Certified Security - Specialty


Passed the Security Specialty Exam Today

Hey cloud gurus, I just want to tell you that I took my exam today and bring out what came to my attention.

First of all, time was not a problem at all. I had about an hour left at the end and was able to read through the whole exam twice.

Here are the topics that came up most:

1. KMS (lots of questions about key rotations)

2. Active Directory

3. IAM and Cross-Account access

4. AWS Organizations and SCPs – with an emphasis on permissive SCPs ("allow") in my case

5. VPC (Infrastructure Security), e.g. Security Groups, ACLs and Ephemeral Ports (understand the direction for inbound/outbound requests!!)

6. CloudTrail, Config, CloudWatch Events, Lambda

7. Athena

8. AWS Artifact

9. one/two question(s) each: Macie, Inspector, FlowLogs, WAF (in conjunction with DDoS)

Note: no CloudHSM at all, no Shield

Tough Topics:

  • When to use CloudTrail console vs. CloudTrail with Athena and S3

  • How to block the aws-managed DNS server for a whole VPC when using a custom DNS server

  • What is covered by the IAM credentials report and its corresponding API [1]

  • Active Directory one-way trust from cloud to on-premise

  • Integration of KMS in other AWS services – these ones were very tough!! They give you different policies and you must tell what is wrong or – even harder – what is missing, e.g. what are the missing conditions and actions in a policy which a user should use to grant EC2 access to use an EBS volume

  • Learn the GrantIsForAWSResource condition as it is important for services which integrate with KMS [2]

  • AWS KMS ViaService condition with regional endpoints: i.e. whether it makes a difference if the service URI contains the region "eu-central-1" or "us-east-1" etc.

  • high availability across different regions with KMS: is it possible to copy a key to another region? should you reference a key in another region instead?
    Note: Can someone who reads this please explain what the recommended setup is for KMS to be highly available across different regions? (CloudHSM was not an option)

  • Terminating SSL on NLB, ALB, Classic Load Balancer and which Listener Protocol to choose on Classic Load Balancer when terminating SSL on the EC2 instance

  • AWS Organizations: How to restrict member account’s root user access

Question Style:

Almost all questions were scenario based (~4-5 sentences long). One or two had an infrastructure diagram. Some had an IAM policy. Many had special modifiers that asked about the most COST EFFECTIVE way of doing things or the solution with least operational overhead etc.

I could often narrow down the answer to two remaining options. Sometimes (e.g. 5-7 times) I had to guess between these two remaining options based on my feeling/experience. I think that it is the intended type of questioning AWS does on the more advanced certification exams. I am really excited if this gets even harder on the professional exams. I will share my thoughts on the Professional DevOps/Solutions Architect forums someday this year. Next will maybe be the Big Data or Networking Specialty.

Good Luck to everyone!



[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
[2] https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-grant-is-for-aws-resource
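
The KMS policy questions described in the post above (a grant statement missing kms:GrantIsForAWSResource, a kms:ViaService value naming the wrong region) can be checked mechanically. The following is an added example, not part of the original post; the policy, account ID, user name, Sids and function names are constructed for illustration.

```python
import copy

# Constructed key policy fragment; account ID, user name and Sids are placeholders.
PRINCIPAL = {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"}
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UseKeyThroughEC2", "Effect": "Allow", "Principal": PRINCIPAL,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*",
         # The key lives in eu-central-1, but the condition names another region.
         "Condition": {"StringEquals": {"kms:ViaService": "ec2.us-east-1.amazonaws.com"}}},
        # No Condition: grants are not limited to those an AWS service
        # creates on the user's behalf.
        {"Sid": "AttachPersistentResources", "Effect": "Allow", "Principal": PRINCIPAL,
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy, region):
    """Return (Sid, finding) pairs for the two condition mistakes described above."""
    expected = f"ec2.{region}.amazonaws.com"
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        if "kms:CreateGrant" in _as_list(stmt.get("Action", [])):
            flag = cond.get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(flag).lower() != "true":
                findings.append((sid, "kms:CreateGrant lacks kms:GrantIsForAWSResource=true"))
        via = cond.get("StringEquals", {}).get("kms:ViaService")
        if via is not None and expected not in _as_list(via):
            findings.append((sid, f"kms:ViaService does not name {expected}"))
    return findings

def corrected(policy, region):
    """Copy of the sample policy with both conditions set for the key's own region."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        cond = stmt.setdefault("Condition", {})
        if "kms:CreateGrant" in _as_list(stmt.get("Action", [])):
            cond.setdefault("Bool", {})["kms:GrantIsForAWSResource"] = "true"
        else:
            cond.setdefault("StringEquals", {})["kms:ViaService"] = f"ec2.{region}.amazonaws.com"
    return fixed
```

Calling `audit_key_policy(WEAK_POLICY, "eu-central-1")` reports both statements; the output of `corrected(...)` audits clean for the same region.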

Srikanth Gunday

@Martin – Thank you so much.

Srikanth Gunday

@Martin, I don’t think we can copy a key to another region. If I am missing any info, please correct me. As per the FAQ: Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region. For example, keys created in the EU-Central (Frankfurt) region are only stored and used within the EU-Central (Frankfurt) region.

Martin Löper

That makes sense! However, what about disaster recovery? What happens if an entire region goes down and we reference keys from that region?

Rui Wang

@Martin, Thank you so much! For the high availability design, I wonder if the imported customer key would be an option since the same master key can be imported across different regions?

1 Answer

Thanks so much for the feedback and really pleased to hear that you passed!

I agree it’s a tough exam and some of the questions do seem designed to trick you.

The Professional exams are maybe a little bit harder and part of the difficulty with the SA Pro for example, is that they really don’t give you a lot of time to answer the question which can be really challenging when the questions are long scenarios and the answers are also long…

Check out our AWS Certification Preparation Course – available to all ACG members, which will really help you to tackle the difficult Pro exams:

This course helps you prepare for all AWS certifications — including associate, professional and specialties. These tips, tricks and strategies apply to all certification exams.


Martin Löper

Thanks Faye, I will look into the preparation course! =)

Martin Löper

fyi: I studied the preparation course recently and took the DevOps Engineer Professional exam afterwards. The prep course was interesting, thanks! =)
