I took the Security Specialty exam today and failed. There were a lot of topics absolutely not covered in this course.
1- Debugging IAM policies, S3 policies and ACLs, which is supposed to be a big topic, was … just 1 question
2- I had 5 questions about AWS Athena to use it to query logs.
3- I had 2 questions on AWS Artifact
4- I had 5 questions on compromised EC2 forensics, none of which could be answered with what is presented in the course. 3 questions were about capturing/accessing memory core dumps
5- I had about 4 questions on using AWS Organizations, especially how to use it and set it up to restrict root accounts
6- I had 2 questions about AWS Lambda@Edge (which I had no clue what it was) for security (like manipulating HTTP headers)
7- 1/3 of the questions were about KMS, and especially lots of detailed questions about KMS keys’ JSON policies. At least 5 questions were about correcting KMS keys’ JSON policies, requiring one to know by heart all the fields of a KMS key policy
That’s about 1/3 of the exam on things I didn’t know about/had never heard of. Too much unknown to pass.
Also, a lot of questions were about cross-account access, whether it was about restricting it, troubleshooting it, or allowing it with least privilege, for all sorts of services.
I couldn’t agree with you more. I have taken this course as well and am preparing for my exam. I’ve been a little busy at work so I am taking my time, but I think A Cloud Guru can do better. Especially looking at the responses from fellow students, the course needs more practical stuff, especially since this is a specialty exam and it’s not about rushing to show a demo. This exam, from all indications, is a broad one and requires extensive coverage of the literature.
I agree with the comments above. The exam is more intense (than the Solutions Architect Associate) with surprisingly wide coverage. I sat the exam today and passed (awaiting score detail). The ACG and other online training only really set you up for 50-60% of the questions asked, in the way they are asked in the exam. Common themes are KMS, S3 policies, Organizations SCP policies, and compromised EC2 handling with forensic investigation and response (several questions). Cognito Service as the answer 3 times, including mobile app and OIDC. CloudFront, ALB, WAFs, AWS Certificate Manager. Root account and cross-account IAM roles and policies for shared S3. VPC peering and penetration testing. VPNs, Direct Connect, EBS storage, EC2 Systems Manager in relation to CVE audit reviews and patching. One on CloudHSM.
I was surprised by the AWS practice exam; it is VERY different from the main exam. I used Udemy for exam practice, as ACG doesn’t have any exam sets. Very similar questions to the AWS practice exam, but it only covers 50-60. You will need knowledge from the associate exams, e.g. I got questions on SQS policy security, Redshift security key usage, DynamoDB encryption deployment, and tagging resources and the benefits of doing this over time.
I used various additional re:Invent 2017 videos (security best practices, response automation, soup-to-nuts federation), plus FAQs, reading docs etc., plus my time-served knowledge of security basics and fundamentals around PKI, encryption, network security groups and NACLs.
It was a fair exam, with a few giveaway questions with obviously wrong statements. The key is knowledge of AWS services and their relationship with security functions or capabilities.