Jan 8 2021 — Sat for Security Specialty Certification today and wow…..

So, the test I took today was actually pretty hard.  I knew that I had picked a bad week, but perhaps also a very bad day.  For background, I’m a ‘cloud engineer’ (I don’t make clouds) at a very large financial organization, and they have asked engineers to try and get this certification, probably to reduce their non-insignificant liability insurance bills.  My preparation was listening to most of the ACG course over 2 weeks at the end of November.  Then I had to deal with real life for about 4 weeks, then fast forward to this week.  

Monday, first practice exam on ACG: 45%…but it was completed in about 1 hr, mostly to identify my own gaps.

Tuesday, study some, distracted some by the obvious insanity of the week, sleep poorly, second practice exam on ACG:  55%….uh oh

Wednesday: freak out a little, decide to take one more test in serious mode before taking my first reschedule option… 3rd attempt on ACG: 85%…. ok, I guess I won’t cancel

Thursday: distracted, study a bit, cram mind maps, white papers, but hard to focus due to all the things…. no test

Friday: 4 hours sleep, cram in the morning, sit in afternoon….2 hours before gametime…check ACG… OMG… 20+ lessons in the course are new or have an update time of today…crap…might as well try anyway, since it’s lost money at that point…. Pearson at home, PSI wasn’t working for me because their OS version regular expression can’t identify Big Sur (11.1), it only checks for 10.X versions of OS X (fix yo regex pls)….

Oh my lord.  I think around question 5 was where I started to lose hope.  The questions are hard, yes, but I think the exam topics may have also just been updated, very recently?  I’ll spare you the suspense now, but I passed.  I don’t have my score, but I’m going to guess passed by the skin of my teeth.  I’m pretty sure I know how I was able to, as well.  I flagged about 30 questions in the first pass; it took an hour and 15 minutes-ish.  Then went and read and re-read the 30 questions, and then I was able to leverage my decades (yes I am old) of experience to eliminate a large percent of the answers as just slightly less right than the real right answer.  Some came down to a coin flip. I honestly had never even heard of RAM before, yet it was on the test and an answer I wound up picking, because the rest were either totally wrong, or very very subtly less right.  Here were the topics from what I can remember:

Crypto crypto crypto!

HSM, KMS, CMKs, S3 encryption at rest options, key grants, secret stores, web certs, both SSH and Session Manager questions, really had a lot on mine

API gateways, endpoints, and bridges

Service Catalog?  I still need to go figure out what that is.

Fargate? I know what this is, but it was on the test….

Unexpectedly hard questions about AWS Inspector, GuardDuty, Lambdas, Shield, WAF, AWS Config, CloudFront, CloudFORMATION, and bucket policies…

More than a couple CloudFront questions actually

More than a couple questions about AWS Organizations, cross account access/crypto, and SCPs

IAM policies, IAM groups, IAM roles, IAM users, understand all this, and then understand both policy resolution logic (and where that logic might not be the same as everywhere else) and tricky edge case conditional evaluation syntax questions

Networking, VPC fundamentals, NAT instance/NAT gateways, routing, security groups and ACLs, ASGs, ALBs, NLBs

A couple questions around VPC <-> connections and VPC <-> on-prem via gateways/VPNs/IPsec tunnels/friends

Logging best practices, troubleshooting exotic security log pipelines involving services you might not expect

A few compliance questions, those are kind of the only freebies

Cognito, and AD, mostly in the context of on-prem AD to something in AWS (which is very close to reality in my experience), and SAML

Before last week, I was fairly confident that I’d be able to pass, as a few other people in my group also had taken it and passed in the past few weeks, and they know me and my skillset and told me I shouldn’t have any trouble.  I’m not entirely sure we took the same test.  I think to pass the test I took, you need a combination of broad industry experience and in-depth knowledge of a bunch of AWS services that you probably don’t use at work yet, and most importantly how to discriminate between a good security solution vs. one with a subtle weakness.  There were multiple questions that made me chuckle because they were so close to some real world problems I’ve seen and/or recently dealt with.  Which I think, on balance, makes for a pretty good general cloud security test.  I wouldn’t have passed without ACG, but I also wouldn’t have passed with just ACG, at least not the course I heard from 2 months ago.  No fault to ACG, AWS is constantly adding new things, removing things, and changing the names of things.  I’ve been using it since it was just EC2 and S3 and the stuff I don’t know could fill many books.

This was my first AWS certification, but certainly not the first exam I passed.  This one was hard, not impossible, but hard, and unfortunately my test went from broad concepts all the way down to very specific syntax questions.  I wish everyone the best of luck, and highly suggest you don’t make the mistake I did and stay current!

Soooo…. I’m wondering, can one go directly to SA Pro next, or do I need a prerequisite cert first?  Or, should I go for DevOps and maybe have some fun?


Thanks for the info share.  I would recommend doing at least the Architect Associate before the Pro.  Many students get all three associate level certs before attempting the Pro exams.

Thanks for the great write up, Samuel! I did what Michael suggested; Architect Associate first, as well as the Developer & SysOps Associates. I did find that approach helped round out my knowledge in preparation for Architect Pro, as there were topics from all three associates in that exam.
