{"id":101427,"date":"2026-07-10T18:33:24","date_gmt":"2026-07-10T13:03:24","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=101427"},"modified":"2026-07-10T18:34:33","modified_gmt":"2026-07-10T13:04:33","slug":"aws-security-projects-scs-c03","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/","title":{"rendered":"10 AWS Security Projects SCS-C03 Candidates Should Build"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">If the AWS Certified Security Specialty (SCS-C03) is on your list this year, you probably already work with AWS. The exam is built on that assumption. It is a specialty-level cert, and it tests depth in security across six domains:\u00a0<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Threat detection and incident response<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Logging and monitoring<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Infrastructure security<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Identity and access management<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data protection<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Governance<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Sit with a few practice questions and you will notice that working on AWS security projects is inevitable to pass SCS-C03. Because in the exam, they rarely ask what a service does. They hand you a situation instead.\u00a0 An application is storing unencrypted data. An account is showing unusual API activity. Then they ask what you would do.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">And when you read the four options, all of them look right. KMS does encrypt buckets. Bucket policies do block public access. Macie does find sensitive data. There are no false options to cross out. The only way to pick correctly is to recognise the situation, and you recognise situations you have handled before.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That is the case for hands-on practice, and it is the thinking behind this blog.\u00a0<\/span><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_76 ez-toc-wrap-left counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #ea7e02;color:#ea7e02\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #ea7e02;color:#ea7e02\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#10_AWS_Security_Projects_to_Practice_in_Whizlabs\" >10 AWS Security Projects to Practice in Whizlabs<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Data_protection_Macie_and_KMS\" >Data protection: Macie and KMS<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_1_Discover_sensitive_data_in_S3_with_Amazon_Macie\" >Project 1: Discover sensitive data in S3 with Amazon Macie<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_2_Encrypt_S3_EBS_and_AMIs_with_AWS_KMS\" >Project 2: Encrypt S3, EBS and AMIs with AWS KMS<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Threat_detection_GuardDuty_Inspector2_and_CloudTrail\" >Threat detection: GuardDuty, Inspector2 and CloudTrail<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_3_Detect_threats_across_your_account_with_GuardDuty\" >Project 3: Detect threats across your account with GuardDuty<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_4_Run_continuous_vulnerability_scans_with_Inspector2\" >Project 4: Run continuous vulnerability scans with Inspector2<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_5_Build_an_audit_trail_with_CloudTrail_and_CloudWatch_alerts\" >Project 5: Build an audit trail with CloudTrail and CloudWatch alerts<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Incident_response_Lambda\" >Incident response: Lambda<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_6_Automate_incident_response_with_Lambda\" >Project 6: Automate incident response with Lambda<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Application_security_WAF_and_Secrets_Manager\" >Application security: WAF and Secrets Manager<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_7_Block_real_attacks_with_AWS_WAF\" >Project 7: Block real attacks with AWS WAF<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_8_Handle_credentials_securely_with_Secrets_Manager\" >Project 8: Handle credentials securely with Secrets Manager<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Network_monitoring_VPC_Flow_Logs_and_Athena\" >Network monitoring: VPC Flow Logs and Athena<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_9_Investigate_network_traffic_with_VPC_Flow_Logs_and_Athena\" >Project 9: Investigate network traffic with VPC Flow Logs and Athena<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Compliance_AWS_Config\" >Compliance: AWS Config<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Project_10_Enforce_compliance_automatically_with_AWS_Config\" >Project 10: Enforce compliance automatically with AWS Config<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#How_to_work_through_these\" >How to work through these<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Frequently_Asked_Questions\" >Frequently Asked Questions<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#How_do_I_prepare_for_the_AWS_Security_Specialty_SCS-C03_exam\" >How do I prepare for the AWS Security Specialty (SCS-C03) exam?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#How_much_hands-on_practice_do_I_need_for_SCS-C03\" >How much hands-on practice do I need for SCS-C03?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/www.whizlabs.com\/blog\/aws-security-projects-scs-c03\/#Which_AWS_services_should_I_focus_on_for_SCS-C03\" >Which AWS services should I focus on for SCS-C03?<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"10_AWS_Security_Projects_to_Practice_in_Whizlabs\"><\/span><strong>10 AWS Security Projects to Practice in Whizlabs<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Instead of study tips, it gives you ten AWS security projects to build. Each one is a small, real piece of security work a cloud engineer would do: encrypting storage, setting up threat detection, writing WAF rules, automating a response. Together they cover all six exam domains, and each project is tagged with its domain so you can track your coverage as you go.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Data_protection_Macie_and_KMS\"><\/span><b>Data protection: Macie and KMS<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Project_1_Discover_sensitive_data_in_S3_with_Amazon_Macie\"><\/span><strong>Project 1: Discover sensitive data in S3 with Amazon Macie<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Data Protection<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Companies collect a lot of data in S3 over the years. Customer exports, backups, files people uploaded and forgot. Some of it contains names, card numbers or addresses, and usually nobody knows which files. You cannot protect data you have not found.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Macie handles this. It scans S3 buckets using pattern matching and machine learning, and reports what sensitive data it found and where. It also flags risky bucket settings like public access and missing encryption.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-101429 size-large\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-1-5-1024x638.webp\" alt=\"Discover sensitive data in S3 with Amazon Macie\" width=\"1024\" height=\"638\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-1-5-1024x638.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-1-5-300x187.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-1-5-768x478.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-1-5-1536x957.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-1-5-150x93.webp 150w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-1-5.webp 1678w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><b>What you&#8217;ll do in this lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enable Macie for the account<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Build a custom identifier for data patterns specific to your organisation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create and run a Macie scan job on an S3 bucket<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Read the findings<\/span><\/li>\n<\/ul>\n<p><b>In the exam:<\/b><span style=\"font-weight: 400;\"> Macie is the answer when a question involves finding sensitive data at scale. Running one real job makes those questions easy to spot.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/discover-sensitive-data-present-in-s3-bucket-using-amazon-macie\"><span style=\"font-weight: 400;\">Discover sensitive data present in S3 bucket using Amazon Macie<\/span><\/a><span style=\"font-weight: 400;\"> (1 hour)<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Project_2_Encrypt_S3_EBS_and_AMIs_with_AWS_KMS\"><\/span><b>Project 2: Encrypt S3, EBS and AMIs with AWS KMS<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Data Protection<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">AWS Key Management Service (KMS) appears more than any other service on the AWS Security Specialty exam. Every AWS service that stores data uses it for encryption, so a good grasp of KMS covers a large part of the Data Protection domain.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The idea itself is simple. KMS keeps your encryption keys in one place, controls who can use them through key policies, and connects to S3, EBS, RDS and most other storage services. This project covers that whole surface in one sitting.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101430\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-2-5.webp\" alt=\"Encrypt S3, EBS and AMIs with AWS KMS\" width=\"1678\" height=\"1340\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-2-5.webp 1678w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-2-5-300x240.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-2-5-1024x818.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-2-5-768x613.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-2-5-1536x1227.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-2-5-150x120.webp 150w\" sizes=\"(max-width: 1678px) 100vw, 1678px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create a KMS key and enable automatic rotation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Encrypt an S3 bucket and verify objects are encrypted on upload<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Set up cross-region replication for the encrypted bucket<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Encrypt an EBS volume, then an AMI and its snapshots<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Key rotation, key policies, envelope encryption and encrypted replication all get tested, and this project touches each of them. It is mandatory that you build this.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/encrypt-s3-bucket-ebs-volume-and-ami-using-aws-kms\"><span style=\"font-weight: 400;\">Encrypt S3 bucket, EBS Volume and AMI using AWS KMS<\/span><\/a><span style=\"font-weight: 400;\"> (1.5 hours)<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Threat_detection_GuardDuty_Inspector2_and_CloudTrail\"><\/span><b>Threat detection: GuardDuty, Inspector2 and CloudTrail<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Project_3_Detect_threats_across_your_account_with_GuardDuty\"><\/span><b>Project 3: Detect threats across your account with GuardDuty<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Threat Detection and Incident Response<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">GuardDuty is AWS&#8217;s threat detection service. It reads your CloudTrail logs, VPC Flow Logs and DNS logs, and uses threat intelligence and anomaly detection to flag things like unauthorised access attempts, suspicious network activity and account takeovers.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The useful skill here is reading its findings. A finding tells you what happened, which resource was affected and how serious it is, and knowing your way around that format matters more than knowing the feature list.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101431\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-3-4.webp\" alt=\"Detect threats across your account with GuardDuty\" width=\"1678\" height=\"951\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-3-4.webp 1678w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-3-4-300x170.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-3-4-1024x580.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-3-4-768x435.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-3-4-1536x871.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-3-4-150x85.webp 150w\" sizes=\"(max-width: 1678px) 100vw, 1678px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enable GuardDuty on the account<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Explore the console and see where findings live<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Generate sample findings and go through what each one means<\/span><\/li>\n<\/ul>\n<p><b>In the exam:<\/b><span style=\"font-weight: 400;\"> GuardDuty is the default answer for continuous threat detection. Reading real findings for thirty minutes is the fastest way to learn what it does.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/introduction-to-amazon-guardduty\"><span style=\"font-weight: 400;\">Introduction to Amazon GuardDuty<\/span><\/a><span style=\"font-weight: 400;\"> (30 minutes)<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Project_4_Run_continuous_vulnerability_scans_with_Inspector2\"><\/span><b>Project 4: Run continuous vulnerability scans with Inspector2<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Threat Detection and Incident Response<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">GuardDuty looks for threats coming in. Inspector2 looks at your own code and infrastructure. A Lambda function or an EC2 instance can carry a library with a known vulnerability, and that has nothing to do with network security.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Inspector2 scans your EC2 instances, container images and Lambda functions against known vulnerability databases. It returns findings with CVE identifiers and severity ratings, so you know what needs fixing first.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101432\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-4.webp\" alt=\"Run continuous vulnerability scans with Inspector2\" width=\"1678\" height=\"1168\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-4.webp 1678w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-4-300x209.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-4-1024x713.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-4-768x535.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-4-1536x1069.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-4-150x104.webp 150w\" sizes=\"(max-width: 1678px) 100vw, 1678px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Activate Inspector2 on the account<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create a Lambda function with layers<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Trigger the function and let Inspector scan it<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Review the vulnerability findings and severity ratings<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Questions about continuous vulnerability assessment across EC2, ECR or Lambda point to Inspector.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/find-vulnerabilities-on-inspector2-using-lambda-scanning\"><span style=\"font-weight: 400;\">Find vulnerabilities on Inspector2 using Lambda scanning<\/span><\/a><span style=\"font-weight: 400;\"> (1 hour)<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Project_5_Build_an_audit_trail_with_CloudTrail_and_CloudWatch_alerts\"><\/span><b>Project 5: Build an audit trail with CloudTrail and CloudWatch alerts<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Security Logging and Monitoring<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Every action in an AWS account is an API call, and CloudTrail records all of them. Who did what, from where, at what time. That record is what you rely on for security analysis, audits and investigations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Logs on their own only help if someone reads them, so the second part of this project adds alerting. You create metric filters on the logs and connect them to a CloudWatch alarm, so a specific action in the account sends you an alert instead of sitting unread in a bucket.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101433\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-5-1.webp\" alt=\"Build an audit trail with CloudTrail and CloudWatch alerts\" width=\"1678\" height=\"1168\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-5-1.webp 1678w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-5-1-300x209.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-5-1-1024x713.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-5-1-768x535.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-5-1-1536x1069.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-5-1-150x104.webp 150w\" sizes=\"(max-width: 1678px) 100vw, 1678px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure CloudTrail to capture EC2 events and deliver them to an S3 bucket<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open the raw log files and see what an API call looks like on record<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create metric filters on the CloudWatch log group<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Set up an alarm that triggers on a specific action<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Detecting unauthorised access through log analysis comes up repeatedly, and this build is that exact scenario.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/configuring-cloudtrail-logs-for-ec2-events\"><span style=\"font-weight: 400;\">Configuring CloudTrail Logs for EC2 Events<\/span><\/a><span style=\"font-weight: 400;\"> (45 minutes) and <\/span><a href=\"https:\/\/www.whizlabs.com\/labs\/aws-access-control-alerts-with-cloudwatch-and-cloudtrail\"><span style=\"font-weight: 400;\">AWS Access control alerts with CloudWatch and CloudTrail<\/span><\/a><span style=\"font-weight: 400;\"> (1 hour)<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Incident_response_Lambda\"><\/span><b>Incident response: Lambda<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Project_6_Automate_incident_response_with_Lambda\"><\/span><b>Project 6: Automate incident response with Lambda<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Threat Detection and Incident Response<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">When something flags a compromised EC2 instance, the response time matters. If the finding waits in a queue for someone to read it, the instance stays compromised for hours. Automating the first response fixes that.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this project you write a Lambda function that stops and terminates EC2 instances, then trigger it with a test event. This is the basic pattern behind auto-remediation. In production, the trigger would be a GuardDuty finding or a CloudWatch alarm instead of a test event, and the function would isolate the instance in seconds.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101434\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-6.webp\" alt=\"Automate incident response with Lambda\" width=\"1678\" height=\"968\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-6.webp 1678w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-6-300x173.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-6-1024x591.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-6-768x443.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-6-1536x886.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-6-150x87.webp 150w\" sizes=\"(max-width: 1678px) 100vw, 1678px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Launch two EC2 instances<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Write a Lambda function that stops and terminates instances<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Fire a test event and confirm both instances go down<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Verify the state change in the console<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Containment and auto-remediation questions in Domain 1 describe this pattern. Most candidates practise detection and skip response.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/lambda-function-to-shut-down-and-terminate-an-ec2-instance\"><span style=\"font-weight: 400;\">Lambda Function to Shut Down and Terminate an EC2 Instance<\/span><\/a><span style=\"font-weight: 400;\"> (30 minutes)<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Application_security_WAF_and_Secrets_Manager\"><\/span><b>Application security: WAF and Secrets Manager<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Project_7_Block_real_attacks_with_AWS_WAF\"><\/span><b>Project 7: Block real attacks with AWS WAF<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Infrastructure Security<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">A public application receives requests from the whole internet, including automated SQL injection attempts that start within hours of going live. AWS WAF filters those out. You write rules describing what a bad request looks like, attach them to a load balancer or CloudFront distribution, and matching requests never reach your servers.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is the longest project on the list and the closest to production work. You build the full setup, then send bad requests at it yourself and watch them get blocked.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101435\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-7.webp\" alt=\"Block real attacks with AWS WAF\" width=\"1678\" height=\"1116\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-7.webp 1678w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-7-300x200.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-7-1024x681.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-7-768x511.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-7-1536x1022.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-7-150x100.webp 150w\" sizes=\"(max-width: 1678px) 100vw, 1678px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Launch two EC2 instances behind an Application Load Balancer<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create a WAF Web ACL with rules for SQL injection, geo blocking and query strings<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Attach the Web ACL to the load balancer<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Test the load balancer and confirm the blocked requests fail<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Edge protection questions are much easier to reason through once you have written the rules yourself.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/implementing-aws-waf-with-alb-to-block-sql-injection-geo-location-and-query-string\"><span style=\"font-weight: 400;\">Implementing AWS WAF with ALB to block SQL Injection, Geo Location and Query string<\/span><\/a><span style=\"font-weight: 400;\"> (2 hours)<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Project_8_Handle_credentials_securely_with_Secrets_Manager\"><\/span><b>Project 8: Handle credentials securely with Secrets Manager<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Identity and Access Management<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Hardcoded credentials are one of the most common causes of cloud breaches. A key sits in plain text inside a function, the code gets shared or leaked, and whoever finds it has your access. Secrets Manager fixes this at the source. Credentials live encrypted in one managed place, applications fetch them at runtime, and rotation happens without code changes.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This lab has you build the insecure version first, then rebuild it properly. Seeing both versions side by side makes the difference clear.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101436\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-8.webp\" alt=\"Handle credentials securely with Secrets Manager\" width=\"1678\" height=\"1116\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-8.webp 1678w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-8-300x200.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-8-1024x681.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-8-768x511.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-8-1536x1022.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-8-150x100.webp 150w\" sizes=\"(max-width: 1678px) 100vw, 1678px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Write a Lambda function with hardcoded access keys that creates a DynamoDB table<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Store the same credentials in Secrets Manager<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Rebuild the function to fetch credentials from Secrets Manager at runtime<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Confirm both versions work and compare them<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Hardcoded credentials keep appearing as the wrong answer. Building both versions shows you why.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/how-to-retrieve-secrets-stored-in-aws-secrets-manager-with-aws-lambda\"><span style=\"font-weight: 400;\">How to retrieve secrets stored in AWS Secrets Manager with AWS Lambda<\/span><\/a><span style=\"font-weight: 400;\"> (1.25 hours)<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Network_monitoring_VPC_Flow_Logs_and_Athena\"><\/span><b>Network monitoring: VPC Flow Logs and Athena<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Project_9_Investigate_network_traffic_with_VPC_Flow_Logs_and_Athena\"><\/span><b>Project 9: Investigate network traffic with VPC Flow Logs and Athena<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Infrastructure Security<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">VPC Flow Logs record the traffic moving through your network: source, destination, port, and whether it was accepted or rejected. Without them, you have no record of what happened on the network. With them, you can answer questions like what traffic reached a subnet on a given day.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Athena makes the logs usable. It lets you query the log files in S3 with plain SQL, which is much more practical than reading them manually. This is a two-lab build: the first sets up the network and logging, the second sets up the querying.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101437\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-9.webp\" alt=\"Investigate network traffic with VPC Flow Logs and Athena\" width=\"1510\" height=\"985\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-9.webp 1510w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-9-300x196.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-9-1024x668.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-9-768x501.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-9-150x98.webp 150w\" sizes=\"(max-width: 1510px) 100vw, 1510px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create a VPC with an internet gateway and subnet<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enable Flow Logs and launch an EC2 instance to generate traffic<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Point Athena at the logs stored in S3<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Run SQL queries against the traffic data<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Network forensics questions describe traffic you need to trace, and this setup is how you trace it.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/creating-aws-vpc-flow-logs-and-generating-traffic\"><span style=\"font-weight: 400;\">Creating AWS VPC Flow Logs and Generating Traffic<\/span><\/a><span style=\"font-weight: 400;\"> (1 hour) and <\/span><a href=\"https:\/\/www.whizlabs.com\/labs\/query-vpc-flow-log-using-amazon-athena\"><span style=\"font-weight: 400;\">Query VPC Flow log using Amazon Athena<\/span><\/a><span style=\"font-weight: 400;\"> (1 hour)<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Compliance_AWS_Config\"><\/span><b>Compliance: AWS Config<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Project_10_Enforce_compliance_automatically_with_AWS_Config\"><\/span><b>Project 10: Enforce compliance automatically with AWS Config<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><i><span style=\"font-weight: 400;\">Exam domain: Management and Security Governance<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">A compliance check that runs quarterly catches problems a quarter late. AWS Config checks continuously. It records the configuration of your resources, evaluates them against rules you define, and flags anything that drifts out of line as it happens. A security group that opens the wrong port gets reported immediately rather than at the next audit.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this project, you set up Config, define a rule, then create one compliant and one non-compliant security group to watch the evaluation happen.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-101438\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-10.webp\" alt=\"Enforce compliance automatically with AWS Config\" width=\"1510\" height=\"985\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-10.webp 1510w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-10-300x196.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-10-1024x668.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-10-768x501.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Image-10-150x98.webp 150w\" sizes=\"(max-width: 1510px) 100vw, 1510px\" \/><\/p>\n<p><b>What you&#8217;ll do in this hands-on lab:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Set up AWS Config with the one-click option<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create a Config rule<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Build two security groups, one compliant and one not<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Check the compliance status Config reports for each<\/span><\/li>\n<\/ul>\n<p><b>In the exam<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Governance is the domain candidates prepare for least, so these questions are reliable marks if you have done this once.<\/span><\/p>\n<p><b>Build it:<\/b> <a href=\"https:\/\/www.whizlabs.com\/labs\/check-the-compliance-status-of-security-group-using-aws-config\"><span style=\"font-weight: 400;\">Check the Compliance status of Security group using AWS Config<\/span><\/a><span style=\"font-weight: 400;\"> (1 hour)<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_to_work_through_these\"><\/span><b>How to work through these<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">All ten projects together take around 12 hours of lab time. That fits into two weekends, or a couple of weeks of evenings if you do one project a day.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Every one of these SCS-C03 hands-on labs runs inside the Whizlabs environment. You get a live AWS console with permissions already scoped, and nothing is charged to your own account. If you want to experiment beyond the guided steps, the AWS Sandbox gives you an open environment for that.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you are preparing for SCS-C03, the <\/span><a href=\"https:\/\/www.whizlabs.com\/aws-certified-security-specialty\/\"><span style=\"font-weight: 400;\">Whizlabs AWS Certified Security Specialty course<\/span><\/a><span style=\"font-weight: 400;\"> pairs these labs with practice tests, so you can check how much of this is sticking before you book the exam.<\/span><\/p>\n<p><strong>References:<\/strong><br \/>\n<a href=\"https:\/\/docs.aws.amazon.com\/aws-certification\/latest\/security-specialty-03\/security-specialty-03.html\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.aws.amazon.com\/aws-certification\/latest\/security-specialty-03\/security-specialty-03.html<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Frequently_Asked_Questions\"><\/span><b>Frequently Asked Questions<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"How_do_I_prepare_for_the_AWS_Security_Specialty_SCS-C03_exam\"><\/span><b>How do I prepare for the AWS Security Specialty (SCS-C03) exam?<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Combine reading with hands-on practice. The exam is scenario based, so knowing what a service does is not enough, you need to have configured it and seen how it behaves. Work through the ten projects in this blog to cover all six exam domains, then use practice tests to find the gaps that are left.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_much_hands-on_practice_do_I_need_for_SCS-C03\"><\/span><b>How much hands-on practice do I need for SCS-C03?<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The ten projects here take around 12 hours of lab time in total, and that covers every domain on the exam. Spread across two weekends or a couple of weeks of evenings, it is enough hands-on exposure for most candidates, especially alongside practice tests.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Which_AWS_services_should_I_focus_on_for_SCS-C03\"><\/span><b>Which AWS services should I focus on for SCS-C03?<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">KMS is the most heavily tested service on the paper, so start there. After that, GuardDuty, CloudTrail, IAM, WAF, Macie, Inspector, Secrets Manager and AWS Config cover the bulk of scenario questions. Every one of these appears in the projects above.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If the AWS Certified Security Specialty (SCS-C03) is on your list this year, you probably already work with AWS. The exam is built on that assumption. It is a specialty-level cert, and it tests depth in security across six domains:\u00a0 Threat detection and incident response Logging and monitoring Infrastructure security Identity and access management Data protection Governance Sit with a few practice questions and you will notice that working on AWS security projects is inevitable to pass SCS-C03. Because in the exam, they rarely ask what a service does. They hand you a situation instead.\u00a0 An application is storing unencrypted [&hellip;]<\/p>\n","protected":false},"author":448,"featured_media":101428,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4,3343],"tags":[],"class_list":["post-101427","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","category-cybersecurity"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3.webp",1200,628,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-150x150.webp",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-300x157.webp",300,157,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-768x402.webp",768,402,true],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-1024x536.webp",1024,536,true],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3.webp",1200,628,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3.webp",1200,628,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-24x24.webp",24,24,true],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-48x48.webp",48,48,true],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-96x96.webp",96,96,true],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-150x150.webp",150,150,true],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-300x300.webp",300,300,true],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-250x250.webp",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-640x628.webp",640,628,true],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-96x96.webp",96,96,true],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2026\/07\/Blog-Banner-3-150x79.webp",150,79,true]},"uagb_author_info":{"display_name":"Hamsha Vhardhni R","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/hamsha-vhardhni-r\/"},"uagb_comment_info":0,"uagb_excerpt":"If the AWS Certified Security Specialty (SCS-C03) is on your list this year, you probably already work with AWS. The exam is built on that assumption. It is a specialty-level cert, and it tests depth in security across six domains:\u00a0 Threat detection and incident response Logging and monitoring Infrastructure security Identity and access management Data&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/101427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/448"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=101427"}],"version-history":[{"count":8,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/101427\/revisions"}],"predecessor-version":[{"id":101446,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/101427\/revisions\/101446"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/101428"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=101427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=101427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=101427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}