
Wilson Mar




Securing secrets in Bash shell scripts while learning to pass the AWS Certified Security - Specialty (SCS-C01) exam



Secure Bash Script


NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.

  1. Manually obtain an AWS account and set up AWS login from Terminal. See my instructions.
  2. Manually or in IaC create an AWS KMS (Key Management Service) key (or use an existing one if it exists)
  3. Manually add & encrypt a key (if one is not specified)

I am working on a Bash/Z shell script so you can copy a single command and paste it into your Terminal to do all the following:

  1. Install AWS CLI after prerequisites (NodeJs)
  2. Request that you (manually) obtain an account and setup AWS login from Terminal
  3. Define IAM credentials (if one isn’t specified)
  4. Auto-rotate keys service every month?

  5. Retrieve key within shell and format JSON response

This would be using https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

An alternative is AKEYLESS, which enables authentication with several clouds (AWS IAM, Azure AD, SAML, LDAP, API key). See https://akeyless.readme.io/docs/cli

AWS Security Certification SCS-C01

The AWS Certified Security - Specialty certification SCS-C01 home page is at

The exam costs $300 USD (50% off if you’ve cleared another certification).

Practice exam: 40 USD.

PROTIP: The exam is difficult because you need a scaled score of at least 750 out of 1,000 (roughly 75%) on 65 multiple-choice and multiple-response questions in 170 minutes (just under 3 hours) without breaks. Many of the questions are long paragraphs and have several correct answers to select.

Domain Topics for AWS Security

  1. 12% (Network and) Incident Response (Forensics)
  2. 20% Logging and Monitoring
  3. 26% Infrastructure Security
  4. 20% Identity and Access Management (IAM)
  5. 22% Data Protection

Exam Readiness 2h free video by Blaine Sundrud

Cert Prep: AWS Security Specialty Certification

CloudAcademy’s 31h video cert prep

VIDEO: 1h COURSE: Demystifying the AWS Certified Security Specialty Exam by Michael Brown covers the options for Key Management (FIPS 140-2 HSM):

  • AWS KMS (Key Management Service) - shared service managed by AWS
  • AWS CloudHSM - private hardware HSM cluster on AWS
  • On-premises HSM

  • The AWS Encryption SDK
  • Amazon DynamoDB encryption client
  • AWS Secrets Manager

Links to learning content on specific topics specified in Amazon’s exam guide PDF:

  1. (Network and) Incident Response (Forensics) 12%
    1. Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
    2. Verify that the Incident Response Plan includes relevant AWS services.
    3. Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues.

  2. Logging and Monitoring 20%
    1. Design and implement security monitoring and alerting.
    2. Troubleshoot security monitoring and alerting.
    3. Design and implement a logging solution.
    4. Troubleshoot logging solutions.

  3. Infrastructure Security 26%
    1. Design edge security on AWS (NACLs, VPC Flow Logs)
    2. Design and implement a secure network infrastructure.
    3. Troubleshoot a secure network infrastructure.
    4. Design and implement host-based security.

  4. Identity and Access Management 20%
    1. Design and implement a scalable authorization and authentication system to access AWS resources.
    2. Troubleshoot an authorization and authentication system to access AWS resources.

  5. Data Protection 22%
    1. Design and implement key management and use.
    2. Troubleshoot key management.
    3. Design and implement a data encryption solution for data at rest and data in transit.

Topics (Abilities Validated by the Certification)

  • Security controls for workloads on AWS.
  • Specialized data classifications and AWS data protection mechanisms
  • Data encryption methods and AWS mechanisms to implement them
  • Secure Internet protocols and AWS mechanisms to implement them
  • AWS security services and features of services to provide a secure production environment

  • Production deployment using AWS security services and features
  • Tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements
  • Security operations and risk

The Future of Security:

  • Static Code Analysis
  • Vulnerability Management
  • Compliance Checks
  • Web Application Scanning
  • Configuration Assessments

Golden AMI Pipeline of EC2 images at https://github.com/Qualys-Public


CAUTION: Amazon tests on the console (GUI) and CloudFormation, not Terraform, Ansible, and other IaC. At time of writing the CDK (Cloud Development Kit) was too new to be included in the test.

Learning materials from AWS

Amazon Training offers a 3-day live/classroom Security Engineering on AWS course offered by various vendors for USD $1,485 - $2,095.

For those who can afford it, Amazon’s live instructor-led classes:

$600 for 1 day AWS Security Essentials

AWS Amazon Tech Talks Videos


https://pages.awscloud.com/Remediating-Amazon-GuardDuty-and-AWS-Security-Hub-Findings_2019_0320-SID_OD.html?&trk=ep_card-el_a131L000005uKBhQAM&trkCampaign=NA-FY19-AWS-DIGMKT-WEBINAR-SERIES-March_2019_0320-SID&sc_channel=el&sc_campaign=pac_2018-2019_exlinks_ondemand_OTT_evergreen&sc_outcome=Product_Adoption_Campaigns&sc_geo=NAMER&sc_country=mult Remediating Amazon GuardDuty and AWS Security Hub Findings

https://pages.awscloud.com/AWS-Transit-Gateway-Reference-Architectures-for-Many-Amazon-VPCs_2019_0811-NET_OD.html?&trk=ep_card-el_a131L0000057bPDQAY&trkCampaign=NA-FY19-AWS-DIGMKT-WEBINAR-SERIES-August_2019_0811-NET&sc_channel=el&sc_campaign=pac_2018-2019_exlinks_ondemand_OTT_evergreen&sc_outcome=Product_Adoption_Campaigns&sc_geo=NAMER&sc_country=mult AWS Transit Gateway Reference Architectures for Many Amazon VPCs

Videos of 2019 #reInforce, which dive deep into cloud security, IAM, and compliance. Keynote by Steve Schmidt, CISO of Amazon Web Services.

Articles from AWS on Security

Among https://aws.amazon.com/whitepapers

Security and Compliance documentation

Compliance resources

Well architected Framework

From the Digital Training library (each opens in a new window):

AWS KMS Cryptographic Details (details what happens behind the scenes with HSMs)

PDF: DDoS Mitigation whitepaper

Data Residency: AWS Policy Perspectives

AWS Cloud Security Learning

Scale-Out Computing on AWS

Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

GxP Compliance Automation

3rd-party video courses


Pluralsight’s Security video courses:


ACloudGuru’s 20 hour AWS Certified Security - Specialty 2020 includes a practice exam along with sections on “Incident Response & AWS In The Real World” and “Updates Based On Student Feedback”.

It is part of their 173-hour Learning Path of video courses.

ACloudGuru’s Exam Simulator


LinkedIn Learning


OReilly’s website does not provide lab time, but does have famous authors.

Chad Smith


Qwiklabs.com provides time (an hour at a time) on servers to perform their step-by-step instructions on specific topics.

Practice Tests

About $200 USD if you get all of them.

  • $41.30 USD (money back) at https://www.vmexam.com/aws/scs-c01-aws-certified-security-specialty for 205+ questions for 2 months.

  • The AWS Certification Quiz Show: CQ E13 (AWS Security - Specialty) Nov 3, 2019 with Paul Hawkins (using ___)

  • $25 https://www.braincert.com/course/21137-AWS-Certified-Security-Specialty-Practice-Exams provides 150 questions (3 practice tests - 50 questions each)

  • $11 https://www.udemy.com/course/scs-c01-aws-certified-security-specialty-practice-tests/

  • $40 https://www.whizlabs.com/aws-certified-security-specialty/

  • $69 for 333 questions ($100 with software) at https://www.dumpskey.com/amazon/aws-security-specialty-braindumps or https://www.ebay.com/itm/Amazon-AWS-Certified-Security-Specialty-SCS-C01-Exam-Test-QA-SIM-PDF-Simulator-/253754800538 or https://www.dumps4download.com/scs-c01-dumps.html

Major AWS cloud services

My webpage on cyber-security covers industry-wide terms (vendor-agnostic).


  • Load balancer

Lifecycle Actions

Sequence to develop a secure web application within AWS cloud:

  1. Use accounts with MFA, not long-term passwords.
  2. SSH with generated key pairs, never passwords.
  3. Protect the S3 buckets holding CloudTrail and Billing logs.
  4. Don’t create public access to S3 buckets.
  5. Create “Admin” roles with limited privilege.
  6. Leverage IAM roles for EC2 instead of access keys stored on the instance.
  7. Control traffic to EC2 using explicit, tightly scoped Security Groups.
  8. Enable communication by users and between app and database with roles having the minimal IAM policies necessary.
  9. Set up apps with SSL/TLS certificates for HTTPS communication in transit.
  10. Encrypt data at rest with a KMS key, and decrypt only where the data is used.
  11. Set up read-only application and infrastructure logs [CloudTrail].
  12. Set up API Gateway and firewalls to manage access.
  13. Set up alerts.
  14. Watch trends in application and infrastructure logs periodically.
  15. Set up backups using read and
  16. HA and multi-region operation.
  17. Review billings monthly.

Security Principles

  • Least privilege

  • Handle keys with care
    • Associate an IAM Role with the compute resource
    • Programmatic AssumeRole via STS SDK
  • Encrypt “All the Things”
    • Require KMS Keys
    • Data at rest: Use only encrypted EBS volumes
    • S3 buckets
    • RDS or Aurora databases
    • Data in transit: S3 bucket config, CloudFront Cert. Manager
  • Monitor continuously
    • CloudTrail Logs (cross region)
    • S3 Access Logging
    • VPC Flow Logs
    • Billing Logs
  • Audit Regularly
    • Trusted Advisor
    • AWS Config
    • Custom Scripts

At a high level, within AWS Cloud Security at aws.amazon.com/security is the mantra:

  • Prevent
  • Detect
  • Respond
  • Remediate

Security Landscape

  • Governance
  • Management (CloudWatch, CloudTrail, Config)
  • Protection
  • Encryption (AWS CloudHSM, KMS)
  • Detection (Amazon Macie, AWS Firewall Manager, AWS Security Hub, Amazon GuardDuty)

AWS CAF (Cloud Adoption Framework)


  • Business
  • People
  • Governance
  • Platform
  • Security
  • Operations

AWS policies

AWS uses several types of “policies” to determine whether to allow or deny a request made by a principal (such as a user or role).

Most policies are JSON documents. They can be defined inline or as “managed” policy objects, and are attached either to IAM identities (users, user groups, roles) or to AWS resources.

AWS groups policy types into two categories, “permissions policies” and “permissions boundaries”:

Permissions policies grant permissions to the object they are attached to. Within a single account, AWS evaluates all applicable permissions policies together. They are the most common policies. The following policy types can be used as permissions policies:

  • Identity-based policies: a managed or inline policy attached to an IAM user, user group, or role defines the permissions for that identity.

  • Resource-based policies: a JSON policy document attached to an AWS resource (if that service supports it, e.g. S3 bucket policies and KMS key policies). Because they name the principals allowed in, they are how cross-account access is granted.

  • Access Control Lists (ACLs): also attached to resources (S3 buckets and objects), an ACL lists the principals permitted to use the resource. ACLs are the only policy type that does not use the JSON policy document structure; prefer bucket policies where you can.

Permissions boundaries (an advanced feature) set the maximum permissions an entity can have; they never grant permissions by themselves. When more than one boundary applies to a request, AWS evaluates each boundary separately, and the request must be allowed by every one of them as well as by a permissions policy. Boundaries can be applied as:

  • Service Control Policies (SCPs) in AWS Organizations, applied to member accounts (the whole organization, an organizational unit, or a single account). SCPs do not restrict the management account.

  • IAM permissions boundaries: a managed policy set as the boundary for a user or role. See “Permissions Boundaries for IAM Entities” in the IAM User Guide.

In every case an explicit Deny in any applicable policy wins, and with no explicit Allow the result is an implicit Deny.
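The evaluation order described above (explicit Deny wins, then some identity-based policy must Allow, then every boundary that applies must also Allow) as runnable Python. This is an added example written for this page, not AWS code; the three policy documents are constructed, actions are matched with IAM wildcards, and Condition blocks are deliberately not modelled (an assumption that keeps the example short). It exercises the Effect/Action/Resource statement components that the IAM Policies section later on this page lists.

```python
"""Simplified IAM policy evaluation for one principal in one account:
identity-based policies, an IAM permissions boundary and an Organizations SCP,
combined the way AWS combines them. Added example for this page, not AWS code.
Assumption: Condition blocks and NotAction/NotResource are not modelled."""
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def policy_effect(policy, action, resource):
    """Effect of one policy document on one request: 'Deny', 'Allow' or None.
    Within a document an explicit Deny beats an Allow. Action names are
    case-insensitive; ARNs are case-sensitive."""
    effect = None
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            effect = "Allow"
    return effect


def evaluate(action, resource, identity_policies, boundary=None, scp=None):
    """Decision for a request, as a short string:
    1. An explicit Deny in any applicable policy wins.
    2. Otherwise at least one identity-based policy must Allow.
    3. Otherwise every boundary that applies (permissions boundary, SCP)
       must also Allow; a boundary never grants anything on its own."""
    boundaries = {"permissions boundary": boundary, "SCP": scp}
    applicable = list(identity_policies) + [p for p in boundaries.values() if p]
    if any(policy_effect(p, action, resource) == "Deny" for p in applicable):
        return "explicit deny"
    if not any(policy_effect(p, action, resource) == "Allow" for p in identity_policies):
        return "implicit deny (no identity policy allows it)"
    for name, doc in boundaries.items():
        if doc is not None and policy_effect(doc, action, resource) != "Allow":
            return f"implicit deny (outside the {name})"
    return "allow"


# Constructed sample documents (not from the page).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
                     ("iam:CreateUser", "arn:aws:iam::123456789012:user/bob"),
                     ("s3:DeleteBucket", "arn:aws:s3:::app-bucket"),
                     ("ec2:DescribeInstances", "*")]:
        print(f"{act:22} {res:45} -> {evaluate(act, res, [IDENTITY], BOUNDARY, SCP)}")
```

Note the iam:CreateUser case: the identity policy allows iam:*, but the permissions boundary never mentions IAM, so the request is implicitly denied; that is the whole point of a boundary, and it is the case candidates most often get wrong.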


Create a multi-account setup with web servers running on EC2 instances as well as web services running through API Gateway, Lambda and S3.

Use CloudFront, WAF, Shield. Install CloudWatch Logging agents on a few EC2 instances, consolidate logs in a central account, implement log file validation (extra credit — write a script to actually validate files based off events when new file is posted).

Grant one account read and read/write access to another account’s S3 buckets using IAM roles.

Protect your EC2 instances with a homegrown proxy (install Squid or something), give them internet access and use NACLs and security groups to open a finite set of ports and restrict some IPs (use a VPN for testing).

Apply Service Control Policies through the organization (as examples, restrict regions or mandate S3 encryption. They can be found here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html). Do this every day of the week before your exam and recite the script in your sleep the day of the exam :)

Do all of this in CloudFormation and Terraform

– from Chiradeep Chhaya

Add an inbound rule to an existing AWS Security Group using the CLI (the group itself comes from aws ec2 create-security-group, which prints its GroupId):

    # $AWS_GROUP is the id suffix of the group; $IP/$CIDR is the only source range that needs access.
    # Keep the port range as narrow as the workload needs (a single port such as 22 is typical).
    aws ec2 authorize-security-group-ingress --group-id "sg-$AWS_GROUP" \
       --ip-permissions FromPort=10,ToPort=23,IpProtocol=tcp,IpRanges="[{CidrIp=$IP/$CIDR}]"

Hardening before creating AMI:

  • Remove SSH authorized_keys files (for every user, including root) so the image does not ship with your key pair
  • Remove and disable passwords for all user accounts
  • Securely delete shell history and any system log files containing sensitive data (rm only unlinks the file; shred overwrites it first), e.g.: find /root /home -maxdepth 2 -name '.*history' -type f -exec shred -u {} \;
  • Clear event logs

Amazon/AWS Products

AWS Firewall Manager

etc. to simplify WAF admin across accounts.

Security Hub


Amazon Inspector for EC2

Runs vulnerability assessments (on a schedule, e.g. weekly) of EC2 hosts and their network reachability, based on assessment templates (rules packages plus a duration) applied to assessment targets (instances selected by tag).

  1. Install the agent on each target instance using your key pair (verify the installer’s signature first, as the Inspector docs describe, before running it as root):

    ssh -i awsgm.pem ec2-user@ec2-12-345-456-444.compute-1.amazonaws.com
    wget https://inspector-agent.amazonaws.com/linux/latest/install
    sudo bash install
  2. Run the assessment using the service-linked role, collecting for an hour.

Findings are listed by severity.

Generate a report, which includes results against the “CIS Benchmarks” rules package.

AWS Trusted Advisor

5 categories for AWS accounts:

  • FREE Security (MFA, ports)
  • FREE Service Limits (Auto Scaling)

  • Cost optimization (upgrade)
  • Performance
  • Fault Tolerance

COURSE: Qwiklabs.com “Auditing Your Security with AWS Trusted Advisor”

AWS Organizations

Account management service to consolidate accounts.

Amazon Macie

VIDEO Makes use of Machine Learning technology developed within Amazon.

Identifies and classifies sensitive data such as PII (Personally Identifiable Information) stored in S3, by content type, using managed data identifiers and custom regex.

Issues risk findings by bucket and location.

AWS Config

Get Started: Settings, Rules, Review.

Rules can be set up, and resources found non-compliant with a rule can be remediated automatically by a Lambda function.

Recorder Snapshot of current configs.

Config items with history.

Config stream automatically updated (notifies SNS)

AWS Config logs

VPC Flow Logs


  1. VPC
  2. Your VPCs
  3. Create Flow Log
  4. Filter All
  5. Destination Log Group
  6. IAM Role
  7. Security Rules
Default (version 2) record format, one record per line, space-separated fields:

  Field         Example                 Description
  version       2                       Version of the flow log format
  account-id    123456789012            AWS account ID
  interface-id  eni-081b2cff388ebbea33  Network interface (ENI) the traffic was recorded on
  srcaddr                               Source IP address
  dstaddr                               Destination IP address
  srcport       8080                    Origin (source) port
  dstport       3398                    Destination port
  protocol                              IANA protocol number (6 = TCP, 17 = UDP)
  packets                               Packets transferred during the window
  bytes                                 Bytes transferred during the window
  start         158251432               Start of the capture window (Unix epoch seconds)
  end           158251812               End of the capture window
  action                                ACCEPT or REJECT (decided by Security Groups and NACLs)
  log-status    OK                      OK, NODATA (no traffic in the window) or SKIPDATA (records dropped)
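Parsing records in that default format and running two simple detections over them, as an added example (not from the page or from AWS): a source address that is REJECTed on many distinct destination ports within one window (port-scan pattern), and ACCEPTed SSH/RDP from outside the VPC. The log lines are constructed to match the field order above; 10.0.0.0/16 as the VPC CIDR, the five-port threshold and the admin-port list are assumptions.

```python
"""Parse VPC Flow Log records (default version-2 format) and run two
detections over them. Added example for this page, not AWS code. The sample
lines are constructed; the NODATA line shows the '-' placeholders that AWS
writes when a window has no traffic."""
from collections import defaultdict
import ipaddress

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_log(text):
    """Return one dict per usable record. Records whose log-status is NODATA or
    SKIPDATA carry '-' instead of traffic fields and are skipped; lines that do
    not have the 14 default fields (custom formats) are skipped too."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_port_scans(records, min_ports=5):
    """Sources REJECTed on at least min_ports distinct destination ports:
    {srcaddr: sorted list of ports}."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_external_admin_access(records, vpc_cidr, admin_ports=(22, 3389)):
    """ACCEPTed TCP flows to SSH/RDP whose source lies outside vpc_cidr,
    as sorted (srcaddr, dstaddr, dstport) tuples."""
    net = ipaddress.ip_network(vpc_cidr)
    hits = set()
    for rec in records:
        if (rec["action"] == "ACCEPT" and rec["protocol"] == 6
                and rec["dstport"] in admin_ports
                and ipaddress.ip_address(rec["srcaddr"]) not in net):
            hits.add((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return sorted(hits)


# Constructed sample (not real traffic): one external host probing five ports,
# one external SSH login that was ACCEPTed, internal traffic, and a NODATA window.
SAMPLE = """\
2 123456789012 eni-081b2cff388ebbea33 203.0.113.9 10.0.1.15 51432 22 6 4 240 1582514320 1582514380 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 203.0.113.9 10.0.1.15 51433 23 6 4 240 1582514320 1582514380 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 203.0.113.9 10.0.1.15 51434 80 6 4 240 1582514320 1582514380 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 203.0.113.9 10.0.1.15 51435 443 6 4 240 1582514320 1582514380 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 203.0.113.9 10.0.1.15 51436 3389 6 4 240 1582514320 1582514380 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 198.51.100.7 10.0.1.15 40222 22 6 20 3300 1582514320 1582514380 ACCEPT OK
2 123456789012 eni-081b2cff388ebbea33 10.0.2.8 10.0.1.15 40300 22 6 12 1800 1582514320 1582514380 ACCEPT OK
2 123456789012 eni-081b2cff388ebbea33 10.0.1.15 10.0.2.8 443 55000 6 12 1800 1582514320 1582514380 ACCEPT OK
2 123456789012 eni-081b2cff388ebbea33 - - - - - - - 1582514320 1582514380 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE)
    print("port scans:", find_port_scans(recs))
    print("external admin access:", find_external_admin_access(recs, "10.0.0.0/16"))
```

The same queries are what you would express in Athena over the flow-log bucket (GROUP BY srcaddr, COUNT(DISTINCT dstport) for the scan; a WHERE on action, dstport and srcaddr for the admin-access case); doing it in code first makes the thresholds easy to tune on a captured sample before committing them to a rule.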

Amazon GuardDuty

Identifies findings by using machine learning, anomaly detection and threat-intelligence feeds to analyze:

  • DNS logs (domains queried from your VPCs, e.g. known command-and-control hosts)
  • VPC Flow Logs (network traffic)
  • CloudTrail management events (API calls, including console sign-in attempts)
  • CloudTrail S3 data events (object-level access)

You do not have to enable these logs yourself; GuardDuty reads them from an independent stream.

Findings are also emitted as events to Amazon EventBridge (formerly CloudWatch Events), where rules can:

  • Send notifications to SNS
  • Invoke a Lambda function for automated remediation

Enable it for a 30-day free trial. Generate sample findings to exercise your rules, and maintain Trusted IP lists (suppresses findings for your own public IPs). Add member accounts so findings aggregate in one administrator account.
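What the Lambda target of such an EventBridge rule does with a finding, as an added example (not AWS code and not from the page): check the event envelope, bucket the severity, pull out the affected resource and choose a response. The two events below are constructed in the shape EventBridge delivers (source aws.guardduty, detail-type “GuardDuty Finding”, the finding itself under detail); the chosen actions are returned as strings rather than executed, since a real handler would call the EC2 and IAM APIs with credentials this example does not have.

```python
"""Triage a GuardDuty finding delivered through EventBridge the way a response
Lambda would. Added example for this page, not AWS code. Remediation actions
are only named, not executed."""


def severity_label(severity):
    """GuardDuty severity is a number from 0.1 to 8.9:
    Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def affected_resource(finding):
    """(resourceType, identifier) for the two resource types findings target."""
    res = finding["resource"]
    rtype = res["resourceType"]
    if rtype == "Instance":
        return rtype, res["instanceDetails"]["instanceId"]
    if rtype == "AccessKey":
        return rtype, res["accessKeyDetails"]["accessKeyId"]
    return rtype, None


def triage(event):
    """Decide what to do with one EventBridge event carrying a finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    level = severity_label(float(finding["severity"]))
    rtype, rid = affected_resource(finding)
    # Finding types read ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism
    threat_purpose = finding["type"].split(":", 1)[0]
    if level == "HIGH" and rtype == "Instance":
        action = f"isolate-instance {rid}"       # swap in a quarantine SG, snapshot for forensics
    elif level == "HIGH" and rtype == "AccessKey":
        action = f"deactivate-access-key {rid}"  # then rotate, and trace its use in CloudTrail
    elif level == "MEDIUM":
        action = "notify-sns"
    else:
        action = "log-only"
    return {"severity": level, "threat_purpose": threat_purpose, "finding_type": finding["type"],
            "resource_type": rtype, "resource_id": rid, "action": action}


# Constructed events (not real findings), shaped like the EventBridge envelope.
EXFIL_EVENT = {
    "version": "0", "id": "3a1c0f6e-4d2b-4e1a-9c7f-2b8e5d6a1f00",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "severity": 8,
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLE000000001",
                                          "userType": "AssumedRole", "userName": "i-0abc123def456"}},
    },
}
PROBE_EVENT = {
    "version": "0", "id": "9b7d2e11-0c4f-4a33-8d2e-7f6a5b4c3d21",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc123def456"}},
    },
}

if __name__ == "__main__":
    for event in (EXFIL_EVENT, PROBE_EVENT):
        print(triage(event))
```

The envelope check matters: one EventBridge rule often fans several event types into the same function, and a handler that reads detail.severity from a Security Hub or Config event will misfire quietly.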

Amazon Detective

New in 2020, Amazon Detective enables an Org management Administrator to delegate a Detective Administrator account for the org. Administrator to invite members (even outside the org) to contribute data.

Detective provides visualizations (with machine learning and statistical analysis) to interactively explore and trace through time-based findings from GuardDuty:

  • login attempts
  • API calls (from CloudTrail)
  • Network Traffic (VPC flows)

Detective is classified as a Security Investigation service.

Abuse Notice


Key Management

PDF: AWS Key Management Service Best Practices

KMS options:

  • API commands (Encrypt, Decrypt, ReEncrypt, GenerateDataKey for envelope encryption)
  • CMK – AWS created vs Imported
  • How to enforce annual rotation of keys

Difference between CloudTrail (records API calls) and CloudWatch (metrics, logs, alarms)

SSL communication from on-premise to ec2 including how legacy applications communicate when changing from an ELB to ALB.

S3 access

S3 bucket ACLs, but know the difference between an ACL and a bucket policy; cross-account access to S3


How to regain access to an EC2 or change the key pair if they’ve been compromised

How does AWS WAF and Shield work

When and why should you implement a proxy server

Network Access Control List (Stateless) vs Security Groups (SG’s are stateful)

AWS Organizations – including Service Control Policies and enforcements


CloudFront OAI (Origin Access Identity) to reach a private S3 origin

Think static website or content

AWS Athena and viewing VPC flow logs

Query the VPC flow logs

VPC flow logs – How can you automate or make sure VPC flow logs are enabled (Hint: AWS Config & Lambda)

Troubleshooting Why some instances are writing logs to Cloudwatch and others aren’t or they stopped after a period of time

Data in Transit



Only HTTP, not UDP protocol.

Read the intro to AWS Security Processes

  • Confidentiality (MFA)
  • Integrity (Cert Manager, IAM, Bucket policies)
  • Availability (Multi-AZ, Auto-scaling)

IAM Policies

  1. On the AWS console, Search “IAM” and click “IAM” from the search results for the IAM dashboard.

  2. Click “Policies” under “Access management” from the left sidebar.

  3. Click the “Create policy” button for the Create Policy page.

  4. Click the “JSON” tab.

  5. In a browser tab to the GitHub, get an applicable sample IAM Policy JSON to copy from:


  6. In the editor window, paste the sample JSON IAM policy.

    IAM Policy JSON statements

    IAM Policy JSON statements can consist of these components:

    • Effect: either Allow or Deny for the associated actions.

    • Action: lists actions to be allowed or denied.

    • Resource: lists resources to perform specified actions.

    • Condition: lists additional restrictions regarding when a policy can be in effect.

    Types of IAM policies:

    • AWS managed policies
    • Customer managed policies (created by an administrator)
    • Inline policies
    • S3 Bucket policies

  7. Click the “Next: Tags” button.

  8. In many enterprises, “Add tags” is not optional: tags specify the cost center to charge.

  9. Click the “Next: Review” button.

  10. Name the policy according to your enterprise naming conventions, then click the “Create policy” button.

  11. PROTIP: For those using RBAC, select a pre-defined user group rather than creating a new one.

  12. Attach the policy to define the required access to that group.
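Before pasting a sample policy in step 6 and attaching it in step 12, it is worth linting it for the least-privilege problems reviewers look for. Here is such a check as an added example written for this page (not AWS code or an AWS tool). The rules are heuristics and assumptions of this example: Deny statements are skipped because a “*” belongs there, and Resource “*” is accepted for read-only actions (Describe*/List*/Get*/Head*), which for many services cannot be scoped any finer. The two policy documents are constructed.

```python
"""Lint an IAM policy document for least-privilege problems before creating it.
Added example for this page, not AWS code. Findings are heuristics."""

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """'ec2:DescribeInstances' -> True; 's3:*' and 'iam:PassRole' -> False."""
    name = action.split(":", 1)[-1]
    return name.startswith(READ_ONLY_PREFIXES)


def lint_policy(doc):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version: use 2012-10-17 (the older version lacks policy variables)")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        where = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # wildcards in a Deny narrow access, which is fine
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: Allow with NotAction/NotResource grants everything not listed")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{where}: Action '*' is full administrative access")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"{where}: service-wide action '{action}'")
        mutating = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and mutating:
            findings.append(f"{where}: Resource '*' with mutating actions {mutating}")
        if any(a.lower() == "iam:passrole" for a in actions) and "*" in resources:
            findings.append(f"{where}: iam:PassRole on every role lets the caller borrow any role's permissions")
    return findings


# Constructed sample documents (not from the page).
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["logs:Describe*", "logs:Get*"], "Resource": "*"},
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "ProtectTrail", "Effect": "Deny",
         "Action": "cloudtrail:*", "Resource": "*"},
    ],
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["logs:Describe*", "logs:Get*"], "Resource": "*"},
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::app-bucket/releases/*"},
        {"Sid": "PassDeployRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-deploy",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("OVERLY_BROAD", OVERLY_BROAD), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        print(name, lint_policy(doc) or ["no findings"])
```

The Deny statement in the first document is left alone on purpose: a Deny on cloudtrail:* for everything is exactly how you stop a compromised identity from switching the trail off.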

Create an IAM Group and Add a User

A user group is a collection of IAM users. User groups are used to specify permissions to a collection of users. Groups simplify permission management by letting us grant, change, and remove permissions for multiple users simultaneously.

In this task, we’ll create a user group and attach an IAM identity-based policy. Then, we’ll create an IAM user and add it to our user group, giving it the same set of permissions defined by the policy.

After the completion of this task, the provisioned infrastructure would be similar to the one shown in the figure below:

Architecture diagram

Let’s create a user group on IAM and attach the pre-created policy to it:

Search “IAM” on the AWS console and click “IAM” from the search results. This takes us to the IAM dashboard.

Click “User groups” under “Access management” from the left sidebar.

Click the “Create group” button to create a new user group.

Name the group IAMLabGroup.

Scroll down to the “Attach permissions policies - Optional” section and search for the IAMLabPolicy policy using the search bar.

Select the IAMLabPolicy policy and click the “Create group” button.

With that, we’ve successfully created a user group with the IAMLabPolicy policy attached. Any users added to this group will have the same policy attached to them.

Now, let’s create an IAM user and add it to the IAMLabGroup group by following the given steps:

Click “Users” under “Access management” from the left sidebar. This takes us to a list of all available users in our account.

Click the “Add users” button to create a new user.

Name the user IAMLabUser.

Check the “Provide user access to the AWS Management Console - optional” option.

For “Console password”, we can either select the “Autogenerated password” option or the “Custom password” option and set a password of our choice. We’ll select the “Autogenerated password” option.

Uncheck the “Users must create a new password at next sign-in (recommended).” option and click the “Next” button.

On the “Set permissions” page, select the “Add user to group” option from the “Permissions options” section.

Search for the IAMLabGroup using the search bar in the “User groups” section.

Select IAMLabGroup and click the “Next” button.

On the “Review and create” page, click the “Create user” button.

We’ll now see the “Console sign-in details.” Copy the “Console sign-in URL”, “User name”, and “Console password”, and keep them safe or download the credentials by clicking the “Download .csv file” button.

Click the “Return to users list” button.

We’ve now created a new user and added it to the IAMLabGroup group. Any users within this group will automatically have the IAMLabPolicy policy attached to them.

Now, let’s log in as the new user we’ve just created. Follow the given steps to proceed:

Open a new incognito window and use that to log in as IAMLabUser without logging out from your current AWS session. We are using a new incognito window because we can’t have multiple AWS sessions running on the same browser.

Navigate to the “Console sign-in URL” we copied in the previous step. This takes us to the AWS console sign-in page with the account ID already entered.

Enter IAMLabUser for “IAM user name.”

Enter the “Console password” that we copied in the last step for “Password.”

Click the “Sign in” button to log in to the console.

We’ve successfully signed in as the IAMLabUser user. We’ll set up the rest of the infrastructure using this newly created user.

https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS_Certified_Security_Specialty_Exam_Guide_v1.5.pdf Exam Blueprint



AWS is responsible for the underlying infrastructure (data center facilities, networking, hardware, host OS and virtualization); how much of the rest is yours depends on the service type:

  • Infrastructure services (EC2, EBS, VPC): you manage the guest OS and everything above it
  • Container services (RDS for MySQL, EMR, Elastic Beanstalk): AWS manages the platform, you manage data and access
  • Abstracted services accessed via APIs (S3, Glacier, SQS, SES): AWS manages everything below the API

Controls: Visibility (AWS Config)

Auditability, Controllability (KMS, HSM FIPS-140-2 compliance dedicated hw), Agility (adapt to changes Cloud Formation, Elastic Beanstalk)

Automation (OpsWorks, CodeDeploy)


https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_management_console_access.html https://github.com/coinbase/assume-role

AWS Artifact is a no-cost self-service portal to AWS’ compliance reports such as SOC2.

Blog articles

  • https://jayendrapatil.com/aws-certification-security-identity-services-cheat-sheet/ Cheat Sheet

  • https://www.netenrich.com/2019/01/aws-certified-security-specialty-exam-tips/

  • https://medium.com/@cbchhaya/aws-certified-security-specialty-scs-c01-4b8a62d3c680 suggests 4 months of preparation using a 4-account setup, with accounts both attached to and detached from AWS Organizations.

Do you really know this stuff? Take the practice test For the AWS Certified Security – Specialty SCS-C01

Social Twitter Feeds:

  • @awscloud
  • @awssecurityinfo
  • @awsidentity

More on Security

This is one of a series on Security in DevSecOps:

  1. Security actions for teamwork and SLSA
  2. DevSecOps

  3. Code Signing on macOS
  4. Transport Layer Security

  5. Git Signing
  6. GitHub Data Security
  7. Encrypt all the things

  8. Azure Security-focus Cloud Onramp
  9. Azure Networking

  10. AWS Onboarding
  11. AWS Security (certification exam)
  12. AWS IAM (Identity and Access Management)
  13. AWS Networking

  14. SIEM (Security Information and Event Management)
  15. Intrusion Detection Systems (Google/Palo Alto)
  16. Chaos Engineering

  17. SOC2
  18. FedRAMP
  19. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  20. AKeyless cloud vault
  21. Hashicorp Vault
  22. Hashicorp Terraform
  23. OPA (Open Policy Agent)

  24. SonarQube
  25. WebGoat known insecure PHP app and vulnerability scanners
  26. Test for OWASP using ZAP on the Broken Web App

  27. Security certifications
  28. Details about Cyber Security

  29. Quantum Supremacy can break encryption in minutes
  30. Pen Testing
  31. Kali Linux

  32. Threat Modeling
  33. WebGoat (deliberately insecure Java app)