So last Thursday I sat the Security Specialty Exam and passed! Here are some things that I saw on my exam that you can be sure to study in case you see them too. Hope this helps.
Active Directory (AD)
There was an annoying amount of questions around AD so you should probably know this inside and out.
The differences between federation protocols like SAML and OIDC and when to use them.
How AD users are granted permissions and how they are associated with AWS IAM entities (roles, groups, and users).
How STS is involved with AD.
What CLI commands are used with AD.
What CloudTrail tracks in regards to AD.
Cross Account Permissions
There was a lot of scenarios asking how cross-account permissions should be granted to different AWS components.
How to limit permissions from an obscene amount of AWS accounts (1000+) when Service Control Policies (SCP) are NOT an option.
AWS Certificate Manager (ACM)
There were questions asking in-depth questions about ACM.
What Private Certificate Authority (CA) is and how/when to use it.
How certificates are distributed to your AWS entities such as: CloudFront, ELB, EC2, etc.
The number of certificates you need for a given scenario.
The region in which ACM certificates are stored.
How public/private certificates are managed.
3 Answers
Congratulations Jutin ! Any whitepapers or reinvent videos you found helpful and would recommend I am planning to take the exam in next 2 weeks
Thanks! I read the KMS Best Practices whitepaper and would recommend it (even though they can be such a drag). I didn’t watch any re:invent videos for any of the certs I hold.
Congratulations, nicely done! That’s a lot of brilliant feedback too (Active Directory is an interesting one there), and hopefully, it helps others with their studies as well. Well done, and enjoy your success!
Best of luck with the next steps on your cloud journey!
Thanks! I couldn’t have done it without acloud.guru.
I’ve just completed Security speciality exam & found few more topics appeared:
ACM, IOT, ADFS & Cloud directory, IPS & review VPC logs to find correct answer.
Thanks for the tips. I too saw VPC Flow Logs, but only a couple questions and the picture was easy to tell what happened. I don’t remember seeing IOT on my exam though. Could you elaborate a bit on the IOT questions you saw? I’m curious.
If you can’t use SCPs, what can you use? AWS Organisations?
I didn’t see any answer with a mention of AWS Organizations, OUs, or SCPs which is where my mind immediately went when I read 1000+ AWS accounts need access restrictions applied. There were numerous options such as: 1) Listing ALL the AWS account ids in an IAM/Bucket policy; 2) Using Lambda to Change IAM/Bucket Policies Programmatically; 3) Settings up a Trust between the central account and the other 1000+ and using something like STS to delegate access. There were some other options I can’t recall anymore… I can’t speak to what I think the right answer is because I’m not confident I got that question right.
That’s a tough one. Thanks for the reply. I have the exam on Thursday so this update has been really useful.
I passed too – questions said above did not overlap – there was one question specifically about Cognito internals, ACM Private Certs, a few IAM Policy statements showing Effect, Action, Policy etc. and which one best describes the above requirment and other way around – for this IAM statement, what does this mean? It was hard for me but I passed with mid-range score.
Wonder if a policy like the following would work for that deny: "Effect": "Deny", "Action": "s3:", "Resource": "", "Condition": { "StringLike": { "aws:SourceAccount": "12345678910" } }
Which would deny everyone but the stated source account from any s3 actions.
I’m taking the exam this coming Saturday. If I see a question like that I’m looking for the option to set up cross account access for each of the other accounts. Have each of the account provide a unique self assigned "ExternalID" to be required as a condition in the Trust policy created in the central account. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html