2020 Preparation Guide for AWS Certified Security — Specialty
While it’s fresh…
Today, I wrote and passed the AWS Certified Security — Specialty exam (SCS-C01). While the experience is still fresh in my mind, I want to solidify my thoughts into a format that others can digest. Hopefully this article will help others prepare for this exam, find value in, and achieve the certification.
Disclaimer…
Everyone’s preparedness going into these certification exams will be different. We all have differing levels of experience with AWS service offerings. Given this, my experience will invariably differ from yours and I highly suggest you seek out additional resources beyond what I’ve mentioned here to fill any knowledge or experience gaps you may have.
Questions that appear on AWS certification exams tend to come from a large and varied bank of questions. AWS keeps updating, adding, and removing questions as service offerings change. The likely-hood that any two people will receive the same set of questions is extremely low. Insights I provide here are based on the set of questions I encountered. This is also why many people will tell you memorizing exam dumps for AWS exams is futile.
Lastly, as with any professional certification exam, candidates must sign an NDA before taking the exam, disallowing them from disclosing the contents of the exam. Therefore, this article is focused on how I studied, and less about what I experienced on the exam itself.
Prior experience going into the exam…
With that disclaimer out of the way, what is my background with AWS prior to preparing for this exam?
For roughly 5 years, I’ve worked with AWS in a couple main capacities:
DevOps for an ASP/SaaS Provider
Working closely with services such as EC2, VPC, S3, CloudTrail, KMS, Route53, CloudWatch, IAM, Systems Manager. Writing and maintaining PowerShell, and Python (Boto3) scripts that make use of the AWS API and SDK. As well as occasional administrative tasks using the AWS CLI.
(Tech) Founder @ Lockdrop
Working with Serverless technologies such as API Gateway, Lambda, DynamoDB, S3, SNS, CloudFront, WAF, ACM, CloudFormation, CodePipeline, CodeCommit, CodeBuild, Athena
Prior experience with AWS Certification exams include:
- AWS Certified Solutions Architect — Associate (Passed)
- AWS Certified Solutions Architect — Professional (Passed)
As a testament to AWS’s ability to write exams that validate your experience (not just knowledge), I actually failed my first attempt at the AWS-ASA exam back in 2015. After spending a few months getting much more hands on experience, I retook and passed.
Thoughts going into the exam…
Given Covid19, I ended up taking the exam using remote proctoring through PearsonVUE. This option is really great, as you can write the exam in the comfort of your own home, shorten your commute (substantially), and have better control over potential distractions, among other advantages.
As you’ll see later from the study materials I used, there were many suggestions of potential questions around newer AWS services such as:
- AWS GuardDuty
- AWS Inspector
- AWS Macie
- AWS Firewall Manager
- AWS Security Hub
Going into the exam I was a bit nervous about the frequency of these topics as they were all relatively new to me.
Coming out of the exam…
Coming out of the exam, I was pleasantly surprised that with exception of AWS Inspector, most of the newer services that I was apprehensive about didn’t seem to materialize in the set of questions I was given.
Based on the set of questions I saw on the exam, I would recommend focusing study efforts on the following services, especially if you are not solid on them already.
- Amazon VPC
- AWS IAM
- AWS CloudTrail
- AWS Config
- AWS KMS
- Amazon CloudFront
- Amazon S3
Additionally, less frequent but notable services:
- AWS Systems Manager
- AWS Certificate Manager
- AWS WAF
- AWS Organizations
- AWS Inspector
Overall the exam did not seem as difficult as I had initially believed based on the study material, practice quizzes, and the breadth of related services.
How I studied…
Keep in mind, your depth and breadth of study should be catered to your individual knowledge and experience with AWS, and it’s service offering. For myself, I spent around a week of semi-intense study catching up on areas I was already familiar with (which thankfully are the core services of the exam), as well as reviewing some of the newer services I did not have experience with (Macie, GuardDuty, Config, Security Hub, Firewall Manager, Inspector).
What follows is a list of resources I used to prepare for the exam, in roughly the same order that I consumed them.
Official AWS Resources
AWS provides some good resources for gaining insight into the security ecosystem on AWS. That said, I wouldn’t say it’s necessarily targeted towards the content of the exam, below is a list of resources I used as referenced on the AWS certification prep page: https://aws.amazon.com/certification/certification-prep/
Exam Guide / Blueprint
Sample Questions
Exam Readiness Training — https://www.aws.training/Details/eLearning?id=34786
FAQ / Best Practices
If you take the Exam Readiness Training from above, you’ll find that it references a number of services for each domain on the exam. I took this list and dug deeper, reviewing the FAQ and Best Practices for each service. Digging deeper into the documentation as needed based on gaps in my own knowledge.
- AWS Config — FAQ, Best Practices
- AWS CloudTrail — FAQ, Best Practices
- Amazon CloudWatch — FAQ
- AWS Directory Service — FAQ, Best Practices
- AWS Secrets Manager — FAQ, Best Practices
- AWS Shield — FAQ, Best Practices
- AWS KMS — FAQ, Best Practices
- AWS IAM — FAQ, Best Practices
- Amazon RDS — FAQ, Best Practices
- AWS WAF — FAQ
- Amazon S3 Glacier — FAQ, Best Practices
- AWS Service Catalog — FAQ, Best Practices
- AWS Trusted Advisor — FAQ
- Amazon VPC — FAQ, Best Practices
Practice Exam — https://www.aws.training/certification?src=exam-prep
Others experiences…
After reviewing some of the official AWS resources, I proceeded to check out what others have said about the exam and how they studied. Surprisingly I couldn’t find a whole lot (especially more recent), which is part of my motivation for writing this article.
Some of what I did find:
- https://www.reddit.com/r/AWSCertifications/comments/hcs6fi/passed_certified_security_specialty/
- https://www.trenchesofit.com/2019/10/01/how-i-passed-aws-security/
- https://medium.com/@rzepsky/passing-the-aws-certified-security-speciality-exam-d5ac90b3cdbc
I would recommend reviewing the above posts / articles, especially that last one. Pawel Rzepa put together an AMAZING mind map, I won’t link to it directly, go check out his post.
A Cloud Guru
Quite a few people online recommended the AWS Certified Security — Specialty course on A Cloud Guru. I would 100% echo this.
They’ve done a great job of highlighting the specific aspects of the services covered on the exam, and there is a significant amount of recently updated content thanks to @fayecloudguru.
For myself, I really focused on the chapter review videos, newer updates, and videos in “Chapter 8: Updates Based On Student Feedback”. That said, my exam didn’t seem to contain noticeable mentions of the newer content. Don’t forget to check out their “Chapter 9: Troubleshooting Scenarios” section.
Further Reading & Practice…
For those wanting to dig deeper as part of their prep, I’d highly recommend looking up AWS Whitepapers on the relevant services, and ones that are security related.
Most importantly, if you don’t have significant hands-on experience with the AWS services at the core of the exam. Make sure you follow some of the labs available both through AWS training, the A Cloud Guru course, and elsewhere. Otherwise, poke around the service consoles and get a feel for how things work on your own. You’d be surprised how different (atleast visually) the hands-on experience can be from what is described in the docs.
Final Exam Tips & Thoughts…
As I mentioned in the disclaimer, the set of questions I encountered will certainly differ from any questions you might encounter.
Based on the questions I got, I would recommend focusing more on the core services and their interactions (IAM, VPC, KMS, AWS Config, CloudTrail, and AWS Organizations, etc…).
Don’t get too caught up studying the newer services such as (Macie, GuardDuty, Security Hub, Firewall Manager). Definitely review those services at a high level (A Cloud Guru coverage was good), this familiarity was helpful in being able to filter them out as distractions.
Is the exam worth it? As I’ve told and continue tell people frequently, the biggest value in taking AWS exams (in my experience) is the familiarity you gain with the AWS service offerings. This knowledge is really important when it comes to designing applications and services that allow you to reduce development effort, reduce operational/maintenance overhead, scale quickly, and most importantly, securely.