Hey all! I took the beta exam today, thought it might help some people out to post about the experience.
I went through the existing ACG course first, which was created around the 2016 beta exam. I went into the exam today figuring that there would be some missing pieces, but since the beta comes with a free retake I figured it’d be a good experience regardless of outcome.
I would say that the current version of the ACG course does cover a lot of the exam and has a lot of value. Of course in typical AWS exam fashion, the questions are generally scenario based, so real world experience applying what ACG teaches definitely makes a big difference working through this exam. I do remember thinking during taking it that I was lucky to have worked on some projects which used these services at a deeper level, or I wouldn’t have been prepared.
I had 70 questions, 180 minutes.
Encryption made up almost 1/2 of my exam. KMS was a huge component, lots of scenarios around encrypting data at rest. You need a very clear understanding of the encryption options for core services. S3 managed keys vs KMS managed keys came up multiple times. Also be familiar with recovery options in the event of a deleted KMS key, your options are for disabling / deleting keys, and how automatic/manual key rotation works. This came up in at least a few questions.
Additional items to research on top of the ACG course:
Encryption in transit – I had several questions involving SSL termination on ELBs.
AWS Certificate Manager – understand automatic renewals, and interfacing with CloudFront (hint – us-east-1!)
Cognito – have a high level understanding of use cases for Cognito and how it uses IAM policies.
Active Directory – high level understanding of using an external identity provider to have users assume roles without creating IAM users. This is covered well in other ACG courses – referencing those should be plenty.
Cloudwatch Logging Agent! – I think I had 7-8 questions related to this. How does it work? How do you troubleshoot when you’re not seeing logs show from "some" instances?
EC2 Systems Manager – Another 5-6 questions here. Understand use cases for this.
API Gateway / Lambda / S3 – There were several questions based on this serverless architecture. You don’t need to be able to write a serverless app to get through them, but you DO need to have an understanding of how these components work together. I had at least 3-4 questions relating to troubleshooting issues around this architecture.
CloudWatch/CloudTrail/AWS Config – If you don’t use all of these services regularly, I’d watch and re-watch these modules. This was probably 25% of my exam.
And the big surprise of the day, CloudHSM – NOTHING. I know the initial 2016 beta had a ton of CloudHSM, which is why it makes up a good chunk of the ACG course, but I didn’t have a single question about it. That said, definitely do the lessons! Maybe I just had a weird exam, maybe they’re not focusing on it, who knows. But as Ryan will tell you in the course, if an employer is looking for someone with experience with it, it could be very valuable to you, and for just a couple hours worth of work to get the experience it’s a great investment.
My thoughts in summary:
1- It’s a beta exam, and you get a free retake once the exam is released if you don’t pass, and it’s 1/2 price! You really can’t lose by taking this now.
2- The ACG course is great. CloudHSM was the only thing in the course I didn’t run into, but still valuable. You won’t be wasting any time by taking the course in its current state. I’m sure Ryan’s working away on getting out the new material, but I wouldn’t skip out on the opportunity for the beta waiting for the material (PS – Ryan, you have an eta?)
3- Dig into the additional items I mentioned above.
4- Log into your AWS console and check out every single service listed under Security. There are newer services there that appear in questions. Get a high-level understanding of what they do, and be ready for AWS to try to trick you into thinking that they do things that they don’t do.
Good luck! It was a fun exam, I’m hoping to not need to take it again in a couple months but really won’t be bummed if it goes that way.
Okay Cloud Gurus, that’s it for this lecture. 😉
Awesome! Thanks for the heads up.
Thank you for taking time to write this up. Much appreciated!
Thank you!! Keep being awesome.
I took the beta exam last weekend as well, and my experience is the same. There are no questions for CloudHSM, and KMS has a huge part.
You already covered all the important components in my exam.
Additionally, worth reviewing below points:
- IAM root account activity, how to monitor
- DynamoDB encryption with AWS KMS: https://aws.amazon.com/blogs/security/three-data-at-rest-encryption-announcements/
- AWS WAF
Thanks for providing this information!!
Cloudwatch Logging Agent! – I think I had 7-8 questions related to this.
How does it work? How do you troubleshoot when you’re not seeing logs show from "some" instances?
I am assuming it is all based on Cloudwatch Logs
Do you have any other reference material for this especially around troubleshooting, other than checking the agent / policy / size limitation?
Thanks for the post. I took the exam last year and am going to take it again at the end of this month for free. Based on your syllabus, it sounds like the exam hasn’t changed a whole lot.
For those of you thinking about taking the exam, make no mistake about it, it’s difficult. I don’t know if I passed it last year because AWS scrapped it and refunded everyone who took it. It’s a professional level exam, so be prepared. You’re not going to get a question like "what AWS service provides user activity logs?" Forget it.
I like ACG courses, and Ryan’s teaching style, but I can tell everyone that this particular course only scratches the surface. I took it when it first came out before taking the exam last year and I’m here to tell you in no uncertain terms that it is only a start. My advice to you is rely heavily on the AWS documentation. You can’t just have a passing knowledge of all the different security features. You really have to understand each one and how they are applied to achieve a particular outcome. Good luck!
Awesome. THANK YOU!
Thanks a lot for sharing, great information.
Thanks to all above for your submissions and suggestions. All of it helpful. I and a colleague of mine both sat for the beta exam today, having opted to give ourselves as much time to prepare as possible. Since today is the last day to take the beta version of the exam these notes may not help as much as those above, but I’m adding anyway so the topics may be included in future updates to the course material.
I wonder if AWS has continued to tweak the question pool throughout the beta period. I say this because we were both presented with questions on topics that we haven’t seen mentioned above. Also, some of the topics were presented in slightly different formats or worded in ways that differ from what we’ve seen others mention.
A couple of the topics we faced were:
AWS Vault Locks (a feature of AWS Glacier). The question had to do with how to effect policy changes on a vault that has already been locked. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html
AWS Athena. A couple of the questions included answers that suggested Athena might be used to query CloudTrail logs stored in S3 to find information about anomalies, etc. with other choices being to query logs in CloudWatch. On the surface both seem to be valid approaches, but you have to choose the ‘best’ option.
SSM Parameter Store – had a couple questions on this, but the format of the question came in terms of troubleshooting why a command might be getting an access error when trying to use a secure string, and you had to know which action was missing from the policy statement for the service that was trying to read the parameter. I’m pretty sure it needed kms:decrypt, but I don’t recall the question in exact form to know for sure.
In general I think the test was fair and I’m happy to see they are making these tests more difficult to pass. A few questions seemed to be poorly worded and I expect analysis of the answer distributions will reflect that and be weeded out. The course material has been helpful, but I agree with others that this is not a test you’re likely to pass without getting your hands very dirty by experimenting both in the console and also with the CLIs and the SDKs.
Thanks again to all for posting your experiences. Hope to pass of course, but the more important thing is we’re learning a lot by going through this process, and the community here makes it more enjoyable.
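An added example for the SSM Parameter Store troubleshooting scenario above (my own code, not from any poster, the ACG course or AWS): a simplified offline check of an IAM identity policy for the two permissions a SecureString read with decryption needs, ssm:GetParameter on the parameter and kms:Decrypt on its customer managed key. The account id, key id and parameter name are constructed placeholders, and the evaluation ignores the KMS key policy and statement Conditions.

```python
import fnmatch

# Constructed placeholders (not real resources): a SecureString parameter and the
# customer managed KMS key it is encrypted under.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
PARAM_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/prod/db/password"

# Policy as found on the failing role: it can read the parameter but cannot
# decrypt it, so GetParameter with WithDecryption=true gets an access error.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/*"},
    ],
}

# Corrected policy: the same statement plus kms:Decrypt scoped to the one key.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": BROKEN_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive, resource ARNs are not; '*' and '?' are wildcards.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    res = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res))

def allows(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, then any Allow.
    Ignores Condition, NotAction/NotResource and the KMS key policy."""
    stmts = _as_list(policy["Statement"])
    if any(s.get("Effect") == "Deny" and _matches(s, action, resource) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _matches(s, action, resource) for s in stmts)

def missing_for_securestring(policy, param_arn, key_arn):
    """Permissions still missing for reading a SecureString with WithDecryption=true."""
    needed = [("ssm:GetParameter", param_arn), ("kms:Decrypt", key_arn)]
    return [action for action, arn in needed if not allows(policy, action, arn)]
```

Running `missing_for_securestring` against a role's policy document turns the vague "access denied" into the name of the action that is absent.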