How I successfully passed the AWS Certified Security Specialty exam
Last December (2019) I had the chance to successfully pass the AWS Certified Security Specialty exam. It took me between 2 and 3 months of study, with a not-so-balanced lifestyle in terms of the time I devoted to my family and to resting properly.
The exam time is approximately 180 minutes, which a priori seems to be more than enough compared with the mock exams available on Whizlabs, which usually took me around 90 minutes at most. Because the scenario-based questions are really different and contain a lot more detail, you have to be well prepared, understanding not only each service but also the context and the services it interacts with, preferably with a good knowledge of AWS architecture.
My initial preparation material was the A Cloud Guru – AWS Certified Security Specialty course, but while I was going through the Whizlabs mock exams I realized that using only this material would be far from enough. This is the reason why I prepared this list of the additional resources I used, which I hope you find useful.
Data Protection Services
AWS Docs
- Allowing Users in Other Accounts to Use a CMK
- AWS Key Management Service Concepts
- Enabling Rotation for an Amazon RDS Database Secret
- How AWS Services use AWS KMS
- Importing Key Material in AWS Key Management Service (AWS KMS)
- KMS CLI Encrypt
- KMS CLI Decrypt
- KMS Limits
- Rotating Customer Master Keys
- Sign (CloudHSM)
- Troubleshooting Key Access
- Using Key Policies in AWS KMS
- What Is AWS Certificate Manager?
- What Is AWS CloudHSM?
- What Is AWS Secrets Manager?
Videos
- A Deep Dive into AWS Encryption Services
- Best Practices for Implementing AWS Key Management Service
- Encryption and Key Management in AWS
- Introducing AWS Key Management Service Custom Key Store
Identity and Access Management (IAM) & Authentication/Authorization Services
AWS Docs
- Adding Social Identity Providers to a User Pool
- AWS Federated Authentication with Active Directory Federation Services (AD FS)
- Common Scenarios for Roles: Users, Applications, and Services
- Enabling SAML 2.0 Federated Users to Access the AWS Management Console
- Integrate a REST API with an Amazon Cognito User Pool
- Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
- Using IAM Policies with AWS KMS
Videos
- Become an IAM Policy Master in 60 Minutes or Less
- Best Practices for Using AWS Identity and Access Management (IAM) Roles
- IAM Policy Ninja
- Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito
- Soup to Nuts: Identity Federation for AWS
Compliance Services
Networking & Content Delivery Services
AWS Docs
- Analyzing Amazon VPC Flow Log data with support for Amazon S3 as a destination
- Architecture – Linux Bastion Hosts on the AWS Cloud
- DHCP Options Sets
- Endpoints for Amazon DynamoDB
- Gateway VPC Endpoints
- Managing and Using a Web Access Control List (Web ACL)
- SSL Negotiation Configurations for Classic Load Balancers
Videos
- Amazon CloudFront Flash Talks: Best Practices on Configuring, Securing, Customizing, and Monitoring Your Distribution
- Amazon VPC: Security at the Speed Of Light
- Application Acceleration and Protection with Amazon CloudFront, AWS WAF, and AWS Shield
- Your Virtual Data Center: VPC Fundamentals and Connectivity Options
Incident & Response Services
AWS Docs
- Automating processes for handling and remediating AWS Abuse alerts
- Create Alarms That Stop, Terminate, Reboot, or Recover an Instance
- CryptoCurrency Finding Types
- How AWS Shield Works
- How can I reset the administrator password on an EC2 Windows instance?
- How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda
- How to Receive Notifications When Your AWS Account’s Root Access Keys Are Used
- How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts
- My AWS account might be compromised
- Recover Your Instance
- Subscribing to GuardDuty Announcements SNS Topic
Videos
- Automate Threat Mitigation using AWS WAF and Amazon GuardDuty
- Best Practices for DDoS Mitigation on AWS
- Deep Dive on Amazon GuardDuty
Whitepapers
- AWS Best Practices for DDoS Resiliency
- Simplify Security Incident Response and Digital Forensics on AWS
Storage Services
AWS Docs
- Amazon S3 Glacier Vault Lock
- Bucket Policy Examples
- Protecting Data Using Client-Side Encryption
- Specifying Conditions in a Policy
- Using Amazon S3 Block Public Access
Compute Services
AWS Docs
- Accessing Amazon CloudWatch Logs for AWS Lambda
- AWS Lambda Execution Role
- Installing Amazon Inspector Agents
Logging Services
Other Services
AWS Docs
- Amazon Kinesis
- Controlling Access with Amazon Kinesis Data Firehose
- Controlling Access to Amazon Kinesis Data Streams Resources Using IAM
- Data Protection in Amazon Kinesis Data Streams
- Logging Amazon Kinesis Data Streams API Calls with AWS CloudTrail
- Monitoring the Amazon Kinesis Data Streams Service with Amazon CloudWatch
- Security Best Practices for Kinesis Data Streams
- Amazon Macie
- AWS Organizations
- Amazon SES
General
Whitepapers
- Amazon Web Services: Overview of Security Processes
- AWS Cloud Adoption Framework – Security Perspective
- Security Pillar – AWS Well-Architected Framework
Final Tips
- I recommend paying special attention to AWS Key Management Service (KMS), understanding all the scenarios and services that make use of it.
- Knowing and understanding the JSON format of IAM policies is a MUST.
- Understanding the different scenarios for VPCs (internet-facing and private networking) and VPC Endpoints is crucial for passing the exam.
Thanks for reading!