Hello Cloud Gurus!
I am happy to report that I passed the AWS Security Specialty exam yesterday with a score of 899 points.
Kudos to Ryan and Faye for the great course they put together!
Here is my feedback.
I studied for about 6 weeks: every evening after work for 2 hours, plus watching re:Invent/re:Inforce videos on YouTube before bed.
After 4 weeks, I took the official practice exam and passed with 85%. I then used the ACG Exam Simulator and passed that with 86%. That told me I was almost ready, so at that point I bought the Whizlabs practice tests and did those twice over the course of the next two weeks.
As for services that I was tested on, same list as the one provided by Vighnesh here:
Below are some of them that I found particularly tricky:
IAM: IAM Policies with MFA conditions. I had one question where I had to choose between GetSessionToken and AssumeRole.
CloudTrail: The Event History view shows the operational and security events in the past 90 days and NOT data events. To query for data events you should probably use Athena.
Know how to centralize CloudTrail logs in a master account; this scenario comes up in quite a few questions. I recommend you do it yourself and make sure you understand the S3 bucket policy in the master account and how to configure CloudTrail in the member accounts to point to it.
Inspector: the Network Reachability package does NOT require an agent to be installed on EC2 instances, and findings include whether your ports are reachable from the Internet, potentially misconfigured Security Groups, NACLs, etc.
IDS/IPS: When you need to inspect network packets remember that there are NO AWS services that do that. You need a third-party solution (that can run on EC2 of course) from AWS Marketplace for example. Faye covers that very well in the course.
VPC PrivateLink: showed up as a valid answer in one question. Even if you did not know what PrivateLink does, all the other answers were suggesting creating 1500 rules in a security group or NACL.
VPC Endpoints: Know that there are two types, Gateway (currently only S3 and DynamoDB offer Gateway endpoints to VPC) and Interface (a lot of services are accessible via Interface endpoints: KMS, SQS, SNS, API Gateway, etc.); know the differences between them, and know how to use Endpoint Policies to control traffic through the endpoints.
CloudFront and ACM: remember that if you install a custom SSL certificate from ACM onto your CloudFront distribution, that certificate must reside in ACM in the us-east-1 region!
Also know that when you import a cert into ACM you have to have the public cert, the intermediate CA cert and the private key in PEM format.
ACM Private Certificate Authority: I got a question about that as well, but I was good there, as the Whizlabs tests revealed that gap in my preparation in the last two weeks leading up to the exam.
As for the study material that I used, I will compile a list and publish it to GitHub tomorrow and post the link on this forum as well.
Good luck with your preparation/exam and let me know if you have any questions.
PS: I have published my study guide on GitHub here.
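Two of the points in the post above (the IAM policy with an MFA condition and the centralized CloudTrail bucket policy in the master account) are easiest to understand by actually writing the policies and checking which requests they let through. The block below is an added example, not part of the original post or of any AWS material: it contains a deliberately tiny IAM-style policy evaluator (Action/NotAction, Resource wildcards, StringEquals, Bool and BoolIfExists only; Principal is not evaluated, so the CloudTrail checks assume the caller is cloudtrail.amazonaws.com), an MFA-gated identity policy in the style of the AWS "deny everything except MFA self-service" pattern, and a generator for the log-archive bucket policy. The bucket name org-trail-logs and the account IDs 111111111111, 222222222222 and 333333333333 are made up.

```python
"""Tiny IAM-style policy evaluator used to sanity-check two policies from the
post: an MFA-gated identity policy and the bucket policy on a central CloudTrail
log archive. Constructed example: it models only the operators these two
policies use (Action/NotAction, Resource, StringEquals, Bool, BoolIfExists)
and ignores Principal entirely."""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(cond, ctx):
    """True when every operator/key in the Condition block is satisfied by ctx."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            wants = [str(w).lower() for w in _as_list(want)]
            if op == "StringEquals":
                if have is None or str(have) not in _as_list(want):
                    return False
            elif op == "Bool":
                # Key absent from the request context => condition is false.
                if have is None or str(have).lower() not in wants:
                    return False
            elif op == "BoolIfExists":
                # Key absent => condition is true. Requests signed with long-term
                # access keys carry no aws:MultiFactorAuthPresent key at all, so an
                # MFA deny written with plain Bool would silently not apply to them.
                if have is not None and str(have).lower() not in wants:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True


def _applies(st, action, resource, ctx):
    if "Action" in st and not _match_any(st["Action"], action):
        return False
    if "NotAction" in st and _match_any(st["NotAction"], action):
        return False
    if not _match_any(st.get("Resource", "*"), resource):
        return False
    return _condition_ok(st.get("Condition", {}), ctx)


def is_allowed(policy, action, resource, ctx=None):
    """Default deny; an explicit Deny that applies always wins over any Allow."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if _applies(st, action, resource, ctx):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed identity policy: with plain access keys the user can only manage
# MFA devices and call sts:GetSessionToken (which hands back MFA-backed
# temporary credentials); every other action needs aws:MultiFactorAuthPresent.
SELF_SERVICE = ["iam:ListMFADevices", "iam:EnableMFADevice", "sts:GetSessionToken"]
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3AndMfaSelfService", "Effect": "Allow",
         "Action": ["s3:*"] + SELF_SERVICE, "Resource": "*"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": SELF_SERVICE, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def cloudtrail_bucket_policy(bucket, member_accounts):
    """Bucket policy for the master account's log archive. CloudTrail must be
    able to read the bucket ACL and to PutObject under AWSLogs/<account>/ with
    the bucket-owner-full-control ACL; listing member accounts explicitly keeps
    any other account's trail from writing into the archive."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in member_accounts],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


if __name__ == "__main__":
    no_mfa = {}  # long-term access key: no aws:MultiFactorAuthPresent key in the context
    print("s3 without MFA:", is_allowed(MFA_POLICY, "s3:ListBucket", "arn:aws:s3:::data", no_mfa))
    print("GetSessionToken without MFA:", is_allowed(MFA_POLICY, "sts:GetSessionToken", "*", no_mfa))
    policy = cloudtrail_bucket_policy("org-trail-logs", ["111111111111", "222222222222"])
    key = "arn:aws:s3:::org-trail-logs/AWSLogs/111111111111/CloudTrail/us-east-1/log.json.gz"
    print("member write:", is_allowed(policy, "s3:PutObject", key, {"s3:x-amz-acl": "bucket-owner-full-control"}))
```

In each member account the trail is then created with the master account's bucket as its S3 bucket; the member's files land under AWSLogs/<member-account-id>/ and are only accepted because that account ID appears in the Resource list and CloudTrail sends the bucket-owner-full-control ACL. The evaluator is only a model for reasoning about these two policies; the IAM policy simulator is the authoritative check before you rely on a policy.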