Certified Security - Specialty


Passing the Certified Security Specialty Exam.

I passed the Certified Security Specialty Exam the other week and decided to write a small article.
Hopefully it will help someone out with their studies.
One thing that I recommend for this exam is access to a 2nd account. There are a number of IAM scenarios you can try out. You will also need to know your cross account workings if you are going to work with AWS anyway. Two FreeTier accounts are better than one !

Very nice. You list Macie. I was curious if that comes up in the exam; I didn’t see it mentioned in the Guru course.


Macie did come up in the practice exam.


Yes, it’s one of the possible answers in the practice exam but not the correct answer.

8 Answers

Thank you Madoc! Excellent article and appreciate all the advice!

Great write-up! I just passed the exam yesterday as well. I also found that AWS re:Invent videos are extremely helpful. Here are a few that I found useful.




I recommend watching the VPC section and Logging section from Ryan’s course multiple times, along with going through your console and clicking around. See what can/cannot be changed.


Thank you for the youtube links and tips and congratulations on passing this important milestone! What do you plan to do next?

Thx for the insider scoops Madoc. I enjoyed your article – informative with a dash of humor. Awesome!

Thank you so much! This is such a great resource!

Thank you very much Madoc!!! Your post definitely helped me pass the Security Specialty Exam today.

Here are a few more comments and pointers for those preparing to take the exam.

1. It’s a challenging test.

   The questions are all long-format and more than 90% required multi-part answers (2 or 3 choices).

   Read the questions carefully. In some cases there are more than 2 valid answers, so look for key words in the question.

   Flag questions and come back to them. I ended up with 26 questions I had to really work through before I could answer.

   Do all the things Madoc suggests, and then some. The questions were all about securing architectures in different scenarios.

2. You really need to know how the services work. No, really!!

   This isn’t the kind of exam you can just wing your way through. To help, I’ll try to list what I recall as the ratio of questions.

   Based on my test I suggest focusing on the following:

   KMS – (10 questions)

      Key Rotation – How to, and the effect on dependent services

      Deleting a CMK – Under what conditions, and what the implications are for encrypted data / applications

      Importing Key Material – How to, and the advantages/disadvantages

      Management and Usage Policies – How to securely provide access to keys

      Integration – How to use KMS with S3, DynamoDB, APIs [encrypt, decrypt]

   IAM – (5 questions)

      Creating policies – Knowing the resultant policy outcome and restricting service access to a subset of users

      Condition Statements – How to apply conditions like MFA or encryption to a policy

      Cross-account access – Know how to set this up and troubleshoot access issues

   VPC – (5 questions)

      Security Groups – Know how and when to apply them

      Network Access Lists – Know how and when to apply them

      VPC Peering – Know how to troubleshoot multi-VPC configurations

      DNS – Know how to override or update DNS settings for EC2 instances

   CLOUDWATCH – (10 questions)

      Logs – Know what is possible and how to troubleshoot Logs agent issues

      Events – Know what is possible and how to troubleshoot event triggers and issues

      Metrics – Know what is possible and how to troubleshoot filters

      Integration – Know how to integrate it with other services (Lambda, SNS)

   CLOUDTRAIL – (10 questions)

      API – Know when to use CloudTrail and what permissions it needs

      Integration – Know how to integrate it with other services (CloudWatch, Lambda, SNS)

   AWS CONFIG – (10 questions)

      Change Management – Know how to apply it to enforce and monitor changes to environments

      Integration – Know how to integrate it with other services (CloudWatch, S3, IAM)

   OTHER – (15 questions)

      Athena – At least 2 questions where Athena was either part of the question or part of the possible solutions

      ALB/ELB – At least 3 questions on architectures using load balancing, using certificates, or working with proprietary ports

      CloudHSM – I think 1 question on when to use CloudHSM over KMS

      Data Protection – 3 or so questions on best-practice architecture for long-term retention or restricted access

      S3 – 5 or more questions on how to secure it

Although everyone’s experience will vary from test to test, this was a tough test for me. A huge thanks to all the ACLOUD guys for the videos, as they do a fantastic job as a primer, but I’d caution anyone who wants to take the test to spend time building multi-tier, complex architectures where you’re using all of the above points.

Good luck all
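As an added illustration of two items in the list above (condition statements that require MFA, and forcing encryption on S3 uploads), here are the policy documents a practitioner would write, together with a small evaluator that runs them against constructed request contexts. This is example code added here, not part of the forum post, the course, or any AWS library. The key ARN and bucket name are assumed, and the evaluator models only the subset of IAM semantics needed for these two cases (explicit Deny beats Allow, implicit default Deny, the Bool / StringEquals / StringNotEquals / Null operators with single string values); it is not the real IAM engine and does not replace the IAM policy simulator.

```python
"""Condition-statement examples: MFA-gated kms:Decrypt, and a bucket policy
that forces SSE-KMS on s3:PutObject, evaluated with a minimal IAM-style engine.
Added example; the ARNs below are assumed placeholders."""
import json

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"  # assumed
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"                  # assumed

# Identity policy: kms:Decrypt only for sessions that authenticated with MFA.
# aws:MultiFactorAuthPresent is simply absent from the request context for
# long-term access keys; a missing key fails a Bool test, so those are denied.
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDecryptWithMFA",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": KEY_ARN,
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Bucket-policy pattern that forces SSE-KMS on uploads. Two Deny statements are
# used: StringNotEquals catches a header with the wrong value, and Null catches
# a request that omits the x-amz-server-side-encryption header entirely.
SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPut", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": BUCKET_OBJECTS},
        {"Sid": "DenyWrongSSE", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": BUCKET_OBJECTS,
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingSSE", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": BUCKET_OBJECTS,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _condition_matches(condition, context):
    """True when every operator/key pair holds for this request context.
    A key absent from the context fails every operator except Null."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" asserts the key is absent; "false" asserts it is present
                if (expected == "true") != (not present):
                    return False
            elif not present:
                return False
            elif operator == "Bool":
                if str(context[key]).lower() != expected.lower():
                    return False
            elif operator == "StringEquals":
                if context[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                if context[key] == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def _matches(pattern, value):
    """Exact match, or the trailing '*' wildcard used in Action/Resource."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _as_list(field):
    return field if isinstance(field, list) else [field]


def evaluate(policies, action, resource, context):
    """Return (decision, sid): a matching Deny wins immediately; otherwise a
    matching Allow is required; otherwise the implicit default is Deny."""
    allow_sid = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return ("Deny", stmt.get("Sid"))
            allow_sid = allow_sid or stmt.get("Sid")
    return ("Allow", allow_sid) if allow_sid else ("Deny", None)


# Constructed request contexts (not captured from a real account).
SAMPLE_REQUESTS = [
    ("decrypt with MFA", [MFA_POLICY], "kms:Decrypt", KEY_ARN,
     {"aws:MultiFactorAuthPresent": "true"}),
    ("decrypt with long-term keys", [MFA_POLICY], "kms:Decrypt", KEY_ARN, {}),
    ("put with SSE-KMS", [SSE_POLICY], "s3:PutObject",
     "arn:aws:s3:::example-bucket/report.csv",
     {"s3:x-amz-server-side-encryption": "aws:kms"}),
    ("put with SSE-S3", [SSE_POLICY], "s3:PutObject",
     "arn:aws:s3:::example-bucket/report.csv",
     {"s3:x-amz-server-side-encryption": "AES256"}),
    ("put without SSE header", [SSE_POLICY], "s3:PutObject",
     "arn:aws:s3:::example-bucket/report.csv", {}),
]

if __name__ == "__main__":
    print(json.dumps(SSE_POLICY, indent=2))
    for label, policies, action, resource, ctx in SAMPLE_REQUESTS:
        print(f"{label:28s} -> {evaluate(policies, action, resource, ctx)}")
```

The second Deny statement in SSE_POLICY is the point most worth remembering: without it, an upload that sends no encryption header is not caught by StringNotEquals, and the Allow statement lets it through.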

Prabhat Kumar Krishna

Hi All – I’ll say sorry to myself, I didn’t see this post earlier. It would have definitely helped me to pass the exam. Unfortunately today I have failed the test. Most of the questions are as mentioned above. A couple of questions related to EMS security port, container security while migrating from EC2. Most of the questions related to troubleshooting; AWS Config had approx 2-3 questions. None of the questions were straightforward, 95% were scenario based.

Thanks Madoc for the Excellent article. This will definitely help those who are preparing for this exam. Thanks to Rick-os & turbo2547 as well, for the additional links.

Thanks Madoc. Is there any book you advise reading to pass the exam?

Hi All,

I have just completed the AWS Security Specialty exam and I would like to add some notes while it is fresh in my head.

1. 10-15 questions on CloudHSM, which I was not expecting after reading various threads

2. 5-8 questions on Athena/Kinesis and how they integrate with Logs

3. Only 1 question on the Allow/Deny policy

4. 3-5 questions on ALB/ELB/CloudFront SSL certificates

5. 4-6 questions on choosing between CloudWatch/CloudTrail/Config/Macie/Inspector

I find out in 5 days if I have passed or not.

Hope someone finds this useful.

Devon Artis

Why did you say five days? The exam result is shown onscreen with pass or fail.
