How I passed the AWS Certified Security - Specialty exam

I have recently passed the AWS Certified Security - Specialty exam. This post is about my preparation and exam experiences.

I took and passed the AWS Certified Security - Specialty exam a few days ago.

Below I’ll share what I used for preparation and what experience I had in the exam.

1. Pre-requisites

AWS recommends that you should have at least two years of hands-on experience with securing the platform.

I had that experience and although it hasn’t only been security-related, security should always be a key point whatever you build in the cloud. I usually research how to secure the infrastructure that I build or use, so the topic wasn’t entirely foreign to me.

2. Preparation

Overall, I studied more than three months for this exam. This means about 1.5 - 2 hours a day on most days, sometimes more on the weekend.

Although Covid-19 stirred up my daily routine a bit, I could more or less keep up with my original schedule I set for myself.

2.1. Pre- and post-Covid times

In normal times, when I don’t have to live locked down, I use my commute time to read.

Others like listening to courses while sitting on the train (I don’t, I’m more of a visual type); I usually read whitepapers and documentation during this time.

With this schedule I have 1 - 1.5 hours left in the evening after my children go to bed and before I fall asleep behind my laptop, which I use for practical hands-on work and watching videos.

2.2. When you are forced to stay home

In these crazy times I did the reading and the coursework in the morning before work. I found it more beneficial than doing it in the evening because I could concentrate more and wasn’t tired.

I left the hands-on exercises with services I don’t have much exposure to at work for the evening.

2.3. Resources

My main source of knowledge was AWS.

They have recently come out with the Ramp Up Security Guide, which I followed from the beginning to the end.

It recommends doing heaps of hands-on labs and contains some video lessons as well.

The video courses don’t go into much detail, so they won’t be enough by themselves.

The labs are really good; I strongly recommend doing all of them. Some real exam questions are based on these scenarios and the solutions (or part of the solutions) presented in the labs are, obviously, the correct answers to these questions.

I took the exam readiness course (it’s also in the guide) as well. The instructor is pretty good, but as I said earlier, the depth is not enough for the exam. It basically tells you what services you need to be familiar with and from what aspects. The content of the readiness course covers the exam topics, but again, you’ll probably need to do a lot of extra reading.

That brings me to the next point, the AWS documentation. This was the single source of truth for me. I read a lot about the services and followed the tutorials even if I was familiar with them. This is essential and there are no shortcuts. The exam will test how thorough your knowledge is.

It’s not enough to know the services from the security point of view; you’ll also need to have an understanding of the service overall.

The guide recommends some whitepapers and they are compulsory to read. The KMS Best Practices whitepaper is really good, so is the Security Best Practices one, although the latter is almost 4 years old at the time I’m writing this. I suggest that you read all recommended whitepapers at least once.

The KMS Cryptographic Details whitepaper is not on the list but I highly recommend it, because it contains a lot of useful stuff about how KMS works.

I watched quite a few re:Invent videos while I was preparing for the exam.

These two videos on IAM (this one and this one) are compulsory. Don’t even try sitting the exam without knowing the stuff described in these videos. I can’t emphasize this enough, it’s very important.

I also watched other re:Invent videos on KMS and other services. It’s up to you and your current experience which videos you choose to watch. The more the better; there’s a lot of good stuff on YouTube.

Finally, I took the relevant course on Linux Academy. The instructor was good and the topics were discussed in detail. There are a lot of hands-on labs in the lessons and at the end of each section as well.

I have to say though that it only covers about 55-60% of the exam and the course doesn’t seem to be up-to-date. The solutions presented are valid (the Logging and Monitoring part is very good), but I needed to read a lot to fill the gaps, both for topics that are covered and those that are not. It’s a good start for the exam preparation but it shouldn’t be your only source.

2.4. Practice exams and questions

The exam readiness course has some questions scattered throughout the course. There’s also a practice exam with 24 questions at the end of the course and the answers are readily available.

Although these questions were useful, I think they contain some errors. I contacted AWS about them but I got the usual BS back (Unfortunately, it’s not in our scope of support to investigate the questions and answers. There are thorough steps in place to ensure the accuracy and integrity of AWS Certification exams. AWS Certification regularly rotates questions in and out that adhere to the exam guide.).

For example, one of the questions is this (the practice exam at the end of the course is free and publicly available, so I can share it here):

An application running on EC2 instances must use a user name and password to access a database. The developer has stored those secrets in the AWS Systems Manager Parameter Store with type SecureString using the default AWS Key Management Service (AWS KMS) customer master key (CMK). Which steps allow the application to access the secrets via the API? (Select 2)

Apparently, the correct answers are “Add permission to use the AWS KMS key to decrypt to the EC2 instance role” and “Add permission to read the Systems Manager parameter to the EC2 instance role”.

The first answer is incorrect (or I don’t entirely understand the question, which is also a possibility), because you don’t need extra permissions for the default KMS CMK (alias/aws/ssm) that is delegated to the service. Its key policy has the kms:ViaService condition key set to ssm, which specifies that the key can be used by anyone who has the necessary permissions to Parameter Store. You can try it if you want to.

It’s true though that a separate kms:Decrypt permission is needed if a custom (i.e. customer-managed) KMS CMK is used to decrypt SecureString parameters.
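To make the distinction between the two cases concrete, here is an added example that is not part of the original post: a deliberately simplified model of the permission check. It is not the real IAM evaluation engine (it handles only Allow statements, simple wildcards and the two condition keys that matter here, kms:ViaService and kms:CallerAccount). The aws/ssm key policy is modelled on the one AWS attaches to that managed key; the account id, region, key ids, parameter name and role policies are constructed placeholders.

```python
"""Toy model of the Parameter Store / KMS permission question above.

Not the real IAM engine: Allow statements only, simple wildcards, and only the
kms:ViaService / kms:CallerAccount condition keys. All ids are placeholders.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                      # placeholder account id
REGION = "us-east-1"                          # placeholder region
SSM_SERVICE = f"ssm.{REGION}.amazonaws.com"   # kms:ViaService value for SSM calls
PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/app/db/password"
AWS_SSM_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/aws-managed-key-id"  # placeholder
CUSTOM_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/customer-key-id"      # placeholder

# Modelled on the aws/ssm managed key policy: any principal in the account may
# use the key, but only when the request arrives through the SSM service.
AWS_SSM_KEY_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": SSM_SERVICE,
                                   "kms:CallerAccount": ACCOUNT}},
}]}

# Typical customer-managed key policy: the account root is allowed, which
# delegates the decision to IAM identity policies. No SSM shortcut here.
CUSTOM_KEY_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "kms:*", "Resource": "*",
}]}

# Two candidate EC2 instance-role policies (constructed).
ROLE_SSM_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": PARAM_ARN}]}
ROLE_SSM_AND_KMS = {"Statement": ROLE_SSM_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": CUSTOM_KEY_ARN}]}


def _matches(patterns, value):
    """IAM-style wildcard match for an Action or Resource element."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def identity_allows(policy, action, resource):
    """Allow-only check of an identity (role) policy."""
    return any(s.get("Effect") == "Allow" and _matches(s["Action"], action)
               and _matches(s["Resource"], resource) for s in policy["Statement"])


def key_policy_decision(key_policy, caller_account, via_service):
    """'allow': key policy grants kms:Decrypt itself (the ViaService case);
    'iam': it delegates to IAM via the account root; 'deny': nothing applies."""
    delegated = False
    for s in key_policy["Statement"]:
        if s.get("Effect") != "Allow" or not _matches(s["Action"], "kms:Decrypt"):
            continue
        principal = s["Principal"]["AWS"]
        cond = s.get("Condition", {}).get("StringEquals", {})
        if principal == "*":
            # Every condition key present must equal the request context value.
            if (cond.get("kms:ViaService", via_service) == via_service
                    and cond.get("kms:CallerAccount", caller_account) == caller_account):
                return "allow"
        elif principal == f"arn:aws:iam::{caller_account}:root":
            delegated = True
    return "iam" if delegated else "deny"


def can_read_secure_string(role_policy, key_policy, key_arn):
    """Can the role fetch the SecureString parameter with decryption via SSM?"""
    if not identity_allows(role_policy, "ssm:GetParameter", PARAM_ARN):
        return False
    decision = key_policy_decision(key_policy, ACCOUNT, SSM_SERVICE)
    if decision == "allow":
        return True
    return decision == "iam" and identity_allows(role_policy, "kms:Decrypt", key_arn)


if __name__ == "__main__":
    # Default aws/ssm key: ssm:GetParameter alone is enough.
    print(can_read_secure_string(ROLE_SSM_ONLY, AWS_SSM_KEY_POLICY, AWS_SSM_KEY_ARN))
    # The same key refuses a direct KMS call that does not come through SSM.
    print(key_policy_decision(AWS_SSM_KEY_POLICY, ACCOUNT, None))
    # Customer-managed key: the role needs an explicit kms:Decrypt grant.
    print(can_read_secure_string(ROLE_SSM_ONLY, CUSTOM_KEY_POLICY, CUSTOM_KEY_ARN))
    print(can_read_secure_string(ROLE_SSM_AND_KMS, CUSTOM_KEY_POLICY, CUSTOM_KEY_ARN))
```

The first call succeeds with nothing but ssm:GetParameter on the role, because the managed key’s own policy already allows decryption for account principals calling through SSM; the second shows that the same key policy is of no use to a caller that invokes KMS directly, which is what the kms:ViaService condition is for. With the customer-managed key the key policy only delegates to IAM, so the role must carry kms:Decrypt on that key as well.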

This is not the only thing I found ambiguous in this set of questions.

The official AWS practice exam costs $50 and has 20 questions. It was a no-brainer for me to get it because I got it for free (if you have passed an exam, you’ll get a free practice exam). According to the instructor in the exam readiness course, the questions in the practice exam are taken from the real exam question pool.

I was disappointed that 12 out of 20 questions in the official practice exam (worth $50) can also be found in the practice exam of the free, publicly available exam readiness course, word for word. If it hadn’t been free, I would say it’s not worth buying, because I couldn’t get much more out of it, especially since I had already seen these questions in the course. I don’t think that asking $50 for something that you can get for free from the same source (AWS) is appropriate.

Finally, I took the practice exams from Tutorials Dojo. They released the new Security Specialty course just a week before I took the exam. The questions and explanations are good and Jon Bonso delivers the usual and expected quality. It’s a good source to fill the gaps in the knowledge.

I write about this in every exam review post: Practice exams are not about getting to know the questions before the exam. Just like the questions in your maths tests in high school were probably not taken from the textbook either. It wouldn’t be fair to know the questions (it’s cheating, right?) because it would devalue the certification itself and would be against the NDA.

The goal of taking these practice exams is to get a feel for the real exam, what kind of questions (length, difficulty, topics etc.) you can expect in the real exam. Some practice exams are better at achieving this goal, some of them are not that good.

Although it’s likely that you will see some very similar questions in the exam (there are no miracles, you can’t ask infinite questions on KMS, for example), it’s unrealistic to expect that practice exams leak out real questions. Everyone sitting the exam has to sign the non-disclosure agreement. And I think it’s better to have real knowledge instead of just a paper stating that I have met the requirements.

3. Exam

Let’s talk about the exam itself.

3.1. Home proctored

Due to Covid-19, I took the exam from my home. AWS made all exams available in a home proctored format. I’m not sure if it’s a permanent move or just a temporary thing because of the virus.

Overall, the exam proctored and delivered by Pearson VUE went very smoothly and I can truly recommend it.

The rules are very strict. My exam was scheduled for 9:00 am and I had my last glass of water at 8:00 am because I wasn’t allowed to leave the room for 3 hours, which is a very long time (especially for me, because I drink a lot of water).

There were no issues with the platform, computer or internet during the exam. They call you in before the exam, so be prepared to exchange a few words with the proctor. They will ask you to show them your desk (nothing can be there) and pull up your sleeves to show them your wrists (nothing is allowed to be worn).

They released the exam 15 minutes early after check-in.

3.2. Content

The exam was hard but fair. It contains 65 questions and you have 170 minutes to answer them. Non-native speakers of English can get an extra 30 minutes but I didn’t take this option.

About 35-40% of the questions were multiple-answer questions (2 out of 5 or 3 out of 6). I had quite a few long questions (6-7 lines) with long answers, where only one or two words were different. You need to read the questions and options very carefully.

Most questions are scenario-based and require a complex solution with multiple services. Again, details are important. The options might list five services for the automated solution and only differ in one service.

I tried to allocate two minutes for each question, then go over the marked ones and then all of them again in the remaining 50 minutes. This strategy was more or less successful, but the time was just enough. I could have used an extra 10-15 minutes.

The main topics in my exam were the following:

  • Heaps of EC2-related questions, going into detail (Linux, Windows, complex architectures with Auto Scaling Groups)
  • IAM, lots of policies (some of them are very tricky), cross account access, federation (AD)
  • KMS inside and out (key policies, rotation, imported key material)
  • A lot of questions on GuardDuty, not just what it is but how it works
  • Quite a few questions on Direct Connect and VPN, be prepared for these
  • Infrastructure protection: VPC, NACL, Security Groups (and the difference between them), host-based protection (a couple of questions on this one!)
  • Lots of CloudWatch-related troubleshooting questions, be familiar with how CloudWatch works
  • CloudTrail in great detail
  • A question or two on ACM (both public and private certificates)
  • VPC Endpoints, Inspector, Config (straightforward questions)
  • Incident response solutions (architecture, memory dumps, creating AMIs)
  • A few questions about Systems Manager and Secrets Manager and related permissions
  • Some questions on AWS Organizations, Service Control Policies and SSO, so make sure that you know how these services work

I was surprised not to get any questions on Cognito, CloudHSM and serverless, but I’m sure that it was just my paper because they are essential services and you should know about them in great detail.

4. Conclusion

In conclusion, here’s what I did to pass the exam:

  1. Go over the Ramp Up guide.
  2. Read a lot about these topics and even more.
  3. Do the labs, follow the documentation tutorials and invent new challenges based on what you read. I have a nice collection of these challenges and I might share them in a separate post.
  4. Some practice questions are nice to have.
  5. Although the Linux Academy course was good, it's not enough to pass the exam, so back to points 1-3.

Overall, the Security Specialty exam was good, the journey to the certification was fun, and I’m very proud of passing the exam with a solid score and having this certification.

I hope this post has helped. Feel free to reach out if you have any questions.

Thanks for reading and see you next time.