24 exercises that help you prepare for the AWS Security Specialty exam
I have recently passed the AWS Security Specialty exam.
Apart from reading documentation and whitepapers like crazy when preparing for the exam, I did quite a few exercises to make the concepts stick.
Please be aware that the recommendations and exercises described in this post will cost you some money. By doing these exercises you can expect a bill of about 10 USD a month, more if you have run out of your free tier quota.
The investment is worth it though. The exam costs 300 USD (or half that if you have passed another exam before). If you study for three or four months, you'll probably spend an extra $35-40 in total. That is better than paying the exam fee again if you don't pass on the first attempt.
You'll need practical experience to pass the exam. Even though the exam is focused on security, there are many different areas you'll need to be familiar with, and I would say that it's almost impossible to pass the exam without getting your feet wet.
2. Have multiple accounts
Have at least three accounts. Dedicate one of them to be the master account (AWS now calls it the management account), enable Organizations there and pull in the other accounts.
If you don't have multiple accounts, you can create the missing ones from within Organizations. In this case you won't get a root password for the new accounts (the root user exists, but you would have to reset its password through the account's email address), but the OrganizationAccountAccessRole is created in each member account by default and can be assumed from the master account. Assuming a role like this should be the preferred way to switch between accounts anyway, instead of logging out and in all over again.
3. Create a KMS CMK
This part is very important. You'll need to create a customer managed KMS CMK (customer master key; AWS now simply calls them KMS keys) in one of the accounts.
A customer managed CMK costs $1 a month, but you can use it for a lot of different exercises.
4. Extra hands-on experience
Let's look at the extra exercises I completed when preparing for the exam. You can reduce the cost by bunching exercises together; for example, those that need running EC2 instances can be done one after the other.
- Launch an EC2 instance with a key pair in a VPC. Enable VPC Flow Logs, send them to CloudWatch Logs and create an alarm that fires if three or more rejected requests have been recorded on port 22 in the last 5 minutes. Then intentionally make connections to the instance that the security group rejects.
- Enable VPC Flow Logs and send them to S3. Set up NACLs to block outgoing traffic. Use Athena to query the logs for rejected requests.
- Create an S3 bucket and a Gateway Endpoint in a VPC. Launch a Lambda function in the VPC. Modify the bucket policy to only accept uploads that arrive via the VPC endpoint. Invoke the Lambda function from the CLI and then try to upload a document manually from outside the VPC. What happens?
- Create three S3 buckets: one with SSE-S3, one with SSE-KMS using the AWS managed default key, and one with SSE-KMS using your customer managed CMK. Create a user/role whose only permission is to read objects from the buckets. Upload objects to the buckets using your admin access and try to get them using the newly created user/role. What happens? Which buckets can you read the objects from and why? What would have to be modified to be able to read objects from all three buckets? Don't even try to sit the exam if you can't answer these questions.
- Set up a rule in CloudWatch Events for monitoring root user activity (the rule matches CloudTrail events, so CloudTrail must be enabled). Set an SNS topic as the target for the rule and subscribe your email address to the topic. Then log in as the root user and do some harmless action (e.g. create an S3 bucket).
- Set up cross account access for getting objects from one account with the user/role in another account. What policies are needed? A very important topic, which is always asked in the exam.
- Create a user with a tag (e.g. Department: Development). Create an S3 bucket and a bucket policy so that the user can only access their own folder and their department's folder in the bucket (attribute-based access control).
- As stated above, create roles in your member accounts and switch roles when working in a different account of yours.
- Create a role that has permission to create a DynamoDB table only in the us-west-2 region. How many different solutions can you implement? (Hint: the aws:RequestedRegion condition key, permission boundaries, SCPs and the Not* elements (NotAction, NotResource) in IAM policies can all be used.)
- Create a role and a KMS grant for that role to encrypt and decrypt using your custom CMK.
- Set up a policy for a role that has permission to launch an EC2 instance only if the instance has the tag Project: Fox, only if the instance is in the us-west-2 region, and only if the user assuming the role has MFA enabled (try each condition on its own, then all three together).
- Create a Lambda function which isolates an EC2 instance (i.e. removes its security groups and attaches one with no inbound access from the internet; ideally no outbound rules either).
- Create a DynamoDB table and an S3 bucket, as well as a user with full S3 access. Add a permission boundary to the user that allows sqs:*. Can the user upload an object to S3? Can the user create an SQS queue? Now add the dynamodb:* permission to the user. Can they create a table? Why?
- A slight modification of the last task. Create a user with s3:* IAM permissions and add a permission boundary that only contains a DENY of all DynamoDB actions. Can the user upload an object to an S3 bucket? Why? Add a bucket policy to the bucket that allows the user full access (s3:*). Can the user upload the object now? Remove s3:* from the user's IAM permissions. How about now? Why? You must know the answer to questions like this before you book the exam!
- Set up cross-account access to S3 using ACLs. This is legacy, but it comes up in the exam.
- Start an EC2 instance and set up a CloudWatch Events rule that restarts the instance via a Lambda target when the instance is stopped. Then stop the instance and see if it restarts.
- Create a role in Account 1 which can only be assumed by supplying an external ID. Use the CLI to assume the role.
- Upload objects to an S3 bucket in another account and use your customer managed CMK to encrypt them. Think about what the key policy has to allow for this to work.
- Create S3 cross-region replication with all server-side encryption options. Which one cannot be used?
- Create a user and add a KMS grant for that user which allows generating a data key, then use the permissions given by the grant to generate a data key from the CLI. What is the difference between revoking and retiring a grant?
- Send WAF web ACL logs through Kinesis Data Firehose to S3.
- Create a 3-tier application in a VPC and configure security groups and NACLs. Use an Application Load Balancer in the web tier and an EC2 t2.micro in the application and database tiers to keep the cost low.
- Create an AWS Config rule, with an incident-response action attached, that fires when an S3 bucket ACL becomes public.
- Get your hands dirty with GuardDuty. This service is heavily featured in the exam.
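The first two exercises above come down to one piece of detection logic: count REJECT records for TCP destination port 22 per 5-minute window and alarm when the count reaches three. The Python below is an added example, not code from the original post: it parses VPC Flow Log records in the default (version 2) format and produces that count offline, which is the same number a CloudWatch Logs metric filter on the action and dstport fields would publish for the alarm, and the same fields the Athena query in the second exercise selects on. The log lines, account id, ENI and IP addresses are constructed for the example.

```python
"""Offline count of rejected SSH connections per 5-minute window.

Added example, not code from the post. It parses VPC Flow Log records in the
default (version 2) format and counts REJECT records for TCP destination port
22 per window, i.e. the number a CloudWatch Logs metric filter on those fields
would publish for a ">= 3 in 5 minutes" alarm. The log lines, account id, ENI
and addresses below are constructed for the example.
"""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

TCP = 6
SSH = 22

# Constructed records. 1700000100 and 1700000400 are both multiples of 300,
# so the first three rejects share one 5-minute window and the last one
# starts a new window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.1.10 51000 22 6 1 40 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.1.10 51001 22 6 1 40 1700000130 1700000190 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 40000 443 6 10 1200 1700000140 1700000200 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.10 51002 22 6 1 40 1700000220 1700000280 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 192.168.1.4 10.0.1.10 51003 22 6 3 120 1700000300 1700000360 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.10 51004 22 17 1 40 1700000350 1700000410 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.1.10 51005 22 6 1 40 1700000400 1700000460 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000400 1700000460 - NODATA
"""


def parse_record(line):
    """Return a dict for one default-format record, or None if it carries no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None                      # malformed line or a custom log format
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":        # NODATA / SKIPDATA records have '-' in the flow fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def rejected_ssh_per_window(log_text, window_seconds=300):
    """Map window start (epoch seconds) -> number of REJECTed TCP/22 records."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        # SSH is TCP, so a UDP packet to port 22 is not counted.
        if rec["action"] == "REJECT" and rec["dstport"] == SSH and rec["protocol"] == TCP:
            counts[rec["start"] - rec["start"] % window_seconds] += 1
    return dict(counts)


def alarm_windows(log_text, threshold=3, window_seconds=300):
    """Window starts in which the alarm condition (>= threshold rejects) holds."""
    per_window = rejected_ssh_per_window(log_text, window_seconds)
    return sorted(start for start, n in per_window.items() if n >= threshold)


if __name__ == "__main__":
    for start in alarm_windows(SAMPLE_LOG):
        print(f"ALARM: >=3 rejected SSH attempts in the window starting at {start}")
```

Two things to keep in mind when you compare this with the real alarm: the start field is the beginning of the flow log capture window and records are delivered minutes later, so the CloudWatch alarm lags the actual connection attempts; and REJECT is recorded for both security group and NACL drops, so the counts do not tell you which of the two blocked the traffic.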
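The two permission-boundary tasks above, and the cross-account S3 task, all follow from the documented IAM evaluation order for an IAM user: an explicit Deny in any applicable policy wins; within one account a resource-based policy that names the user directly grants access on its own and is not limited by the implicit deny of a permission boundary; otherwise an identity-based policy must allow the action and the boundary, if one is attached, must allow it too; across accounts both the identity policy and the resource policy have to allow it. The Python below is an added example, not code from the original post: it encodes those rules in a small offline evaluator and runs the exercise scenarios through it, so you can check your answers before you try them in a real account. The account id, user name and policy documents are constructed; it matches on the Action element only and ignores Resource, Condition, SCPs and session policies, and it does not model roles, whose interaction with boundaries differs from that of users.

```python
"""Offline model of the IAM policy evaluation order for one API action.

Added example, not the post's own code. It models the documented same-account
evaluation rules for an IAM *user* so the two permission-boundary exercises
above can be reasoned through before touching a real account. Assumptions:
matching on the Action element only (Resource and Condition are ignored),
no SCPs or session policies, roles not modelled, and the account id and user
name are placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(action, pattern):
    # IAM action names are case-insensitive; patterns may contain '*'.
    return fnmatchcase(action.lower(), pattern.lower())


def _decision(policy, action, principal_arn=None):
    """'Deny', 'Allow' or None (no matching statement) for one policy document.

    With principal_arn set the document is read as a resource-based policy and
    only statements naming that principal (or '*') are considered.
    """
    if policy is None:
        return None
    allowed = False
    for stmt in policy["Statement"]:
        if principal_arn is not None:
            principal = stmt.get("Principal", {})
            arns = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
            if principal_arn not in arns and "*" not in arns:
                continue
        if not any(_matches(action, a) for a in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in this document is final
        allowed = True
    return "Allow" if allowed else None


def evaluate(action, user_arn, identity_policies=(), boundary=None,
             resource_policy=None, same_account=True):
    """Final Allow/Deny for an IAM user calling `action`."""
    identity = [_decision(p, action) for p in identity_policies]
    bound = _decision(boundary, action)
    resource = _decision(resource_policy, action, user_arn)

    # 1. An explicit Deny in any applicable policy always wins.
    if "Deny" in identity or bound == "Deny" or resource == "Deny":
        return "Deny"
    # 2. Same account: a resource-based policy that names the user directly is
    #    enough on its own; the boundary's *implicit* deny does not limit it.
    if same_account and resource == "Allow":
        return "Allow"
    # 3. Otherwise an identity policy must allow, the boundary (if attached)
    #    must allow as well, and cross-account access additionally needs the
    #    resource-based policy to allow this principal.
    identity_allows = "Allow" in identity
    boundary_allows = boundary is None or bound == "Allow"
    resource_ok = same_account or resource == "Allow"
    return "Allow" if identity_allows and boundary_allows and resource_ok else "Deny"


# Policies for the exercises (constructed; the account id is a placeholder).
USER = "arn:aws:iam::111111111111:user/exam-user"
S3_FULL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DDB_FULL = {"Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
SQS_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}
DENY_DDB_BOUNDARY = {"Statement": [{"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER},
                                "Action": "s3:*", "Resource": "*"}]}


def boundary_exercises():
    """Decisions for the exercise scenarios, keyed by a short description."""
    return {
        # user with s3:*, boundary allowing only sqs:*
        "s3:* + sqs boundary -> PutObject": evaluate("s3:PutObject", USER, [S3_FULL], SQS_BOUNDARY),
        "s3:* + sqs boundary -> CreateQueue": evaluate("sqs:CreateQueue", USER, [S3_FULL], SQS_BOUNDARY),
        "s3:*,dynamodb:* + sqs boundary -> CreateTable": evaluate("dynamodb:CreateTable", USER, [S3_FULL, DDB_FULL], SQS_BOUNDARY),
        # user with s3:*, boundary that only denies DynamoDB
        "s3:* + deny-ddb boundary -> PutObject": evaluate("s3:PutObject", USER, [S3_FULL], DENY_DDB_BOUNDARY),
        "... plus bucket policy -> PutObject": evaluate("s3:PutObject", USER, [S3_FULL], DENY_DDB_BOUNDARY, BUCKET_POLICY),
        "bucket policy only -> PutObject": evaluate("s3:PutObject", USER, [], DENY_DDB_BOUNDARY, BUCKET_POLICY),
        # the same bucket policy seen from another account needs both sides
        "cross-account, identity + bucket policy -> GetObject": evaluate("s3:GetObject", USER, [S3_FULL], None, BUCKET_POLICY, same_account=False),
        "cross-account, bucket policy only -> GetObject": evaluate("s3:GetObject", USER, [], None, BUCKET_POLICY, same_account=False),
    }


if __name__ == "__main__":
    for scenario, decision in boundary_exercises().items():
        print(f"{decision:5} {scenario}")
```

The point to take away from the second scenario is that a boundary containing only a Deny statement allows nothing at all: it is the boundary's missing Allow, not the Deny on DynamoDB, that blocks the S3 upload, and a same-account bucket policy that names the user gets around that implicit deny but never around an explicit one.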
Do heaps of practice and read a lot.
I hope this post helps you with the first part. Good luck.
Thanks for reading and see you next time.