2020 Preparation Guide for AWS Certified Security — Specialty

6 min readJun 24, 2020

While it’s fresh…

Today, I wrote and passed the AWS Certified Security — Specialty exam (SCS-C01). While the experience is still fresh in my mind, I want to solidify my thoughts into a format that others can digest. Hopefully this article will help others prepare for this exam, find value in, and achieve the certification.

Disclaimer…

Everyone’s preparedness going into these certification exams will be different. We all have differing levels of experience with AWS service offerings. Given this, my experience will invariably differ from yours and I highly suggest you seek out additional resources beyond what I’ve mentioned here to fill any knowledge or experience gaps you may have.

Questions that appear on AWS certification exams tend to come from a large and varied bank of questions. AWS keeps updating, adding, and removing questions as service offerings change. The likely-hood that any two people will receive the same set of questions is extremely low. Insights I provide here are based on the set of questions I encountered. This is also why many people will tell you memorizing exam dumps for AWS exams is futile.

Lastly, as with any professional certification exam, candidates must sign an NDA before taking the exam, disallowing them from disclosing the contents of the exam. Therefore, this article is focused on how I studied, and less about what I experienced on the exam itself.

Prior experience going into the exam…

With that disclaimer out of the way, what is my background with AWS prior to preparing for this exam?

For roughly 5 years, I’ve worked with AWS in a couple main capacities:

DevOps for an ASP/SaaS Provider

Working closely with services such as EC2, VPC, S3, CloudTrail, KMS, Route53, CloudWatch, IAM, Systems Manager. Writing and maintaining PowerShell, and Python (Boto3) scripts that make use of the AWS API and SDK. As well as occasional administrative tasks using the AWS CLI.

(Tech) Founder @ Lockdrop

Working with Serverless technologies such as API Gateway, Lambda, DynamoDB, S3, SNS, CloudFront, WAF, ACM, CloudFormation, CodePipeline, CodeCommit, CodeBuild, Athena

Prior experience with AWS Certification exams include:

AWS Certified Solutions Architect — Associate (Passed)
AWS Certified Solutions Architect — Professional (Passed)

As a testament to AWS’s ability to write exams that validate your experience (not just knowledge), I actually failed my first attempt at the AWS-ASA exam back in 2015. After spending a few months getting much more hands on experience, I retook and passed.

Thoughts going into the exam…

Given Covid19, I ended up taking the exam using remote proctoring through PearsonVUE. This option is really great, as you can write the exam in the comfort of your own home, shorten your commute (substantially), and have better control over potential distractions, among other advantages.

As you’ll see later from the study materials I used, there were many suggestions of potential questions around newer AWS services such as:

AWS GuardDuty
AWS Inspector
AWS Macie
AWS Firewall Manager
AWS Security Hub

Going into the exam I was a bit nervous about the frequency of these topics as they were all relatively new to me.

Coming out of the exam…

Coming out of the exam, I was pleasantly surprised that with exception of AWS Inspector, most of the newer services that I was apprehensive about didn’t seem to materialize in the set of questions I was given.

Based on the set of questions I saw on the exam, I would recommend focusing study efforts on the following services, especially if you are not solid on them already.

Amazon VPC
AWS IAM
AWS CloudTrail
AWS Config
AWS KMS
Amazon CloudFront
Amazon S3

Additionally, less frequent but notable services:

AWS Systems Manager
AWS Certificate Manager
AWS WAF
AWS Organizations
AWS Inspector

Overall the exam did not seem as difficult as I had initially believed based on the study material, practice quizzes, and the breadth of related services.

How I studied…

Keep in mind, your depth and breadth of study should be catered to your individual knowledge and experience with AWS, and it’s service offering. For myself, I spent around a week of semi-intense study catching up on areas I was already familiar with (which thankfully are the core services of the exam), as well as reviewing some of the newer services I did not have experience with (Macie, GuardDuty, Config, Security Hub, Firewall Manager, Inspector).

What follows is a list of resources I used to prepare for the exam, in roughly the same order that I consumed them.

Official AWS Resources

AWS provides some good resources for gaining insight into the security ecosystem on AWS. That said, I wouldn’t say it’s necessarily targeted towards the content of the exam, below is a list of resources I used as referenced on the AWS certification prep page: https://aws.amazon.com/certification/certification-prep/

Exam Guide / Blueprint

Sample Questions

Exam Readiness Training — https://www.aws.training/Details/eLearning?id=34786

FAQ / Best Practices

If you take the Exam Readiness Training from above, you’ll find that it references a number of services for each domain on the exam. I took this list and dug deeper, reviewing the FAQ and Best Practices for each service. Digging deeper into the documentation as needed based on gaps in my own knowledge.

AWS Config — FAQ, Best Practices
AWS CloudTrail — FAQ, Best Practices
Amazon CloudWatch — FAQ
AWS Directory Service — FAQ, Best Practices
AWS Secrets Manager — FAQ, Best Practices
AWS Shield — FAQ, Best Practices
AWS KMS — FAQ, Best Practices
AWS IAM — FAQ, Best Practices
Amazon RDS — FAQ, Best Practices
AWS WAF — FAQ
Amazon S3 Glacier — FAQ, Best Practices
AWS Service Catalog — FAQ, Best Practices
AWS Trusted Advisor — FAQ
Amazon VPC — FAQ, Best Practices

Practice Exam — https://www.aws.training/certification?src=exam-prep

Others experiences…

After reviewing some of the official AWS resources, I proceeded to check out what others have said about the exam and how they studied. Surprisingly I couldn’t find a whole lot (especially more recent), which is part of my motivation for writing this article.

Some of what I did find:

I would recommend reviewing the above posts / articles, especially that last one. Pawel Rzepa put together an AMAZING mind map, I won’t link to it directly, go check out his post.

A Cloud Guru

Quite a few people online recommended the AWS Certified Security — Specialty course on A Cloud Guru. I would 100% echo this.

They’ve done a great job of highlighting the specific aspects of the services covered on the exam, and there is a significant amount of recently updated content thanks to @fayecloudguru.

For myself, I really focused on the chapter review videos, newer updates, and videos in “Chapter 8: Updates Based On Student Feedback”. That said, my exam didn’t seem to contain noticeable mentions of the newer content. Don’t forget to check out their “Chapter 9: Troubleshooting Scenarios” section.

Final Exam Tips & Thoughts…

As I mentioned in the disclaimer, the set of questions I encountered will certainly differ from any questions you might encounter.

Based on the questions I got, I would recommend focusing more on the core services and their interactions (IAM, VPC, KMS, AWS Config, CloudTrail, and AWS Organizations, etc…).

Don’t get too caught up studying the newer services such as (Macie, GuardDuty, Security Hub, Firewall Manager). Definitely review those services at a high level (A Cloud Guru coverage was good), this familiarity was helpful in being able to filter them out as distractions.

Is the exam worth it? As I’ve told and continue tell people frequently, the biggest value in taking AWS exams (in my experience) is the familiarity you gain with the AWS service offerings. This knowledge is really important when it comes to designing applications and services that allow you to reduce development effort, reduce operational/maintenance overhead, scale quickly, and most importantly, securely.