My AWS Certified Security Specialty Exam Experience – Tips and Important Notes
The AWS Certified Security – Specialty is included in the top 10 Most Popular Cybersecurity Certifications based on Global Knowledge’s 2020 IT Skills and Salary Report. Beating some of the famous security certifications on the list (e.g. CEH, CompTIA Security+) only shows how influential AWS has become in the IT industry in recent years. Security professionals are not the only ones who can benefit from this certification. Whether you’re a Cloud Engineer, Developer, or System Administrator, a good understanding of AWS security best practices and how to implement them will certainly make you a valuable asset to your company.
In this article, I’ll share the key takeaways from the exam that I’ve run into, what I did to prepare for it, and some tips for answering the exam questions.
1. Avoid brain overload. Find the time of day when you learn best, and know the limit of your attention span. You might spend long hours reading or watching courses in an attempt to finish them early without really gaining anything from it. Set a schedule, and don’t forget to take breaks if you’re planning a long study session.
Here is the list of my learning materials:
- AWS Certified Security Specialty Exam Study Path
2. Avoid Exam Dumps! Brain dumps are really tempting; however, they’re unreliable and might just confuse you. I’ve seen a lot of exam dumps on the Internet and most of them contain incorrect answers with no proper explanations. You won’t really get any learning benefit from them aside from familiarizing yourself with the questions. Having experienced the exam firsthand, I can confidently tell you that learning the concepts and taking legitimate practice tests is what enabled me to pass it.
Here are the links to the practice tests that I’ve taken, including our own set of mock exams, of course:
3. Apply what you learn. There are complex concepts that you won’t grasp simply by reading the documentation. You’ll learn many times faster through hands-on exercises. Experiment and see the services for yourself. Recreate the scenarios that you see in practice tests, or follow these labs to hone your AWS skills.
1. AWS KMS
I’ve run into a lot of AWS KMS questions dealing with different AWS services integration. Don’t expect questions that ask whether you have to encrypt data or not because you’re already expected to do that. Instead, prepare yourself to solve different data encryption problems based on a given requirement.
For example, you need to understand when to use a key policy and when to use grants to control access to an AWS KMS CMK. How does key rotation work in AWS KMS? How does AWS KMS integrate with Amazon S3? What are the steps to enforce in-transit and server-side encryption on an S3 bucket? These are some of the scenarios that you’ll be asked about on the exam.
2. Master AWS Identity and Access Management (IAM)
The exam expects you to think like a security engineer, so you have to develop that security mindset. And you can’t implement security without knowing IAM. You’ll be tested heavily on your IAM knowledge since it is the foundational service for controlling access within the AWS Cloud. So be sure to learn the concepts below thoroughly:
- IAM Policy Evaluation Logic
- IAM JSON Policy Elements
- IAM User vs IAM Role/Service-linked role
- SCPs and Permission Boundaries
Check out these awesome learning materials that helped me understand them:
3. AWS Systems Manager
I encountered many questions revolving around AWS Systems Manager. AWS seems to be really pushing its customers to use this service. And I think it makes sense since there are a lot of tasks that can be simplified with Systems Manager. I won’t be able to list all possible questions about it, but you need to be at least aware of the following items going into the exam:
- Choose AWS Systems Manager Run Command over bastion hosts.
- Use AWS Systems Manager to connect to EC2 instances that have compromised SSH keys.
- Use AWS Systems Manager Patch Manager to automate patching.
You have to install the SSM agent before you can do any of the above.
4. AWS CloudTrail
There were also more AWS CloudTrail questions than I was expecting. And most of them are either multi-step or troubleshooting problems where you have to choose 2 or 3 answers. So it’s not enough to know it at a basic level. Know what you can and can’t do with it. Deep dive into it and learn how to implement a real-world solution. For instance, learn how to set up central CloudTrail logging across accounts. Follow this guide as your hands-on exercise.
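Three of the items the article asks you to know come down to writing policies and reasoning about how they are evaluated: enforcing in-transit and server-side encryption on an S3 bucket (section 1), the IAM policy evaluation logic (section 2), and the central CloudTrail log bucket (this section). The script below is an added example of mine, not code from the article or from AWS. It contains a deliberately small evaluator that applies the documented order (a matching explicit Deny wins, otherwise a matching Allow, otherwise implicit deny) and runs constructed requests through a bucket policy that refuses plain-HTTP access and non-SSE-KMS uploads, and through a central CloudTrail bucket policy that lets the CloudTrail service principal write only under each account's own AWSLogs/<account-id>/ prefix. Bucket names, account IDs and the user ARN are constructed, and the evaluator implements only the four condition operators these policies use.

```python
# Added example (not the author's code or an AWS sample): a minimal IAM-style
# policy evaluator plus the two bucket policies the article points at, so the
# evaluation order (explicit Deny, then Allow, else implicit deny) can be run
# offline. Bucket names, account IDs and the user ARN below are constructed.
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context (four IAM operators only)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, wanted = ctx.get(key), _as_list(expected)
            if operator == "Bool":
                matched = actual is not None and str(actual).lower() == str(wanted[0]).lower()
            else:
                matched = actual in wanted
            if operator in ("Bool", "StringEquals") and not matched:
                return False
            if operator == "StringNotEquals" and matched:  # negated operators also match when the key is absent
                return False
            if operator == "Null" and (actual is None) != (str(wanted[0]).lower() == "true"):
                return False
            if operator not in ("Bool", "StringEquals", "StringNotEquals", "Null"):
                raise ValueError(f"unsupported operator {operator}")
    return True

def _statement_applies(stmt, principal, action, resource, ctx):
    princ = stmt.get("Principal", "*")  # identity-based policies carry no Principal element
    allowed = _as_list(next(iter(princ.values())) if isinstance(princ, dict) else princ)
    return (
        ("*" in allowed or principal in allowed)
        and any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        and _condition_holds(stmt.get("Condition", {}), ctx)
    )

def evaluate(policies, principal, action, resource, ctx):
    """Decision across every policy that applies to the caller: a matching Deny always wins."""
    decision = "implicit_deny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if _statement_applies(stmt, principal, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision

def s3_encryption_policy(bucket):
    """Bucket policy refusing plain-HTTP requests and any PutObject that is not SSE-KMS."""
    arn = f"arn:aws:s3:::{bucket}"
    deny_put = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": f"{arn}/*"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [arn, f"{arn}/*"], "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyWrongSseHeader", **deny_put,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingSseHeader", **deny_put,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]}

def cloudtrail_central_bucket_policy(bucket, account_ids):
    """Central log bucket: CloudTrail may write only under each listed account's own prefix."""
    arn, trail = f"arn:aws:s3:::{bucket}", {"Service": "cloudtrail.amazonaws.com"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": trail,
         "Action": "s3:GetBucketAcl", "Resource": arn},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": trail, "Action": "s3:PutObject",
         "Resource": [f"{arn}/AWSLogs/{acct}/*" for acct in account_ids],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}

def demo():
    """Run constructed requests through both policies; returns scenario -> decision."""
    user, obj = "arn:aws:iam::111111111111:user/alice", "arn:aws:s3:::data-bucket/report.csv"
    identity = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    data = [identity, s3_encryption_policy("data-bucket")]  # what applies to alice's PutObject
    trail = [cloudtrail_central_bucket_policy("org-trail-logs", ["111111111111", "222222222222"])]
    ct, log = "cloudtrail.amazonaws.com", "arn:aws:s3:::org-trail-logs/AWSLogs/{}/CloudTrail/x.json.gz"
    tls, sse = {"aws:SecureTransport": "true"}, {"s3:x-amz-server-side-encryption": "aws:kms"}
    acl = {"s3:x-amz-acl": "bucket-owner-full-control"}
    return {
        "http_put": evaluate(data, user, "s3:PutObject", obj, {"aws:SecureTransport": "false", **sse}),
        "https_put_no_header": evaluate(data, user, "s3:PutObject", obj, tls),
        "https_put_aes256": evaluate(data, user, "s3:PutObject", obj,
                                     {**tls, "s3:x-amz-server-side-encryption": "AES256"}),
        "https_put_kms": evaluate(data, user, "s3:PutObject", obj, {**tls, **sse}),
        "trail_own_prefix": evaluate(trail, ct, "s3:PutObject", log.format("222222222222"), acl),
        "trail_other_prefix": evaluate(trail, ct, "s3:PutObject", log.format("333333333333"), acl),
        "trail_missing_acl": evaluate(trail, ct, "s3:PutObject", log.format("222222222222"), {}),
    }
```

Call `demo()` to see the decision per scenario: the identity policy's Allow is overridden by the bucket policy's Deny for the HTTP and unencrypted uploads, while the CloudTrail service principal gets an implicit deny as soon as it writes outside its account prefix or omits the bucket-owner-full-control ACL. The toy evaluator ignores SCPs, permission boundaries, session policies and resource ownership, all of which the real evaluation takes into account; validate policies you intend to deploy with the IAM policy simulator or IAM Access Analyzer policy validation rather than with this script.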
5. Amazon GuardDuty vs Amazon Inspector
Take note of their differences, as both can be used for incident detection. Amazon GuardDuty is a threat detection service that helps protect your AWS account. Amazon Inspector, on the other hand, assesses compliance within your EC2 instances to improve the security of applications deployed on AWS.
Important Amazon GuardDuty concepts:
- Trusted IP list and threat list
- EC2 finding types
Important Amazon Inspector concepts:
These are detection and assessment tools only; any remediation requires further steps on your part.
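Since GuardDuty only raises findings, the "further steps" are yours to design. The script below is an added example of mine, not code from the article or from AWS: it takes a GuardDuty finding as delivered through an EventBridge "GuardDuty Finding" event, maps its numeric severity to a band, and builds an explicit remediation plan (notify, isolate, snapshot for forensics) instead of acting directly inside the handler, so the containment step stays reviewable. The sample event is constructed; its field names follow the GuardDuty finding format as I know it, and the severity thresholds are the Low/Medium/High/Critical bands as assumed here from the GuardDuty documentation.

```python
# Added example (not the author's code or an AWS sample): turning a GuardDuty
# finding into an explicit remediation plan, the "further steps" the article
# says the detection tools leave to you. The event below is constructed; its
# field names follow the EventBridge "GuardDuty Finding" event shape, and the
# severity bands are assumed from the GuardDuty documentation.

SAMPLE_FINDING = {  # constructed sample event
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

def severity_label(score):
    """Map GuardDuty's numeric severity (0-10) to its band; thresholds assumed from the docs."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

def triage(event):
    """Build a remediation plan from a finding; acting on it is a separate, reviewed step."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    label = severity_label(float(detail["severity"]))
    resource = detail.get("resource", {})
    plan = {"finding_type": detail["type"], "severity": label, "actions": ["notify_security_team"]}
    if resource.get("resourceType") == "Instance":
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
        if label in ("HIGH", "CRITICAL"):
            # Contain first (move the instance to a no-ingress/no-egress security group),
            # then preserve evidence before anyone touches the host.
            plan["actions"] += ["isolate_instance", "snapshot_volumes_for_forensics"]
        elif label == "MEDIUM":
            plan["actions"].append("open_investigation_ticket")
    return plan

def with_severity(event, severity):
    """Copy of a finding with a different severity, for exercising the bands."""
    return {**event, "detail": {**event["detail"], "severity": severity}}
```

`triage(SAMPLE_FINDING)` yields a MEDIUM plan that notifies and opens a ticket; the same finding at severity 8.5 adds isolation and a forensic snapshot. Keeping the plan as data lets you log it to CloudTrail-adjacent audit storage and have the isolating step run with the least-privilege role that can only swap security groups and create snapshots.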
I stopped reading and doing practice tests to stay relaxed and well-rested a day before the exam. You may take light review sessions, but don’t push yourself too hard. I used the Review Mode feature of the practice test in the Tutorials Dojo Portal to skim through the practice tests. This is a lighter way to condition my mind and refresh the concepts that I’ve learned.
Tips during the exam
The exam gives you 170 minutes to answer all 65 questions. Don’t rush it. I recommend giving yourself enough time (about 2 minutes per item) to read and process the information you need to choose the best option.
Prioritize answering questions that you’re familiar with. In doing so, you’ll be able to build confidence as you progress. Self-confidence is very important throughout the exam. If you keep on encountering difficult questions one after another, chances are you’ll lose focus and you’ll start doubting your answers even for the easy ones.
Use the flag button. Select an answer even if you’re unsure of it, then flag it for review. If you don’t have enough time to recheck it at the end, you’ll at least have a 25% chance of hitting the correct answer (for single-choice items), which is far better than leaving it unanswered.