AWS Certified Security - Specialty Exam Tips and Tricks

17 Aug 2018

If you’re planning on taking the AWS Security Specialty exam, I’ve compiled a quick list of tips that you may want to remember headed into the exam.

I passed the exam on August 18th, 2018. Before taking this exam, I held all three Associate-level certifications. This exam was harder than any Associate exam by far!

  1. Remember that CloudWatch (or any other AWS service) cannot monitor your EC2 filesystems without an agent installed!
  2. Know KMS inside and out - this includes API calls like Decrypt, conditions like kms:ViaService, etc.
  3. Know the KMS key deletion policies and the differences between imported key material and AWS managed keys.
  4. Understand how cross-account access to various resources works.
  5. I had a lot of questions asking how to stop attacks from moving laterally across EC2 instances in a subnet. Most of the time you need to stop the instance and take a snapshot for forensic purposes. You also need to make sure that the security groups in an Auto Scaling group do not allow traffic between instances on the same tier.
  6. Understand the difference between AWS Config, Trusted Advisor, and CloudTrail. They try to mix these up CONSTANTLY to trick you.
  7. Understand how AWS works to limit the “blast radius” of compromised keys in KMS, and the concept of perfect forward secrecy.
  8. Budget your time and flag questions that fluster you. Come back to them later.
  9. Use the test to take the test. Sometimes you will get a question that asks you about a property of an AWS service. Later in the test, you may find a question that references that exact property and gives you the correct answer.
  10. There are usually two blatantly incorrect answers, and two answers that could be right. Narrow down your choices.
  11. CloudHSM was not present on my exam, but questions about Kinesis and Athena were.

Training Materials I Used

Videos I Watched

Whitepapers I Read