I am fresh off the AWS Security Specialty exam for 2021, having successfully sat the exam last week. What a doozy! I have 4 other AWS certifications and, personally, I found this one to be the most challenging. I do practice security in my day-to-day work to ensure I am building secure systems, and I enjoy discussing designs with security professionals, but I'm not in a dedicated security team or SysOps role, so I'm not living and breathing security every day.
In this post I'll give you a rundown of the exam, what you can expect on the day and what materials I used to prepare for it.
As usual, the official AWS doco gives you the best info on the exam. It's basically an exam for security professionals (shocker), so think security in transit and at rest, the shared responsibility model, users, design, access to resources, etc.
AWS recommends 2 years of hands-on experience securing workloads in AWS.
As above, I'm not in a day-to-day security role, but I treat security very seriously and I have more than the 2 years of experience. It's a recommendation, not a requirement; if you're ready, you're ready, so don't let that stop you.
Covid has introduced a little more flexibility with exam testing, and now you can sit the exam in the comfort of your own home. All you need is a computer, internet, a camera and a microphone. Laptops are good for this. I went with Pearson VUE, the same provider I'd have used if I had to go into a physical testing centre.
I already had an account, as I've used them before. One thing I noticed was that there were so many time slots: from what I could see you could basically register and sit the exam the same day, and there were slots every hour or less. This is really cool and incredibly flexible. It means I can book the exam around my work and personal life (you can sit an exam around midnight if you want to).
Even though I've done these types of exams before, I complete the system test before the exam every time. It's just a simulation of the exam software ahead of the actual test, so that you know you're good to go.
Exam day remotely is no different from when you had to go into a physical testing centre. It's the same application, same format, same flow, same flag-for-review feature, etc.
OK, let's get down to it; this is likely why you are here. I'll try to give you as much information as possible, hopefully without overstepping. I'll break it up into sections as best I can. Obviously on the day your mileage may vary, so prep as much as you can or think you need and go for it.
This one seems obvious. Know the AWS services that are related to security: know their names and what they do. This is useful for any AWS exam; I find that many of the questions rely on you knowing how the services fit together, so understanding what each one does is a good step in the right direction.
Tip: Get to know the architecture diagram symbols and create some designs. They don't have to be perfect.
When you provision servers in AWS, remember to think of the shared responsibility model. What part are you responsible for? If you deploy a virtual server, how might you keep it updated using AWS, and how might you check that it is updated? When we talk about updating servers we need to think of scale and automation; you don't want to be manually patching 100 servers. Hopefully that gives you a hint.
Tip: There are great services available in AWS that inspect your systems and provide reports. These types of services are valuable in many situations.
You're going about your business and then all of a sudden there has been a breach. A security incident. What would you do?
- Where are the logs?
- How can you isolate it?
- What services may have detected the incident?
- Did someone use access keys? How can you check, can you disable the keys and how?
- How can you check the state of a policy before and after?
This is where knowing the services comes in handy: you might get asked about protecting data in transit, but it's easy to fall into a trap if you don't know how certain services provide this.
- Different types of encryption
- Load balancers
- Different types of load balancers
Tip: Speaking of load balancers, consider high availability design, multiple EC2 instances, etc.
As per AWS best practice, you are most likely already familiar with how to design secure workloads. You should be familiar with how to design private and public subnets, what might go into each and why.
You should be familiar with VPCs and when to use Direct Connect and/or a VPN and why. Understand that there are other networking services as well, like Transit Gateway and VPC peering.
If you have a bunch of networking floating around your AWS accounts, how might you get a better look at it? Can you turn on additional logging at the VPC level? If you do, where does it go? Can you search it, visualize it, customize it?
Security groups and Network Access Control Lists (NACLs) will more than likely come up. You can't launch an EC2 instance without a security group, and when you think about networks, NACLs are always there (every VPC has a default one). Know the difference between the two and how rule ordering works.
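To make the security group versus NACL difference concrete, here is a small Python model, added here as an illustration rather than anything from the original post or from AWS tooling. The rule numbers, CIDRs and ports are made up. It shows the three things that trip people up: NACL rules are evaluated in ascending number order and the first match wins, NACLs are stateless so the outbound list must allow the client's ephemeral port for replies to get back, and a security group is allow-only and stateful so it needs no return rule.

```python
"""Added example, not from the original post: a toy model of how a NACL and a
security group evaluate the same traffic. Rule numbers, CIDRs and ports are
made up for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One rule. NACL rules carry a number and an action; SG rules are allow-only."""
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"          # "allow" or "deny" (deny exists only on NACLs)
    number: Optional[int] = None   # NACL rule number; lower numbers are evaluated first

    def matches(self, ip: str, port: int) -> bool:
        return (ip_address(ip) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def nacl_decision(rules: List[Rule], ip: str, port: int) -> str:
    """NACL: rules evaluated in ascending number order, first match wins.
    Every NACL ends with an implicit catch-all deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, port):
            return rule.action
    return "deny"


def sg_decision(rules: List[Rule], ip: str, port: int) -> str:
    """Security group: allow-only, order irrelevant, any matching rule allows."""
    return "allow" if any(r.matches(ip, port) for r in rules) else "deny"


def reaches_instance(nacl_in, nacl_out, sg_in, client_ip, client_port, server_port) -> bool:
    """Request/response path for a connection the client initiates.

    Inbound packet: NACL inbound, then SG inbound; both must allow.
    Reply packet: the NACL is stateless, so its outbound rules must allow the
    client's ephemeral port. The SG is stateful and lets the reply out on its own.
    """
    if nacl_decision(nacl_in, client_ip, server_port) != "allow":
        return False
    if sg_decision(sg_in, client_ip, server_port) != "allow":
        return False
    return nacl_decision(nacl_out, client_ip, client_port) == "allow"


# Constructed rule sets.
# Inbound NACL: deny a known-bad range (rule 90) before allowing HTTPS from anywhere (rule 100).
NACL_IN = [Rule("203.0.113.0/24", 0, 65535, "deny", number=90),
           Rule("0.0.0.0/0", 443, 443, "allow", number=100)]
# Same rules with the numbers swapped: rule 100 allows 443 first, so the deny never fires for it.
NACL_IN_WRONG_ORDER = [Rule("203.0.113.0/24", 0, 65535, "deny", number=110),
                       Rule("0.0.0.0/0", 443, 443, "allow", number=100)]
# Outbound NACL must permit the ephemeral range or replies are dropped.
NACL_OUT = [Rule("0.0.0.0/0", 1024, 65535, "allow", number=100)]
# Security group: HTTPS in from anywhere; no outbound rule needed for replies.
SG_IN = [Rule("0.0.0.0/0", 443, 443)]

if __name__ == "__main__":
    print(reaches_instance(NACL_IN, NACL_OUT, SG_IN, "198.51.100.7", 50000, 443))             # True
    print(reaches_instance(NACL_IN, NACL_OUT, SG_IN, "203.0.113.5", 50000, 443))              # False
    print(reaches_instance(NACL_IN_WRONG_ORDER, NACL_OUT, SG_IN, "203.0.113.5", 50000, 443))  # True
    print(reaches_instance(NACL_IN, [], SG_IN, "198.51.100.7", 50000, 443))                   # False
```

The last case is the one that catches people in practice: inbound is wide open, the security group allows the request, and the connection still hangs because the outbound NACL has no rule for the ephemeral ports the client is listening on.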
I wasn't expecting too much of this, well, any to be honest. But as I'm a serverless guy it kinda worked out well for me. Think about a traditional architecture design like a 2-tier web application hosted on virtual servers in AWS. What would that look like if it's a static web site hosted in S3, and what key components can you think of? What would you need to do to secure it, to provide access, to encrypt the communications?
Again, understanding the different services goes a long way here. There is a key difference between being notified of a security event and automating a response to it. If you want to be notified via email or similar in AWS, what would you use? It's more than likely going to be SNS. But think of which services have information related to security: can they be integrated with SNS, and if you want to act on that information, what else could you use?
Knowing how to enable logging in AWS is a big part of security. How do you know what's happening in your account if it's not logged? How do you audit access and activity?
You should be pretty familiar with CloudWatch and CloudTrail. How are they different? What information can you search in each, and can you export it? Can you archive it?
Tip: There are other services that can be used to stream data into AWS and then visualize it.
Tip: AWS Organizations plays a part here: what does logging look like with many accounts?
Hopefully you're not one of those people who creates an AWS account and uses the root user for everything. If you are, stop. Why is that a bad idea, and how might you protect the root user?
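Here is an added Python example (not from the original post) that works through the incident questions above against CloudTrail records: what the root user did, whether a console login used MFA, what a given access key did and how to disable it. The log records, account ID, IP allowlist and access key IDs are constructed for the example in the shape CloudTrail writes to S3. The deactivation command it produces is the real AWS CLI call; nothing here talks to AWS.

```python
"""Added example, not from the original post: triage of CloudTrail records.
All records, IDs and IPs below are constructed; the account ID and access key
IDs are the documentation-style placeholders."""
import json
from typing import Dict, List, Set

# Constructed sample in the shape CloudTrail writes to S3 ({"Records": [...]}), trimmed to
# the fields used here.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-05-01T02:10:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-05-01T02:12:31Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "accountId": "123456789012"}},
    {"eventTime": "2021-05-01T02:12:40Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "accountId": "123456789012"}},
    {"eventTime": "2021-05-01T09:00:05Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "accountId": "123456789012"}},
]})

# Assumption for the example: IPs the team expects traffic from (office, CI runner).
KNOWN_IPS: Set[str] = {"10.0.4.12", "198.51.100.23"}


def load_events(raw: str) -> List[dict]:
    return json.loads(raw)["Records"]


def root_activity(events: List[dict]) -> List[str]:
    """Any sign-in or API call by the root user is worth an alert on its own."""
    return [f'{e["eventTime"]} {e["eventName"]} from {e["sourceIPAddress"]}'
            for e in events if e["userIdentity"].get("type") == "Root"]


def logins_without_mfa(events: List[dict]) -> List[dict]:
    """ConsoleLogin records carry additionalEventData.MFAUsed ("Yes"/"No")."""
    return [e for e in events
            if e["eventName"] == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") == "No"]


def events_for_key(events: List[dict], key_id: str) -> List[dict]:
    """Answer 'what did this access key do?' via userIdentity.accessKeyId."""
    return [e for e in events if e["userIdentity"].get("accessKeyId") == key_id]


def keys_used_from_unknown_ips(events: List[dict]) -> Dict[str, str]:
    """Map accessKeyId -> userName for long-term keys (AKIA...) seen from IPs outside
    KNOWN_IPS. Temporary credentials (ASIA...) need a different response (revoke
    the role session), so they are skipped here."""
    found: Dict[str, str] = {}
    for e in events:
        ident = e["userIdentity"]
        key = ident.get("accessKeyId", "")
        if key.startswith("AKIA") and e["sourceIPAddress"] not in KNOWN_IPS:
            found[key] = ident.get("userName", "?")
    return found


def deactivation_commands(keys: Dict[str, str]) -> List[str]:
    """Containment: deactivate (don't delete) so the key can be examined or restored.
    This is the real AWS CLI subcommand for changing a key's status."""
    return [f"aws iam update-access-key --user-name {user} --access-key-id {key} --status Inactive"
            for key, user in sorted(keys.items())]


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("root activity:", root_activity(evs))
    print("console logins without MFA:", len(logins_without_mfa(evs)))
    print("\n".join(deactivation_commands(keys_used_from_unknown_ips(evs))))
```

In a real account the same questions are answered with CloudTrail Event history or Athena over the CloudTrail bucket; the point of the script is the fields you look at (userIdentity.type, accessKeyId, sourceIPAddress, additionalEventData.MFAUsed) and the order of operations: identify, contain by deactivating, then investigate.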
What are the different concepts inside IAM? What is a role or a group, and how do they differ?
If you're an enterprise customer, how might you want to provide access to AWS? You probably have Active Directory. Can it be connected somehow to IAM?
When it comes to policies, get to know the basics: what IAM policies are, study them, make them, break them. Know the difference between IAM (identity-based) policies and bucket (resource-based) policies.
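To show the difference between an IAM identity policy and a bucket policy, here is an added Python model of how the two combine for a principal in the same account. It is not from the original post and is a simplification of real IAM evaluation: only Action, Resource, Principal and the Bool condition used by aws:SecureTransport are modelled, and cross-account access (which needs an Allow on both sides) is out of scope. The account ID, user names and bucket name are made up. It demonstrates that an explicit Deny in the bucket policy overrides an identity-policy Allow, which is how a "deny non-TLS" bucket policy enforces encryption in transit, and that a bucket policy can grant access to a same-account user who has no identity policy at all.

```python
"""Added example, not from the original post: a simplified same-account model of
IAM identity policy + S3 bucket policy evaluation. Names and IDs are made up."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

ACCOUNT = "123456789012"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
BUCKET = "arn:aws:s3:::example-data"

# Identity-based policy attached to alice. Note: no Principal element.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, f"{BUCKET}/*"]}]}

# Resource-based (bucket) policy. Must name a Principal. First statement denies any
# request not made over TLS; second grants bob read access to objects.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": {"AWS": BOB},
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]}


def _as_list(v) -> list:
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt: dict, principal: str) -> bool:
    p = stmt.get("Principal")
    if p is None:        # identity policy: applies to whoever it is attached to
        return True
    if p == "*":
        return True
    vals = _as_list(p.get("AWS", []))
    return "*" in vals or principal in vals


def _condition_matches(stmt: dict, ctx: Dict[str, str]) -> bool:
    """Only the Bool operator is modelled; that is what aws:SecureTransport uses."""
    for op, kv in stmt.get("Condition", {}).items():
        if op != "Bool":
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, want in kv.items():
            if ctx.get(key, "").lower() != str(want).lower():
                return False
    return True


def statement_applies(stmt: dict, principal: str, action: str, resource: str,
                      ctx: Dict[str, str]) -> bool:
    # Action matching is case-insensitive in IAM; resource matching is case-sensitive.
    return (_principal_matches(stmt, principal)
            and any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt, ctx))


def evaluate(identity_policy: Optional[dict], bucket_policy: Optional[dict],
             principal: str, action: str, resource: str, secure_transport: bool) -> str:
    """Same-account rule of thumb: an explicit Deny anywhere wins; otherwise an Allow
    in either the identity policy or the bucket policy is enough; else implicit deny."""
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    effects: List[str] = []
    for policy in (identity_policy, bucket_policy):
        if policy is None:
            continue
        effects += [s["Effect"] for s in policy["Statement"]
                    if statement_applies(s, principal, action, resource, ctx)]
    if "Deny" in effects:
        return "explicit-deny"
    return "allow" if "Allow" in effects else "implicit-deny"


if __name__ == "__main__":
    obj = f"{BUCKET}/report.csv"
    print(evaluate(IDENTITY_POLICY, BUCKET_POLICY, ALICE, "s3:GetObject", obj, True))   # allow
    print(evaluate(IDENTITY_POLICY, BUCKET_POLICY, ALICE, "s3:GetObject", obj, False))  # explicit-deny
    print(evaluate(IDENTITY_POLICY, BUCKET_POLICY, ALICE, "s3:PutObject", obj, True))   # implicit-deny
    print(evaluate(None, BUCKET_POLICY, BOB, "s3:GetObject", obj, True))                # allow
    print(evaluate(None, BUCKET_POLICY, BOB, "s3:ListBucket", BUCKET, True))            # implicit-deny
```

The second case is the exam-relevant one: alice's identity policy says Allow, but the plain-HTTP request is still refused because the bucket policy's Deny is evaluated alongside it and Deny always wins. The fourth case shows why bucket policies matter for auditing: bob has no identity policy at all and still gets read access.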
In AWS there are heaps of different ways to store secrets if you really think about it. Hey, if you're Corey Quinn you might even store them in Route 53 as a cheap database (joke). But in reality there are really only two services in AWS meant for storing secrets: Secrets Manager and Systems Manager Parameter Store.
Just get to know them at a high level; one has a bit more functionality when it comes to secret storage. Honestly, I have used Secrets Manager to store some creds before. I know Parameter Store can too, but I've just used Secrets Manager as it's purpose built and provides more management. It was news to me that people were storing secrets in Parameter Store rather than just, well, parameters. But anyway, it is cheaper, so there's that?
Everyone's study style is different. I myself am a hands-on kind of learner; I need to get in and build it, break it, to understand it. So I like to use practice exams with decent explanations and pair that with the console to get a better understanding if I need to.
I use Jon Bonso's Tutorials Dojo, I've recommended him before (no affiliation):
I will say that this particular one wasn't as good as the others I've studied with from Jon. I usually like this resource as it provides a bunch of different practice exams in varying modes, review and timed. The answers are usually filled with helpful explanations and links to AWS materials so that you can work out where you went wrong or find out more.
However, the security explanations and the questions just seemed a bit lacking for some of the questions. I also found that it was very repetitive; there were many KMS questions. Maybe previous exams have had an overload of KMS-related questions or something.
Nevertheless, this is the sole resource I used.
- Write down the services and come up with your own explanation for each
- Create architecture diagrams; draw.io is good
- If you don't have access to practice exams, write your own questions
- Get your hands dirty; you 100% need to use these services, so get into the console and start building
- Get some sleep; if it's the night before the exam, don't stay up cramming.
Try not to sweat it; if at the end of the day you don't pass, you can always retake the exam. This sucks because it's expensive and you've put the time in, but it's not for nothing: you've just had first-hand experience of the exam and you can use that next time.
I am interested in hearing from others about how they learn, what resources they use and what works for them. I am researching a project to help out in this space, so reach out if you can.
Hopefully this guide has been useful for somebody out there studying for the exam. This is one of the more difficult exams; I found the variety of the questions and the number of services in the questions generally challenging.
If you've studied security before or are familiar with the practices around security design, encryption, policy, etc., this will go a long way, but you'll still need to understand how AWS tackles it and which services are used.