Certified Security - Specialty

Sign Up Free or Log In to participate!

I took the Security Specialty beta exam today

Hey all! I took the beta exam today, thought it might help some people out to post about the experience.

I went through the existing ACG course first, which was created around the 2016 beta exam. I went into the exam today figuring that there would be some missing pieces, but since the beta comes with a free retake I figured it’d be a good experience regardless of outcome.

I would say that the current version of the ACG course does cover a lot of the exam and has a lot of value. Of course in typical AWS exam fashion, the questions are generally scenario based, so real world experience applying what ACG teaches definitely makes a big difference working through this exam. I do remember thinking during taking it that I was lucky to have worked on some projects which used these services at a deeper level, or I wouldn’t have been prepared.

I had 70 questions, 180 minutes.


Encryption made up almost 1/2 of my exam. KMS was a huge component, lots of scenarios around encrypting data at rest. You need a very clear understanding of the encryption options for core services. S3 managed keys vs KMS managed keys came up multiple times. Also be familiar with recovery options in the event of a deleted KMS key, your options are for disabling / deleting keys, and how automatic/manual key rotation works. This came up in at least a few questions.

Additional items to research on top of the ACG course:

Encryption in transit – I had several questions involving SSL termination on ELBs.

AWS Certificate Manager – understand automatic renewals, and interfacing with CloudFront (hint – us-east-1!)

Cognito – have a high level understanding of use cases for Cognito and how it uses IAM policies.

Active Directory – high level understanding of using an external identity provider to have users assume roles without creating IAM users. This is covered well in other ACG courses – referencing those should be plenty.

Cloudwatch Logging Agent! – I think I had 7-8 questions related to this. How does it work? How do you troubleshoot when you’re not seeing logs show from from "some" instances?

EC2 Systems Manager – Another 5-6 questions here. Understand use cases for this.

API Gateway / Lambda / S3 – There were several questions based on this serverless architecture. You don’t need to be able to write a serverless app to get through them, but you DO need to have an understanding of how these components work together. I had at least 3-4 questions relating to troubleshooting issues around this architecture.

CloudWatch/CloudTrail/AWS Config – If you don’t use all of these services regularly, I’d watch and re-watch these modules. This was probably 25% of my exam.

And the big surprise of the day, CloudHSM – NOTHING. I know the initial 2016 beta had a ton of CloudHSM, which is why it makes up a good chunk of the ACG course, but I didn’t have a single question about it. That said, definitely do the lessons! Maybe I just had a weird exam, maybe they’re not focusing on it, who knows. But as Ryan will tell you in the course, if an employer is looking for someone with experience with it, it could be very valuable to you, and for just a couple hours worth of work to get the experience it’s a great investment.

My thoughts in summary:

1- It’s a beta exam, and you get a free retake once the exam is released if you don’t pass- and it’s 1/2 price! You really can’t lose by taking this now.

2- The ACG course is great. CloudHSM was the only thing in the course I didn’t run into, but still valuable. You won’t be wasting any time by taking the course in its current state. I’m sure Ryan’s working away on getting out the new material, but I wouldn’t skip out on the opportunity for the beta waiting for the material (PS – Ryan, you have an eta?)

3- Dig into the additional items I mentioned above.

4- Log into your AWS console and check out every single service listed under Security. There are newer services there that appear in questions. Get a high-level understanding of what they do, and be ready for AWS to try to trick you into thinking that they do things that they don’t do.

Good luck! It was a fun exam, I’m hoping to not need to take it again in a couple months but really won’t be bummed if it goes that way.

Okay Cloud Gurus, that’s it for this lecture. 😉


Very much what I’ve been anticipating. Thanks for the reassurance! Not too shocked that CloudHSM is missing, though I didn’t realize it featured so heavily in the original beta. It’s an important service for the organizations that require it, but this isn’t the majority of systems on AWS by any stretch of the imagination. Curious if you saw any questions on the new(ish) encryption SDK?


YES! This was on the exam multiple times. I specifically recall a question about how to fix an application that is hitting the API calls-per-second limit of KMS doing decrypt requests. Thanks for bringing this up!


Thanks for updating. Appreciate it!!


Relating to per-second-limits on KMS doing decrypt requests…I came up with this gem with a quick google search: If you are exceeding the requests per second limit, consider using the data key caching feature of the AWS Encryption SDK. Reusing data keys, rather than requesting a new data key for every encryption operation, might reduce the frequency of your requests to AWS KMS. See https://docs.aws.amazon.com/kms/latest/developerguide/limits.html


JoeNerd AWESOME tips from the Beta Exam. Thanks a bunch !!!


Brent thanks also for sharing your findings.

Cool stuff, thanks for sharing. I agree about taking the beta – the way I look at it, the fact that there are no available practice questions means, worst case scenario, you pay half price for the real exam in the summer, plus get a practice run at it now. Also, even if the ACG course changes drastically, we effectively get the same-ish content from two viewpoints. No bad thing at all.


I took my beta exam two days ago, and I agree with most of the points you make here. I did get a couple of questions on Organizations and Service Control Policies which I don’t believe Ryan covers in the current course material (but does in the Cloud Practitioner course). I got a couple of questions about Config as well and Systems Manager. I also got several questions about penetration testing, and under what circumstances you had to notify AWS to do it. A couple of the questions seemed to imply that if you used an approved pen testing appliance from the marketplace you didn’t have to notify AWS (i.e., they didn’t get an alert in that case). I don’t recall Ryan speaking to that specifically in the course so I was a little out of the water on those questions. I think I might have gotten one question on CloudHSM, but only as an implementation option in a given scenario where you need to manage keys without a lot of overhead. I didn’t get any questions on Cognito at all, one or two about AD federation as an authentication/authorization solution in a corporate hybrid environment.


Andy, Ryan has a video, I believe an updated video on his SS course where he said even using a MarketPlace (he mentioned Cali Linux) tool, you always have to notify AWS. And this is what AWS paper on penetration says "Permission is required for ALL penetration tests." https://aws.amazon.com/security/penetration-testing/ . Thanks for the tips


You know, I suspected that was the case but for some reason I answered both of those questions incorrectly. I’m assuming I’ll be retaking that exam once the beta is over … 🙁


@lincupel: most likely refering to "Pre-Authorized" scanners, e.g. Qualys, Rapid7, Tenable: https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=pre-authorized

Jeremy Simkins

Just took the exam this morning. I wish I saw this post earlier! I 100% agree with this post, it hit the exam right on the head. I feel good about the exam so let’s see what happens.


Took my Beta Exam Today (hard but I liked how the questions were made better than in the CSAA exam) and it was pretty much what JoeNerd wrote down on his post. Thanks Ryan for your video updates I got quite a few questions on regarding the new videos that you added. If you could also include more troubleshot scenarios (from what folks mentioned here in the forum would be great) also Thanks JoeNerd for such detailed and now I can say 🙂 accurate feedback on the exam.


I took it today too. I’m just getting over the flu. Figured that if I failed it I get a free roll later. I’m wondering if we all took the same test if it was in the last month.

11 Answers

Awesome! Thanks for the heads up.

Thank you for taking time to write this up. Much appreciated!

Thank you!

Thank you!! Keep being awesome.

I took the beta exam last weekend as well, and my experience is the same. There are no questions for CloudHSM, then KMS has a huge part.

You already covered all the important components in my exam. 

Additionally, worth reviewing below points:

  • IAM root account activity, how to monitor

– DynamoDB encryption with AWS KMS: https://aws.amazon.com/blogs/security/three-data-at-rest-encryption-announcements/


Thanks for providing this information!!

Cloudwatch Logging Agent! – I think I had 7-8 questions related to this. 

How does it work? How do you troubleshoot when you’re not seeing logs show from from "some" instances? 

I am assuming it is all based on Cloudwatch Logs 



Do you have any other reference material for this especially around troubleshooting, other than checking the agent / policy / size limitation?

Sid McLaurin

I remember two troubleshooting questions on the exam. One had mostly IAM instance profiles and roles as viable answers and the other pointed to network issues. I guessed on the network one and in hindsight I found this link: https://forums.aws.amazon.com/thread.jspa?messageID=789442

Thanks for the post. I took the exam last year and am going to take it again at the end of this month for free. Based on your syllabus, it sounds like the exam hasn’t changed a whole lot.

For those of you thinking about taking the exam, make no mistake about it, it’s difficult. I don’t know if I passed it last year because AWS scrapped it and refunded everyone who took it. It’s a professional level exam, so be prepared. You’re not going to get a question like what AWS service provides user activity logs. Forget it.

I like ACG courses, and Ryan’s teaching style, but I can tell everyone that this particular course only scratches the surface. I took it when it first came out before taking the exam last year and I’m here to tell you in no uncertain terms that it is only a start. My advice to you is rely heavily on the AWS documentation. You can’t just have a passing knowledge of all the different security features. You really have to understand each one and how they are applied to achieve a particular outcome. Good luck!


Much appreciated!

Awesome. THANK YOU!

Thanks a lot for sharing, great information.

Thanks to all above for your submissions and suggestions. All of it helpful. I and a colleague of mine both sat for the beta exam today, having opted to give ourselves as much time to prepare as possible. Since today is the last day to take the beta version of the exam these notes may not help as much as those above, but I’m adding anyway so the topics may be included in future updates to the course material.

I wonder if AWS has continued to tweak the question pool throughout the beta period. I say this because we were both presented with questions on topics that we haven’t seen mentioned above. Also, some of the topics were presented in slightly different formats or worded in ways that differ from what we’ve seen others mention. 

A couple of the topics we faced were: 

  • AWS Vault Locks. (a feature of AWS Glacier) The question had to do with how to effect policy changes on a vault that has already been locked. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

  • AWS Athena. A couple of the questions included answers that suggested Athena might be used to query CloudTrail logs stored in S3 to find information about anomalies, etc. with other choices being to query logs in CloudWatch. On the surface both seem to be valid approaches, but you have to choose the ‘best’ option. 

  • SSM Parameter Store – had a couple questions on this, but the format of the question came in terms of troubleshooting why a command might be getting an access error when trying to use a secure string, and you had to know which action was missing from the policy statement for the service that was trying to read the parameter. I’m pretty sure it needed kms:decrypt, but I don’t recall the question in exact form to know for sure.

In general I think the test was fair and I’m happy to see they are making these tests more difficult to pass. A few questions seemed to be poorly worded and I expect analysis of the answer distributions will reflect that and be weeded out. The course material has been helpful, but I agree with others that this is not a test you’re likely to pass without getting your hands very dirty by experimenting both in the console and also with the CLIs and the SDKs. 

Thanks again to all for posting your experiences. Hope to pass of course, but the more important thing is we’re learning a lot by going through this process, and the community here makes it more enjoyable.


How long did it take for your to receive the exam results?


I got mine today; I managed to pass the exam, albeit it wasn’t my best effort. :$ I figure I have two years now to polish before I have to take it again.


Let me give a very heartfelt thank-you for all of you who shared their experiences! 🙂


yep.. got mine today. I actually had a bit of a better score than i had anticipated given the odd question about vulnerability scanning permission

Sujith Babu

Thanks for the article, I passed this exam on 11th Dec 2018 and this article helped in understanding the gaps in my knowledge and areas I had missed in my preparations.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?