AWS Certified Security - Specialty


Review By: Karthikeyan Venkatraman


Certified: Yes

Expiry Month: 3

Expiry Year: 2023

Time taken to Prepare: 30 Days

Resources Used

  • AWS Exam Readiness (aws.training); acloud.guru; Linux Academy; AWS whitepapers; re:Invent and re:Inforce videos

Detailed Review Of Preparation

I took up the AWS Security Specialty exam on 12th of March 2020, and below are some of my learnings, which I thought could help you prepare better to appear for the exam.

1. AWS work experience will help a lot towards cracking this exam. I have been working with AWS services for 7+ years, and practical experience in working with the services would be of great help. Practical hands-on and troubleshooting experience with services like VPC (Security Groups, NACL, Gateway Endpoints, Flow Logs), IAM, KMS, CloudTrail, AWS Config, CloudWatch (Logs, Events and Metrics), and GuardDuty will bring in a lot of comfort when you appear for the exam.

2. Below are some of the materials that I have referred to:

  • Exam Readiness: AWS Certified Security - Specialty on www.aws.training, which is more of a starter course that I referred to initially to get started. It has some good beginner content with which you would get a basic idea on how the exam has to be approached and the various

  • AWS Certified Security - Specialty 2020 - https://acloud.guru/learn/aws-certified-security-specialty - This helped me gain much-needed knowledge in terms of what is needed to prepare for the exam, and it has good coverage of all the key areas for each of the sections that need to be prepared. The practice exam (mock test) did provide a good feel and the course content was pretty useful. It has extensive details around the whitepapers that have to be referred to for key concepts and the re:Invent videos to be walked through. The team has been trying their best to update their course content as much as possible.

  • AWS Certified Security – Specialty from Linux Academy https://linuxacademy.com/course/aws-certified-security-specialty/ by Adrian Cantrill was really nice. I felt that the quality of the lab sessions and the detailed information for each section were very impressive. The mock test/practice exam was not very impressive for me, but it was a very good revision and an eye-opener in many areas due to the practical sessions.

  • FAQs, re:Invent/re:Inforce videos, whitepapers: as much as you can (KMS, IAM, AWS Config and CloudWatch at the minimum). Some of the whitepaper references around Security Best Practices and DDoS Resiliency, and the re:Invent videos suggested on acloud.guru. I did go through some of the re:Inforce videos out of my own interest (AWS re:Inforce 2019: Encrypting Everything with AWS, etc.).

3. I'm not supposed to reveal any exam questions, but I shall shed some light on areas that need more clarity and understanding, based on the questions that I received, which would help you focus more on some of the areas. (This is based on the questions that I got and it is not limited to the preparation for the exam.)

  • IAM - A solid understanding of Identity-based policies, Resource-based policies, Service Control Policies (with an understanding of AWS Organizations), and Roles and Trust policies, with a clear understanding of STS, is much needed.

  • S3 - Bucket Policies, Events, Encryption at Rest and in Transit, Integration touch points with KMS (understanding of Default Encryption, SSE-S3, SSE-KMS, etc.)

  • CloudTrail, AWS Config and CloudWatch - Data integrity for CloudTrail logs, setting up centralized CloudTrail logs in S3 with a multiple-account setup, Data Events for S3 and Lambda, Config Rules (Managed and Custom rules), Log Streams, pushing custom metrics and operating with CloudWatch Logs agents.

  • KMS - Understanding of key policies (includes cross-account access and using grants, encryption context, etc.), how key policies differ from other policies, understanding of key rotation and envelope encryption, understanding how CloudHSM differs from KMS, and integrating with services such as SSM Parameter Store, EBS, S3, CloudTrail, etc.

  • Troubleshooting (present in almost every section of the exam, as mentioned in the exam blueprint) is something that I feel is a skill that comes from practical hands-on work with the services and going through various scenarios in real time. Hands-on with VPC security groups, NACLs, CloudTrail logs pushed to S3 and IAM policy evaluation are all there in the exam.

  • Automation with services like CloudWatch Events Rules, CloudTrail, Config, SNS, CloudWatch Metric Filters and Lambda was obvious. A good understanding of which service could be used to automate the requirements could help you answer better (CloudTrail or CloudWatch Events or AWS Config).

  • GuardDuty (Centralized Logging, knowing about findings and what this service can and can't offer), WAF (DDoS protection with appropriate rules, integration with ALB and CloudFront), Shield (have some understanding of Firewall Manager as well), ACM (Private CAs, region-based): there were hardly one or two questions associated with all of these services.

4. Be time conscious with the exam. It is 170 minutes and 65 questions. Choose the best answer (you will mostly end up in a dilemma choosing one answer between the final two amongst the four answers), choose the best known one and flag it for review, keep an eye on the time and leave some time to review the flagged ones.

Note: This exam is based on a compensatory scoring model which evaluates for a score of 1000, and 750 is the passing score. If I understood properly from the exam guide, it is not necessary to pass in all individual sections. However, the results will have details on where we need improvement, just in case we have not answered properly in those sections.

All the very best and you will definitely achieve it.


Benefits From Certification

  • Knowledge is Power