Certified Security - Specialty

Failed Security Specialty – lots of topics not covered in the course

I took the Security Specialty exam today and failed. There were a lot of topics absolutely not covered in this course.

1- Debugging IAM policies, S3 policies and ACLs, which is supposed to be a big topic, was … just 1 question

2- I had 5 questions about AWS Athena to use it to query logs.

3- I had 2 questions on AWS Artifact

4- I had 5 questions on compromised EC2 forensics, none of which could be answered with what is presented in the course. 3 questions were about capturing/accessing memory core dumps

5- I had about 4 questions on using AWS Organizations, especially how to use it and set it up to restrict root accounts

6- I had 2 questions about AWS Lambda@Edge (which I had no clue what it was) for security (like manipulating HTTP headers)

7- 1/3 of the questions were about KMS, and especially lots of detailed questions about KMS keys’ JSON policies. At least 5 questions were about correcting KMS key JSON policies, requiring you to know by heart all the fields of a KMS key policy

That’s about 1/3 of the exam on things I didn’t know about/had never heard of. Too much unknown to pass.

Also a lot of questions were about cross-account access, whether it was about restricting it, troubleshooting it, or allowing it with least privilege, for all sorts of services
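Since the KMS questions in point 7 above come down to knowing the fields of a key policy and the one statement that is easy to leave out, here is an added example (not from this thread or the course) that lints a constructed key policy and emits a corrected one. The account id, the user name and the weak policy itself are placeholders constructed for the example; the checks encode documented KMS behaviour, namely that the key policy is the primary access control for a key, that Resource in a key policy is always "*", and that IAM policies can only grant access to a key if the key policy delegates to the account root.

```python
"""Added example, not from the thread: lint and fix a KMS key policy.

Assumptions (not in the original post): the account id and user name are
placeholders and the weak policy is constructed for illustration.
"""
import copy

ACCOUNT_ID = "111122223333"                      # placeholder account id
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
POLICY_VERSION = "2012-10-17"                    # the version KMS generates

# Constructed weak policy: only one user can administer the key, nothing
# delegates to the account (so IAM policies are ignored for this key), and
# a wildcard principal can decrypt without any condition.
WEAK_KEY_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Allow key admin",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*",
                       "kms:Put*", "kms:Update*", "kms:Disable*",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "Anyone can decrypt",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", {"AWS": ...}, {"Service": ...})."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for v in principal.values():
        out.extend(_as_list(v))
    return out


def lint_key_policy(policy):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append(f"Version should be {POLICY_VERSION}")
    delegates_to_account = False
    for i, stmt in enumerate(policy.get("Statement", [])):
        for field in ("Effect", "Principal", "Action", "Resource"):
            if field not in stmt:
                findings.append(f"statement {i}: missing {field}")
        if any(r != "*" for r in _as_list(stmt.get("Resource", "*"))):
            findings.append(f"statement {i}: Resource in a key policy must be '*'")
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "*" in principals and "Condition" not in stmt:
            findings.append(f"statement {i}: wildcard Principal with no Condition")
        if stmt.get("Effect") == "Allow" and ROOT_ARN in principals and "kms:*" in actions:
            delegates_to_account = True
    if not delegates_to_account:
        findings.append(f"no Allow of kms:* to {ROOT_ARN}: IAM policies cannot grant "
                        "access to this key and only the listed principals can manage it")
    return findings


def fix_key_policy(policy):
    """Return a corrected copy: right version, account delegation, no open wildcard."""
    fixed = copy.deepcopy(policy)
    fixed["Version"] = POLICY_VERSION
    fixed["Statement"] = [s for s in fixed["Statement"]
                          if not ("*" in _principals(s) and "Condition" not in s)]
    # The statement KMS itself puts first in a default key policy.
    fixed["Statement"].insert(0, {
        "Sid": "Enable IAM policies",
        "Effect": "Allow",
        "Principal": {"AWS": ROOT_ARN},
        "Action": "kms:*",
        "Resource": "*",
    })
    return fixed


if __name__ == "__main__":
    for finding in lint_key_policy(WEAK_KEY_POLICY):
        print("finding:", finding)
    print("after fix:", lint_key_policy(fix_key_policy(WEAK_KEY_POLICY)))
```

The "Enable IAM policies" statement is the one to look for first in any key policy question: without it, the key can only be used and administered by the principals named directly in the key policy, whatever IAM policies say.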

Matthieu Lienart

BTW, here is why Athena was heavily featured: https://docs.aws.amazon.com/athena/latest/ug/querying-AWS-service-logs.html What I got confused by is that it doesn’t work (yet) with CloudWatch Logs
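As an added example (not part of Matthieu's comment or of the linked guide), here is the "who used the root account, and from where" question that the linked Athena page is typically used for, run in plain Python over constructed CloudTrail records so it works offline. The Athena query kept in the block assumes a table named cloudtrail_logs built from the S3 delivery of CloudTrail as the guide describes; the records are made up for the example and trimmed to the fields used.

```python
"""Added example, not from the thread: root-usage and failed-login detection
over constructed CloudTrail records, with the equivalent Athena query.

Assumptions: SAMPLE_LOG is constructed for the example, and the Athena table
name cloudtrail_logs is assumed.
"""
import json
from collections import Counter

# Equivalent Athena SQL (table name assumed). Athena reads the CloudTrail
# files delivered to S3, so the trail has to be logging to a bucket.
ATHENA_EQUIVALENT = """
SELECT eventtime, eventname, sourceipaddress, errorcode
FROM cloudtrail_logs
WHERE useridentity.type = 'Root'
ORDER BY eventtime
"""

ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
        "accountId": "111122223333"}

# Constructed CloudTrail log file (placeholder account id and RFC 5737 IPs).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-01T08:00:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ROOT, "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2019-03-01T08:00:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ROOT, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-01T08:02:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ROOT, "requestParameters": {"userName": "backup"}},
    {"eventTime": "2019-03-01T09:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2019-03-01T09:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
]})


def load_records(text):
    """CloudTrail delivers a JSON object with a top-level Records array."""
    return json.loads(text)["Records"]


def root_activity(records):
    """Mirror ATHENA_EQUIVALENT: every event performed as the account root."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
            for r in sorted(records, key=lambda r: r["eventTime"])
            if r["userIdentity"].get("type") == "Root"]


def failed_console_logins(records):
    """Count failed console sign-ins per (principal ARN, source IP)."""
    counts = Counter()
    for r in records:
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            counts[(r["userIdentity"]["arn"], r["sourceIPAddress"])] += 1
    return counts


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in root_activity(recs):
        print("root activity:", *row)
    for key, n in failed_console_logins(recs).items():
        print("failed console login:", key, n)
```

The sample is deliberately the sequence a responder wants to spot: a failed root login, a successful one from the same address, then a new access key created as root.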

stephenosei74

I couldn’t agree with you more. I have taken this course as well and am preparing for my exam. I’ve been a little busy at work so I'm taking my time, but I think A Cloud Guru can do better. Especially looking at the responses from fellow students, the course needs more practical stuff, especially since this is a specialty exam and it’s not about rushing to show a demo. This exam, from all indications, is a broad one and requires extensive coverage of the literature.

Christophe Rickli

Hi, I did the exam yesterday and I failed as well. Like Matthieu I got a lot of questions about Athena, some about Artifact and Macie (for PII), a few on Organizations and so on. One of the questions was about configuring an S3 bucket policy for Write-Once-Read-Many, including archiving. And yes, KMS was present in some questions, in my case more around CMK management, partly covered by the course, partly not. I was underprepared for sure; aside from Organizations, which I had used myself, I got at least 20 questions that were not directly covered by the course. I’ll wait for my detailed result (to know if I missed by a few points or many) before going forward.

2 Answers

I agree with the comments above. The exam is more intense (than the Solutions Architect Associate) with surprisingly wide coverage. I sat the exam today and passed (awaiting score detail). The ACG and other online training only really sets you up for 50-60% of the questions asked, in the way they are asked in the exam. Common themes are KMS, S3 policies, Organizations SCP policies, and several questions on compromised EC2 handling with forensic investigation and response. Cognito was the answer 3 times, including mobile app and OIDC. CloudFront, ALB, WAFs, AWS Certificate Manager. Root account and cross-account IAM roles and policies for shared S3. VPC peering and penetration testing. VPNs, Direct Connect, EBS storage, EC2 Systems Manager in relation to CVE audit reviews and patching. One on CloudHSM.

I was surprised by the AWS practice exam, which is VERY different from the main exam. I used Udemy for exam practice, as ACG doesn’t have any exam sets. Very similar questions to the AWS practice exam, but it only covers 50-60. You will need knowledge from the associate exams, e.g. I got questions on SQS policy security, Redshift security key usage, DynamoDB encryption deployment, and tagging resources and the benefits of doing this over time.

I used various additional re:Invent 2017 videos (security best practices, response automation, soup-to-nuts federation), plus FAQs, reading docs, etc., plus my time-served knowledge of security basics and fundamentals around PKI, encryption, network security groups and NACLs.

It was a fair exam, with a few giveaway questions with obviously wrong statements. The key is knowledge of AWS services and their relationship with security functions or capabilities.
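Added example, not from the answer above: the Organizations SCP pattern that denies the root user of member accounts (the aws:PrincipalArn condition from the AWS SCP examples), together with a small evaluator showing that SCPs filter rather than grant permissions. Account ids and the policy texts are constructed for the example; the evaluator implements only StringLike/StringEquals conditions and action wildcards, which is all these two policies use, and ignores Resource because both policies use "*". It is a teaching evaluator, not the IAM engine.

```python
"""Added example, not from the thread: a deny-root SCP and a toy evaluator
showing that an SCP only filters what IAM can grant in a member account.

Assumptions: account ids are placeholders; only StringLike/StringEquals
conditions, action wildcards and Allow/Deny are implemented (no NotAction,
no Resource matching, no other operators).
"""
from fnmatch import fnmatchcase

# The default SCP attached to every root/OU/account when SCPs are enabled.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny the root user of member accounts from doing anything. Remember that
# SCPs never restrict the management account, only member accounts.
DENY_ROOT_USER = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRootUser",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are matched case-insensitively with * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """All condition keys must match (AND); any value in a list may match (OR)."""
    for operator, pairs in (condition or {}).items():
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None:
                return False
            if operator == "StringLike":
                if not any(fnmatchcase(value, p) for p in _as_list(patterns)):
                    return False
            elif operator == "StringEquals":
                if value not in _as_list(patterns):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def scp_permits(scps, principal_arn, action):
    """True if the SCPs let IAM grant `action` to `principal_arn`.

    An explicit Deny in any SCP wins; otherwise at least one Allow must
    match, because with no matching Allow the action is implicitly denied
    (which is what happens if FullAWSAccess is detached without a
    replacement allow list).
    """
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if not _action_matches(stmt.get("Action", []), action):
                continue
            if not _condition_matches(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    member_root = "arn:aws:iam::111122223333:root"
    member_user = "arn:aws:iam::111122223333:user/alice"
    attached = [FULL_AWS_ACCESS, DENY_ROOT_USER]
    print("root s3:GetObject:", scp_permits(attached, member_root, "s3:GetObject"))
    print("alice s3:GetObject:", scp_permits(attached, member_user, "s3:GetObject"))
    print("alice, deny-only SCP:", scp_permits([DENY_ROOT_USER], member_user, "s3:GetObject"))
```

Even with the SCP in place the member root user still exists, so the other half of the exam answer is still to lock root down in each account (MFA, no access keys) and to alert on its use.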

bethuhlmann

Agree with all above. Seems like ACG needs to be updated to include some of these topics; at the very least, to include Athena.
