Certified Security - Specialty

Sign Up Free or Log In to participate!

Passed AWS Security Specialty Exam – February 2020

Hello Cloud Gurus!

I am happy to report that I passed the AWS Security Specialty exam yesterday with a score of 899 points.

Kudos to Ryan and Faye for the great course they put together!

Here is my feedback.

I have studied for about 6 weeks: every evening after work for 2 hours plus watching re:Invent/re:Inforce videos on Youtube before bed.

After 4 weeks, I took the official practice exam and passed with 85%. Used the ACG Exam Simulator and passed that with 86%. That told me I was almost ready so at that point I bought the Whizlabs practice tests and did those two times over the course of the next two weeks.

As for services that I was tested on, same list as the one provided by Vighnesh here:


Below are some of them that I have found particularly tricky:

IAM: IAM Policies with MFA conditions. I had one question where I had to choose between GetSessionToken and AssumeRole

Configuring MFA-Protected API Access

CloudTrail: The Event History view shows the operational and security events in the past 90 days and NOT data events. To query for data events you should probably use Athena.

Viewing Events with CloudTrail Event History

Know how to centralize CloudTrail logs in a master account, this scenario comes up quite in a few questions. I recommend you do it yourself and make sure you understand the S3 bucket policy on the master account and how to configure CloudTrail in the member accounts to point to it.

Receiving CloudTrail Log Files from Multiple Accounts

Inspector: the Network Reachability package does NOT require an agent be installed on EC2 instances and findings include whether your ports are reachable from the Internet, potential misconfigured Security Groups, NACLs, etc.

Network Reachability

IDS/IPS: When you need to inspect network packets remember that there are NO AWS services that do that. You need a third-party solution (that can run on EC2 of course) from AWS Marketplace for example. Faye covers that very well in the course.

VPC PrivateLink: showed up as a valid answer in one question. Even if you did not know what PrivateLink does all the other answers were suggesting creating 1500 rules in a security group or NACL.

VPC Endpoints: Know that there are two types: Gateway (currently only S3 and DynamoDB offer Gateway endpoints to VPC) and Interface (a lot of services are accessible via Interface endpoints: KMS, SQS, SNS, API Gateway, etc), the differences between them, know how to use Endpoints Policies to control traffic through the endpoints.

CloudFront and ACM: remember that if you install a custom SSL certificate from ACM on to your CloudFront distribution that certificate must reside in ACM in us-east-1 region!

How to Use an SSL Certificate on ACM or IAM with CloudFront

Also know that when you import a cert in ACM you have to have the public cert, the intermediate CA cert and private key in .PEM format.

Certificate Format

ACM Private Certificate Authority: I got a question about that as well but I was good there as the Whizlabs tests revealed that gap in my preparation in the last two weeks leading to the exam.

Private Certificate Authority – AWS Certificate Manager

As for the study material that I used I will compile a list and publish it to Github tomorrow and post the link on this forum as well.

Good luck with your preparation/exam and let me know if you have any questions.


PS I have published my study guide on Github here


Hello 🙂 Thank you for the amazing write up, i been studying i have gone though the course, all the whizlabs but they added a new one exam 4 and it is totally different to the other ones, can you confirm if the exam 4 is like the real exam or not ?

Radu Lupan

Whizlab exam 4 is a little different in the sense that it has quite a few questions about ACM Private Certificate Authority and I did not expect that service to be such an important piece. In my exam I got exactly one question about acm pca which was way easier than the ones in the Whizlab exam 4 and I would have probably answered it correctly even without studying the subject. However, I recommend reviewing acm pca service use cases and best practices.


Thank you so much for your reply man!


Also the other questions were a lot more advanced i am kind of lost as i have studied for this a lot and made tons of notes but still on that exam i was like shit! why is it that hard, i need about 75% to pass well. The problem now is that i read most of the white papers the whole CMK and cloudwatch. I am waiting to see maybe cloudguru will update their contents to reflect anything new that might not be covered and will pop up in the exam. Did you say you used the Cloud guru mock exams as well for practicing ? Thanks again

Radu Lupan

Study the material referenced by Whizlabs for test 4 on the questions you get wrong and you will be ok. Yes, I used the ACG exam simulator as well, I liked it.


thanks man! ACG exam sim is closer to the real questions than Whizlab ?

0 Answers

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?