Preparing for any AWS certification exam can be tough! It takes time, it takes focus, and as you move from the associate into the professional and specialty-level certs, it takes a deeper understanding of AWS services and how they work together. At A Cloud Guru, we design our certification courses to help you master the topics you’ll need to know to pass your exams. But we’ve also found that knowing what to expect ahead of time can help you as you work your way through a course, and can even give you a better chance of passing your exam the first time.

In this post, we’ll be looking at the AWS Certified Security – Specialty exam, what it covers, what you need to know, where you can find additional resources, and strategies you can use when you actually sit the exam.

In this blog post, we’ll cover:

the content areas of the exam

how to tackle those pesky multiple-choice questions

tips to help you improve your study skills

uber-helpful Amazon resources

Before we dive in, a quick word about hands-on experience: there’s no replacement for it. We’re humans, and we learn by doing. Think of it like learning to cook, or make your own kombucha. You can watch all the YouTube videos, but until you get in the kitchen, get a feel for working with the ingredients, make a big mess of everything, and come out the other side, you’re not going to master these new skills. The more time you can spend making a big mess in an actual AWS environment, applying and testing and breaking and fixing the skills you’re going to be learning, the better you’ll do when you sit the exam.

Get more than certified

Join A Cloud Guru and get access to all of our courses, labs, quizzes, and our new learning paths, which take you step-by-step from novice to guru in your chosen area of the cloud.

A great time to get AWS certified

Why get AWS certified? At the risk of sounding dramatic, you couldn’t pick a better time to enter the AWS Security Specialty field. The market is absolutely ripe for new AWS security specialists! Here are just some of the reasons why it’s a great time to go for this type of certification:

A huge need. I don’t have to tell you that cloud computing is in demand, and companies are eager to find IT professionals who have a rich background in cloud security.

A massive skills gap. There is an enormous skills gap worldwide when it comes to Amazon security know-how, providing those who get certified plenty of skies-the-limit opportunities.

A status boost. Being certified shows that you’re the go-to cloud guru in AWS. It’s a sure way to get noticed within your own organization and by employers and recruiters looking to hire engineers who have this high-level expertise.

A bigger paycheck. According to Forbes, the median salary for those who are AWS-cloud-certified is nearly $150k. So it really pays to pass the exam and show you have the right skills at the right time.

Helpful resources

We get it. The prospect of preparing for the AWS Security Speciality exam is stressful. But you don’t have to go it alone. There are heaps of support tools and resources, many of them free, that complement everything else you’ll be doing to prepare for the exam, such as working with the tools, taking our course, and honing your test-taking skills.

Here are three excellent resources worth checking out:

Amazon’s whitepapers: These whitepapers cover every aspect of AWS Security Speciality exam. Admittedly, they’re about as entertaining to read as the ingredients on the back of a ketchup bottle. But they’re invaluable, just the same. You’ll actually really appreciate spending a lot of time with these whitepapers.

AWS re:invent videos: You can find a bunch of these videos on Youtube. Many are short enough that you can watch them on your lunch hour. And if you’re already familiar with a topic, you can save time by zipping through parts at double-speed.

Amazon’s FAQs: You can find a generous listing of FAQs that discuss all the technologies you’ll need to become familiar with to prep for AWS security specialty exam.

AWS security specialty domains

The AWS exam is divided into 5 content areas or domains:

Incident Response

Logging and Monitoring

Infrastructure Security

Identify Access Management (IAM)

Data Protection.

Amazon doesn’t give each domain equal weight—some contain more questions than others—so you’ll want to allocate your study time accordingly. Below, you’ll see a percentage next to each domain. This will give you an idea of how many questions are allocated to each topic. Of course, you’ll want to spend more time studying the domains with the higher percentages.

Domain 1: Incident Response (12%)

This domain covers detecting, responding to, and recovering from security incidents. And there are 2 very common security issues you must get familiar with: compromised EC2 instances and exposed access and secret access keys. Let’s delve into each a bit:

Compromised EC2 instance — This section covers what to do if one of your EC2 instances becomes compromised. (Some examples include changing your security groups, removing internet access, or isolating the compromised EC2 instance so it can’t compromise anything else.)

— This section covers what to do if one of your EC2 instances becomes compromised. (Some examples include changing your security groups, removing internet access, or isolating the compromised EC2 instance so it can’t compromise anything else.) Exposed access keys and secret access keys — What do you do if access keys are accidentally exposed? (You’d be surprised how many people call me in a panic about this problem. Never put access keys on GitHub!) This section focuses on disabling and deleting access keys so they can’t be used against you, and other effective solutions.

In addition, you’ll want to become familiar with these 6 Amazon security services:

AWS Config (configuration management) AWS CloudTrail (IAM auditing) Amazon CloudWatch (logging) Amazon GuardDuty (threat detection) AWS Lambda (response automation) Amazon Inspector (infrastructure security scans)

→ Incident Response Resources:

Domain 2: Logging and Monitoring (20%)

It’s essential that you have an effective logging and monitoring strategy within your AWS account. For this domain, you’ll need to know how to design a strategy and use it to effectively troubleshoot security issues. The main services you’ll want to know are:

CloudWatch (logging)

CloudTrail (IAM auditing)

Athena (querying log files with data stored in S3)

Config (configuration management)

Inspector (security scans)

→ Logging & Monitoring Resources:

Domain 3: Infrastructure Security 26%

This is the largest domain, so be sure to spend plenty of time preparing for it. It covers designing and troubleshooting secure networks within AWS. Have you completed the Solution Architect Associate certification? If so, you’ll have a leg up, because you already know about infrastructure security and how to set up secure networks and Virtual Private Cloud (VPC) resources within AWS.

For this domain, you’ll want to focus on these issues:

Edge security (think the perimeter of your network)

Host-based security of your EC2 instances

DDoS mitigation within AWS

Protecting against common exploits such as cross-site scripting (XSS) and SQL injection

The main services to become familiar with include:

AWS WAF (Web Application Firewall)

AWS Shield for DDoS protection

There are a host of other services to protect your application from DDoS attacks and help you elastically scale to absorb the attack. They include:

CloudFront and Route 53 (these have built-in protection)

Elastic Load Balancer (ELB) (protective mechanisms for your VPC)

EC2 Auto Scaling (absorb any type of DDoS attack by scaling your infrastructure and preventing the attack from taking down your service)

VPC and Network Access Control Lists (NACL) and Security groups (protect your hosts and your EC2 environment)

Artifact (to demonstrate to regulators that the AWS services you’re using are compliant with regulatory requirements)

[Note that Artifact offers all sorts of helpful documentation. For example, if you’re working in an industry that has to adhere to the Payment Card Industry Data Security Standard (PCI DSS), you can log in to Artifact and download the documentation and certification that demonstrate that the AWS services you are using are truly PCI DSS-compliant.]

Macie (protects personally identifiable information (PII) within any document that is stored within an S3 bucket.)

[It actually scans all your documents and will let you know if there exists any hidden PII that might need to be encrypted.]

→ Infrastructure Security Resources:

Whitepapers — There are loads of whitepapers for this domain, such as “VPC Connectivity Options,” “DDoS Best Practices,” “AWS Security Best Practices,” “Well Architected Framework Security Pillar,” and “Overview of Security Processes.”

Videos — “VPC Connectivity Options,” “DDoS Best Practices,” “Advanced Security Masterclass,” and “Well Architected Framework Security Pillars”.

FAQs — WAF, AWS Shield, CloudFront, Route 53, VPC, ELB, EC2 Auto Scaling, Lambda, Direct Connect, Artifact, and Macie.

Domain 4: Identity and Access Management (IAM) (20%)

This section tests your knowledge of designing and troubleshooting your authentication and authorization policy. You will need to have a solid grasp on that policy and be able to translate and troubleshoot. Make sure you’re familiar with these services:

CloudTrail (IAM auditing)

Multi-factor authentication (MFA) (particularly for the root account)

Active Directory Federation (ADF) (includes federating access to AWS resources with an on-premises active directory installation)

→ IAM Management Resources:

Whitepapers — “Overview of Security Processes” and “AWS Security Best Practices.”

Videos — “IAM Policy Master” and “IAM Policy Ninja” (they are similar), “ID Federation for AWS” (important to watch since many of us often don’t get much hands-on experience doing ADF and it’s hard to replicate it in a lab environment)

FAQs — “IAM,” “Cognito,” (for web identity federation and federating access with web ID providers such as Facebook, Google, and Amazon), “CloudTrail,” and “AWS Organizations” (on how to set up permissions at an organizational level).

Domain 5: Data Protection (22%)

To test well on this domain, you’ll need to know how to protect your data using encryption. That includes creating and managing keys, controlling the use of encryption across a wide range of AWS services and in applications, and designing and troubleshooting an encryption strategy.

Pay particular attention to key management services (KMS)! I can’t emphasize this enough. Be sure you understand the difference between encryption at rest and in transit and the different technologies you’ll need to encrypt your data. And, it bears repeating: get as much KMS hands-on experience as you can. Play around with the tools by encrypting data, unencrypting it, and re-encrypting it.

→ Data Protection Resources:

Whitepapers — “KMS Best Practices and Encrypting Data at Rest”

Videos — “KMS Best Practices and Encryption Deepdive” (This covers the same material as the whitepaper does.)

FAQs — “KMS” (Worth reading twice! It’s critical for passing this domain.) Pay particular attention to the different types of keys involved in KMS and how you rotate the different keys, such as when to use automatic or manual key rotation.

Tackling tricky questions in 3 steps

To crush this exam and its multiple-choice questions, it’s imperative to develop an effective exam strategy. Our tried-and-true strategy includes 3 simple steps:

Get clear on what the question is asking Eliminate likely wrong answers Select the best answer

An important note on logistics: you’ll want to have a pencil and some scratch paper for this strategy. The testing center where you’re taking the exam should provide you with these (if they don’t, ask). But it can’t hurt to prepare for the worst, so we recommend that you bring a few sheets of blank paper and a couple pencils as backup.

Before we move into step 1, quickly go through the exam and answer the questions you’re 100% confident about. If you’re not immediately sure of the answer, flag the question and keep going. This is a great way to build some positive momentum early on, and to make sure you save your time for the more challenging questions.

STEP #1: GET CLEAR ON WHAT THE QUESTION IS ASKING

You’re now ready to tackle the more flagged questions. Starting with the first one, identify keywords that seem to get to the root of the question and write them on your pad. When you’re done, here’s what it might look like:

STEP #2: ELIMINATE LIKELY WRONG ANSWERS

Next, eliminate answers that don’t look right. To do this, draw a grid on your pad with column numbers A, B, C, D, and E, like this:

The column headers A, B C, D, and E represent the answers for that question. Take a look at each answer. Perhaps one appears to be incorrect or partially incorrect, or it’s not addressing what’s being asked. For those dubious answers, you’ll do one of two things: If the answer seems wrong, put an X in the column under the answer letter on your grid. If you’re not sure, put down a question mark. If you discover that one answer seems like it’s probably the right one, leave that column blank.

STEP #3: PICK THE RIGHT ANSWER

In an ideal world, when you’re done filling in the columns of your grid, you should have one column that’s blank. If that’s the case, there’s your answer. If none of the answers seem to be correct, or you’re left with a bunch of question marks, read back through the answers and pick the one that seems to most thoroughly answer the question. Continue going through the questions until you have answered every question on the exam.

Start simulating your exam

Our Exam Simulator lets you take all the practice runs you need, so you can go into your actual exam with undeniable confidence, and maybe even a bit of a swagger.

Sample question

Let’s put this strategy to work by attacking a sample question. This irksome question could appear as part of the Data Protection domain:

After reading through the question, we’ll write down some keywords.

I wrote down “located in your data center” because that seems important. I called out “highly confidential” which tells me that we might want to encrypt the data. Finally, given the frequent crashes that were noted, I selected “network is unreliable.”

Next, I’ll draw my grid and add my column headers A through E.

Now let’s take a look at the possible answers and figure out which ones can be eliminated.

Use a VPC Endpoint so that the data never leaves Amazon’s network Access the data using a secure port Use a VPN between your VPC and the data center over a Direct Connect connection Use a VPN between your VPC and the data center and access the database using a secure port Configure Direct Connect between the VPC and your data center

A: I don’t think this one seems right because the data is on our own data center, not in Amazon’s network, so I’m going to mark an X in column A.

B: This answer seems to only partially answer the question since it doesn’t take care of the network latency problem, so I’m eliminating it as well and putting an X in the B column.

C: This answer seems pretty good because we are using a VPN between our VPC and the data center, which means our link will be encrypted and our sensitive data will be protected. Also, we’re using Direct Connect which will address our network inconsistency issue. So I will leave the C column blank.

D: We are using a VPN, so we’re not sending anything in clear text, and a secure port, so our data will be well protected. However, we’re not protecting against network inconsistency, so our application is still in danger if we hit network issues again. So I’ll put an X in that column.

E: This answer does address our network inconsistency issue, but it’s not going to protect our sensitive data. Because it’s a partial answer, it gets an X.

Now when we look at our grid, the best answer clearly is C.

Study tips

There are numerous tips you can use to improve your study habits—and your chances of passing the exam. They can also help you figure out whether you’re actually ready. This will save you from going through the agony of retaking it. Remember, our goal is to help you pass this beast the first time. And I’ll say just one more thing about these study tips: They can help you, not just on prepping for this test but in everyday life. How? Because they’re designed to help you achieve such valuable skills as staying organized, making good decisions, and strengthening recall.

→ Studying Skills Resource: I’m a big fan of Tony Buzan’s book Study Skills and recommend you pick up a copy. Buzan, who invented mind mapping, discusses many tips to help you study more efficiently and effectively.

TIP #1: USE MIND MAPS

If you haven’t used mind maps—or you’ve never heard of them—you’re in for a treat. Mind mapping is a powerful, pictorial, note-taking device that helps you better remember and categorize information. The beauty of a mind map is that, at any time, you can glance at the diagram you’ve created and quickly review the information you’ve been studying. This beats flipping through pages and pages of a textbook that’s been covered in yellow highlighter.

Mind mapping involves drawing imaginative, colorful pictures to help you remember ideas. Don’t worry, you don’t have to be an artist to use this tool. Just the same, before you get going with it, you might want to watch a YouTube tutorial to learn the basics of mind mapping.

Take a look at this mind map I created for our AWS Lambda course. First, I drew a pictorial representation of Lambda in the center of the page. Next, I drew branches coming out of it, each representing the sub-headings Troubleshooting, Permissions, Serverless, Event-driven Sources, and Functions.

You can really have fun with these things. You can use keywords, images, colors, and symbols to explain the broader concepts in more detail. Arrows help to show the relationships between different parts of the diagram. Keep in mind mind mapping is an individual experience, so structure yours in a way that speaks to you. Remember, the purpose is to help you remember information—the more creative (even goofy) you are in drawing your map, the better.

TIP #2: REINFORCE WHAT YOU’VE LEARNED

Fading memory is something we’re all susceptible to. In fact, studies show that we forget information we’ve learned very soon after we learn it. According to one study, 75% of what we learn is lost within 24 hours if we don’t review the information!

However, you can improve retention if you adhere to this review schedule: After you learn something new, review it in 10 minutes. Then review it again in 24 hours. Then 1 week later. Then 1 month later, and finally, every 3 to 6 months thereafter. It’s been determined that, if you take these steps, you can retain 90% of what you’ve learned!

Keep in mind that reinforcing what you’ve learned isn’t always just review. Yes, you should review your notes, reread whitepapers, and scan through videos. But you can also challenge yourself by practicing test-taking.

For example, you can take a practice version of the AWS security exam. If you’re an ACG member, check out our Exam Simulator. It’s very close to the real thing, so it’s a great tool to help you hone your study skills. Finally, you can take the recently released exam readiness training that includes a host of sample exam questions.

TIP #3: SET A GOAL

Finally, challenge yourself by setting a goal of when you’re going to take the AWS Security Specialty Certification exam. Be realistic, but don’t schedule it too far off. Remember, this is a great time to receive your AWS security certification! Once you’ve set your goal, sign up for the exam. Yes, it’s a toughie, but you have a great chance of passing it the first time if you use these tips and tricks.