I recently took, and passed, the AWS Certified Security – Specialty exam and wanted to share my experience with others. The exam is designed to test your knowledge of security practices and features on the AWS platform. In this blog post, I will discuss some of the important topics covered in the exam and provide study material references. Additionally, I will share five tips that may help you prepare for the exam.
Before we get started, I would like to mention that passing the AWS Certified Security – Specialty exam requires preparation and/or lots of hands-on experience. The exam covers a wide range of security topics, and it is essential to have a good understanding of AWS security features and services. It is recommended that you have at least two years of experience working with AWS security services before taking this exam.
The AWS Certified Security – Specialty exam covers a broad range of topics, including but not limited to:
- Identity and Access Management (IAM) – IAM is one of the essential AWS services that manage user access to AWS resources. In the exam, you will be tested on IAM policies, roles, and best practices.
- Security Automation – AWS offers several services for automating security tasks, such as AWS Config, AWS CloudFormation, and AWS CloudTrail. Understanding these services is crucial to securing your AWS environment.
- Encryption – AWS offers several encryption services, including Key Management Service (KMS), AWS Certificate Manager, and AWS CloudHSM. You should have a good understanding of encryption concepts and practices to pass the exam.
- Network Security – AWS offers several networking services, such as Amazon VPC, AWS Direct Connect, and AWS VPN. In the exam, you will be tested on how to secure your network infrastructure.
- Incident Response – AWS offers several services for detecting and responding to security incidents, such as AWS GuardDuty, AWS Security Hub, and Amazon Inspector. You should understand how to use these services to respond to security incidents.
The following study materials can help you prepare for the exam:
- Use study courses – You can use ones provides by AWS itself, like AWS Security Fundamentals and AWS Security Services. There are also good thirdpary providers out there like A Cloud Guru and Tutorial Dojo.
- AWS Security Best Practices – This whitepaper covers the best practices for securing your AWS environment. It is a must-read for anyone preparing for the AWS Security Specialty exam.
- AWS Security Blog – The AWS Security Blog is an excellent resource for staying up-to-date with the latest security features and services on the AWS platform.
In my exam I found, somewhat unexpectedly, there was a heavy emphasis on AWS Cloudfront. The questions included more global topics like integration with WAF, but also very specific question about security headers.
Another topic you must really understand is the AWS Key Management Service. You truly understand the mechanics of KMS like, when it’s possible to do automatic key rotation and when it’s not possible. Generating key material in different scenarios. And when to use what type of KMS key depending on the encryption requirement.
Understand IAM User and Bucket Policies. There is a scenario in the exam that describes a company with two Amazon S3 buckets, one with a bucket policy defined that allows/denies access to the IAM user, and the other without a bucket policy defined. Make sure you understand which bucket or buckets the user can access.
There is also a scenario in the exam where there is a problem with the S3 Glacier Vault Lock policy. Make sure you understand the flow of the Vault Lock Policy so you can take the proper course of action to resolve the issue.
Lastly, I have two tips. One for passing the exam and a second tip for those of you who are curious about the exam result.
- Make sure to read properly – There are a couple of scenarios where multiple answers are technically correct. The correct answer will depend details like being the most cost effective. Be very aware this in scenarios where they mention AWS Secrets Manager andAWS Systems Manager Parameter Store.
- Check Exam Results at 5 am Eastern Time – Because of the addition of proctored exams you no longer get the result immediately after taking the exam. AWS takes extra time to check the proctor video streams for potential fraud. As a consequence the exam results are now posted to the AWS training website at 5 am Eastern Time. You will receive the notification a couple of hours later, but you can check your results on the website from 5am ET.