AWS Certified Security – Specialty Exam Study Guide
The AWS Specialty certification exams are intended for people who handle more specific responsibilities in AWS Cloud. Since these responsibilities demand a more advanced skill set with prior experience from a person, these AWS specialty exams are built so that they could reinforce and validate a person’s eligibility for that role. There are no associate and professional levels in a specialty learning path, so the exams serve as the whole package already. And since they are made that way, expect no less from the specialty certification exams, as they will be as tough as the professional exams.
The name of the certificate immediately points out what to focus on — AWS Security. Although we mentioned earlier that specialty exams tackle more specific roles, security in AWS is very broad and extensive. There are a lot of topics involved when we speak about AWS security, whether they concern native AWS services or third-party tools. If you need comprehensive review material for learning these topics, then this study guide is for you.
Having prior knowledge and experience in handling (cloud) security will allow you to understand the concepts and strategies that appear in AWS reference materials. You will also find it easier to comprehend scenario type questions in your exam. To know more about the AWS Security specialty exam, check out the official AWS Exam Blueprint here.
AWS documentation and whitepapers will be your best friends here. They are your primary source of information. We recommend reading the following papers:
- Introduction to AWS Security
- AWS: Overview of Security Processes
- AWS Well-Architected Framework
- Security Pillar – AWS Well-Architected Framework
- AWS Security Best Practices
- AWS Key Management Service Best Practices
- AWS Key Management Service Cryptographic Details
- Encrypting File Data with Amazon Elastic File System
- Secure Content Delivery with Amazon CloudFront
- Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities
- AWS Best Practices for DDoS Resiliency
- Security at Scale: Logging in AWS
- AWS Security Incident Response Guide
- Security at Scale: Governance in AWS
Add-On Compliance whitepapers:
- Security by Design
- AWS Risk & Compliance
- Architecting for HIPAA Security and Compliance on AWS
- Navigating GDPR Compliance on AWS
- Architecting for PCI DSS Scoping and Segmentation on AWS
Optional whitepaper for configuring AWS SSO + LDAP + Shibboleth.
After you have studied the sources above, it would be wise to expose yourself to different scenarios and strategies for enforcing security in AWS. re:Invent videos, AWS blogs, virtual classes, and even some AWS forums provide sample scenarios and strategies for you. The links below will redirect you to some of these references:
- AWS Security Fundamentals virtual lecture
- AWS Security Essentials virtual classroom
- Architecting on AWS virtual classroom
- Security Engineering on AWS virtual classroom
- AWS Security blogs
- AWS Re:Invent 2019 sessions
AWS Services to Focus On
When we talk about security as a discipline, especially in the context of cloud, we are tackling it as a combination of different domains. AWS enumerates its catalog of services and features under different domains based on their purposes. In this section, we will try to do the same and group AWS services according to their domains.
Identity and Access Control
- AWS Identity and Access Management – You must learn every detail of AWS IAM since this is AWS’ primary user management and access control service. Practice writing your own IAM policies.
- Resource-Based Policies – Although resource-based policies fall under AWS IAM, they tend to be ignored compared to user-based policies. Take note of which services support this type of policy and how they are different from user-based policies.
- S3 Presigned URLs – Know the purpose of S3 presigned URLs and how they differ from CloudFront signed URLs.
- CloudFront Signed URLs – Know the purpose of CloudFront signed URLs and how they differ from S3 presigned URLs and CloudFront signed cookies.
- Amazon Cognito – Read through the benefits of Amazon Cognito and how to integrate it with web and mobile applications. Differentiate user pools from identity pools.
- AWS Single Sign-On – Learn how you can use AWS SSO together with other authentication protocols to securely authenticate users in your environment. AWS SSO is commonly integrated with LDAP.
- AWS Security Token Service – Know the purpose and use cases of AWS STS. Try building a program that uses temporary security credentials instead of long-lived access keys.
- AWS Directory Service – Know the different options you have in AWS Directory Service. Each option solves a different requirement, and it is up to you to work out which one gives your directory access to your users and other identity information.
- AWS Organizations – AWS Organizations is a very helpful service when dealing with large scale enterprises with multiple AWS accounts. Know the benefits of using this service (like consolidated billing feature) and how to build an organization hierarchy with Organization Units and Service Control Policies.
- AWS Resource Access Manager – AWS RAM allows you to securely share resources with other AWS accounts. Experiment with this service to know how to share your resources and what restrictions are involved.
Application and Infrastructure Security
- EC2 key pairs – This goes without saying, but EC2 key pairs play a very important role in protecting your EC2 instances.
- AWS Systems Manager – AWS SSM secures your applications through features like Patch Baselines, Run Command, Session Manager, and more. By using automation and code, you reduce the risk of human error and of unwanted or untracked changes to your application.
- AWS WAF – AWS WAF is essential in protecting your applications from common exploits like SQL injection or XSS attacks. Differentiate WAF from Shield and Firewall Manager.
- AWS Shield – AWS Shield complements AWS WAF since this service offers DDoS protection. Read what features are different between Shield Basic and Shield Advanced.
- AWS Firewall Manager – This service reduces administration overhead when setting up AWS WAF, AWS Shield, and VPC security groups across accounts. It is best to get hands-on experience with the service.
- AWS KMS – Study the different types of KMS keys available and how you should manage them. Determine which AWS services support using AWS KMS for encryption.
- Amazon CloudHSM – Know when to use AWS KMS vs CloudHSM for your encryption needs.
- AWS SSM Parameter Store – It is important to know how AWS SSM Parameter Store protects sensitive parameter values through the SecureString parameter type.
- AWS Secrets Manager – Secrets Manager is similar to Parameter Store in that you can store and retrieve sensitive strings in AWS securely.
- SSE-S3 Encryption – Read when it is better to use SSE-S3 keys or KMS keys for server-side encryption. Also read how your encrypted buckets and objects are handled during operations such as replication, deletion, etc.
- S3 Glacier Vault Lock – Know the purpose of a Glacier Vault Lock and try implementing a policy yourself.
- Amazon Macie – Read how Macie automatically classifies and protects your data. This is one of those services that you will just understand better if you try it out.
- AWS Certificate Manager – Know which services integrate with your certificates stored in Certificate Manager. Try creating your own private CA and issue some custom certificates.
- Amazon VPC – Know everything on VPCs since they are basic building blocks for a protected AWS environment. Differentiate security groups vs network ACLs. Study VPC endpoints too.
- Amazon CloudFront – Study how CloudFront protects your origins from being publicly accessible. Read on setting up an Origin Access Identity with S3 buckets. Know which services integrate with CloudFront, such as API Gateway and WAF. CloudFront also has a feature that restricts content access to selected geographic locations.
- AWS ELB – Study how ELB protects your web traffic and endpoints from malicious attacks. Understand how SSL/TLS certificates are handled by ELB.
- Amazon API Gateway – Similar to ELB, API Gateway also protects your endpoints from being exposed to the public internet. Commonly used in serverless applications, study how APIs can secure Lambda functions. Also know what services it integrates with, such as WAF.
- AWS VPN – Although AWS VPN is fairly new, you should have an overview of what this service is and how to set it up in your AWS environment.
- AWS Direct Connect – Read how a dedicated line from your network to AWS can protect your inbound and outbound traffic. A common way to secure your traffic over Direct Connect is to run an AWS Site-to-Site VPN across it.
Logging and Monitoring
- Amazon CloudWatch – Know everything about CloudWatch (Logs, Alarms, Events, Metrics).
- AWS CloudTrail – Know everything about CloudTrail, such as how to store and encrypt your log files, how to monitor different regions, and how to capture different types of events.
- Service Logs (VPC, ELB, API Gateway, S3, CloudFront) – Many AWS services can deliver their logs to an S3 bucket. It would be good to have an idea of which services support logging. Logs are crucial when conducting incident response and analysis.
- Amazon Route 53 – Study how Route 53 can quickly handle network issues by performing DNS and endpoint health checks. Route 53 also helps in making your environment more resilient by performing automatic failovers.
Threat Detection, Prevention, Response and Remediation
- Amazon GuardDuty – Have an understanding of the use cases of Amazon GuardDuty.
- Amazon Inspector – Have an understanding of the use cases of Amazon Inspector.
- Amazon Detective – Know which services integrate with Amazon Detective. Also, have an understanding of the use cases of Amazon Detective.
- AWS Security Hub – Have an understanding of the use cases of AWS Security Hub.
Risk and Compliance Management
- AWS Artifact – Know the purpose of AWS Artifact and what kinds of reports it provides for you.
- AWS Config – AWS Config is an important compliance monitoring tool that you should learn about. Study the concepts and how they work. Practice writing a Config rule of your own to have a better understanding of the service.
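The custom Config rule the list above asks you to practise, as an added example (not AWS sample code or code from this guide's author): a Lambda-backed rule that reports S3 buckets whose default encryption is missing or not backed by AWS KMS. The configuration-item field names and the put_evaluations call shape are assumptions about what Config hands a custom rule; SAMPLE_ITEM is constructed, not captured from a real account.

```python
"""Custom AWS Config rule: flag S3 buckets whose default encryption is absent
or not backed by AWS KMS. Added example for this guide, not AWS sample code.
The configuration-item shape is an assumption about what Config delivers to
a Lambda-backed custom rule; SAMPLE_ITEM is constructed, not captured."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_bucket(item, require_kms=True):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "rule only evaluates S3 buckets"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return NOT_APPLICABLE, "bucket no longer exists"
    enc = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration") or {}
    if isinstance(enc, str):  # Config may deliver supplementary values as JSON strings
        enc = json.loads(enc)
    algos = sorted({(r.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm") or "none"
                    for r in enc.get("rules", [])})
    if not algos:
        return NON_COMPLIANT, "no default encryption configured"
    if require_kms and "aws:kms" not in algos:
        return NON_COMPLIANT, "default encryption uses %s, not aws:kms" % ",".join(algos)
    return COMPLIANT, "default encryption uses %s" % ",".join(algos)


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the verdict back to Config."""
    import boto3  # imported here so evaluate_bucket() stays testable without the SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ctype, note = evaluate_bucket(item, require_kms=params.get("requireKms", "true") == "true")
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": ctype,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return ctype


SAMPLE_ITEM = {  # constructed: a bucket with SSE-S3 (AES256) default encryption only
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {
        "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256", "kmsMasterKeyID": None}}]}},
}
```

Deploy evaluate_bucket and lambda_handler as the Lambda behind a custom Config rule scoped to AWS::S3::Bucket; with the rule parameter requireKms set to "false", SSE-S3 buckets are accepted as well.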
Lastly, as we have repeatedly talked about, specialty exams are intended for experienced individuals. Therefore, you should go try out the services above in your own AWS account. Also, do not limit yourself to the Management Console. Some implementations can only be done via AWS CLI or AWS SDK. Be comfortable with them all.
Validate Your Knowledge
The virtual classrooms we listed in the Study Materials section often include short quizzes at the end of each video. They will serve as guides on how to look for key terminology in your exam questions, as well as how to break down your options to determine the most suitable answer for the question. Another virtual lecture we recommend attending after you have finished reviewing for the exam is the Exam Readiness: AWS Certified Security – Specialty course. It provides sample questions that you can follow along with and answer.
AWS also provides a sample exam on the AWS Certified Security Specialty page, which you can find here. Although this sample exam is not at the level of difficulty one might expect on the real exam, it is still a helpful resource for your reviews. Lastly, Tutorials Dojo also has a set of high-quality practice exams for the AWS Security Specialty certification. The practice exams will help boost your preparedness for the real exam, and they will also help you determine which areas you are weak in, so you can focus your study efforts on those areas.
With the growing number of security attacks each day, companies are now focusing their efforts on strengthening their digital security. This responsibility requires a team effort from both AWS engineers and industry professionals, which is why we have a shared responsibility model. Professionals will have to be equipped with the right tools and knowledge to protect what is valuable to them and to their company.
We hope that our guide has helped you achieve that goal, and we would love to hear back from you after your exam. Get some well-deserved rest, and we wish you the best of results.