AWS Security Specialty Recertification: Why Staying Updated is Crucial


I recently recertified my AWS Certified Security Specialty (SCS-C02) exam, and it reminded me just how fast cloud platforms like AWS evolve. In this post, I’ll share my updated insights and strategies for tackling this specialty certification, along with key takeaways from my own recertification experience.

Some might assume that recertification is an easy task, especially if you’ve already passed the exam before. However, that’s far from the truth when it comes to AWS. The platform is continuously evolving, with new services being introduced, existing ones updated, and even some service names changing. If you approach the exam without staying informed on these updates, there’s a real chance of failing. Recertification requires just as much dedication and preparation as the initial attempt, if not more, to ensure you’re fully updated with the latest AWS knowledge.

Based on my experience, I recommend focusing on the following areas:

AWS KMS
Make sure you read the whole section and understand the concepts!
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

KMS key rotation
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Note: Automatic key rotation is not available for KMS keys with imported key material, and you cannot import different key material into an existing key. Rotating such a key is a manual process: create a new KMS key, import the new material into it, and update the alias to point at the new key. Keep the old key enabled (not scheduled for deletion) so that ciphertexts encrypted under it can still be decrypted.

S3 Glacier vault Lock policy
https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

Note: A vault lock policy is the mechanism for enforcing compliance controls on a Glacier vault. Initiating the lock puts the policy into an in-progress state for 24 hours, during which you can test it or abort the lock; once you complete the lock, nobody can change or delete the policy.

Delegate access across AWS accounts using IAM roles
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
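The tutorial above needs two documents that are easy to mix up on the exam: the trust policy on the role in the account that owns the resources, and an identity policy in the trusted account granting sts:AssumeRole. The following is an added example (not code from the post or from AWS) that builds both and models the trust-policy check, including the sts:ExternalId condition that protects against the confused deputy. The account IDs, role name and ExternalId value are constructed, and the evaluator is a deliberately simplified model of IAM's behaviour, not the IAM engine.

```python
"""Cross-account delegation with an IAM role: trust policy + identity policy,
and a simplified model of how the trust policy is evaluated."""
import json
from typing import Optional

# Constructed example accounts and names (not real AWS accounts).
PROD_ACCOUNT = "111111111111"      # owns the resources
DEV_ACCOUNT = "222222222222"       # its users need delegated access
ROLE_NAME = "UpdateApp"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/{ROLE_NAME}"
EXTERNAL_ID = "dev-to-prod-7f3a"   # hypothetical shared value for the ExternalId condition


def trust_policy(trusted_account: str, external_id: Optional[str] = None) -> dict:
    """Trust (assume-role) policy attached to the role in PROD_ACCOUNT.
    Trusting the account root delegates the decision of *which* identities may
    assume the role to that account's own IAM policies; the optional ExternalId
    condition adds a value the caller must present with the AssumeRole call."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(role_arn: str) -> dict:
    """Identity policy for the user or group in DEV_ACCOUNT. The trust policy
    alone is not enough: both halves must allow the call."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}


def _account_of(arn: str) -> str:
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def trust_policy_allows(policy: dict, caller_arn: str,
                        external_id: Optional[str] = None) -> bool:
    """Simplified evaluation (a model, not IAM): an Allow statement matches when
    the caller's account is the trusted account-root principal and any
    sts:ExternalId condition equals the value the caller supplied."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRole":
            continue
        if _account_of(st["Principal"]["AWS"]) != _account_of(caller_arn):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and wanted != external_id:
            continue
        return True
    return False


if __name__ == "__main__":
    trust = trust_policy(DEV_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
    print(trust_policy_allows(trust, f"arn:aws:iam::{DEV_ACCOUNT}:user/alice", EXTERNAL_ID))
```

Attach the first document to the role in the resource account and the second to the group in the trusted account; without the ExternalId the same role can be assumed by any identity in the trusted account that has sts:AssumeRole on it, which is the situation the condition is designed to prevent when the trusted account belongs to a third party.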

AWS Incident response guide
Make sure you understand how to respond to common incidents!
https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/destination-containment.html

AWS S3 Object Lock
How to use Amazon S3 Object Lock
https://www.youtube.com/watch?v=XQVm0ebdz3E

Object Lock conditions:
Object Lock had to be enabled at bucket creation time. (AWS now allows enabling it on an existing bucket, but exam version SCS-C02 has not been updated to reflect this, so answer according to the older behaviour.)
Versioning has to be enabled; Object Lock protects individual object versions.
Enabling Object Lock does not retroactively lock objects that are already in the bucket: use S3 Batch Operations to apply retention or a legal hold to existing objects.
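The exam questions on Object Lock come down to which of the three controls (GOVERNANCE retention, COMPLIANCE retention, legal hold) stops which operation, and who can get around it. The following is an added example written for this post, not S3's code and not from the video above: a small decision model of the documented WORM rules, including the s3:BypassGovernanceRetention escape hatch. Object names and dates are constructed.

```python
"""Decision model of S3 Object Lock's rules for a single object version.
This illustrates the documented behaviour; it is not S3's own logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class ObjectVersion:
    key: str
    mode: Optional[str] = None             # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False               # independent of retention; no expiry


def retention_active(v: ObjectVersion, now: datetime) -> bool:
    return v.mode is not None and v.retain_until is not None and now < v.retain_until


def can_delete_version(v: ObjectVersion, now: datetime,
                       bypass_governance: bool = False) -> Tuple[bool, str]:
    """Permanent deletion (DeleteObject with VersionId) or overwrite of a
    specific version. Note that a DeleteObject *without* VersionId is never
    blocked: it only adds a delete marker, the locked version stays.
    bypass_governance models a caller holding s3:BypassGovernanceRetention who
    also sent the x-amz-bypass-governance-retention: true header."""
    if v.legal_hold:
        return False, "legal hold is on; it must be removed first"
    if not retention_active(v, now):
        return True, "no active retention"
    if v.mode == "GOVERNANCE":
        if bypass_governance:
            return True, "GOVERNANCE retention bypassed by an authorised principal"
        return False, f"GOVERNANCE retention until {v.retain_until.isoformat()}"
    if v.mode == "COMPLIANCE":
        return False, "COMPLIANCE retention: nobody, including the root user, can delete early"
    raise ValueError(f"unknown retention mode {v.mode!r}")


def can_change_retention(v: ObjectVersion, new_until: datetime, now: datetime,
                         bypass_governance: bool = False) -> Tuple[bool, str]:
    """Extending retention is always allowed. Shortening follows the deletion
    rules: never in COMPLIANCE mode, only with bypass in GOVERNANCE mode.
    A legal hold does not affect retention changes, so it is cleared here."""
    if not retention_active(v, now) or new_until >= v.retain_until:
        return True, "retention extended or newly applied"
    stripped = ObjectVersion(v.key, v.mode, v.retain_until, legal_hold=False)
    allowed, reason = can_delete_version(stripped, now, bypass_governance)
    prefix = "shortening permitted: " if allowed else "shortening refused: "
    return allowed, prefix + reason


# Constructed sample versions used by the demo below.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=30)
GOV = ObjectVersion("audit/a.log", "GOVERNANCE", LATER)
COMP = ObjectVersion("audit/b.log", "COMPLIANCE", LATER)
HELD = ObjectVersion("audit/c.log", None, None, legal_hold=True)
EXPIRED = ObjectVersion("audit/d.log", "COMPLIANCE", NOW - timedelta(days=1))

if __name__ == "__main__":
    for v in (GOV, COMP, HELD, EXPIRED):
        for bypass in (False, True):
            ok, why = can_delete_version(v, NOW, bypass)
            print(f"{v.key:12} bypass={bypass!s:5} delete={ok!s:5} {why}")
```

The two rules worth remembering from the output: COMPLIANCE mode ignores the bypass flag entirely, and a legal hold blocks deletion regardless of mode or date until someone with s3:PutObjectLegalHold removes it.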

CloudTrail
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html

By default, trails and event data stores log management events, but not data events or Insights events; data events have to be enabled explicitly and are billed separately.
When you enable data events, CloudTrail offers predefined selector templates that log all data events for a resource type (for example, every S3 bucket or every Lambda function), or you can build a custom template with advanced event selectors to log only specific resources, such as a single function or bucket.

AWS CloudTrail Lake lets you run SQL-based queries on your events. On ingestion, CloudTrail Lake converts events from their row-based JSON format to Apache ORC, a columnar format optimised for fast retrieval.
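The management-versus-data distinction above is visible in every CloudTrail record through the managementEvent and eventCategory fields, and it matters during an incident: a default trail would never have delivered the S3 GetObject that exfiltrated the data. The following added example (written for this post, not from AWS or the original article) runs over a handful of constructed, abridged CloudTrail records: it shows what a default trail would have kept, and includes the first check a responder runs when a trail goes quiet, a search for the management calls that stop or narrow logging. Account ID, principals and bucket names are made up.

```python
"""Classify constructed CloudTrail records and flag trail-tampering calls."""
import json
from collections import Counter
from typing import Dict, List

# Constructed, abridged CloudTrail records. Not a real log; account and names are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2025-01-01T09:00:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventVersion": "1.08", "eventTime": "2025-01-01T09:05:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventCategory": "Data", "managementEvent": False, "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q4.xlsx"}},
    {"eventVersion": "1.08", "eventTime": "2025-01-01T09:07:00Z",
     "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "eventCategory": "Data", "managementEvent": False, "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"}},
    {"eventVersion": "1.08", "eventTime": "2025-01-01T09:10:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/mallory"},
     "requestParameters": {"name": "org-trail"}},
]})

# Management APIs that stop, delete or narrow a trail. These are management
# events, so even a default trail records them (and an organization trail
# records the attempt from a member account that is not allowed to make it).
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(raw: str) -> List[dict]:
    return json.loads(raw)["Records"]


def count_by_category(records: List[dict]) -> Dict[str, int]:
    """Counts per eventCategory: Management, Data or Insight."""
    return dict(Counter(r["eventCategory"] for r in records))


def default_trail_view(records: List[dict]) -> List[dict]:
    """What a trail with no data-event selectors would have delivered: only
    the management events. The GetObject and Invoke records are dropped."""
    return [r for r in records if r["managementEvent"]]


def trail_tamper_events(records: List[dict]) -> List[str]:
    """'time actor eventName' lines for calls that disable or narrow logging."""
    hits = []
    for r in records:
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPER_EVENTS:
            hits.append(f'{r["eventTime"]} {r["userIdentity"]["arn"]} {r["eventName"]}')
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("by category:", count_by_category(recs))
    print("default trail keeps:", [r["eventName"] for r in default_trail_view(recs)])
    print("tampering:", trail_tamper_events(recs))
```

The same two filters translate directly into the Lake SQL you would write against an event data store (WHERE managementEvent = false, or WHERE eventSource = 'cloudtrail.amazonaws.com' AND eventName IN (...)); the point of running them over raw records here is to see which fields carry the distinction.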

Organization trail
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html

What is AWS Directory Service?
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html

Amazon Macie
https://docs.aws.amazon.com/macie/latest/user/data-classification.html
Automated sensitive data discovery samples: Macie selects and analyses representative S3 objects from each bucket, not every object.

Sensitive data discovery jobs provide deeper, targeted analysis of the buckets and objects you specify, and are what you run when specific data must actually be inspected rather than sampled.

GuardDuty finding types
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketanonymousaccessgranted

Make sure you memorise common finding types!

AWS Certificate Manager (ACM)
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

To use an ACM certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.

ACM does not install certificates on EC2 instances; the only direct EC2 integration is ACM for Nitro Enclaves. You cannot associate an ACM certificate with an EC2 instance that is not using a Nitro Enclave.

CloudFormation Stack policy
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

You cannot name specific users or roles as the Principal in a stack policy. The Principal element is required but supports only the wildcard (*), so every statement applies to all principals; a stack policy controls which resources may be updated and how, while IAM policies control who may update the stack at all.
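Because a stack policy cannot say who, its only job is to say which resources and which update actions. The following added example (written for this post; not CloudFormation's code, and the logical IDs are constructed) builds the classic policy that protects a database from being replaced or deleted during a stack update, validates it against the rules stated above, and models how CloudFormation evaluates it: an explicit Deny wins, and once any stack policy is set, a resource with no matching Allow is protected.

```python
"""Build, validate and evaluate a CloudFormation stack policy (model only)."""
from fnmatch import fnmatchcase
from typing import List

VALID_ACTIONS = {"Update:Modify", "Update:Replace", "Update:Delete", "Update:*"}


def stack_policy(protected_ids: List[str]) -> dict:
    """Allow any update to any resource, except Replace/Delete on the
    protected logical IDs. Principal is always "*" in a stack policy."""
    return {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "Update:*", "Resource": "*"},
        {"Effect": "Deny", "Principal": "*",
         "Action": ["Update:Replace", "Update:Delete"],
         "Resource": [f"LogicalResourceId/{lid}" for lid in protected_ids]},
    ]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def validate_stack_policy(policy: dict) -> List[str]:
    """Return a list of problems; empty means the policy follows the rules."""
    errors = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Principal") != "*":
            errors.append(f'statement {i}: Principal must be "*" (users/roles are not supported)')
        if st.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
        for a in _as_list(st.get("Action", [])):
            if a not in VALID_ACTIONS:
                errors.append(f"statement {i}: unknown action {a}")
        for r in _as_list(st.get("Resource", [])):
            if r != "*" and not r.startswith("LogicalResourceId/"):
                errors.append(f'statement {i}: Resource must be "*" or LogicalResourceId/<id>')
    return errors


def _matches(st: dict, logical_id: str, action: str) -> bool:
    actions = _as_list(st["Action"])
    resources = _as_list(st["Resource"])
    action_ok = "Update:*" in actions or action in actions
    target = f"LogicalResourceId/{logical_id}"
    res_ok = any(r == "*" or fnmatchcase(target, r) for r in resources)
    return action_ok and res_ok


def update_allowed(policy: dict, logical_id: str, action: str) -> bool:
    """Simplified evaluation: explicit Deny beats Allow, and with a policy in
    place a resource that no Allow statement covers is protected by default."""
    matching = [st for st in policy["Statement"] if _matches(st, logical_id, action)]
    if any(st["Effect"] == "Deny" for st in matching):
        return False
    return any(st["Effect"] == "Allow" for st in matching)


if __name__ == "__main__":
    policy = stack_policy(["ProdDatabase"])
    print("validation errors:", validate_stack_policy(policy))
    for lid, act in [("ProdDatabase", "Update:Modify"), ("ProdDatabase", "Update:Replace"),
                     ("ProdDatabase", "Update:Delete"), ("WebServer", "Update:Delete")]:
        print(f"{lid:13} {act:15} -> {update_allowed(policy, lid, act)}")
```

Modify-in-place on the database (for example a changed backup window) still goes through, while a property change that would force replacement is refused by the Deny statement; a stack update that hits that refusal fails for the whole stack unless the operator supplies a temporary overriding stack policy for that one update.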

EC2 instance connection types
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect.html
Make sure you understand the different connection types and what each one requires.

EC2 Instance Connect is still SSH: it pushes a short-lived, one-time public key to the instance (the EC2 Instance Connect package must be installed there) and needs TCP port 22 reachable, either directly or through an EC2 Instance Connect Endpoint. Session Manager needs no SSH keys, no inbound ports and no bastion host; it requires only the SSM Agent on the instance and an instance profile with the SSM permissions.

If you find this post helpful or have questions please leave a comment below.
