AWS Security Specialty: What I Learned Preparing for the Exam

Recently, I passed the AWS Certified Security – Specialty exam.

I was initially drawn to this test because I spotted a 50% discount on the exam fee.

Just kidding :) The main reason was my desire to comprehensively learn about AWS security architecture. In my daily work, I deal with AWS/Ali/Azure cloud and on-premise hybrid cloud. While the documentation from these cloud vendors can solve most of the problems encountered in daily work, I sometimes wonder, "Is this the best solution? Is the solution provided in the official document good enough?" To gain a thorough understanding of every aspect of cloud computing security, I decided to take the AWS Certified Security – Specialty exam to comprehend all the details of cloud security architecture.

In this blog, I mainly want to share my exam preparation process, hoping to lend a hand to those preparing for this exam.

First, I want to mention Dylan Shields' book, AWS Security. This book, combining theory and practice, introduces the main considerations for AWS security architecture design. My previous blog post An IAM Split-Privilege Model with Terraform for Robust Cybersecurity was also inspired by this book. It's a fantastic resource for an overview of AWS security architecture design from a 30,000-foot viewpoint.

Next, I'd like to touch on the scope of the exam, which gets a bit more technical. The scope is incredibly broad, with interconnected elements. The exam content is also random and flexible, and it combines different services. Below, I mention a few things that I think should be noted.

  1. Understand all services, and familiarize yourself with the important ones. This could be the most time-consuming yet essential part: understanding the purpose and objective of each service. With key services like EC2, IAM, VPC and S3, you should familiarize yourself with the content as much as possible. Know the purpose of all services mentioned in the Security course and when they are appropriate to use. You don't need to be an expert in all of them, but having a clear understanding can help answer a lot of simple questions quickly. For example, WAF, Shield and CloudFront: it's vital to clearly differentiate between them. Which service is better for blocking DDoS? Also, services like CloudTrail, CloudWatch, AWS Config and Inspector can easily be confused if not well understood.

  2. Understand IAM and policy. You must be well-versed in IAM and ACL-related content, such as the relationships between Users, Groups, Roles and Policies. Understand the three types of policy (AWS-managed, customer-managed, inline) and the two types of permissions, identity-based policies and resource-based policies (with SCPs added on top at the organization level). Know the priority order: explicit deny, then explicit allow, then implicit deny. These are crucial, and you need to fully understand them rather than cram them.

  3. KMS. Regarding KMS, understand symmetric and asymmetric CMKs, the purposes of the different key types, where keys are stored, and key rotation. These are elements of a single service that can easily cause confusion.

  4. Data security. For this part, you can refer to docs like Encryption of Data at Rest. For data security, you need to differentiate between SSE-KMS, SSE-C and SSE-S3.

  5. VPC-related. That's a large topic. Amazon Virtual Private Cloud (VPC) is a fundamental component of AWS, providing a virtual network that allows you to launch AWS resources into a logically isolated section of the AWS Cloud. Understanding VPC is crucial for anyone aiming to excel in AWS security. Here are some key aspects to consider:

  • VPC Basics
  • VPC Peering and Transit Gateway
  • VPC Endpoints
  • Security Groups and Network ACLs
  • VPC Flow Logs
  • VPC Peering Best Practices
  • VPC Security Considerations
  • Network Isolation and Segmentation
  • AWS PrivateLink
  • VPC Peering and Third-Party Appliances

By thoroughly understanding these VPC-related concepts and best practices, you'll be well-prepared to address security concerns and design robust, secure network architectures as part of your AWS Certified Security – Specialty exam preparation. VPC is a critical foundation for securing AWS resources, and a strong grasp of its intricacies is essential for success in the field of AWS security.
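As an added example (not code from the original post), here is a small Python simulator of the evaluation order described in item 2 across the three policy sources it names: an explicit deny anywhere wins, an attached SCP must allow the call, then an allow from a resource-based or identity-based policy grants access, and anything left over is an implicit deny. It assumes a same-account IAM principal and ignores permissions boundaries and session policies; the policies and ARNs are constructed for the example.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    # IAM lets Action/Resource be a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource):
    # True when one statement covers this action on this resource;
    # fnmatchcase handles IAM-style * and ? wildcards.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def _effects(policies, action, resource):
    # Collect the Effect of every statement that matches the request.
    found = set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if _statement_matches(stmt, action, resource):
                found.add(stmt["Effect"])
    return found

def evaluate(action, resource, identity=(), resource_based=(), scps=()):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    ident = _effects(identity, action, resource)
    res = _effects(resource_based, action, resource)
    scp = _effects(scps, action, resource)
    if "Deny" in ident | res | scp:
        return "ExplicitDeny"           # an explicit deny anywhere wins
    if scps and "Allow" not in scp:
        return "ImplicitDeny"           # the organization never allowed it
    if "Allow" in res or "Allow" in ident:
        return "Allow"                  # resource-based or identity-based allow
    return "ImplicitDeny"               # nothing allowed it: the default

# Constructed sample policies (Principal fields omitted; assumed to match).
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
AUDIT_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::audit-logs/*"}]}
ORG_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate("s3:GetObject", "arn:aws:s3:::audit-logs/2024.gz",
                   [DEVELOPER_POLICY], [AUDIT_BUCKET_POLICY], [ORG_SCP]))
```

The audit-logs case shows why a bucket policy deny is a useful guardrail: the developer's broad `s3:*` allow still loses to it.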

The above briefly covers just a few items and directions. After all, the main goal of this post is to share my insights, not to be a technical article.