Hi Everyone
2 weeks ago I passed the Security Speciality exam and wanted to give some feedback and tips on the exam. I managed 925/1000.
I found the exam fair, and some of the areas of knowledge were from a general platform security domain and not specifically related to AWS, hence needing more background in security.
I found that many of the areas were covered by the ACG courses, so well done on the excellent content. There were a few questions that posed requirements for URL-whitelisted access to EC2 instances, which is not an option with AWS services, and the answer was to use a 3rd-party product, so having knowledge of the capabilities and limitations of AWS offerings is important.
There were questions on all the new stuff including Macie, Athena and GuardDuty, all of which need to be known inside out. One area that it may be worth improving in the course, or at a summary section, is which tools to use where. Amazon have so many (GuardDuty, Trusted Advisor, Inspector, CloudWatch, CloudWatch Logs, CloudTrail, Config etc.) that you need to know which combination should be used together; sometimes there is overlap, and knowing the limitations of each is important.
I personally think the security aspects of Trusted Advisor need to be added into another product (Config probably), as then it’s not really useful.
There were 3 questions on linking AWS IAM to Active Directory, including how to do it, requirements such as connectivity to corporate AD, and the process for authentication. There were also some questions on AD trusts and Amazon Directory Service. It is also important to understand how SAML assume role works, and it is probably worth adding some example policies with the SAML provider showing how you allocate AWS access to AD users in IAM policies.
It may be worth adding some example use cases to the course on how to do real-time threat analysis, as again there are many ways to do this, but I think Kinesis was probably the way to go.
I used the ACG course (thanks for the 2019 updates) and exam simulator. I then read the FAQs and documentation for all of the key services including IAM, CloudTrail, CloudWatch, GuardDuty, Trusted Advisor, Inspector, Config etc., but also read up on how encryption is managed by KMS by way of envelope encryption.
You need to know how to rotate keys manually (don’t delete the old key) and use alias keys in KMS, as well as the 12-month rotation policy by default. If you need something different, then it’s Lambda and CloudWatch Events you need.
Know when you should use WAF and Shield. I had a question about SSL termination for legacy applications through a Network Load Balancer, for which, again, the Amazon services were not the answer. Know that WAF only works with CloudFront and ALB!
I also had a voucher in my AWS account for a free trial exam of 20 questions, which I thought was useful as the questions match what you will see in the real exam.
Finally, Amazon have their own 2-hour preparation course on AWS.training which is really good, as it covers how to break down the questions and the domains nicely.
All in all this was a good challenge and A Cloud Guru has the best training course for this certification and I enjoyed Ryan and Faye’s learning style again.
Good luck to everyone in the exam. I used most of the time for this one unlike the architect associate exam.
All in all, know VPC security, IAM, KMS like the back of your hand and understand how all the AWS security services work to secure your account.
Enjoyed this one and using everything I have learned in my job. Now on to some Azure training before doing my professional architect certification next year.
Thanks to ACG again for the excellent resources!
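An added example of the kind of SAML federation policy the post mentions (not from the original post or from ACG): a role trust policy that lets Active Directory users who have authenticated through a SAML identity provider registered in IAM call sts:AssumeRoleWithSAML. The account ID 123456789012, the provider name CorpADFS and the statement ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowADUsersViaSAMLProvider",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/CorpADFS"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

Which AD users or groups get this role is decided on the identity provider side, where the SAML assertion's Role attribute carries the role ARN paired with the provider ARN; the permissions the role grants come from its attached permissions policies, and the SAML:aud condition rejects assertions not issued for the AWS sign-in endpoint.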
Thank you (1+)