Secure DevOps & CI/CD Pipeline Security (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards

| Front | Back |
|---|---|
| Give an example of a policy engine | OPA |
| Give an example of a shift-left activity | Run static analysis and dependency checks in pre-commit hooks and CI pipelines |
| How do you prevent secrets in code? | Use Secrets Manager or Systems Manager Parameter Store; do not hardcode secrets in repositories |
| How do you ensure provenance of builds? | Record build metadata, sign artifacts, and store provenance in an immutable log |
| How do you handle transient CI credentials? | Issue short-lived credentials and prefer assume-role patterns to reduce long-lived secrets |
| How do you harden build servers? | Patch regularly, restrict network access, minimize installed tools, and run builds as non-root |
| How do you rotate secrets? | Automate rotation using Secrets Manager or scripts and update consumers securely |
| How do you secure Terraform state? | Store state in encrypted remote backends, use IAM controls, and enable state locking |
| How do you secure third-party actions in CI? | Pin versions, review source, and run in restricted environments with limited permissions |
| Name a best practice for container registries | Restrict push access, use immutability, and scan images on push |
| Name a popular IaC scanning tool | tfsec |
| Name an access control best practice for third-party actions | Use dedicated roles, limit scopes, and review action source and permissions |
| Name three ways to secure AWS CodePipeline | Use IAM least privilege, enable artifact encryption with KMS, and enable CloudTrail and CloudWatch logging |
| What does shift-left testing mean? | Move security testing earlier into development, such as local tests, pre-commit hooks, and CI |
| What is a compliance pipeline check? | Automated verification that resources comply with regulatory or internal policies |
| What is a security gate in CI? | An automated check that must pass (such as linting, scanning, tests, or policy evaluation) before promoting artifacts |
| What is an SBOM? | Software Bill of Materials: a list of components and versions used to track vulnerabilities and licenses |
| What is artifact immutability? | Store build outputs as immutable versions to prevent modification after signing |
| What is blue-green deployment? | Maintain two identical environments and switch traffic to the new version after validation |
| What are canary rollback criteria? | Defined metric thresholds, such as error rate, latency, or alarms, that trigger automatic rollback |
| What is container image provenance? | Metadata that links an image to its source code, build, and dependencies for traceability |
| What is dependency scanning? | Automated analysis of libraries to find known vulnerabilities and outdated versions |
| What is deployment canary testing? | Gradual rollout to a subset of users to detect issues before full release |
| What is drift detection? | Compare deployed resources to IaC to find unauthorized or out-of-band changes |
| What is IaC scanning? | Automated scanning of CloudFormation, Terraform, and other templates to find insecure patterns |
| What is image scanning used for? | Detect vulnerable packages, malware, and misconfigurations in container images |
| What is least privilege in pipelines? | Grant the minimum permissions needed to run each pipeline action and resource |
| What is pipeline hardening? | Implement least privilege, restrict access to pipeline resources, encrypt artifacts, and enable logging and auditing |
| What is policy as code? | Define security rules in machine-readable policies and enforce them automatically in CI |
| What is runtime policy for deployments? | Controls applied at deployment time, such as quotas, network policies, and Pod Security Standards |
| What is SBOM use in pipelines? | Generate SBOMs during build to track components and accelerate vulnerability response |
| What is secret scanning? | Automated detection of secrets in source code, history, and commits |
| What is secrets injection? | Runtime retrieval of secrets from a secure store instead of embedding them in builds or containers |
| What is signing of IaC templates? | Apply cryptographic signatures to templates to ensure authenticity before deployment |
| What is SLSA? | An integrity framework for supply chains that defines levels of build provenance and tamper resistance |
| What should you do when a dependency has a CVE? | Evaluate impact; update, patch, or apply mitigations; and redeploy |
| When should you scan container images? | At build time, before deployment, and on a regular basis in registries |
| When should you run SAST in CI? | Early in the pipeline, ideally pre-merge, to detect coding issues before integration |
| Why enable audit logging for CI systems? | To monitor changes, detect unauthorized activity, and support incident investigation |
| Why enforce immutable infrastructure? | Reduce drift, ensure reproducible deployments, and facilitate rollback |
| Why integrate DAST in pipelines? | Find runtime vulnerabilities and misconfigurations in running applications before production |
| Why isolate build environments? | Limit blast radius, prevent cross-project contamination, and ensure clean build artifacts |
| Why perform dependency pinning? | Pin to specific versions to avoid unexpected upgrades and improve reproducible builds |
| Why sign build artifacts? | Ensure provenance, prevent tampering, and enable traceability of production deployments |
| Why use canary analysis tools? | To automate traffic shifting, monitoring, and rollback based on defined health metrics |
| Why use multi-stage builds? | Reduce the final image surface by keeping build tools in a separate stage and copying only runtime artifacts |
| Why validate CloudFormation templates? | To catch syntax errors, insecure resources, and missing properties before deployment |
About the Flashcards
Flashcards for the AWS Certified Security Specialty exam help students review terminology, concepts, and key practices for securing CI/CD pipelines and software supply chains. Cards cover pipeline hardening, least-privilege access, artifact immutability, SBOMs, SLSA levels, and signing for build provenance, plus container image and dependency scanning to detect vulnerabilities.
Additional cards emphasize shift-left testing, SAST and DAST placement, IaC scanning and template signing, Terraform/CloudFormation validation, secure Terraform state, policy as code (OPA), secret injection and rotation, audit logging, security gates in CI, and deployment practices such as canary and blue-green rollouts with rollback criteria.
Topics covered in this flashcard deck:
- Pipeline hardening
- Artifact provenance & signing
- Image and dependency scanning
- Infrastructure as Code
- Secrets and access control
- Deployment strategies & testing