Certified Security - Specialty


Took the Security Specialty test today - Failed (My comments - exam really isn’t a “security” exam)

UPDATE: Found out my score. I was two away from passing. My feelings about the exam below remain the same.


I will first list my work experience and my current AWS skill-set. I’ve worked with AWS for over 10 years. Almost always on security-related functions. I am currently the leading AWS security architect for a Fortune 500 company, which hosts over 150 applications in AWS. You might ask why I even took the exam? Well, I interview a decent amount of folks who have this cert, and I wanted to see what it was like. I did study for about 4-5 months with acloudguru using their course and exam simulator. Thank you to Ryan and Faye for their excellent work. I think they do an incredible job.

Yes, I did fail the exam. Why?

Well, the exam, for lack of a better word, is horrible. 50% of the questions aren’t really even security related. They are more architecture related with AWS security products. There are questions that will ask about cost, most effective way to implement, least comprehensive, or most efficient. All of those are asinine questions for a security exam. For this exam, AWS is really tailoring it to try and get your future employers to use AWS native technologies. In other words, they want to lock you into AWS by examining on those principles. This is a security exam, not an exam on how to keep cost down or how to implement things efficiently and fast. The idea is to keep things secure. I’ve been successful in implementing systems, data center migrations, application migrations, etc. in AWS by focusing on the most secure solutions possible. Yes, that means trying to keep cost down (conducting BIAs), but about 99% of the time the most cost-efficient isn’t the most secure. A lot of these questions are based on scenarios that just don’t happen in the real world with real-world architecture. This test makes you think that, which is counterintuitive.

The other BIG point is that there are a ton of people taking this exam from the US government space. If you’re like me and you work in gov-cloud currently, the test REALLY isn’t for you. I wouldn’t touch this exam because the majority of the questions are not applicable in those environments. Even the DOD says don’t touch it, and refused to put the cert on any IAT level ranking. That rarely happens, so in the meantime I will not be taking it again. Stick to the architecture associate and professional exams. Both of which I have, and both are much more valuable in the cloud space and us-gov spaces.

Source: https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

In any event, I have an email out to Stephen Schmidt of AWS with my comments. I’ve worked with Steve in the past in the private sector. I am hoping to get the exam changed dramatically. I thought about 25% of the exam was pretty good. The other 75% not so much. In my eyes without a change, the cert is not too valuable. I wouldn’t put a candidate above another one because they have this cert.



CJ, actual exam content aside, do you feel that the ACG course should have prepared you for the exam? What were the gaps?


Great question! I do for the most part. I think the content is there. Possibly a bit more information on VPC endpoints and peering. There were about 5 questions comparing those two. All of them about what was "least" comprehensive. The simulator on cloudguru is great, but I thought this test was 3x as hard. In this test you might get 2 questions that aren’t scenarios, which makes the quizzes not too valuable either. That is a change from the architecture courses, where I thought the simulator was harder. I also thought the KMS questions in the exam were much harder than the simulator for sure. There was a question about FIPS 140-2 that I know will throw everyone off. For NDA’s sake I won’t repeat it, but if you follow the advice from the course you will get it wrong.


In general, if you’re already in the security field and think security, you won’t do well. If you’re NOT, such as middleware support, developer, etc., I think you will crush it from this content. Exactly opposite of what you would think 🙂

0 Answers
