Took the test today… its is very very hard. There is a lot of scenario based questions….example, "a developer wants to log in from mobile device, how do make sure he only has read access only when logging outside the company network"…??? There is lots of scenario based questions on cross account access in addition to the root problems of the question so you’ll have to play with that and get comfortable. A lot of scenarios on encryption .. how to prove and s3 bucket is encrypted at rest to your CSO.. VPC Flows… how to read them… example, they had a log that shows vpc a talking to vpc b but vpc be showed "rejected" message when A was sending to B… but B could send to A.. and it would ask on what port it was rejected… so learn how to read vpc flows. I cant say that I saw much on this class that I found on the test. I didn’t see anything on inspector, very little on KSM….however I did see a few scenario based questions that had CloudHSM and AWS Config. So again, I didn’t not see it asking me questions of how AWS Config, Customer Keys, KMS, or CloudHSM worked, it just assumes you already know this and that is what makes it a lot harder. I had to fall back to "process of elimination" and look for holes on some answers so that I can rule them out. I think this course is good for you to know how to secure and audit yourself at work….but its not enough to get you to pass the test. i’m ok with that as in the end I need to apply the tools that this course teaches you, however, the test is much much more than that. Hopefully the above helps add content to the course. Good luck. oh… additionally before I forget, there was scenario based questions on federated accounts, encryption, best approach to migrate from legacy to cloud, vpc peering…. and ill add more if it crosses my mind
2 Answers
I’m with CLOS – I also took the exam yesterday and found it … let’s say "spicy". The scenarios were very interesting, but also a lot more extensive than I anticipated them to be, so it took me roughly two hours to go through all 106 of them. Total time allotted was two hours and fifty minutes, so I used the remaining time for a second pass to double-check everything.
With regards to the questions:
1.) Some questions had typos or missing answers (six possible options, three of them being "Reserved for Beta use" – I’m certain I am NOT leaking anything meaningful here) and two questions were repeats of the ones that came before.
2.) CloudHSM was, as expected, a large part. It felt like 6-10 questions that touched it. If you can get "face time" in with the service, I would very much recommend doing it. Just reading the user guide and watching videos on it does not feel sufficient.
3.) VPC is a large part of building a secure system. It’d be great if that section could be expanded upon for this course
4.) In relation to 3.), I’d also love the opportunity to buy just the VPC parts of the Network Specialty course or just cross share some of the classes (think: "VPC Flow Logs" and anything else titled "VPC") with this course.
Make sure you read this. It will score you some points.
https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/