Introduction
Amazon Web Services (AWS) offers certifications in 4 broad categories - Foundational, Associate, Professional and Specialty. I recently cleared the Solutions Architect Associate certification. This time, I wanted to attempt a “Specialty” certification. And what better topic to delve into than cloud security? As much of a boon the cloud is, its Achilles’ heel remains insecure workloads. Although AWS provides a ton of tools to mitigate and potentially limit security incidents, they still do happen and often cost not just in monetary terms but also in reduced customer confidence.
I decided to take this assessment to see where I stand and whether my head is in the right place, especially w.r.t. securing cloud workloads. After about a week of on-and-off preparation, I was able to pass the exam and earn my badge. 👏
I’ll divide this post into 5 sections - exam format, exam topics, my preparation, additional resources and tips.
Let’s discuss the exam format first.
What is the exam like?
The exam duration is roughly 3 hours (180 mins), and you need to answer 60-odd questions. The number of questions can vary as per AWS, with some questions not being used in scoring. Questions are multiple-choice, with a mix of single-answer and multiple-answer items. Multiple answers can appear in 2 scenarios: a problem that is solved in multiple steps, or a problem that can be solved in multiple ways. I managed to finish answering all questions and reviewing a few in under 90 minutes. So don’t worry about the duration, it’s generous. And I managed to score >900.
You are expected to log in at least 30 mins prior to your scheduled time, and a proctor will inspect your surroundings before setting up the exam. The 180 min window starts from when you launch the exam.
The result is shown on the screen as soon as the test ends. You can expect a detailed scorecard in your inbox within the next day, though they mention it can take up to 5 days.
What kind of questions to expect?
Here are the exam objectives as per AWS.
Broadly, the exam tests you on 5 topics (in decreasing order of weight) -
- Infrastructure Security (26%)
- Data Protection (22%)
- Identity and Access Management (20%)
- Logging and Monitoring (20%)
- Incident Response (12%)
How did I prepare?
There is no better preparation than hands-on experience.
That is what AWS says in its exam guide, and it is quite true. Yes, you could slog it out and try to clear this exam, but you will need some form of hands-on training to be successful.
Working with AWS on a daily basis, I already had a good understanding of the major services, security practices, recommended architectures etc. I started by going through the exam guide and sample questions to understand what kind of knowledge AWS expects test takers to have.
I then browsed through the FAQ section of some crucial services under the “Security” umbrella. For example, KMS, IAM, CloudTrail etc. The FAQ pages are an excellent resource for developing an understanding of the services and their limitations. Knowing the limitations, or where a particular service does not apply, can help eliminate choices. For more detailed information, I also looked through the documentation.
Between the FAQ and the documentation, everything that can be asked in the exam gets covered. If you already have some experience with AWS, chances are these will simply reaffirm your knowledge. If you don’t have prior practical experience, my recommendation is to try out at least the major services in a free-tier account before attempting the exam.
The AWS Security Blog is a great source for getting familiar with security best practices as well as some recommended architectures for automating incident response etc.
I did not buy any courses or prep materials from the usual suspects, as I did not feel the need after the above preparation. In total, I devoted around 5 days of prep time, 2 to 4 hours each day.
Anything else?
AWS’s re:Invent videos are a great source for a deep dive into any service. A small caveat here is to supplement them with the documentation. Over the years, even though most concepts remain the same, service limits and capabilities keep changing.
Take the AWS Security Training Quizzes here.
AWS Training Portal courses for the major services like IAM, KMS etc.
Complete the exam readiness course by AWS here. It will give you an idea of whether you need to prepare better in some areas.
AWS provides a practice exam at a nominal fee, which you can use to test your understanding before the final exam. This can give you timely feedback on whether you need to improve. I did not take it though.
Tips!
I recommend preparing these topics really well, as a majority of the questions will touch upon them in some form.
KMS - Study the different key types, their rotation, access control, cross-account and cross-region access, where and how to use data keys, permissions needed to encrypt/decrypt etc. This will have the maximum number of questions after infrastructure security.
S3 - It may not immediately strike you as a “security” service, but it plays a crucial role as a data store and in protecting data at rest. Be absolutely clear about controlling object access, bucket policies, encryption options etc. It also plays a key role in incident management, audit (CloudTrail logs) etc. Be thorough in your understanding of this service.
IAM - Study the different policy types (resource/identity) and their use cases. Be familiar with the policy syntax as well; there may be a few questions which ask you to choose the most appropriate policy given a requirement. Topics like federation, SSO, identity providers and STS are all important to know about.
VPC - The network layer is, again, incredibly important. Things like NACLs, routes, NAT gateways, flow logs etc. are essential to creating secure architectures as well as during incident response. Establishing secure routes for workloads using VPN, Direct Connect, VPC endpoints etc. is essential to having a secure deployment.
Compute - EC2, ALB, external security appliances etc. This is one of the rare occasions where AWS actually recommends some third-party tools. How and why, and what additional configuration should be used - one needs to be aware of the details.
Monitoring & Audit - CloudWatch, CloudTrail, Config, Trusted Advisor, Inspector etc. are some of the services which fall under this category. Be clear about when and how you would use CloudTrail vs CloudWatch. Prepare well for these services, including any customizations that may be needed to get the desired solution, like centralizing logs in CloudWatch using an agent on every EC2 instance. Basically, know what AWS offers out of the box and what you need to configure specifically.
Others - There are a whole host of services which touch upon the security sphere in some way or the other - Macie, GuardDuty, WAF, CloudTrail, Secrets Manager, Artifact, ACM etc. Be sure about the purpose of each and, maybe more importantly, what one cannot do with them!
I noted down some points while preparing for the exam, to brush up my knowledge, and as a quick reference. This is in no way exhaustive, but merely what I felt worth keeping in mind. Refer to this note.
Conclusion
To sum up, if you have been working with AWS for a year or 2, with some focus on securing the accounts, it should not take you more than a week’s study to be prepared. But, I still recommend supplementing your practical knowledge with some of the resources I described above.
If you are just starting out, I suggest getting some hands-on experience with the basic services discussed above before attempting the exam. Also, familiarise yourself with the shared cloud security model. I cannot stress this enough: practical experience is absolutely essential to acing this exam.
Hope you find this post helpful.
Good Luck for your exam! 👍