AWS Certified Security Specialty: a few thoughts
Wojciech Szczepucha
Posted on January 19, 2021
What does AWS expect from you?
You need to have at least two years of experience in AWS!
I mean it!
Hands-on experience, in my opinion, is a must-have if you want to pass this exam. Also, in the context of the AWS Security Specialty exam, AWS expects a broad knowledge of their security-related services.
You will be asked to prove your professional experience with IAM, S3, CloudWatch, or KMS, keeping in mind how these and other services fit together. Additionally, if you are not confident in your understanding of the networking stack, attacks like DDoS, and how to remediate them, better sit down and learn first.
This might feel like an exaggeration, but not this time :).
My personal goal was not only to pass the exam (though that was still somewhat important to me); I really wanted to deep-dive into the services and know them well. I work as a Cloud Security Engineer, and for me, understanding "how does it work" is fundamental.
Read a lot
Start with the AWS Whitepapers and AWS Best Practices. Of course, the individual service FAQs are very helpful too.
- Exam Guide
- AWS Security Best Practices
- AWS Best Practices for DDoS Resiliency
- Overview of AWS Security - Network Security
Services - I urge you to know them very well
Let's stop for a while. Below you will find services that, in my opinion, you should know well before taking the exam.
AWS IAM
- Policy - know what policies are for, how to build them, how they work, and the policy evaluation logic. There is no excuse here; if you do not feel comfortable with IAM, do not go further. Know how the 'Condition' element works in a policy and what types of statements can be used.
- Understand the difference between identity policies and resource policies, and when to use which.
- Know how to grant permissions to your resources across accounts, and how to revoke them.
- User, Group, Identity Pool (SAML usage) - overall knowledge and best practices are enough.
Example scenario: a corporation (with over 5000 user accounts and its own IdP in the on-premise environment) wants to give some of its employees access to AWS accounts. Think about how you would build federation here (maybe SAML and ADFS)?
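To make the policy evaluation logic concrete, here is an added toy evaluator (my own illustration, not AWS's engine and not from the original post) that applies the same-account rule: a matching explicit Deny beats any Allow, and anything not allowed is implicitly denied, with a small subset of Condition operators. The policies, bucket name and request contexts are constructed; real IAM also evaluates SCPs, permission boundaries and session policies, which this skips.

```python
import fnmatch
import ipaddress

def _match(pattern, value):
    # IAM wildcard matching ('*' and '?'); action names are case-insensitive, ARNs are not
    return fnmatch.fnmatchcase(value, pattern)

def _conditions_hold(condition, ctx):
    # Subset of IAM condition operators: StringEquals, Bool, IpAddress (all must hold)
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "StringEquals" and have != want:
                return False
            if operator == "Bool" and str(have).lower() != str(want).lower():
                return False
            if operator == "IpAddress" and (have is None or
                    ipaddress.ip_address(have) not in ipaddress.ip_network(want)):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Same-account logic: any matching explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            if not any(_match(a.lower(), action.lower()) for a in actions):
                continue
            if not any(_match(r, resource) for r in resources):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"

# Constructed policies: an identity policy on the user plus a bucket policy on the resource
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::audit-logs/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Deny", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
POLICIES = [IDENTITY_POLICY, BUCKET_POLICY]
```

In real policies the `aws:MultiFactorAuthPresent` key is absent for long-term credentials, so such a Deny is normally written with `BoolIfExists`; the toy evaluator assumes the key is always present in the context.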
AWS KMS
If you haven't used this service intentionally, take your time and play with it.
- Know how to create your own encryption keys, how they work, and what their limits are. How do you rotate keys, and when should you rotate them manually? Take your time to understand how authorization with other services works: S3, RDS, EBS, third-party accounts.
- Know what the manual process of encrypting and decrypting data looks like. How do you provide your own key material?
- When is a CMK enough, and when is CloudHSM required?
AWS CloudHSM
- It is worth knowing which scenarios it fits, how it differs in terms of management, and how to deal with Disaster Recovery and multi-region setups.
Amazon S3
- Think of S3 as a central file and log repository - pay attention to ACLs and moving data between accounts.
- I recommend practising: encryption, replication between buckets.
- Be familiar with the different storage tiers! How do you make sure that your objects stay untouched as time passes?
- Know the difference between Bucket Policy and ACL on the object level.
Amazon VPC
- When is a private network private, and when is it public? How do you properly set up routing and NAT?
- How Security Groups and NACLs work - how and where they can be attached, and what is the difference between stateful and stateless?
- Know how to connect networks to each other: Peering, VPC Endpoints, PrivateLink.
- What is the Bastion Host, when and where should it be used?
- Know how to diagnose network connectivity problems, which tools to use, and what each tool will show you.
Example: Security Group allows the traffic, but the traffic is not passing, where is the problem?
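The stateful/stateless difference behind that example, as an added simulation of my own (not code from the original post): a Security Group tracks connections, so a reply to an accepted request always passes, while a NACL checks each direction independently, so a reply to a client's ephemeral port is dropped unless an outbound NACL rule covers it. The addresses, ports and rule sets are constructed; `trace` reports the first hop that drops the flow.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port")  # one TCP packet

def reply(p):  # response packet of the same flow: addresses and ports swapped
    return Packet(p.dst_ip, p.src_ip, p.dst_port, p.src_port)
def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

class SecurityGroup:
    """Stateful: allow-only rules; the reply of an accepted flow is always let through."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}  # rule = (port_lo, port_hi, cidr)
        self.tracked = set()
    def permits(self, p, direction):
        if reply(p) in self.tracked:
            return True  # connection tracking: reply of an accepted request
        peer = p.src_ip if direction == "in" else p.dst_ip
        for lo, hi, cidr in self.rules[direction]:
            if lo <= p.dst_port <= hi and in_cidr(peer, cidr):
                self.tracked.add(p)
                return True
        return False

class NetworkAcl:
    """Stateless: numbered allow/deny rules, lowest number wins, no connection tracking."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}  # (num, lo, hi, cidr, action)
    def permits(self, p, direction):
        peer = p.src_ip if direction == "in" else p.dst_ip
        for _, lo, hi, cidr, action in self.rules[direction]:
            if lo <= p.dst_port <= hi and in_cidr(peer, cidr):
                return action == "allow"
        return False  # the final '*' rule denies everything else

def trace(request, sg, nacl):
    """Walk request and reply through NACL and SG; name the first hop that drops, or 'ok'."""
    hops = (("nacl-in", nacl, request, "in"), ("sg-in", sg, request, "in"),
            ("sg-out", sg, reply(request), "out"), ("nacl-out", nacl, reply(request), "out"))
    for name, fw, pkt, direction in hops:
        if not fw.permits(pkt, direction):
            return f"dropped at {name}"
    return "ok"

# Constructed scenario: HTTPS from an Internet client to a web instance; SG has no outbound rule
REQUEST = Packet("203.0.113.7", "10.0.1.20", 51234, 443)
SG = SecurityGroup(inbound=[(443, 443, "0.0.0.0/0")], outbound=[])
ALLOW_443 = (100, 443, 443, "0.0.0.0/0", "allow")
BROKEN_NACL = NetworkAcl(inbound=[ALLOW_443], outbound=[ALLOW_443])  # forgot the ephemeral ports
FIXED_NACL = NetworkAcl(inbound=[ALLOW_443], outbound=[(100, 1024, 65535, "0.0.0.0/0", "allow")])
```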
AWS CloudWatch
- Know it well. Understand how it works, what it is for - how to use it for scheduled actions, how to interact with other services.
- Take your time to understand how CloudWatch can be used to centralize events from your accounts and services.
AWS CloudFront
- Pay particular attention to the usage scenarios; it is worth clicking through the console and being aware of the functionality. Pay attention to the options for restricting access to content, paid access, and use by applications.
AWS Lambda
- Play with permissions when using other services and working with API Gateway, including Cognito and authentication.
- You should also know when Lambda can come in handy, e.g., automating responses to security events.
AWS Cognito
- It is worth distinguishing between User Pool and Identity Pool, what to use when, and how to build user permissions based on IAM and Cognito.
AWS WAF
- What is WAF? How can we leverage it with ALB and CloudFront? Why should we consider buying rules from the marketplace or using custom rules?
AWS Config
- Love this one! :)
- Automated reaction on findings/events is crucial here.
- Know the rule: AWS Config is for knowing "what" was changed, whereas CloudTrail is mostly for "who" made that change.
AWS SSM
- Do you know how to get into your EC2 without TCP port 22?
- Know how we can update our EC2 instances and remediate findings in an automated way.
AWS Secrets Manager
- Get familiar with it.
- Remember! After configuring auto-rotation, the first rotation is performed immediately (to confirm that it works as expected), so it may break the service consuming this secret.
AWS Athena
- It's worth querying your logs with Athena, even if just for a better understanding of what it's capable of.
It is also worth knowing:
- AWS Shield Advanced
- AWS Security Hub
- Amazon GuardDuty
- AWS CloudTrail
- AWS Config
- AWS Inspector
- Trusted Advisor
- AWS Directory Services
- AWS Organizations - what is SCP for?
- Amazon ECS - take a look at the security of underlying hosts.
Read the FAQs for all of the services mentioned above, focusing heavily on the IAM and KMS documentation.
Additional resources
- AWS Acceptable Use Policy
- AWS Penetration Testing
- Paweł Rzepa - his thoughts around the topic
- Mind map of Paweł Rzepa - beneficial for the recaps
- Condition Keys
- A good summary of services
Video materials worth watching
- AWS re:Invent 2017: Best Practices for Managing Security Operations on AWS (SID206)
- AWS re:Invent 2018: Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)
- Advanced Security Best Practices Masterclass
- AWS re:Invent 2017: Best Practices for Implementing AWS Key Management Service (SID330)
- AWS re:Invent 2017: A Deep Dive into AWS Encryption Services (SID329)
- Encryption and Key Management in AWS
My last thoughts around the exam
- Build your own lab and use as many services as you can. Play a lot with IAM policies and KMS policies, and know them well: not only syntactically, but so that you understand the rules and how they connect.
- Take your time to get a good understanding of AWS Config, AWS Inspector, and Amazon GuardDuty - what each one is for, where it gets its information from, and how they exchange it with each other.
- Practical knowledge of CloudTrail (especially data availability over time), CloudWatch, and VPC Flow Logs is essential.
- DDoS - counteracting it depending on the service (ALB, CloudFront, EC2) - is very helpful on the exam ;)
- Request the extra time available to candidates whose first language is not English (be sure to ask for it before registering for the exam);
- Take advantage of the previous exam discount (if you still have one) - AWS gives you a 50% discount coupon for each exam you pass.