AWS Certified Security Specialty Tips

Troubleshooting, troubleshooting and more troubleshooting… and some unusual combination of services to implement a secure architecture. This sentence is a summary of the AWS Certified Security - Specialty exam. Take a look at the following post If you are interested in some tips and the strategy that I have followed to pass the exam.

Score

My scaled score was 805/1000. This is the first exam that has also informed me about the required score to pass, you will need a minimum of 750/1000 to succeed. I am still investigating, but I think AWS changed the way the exams are graded and I am pretty sure they elevated the minimum score to pass in most of the exams. Taking the Developer Associate exam as an example, I know people that have passed the old Associate exams with 65%, but you precise a 720/1000 to pass the new version.

Prelude

I presented the exam on February 7th, the exam was scheduled soon as I could because the seats were limited in my city. It took me 2 months to prepare the exam, from Dec 2018 to Feb 2019. My Security knowledge used to be basic, with a bit of advanced services/solutions wisdom, in essence, what a typical Sr. Developer could have found in formal projects.

The strategy before the exam

For this one I used the following resources:

 The "A Cloud Guru" (ACG) course

• Good intro to the exam topics, I’ve only watched the course once and it is the only course in ACG, so far, that I think it does not cover the necessary exam topics. So either you complement it with other courses or you expand your knowledge on each topic with resources on the web, like reInvent videos or the AWS Developer guides, I have included links at the end of the post.

"Linux Academy" course

• This was the real preparation, I watched it twice and repeated some videos like Permission Boundaries, Service Control Policies, Cross-account logging and a few others. The videos are precise, entertaining and with great advices. All the sections have a subsection that it is dedicated to troubleshooting. The test exam at end of the course was really beneficial because it helped me to realize about two important topics that I was underestimating, KMS policies and S3 encryption for Cross Region Replication.

"reInvent" and other videos

• You can find a list of the videos that I have watched at the end of the post, they helped me to understand services a lot better, may be a little bit more than what’s needed for the exam.

Whizlabs exams

• I think that the real exam was harder that the Whizlabs exams, the level and the combination of services was pretty unusual in the former. But I do recommend to take the exams as they will help to recognize your weaknesses, these exams help you there. Plus they will verify your understanding on all the services and their architecture.
• I took each of the 3 exams that were available at that time only once, my scores were: 79, 81 and 86.

Whitepapers

• DDoS attacks
• Well framework architecture

As always I created small documents to write down the important topics and remarkable advices from the videos. I did not have much time to look at the FAQs, and when I went to check them they did not help much to solve doubts. I found most of the answer in the AWS Developer Guides. As a good specialty exam, you will not pass if you only know the limits, costs, main features and limitations of the key services, this time you need to know how to implement security architectures in broad amount of services, solutions and topics. My suggestion is that you should study as many use cases and architectures as you can find on the web. Search in the Developer Guides, look for blogs, white papers and other advance material to increase your knowledge.

Deep dive into the exam

You will have 2 hours and 50 minutes to answer 65 questions. I do not know you, but at the middle of the exam I usually evaluate internally the objectives that I have set by forehand, it was then when I was attacked by discouragement: The questions were hard because they presented architectures that I have never seen or that at least are not usual (but still technically possible), I was not going fast enough to save time to review the flagged questions at the end, the name of the services were confusing on purpose and the place was kind of noisy, so it was hard to concentrate. The thought that brought me back on track was this: "I was already there and I did not want to spend 300 extra dollars to try again", so I took a deep breath (OK, I took three of those) and kept going. I wrote a post indicating that the BigData specialty was the hardest exam that I have even presented, and I still think it is, because the questions were quite long to read as well as the answers, and you have 4 of these per question. The Security exam is not so wordy, after I have pull myself together I was able to gain back time and I had a lot of time at the end to review 19 flagged questions. Still, the question are really hard, as they presented unusual architectures. You must be prepared to make the security services fit into the existing solutions. I have also cleared the DevOps Pro exam on January 16th and that exam was a piece of cake for me compared to the Security exam. You will have around 2.5 minutes to answer each question, fortunately, there are some questions that will not take you more than 30 seconds, those really helped in the review process, even when they appeared at the end of the exam, it was a relief in any case. In this exam, the advise to read the last piece of the question and note what is the main concern (lowest cost, increase reliability, most secure way, etc.), was not adequate for most of the cases, as most of them were: “How do you check what’s wrong?”, “How do you fix it?”, “How do you investigate this issue?”, “How do you contain that menace?”. So it is not about the service as it is much about the combination of steps and services. I was able to eliminate one question right away, sometimes even two, so I followed this approach as frequently as possible. Sometimes, two answers in a question were like a template, were only one or two words would change between them, so try to compare them quickly and find the service that does not fit or the one that is required in the solution.

The services that I have found in the exam

There are many services and solutions in AWS, and as you may imagine, most of which include a default security feature or they provide security overall. Here is a list of the services that I found (and those that I did not find) in the exam according to the number of times I saw them:

You need to be proficient here

• KMS plus Identity policies
  • You will get questions that contain JSON policies, you need to recognize how they merge, what they grant, if they allow you to manage or/and use the keys.
• Troubleshooting concepts on all the services
  • Typos, SNS issues, encryption issues, incorrect combination of services. Learn all you can about troubleshooting, the best way to do it, is with hands-ons and labs. Practice, practice, practice.
• CloudWatch Architecture
  • Remember the different services that can send logs to CloudWatch.
• CloudTrail Architectures
  • Turn on CloudTrail and study all the options in the configuration panel: Encryption, CW Logs, Data Events and the role to assign permission.

High number of appearances

• S3 Bucket policy
  • You will not find Object ACLs, but you will be tested on Bucket policies
• NACL/SG
  • You should not have any problems with these concepts at this point, but you will be tested about them, remember that SGs are stateful while NACLs are not, you need to allow traffic in and out according to the scenario. Plus remember that SGs can reference other SGs and they cannot block traffic, only allow it. NACLs can only reference CIDRs and IPs, and that the rules have an order.
• WAF
  • Know that you can generate rules and you can integrate WAF to CloudFront and ELBs.
• Automated Response
  • Learn to use CT logs, CW Alarms/Metrics, AWS Config, Trusted Advisor and S3 Events to detect or fire up CW Events so you can react to undesired changes and remediate them with Lambda or/and send a SNS notification.
• CloudWatch Events
  • Remember that CW can detect events like in Config and CloudTrail to execute an action.
• CloudWatch Alarms and Metrics
  • Remember that Alarms are controlled by Metrics, and when an alarm changes states, you can send a notification.
• Use of Roles (assume roles, trust policy, EC2 roles)
  • Remember that you assume a role with another AWS account or with STS.
  • Remember that a trust policy indicates who can assume the role.
  • Remember that 99% of the time, you should use EC2 roles instead of access keys.
• Cross Account Access
  • Study how a user in a different account can get access to your account, it is pretty related to the previous point.
• System Manager Param Store
  • Remember that it provides secure, hierarchical storage for configuration data management. You can keep passwords, database strings, and license codes, all as plain text or encrypted data.
• S3 Encryption at rest
  • Remember that you can use SSE with S3, KMS and Customer keys. Keep in mind that with replication, KMS needs some extra configuration in the replication configuration, plus SSE-C is not supported in CRR.

Surprising appearances

• VPN
  • Connections through a VPN are encrypted.
• Direct Connect (DC)
  • Connections through DC are faster and adds stability, but they require additional connections so it could take time to be configured.
• VPC Endpoints at high level
  • VPC Endpoints allow you to connect with AWS services but without using the internet, improving security and latency.
• Kinesis
  • If you need to process a lot of information in near-real time, like logs or ssh tries, use Kinesis Streams.
• CloudFormation
  • CloudFormation motto is “Infrastructure as a code”, so you can use the description of objects (and their interaction with other objects) in plain text to deploy services and architectures in AWS. In few words, you can easily and quickly duplicate infrastructure.

Regular appearance in the exam

• Config
  • Helpful to detect and check for changes in your environment, like changes in SGs or entities permissions.
• Inspector agent
  • An agent to assess network exposure of EC2 instances, do not confuse it with SSM agent.
• Centralized Logging
  • Use an S3 in a different account as the logging storage place of other accounts.
• Service Control Policy
  • If you work with more than one account, you need to reduce the blast radius and organize your team better. You can enforce controls by using Organizational Units and prevent users, even the root users, to grant themselves access to unauthorized actions.
• Permission Boundaries
  • Remember that permissions boundaries allow you to restrict permissions to only desired services and actions.
• CloudWatch Filters
  • There were a lot of answers that used this concept, not necessarily the correct one, keep in mind that you can apply filters to generate metrics.
• Bastions
  • In few words, this is an EC2 machine in a public subnet that can be used as a jump box to maintain instances in private subnets.
• System Manager (SSM) agent
  • Maintain your fleet of EC2 instances without having to SSH on each one of them, just install the agent (most of the usual AMIs already include them) and start managing them from the console.
• Packet Capture
  • Remember that you are not allowed to use an EC2 in a promiscuous mode, so you will require to install a sniffer in EC2 to track packet content.

Low appearance

• ACM
  • Do you need to add a certificate to your site? You can use ACM.
• GuardDuty
  • Machine Learning service that detects unusual behavior in your services related to security.
• Trusted Advisor
  • Scan your architecture, compare it with established best practices and get recommendations.
• EC2 Key Pairs
  • Remember that you can opt-in to manage the public keys in EC2 to modify the way you login into the instances.
• Network artifacts in general other than those already mentioned (NATs, Gateways)
  • Remember that you need an Internet Gateway attached to your VPC so it can take packets to the internet, and that NAT Gateways/Instances allow you to start traffic to communicate with the outside world while preventing to receive non-intended communication from the internet.
• Identity Federation with Cognito
  • Study the different ways Cognito can help you minimize the effort to login manage users.
• Encryption SDK
  • Do not create a new SDK, use the one provided by AWS and save time to manage and use your KMS keys.

Appeared once and as incorrect answers

• DNS queries
• S3 Access Logs
• VPC Flow Logs
• Abuse Notification

The missing ones

• Bucket ACLs
• CloudFront
• Signed URLs
• Event Buses
• Route53
• Wipe process for EBS and EC2 Memory
• AWS Shield

The exam is challenging, so my final recommendation is to get your hands dirty in order to learn about the steps that are needed to setup configurations, this will help you to learn troubleshooting as this is one of the skills that is most recurrent and which is a difficult topic in the exam. I will not wish you luck, I wish you to be prepared for this exam, so practice, and practice, and practice.

References

Courses

• Linux Academy: AWS Certified Security - Specialty Certification
• A Cloud Guru: Certified Security Specialty
• Whizlabs: AWS Certified Security Specialty - Practice Tests

reInvent and other videos

• 5 Minutes to Amazon Cognito: Federated Identity and Mobile App Demo
• Security & Compliance: First Steps to Best Practices (Level 100)
• AWS re:Invent 2016: Introduction to Amazon CloudFront (CTD205)
• AWS re:Invent 2017: Running Lean Architectures: How to Optimize for Cost Efficiency (ARC303)
• Cloud Academy Webinar: How to pass the AWS Security Specialist exam?
• Journey Through the Cloud - Security Best Practices

White papers

• DDoS attacks
• Well framework architecture

Other references

• AWS Developer Guides
• AWS Certified BigData - Specialty tip