After 7 days of intense studying, I sat for the Security Beta exam last Monday. I will say I was highly disappointed with the original beta exam and I wrote a lengthy comment at the end of the 2016 exam on how unfulfilling the exam felt and the exam just didn’t seem like it was worthy of AWS. While I would like to take credit for the reevaluation of the exam, I am quite sure a lot of us felt the same way. With that, the current beta exam is nothing like the one before and my overall feeling of the exam is quite good, a lot of great scenarios based on common security mistakes I have unfortunately encountered in real life.
So some things to study if you are planning to take this exam:
As many people have said, I also did not get any HSM exam questions!
Make sure you understand the differences between CloudFront signed URLs and signed cookies.
Make sure you understand the differences between CloudTrail, CloudWatch Events, and Config and Config Rules. I had to write them down because many of the scenarios depended on knowing which one is the ‘best’ fit for the request.
Understand Active Directory and the steps to set up AD federation.
Policies, policies, and did I mention policies. Know IAM policies, S3 bucket policies and ACLs, and KMS key policies by heart, and which one takes priority when they are used together. You will need to be comfortable reading a policy with condition statements (IP addresses, MFA and/or access keys).
Know your encryption key types and when to use client-side versus server-side encryption (S3-managed keys versus KMS).
Know how to configure a Classic Load Balancer depending on where TLS needs to terminate, at the load balancer or on the EC2 instance. Understand the ELB security configuration options: Perfect Forward Secrecy, Server Order Preference, and the predefined security policies.
KMS was the topic asked about most for me (30%) and was used in several of the scenarios: key rotation and key deletion, and client-side keys versus AWS managed keys versus customer managed keys.
Have a good understanding of Athena, Lambda, DynamoDB, API Gateway, and Cognito. You do not need to know how to configure them, but you do need to know what role each plays in security.
Understand what AWS Organizations can do.
How do you push EC2 application logs into CloudWatch Logs, and what permissions does the instance need? What is the difference between metrics and log groups/streams?
Understand how Inspector works and what packages are available.
Understand how SSM (Systems Manager) can automate patching for your EC2 instances.
How do you build Security Groups based on a scenario?
Understand Glacier Vaults.
Know how to request penetration testing, and understand that there are pre-approved tools. Remember that it is on a VPC basis, not the account.
How do you deal with a compromised EC2 instance, given that it might be behind an ELB or in an Auto Scaling group?
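The policy-priority point in the list above (IAM policies, bucket policies and their conditions used together) is easiest to see with a worked evaluator. The following is an added example, not code from the original post or from AWS: it models the same-account evaluation order AWS documents (any matching explicit Deny wins, otherwise any matching Allow, otherwise the implicit deny) together with the IpAddress, Bool and BoolIfExists condition operators. Principal matching is assumed to have already been done, KMS key policies are not modelled, and the bucket name, account id, user name and IP ranges are placeholders.

```python
"""Simplified same-account policy evaluation: explicit Deny beats Allow, which
beats the implicit deny. Added illustration, not AWS's evaluator; the bucket
name, account id and user are placeholders."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # Action/Resource strings use '*' and '?' wildcards, matched case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys.

    Supported operators: IpAddress, Bool and BoolIfExists. A missing context key
    makes Bool fail but BoolIfExists succeed, which is why 'deny unless MFA'
    policies use BoolIfExists (long-term access keys carry no MFA key at all)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "IpAddress":
                if actual is None:
                    return False
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c) for c in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one request across every applicable policy.

    Every policy passed in is assumed to apply to the caller (principal matching
    already done), so this models same-account IAM + bucket policy evaluation:
    any matching Deny wins; otherwise any matching Allow; otherwise Deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches_any(stmt["Action"], action):
                continue
            if not _matches_any(stmt["Resource"], resource):
                continue
            if not condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny ends evaluation
            allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed


# Constructed sample: an identity policy granting object access ...
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

# ... and a bucket policy that forbids deletes without MFA and allows reads
# from one office range (203.0.113.0/24 is a documentation-only prefix).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

OBJ = "arn:aws:s3:::example-bucket/report.csv"


def decide(action, context, policies=(IAM_POLICY, BUCKET_POLICY)):
    """Decision for one object request against the constructed policies."""
    return evaluate(policies, action, OBJ, context)


if __name__ == "__main__":
    print(decide("s3:DeleteObject", {"aws:SourceIp": "203.0.113.7",
                                     "aws:MultiFactorAuthPresent": "true"}))
    print(decide("s3:DeleteObject", {"aws:SourceIp": "203.0.113.7"}))  # long-term keys
    print(decide("s3:GetObject", {"aws:SourceIp": "198.51.100.9"}))
```

The second call is the case that trips people up: a request made with long-term access keys has no aws:MultiFactorAuthPresent key at all, so a Deny written with Bool would never fire, while the BoolIfExists form denies it even though the identity policy allows the delete.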
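For the "build security groups from a scenario" item above, here is an added example (not from the original post) that constructs the groups for a typical internet -> ELB -> web tier -> database layout by referencing source security groups instead of CIDRs, and then audits a set of groups for the common mistake of exposing administrative ports to the whole internet. The data is shaped like the IpPermissions element of an EC2 describe_security_groups response; the group ids and the list of administrative ports are constructed assumptions.

```python
"""Build and audit security groups for an ELB -> web -> DB scenario.
Added example on constructed data shaped like EC2 describe_security_groups
output; the group ids are placeholders, not real ones."""
import ipaddress

# Assumption: ports an organisation never exposes to the whole internet.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379}


def port_range(perm):
    """Port span covered by one IpPermission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def open_to_world(perm):
    """True when any CIDR on the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def audit_security_group(sg):
    """Return a list of (group id, finding) tuples for one security group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not open_to_world(perm):
            continue
        if perm.get("IpProtocol") == "-1":
            findings.append((sg["GroupId"], "all protocols open to the world"))
            continue
        low, high = port_range(perm)
        exposed = sorted(p for p in ADMIN_PORTS if low <= p <= high)
        if exposed:
            findings.append((sg["GroupId"], f"admin ports {exposed} open to the world"))
    return findings


def audit_all(groups):
    return [f for sg in groups for f in audit_security_group(sg)]


def tcp_from_group(port, source_group_id):
    """Rule helper: allow one TCP port only from members of another group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}


def tcp_from_cidr(port, cidr):
    """Rule helper: allow one TCP port from an IPv4 CIDR."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": [], "UserIdGroupPairs": []}


# Scenario: internet -> ELB (443) -> web tier (80, only from the ELB group)
# -> database (3306, only from the web group). Group ids are constructed.
SCENARIO_GROUPS = [
    {"GroupId": "sg-elb-example", "IpPermissions": [tcp_from_cidr(443, "0.0.0.0/0")]},
    {"GroupId": "sg-web-example", "IpPermissions": [tcp_from_group(80, "sg-elb-example")]},
    {"GroupId": "sg-db-example", "IpPermissions": [tcp_from_group(3306, "sg-web-example")]},
]

# A commonly seen mistake: SSH open to everyone, and every TCP port open over IPv6.
BAD_GROUP = {"GroupId": "sg-bad-example", "IpPermissions": [
    tcp_from_cidr(22, "0.0.0.0/0"),
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
]}

if __name__ == "__main__":
    for finding in audit_all(SCENARIO_GROUPS + [BAD_GROUP]):
        print(*finding)
```

Chaining the tiers through UserIdGroupPairs is what keeps the web and database groups free of any CIDR-based inbound rule, so the audit only ever flags the one group that opens administrative ports to the world; the IPv6 check matters because a rule limited to ::/0 is just as exposed as one on 0.0.0.0/0.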
Here’s info on CloudFront signed URLs vs signed cookies: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html
I took the exam yesterday and it was pretty much what you outlined here. Neither did I get any HSM questions. I posted a list of topics and corresponding learning resources on my blog: https://pajdzik.com/2018/02/11/my-impressions-after-taking-the-aws-certified-security-speciality-beta-exam/