AWS Certified Security Specialty – Path to Cloud Security

I passed my AWS Certified Security – Specialty exam in September 2018 and I would like to share some thoughts on my experience.

First of all, some people asked me why I chose the AWS path to cloud security instead of going for a vendor-neutral cert like CCSP from (ISC)². The main reason is that, before diving into cloud security, I thought it would be useful to get a good understanding of one cloud platform. I chose AWS as they are the leader in cloud computing as of this writing. I studied for and passed the AWS Certified Solutions Architect – Associate exam first. This gave me a good overview of the AWS platform and its capabilities. It took me around another month to prepare for the Security Specialty exam.

The AWS Security Specialty exam covers the following domains:

Domain 1: Incident Response 12%

Domain 2: Logging and Monitoring 20%

Domain 3: Infrastructure Security 26%

Domain 4: Identity and Access Management 20%

Domain 5: Data Protection 22%

How I prepared for the exam

Prerequisites

As I mentioned earlier, before tackling the Security Specialty exam you should have a good understanding of AWS services and their capabilities. You should know what each service can do and how they work together.

On 11th October 2018 AWS announced that they are removing exam prerequisites. This means you can take professional and specialty exams without passing any associate exam. While this is good news for people who are already experienced with AWS, I do not recommend going straight for specialty exams if you're new to cloud and AWS.

You should have a good understanding of cryptography. Topics such as KMS require that you understand what symmetric keys are and how they work. This exam doesn't go into all security topics the way an InfoSec exam does. However, it's good to have at least basic knowledge of InfoSec.

At least one AWS Free Tier account! Remember, the best way to learn and retain what you learn is by actually practicing. To practice topics like cross-account access, you will need two accounts.

Training

AWS Certified Security Specialty (SCS-C01) Exam Guide – This gives a good overview of the exam and the topics covered.

A Cloud Guru AWS Security Specialty course – I used this as the main course material. However, it doesn't cover all the topics. This is expected, as the exam is still relatively new and the course creators are still updating and adding to the course.

White papers and links:

KMS Best Practices white paper:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

AWS Config:
https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/

S3 SSE:
https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

Directory Services FAQ:
https://aws.amazon.com/directoryservice/faqs/

IAM JSON Policies:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

Macie:
https://aws.amazon.com/blogs/aws/launch-amazon-macie-securing-your-s3-buckets/

CloudTrail:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html

SAML:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

Inspector:
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_concepts.html

re:Invent videos

AWS re:Invent 2017: IAM Policy Ninja (SID314)

AWS re:Invent 2017: Best Practices for Implementing AWS Key Management Service (SID330)

AWS re:Invent 2017: A Deep Dive into AWS Encryption Services (SID329)

Exam

The Security Specialty exam is scored from 100 to 1000, with a minimum passing score of 750. The exam is a bit more difficult than the associate-level exams.

Questions are mostly scenario-based. You get a lot of troubleshooting questions as well.

You can download 10 sample questions from AWS – I suggest you use these to get familiar with the type of questions and to learn how to time yourself during the exam.

I don't recommend buying sample questions from third parties. If you don't feel confident, you can purchase an official practice exam from AWS.

If you can comfortably score 80% or more on the sample questions, you should be ready to take the exam. If you feel like you're struggling, take notes on your weak areas and go back and work on them.

Summary

Passing the AWS Certified Security Specialty exam was certainly a fun experience for me. This was a welcome change from doing traditional InfoSec exams. I believe having an AWS associate certification and the Security Specialty is a great way to demonstrate your cloud security skills, especially if your organization is in the process of migrating to the cloud. This will also provide a good foundation to deep dive into evolving cloud platforms and security.

If you like this article and find it useful, please share and comment below.


Comments

  1. Very Informative. Thanks for Sharing.

  2. Thanks a lot for sharing your experience
