3 weeks ago, I mentioned I failed my first attempt to pass the Security Specialty exam, mentioning that the ACG course was covering about only 60% of the exam content.
I just retook and passed the exam (going from 620 points to 850) and want to share all the materials I used to learn everything that’s not covered in the ACG course.
This time again KMS was most of the exam, with IAM policies and Organizations SCP, and also EC2 forensics. Troubleshooting policies was again just 1 question. And again some questions about Artifact, Athena, and this time I also had two questions on Vault lock (which I was unprepared for). I really think ACG need to update their training material on this one as the exam has moved too far for the course content to be relevant anymore.
Must study topics are:
KMS Key policies (viaService & grants)
Vault lock (not in my list below)
GuardDuty. Although I didn’t see it in the exam, I doubt it’s going to be long before GuardDuty will show up in the exam
Most of the material I used are whitepapers, FAQs, AWS documentation and re:invent or other AWS event sessions. With re:invent 2018 I guess there will be several new interesting videos which should be added to this list soon.
Here they are by topic
KMS policies, Grants and ViaServices:
***** AWS KMS whitepaper: https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
Using Key Policies in AWS KMS: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
Deep dive into AWS encryption: https://www.youtube.com/watch?v=gTZgxsCTfbk
Best practices for implementing AWS KMS : https://www.youtube.com/watch?v=X1eZjXQ55ec
How do I share my KMS CMK across accounts? https://www.youtube.com/watch?v=qS7P2DpJFZQ
Deep dive into CloudTrail: https://www.youtube.com/watch?v=t0e-mz_I2OU
AWS re:Invent 2017: Using AWS CloudTrail to Enhance Governance and Compliance of Ama (DEV311) https://www.youtube.com/watch?v=mbdC6IhOROk
FAQ : https://aws.amazon.com/organizations/faqs/
Applying AWS organizations to complex structures : https://www.youtube.com/watch?v=pfetMIlo_2s
About Service Control Policies: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html
***** AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC303): https://www.youtube.com/watch?v=y7-fAT3z8Lo
Delegating Access to Your AWS Environment : https://www.youtube.com/watch?v=0zJuULHFS6A
The Evolution of Identity and Access Management on AWS – AWS Online Tech Talks : https://www.youtube.com/watch?v=2apSeOjDwZo
Advanced Techniques for Federation of the AWS Management Console and Command Line Interface (CLI) : https://www.youtube.com/watch?v=t6WWda_AY04
AWS re:Invent 2017: Soup to Nuts: Identity Federation for AWS (SID344) : https://www.youtube.com/watch?v=CJexxdv054c
A Self-Directed Journey to AWS Identity Federation Mastery : http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/
***** Architecting Security and Governance Across a Multi-Account Stra (SID331): https://www.youtube.com/watch?v=71fD8Oenwxc
AWS re:Invent 2017: Incident Response in the Cloud (SID319) : https://www.youtube.com/watch?v=ufmgB9M2WII
Automating Incident Response and Forensics https://www.youtube.com/watch?v=f_EcwmmXkXk
AWS re:Invent 2017: Using AWS Lambda as a Security Team (SID301) https://www.youtube.com/watch?v=oMlGHP8-yHU
Modernize Your Threat Detection and Remediation Process Using Cloud Services https://www.youtube.com/watch?v=ZYT8MHdQ410
User guide : querying AWS CloudTrail logs: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html
Querying AWS CloudTrail logs with Amazon Athena: https://www.youtube.com/watch?v=cfojAdWoMWo
Blog post: https://aws.amazon.com/blogs/big-data/aws-cloudtrail-and-amazon-athena-dive-deep-to-analyze-security-compliance-and-operational-activity/
AWS System Manager (SSM)
Amazon EC2 Systems Manager Introduction: https://www.youtube.com/watch?v=zwS8lssaY_k
Deep Dive with Amazon EC2 Systems Manager [ENT401]: https://www.youtube.com/watch?v=BmpxZsk9N48
FAQ : https://aws.amazon.com/artifact/faq/
And use the service: download and read (partially) artifacts and agreements to see what they are
Introducing Lambda@Edge : https://www.youtube.com/watch?v=c_ZL3nOxEi8
AWS re:Invent 2017: Introduction to Amazon CloudFront and AWS Lambda@Edge (CTD201) : https://www.youtube.com/watch?v=wRaPw1tx6LA
Deep Dive on Amazon GuardDuty – AWS Online Tech Talks: https://www.youtube.com/watch?v=o2YaIsps5LY
AWS re:Invent 2017: Creating Your Virtual Data Center: VPC Fundamentals and Connecti (NET201) https://www.youtube.com/watch?v=Tff1mekxOJ4
AWS Summit Tel Aviv 2017: Fundamentals of Networking and Security on AWS https://www.youtube.com/watch?v=KtPambVS2-4
AWS Summit Series 2016 | Chicago – Network Security and Access Control within AWS https://www.youtube.com/watch?v=AcBcmILiQTo
And unrelated to the exam but the best presentation of all:
AWS re:Invent 2017: The AWS Philosophy of Security (SID322) https://www.youtube.com/watch?v=KJiCfPXOW-U
Likewise. I received a 730 and already have 5 certs. "I really think ACG need to update their training material on this one as the exam has moved too far for the course content to be relevant anymore." Course material needs updating ASAP. I got many questions on Macie, vault lock, Athena, Artifact, the term blast radius was used at least 3 times. Luckily I saw this post. You need so much more for this exam.
I passed last week. Def follow the advice above as ACG is missing so much that you need to know. DO NOT go by just the AWS practice exam or the sample questions…
I felt that the focus of acloudguru has shifted and there is no longer focus on ensuring that the course gets updated. Acloudguru whilst an important learning resource is no longer the go-to resource.
Thank you so much for the details and guidance.
I passed the exam and I have to say your post is a must on preparing for the test! Thank you so much.
Glad I could help
Thanks for your post! I passed the exam yesterday morning. I’m subscribed to both ACG and Linux Academy and there is a ton of information in both courses that are SEVERELY missing. Haven’t encountered such a jarring gap before. Fortunately I got a chance to review your post and go through the material and it was definitely helpful. I also hold two other AWS certs and work with AWS on a daily basis which I believe helped. On to the next one!
Thanks a lot for your post! I have just started preparing for the exam having just completed sysops and architect associate exams. I’ve looked at a few courses covering this exam and the length of them seems to vary from 7.5 hours up to nearly 39. This one is only 11-12 hours so is definitely one of the briefer courses.
Just to let you know that we have begun updating the course for 2019, based on feedback from everyone. I have added a section today (Chapter 9 – Updates For 2019) which I will continue to build out over the next few weeks to include any gaps in the course.
I have also added a lecture covering additional resources and grouping together all the best White Papers and re:Invent videos to watch.
If you have anything to contribute, please do let me know!
Hello Faye, Thank you for the update. Although I passed the test, I might look back at your updates when I have free time. It will be a good refresher.
This is amazing. Thank you so much for taking the time. I failed with a 660 recently, and it’s not like I have zero AWS experience either. I can attest that the course is sorely incomplete and high-level. I admire wanting to prep people for the real world, but it’s odd to me to spend a huge chunk of the course on CloudHSM then telling people it’s optional for the exam. I can hope that they will fill in the blanks because when acg hits the mark, they really hit the mark with the best teaching. There is not even an Athena video in the course. There is nothing on Vault lock. I hope anyone who has failed once and is trying again like me sees your post.
LRS1023 I took it today and had the same experience. I was like where is Athena and Vault lock coming from.