Certified Security - Specialty

Sign Up Free or Log In to participate!

Passed AWS Certified Security Specialty 3/13/2019

Thank you very much for the course and community especially ACG and LinuxAcademy forum! I took the exam and passed today. The test center told me this exam is pretty new (probably no one hasn’t taken at there), and did not allow to walk out for a restroom break for almost 3 hrs(unlike AWS Associate exams I had). So, it didn’t really bother me since I was afraid not enough time to complete. At the end, I had like 10 minutes to review only few questions, marked 26 questions I didn’t have confident the answer, and only changed 1 question from review in hurry. If finding a time to study is a pain, sitting down 3 hrs for the exam and not allow a sec of day dreaming that is torture LOL!

Forum gave me a lot of directions to learn what I didn’t know and focus what I should know. So it’s a best place to follow. Like many others said, a lot of questions involve few services (few lines to read), mainly in short what is the problem (troubleshoot) and how to fix it (solution). Here are some I can remember from the exams:

1. Incident Response (1-2): Some cases and how to automate the process with certain services.

2. GuardDuty (1): Very specific finding types, why it cannot detect it.

3. Key Pair (1-2): Like course material, lost the key and what should you do, what to do with authorized_key file or instance.

4. Compromised (1-2): Like course material, know the priority step.

5. Pen Test (1): Know how to use on VPC architecture in high level and pre-authorized case.

6. Inspector: Don’t think I have it in term of related answer.

7. WAF (1-2): Associate to what services only, what condition is suit for some use case, and what rules like rate-based.

8. System Manager and Secret Manager (2-3) – Don’t have those easy "patching" scenario, instead some twist and turn conjunction with Parameter Store and Secret Manager. Which cheaper, why gets error to decrypt the secure string with KSM.

9. CloudWatch (5-6): Many question with other services together, how to use on premise log to CW, Why user doesn’t get a alert from CW, CW event use case with Lambda or some other services.

10. Athena: Doesn’t seem to be the answer, instead some other services might be better like Kinesis Data Analytics, Elasticsearch.

11. CoulTrail (5-6)): Many question with other services together, why S3 doesn’t receive the log, how to use CT with other services like Lambda or CW event to automate a process like deny/disable a policy or other cases.

12. AWS Config (2-3): Many question with other services together, Some cases like how to find unwanted authorize API or changes and mitigate the problem.

13: Trusted Advisor: Don’t think I have it in term of related answer.

14: Macie: No Macie but asking if PII expose in S3 what should we do, most like it’s how to secure metadata.

15. Bastion Host (1): I don’t know if SSH Agent forwarding is a thing but somehow need to secure the Bastion Host and it’s a lot of words with picture.

16. VPN and Direct Connect (1-2): Not much in detail besides knowing at high level how to use them.

17. VPC Peering (1): Not much besides how to do the pen test, no transit, no inter-peering nor route table related.

18. VPC Endpoints (1): Some wording somehow related to this service but forgot what it was, don’t think any policy involve.

19. VPN Flow Logs (1): No reading the traffic line but need to know it’s for VPC traffic at high level.

20. Security Group and NACL (2-3): Question might trick you with NACL Stateful, what port coming in and out, probably ephemeral ports.

21. SES and WorkMail (1): Only showed in policy as service for interpreting what policy does. Some talked about SES port but it wasn’t in my exam.

22. IP Table and Metadata (1): Know what IP table does for the root/users and metadata.

23. IDS/IPS (1) – AWS does not have this service, so what other options and what agent needs to be installed.

24. IP Packet (1) – AWS does not have this service, so what other options available.

25. CloundFront (1-2) – Know what CF is good for, no much in detail like sign url or SNI.

26. API Gateway: Don’t think I have it in term of related answer.

27. Lambda/Lambda@Edge (1) – know what can to do if legacy traffic comes in and need to add more headers.

28. SQS (1) – Some use case with other services.

29. AWS Organization (3-4): Know the SCP, know how it manages other OU, how to restrict other root accounts.

30. IAM (5-6): Many questions, cross account policy, how to read policy (example in the exam) and what it does, root= root+all users in the account. Understand the role for service to run and assume role is important, understand the resource might be optional if Identity based policy allow it. Don’t think Permission boundary in my exam.

31. Federatation (2-3): Know how to set it up, IDP<->SP, AD on premise, AssumeRomeWithSAML etc. Remember the IAM Role and AD Group mapping.

32. Cognito (1-2): How to use Cognito user, Cognito Sync and other services to restrict trouble gamers.

33. S3 (5-6): Many question with other services together, how to use IAM and bucket policy to access it, and encryption cases. Like "bucket/" and "bucket/*" different, or according to the example (in exam) can user access bucketA or bucketB or both.

34. ClouHSM (1): Or rather KSM related, it listed the requirements and pick a best choice. Need to know which is tamper resistance, high availability etc.

35. KMS (6-7): Many question with other services together, how to encrypt and decrypt scenario, CMK deleted and EBS use case like course material, know IAM and Resource policy for key, how to use Grants in some cases, external material might a good choice in some cases, know what "kms:ViaService" does.

35. ELB (1-2): Although no certificate nor ACM in my exam, it mixes in to other services use case like how to change the header on legacy instance.

36. Glacier Vault (1): Know how to set it up and LockID duration.

37. DynamoDB (2-3): Encryption at origin use case (DynamoDB encryption client), save metadata use case, and can choose KMS instead of SSE.

38. WAF Sandwich (1): Pretty straightforward.

39. EC2 (3-4): Many question with other services together, like compromised how to fix it. Virtual Security Appliances and Proxies use case.

It’s very a challenging exam for new comers, hope this helps and good luck!

3 Answers

Congratulations Shaw! Awsome Job


Well done in passing and thanks for the great feedback!

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?