Certified Security - Specialty

Some quick notes on the AWS Certified Security Specialty study and exam (Sept 2019)

Passed this weekend with 975/1000! Wish I knew which questions I had dropped! 🙂

Once again, I predominantly used the synonymous acloud.guru (ACG) course. After reviewing the course content and some people’s feedback in the ACG forums I gambled on having sufficient knowledge across some of the core areas and focussed on stuff that was new to me. I also used 20+ years of experience in IT to focus on content in Troubleshooting and Incident Response that was new to problems in AWS. In ACG this often meant going through the summary videos for each chapter first, then going back into content in detail as required for a more complete understanding. I definitely recommend the ACG course overall; IMHO they are better than most content in Pluralsight & Udemy and worth spending my own money on. They had updated content for 2019 based on feedback from users (I was studying in Sept 2019).

As well as the video learning, my key (pun intended) reading materials were:

  • Config FAQ

  • KMS FAQ and best practice whitepaper

I didn’t use any specific external labs for this certification. There are several practical labs in the ACG course which I clicked along with and headed off on tangents when I found interesting things.

Practice exams are essential to test what you know and to identify areas that needed further study. This is my biggest study tip – do mock exams and study what you get wrong!

My core areas:

  • Networking: VPCs, SGs, route tables, NACLs, gateways, etc

  • IAM & Identity Federation with STS

  • Organizations & SCPs

  • Logging (CloudWatch, CloudTrail, VPC flowlogs, etc)

  • Trusted Advisor

All of these have content which is also covered by the Certified Solution Architect (CSA) track. If you have passed CSA Professional then you’re probably already up to speed. If you’ve done CSA Associate, then there’s more to learn.

New areas to cover which needed in-depth knowledge over and above the Certified Solution Architect Professional were primarily:

  • S3 policies, ACLs, encryption, pre-signed URLs, CRR/SRR

  • Glacier Vault Lock

  • Use of (and conflicts in) IAM and S3 policies

  • Key Management Service (KMS) including CMKs/DMKs, key rotation, key policies and grants

  • Amazon Certificate Manager (ACM)

  • Integrating ACM, CloudFront and ELB

  • Cognito

  • Config (lots of recent changes here, get a refresher if you learnt it in 2018!)

On troubleshooting, real world experience integrating & debugging these services is invaluable:

  • KMS with anything

  • Lambda with S3, CloudWatch, etc

  • Cross Account access in IAM

  • SGs and NACLs

  • Why isn’t my _____ logging to CloudWatch?

Be really clear on the differences between:

  • Shield and WAF

  • TA and Inspector

  • Network packet logging and packet inspection

  • AWS public and private service endpoints and PrivateLink

Relatively new services which need to be understood, but not in-depth:

  • CloudHSM

  • Athena

  • GuardDuty

  • Secrets Manager

  • Artifact

  • ECS and container security e.g. managing mutual auth certs with ACM

Most of the new services have appeared in the exam in 2019, so if you’re reading this in 2020 it’s likely that there are more new things to learn about! Do some research online to find out what.

Where does it sit on the difficulty scale? I would say: more difficult/in-depth than the 3 x Associate exams but easier than the CSA Pro.

As with all certifications, go book a date in the calendar. Schedule an exam at a testing centre and then get studying. You can reschedule AWS exams up to 3 times without penalty up to 24 hours beforehand, so if you’re not ready it can always be deferred. Good luck!

Fatima Aboubkr

Congrats Steve. That was an amazing score. May I ask which practice exam you used? Thanks

2 Answers

Perfect, thanks for your tips!

Nicely done, congrats! That’s an exceptional score, and really well done for a Specialty exam! That’s also an amazing amount of brilliant tips for other students, and hopefully they find this useful too! The point about being able to reschedule the exam is handy too; it’s great to have a date to work towards, but also being able to shift it if things get too out of control.

Best of luck with what comes next on your cloud journey!
