17 Aug 2018
If you’re planning on taking the AWS Security Specialty exam, I’ve compiled a quick list of tips that you may want to remember headed into the exam.
I passed the exam on August 18th, 2018. Before taking this exam, I held all three Associate-level certifications. This exam was harder than any Associate exam by far!
- Remember that CloudWatch (or any other AWS service) cannot see inside an EC2 instance: memory, disk-space and filesystem metrics, and log files, only reach CloudWatch when the CloudWatch agent (or a custom script pushing metrics) is installed on the instance. What the hypervisor reports for free is CPU, network and disk I/O counts, not filesystem usage.
- Know KMS inside and out: the API calls (Encrypt, Decrypt, GenerateDataKey, ReEncrypt), the kms:ViaService condition key that restricts a key to use through a particular service such as S3 or EBS, the key deletion workflow (a 7 to 30 day waiting period during which the key is unusable and the deletion can still be cancelled), and the differences between keys with imported key material and keys with AWS-generated material (imported material can be set to expire or be deleted without deleting the key, AWS cannot restore it for you, and such keys cannot be rotated automatically).
- Understand how cross-account access works for the various resource types: IAM roles assumed with sts:AssumeRole under a trust policy, resource-based policies (S3 bucket policies, KMS key policies, SNS and SQS policies) that name a principal in the other account, and the fact that for KMS both sides must allow it (the key policy in the owning account and an IAM policy on the caller in the other account).
- I had a lot of questions asking how to stop an attacker from moving laterally across EC2 instances in a subnet. Most of the time the answer is to isolate the instance (swap its security groups for one with no inbound or outbound rules), then stop it and snapshot its volumes for forensic purposes. You also need to make sure that the security groups used by an Auto Scaling group do not allow traffic between instances on the same tier.
- Understand the difference between AWS Config (records resource configuration over time and evaluates it against rules), Trusted Advisor (best-practice checks for cost, performance, security and fault tolerance) and CloudTrail (an audit log of API calls). They try to mix these up CONSTANTLY to trick you.
- Understand how AWS limits the “blast radius” of a compromised key in KMS (envelope encryption: every object is encrypted under its own data key, only the data keys are encrypted under the CMK, and the CMK never leaves KMS), and the concept of perfect forward secrecy (on the exam this shows up as the ECDHE cipher suites in ELB and CloudFront TLS security policies).
- Budget your time and flag questions that fluster you. Come back to them later.
- Use the test to take the test. Sometimes you will get a question that asks you about a property of an AWS service. Later in the test, you may find a question that references that exact property and gives you the correct answer.
- There are usually two blatantly incorrect answers, and two answers that could be right. Narrow down your choices.
- CloudHSM was not present on my exam, but questions about Kinesis and Athena were.
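The KMS and cross-account tips above come together in a key policy. As an added example (not code from this post or from AWS), here is a policy for a CMK in one account that lets a role in a second account use the key, but only when the request arrives through S3 in one region, via the kms:ViaService condition key. The account IDs, role name, key ARN and region are hypothetical; the `kms` client passed to `apply_key_policy` is a boto3 KMS client, or anything with the same `put_key_policy` method.

```python
import json

# Hypothetical account IDs, role, key ARN and region used throughout this example.
OWNER_ACCOUNT = "111111111111"
GRANTEE_ROLE_ARN = "arn:aws:iam::222222222222:role/app-role"
KEY_ARN = f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
REGION = "us-east-1"

# The actions a principal needs to read and write objects encrypted under the key
# (SSE-KMS needs at least GenerateDataKey for uploads and Decrypt for downloads).
KEY_USE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def via_service_value(service, region):
    """kms:ViaService is matched against the calling service's endpoint name."""
    return f"{service}.{region}.amazonaws.com"


def build_key_policy(owner_account, grantee_arn, region, service="s3"):
    """Key policy for the owning account's CMK: full control for the owner, and
    cross-account use for one role only when the request is made on that role's
    behalf by the named service (here S3) in the named region. A direct
    kms:Decrypt call from the role carries no kms:ViaService key, so it matches
    nothing and is implicitly denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMPoliciesInOwningAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "CrossAccountUseOnlyViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": grantee_arn},
                "Action": KEY_USE_ACTIONS,
                # In a key policy "Resource" is always "*": it means this key.
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": via_service_value(service, region)
                    }
                },
            },
        ],
    }


def build_grantee_iam_policy(key_arn):
    """The other half of cross-account KMS access. The key policy alone is not
    enough: the grantee account must also attach an IAM policy to its role
    allowing the same actions on the foreign key's ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": KEY_USE_ACTIONS, "Resource": key_arn}
        ],
    }


def apply_key_policy(kms, key_id, policy):
    """Install the policy. 'default' is the only policy name KMS accepts."""
    return kms.put_key_policy(
        KeyId=key_id, PolicyName="default", Policy=json.dumps(policy)
    )


if __name__ == "__main__":
    policy = build_key_policy(OWNER_ACCOUNT, GRANTEE_ROLE_ARN, REGION)
    print(json.dumps(policy, indent=2))
    print(json.dumps(build_grantee_iam_policy(KEY_ARN), indent=2))
```

Two checks worth remembering from this: the condition value is the service endpoint name (`s3.us-east-1.amazonaws.com`), so a key locked to one region cannot be used by the same service in another region, and removing the owning account's `root` statement can lock everyone, including you, out of administering the key.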
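The lateral-movement tip above is a procedure: isolate, preserve, stop. Here it is as an added example script (mine, not the post's, and not an AWS-provided tool) built on boto3 calls that exist (`describe_instances`, `modify_instance_attribute`, `create_snapshot`, `stop_instances`, and for Auto Scaling `describe_auto_scaling_instances` and `enter_standby`). The clients are passed in so the logic can be exercised against a fake; the instance, security group and case IDs in the usage block are hypothetical, and the quarantine security group is assumed to already exist with no inbound or outbound rules.

```python
"""Quarantine a suspected-compromised EC2 instance and preserve its disks.

`ec2` and the optional `asg` are boto3 clients, or any objects exposing the
same methods, so the procedure can be run against a fake client.
"""


def quarantine_instance(ec2, instance_id, quarantine_sg_id, case_id, asg=None, stop=True):
    """Isolate first, preserve second, stop last.

    1. If the instance belongs to an Auto Scaling group, move it to Standby so
       the group neither replaces it nor keeps sending it traffic.
    2. Replace every security group on the instance with one quarantine group
       that has no rules at all (cuts off lateral movement in both directions).
    3. Turn on termination protection so the evidence cannot be deleted by a
       scale-in event or a hasty operator.
    4. Snapshot every attached EBS volume, tagged with the case id.
    5. Stop the instance. Stopping destroys memory, so do it only after any
       memory capture you wanted has been taken.
    Returns what was changed so it can be reversed or recorded in the case.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst.get("SecurityGroups", [])]

    if asg is not None:
        membership = asg.describe_auto_scaling_instances(InstanceIds=[instance_id])["AutoScalingInstances"]
        if membership:
            asg.enter_standby(
                InstanceIds=[instance_id],
                AutoScalingGroupName=membership[0]["AutoScalingGroupName"],
                ShouldDecrementDesiredCapacity=True,
            )

    # Groups= replaces the whole security group set on the primary network interface.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})

    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        volume_id = bdm.get("Ebs", {}).get("VolumeId")
        if not volume_id:
            continue  # instance-store devices have no EBS volume to snapshot
        resp = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"forensic {case_id} {instance_id} {bdm['DeviceName']}",
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [
                    {"Key": "Case", "Value": case_id},
                    {"Key": "SourceInstance", "Value": instance_id},
                    {"Key": "SourceVolume", "Value": volume_id},
                ],
            }],
        )
        snapshots.append(resp["SnapshotId"])

    if stop:
        ec2.stop_instances(InstanceIds=[instance_id])

    return {
        "instance_id": instance_id,
        "original_security_groups": original_sgs,
        "snapshots": snapshots,
        "stopped": stop,
    }


if __name__ == "__main__":
    import boto3

    # Hypothetical IDs; the quarantine SG must already exist with no rules.
    print(quarantine_instance(
        boto3.client("ec2"), "i-0123456789abcdef0", "sg-0123456789abcdef0",
        "IR-2018-0001", asg=boto3.client("autoscaling"),
    ))
```

The order matters for the exam questions this tip describes: the security group swap is what stops the instance talking to its neighbours, the snapshots are what you analyse later, and stopping is last because it is the one step you cannot undo for volatile evidence.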
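The “blast radius” tip above is about envelope encryption, and it is easier to see than to read about. The following is an added simulation of mine, not code from this post or from AWS: a stand-in KMS that holds the master key and only ever hands out data keys (plaintext plus wrapped, like GenerateDataKey), objects each sealed under their own data key, and a function showing what a leaked plaintext data key does and does not give an attacker. The keystream is HMAC-SHA256 in counter mode so the example runs on the standard library alone; it is a toy replacing AES-GCM and provides no integrity check, and KMS encryption context is left out.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) used as keystream.
    A stand-in for AES-GCM so this runs with the standard library only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class SimulatedKMS:
    """The master key (the CMK) lives only here and is never returned to callers."""

    def __init__(self):
        self._master_key = os.urandom(32)

    def generate_data_key(self):
        """Like KMS GenerateDataKey: returns (Plaintext, CiphertextBlob)."""
        plaintext_key = os.urandom(32)
        nonce = os.urandom(NONCE_LEN)
        wrapped = nonce + keystream_xor(self._master_key, nonce, plaintext_key)
        return plaintext_key, wrapped

    def decrypt(self, wrapped_key):
        """Like KMS Decrypt on a CiphertextBlob: unwraps one data key."""
        nonce, body = wrapped_key[:NONCE_LEN], wrapped_key[NONCE_LEN:]
        return keystream_xor(self._master_key, nonce, body)


def seal(data_key, wrapped_key, plaintext):
    """Encrypt one object under its own data key and store only the wrapped
    key next to it. The caller must discard `data_key` after this."""
    nonce = os.urandom(NONCE_LEN)
    return {"wrapped_key": wrapped_key, "nonce": nonce,
            "ciphertext": keystream_xor(data_key, nonce, plaintext)}


def encrypt_object(kms, plaintext):
    data_key, wrapped_key = kms.generate_data_key()
    obj = seal(data_key, wrapped_key, plaintext)
    del data_key  # the plaintext data key leaves memory; only KMS can recover it
    return obj


def decrypt_object(kms, obj):
    """Normal path: ask KMS to unwrap this object's data key, then decrypt."""
    data_key = kms.decrypt(obj["wrapped_key"])
    return keystream_xor(data_key, obj["nonce"], obj["ciphertext"])


def decrypt_with_leaked_data_key(data_key, obj):
    """What an attacker holding one plaintext data key, but no KMS access, can do:
    it works for the object that key belongs to and yields garbage for any other,
    which is the whole point of one data key per object."""
    return keystream_xor(data_key, obj["nonce"], obj["ciphertext"])


if __name__ == "__main__":
    kms = SimulatedKMS()
    leaked_key, wrapped = kms.generate_data_key()
    victim = seal(leaked_key, wrapped, b"customer record 1")  # constructed sample data
    other = encrypt_object(kms, b"customer record 2")
    print(decrypt_with_leaked_data_key(leaked_key, victim))
    print(decrypt_with_leaked_data_key(leaked_key, other))
```

The takeaway for the exam: compromising a data key exposes one object, compromising the CMK exposes everything wrapped under it, and the CMK is protected by the key policy and by never leaving KMS, which is why the questions about key policies, grants and ViaService all circle back to this one design.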
Training Materials I Used
Videos I Watched
Whitepapers I Read