# Content Domain 3: Infrastructure Security
<a name="security-specialty-03-domain3"></a>

**Topics**
+ [Task 3.1: Design, implement, and troubleshoot security controls for network edge services](#security-specialty-03-domain3-task1)
+ [Task 3.2: Design, implement, and troubleshoot security controls for compute workloads](#security-specialty-03-domain3-task2)
+ [Task 3.3: Design and troubleshoot network security controls](#security-specialty-03-domain3-task3)

## Task 3.1: Design, implement, and troubleshoot security controls for network edge services
<a name="security-specialty-03-domain3-task1"></a>

Skills in:
+ Skill 3.1.1: Define and select edge security strategies based on anticipated threats and attacks.
+ Skill 3.1.2: Implement appropriate network edge protection (for example, CloudFront headers, AWS WAF, AWS IoT policies, protecting against OWASP Top 10 threats, Amazon S3 cross-origin resource sharing [CORS], Shield Advanced).
+ Skill 3.1.3: Design and implement AWS edge controls and rules based on requirements (for example, geography, geolocation, rate limiting, client fingerprinting).
+ Skill 3.1.4: Configure integrations with AWS edge services and third-party services (for example, by ingesting data in Open Cybersecurity Schema Framework [OCSF] format, by using third-party WAF rules).

## Task 3.2: Design, implement, and troubleshoot security controls for compute workloads
<a name="security-specialty-03-domain3-task2"></a>

Skills in:
+ Skill 3.2.1: Design and implement hardened Amazon EC2 AMIs and container images to secure compute workloads and embed security controls (for example, Systems Manager, EC2 Image Builder).
+ Skill 3.2.2: Apply instance profiles, service roles, and execution roles appropriately to authorize compute workloads.
+ Skill 3.2.3: Scan compute resources for known vulnerabilities (for example, scan container images and Lambda functions by using Amazon Inspector, monitor compute runtimes by using GuardDuty).
+ Skill 3.2.4: Deploy patches across compute resources to maintain secure and compliant environments by automating update processes and by integrating continuous validation (for example, Systems Manager Patch Manager, Amazon Inspector).
+ Skill 3.2.5: Configure secure administrative access to compute resources (for example, Systems Manager Session Manager, EC2 Instance Connect).
+ Skill 3.2.6: Configure security tools to discover and remediate vulnerabilities within a pipeline (for example, Amazon Q Developer, Amazon CodeGuru Security).
+ Skill 3.2.7: Implement protections and guardrails for generative AI applications (for example, by applying GenAI OWASP Top 10 for LLM Applications protections).

## Task 3.3: Design and troubleshoot network security controls
<a name="security-specialty-03-domain3-task3"></a>

Skills in:
+ Skill 3.3.1: Design and troubleshoot appropriate network controls to permit or prevent network traffic as required (for example, security groups, network ACLs, AWS Network Firewall).
+ Skill 3.3.2: Design secure connectivity between hybrid and multi-cloud networks (for example, AWS Site-to-Site VPN, AWS Direct Connect, MAC Security [MACsec]).
+ Skill 3.3.3: Determine and configure security workload requirements for communication between hybrid environments and AWS (for example, by using AWS Verified Access).
+ Skill 3.3.4: Design network segmentation based on security requirements (for example, north/south and east/west traffic protections, isolated subnets).
+ Skill 3.3.5: Identify unnecessary network access (for example, AWS Verified Access, Network Access Analyzer, Amazon Inspector network reachability findings).