Certified Security - Specialty


Attempted the Cert yesterday

I would like to take the time to tell you guys I took the test yesterday and made a 70 and failed. It was the hardest test I have ever taken and if you are looking here and just relying on ACloudGuru you will most likely fail. I would suggest using 2 or even 3 different resources for studying because this course goes in a weird direction and talks about things wrongly or things you don't need. For example, section 2 you might as well skip as I did not get a single question about the shared responsibility model.

If you just want to use this course, here are some extra things you should look at studying before taking the exam:

1. Athena – came up like 10 times in answer choices

2. QuickSight

3. How to make sure that you do not use AWS provided DNS

4. NotPrincipal in IAM policies

5. Why are your CloudTrail logs not logging? Does the bucket not exist?

6. Granting cross-account access to auditors

7. Cognito groups and Cognito Sync triggers and how to place a group of users in restricted

8. What port number do you need to open to successfully use SES

9. What is the Bool MultiFactorAuth condition?

10. How can you recover data from a deleted CMK?

11. Elasticsearch

12. How can you inspect actual network traffic?

13. How should you secure ECS?

14. I had a lot of questions about Organizations and restricting access to only certain resources in a specified account of your org

15. What is the Principal condition?

16. How can you make a policy with a write-once-read-many archiving policy?

In conclusion, do not treat this exam like an associate. Treat it more like a professional, and I greatly encourage you to go out and study more in depth the topics covered in this course.

Chad Eymard

Great advice… thank you.

stephenosei74

thank you

5 Answers

3. How to make sure that you do not use AWS provided DNS – Use a private hosted zone or modify the VPC's DHCP options to a custom one

4. NotPrincipal in IAM policies – All principals (anyone) except the principal mentioned in the NotPrincipal section.

5. Why are your CloudTrail logs not logging? Does the bucket not exist? – CloudTrail does not have a role which grants access to write logs to the bucket

6. Granting cross-account access to auditors – Create cross-account access with SAML with read-only access.

7. Cognito groups and Cognito Sync triggers and how to place a group of users in restricted

8. What port number do you need to open to successfully use SES – 25, 2525, 587, 2587, 465, 2465

9. What is the Bool MultiFactorAuth condition? – Checks whether the request is MFA authenticated or not

10. How can you recover data from a deleted CMK? – The key is not deleted directly; it remains there for 7 days. If it is well within 7 days it can be removed from scheduled deletion. Otherwise it can't be recovered.

11. Elasticsearch – It supports resource-based as well as identity-based policies to secure it; proxy via Nginx if using Kibana

12. How can you inspect actual network traffic? – VPC Flow Logs or a third-party tool like Wireshark

13. How should you secure ECS? – Use an IAM role for each task, security groups and NACLs

15. What is the Principal condition? – To allow or deny the "WHO" part of a policy (user, service etc.)

16. How can you make a policy with a write-once-read-many archiving policy? – Vault Lock policy, which is immutable
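Item 9 above (the Bool MultiFactorAuth condition) hides a pitfall that the exam likes: the `aws:MultiFactorAuthPresent` key is only present in the request context for temporary credentials (console or STS sessions), so a request signed with a long-term access key has no such key at all. Which condition operator you choose therefore decides whether an access key slips past an "MFA required" policy. The block below is an added illustration, not code from the answer above and not the real IAM engine: a small Python model of just the `Bool`, `BoolIfExists` and `Null` operators with IAM's explicit-deny / default-deny evaluation, run against three constructed request contexts and three policy variants. Policy dicts and contexts are constructed for the example.

```python
"""Minimal model of how IAM evaluates the aws:MultiFactorAuthPresent key.

Added example for the MFA condition question. This is not the real IAM
evaluation engine; it models only the condition operators that matter here
(Bool, BoolIfExists, Null) and the explicit-deny-wins / default-deny rule.
All request contexts and policies below are constructed for illustration.
"""
from __future__ import annotations

from typing import Any

# Constructed request contexts. IAM populates aws:MultiFactorAuthPresent only
# for temporary credentials; a long-term access key carries no key at all.
MFA_SESSION: dict[str, str] = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_SESSION: dict[str, str] = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY: dict[str, str] = {}  # long-term credential: key absent

ALLOW_ALL = {"Effect": "Allow", "Action": "*", "Resource": "*"}

# Variant 1 (common mistake): Deny when the key is false. A missing key makes
# the Bool condition false, so the Deny never applies to access keys.
NAIVE_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        ALLOW_ALL,
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Variant 2: Deny unless the key exists and is true. BoolIfExists treats a
# missing key as a match, so access keys are denied too.
STRICT_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        ALLOW_ALL,
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Variant 3: only Allow when the key is present and true; everything else
# falls through to the implicit (default) deny.
CONDITIONAL_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


def condition_matches(condition: dict[str, dict[str, str]], ctx: dict[str, str]) -> bool:
    """Evaluate a Condition block: every operator/key pair must hold (AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            want = expected.lower()
            if operator == "Bool":
                # Missing key -> condition is false -> statement does not apply.
                if key not in ctx or ctx[key].lower() != want:
                    return False
            elif operator == "BoolIfExists":
                # Missing key -> condition is true; present key must match.
                if key in ctx and ctx[key].lower() != want:
                    return False
            elif operator == "Null":
                # "true" matches when the key is absent, "false" when present.
                if (key not in ctx) != (want == "true"):
                    return False
            else:
                raise ValueError(f"operator {operator!r} not modelled here")
    return True


def evaluate(policy: dict[str, Any], action: str, ctx: dict[str, str]) -> str:
    """Return 'Allow' or 'Deny': explicit Deny wins, otherwise default Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions and "*" not in actions:
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def decision_matrix(action: str = "s3:GetObject") -> dict[str, dict[str, str]]:
    """Run every policy variant against every credential type."""
    policies = {"naive_deny": NAIVE_DENY_POLICY,
                "strict_deny": STRICT_DENY_POLICY,
                "conditional_allow": CONDITIONAL_ALLOW_POLICY}
    contexts = {"mfa_session": MFA_SESSION,
                "no_mfa_session": NO_MFA_SESSION,
                "access_key": ACCESS_KEY}
    return {p: {c: evaluate(pol, action, ctx) for c, ctx in contexts.items()}
            for p, pol in policies.items()}


if __name__ == "__main__":
    for name, row in decision_matrix().items():
        print(f"{name:18s} {row}")
```

Running it shows the naive Deny lets the access-key request through while both other variants deny it; for the exam, remember that `Bool` on a missing key is false, `...IfExists` on a missing key is true, and `Null` is how you test presence explicitly.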

jmjohnson63660

Give me like half an hour and come back here. I am about to share a ton of my notes and extra tips after I get this stuff typed out.

Marty Chong

I think for 3 they might be talking about disabling DNSResolution and DNSHostnames in the VPC configuration. For 8, while all those port numbers are valid, AWS throttles port 25; 465 and 2465 are for TLS Wrapper, so if the question talked about never having an unencrypted connection you would use these ports.

Athena: It has both IAM policies and ACLs and follows bucket policies. It can be used to read CloudTrail logs on an ad hoc basis. Also, to use it we will need to give access to the Glue Data Catalog. So instead of giving access to all of S3, give access only to select objects, and similarly for the Data Catalog.

Marty Chong

For Athena, it's best to experiment with it to understand its mechanics, but it's basically an on-demand SQL query engine. This blog post here talks about common use cases: https://aws.amazon.com/blogs/big-data/aws-cloudtrail-and-amazon-athena-dive-deep-to-analyze-security-compliance-and-operational-activity/

OK, so since I took the exam early in October I decided to sign up for Linux Academy. I suggest going through their course too if you have the time/money, if you really, really want to make sure you pass. If you don't have the time, I'm sure if you know this course inside and out plus the questions previously posed here you should be fine, but I am here to help you out even more. https://github.com/JuiceTheJiraffe/Jacob-Johnson/tree/master/Notes/AWS-Security-Cert-Study-Material

This link goes to my GitHub account where I have about 47 pages of notes based off of the real exam (answering the questions on my original post with the actual test answers), notes on the Whizlabs tests, and of course ACloudGuru. Since I hand write all my notes first I do not have my Linux Academy notes typed yet. Expect an update to this post mid December with those notes added to the already many notes. In that folder I have the notes and review questions that I use to test myself throughout studying. The notes tend to go hand in hand, but I always make my review questions while writing my notes, so therefore I have review questions based on the Linux Academy course. I highlighted important sections that I think you guys should consider studying before the test because they contain mostly information that is on the test and not covered in ACloudGuru (the sections I highlighted, that is). Also, if you have the money, I would suggest investing in Whizlabs. Even though the tests they had were easier than the actual exam, testing myself is one of the best ways I get a feel for how the actual test might ask questions. I feel that greatly helped, as even though the first time through the exam I only confidently knew 5 questions, I still only failed by 3 questions. I hope this helps everyone out more, and if you have any more questions post them to this forum and I'll be happy to help!

oighodaro

Sir!

oighodaro

Thank you for your notes and post. I owe my passing the exam to you! Good day, sir!

jmjohnson63660

Glad I could help 🙂

This test is much more difficult than the available material from AWS/PSI would lead you to believe, but it is fair, for the most part. I passed it without much studying, having worked extensively with AWS security for the last three years.

The one area they could improve upon is the ambiguity of some of the questions. I would estimate that 1/4 of the questions on my test had more than one right answer, leaving you to pick the best right one. IMO, that sort of thing belongs on a psychology test, not a certification exam.

AWS is known for frequently updating the questions on their tests, so your best bet is to spend the time to truly understand the source material.  Know KMS, VPCs, S3 security, and everything about IAM really well, and you’ve got the fundamentals covered.

Thanks for the article. I passed this exam on 11th Dec 2018, and this article helped in understanding the gaps in my knowledge and areas I had missed in my preparations.
