Thoughts after taking the AWS Certified Security Specialty exam

Last week AWS re:Invent was a blast! Amongst very exciting product announcements, promoting the Unicorn rental business at the GameDay and the re:Play party, I was able to sit the AWS Certified Security – Specialty (Beta) certification.

[Disclaimer: This article won’t share any exam content or questions outside what is publicly available in the AWS public exam blueprint or description. I will just be sharing my experience and highlighting what materials I found more helpful]


AWS recently released three new Specialty exams, in addition to the existing Associate and Professional level exams: Security, Advanced Networking and Big Data. All three exams are currently in Beta and require a valid Associate-level AWS certification before you can book them. For more details about the current certifications, visit the AWS Training and Certification page.


Exam Structure and Technique

You will be given 170 minutes to complete the exam, and you need to be prepared to answer at least twice as many questions as you normally get on an Associate-level exam. The questions range over multiple-choice, multiple-response and scenario-based formats. I found the questions not as long as the ones you get in the Professional level exams, but you can expect at least a few long ones.

One of the most important things to keep in mind is that getting to the end of the exam is essential: even if time is short, make sure you at least attempt every question instead of leaving the exam incomplete. Here are some techniques that can help you get through the paper in time:

  • Check how many questions you’ve answered in each half-hour block and pick a pace that will let you finish the whole exam.
  • Scan the answers quickly and eliminate the obviously wrong ones. You will be given a blank sheet of paper, which can help you take notes and discard wrong answers.
  • Do not overthink the questions and trust your gut. Second thoughts can ruin your pace, so use the ‘mark for later’ review feature and move on!

How to prepare

It’s very important that you read the official Exam Blueprint carefully and identify how much each exam domain weighs towards the final score. What I did was create a checklist document with each subdomain and make sure I had prepared each specific topic before going into the exam. In addition to doing this, I would like to highlight the following areas I recommend looking into:


Video Content

Advanced Security Best Practices Masterclass.
The following video gives an excellent overview of key AWS security processes and covers areas such as the Shared Responsibility Model, IAM, VPC, EC2, Abstracted Services, and Encryption and Key Management.

Best Practices for Managing Security Operations in AWS – AWS July 2016 Webinar Series
This video deep-dives into topics such as AWS IAM, infrastructure as code and change management using CloudFormation, auditing and logging AWS service usage, and automated compliance checks on AWS infrastructure.


Account Separation & Mandatory Access Control.
This very interesting webinar covers mandatory security controls on AWS as well as AWS account management strategies.


AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for High Security.
This video introduces secure application design principles, walks through some practices using AWS KMS, and presents a real-life example of KMS in use.


AWS re:Invent 2015 | (NET201) VPC Fundamentals and Connectivity Options.
Great overview of VPC concepts such as Subnets, Route Tables, Network ACLs, Security Groups, VPC connectivity options, VPC endpoints and VPC DNS.


AWS re:Invent 2015 | (SEC307) A Progressive Journey Through AWS IAM Federation Options.
Session that covers the different federation options in AWS as well as a customer case study about their federation journey.


Written Content

Here are some more specific areas I recommend reading in addition to the contents highlighted in the Exam Blueprint:


Overview of Security Processes.
This whitepaper can be a bit long (80 pages) but provides a great overview of the security options for pretty much all the key AWS services. I would recommend at least looking into the services mentioned in the Exam Blueprint.


AWS Cloud Compliance.
Make sure you have a basic understanding of the different compliance programs and security frameworks AWS is enrolled in, especially the ones mentioned in the Exam Blueprint.


Understand the different encryption options in the AWS platform, for example: S3, EBS, KMS, ELB or AWS CloudHSM.


Knowing about IAM Roles for Amazon EC2 and the different types of Delegation Roles is a must!


Familiarity with IAM policies is also a must. An article I really like is this one, which gives examples of typical use cases for S3 bucket policies. Also make sure you fully understand the IAM best practices to live by!


Security in your VPC is also a hot topic. Make sure you are very familiar with VPC Peering, the Comparison of Security Groups and Network ACLs, VPC Flow Logs, the different VPC Networking Components and the options for VPN connections.


Logging and monitoring: do read about AWS CloudWatch Logs and AWS CloudTrail. This exercise also combines the two services together.


Other tips

AWS hasn’t yet released any practice questions for this exam, but practice exams for the existing certifications are available for purchase on the Webassessor site, as are their sample questions. These can give you an idea of the kinds of questions AWS will be asking you. Just make sure you focus on the security-related ones!


I hope you found this article useful, and best of luck with your exam!