keen interest in security. Because it’s constantly evolving, there is always so much to learn. As new threats and exposures are discovered, new barriers, guards, and protective measures have to be designed and implemented.

Security is about much more than just data protection. In fact, it is a key element in a wide range of areas, some of which can be classified as follows:
Security is about much more than just data protection. In fact, it is a key element in a wide range of areas, some of which can be classified as follows:
I’ve been particularly interested in how AWS provides and implements different security mechanisms to help us as customers secure the integrity, confidentiality, and availability of data we store within AWS.

AWS is devoted to developing new security services (and enhancing existing services) to increase the level of security that can be applied. In addition to the management services that are available, AWS offers a myriad of ways to help us optimize, control, monitor, and manage our infrastructure covering the areas mentioned above.

Step 1: Security Fundamentals

Knowing where to start all depends on the level of your current AWS knowledge. To appeal to the wider audience, I will suggest steps for increasing your AWS security knowledge from the perspective of someone who is fairly new to AWS. By doing so, you can take away what you need depending on your AWS experience, or you can use it as a starting point to becoming an AWS Security specialist.

Before you start to immerse yourself in the world of AWS security, I feel it’s important to gain a solid understanding of some of the fundamentals of the AWS architecture and its core services.  For example:

These topics are mainly covered by the AWS Solution Architect – Associate certification. By understanding these elements, you’ll have a solid foundation of the AWS infrastructure and framework and how services are architected. It’s important to have this awareness from a security standpoint as you need to know about any penetration points within the AWS infrastructure.

Step 2: Essential AWS Security Services

Next, I would focus on increasing your knowledge and awareness of the different security services that AWS offers. Today, the following services fall under the category of ‘Security, Identity, & Compliance,’ which would be a good place to start.

  • Identity & Access Management (IAM)
    • IAM allows you to control who and what can access your AWS resources and when through the use of identities, permissions, and a series of authentication and authorization methods.
  • Amazon Inspector
    • This helps you find security vulnerabilities within your EC2 instances and any applications running on them during any stage of development and deployment.
  • AWS Certificate Manager
    • Certificate Manager handles the responsibility of creating and managing SSL/TLS certificates for your web applications and sites.
  • AWS Directory Service
    • This service allows your directory-aware resources and workloads to use managed Active Directory within your environment.
  • AWS WAF & Shield
    • The WAF service helps prevent websites and web applications from being maliciously attacked by common web attack patterns such as SQL injection and cross-site scripting.
    • Shield protects your web applications from Distributed Denial of Service (DDoS) attacks.
  • AWS Artifact Portal
    • Artifact provides on-demand access to security and compliance reports and select online agreements.

Although the following two services do not fall within the same console category as the ones above, these are also critical services for encrypting your data:

  • AWS Key Management Service (KMS)
    • This service allows you to easily encrypt your data with protected keys that cannot be exposed to anyone in plain text. The service is regionally based across all AZs in the region, making it highly available with full auditing functions to encrypt your data at AWS and within your applications.
  • AWS CloudHSM
    • Hardware Security Module, or HSM, is another service that encrypts your data with protected keys. With this dedicated appliance, you control the encryption keys and cryptographic operations performed by the HSM.

For each of the services listed above, you will want to understand the following:

  • What the service does and what it is used for
  • What it provides you from a security perspective
  • When and where you might use the service
  • How the service works by understanding the components within it and how they interact with each other and other services

AWS Services
Each service provides a very different function and feature set. One service that you will want to master is IAM. Because it tightly integrates with many of the other AWS services, a full understanding of IAM will help you manage access security throughout your entire AWS architecture.

These are not the only services that can help you mitigate, monitor, and manage security threats and exposures within your environment. In addition, I highly recommend at least an awareness of the following services, which can also be used to help mitigate security issues and help from an audit and governance perspective:

  • AWS CloudTrail
    • AWS CloudTrail gives you have the ability to capture and log AWS API calls made by users and/or services.
  • AWS Config
    • AWS Config provides visibility of your entire AWS infrastructure from a configuration perspective.  It also acts as a resource inventory and a compliance checker, and it can manage configuration changes of your resources.
  • Amazon CloudWatch
    • CloudWatch is a monitoring service for cloud resources and the applications you run on AWS. CloudWatch can collect metrics, set and manage alarms, and automatically react to changes in your AWS resources.
  • AWS Trusted Advisor
    • Trusted Advisor is an AWS support tool that assists with cost reduction, performance optimization, and security improvements.

AWS Services
Although not defined as security services in their own right, these management services provide a level of monitoring, logging, analysis, and auditing to help you identify potential security threats and breaches and to align with specific compliance and governance controls. As mentioned earlier, monitoring and compliance are closely tied to cloud security.

To gain an upper hand in detecting, minimizing, and preventing any kind of security breach, you need to be able to track, log, and analyze as much as you can within your environment.
In addition to the services already mentioned, there is also a large number of built-in, service-specific security mechanisms that you will want to be familiar with, for example:

  • Simple Storage Service (S3): Bucket Policies, Access Control Lists (ACLs), Lifecycle Policies, MFA Delete, Encryption (Server-Side, Client-Side), Access Logs
  • Elastic Compute Cloud (EC2): Key Pairs, Access Keys, Security Groups
  • Virtual Private Cloud (VPC): Network Access Control Lists (NACLs), Route Tables, Subnet design
  • CloudFront: HMAC-SHA1 signatures, SSL enabled endpoints, Geo restriction

AWS has detailed information on service-specific security in this whitepaper on AWS Security.

Step 3: Other Security topics

As you start to navigate some of the topics and services recommended here, you will probably come across other security principles and methodologies (not just specific to AWS).
Here is just a sampling of other topics that you’ll want to understand in order to architect, design, and implement stronger security within your AWS environment:

  • Encryption: Different encryption methods, how encryption works, encryption protocols, encryption of data in transit and at rest
  • Layered Security: How to architect layered security and design methods from application-level to physical-level security
  • Attack Methods: Distributed Denial of Service (DDos), SQL Injection, Cross-site scripting, etc.
  • Risk Management: How to manage, mitigate and control risks, implement contingencies, and understand consequences
  • Governance, Compliance & Certifications: For example, PCI DSS, HIPAA, SOC, FedRAMP, CSA, etc.

Next Steps

To fully understand and master all of the different services and security topics mentioned here will take a lot of time and effort. Trust me, it’s worth it.
Organizations will always need to protect their data and services running in the cloud, and they will continue to invest in services and professionals who fully understand those services, to ensure that their business data is not compromised in any way.

If you’re ready to start building your skills as an AWS Security specialist, I would highly recommend starting with the courses and learning paths linked throughout this post. In addition to these, I would also recommend taking the following learning paths:
AWS Security Services  AWS Governance & Compliance  AWS Cloud Management Tools  AWS Auditing & Monitoring  AWS Access Key & Management Security
The Cloud Academy Blog is also a great resource for different AWS Security topics, many of which I have written myself.

I also highly recommend reading AWS’s own security whitepapers.

If you have any questions, please leave them in the comments and I’ll be happy to answer them.

Avatar

Written by

Stuart Scott

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.

Related Posts

Chester Avey
Chester Avey
— September 10, 2019

7 Key Cybersecurity Threats to Cloud Computing

When businesses consider cloud computing, one of the major advantages often cited is the fact that it can make your business more secure. In fact, in recent years many businesses have chosen to migrate to the cloud specifically for its security benefits. So, it might surprise you to lea...

Read more
  • Cybersecurity
  • Security
Avatar
Adam Hawkins
— August 9, 2019

DevSecOps: How to Secure DevOps Environments

Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...

Read more
  • AWS
  • cloud security
  • DevOps
  • DevSecOps
  • Security
Avatar
Paola Di Pietro
— July 19, 2019

Top 10 Things Cybersecurity Professionals Need to Know

There has been an increase in data breaches over the recent years. With almost 143 million Americans who have had their data compromised in data breaches. These breaches include all sorts of sensitive data, including financial information, election controversies, social security, just t...

Read more
  • Azure
  • cyber security
  • Security
Avatar
Stuart Scott
— July 18, 2019

AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security

If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog.   It can be both d...

Read more
  • AWS
  • Compute
  • Database
  • fundamentals
  • networking
  • Security
  • Storage
Avatar
Adam Hawkins
— April 16, 2019

The Convergence of DevOps

IT has changed over the past 10 years with the adoption of cloud computing, continuous delivery, and significantly better telemetry tools. These technologies have spawned an entirely new container ecosystem, demonstrated the importance of strong security practices, and have been a catal...

Read more
  • DevOps
  • Security
Avatar
Adam Hawkins
— March 21, 2019

How DevOps Increases System Security

The perception of DevOps and its role in the IT industry has changed over the last five years due to research, adoption, and experimentation. Accelerate: The Science of Lean Software and DevOps by Gene Kim, Jez Humble, and Nicole Forsgren makes data-backed predictions about how DevOps p...

Read more
  • DevOps
  • Security
Avatar
Stuart Scott
— November 29, 2018

New Security & Compliance Service: AWS Security Hub

This morning’s Andy Jassy keynote was followed by the announcement of over 20 new services across a spectrum of AWS categories, including those in Security and Compliance, Database, Machine Learning, and Storage.   One service that jumped out to me was the AWS Security Hub, currently...

Read more
  • AWS
  • re:Invent 2018
  • Security
Alex Brower
Alex Brower
— October 17, 2018

Interview: Q&A with John Visneski

Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint ...

Read more
  • Security
John Visneski
John Visneski
— October 2, 2018

Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for

John Visneski is the Head of Security and DPO at The Pokemon Company International. If you missed the webinar we organized in collaboration with John Visneski you can still watch it on demand, simply click here.  The reasoning behind the popularity of this perspective is clear, if no...

Read more
  • Security
Albert Qian
Albert Qian
— September 25, 2018

Microsoft Ignites Cloud Industry With Nadella Keynote

On Monday, Microsoft kicked off its Ignite conference, an annual gathering of developers and IT professionals. Over the next week, attendees will learn about upcoming Microsoft innovations in IoT, artificial intelligence, machine learning, and cloud (all while getting some good networki...

Read more
  • Events
  • IoT
  • Machine Learning
  • Security
Avatar
Cloud Academy Team
— August 29, 2018

4 Reasons You Need to Include Business Stakeholders in Cloud Training

Digital transformation is changing how organizations in every industry approach their business strategy, serving as the foundation of their technology initiatives. Chief among this includes cloud adoption, which is not just a path to IT savings, but also increasingly where companies are...

Read more
  • Cloud Adoption
  • Security
Aaron McKeown
Aaron McKeown
— August 1, 2018

Build a Security Culture Within Your Organization

At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture? At Xero, we...

Read more
  • Security