Passed AWS Security Specialty Exam

Last week, I took and passed the AWS Security Specialty certification exam. This is an advanced “specialty” certification offered by AWS centered around, surprisingly, implementing and managing security within the AWS cloud platform. This certification until recently required passing one of the Associate level exams, but today you can skip right to it if you think you can pass it. To renew, you only really have the option to take the exam again, at a reduced price.

Background and cloud path

I started my AWS cloud path about this time last year for two reasons. First, I wanted to stay current with my own skills and AWS wasn’t something I had the pleasure of supporting or playing in yet. Second, my company is in the process of moving workloads to AWS, and I wanted to keep up. In August of 2019, I passed the Cloud Practitioner. In September I passed the CCSK. And in December 2019 I passed the AWS Solutions Architect Associate. I started from Practitioner because I honestly was pretty fresh into AWS technologies and services, though not foreign to the concepts of the cloud after 18 years of IT experience. I could have tried to skip to the Security exam, but as someone painfully fresh to working within AWS, I chose to do the Solutions Architect first, as many of the topics are foundational to the Security exam.

My goal has been not just to become aware of and conversant with AWS technologies, but to pave the way for hands-on pursuits, both personal and on the job. It’s been a bonus that the stars have aligned enough to allow me to learn on the job and build out a greenfield environment in AWS as we migrate into it full sail. I want to be able to understand how things are built in AWS, maintained in AWS, and secured in AWS so that I can begin to break it from the offensive side and then respond to such activity efficiently. In the end, I want to be able to advise others on proper AWS security topics, both at a high level and also in the trenches.

And it’s a little self-serving; it’s a nice career safety net as well, much like my sysadmin skills and experience are to my infosec career.

Study plan

For the Security Specialty, my study plan started by learning the concepts for the prior exams. I kept a sick-looking Gantt chart of my study plan efforts, but the Security Specialty was definitely pretty streamlined.

I also must mention that my original goal to pass this exam was Q1 2020. Unfortunately, COVID-19 concerns shut down testing opportunities and really stole some of my study time away, which elongated my efforts a bit. Thankfully, I don’t have other major plans for formal studying or certifications this year, so I had some personal wiggle room to push this into Q2.

As with other efforts, I started with A Cloud Guru’s course on the Security Specialty. This course is a little short on covering all the things you need, and it blasts through it quickly. And I have the same issues as I did with the Solutions Architect course where it’s just not polished, there are plenty of mistakes that are left in the material, and it’s not nearly complete enough to rely upon to pass the exam. Still, it makes a relatively OK intro to the material. I’ll probably revisit this as review if I should renew the certificate in 3 years, since it requires taking the exam again.

My main effort centered around the related Linux Academy course by Adrian Cantrill. I really liked this course, and felt pretty darn prepared for the exam after it and after taking the Practice Exam (I scored 88% on my third and final take of it). This course is well over 40 hours, and does a good job being broad and deep enough to properly prepare for the exam.

Lastly, I spent time reading whitepapers, documentation, and FAQs off the AWS site on all of the security-related and core services I could. More importantly, I strongly suggest browsing the AWS security blog posts from 2017 through the end of 2019 to see scenarios and tutorials on how to do things like properly secure your root user, or incident response steps for a compromised key, or how to troubleshoot CloudWatch connectivity issues and various other common or weird scenarios. Understanding these scenarios and how they work is extremely useful for the exam. As a bonus, truly read through these and follow along on the actual steps, or even recreate them in your own words.

I didn’t get a chance to use it, but if I had failed my exam attempt or started later than I did with my studying, I would have probably purchased the Practice Exam from Tutorials Dojo. My experience with Jon Bonso’s content was positive enough for the Solutions Architect that I would blindly pitch my money into this one had it come out earlier.

The at home experience

I took my exam through Pearson Vue using the at-home option. I thought the exam itself was stressful and difficult, but I have to say I think the at-home experience was even more stressful to me. See, I live in an apartment and some of the rules of the at-home component dictate a strict no-sound posture. In fact, you’re not really supposed to even look away from the screen or make noise on your own! Thankfully, I have no idea what the real limits are, as I had absolutely no interruptions, noises, or contact with the proctor during my 1.5-hour exam duration. But, throughout my exam I dreaded noise in the hallway or a door shutting that would cause a disqualification!

Being in an apartment, I did quite a lot to prepare. I covered bookshelves, moved everything away from my dining table, and made an effort to minimize anything that needed scrutinizing. I had a USB web cam next to my laptop, but I was asked to move it to the top of the laptop anyway. I probably could have just used my built-in cam on the laptop. I never did hear anything from the proctor, only chat, and I have no idea if the proctor could hear me, as I typed my responses in and echoed them verbally as I did. The biggest instruction I had was to make sure a wall-mounted television in front of me was unplugged, so I had to quickly uncover the outlet and power cable to show it was indeed unplugged.

And while I apparently had no issues, it was definitely not relaxing taking the exam. Even halfway through, my head, neck, and shoulders were hurting from being all tensed up, and my eyes really yearned to just look up and afar for a bit while in thought on many of the questions. I’m pretty sure 30% of my mind was on my actions/behavior and not on the exam.

I imagine this is far, far better in a home where you can maybe go to a relatively empty basement room and keep pets/mates from making noise elsewhere, and not have to worry about much.

The exam

Basically, this exam sucks. I mean, it’s a good exam and really tests your knowledge of not just knowing how things work, but really digging deep to make sure you know or have done the steps in the many scenarios presented. I would estimate that maybe 40-50% of the questions were choose 2 or choose 3 answers. I’d guess about 70-80% were scenarios, and almost nothing was straight definitional.

Most questions were also pretty long to read and digest, and I found myself re-reading whole sections before even getting to the answers. And often the answers were lengthy as well. It was a splash of cool water when I hit short questions with short answers!

I also usually get done with an exam and I retain a litany of questions or items that tripped me up or I was happy to see, but in this case, I walked away at the end and had but one item to look up, and even then I couldn’t remember the context of the question!

Overall, I really liked the exam for what it tested against. This isn’t a light exam or something you can swing into with painfully little experience. You really have to understand how to do these things to get through it. I scored a 940 on it, and I’m extremely surprised and satisfied with that score.

That said, it should be kept in mind that this is still a multiple-choice exam. Even if a question is a big fat question mark, often one or two options will bubble up to the top and help formulate a decent guess.

What’s next?

Honestly, for AWS stuff it’s really about practical experience at work and on my own that is next. I will probably check out the Developer or SysOps Associate certs in time when I can apply those to renew the others. But otherwise, I have what I came for on the formal learning side of AWS and my immediate path to the dark side is now complete.

For cloud stuff, I’ll probably look at learning more about Azure through Linux Academy on my own time. And I’ll start focusing on topics that pertain to security and even penetration testing cloud deployments.

For security stuff, most of the rest of my 2020 was planned to be pretty informal, which works out well considering COVID-19 has changed things and put other things on hold so dramatically. I have a backlog of courses, tutorials, and other learning activities to do that would eat up years, so I want to chunk away at the juicier parts of that.