kiquetal/aws-security-speciality-2026

GitHub: kiquetal/aws-security-speciality-2026

A structured, deep-dive study environment built for the AWS Certified Security - Specialty (SCS-C03) exam, containing FAQ notes, architecture diagrams, policy examples and hands-on labs.

Stars: 0 | Forks: 0

# AWS Certified Security - Specialty (SCS-C03) Study Repository

A structured, depth-first study environment for the **AWS Certified Security - Specialty (SCS-C03)** exam. Built for senior engineers who prefer architecture diagrams and hands-on labs to long-form prose.

## Table of Contents

- [Exam Snapshot](#exam-snapshot)
- [Domain Weights](#domain-weights)
- [Repository Structure](#repository-structure)
- [Study Approach](#study-approach)
- [What's New in SCS-C03 (vs C02)](#whats-new-in-scs-c03-vs-c02)
- [IAM Policy Conventions](#iam-policy-conventions)
- [Getting Started](#getting-started)

## Exam Snapshot

| Detail | Value |
|--------|-------|
| **Exam** | SCS-C03 (current version as of December 2025) |
| **Duration** | 170 minutes, 65 questions (50 scored) |
| **Passing score** | 750 / 1000 |
| **Question types** | Multiple choice, multiple response, ordering, matching |
| **Cost** | $300 USD |

## Domain Weights

| Domain | Weight | Study Weeks |
|--------|--------|-------------|
| D4: Identity and Access Management | 20% | 1–2 |
| D5: Data Protection | 18% | 3–4 |
| D3: Infrastructure Security | 18% | 5–6 |
| D1: Detection | 16% | 7–8 |
| D2: Incident Response | 14% | 9 |
| D6: Governance | 14% | 10 |

Strategy: attack the heaviest-weighted domains first, then use weeks 11–12 for cross-domain review. See [`study-plan.md`](study-plan.md) for the full progress tracker.

## Repository Structure

```
.
├── study-plan.md                  # Weekly progress tracker (⬜/✅)
├── blueprint.md                   # Full SCS-C03 exam blueprint with task statements
│
├── notes/                         # FAQ-style deep dives per service/topic
│   ├── faq-iam.md                 # IAM fundamentals
│   ├── faq-sts.md                 # STS, AssumeRole, cross-account
│   ├── faq-iam-identity-center.md # Workforce SSO
│   ├── faq-cognito.md             # Customer-facing auth
│   ├── faq-kms.md                 # Key types, grants, rotation matrix
│   ├── faq-s3.md                  # Encryption, bucket policies, access points
│   ├── faq-secrets-manager.md     # Rotation, managed vs custom
│   ├── faq-guardduty.md           # Threat detection, protection plans
│   ├── faq-cloudtrail.md          # Event types, Lake vs S3+Athena, selectors
│   ├── faq-waf-shield.md          # WAF rules, Shield Advanced
│   ├── faq-network-firewall.md    # IDS/IPS, Suricata, stateful rules
│   ├── faq-route53-resolver.md    # DNS Firewall, Resolver Query Logs
│   ├── faq-cloudfront-oac.md      # OAC vs OAI, SSE-KMS integration
│   ├── faq-session-manager.md     # No-SSH admin access, logging layers
│   ├── faq-organizations.md       # SCPs, account structure
│   ├── faq-rcp.md                 # Resource Control Policies (new in C03)
│   ├── faq-ram-vs-rcp.md          # RAM sharing vs RCP restricting
│   ├── faq-security-services-comparison.md # GuardDuty vs Macie vs Inspector vs Config
│   ├── security-services-map.md   # Full detection → aggregation → response pipeline
│   ├── policy-layers-reference.md # The 5 gates: SCP → RCP → boundary → identity → resource
│   ├── iam-overview.md            # IAM core concepts overview
│   ├── attack-roadmap.md          # Depth-first study order by difficulty tier
│   ├── new-must-know-for-c03.md   # 7 topics with no C02 precedent
│   ├── scs-c03-appendix-b-changes.md # C02 → C03 recategorization analysis
│   └── question-tracker.md        # Every question attempted, scores, weak areas
│
├── diagrams/                      # Mermaid source (.mmd) + rendered PNGs
│   ├── policy-evaluation-with-rcps.*
│   ├── iam-policy-evaluation-boundaries.*
│   ├── iam-roles-sequence.png
│   ├── security-services-comparison.*
│   ├── security-services-complete-map.*
│   ├── cross-account-s3-kms.*
│   ├── kms-grants-cross-account.*
│   ├── cloudfront-oac.*
│   ├── session-manager-logging.*
│   ├── session-manager-vpc-endpoints.*
│   ├── route53-dns-firewall.*
│   └── study-plan-gantt.png
│
├── examples/                      # Production-ready policy JSON + CLI examples
│   ├── index.md                   # Examples organized by domain
│   ├── iam-policy-examples.md     # Identity, resource, boundary, SCP, trust, RCP policies
│   └── cross-account-s3-kms.md    # Three-policy cross-account pattern
│
├── labs/                          # Hands-on challenges (Terraform/CLI)
│   └── iam-s3-readonly-challenge/ # S3 read-only + IP restriction lab
│
└── aws-incident-response-demonstrated-microcredential/
    └── README.md                  # Separate IR microcredential prep
```

## Study Approach

Each week follows the same rhythm:

1. **FAQ notes** — encryption, logging, IAM permissions, quotas, exam traps (skip basic definitions)
2. **Mermaid diagrams** — architecture flows for the key patterns
3. **Hands-on lab** — complete the Terraform/CLI challenge in a sandbox account
4. **Scenario quiz** — 10+ exam-style questions per domain
5. **Review** — update [`question-tracker.md`](notes/question-tracker.md) and close the knowledge gaps

A week counts as done when the FAQ notes are complete, ≥1 diagram has been created, ≥1 lab has been finished, the quiz score is ≥80%, and weak areas have been logged.

## What's New in SCS-C03 (vs C02)

These 7 topics have no precedent in C02, so question writers use them as discriminators:

| # | Topic | Task | Status |
|---|-------|------|--------|
| 1 | Resource Control Policies (RCPs) | 6.1 | ✅ Deep dive |
| 2 | GenAI OWASP Top 10 | 3.2.7 | ❌ Needs FAQ |
| 3 | OCSF / Security Lake | 3.1.4 | ❌ Needs FAQ |
| 4 | Data masking (CloudWatch Logs + SNS) | 5.3.4 | ❌ Needs FAQ |
| 5 | Nitro inter-instance encryption | 5.1.3 | ❌ Needs FAQ |
| 6 | Imported key material differences | 5.3.3 | ✅ Deep dive |
| 7 | Multi-Region Keys + Private CA | 5.3.5 | ❌ Needs FAQ |

See [`notes/new-must-know-for-c03.md`](notes/new-must-know-for-c03.md) and [`notes/scs-c03-appendix-b-changes.md`](notes/scs-c03-appendix-b-changes.md) for the full analysis.

## IAM Policy Conventions

Every policy in this repository follows exam best practice:

- `"Version": "2012-10-17"` — always
- Specific actions — never `Action: *`
- Specific resource ARNs — never `Resource: *` for data operations (a few list/describe actions such as `s3:ListAllMyBuckets` only support `*`; keep the exception to those)
- Conditions — `aws:SourceIp`, `aws:MultiFactorAuthPresent`, `aws:PrincipalOrgID`
- Explicit deny as the guardrail
- A `Sid` on every statement

## Getting Started

1. Check your current week in [`study-plan.md`](study-plan.md)
2. Read the matching domain tasks in [`blueprint.md`](blueprint.md)
3. Review the existing notes in `notes/` and identify the gaps
4. Check [`notes/question-tracker.md`](notes/question-tracker.md) for weak areas that need re-testing
5. Follow the weekly rhythm above
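The IAM policy conventions above, as an added example that is not part of this repository: an S3 read-only identity policy in the shape the `iam-s3-readonly-challenge` lab asks for (specific actions, specific ARNs, a `Sid` per statement, and an explicit `Deny` guardrail on `aws:SourceIp`), together with a small linter that checks any policy document against those conventions before it is deployed. The bucket name, the office CIDR and the set of "data-plane" service prefixes are assumptions chosen for illustration.

```python
"""Added example, not the repository's own code: an S3 read-only identity
policy written to the conventions above, plus a linter for those conventions.
Bucket name, CIDR and DATA_PLANE_PREFIXES are hypothetical placeholders."""
import json

BUCKET = "example-study-bucket"   # assumption: placeholder bucket name
OFFICE_CIDR = "203.0.113.0/24"    # assumption: placeholder CIDR (TEST-NET-3)

# Convention-compliant policy: explicit Version, a Sid on every statement,
# specific actions, specific ARNs, and an explicit Deny guardrail on aws:SourceIp.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "AllowGetObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            # Guardrail: deny everything on the bucket from outside the office CIDR.
            # aws:ViaAWSService=false keeps the deny from breaking calls that AWS
            # services make on the principal's behalf, which carry no client IP.
            "Sid": "DenyOutsideOfficeNetwork",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": OFFICE_CIDR},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}

# Counter-example: exactly what the conventions forbid.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Service prefixes whose actions touch data; this set is an assumption of the linter.
DATA_PLANE_PREFIXES = ("s3:", "kms:", "dynamodb:", "secretsmanager:")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return the list of convention violations; an empty list means the policy passes."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append(f"Version must be 2012-10-17, got {policy.get('Version')!r}")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        label = stmt.get("Sid") or f"statement[{i}]"
        if not stmt.get("Sid"):
            problems.append(f"{label}: missing Sid")
        if stmt.get("Effect") != "Allow":
            continue  # wildcard rules target grants; a broad Deny is the guardrail
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            problems.append(f"{label}: Action '*' in an Allow statement")
        data_actions = [a for a in actions if a == "*" or a.startswith(DATA_PLANE_PREFIXES)]
        if data_actions and "*" in resources:
            problems.append(f"{label}: Resource '*' for data actions {data_actions}")
    return problems


def policy_json(policy):
    """Serialise for `aws iam create-policy --policy-document file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, lint_policy(pol) or "OK")
    print(policy_json(READ_ONLY_POLICY))
```

Run it as a pre-commit check over the JSON in `examples/` and it flags the three classic mistakes (`Action: *`, `Resource: *` on data actions, missing `Sid`) before they reach an account. The `aws:ViaAWSService` clause in the Deny is the caveat to remember with `aws:SourceIp`: without it, the guardrail also blocks service-originated requests such as a CloudTrail or Config delivery, which arrive without a client IP.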