• AWS Certified Security Specialty Practice Exams



• FREE AWS Certified Security Specialty Practice Exams – Sampler

• AWS Certified Security – Specialty (SCS-C01) Sample Exam Questions

• AWS Practice Exam

Key Takeaways From The Exam

1. AWS KMS

I’ve run into a lot of AWS KMS questions dealing with different AWS services integration. Don’t expect questions that ask whether you have to encrypt data or not because you’re already expected to do that. Instead, prepare yourself to solve different data encryption problems based on a given requirement. 

For example, you need to understand when to use a key policy or grants in controlling access to an AWS KMS CMK. How does key rotation work in AWS KMS? How does AWS KMS integrate with Amazon S3? What are the steps in enforcing in-transit and server-side encryption to an S3 bucket? These are some of the scenarios that you’ll be asked on the exam.

2. Master AWS Identity and Access Management (IAM)

The exam is expecting you to think like a security engineer so you have to develop that security mindset. And you can’t implement security without knowing IAM. You’ll be heavily tested on your IAM knowledge since it is the foundational service for controlling access within the AWS Cloud. So be sure to learn the concepts below thoroughly:

• IAM Policy Evaluation Logic

• IAM JSON Policy Elements

• IAM User vs IAM Role/Service-linked role

• SCPs and Permission Boundaries

Check out these awesome learning materials that helped me understand them:

• AWS Security, Identity, and Compliance Services Overview

• Become an IAM Policy Master in 60 Minutes or Less

• Choose AWS Systems Manager Run Command over bastion hosts.

• Use AWS Systems Manager to connect to EC2 instances that have compromised SSH keys.

• Use AWS Systems Manager Patch Manager to automate patching.

• You have to install the SSM agent before you can do any of the above.

4. AWS CloudTrail

There were also a lot of AWS CloudTrail questions than I was expecting. And most of them are either multi-step or troubleshooting problems where you have to choose 2 or 3 answers. So it’s not enough to know it at a basic level. Know what you can and can’t do with it. Deep dive into it and learn how to implement a real-world solution. For instance, learn how to create a central CloudTrail Logging across accounts. Follow this guide as your hands-on exercise.

5. Amazon GuardDuty vs Amazon Inspector

Take note of their difference as they can both be used for incident detection. Amazon GuardDuty is a threat detection service that helps protect your AWS account. On the other hand, Amazon Inspector assesses compliance within your EC2 instance for improved security of applications deployed on AWS.

Important Amazon GuardDuty concepts:

• Suppression rules



• Trusted IP list and threat list

• EC2 finding types

Important Amazon Inspector concepts:

• Rules packaged

These are just threat detection and assessment tools. You need to take further steps for any remedial actions.

I have also added common scenarios and recommended solutions that you might encounter in your exam in this exam study guide.

Tips before the exam

I stopped reading and doing practice tests to stay relaxed and well-rested a day before the exam. You may take light review sessions, but don’t push yourself too hard. I used the Review Mode feature of the practice test in the Tutorials Dojo Portal to skim through the practice tests. This is a lighter way to condition my mind and refresh the concepts that I’ve learned.

Tips during the exam

The exam will give you 170 minutes to answer all 65 questions. Don’t rush it. I recommend giving yourself enough time (about 2 minutes per item) to read and to process the information that you need in choosing the best option.

Prioritize answering questions that you’re familiar with. In doing so, you’ll be able to build confidence as you progress. Self-confidence is very important throughout the exam. If you keep on encountering difficult questions one after another, chances are you’ll lose focus and you’ll start doubting your answers even for the easy ones.

Use the flag button. Select an answer nonetheless even if you’re unsure of it, then flag it for review. If you didn’t have enough time to recheck it at the last minute, at least you’d have a 25% chance of hitting the correct answer (for Single Choice items) which is far better than not completely answering it.