I recently passed the 2019 version of the AWS Security Specialty exam, which is one of their deep-dive technical certs entirely focused around building and running secure systems on AWS, including things like DDoS resiliency and encryption. I’ve used a lot of different resources for this so I thought I’d bring together a list of the best resources I found in the hope that it helps someone else.

2019 Exam

The 2019 exam is quite different from the original one that AWS tried out in beta and then retired pretty quickly afterwards, so make sure you’re using the right study materials. Quite rightly, in my opinion, they’ve taken the focus off CloudHSM, a relatively expensive and niche service, and turned it mostly towards KMS (Key Management Service) instead which is much more useful. Knowing KMS inside out really is the key to passing this one.

Prerequisites

Interestingly, AWS recently did away with their mandatory prerequisite that you needed an Associate level cert before you could sit a Specialty one. Whilst this does make it more flexible, I’d still say you really need to have one of their other certs before you make an attempt at this one. A lot of the study material and exam questions will assume you have a significant level of base knowledge around AWS services and I think if you went into the security specialty exam with only security knowledge you’d find it very difficult.

Having said that, I think their time in industry prerequisites are pretty wide off the mark. AWS suggest that you should have 5 years of infosec experience and 2 years of AWS-specific security experience before you sit the exam, which I think is excessive. I’ve been working in infosec for 3 years and focused full-time in AWS security for 1.5 years and I managed fine. If you’re enthusiastic about the field and have been working on this stuff day to day for maybe 6 months I think you’d be okay.

Key Study Areas

I’ve outlined below some key areas you may want to focus on. This is obviously not an exhaustive list, but it’s a good starting point.

  • KMS. So much of the exam depends on you knowing KMS inside out. Specifically (but not exhaustively):
    • Different types of key material and when to use them.
    • Key rotation schedules and how different key types affect this.
    • Using grants – when you would use them and why. Try and play around with doing this yourself if you can.
  • IAM
    • Know that IAM roles are almost always the answer for giving access to anything. Roles are always better than hardcoded credentials like access keys.
    • Know how to write policies, including ones that utilise complex conditions (see resources section).
    • Debugging conflicts between IAM policies, understanding the evaluation flow that determines whether an action is ultimately allowed or denied.
  • S3
    • Bucket policies: writing them and debugging them.
    • Understanding how to share S3 bucket access across accounts.
    • Knowing how to create fine grained policies that are quite complex – allowing access to a specific folder for a specific role in another account, but only from a specific IP with MFA enabled. Know how you’d go about constructing policies like this.
  • Certificate Manager/Shield/WAF
    • The services that they each integrate with and their limitations. Often it’s important to know what these services can’t do as you’ll get scenario-based questions with outlandish but feasible sounding answers.
  • CloudFront
    • Any question involving “static content” is probably going to be looking for an answer about serving content from an S3 bucket through CloudFront.
    • Tip: SSL certificates for CloudFront for custom domains must be provisioned in the us-east-1 (North Virginia) region. Same goes for Lambda@Edge functions.
  • Load Balancing
    • The different types of load balancer that are available: classic, application and network. Why you would use different ones in different scenarios.
    • SSL/TLS termination – doing it on a load balancer vs not doing it on a load balancer. How? Why?
  • Lambda
    • The difference between function policies and execution roles.
    • Debugging Lambda functions that won’t execute properly.
  • CloudTrail, CloudWatch, Config
    • What all of these services are and what they do. The exam will frequently try to trick you into picking the wrong one of these, which I think is quite an underhand trick.
    • Make sure you are absolutely confident in what each of these does and when you’d use a specific one.

Recommended Resources

I’ve tried to put these in order of priority for what resources I found most useful, and split up into categories.

Videos

AWS re:Invent videos are good sources for training material, along with other video content you might be using for training.

  • I can’t recommend enough A Cloud Guru for their video content. Their annual subscription is fantastic value for the amount of content you get access to, and being able to dip into their other specialty, architecture or service-specific courses for more in-depth refreshers is valuable. Their Security Specialty course was my main studying source for this exam.
  • re:Invent 2018: Data Protection. Great, fast paced summary of all the data protection relevant services you can use to help you secure data.
  • re:Invent 2018: IAM Policy Master. Don’t neglect IAM whilst you’re busy studying KMS – it’s just as important. This session has some great examples of building complex policies using conditions.
  • re:Invent 2018: VPC Fundamentals. This is a good refresher of VPCs and also a fantastic summary of the different connectivity options which you need to be aware of for the Security specialty.
  • re:Invent 2017: Encryption Deep Dive. This covers a lot of the same stuff as the 2018 data protection course, but in more depth so it’s worth a watch too – whiz through it on double speed if you have time.

Whitepapers

I’m not usually one for required reading before exams, but these really are essential reading for the Security Specialty cert.

  • The KMS Best Practices whitepaper. If you only read one thing, make it this. Seriously. I read this three times before my exam, and it’s a pretty interesting read.
  • The KMS Cryptographic Details whitepaper. This whitepaper is heavy reading and goes extremely in-depth as to how encryption actually works on AWS. I found it tied together all my understanding nicely after reading the Best Practice whitepaper and watching the Cloud Guru videos.
  • The DDoS Resiliency whitepaper. Another interesting read, I had a few questions in my exam that were answerable directly as a result of reading this whitepaper. This one is a great example of applying stuff for real-world situations and is refreshing after a lot of the theory-based stuff around KMS.
  • This list of Security Cert notes from mykter on GitHub is a fantastic summary of all things security relevant on AWS. Great resource to read over just before your exam.
  • The AWS Overview of Security Processes whitepaper is the bible of how AWS secure their own services. It’s a mammoth read but it’s a brilliant resource, especially if your role means you have to help with client’s compliance surveys.

AWS Articles

There are also a handful of AWS articles I found useful:

Exam Tips

Finally, a few quick fire tips for the actual exam:

  • There is plenty of time. You’re given 170 minutes for the exam which is generally around 65 questions – sometimes they add in some unmarked additional questions to gauge their effectiveness before introducing them to the exam pool. I finished and checked over my exam in 90 minutes, so there is really no need to rush through it.
  • If you can, avoid the PSI Exam Kiosks for sitting your exam. I’ve used these a few times and they’ve always been pretty bad. The experience stresses you out right before the exam and for both of mine I’ve been in a tiny, hot, windowless room with paper thin walls with people arguing in offices either side of me. The concept is good but the execution is terrible. Try and sit it at a proper exam centre if you can!
  • Know KMS inside out. I cannot stress this enough.
  • Good luck!