AWS Certified Security - Specialty exam completed

Welcome back! Today I'm happy to announce that I've completed the AWS Certified Security - Specialty exam. If you are in the process of preparing or just curious, read on!

First I have to start with a confession. I wanted to get this exam done a bit sooner; Amazon had sent a notification for the BETA, which I missed at that time. Ever since Amazon announced the accreditation I was interested, but up until now I had a few "legit" (not really) excuses, namely the World Cup and Wimbledon. Now that both are over I thought I should get cracking, take a closer look at where I am and give it a go. My progress during Wimbledon and the World Cup was slow to say the least: during those emotionally charged moments of tennis and football my attention was sometimes split 5%-95% between my monitor and laptop screen.

Let's talk about this exam a bit in terms of prerequisites: one of them is that you have to hold either an Associate or Cloud Practitioner level accreditation from Amazon. To prepare, Amazon has a few recommendations and documentation to read to get you started; if you have the money, there are also classroom trainings available. Currently the recommended trainings from Amazon are from either the Solutions Architect track or the SecOps track. These are both worth considering and I'll come back to this a bit later. In addition to the Amazon exam preparation guide and syllabus, I highly recommend watching the AWS re:Invent security videos on YouTube (just search for "aws reinvent 2017 security"). These will provide deep technical knowledge about various security topics and use cases in AWS for free for the financially astute :) If you don't like searching on YouTube here is the list of all the 2017 videos at your convenience.

AWS security exam - the architect dimension

My general impression of the exam is "medium" from a difficulty level point of view. The questions are pragmatic and practical - no surprises there. Obviously I cannot disclose any specific questions because I don't want to make the "NDA Gods" angry, but during the exam I felt that for each question I had to wear slightly different hats or dimensions (as is common in the security field and practice): some questions focused on the technical high-level knowledge domain (NB: architect track) of said AWS security service. This means you actually have to understand legitimate use cases and be able to recommend a solution to achieve security and regulatory requirements using AWS service(s) in some way.

AWS security exam - the hands-on dimension

The second dimension focused very much on the technical details. This involves hands-on experience big time and I mean it in the most literal way (NB: SecOps track): you should have hands-on experience with implementation and troubleshooting of said AWS security services, or the "security engineer" domain. Know your IAM policies, roles and cross-account access scenarios well, make friends with Lambda functions, commit the intrinsic details of KMS and data encryption in general to your brain and don't be afraid of JSON :)

Let me stop here for a second. If you think about all the various AWS services where you should possess these two dimensions or skills, you'll start to appreciate the 170 minutes given to complete the exam :) To give you an idea and some pointers on where you should focus your mojo:

  • AWS VPC and security related services (NACLs, Security Groups, ELB/ALB, etc.)
  • AWS WAF, CloudFront
  • AWS IAM, AWS Organizations
  • AWS CloudTrail, CloudWatch and CloudWatch Events
  • AWS data protection and encryption at rest for various storage services (S3/Glacier, EBS, RDS, etc.) - client side and server side encryption, key management and rotation
  • AWS Inspector, Config, Trusted Advisor, Systems Manager
  • AWS KMS, CloudHSM, Certificate Manager
  • AWS Lambda

AWS security exam - aka the "when the $^@T hits the fan" dimension

The third dimension pretty much focuses on security processes and procedures. This dimension is a good marriage between the other two dimensions, as it should be. Amazon expects you to know what to do when the proverbial hits the fan and how you would respond to a security incident. Think of sensitive credentials and AWS services compromised: how would you recognize, contain, eradicate and restore a service? This dimension may include any of the AWS services but the scenarios are realistic.

So that's it for today, these are the dimensions you should think about when you prepare. Good luck and let me know if you have any questions and/or share your experience back.