I have always wondered what it takes to secure the AWS cloud from the next day of passing the Azure Security Engineer Associate exam. The purpose behind both exams is the same, Secure the Cloud environment using best cloud practices and solutions.
I was not a big fan of AWS until I met the more granular control in the AWS cloud using the IAM Role, Resource-based policy, and my favorite one VPC architecture and components. I am an application security guy who has been pentesting for the past 4.5 years, lt seems interesting to see the other part of the screen where the cloud components or the microservices are baked and linked to form a working system that ingests your all malicious payload and attacks. i have explored the AWS cloud for more than 3 years in deploying and building smaller but useful services. After studying and working on AWS security parallelly for my employer, I developed a confidence up to a certain level. In short words, Holy Cow !!! , I know what hackers or bad guys look for in the web apps, APIs and Infrastructure. I can stop at least those basic OWASP top 10 right now with a defensive solution and secure configuration. And I couldn’t stop attempting this exam.
Another factor that triggered me to do this exam is my first open-source security tool, Bucky, which is designed to discover AWS S3 Bucket misconfiguration and automatically takeover them.
AWS Certified Security (SCS-C01 ) is a specialty-based certification that focuses on securing the AWS cloud infrastructure, It has the prerequisite of AWS Solution Architect Certification but if you think you are quite familiar with building solutions and configuring resources in the AWS cloud, you are good to go for studying and preparing for AWS Security Specialty exam. But I suggest, you should practically be able to do the deployment, configuration, and troubleshooting of the services in the cloud and then only jump into the security part. I started studying about AWS Security Speciality Syllabus specifically 6 months before the exam and I found it really interesting, I used various resources and guides to prepare for the exam but the golden advice would be to practically do the task and know the process and experience it.
Here are the details about the exam contents and their marks weightage in the exam.
Domain | Name | Percentage of Examination |
1 | Incident Response | 12% |
2 | Logging and Monitoring | 20% |
3 | Infrastructure Security | 26% |
4 | Identity and Access Management | 20% |
5 | Data Protection | 22% |
I have listed some of my study tips and resources for the certification below:
- First, build and Secure the services in AWS practically.
- AWS Skillbuilder https://explore.skillbuilder.aws/learn
- AWS Whitepapers https://aws.amazon.com/whitepapers/
- Cloudguru https://acloudguru.com/course/aws-certified-security-specialty
- Udemy Course by Zeal Vora https://www.udemy.com/course/aws-certified-security-specialty/
More specific topics and subjects to study and master but not limited to.
- Writing IAM/Resource-based policies.
- AWS KMS features usage.
- AWS VPC(Build from Scratch).
- S3 Bucket (Bucket Policy, Object ACL, Origin Access Identity, Data Retention, Access Point)
- Infrastructure Security (Security Groups, NACL, Firewall, WAF, Loadbalancer, Client VPN, Cognito, RDS, DynamoDB Security, Elastic Beanstack, VPC Peering, Transit Gateway, VPC endpoint, AWS Marketplace, etc.)
- Route53 DNS firewall, Cloudfront, Cloudtrail, Guarduty, Inspector, Security Hub, AWS IoT device defender, Glacier, Data retention, AWS SSM, STS, Secrets Manager, AWS Control Tower, Organizational Unit, Permissions Boundary.
- Lambda, Cloud HSM, AWS Shield, AWS Macie, Artifact, SES, SNS, ECR, EKS, ACM, API gateway, Internet Gateway, SQS, SSO, SAML, AD, VPG, VDI, TPM, EIP.
- AWS compliance, Audit Manager, AWS Config, CIS benchmark, PCI DSS, Foundational Best Security Practices, etc
This is the best mindmap created by Pawel Rzepa for a recap, make sure to go through it. If you are ready, you will have a rough picture of any questions to address and solve with a suitable security service. That is what makes you set for the exam. The exam can be scheduled with Pearson Vue or PSI you can choose the options to give the exam physically at the exam center or at your own home with some requirements. Some more information about the exam is provided below.
Total Number of questions: 65
Passing score: 750 out of 1000
Certification Price: $300 USD
Retry available: NO
Difficulty Level: Medium-Hard
Worth it? : YES
Personal thoughts: The questions are long and with interesting scenarios in real-world life which have multiple choice or Multiple responses based answers. Read the questions twice to get a good understanding and choose the best options, because I found many questions confusing, and have the best choice available.
Hope this post will help you, If you have any queries regarding the exam and stuff just DM me on Twitter I will be happy to assist you.