AWS Certified Security – Specialty Exam Study Guide
The AWS Specialty certification exams are intended for people who handle more specific responsibilities in AWS Cloud. Since these responsibilities demand a more advanced skill set with prior experience from a person, these AWS specialty exams are built so that they could reinforce and validate a person’s eligibility for that role. There are no associate and professional levels in a specialty learning path, so the exams serve as the whole package already. And since they are made that way, expect no less from the specialty certification exams, as they will be as tough as the professional exams.
The name of the certificate immediately points out what to focus on — AWS Security. Although we mentioned earlier that specialty exams tackle more specific roles, security in AWS is very broad and extensive. There are a lot of topics involved when we speak about AWS security, whether it be native AWS services or other third-party tools. If you need a comprehensive review material for learning these topics then this study guide is for you.
Having prior knowledge and experience in handling (cloud) security will allow you to understand the concepts and strategies that appear in AWS reference materials. You will also find it easier to comprehend scenario type questions in your exam. To know more about the AWS Security specialty exam, check out the official AWS Exam Blueprint here.
AWS documentations and whitepapers will be your best friends here. They are your primary source of information. We recommend reading the following papers:
- Introduction to AWS Security
- AWS: Overview of Security Processes
- AWS Well-Architected Framework
- Security Pillar – AWS Well-Architected Framework
- AWS Security Best Practices
- AWS Key Management Service Best Practices
- AWS Key Management Service Cryptographic Details
- Encrypting File Data with Amazon Elastic File System
- Secure Content Delivery with Amazon CloudFront
- Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities
- AWS Best Practices for DDoS Resiliency
- Security at Scale: Logging in AWS
- AWS Security Incident Response Guide
- Security at Scale: Governance in AWS
Add-On Compliance whitepapers:
- Security by Design
- AWS Risk & Compliance
- Architecting for HIPAA Security and Compliance on AWS
- Navigating GDPR Compliance on AWS
- Architecting for PCI DSS Scoping and Segmentation on AWS
Optional whitepaper for configuring AWS SSO + LDAP + Shibboleth
After you have studied the sources above, it would be wise to expose yourself with different scenarios and strategies in enforcing security in AWS. Re:Invent videos, AWS blogs, virtual classes, and even some AWS forums provide sample scenarios and strategies for you. The links below will redirect you to some of the references:
- AWS Security Fundamentals virtual lecture
- AWS Security Essentials virtual classroom
- Architecting on AWS virtual classroom
- Security Engineering on AWS virtual classroom
- AWS Security blogs
- AWS Re:Invent 2019 sessions
AWS Services to Focus On
When we talk about security as a discipline, especially in the context of cloud, we are tackling it as a combination of different domains. AWS enumerates its catalog of services and features under different domains based on their purposes. In this section, we will try to do the same and group AWS services according to their domains.
Identity and Access Control
- AWS Identity and Access Management – You must learn every detail of AWS IAM since this is AWS’ primary user management and access control service. Practice writing your own IAM policies.
- Resource-Based Policies – Although resource-based policies fall under AWS IAM, they tend to be ignored compared to user-based policies. Take note of which services support this type of policy and how they are different from user-based policies.
- S3 Presigned URLs – Know what is the purpose of S3 presigned URLs and how they differ from CloudFront signed URLs.
- CloudFront Signed URLs – Know what is the purpose of CloudFront signed URLs and how they differ from S3 presigned URLs or CloudFront signed cookies.
- Amazon Cognito – Read through the benefits of AWS Cognito and how to integrate it with web and mobile applications. Differentiate user pools from identity pools.
- AWS Single Sign-On – Learn how you can use AWS SSO together with other authentication protocols to securely authenticate users in your environment. AWS SSO is commonly integrated with LDAP.
- AWS Security Token Service – Know the purpose and use cases of Amazon STS. Try building a program that utilizes temporary tokens as credentials.
- AWS Directory Service – Know the different options you have for AWS Directory Service. Each option solves a different requirement and it is up to you to figure out how you can get your directory to gain access to your users and other information.
- AWS Organizations – AWS Organizations is a very helpful service when dealing with large scale enterprises with multiple AWS accounts. Know the benefits of using this service (like consolidated billing feature) and how to build an organization hierarchy with Organization Units and Service Control Policies.
- AWS Resource Access Manager – AWS RAM allows you to securely share resources with other AWS accounts. Experiment with this service to know how to share your resources and what restrictions are involved.
Application and Infrastructure Security
- EC2 key pairs – This goes without saying, but EC2 key pairs play a very important role in protecting your EC2 instances.
- AWS Systems Manager – AWS SSM secures your applications through services like Patch Baselines, Run Command, Session Manager, and more. By utilizing automation and code, you run less risk in human error and unwanted/untracked changes to your application.
- AWS WAF – AWS WAF is essential in protecting your applications from common exploits like SQL injection or XSS attacks. Differentiate WAF from Shield and Firewall Manager.
- AWS Shield – AWS Shield complements AWS WAF since this service offers DDoS protection. Read what features are different between Shield Basic and Shield Advanced.
- AWS Firewall Manager – This service simplifies administration overhead when setting up AWS WAF, AWS Shield and VPC security groups. Best to do a hands-on on the service.
- AWS KMS – Study the different types of KMS keys available and how you should manage them. Determine which AWS services support using AWS KMS for encryption.
- Amazon CloudHSM – Know when to use AWS KMS vs CloudHSM for your encryption needs.
- AWS SSM Parameter Store – It is important to know how AWS SSM Parameter Store can protect your referenceable information through SecureString.
- Amazon Secrets Manager – Secrets Manager is similar to Parameter Store wherein you can store and retrieve sensitive strings in AWS securely.
- SSE-S3 Encryption – Read when it is better to use SSE-S3 keys or KMS keys for server-side encryption. Also read how your encrypted buckets and objects are handled during operations such as replication, deletion, etc.
- S3 Glacier Vault Lock – Know the purpose of a Glacier Vault Lock and try implementing a policy yourself.
- Amazon Macie – Read how Macie automatically classifies and protects your data. This is one of those services that you will just understand better if you try it out.
- AWS Certificate Manager – Know which services integrate with your certificates stored in Certificate Manager. Try creating your own private CA and issue some custom certificates.
- Amazon VPC – Know everything on VPCs since they are basic building blocks for a protected AWS environment. Differentiate security groups vs network ACLs. Study VPC endpoints too.
- Amazon CloudFront – Study how CloudFront protects your endpoints from being publicly accessible. Read on setting up Origin Access Identity with S3 buckets. Know which services integrate with CloudFront, such as API Gateway and WAF. CloudFront has a feature that allows content access to only selected locations.
- AWS ELB – Study how ELB protects your web traffic and endpoints from malicious attacks. Understand how SSL certificates are being handled by ELB.
- Amazon API Gateway – Similar to ELB, API Gateway also protects your endpoints from being exposed to the public internet. Commonly used in serverless applications, study how APIs can secure Lambda functions. Also know what services it integrates with, such as WAF.
- AWS VPN – Although AWS VPN is fairly new, you should have an overview of what this service is and how to set it up in your AWS environment.
- AWS Direct Connect – Read how a dedicated line from your network to AWS can protect your inbound and outbound traffic. A common way to secure your traffic in Direct Connect is by using an AWS Site to Site VPN.
Logging and Monitoring
- Amazon CloudWatch – Know everything about Cloudwatch (Logs, Alarms, Events, Metrics)
- Amazon CloudTrail – Know everything about CloudTrail, like how to store and encrypt your log files, how to monitor different regions and capture different types of data.
- Service Logs (VPC, ELB, API Gateway, S3, CloudFront) – Multiple AWS services support logging which they forward to an S3 bucket. It would be good to have an idea of which services support logging. Logs are crucial when conducting incident response and analysis.
- Amazon Route 53 – Study how Route 53 can quickly handle network issues by performing DNS and endpoint health checks. Route 53 also helps in making your environment more resilient by performing automatic failovers.
Threat Detection, Prevention, Response and Remediation
- Amazon GuardDuty – Have an understanding of the use cases of Amazon GuardDuty.
- Amazon Inspector – Have an understanding of the use cases of Amazon Inspector.
- Amazon Detective – Know which services integrate with Amazon Detective. Also, have an understanding of the use cases of Amazon Detective.
- AWS Security Hub – Have an understanding of the use cases of AWS Security Hub.
Risk and Compliance Management
- AWS Artifact – Know the purpose of AWS Artifact and what kinds of reports it provides for you.
- AWS Config – AWS Config is an important compliance monitoring tool that you should learn about. Study the concepts and how they work. Practice writing a Config rule of your own to have a better understanding of the service.
Lastly, as we have repeatedly talked about, specialty exams are intended for experienced individuals. Therefore, you should go try out the services above in your own AWS account. Also, do not limit yourself to the Management Console. Some implementations can only be done via AWS CLI or AWS SDK. Be comfortable with them all.
Common Exam Scenarios
A company requires a solution that will automatically detect and enable disabled VPC Flow Logs.
Create an AWS Config rule that will detect disabled VPC Flow Logs. Create a CloudWatch event based on that Config Rule to trigger a Lambda Function for enabling VPC Flow Logs.
Verify if EC2 instances are using approved AMI. Create a notification if non-compliant instances are detected.
A Security Analyst needs to remediate the risks of having security groups that allow inbound traffic for the
Create an AWS Config rule that will automatically detect security groups that allow inbound traffic from the
You need to build a solution that will allow the Security team to review the IAM policy assigned to an IAM user before and after a security incident has occurred.
Use AWS Config
Automatically detect and remediate an incident where API logging is disabled
Create an AWS Config rule to detect disabled CloudTrail settings. Configure the rule to use an AWS Systems Manager Automation document to automatically re-enable CloudTrail logs.
Detect if someone is using the AWS account’s root access in creating new API keys without proper approval.
Set up an AWS Config rule to track the usage of the
A company requires a CMK that automatically rotates every year.
Create a CMK with AWS generated key material.
A company needs to rotate a CMK with imported key material
Create a new CMK with the new imported key material and point the existing alias to the new CMK.
A company has to manage the access control for hundreds of CMKs without having to edit key policies
Use grants in AWS KMS.
A Security Specialist must use additional authenticated data (AAD) to prevent tampering against the ciphertext.
Add the kms:EncryptionContext condition when defining the key policy for the CMK.
A company needs to migrate AWS resources encrypted with KMS into another region.
Use a new CMK in the target region.
|AWS WAF, AWS Shield|
An application hosted on an EC2 instance needs protection from common web exploits. Also, the outgoing traffic from the instance should be restricted only to trusted URLs.
Use AWS WAF for common web exploits protection and use a third-party solution to whitelist URLs for outbound traffic.
A Security Specialist needs to block high-volume requests from specific user-agent HTTP header
Use AWS WAF rate-based rule to limit the number of requests.
Which AWS Services has direct integration with AWS WAF?
Amazon CloudFront & Application Load Balancer
A company is serving static content using Amazon CloudFront, Amazon S3, and Amazon Route53. They must respond to DDoS attacks at L7, L4, and L3.
Use AWS Shield Advanced
Protect CloudTrail Logs from tampering and un-authorized access
Enable the CloudTrail log file validation
Some AWS accounts can’t send CloudTrail logs in a centralized logging account. What are the steps to troubleshoot the issue?
A Security Specialist has updated the log file prefix for a trail but encountered a “There is a problem with the bucket policy.” error
First, update the new log file prefix in the S3 bucket policy, then specify the updated log file prefix in the CloudTrail Console.
A Security Engineer needs to review user activities from a specific access key within the past 3 months.
Review the user activities through the CloudTrail Console
Some EC2 instances stop sending CloudWatch logs after a security incident. What are the steps to troubleshoot this issue?
After an update to IAM policy, an application stops sending custom metrics to AWS CloudWatch.
A Security Engineer must build a near real-time logging solution to collect logs from different AWS Accounts.
Use the Amazon CloudWatch cross-account log data sharing with subscriptions. Use Amazon Kinesis Data Firehose to deliver the logs.
A company has set up a notification system using CloudWatch and CloudTrail that will alert a Security Team when new access keys are created. The team is not receiving notifications.
Make sure that the value of
A company needs a threat detection system for monitoring malicious activities in an AWS Account
Use Amazon GuardDuty
A company is using an Active Directory server to resolve DNS for EC2 instances in a VPC. A security engineer noticed that one of the instances is being used for command-and-control (C2C) operations but GuardDuty has failed to recognize it.
GuardDuty does not recognize DNS requests coming from third-party DNS servers.
A company wants to perform a network port scan against EC2 instances in VPC but does not want to get alerts for specific instances.
Add the EIP of the specific instances to the trusted IP lists in Amazon GuardDuty.
A company has complex connectivity rules for Amazon EC2 instances. How should they manage these connection rules with no additional cost?
Implement the rules using the built-in host-based firewall such as
A Security Engineer needs to inspect packet data.
A Security Engineer has a virtual security appliance. The Engineer is using a security group and NACL to comply with security requirements. How can he allow traffic through the virtual security appliance?
Disable the Source/Destination check of the Elastic Network Interface (ENI) associated with the virtual security appliance.
A Security Engineer needs to remediate the risk of users exploiting the instance metadata service to access AWS resources in other accounts.
Restrict the access to the instance metadata service using
Validate Your Knowledge
The virtual classrooms we listed in the Study Materials section often include short quizzes at the end of each video. They will serve as guides on how to look for key terminologies in your exam questions, as well as how to break down your options to determine the most suitable answer for the question. Another virtual lecture we recommend you attending after you finished reviewing for the exam is the Exam Readiness: AWS Certified Security – Specialty Course. They provide sample questions that you can follow along and answer.
AWS also provides a sample exam on the AWS Certified Security Specialty page, which you can find here. Although this sample exam is not on the same level of difficulty one might expect on the real exam, it is still a helpful resource for your reviews. Lastly, Tutorials Dojo also has a set of high-quality practice exams and study guide eBook for the AWS Security Specialty certification. The practice exams and study guide eBook will help boost your preparedness for the real exam, and it will also help you determine which areas you are weak in, so you can focus your efforts on studying those areas.
Sample Practice Test Questions:
An organization is implementing a security policy in which their cloud-based users must be contained in a separate authentication domain and prevented from accessing on-premises systems. Their IT Operations team is launching and maintaining a number of Amazon RDS for SQL Server databases and EC2 instances. The organization also has an on-premises Active Directory service that contains the administrator accounts that must have access to the databases and EC2 instances.
How would the Security Engineer manage the AWS resources of the organization in the MOST secure manner? (Select TWO.)
- Using AWS Directory Service, set up an AWS Managed Microsoft AD to manage the RDS databases and EC2 instances.
- Set up and configure AWS Service Catalog to manage the RDS databases and EC2 instances.
- Set up a one-way incoming trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.
- Set up a one-way incoming trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.
- Set up a two-way trust relationship between the new Active Directory in AWS and the existing Active Directory service in the on-premises data center.
A company is planning to migrate its on-premises application to AWS. The application will be hosted in Elastic Beanstalk, which uses an external RDS database and an S3 bucket configured to use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C). In this configuration, Amazon S3 does not store the encryption key you provide but instead, stores a randomly salted hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests. The Security Engineer was assigned to implement the required security measures for the application.
Which of the following is a valid consideration that the Engineer should keep in mind when implementing this architecture?
- The salted HMAC value can be used to derive the value of the encryption key.
- You will lose access to the S3 object if you lose the encryption key.
- The salted HMAC value can be used to decrypt the contents of the encrypted object.
- The salted HMAC value can be used to decrypt the S3 object in the event that you lose the encryption key.
Click here for more AWS Certified Security Specialty practice exam questions.
Check out our other AWS practice test courses here:
With the growing number of security attacks each day, companies are now focusing their efforts in strengthening their digital security. This responsibility requires a team effort from both AWS engineers and industry professionals, which is why we have a shared responsibility model. Professionals will have to be equipped with the right tools and knowledge to protect what is valuable to them and to their company.
We hope that our guide has helped you achieve that goal, and we would love to hear back from you after your exam. Get some well-deserved rest, and we wish you the best of results.