Nahuel Hernandez

Another personal blog about IT, Automation, Cloud, DevOps and Stuff.

AWS Security Certification Tips

The AWS Certified Security Specialty is an exam in which you need to demonstrate knowledge about securing the AWS platform. The most important topics to look at are KMS, Policies, GuardDuty, Inspector, Macie, CloudTrail, Config, WAF and Shield.

AWS Certified Security Specialty

The AWS Certified Security Specialty (SCS-C01) validates an examinee’s ability to effectively demonstrate knowledge about securing the AWS platform. The exam consists of 65 multiple-choice questions and must be finished in 170 minutes.

The most important topics to look at are KMS (key types, key rotation, symmetric/asymmetric keys, CMKs), Policies, GuardDuty, Inspector, Macie, Firewall Manager, Security Hub, CloudTrail, S3 Encryption, SG/NACL, Config, Certificate Manager, WAF, Organizations, CloudHSM, and Shield.

How I prepared for the exam

This exam was my first AWS specialty certification, after passing all the associate and professional exams. It was a lot harder than I had thought it would be. The questions are extensive and have multiple answers (like the professional certs). I prepared for the certification in two weeks, and I studied for 4 hours each day.

I studied using the following courses/materials:

  • Tutorial Dojo - AWS Security Book

    This book is fantastic. It also gives you a lot of valuable tips to implement, with very specific examples.

  • AWS - Exam Readiness

    An official AWS resource that teaches you how to interpret exam questions, apply the concepts being tested by the exam, and allocate your study time.

  • ACG - AWS Security Course

    I only did the quizzes and the final practice exam; the questions are a lot easier than Tutorial Dojo and the real exam. However, if you already have an ACG account, it is a helpful resource.

  • Tutorial Dojo - AWS Security Practice Exams

    This is the best resource. I left it for the end because I wanted to take full advantage of the material and only use it to fill some gaps. The exam was very similar to the Tutorial Dojo practice exams; I think it is a little more complicated.

AWS Services to Focus On

  • Identity and Access Control
    • IAM
    • Resource-Based Policies
    • S3 Presigned URLs
    • CloudFront Signed URLs
    • Amazon Cognito
    • AWS SSO
    • AWS Security Token Service
    • AWS Organizations
    • AWS RAM
  • Application and Infrastructure Security
    • EC2 key pairs
    • AWS Systems Manager
    • AWS WAF
    • AWS Shield
    • AWS Firewall Manager
  • Data Security
    • AWS KMS
    • Amazon CloudHSM
    • AWS SSM Parameter Store
    • Amazon Secrets Manager
    • SSE-S3 Encryption
    • S3 Glacier Vault Lock
    • Amazon Macie
    • AWS Certificate Manager
  • Network Security
    • Amazon VPC
    • Amazon CloudFront
    • AWS ELB
    • Amazon API Gateway
    • AWS VPN
    • AWS Direct Connect
  • Logging and Monitoring
    • Amazon CloudWatch
    • Amazon CloudTrail
    • Amazon Route 53
  • Threat Detection, Prevention, Response and Remediation
    • Amazon GuardDuty
    • Amazon Inspector
    • Amazon Detective
    • AWS Security Hub
  • Risk and Compliance Management
    • AWS Artifact
    • AWS Config

Content Outline

This exam guide includes weightings, test domains, and objectives only. It is not a comprehensive listing of the content on this examination. The list below gives the main content domains and their weightings.

Domain 1: Incident Response (12%)

  1. Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
  2. Verify that the Incident Response plan includes relevant AWS services.
  3. Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues.

Domain 2: Logging and Monitoring (20%)

  1. Design and implement security monitoring and alerting.
  2. Troubleshoot security monitoring and alerting.
  3. Design and implement a logging solution.
  4. Troubleshoot logging solutions.

Domain 3: Infrastructure Security (26%)

  1. Design edge security on AWS.
  2. Design and implement a secure network infrastructure.
  3. Troubleshoot a secure network infrastructure.
  4. Design and implement host-based security.

Domain 4: Identity and Access Management (20%)

  1. Design and implement a scalable authorization and authentication system to access AWS resources.
  2. Troubleshoot an authorization and authentication system to access AWS resources.

Domain 5: Data Protection (22%)

  1. Design and implement key management and use.
  2. Troubleshoot key management.
  3. Design and implement a data encryption solution for data at rest and data in transit.
