Last week I took the AWS Certified Security – Specialty exam — and I passed with a score of 930 (Woohoo!!)
In this post I cover why I took it, what I did to pass, my overall exam experience, and some tips I learnt along the way.
So let’s go.
Why would anybody pay good money, subject themselves to hours of studying, only to end up sitting in a cold exam room for hours answering many multiple choice questions!
And the reward for that work is an unsigned PDF file claiming you’re ‘certified’, and ‘privilege’ access to buy AWS branded notebooks and water bottles!! Unless those water bottles come with a reserved instance for Microsoft SQL server in Bahrain, I’m not interested.
But, jokes asides, I did this for fun and profit, and fortunately I really did enjoy the preparing for this exam. It exposed me to AWS services that I barely knew — and forced me to level-up my skills even on those that I knew.
The exam has a massive focus on VPC, KMS, IAM, S3, EC2, Cloudtrail and Cloudwatch. While lightly touching Guardduty, Macie, Config, Inspector, Lambda, Cloudfront, WAF, System Manager and AWS Shield.
You need to catch you breath just reading through that list!
But for those diligently keeping count — you’d notice that the majority of those services are serverless — meaning the exam combined my two technological love-affairs … security and serverless!
I wasn’t lying when I said it was fun. So what about the profit.
I’m not sure how good this would be for my career (I literally got the cert last week), but for $300, it’s is relatively cheap, with a tonne of practical value. So trying to get an ROI on this, isn’t going to be hard.
For comparison, the CCSP certification cost nearly twice as much, is highly theoretical and requires professional experience.
The results also help me validate my past years of working on serverless projects, proving I wasn’t just some rando posting useless hobby projects on GitHub. Instead, I’m now a certified AWS professional, posting useless hobby projects on GitHub (it’s all about how you market it!)
So now that we’ve covered the why, let’s move onto how.
How to Pass?
The general consensus from all my online research was to subscribe to the acloud.guru and LinuxAcademy courses, and I can absolutely confirm, that these two courses taken together are a great start for your exam preparation.
If you have the AWS recommended 5 years IT security experience and 2 years hands-on experience securing AWS workloads, then perhaps they’re enough. But I don’t that experience … and the two courses certainly wouldn’t have been enough for me.
I work as an architect in an organization with not much on the cloud, and I’ve never worked in an official security role. So I wasn’t the target audience for this exam, and just watching the courses definitely wasn’t going to get me a good score. I’m smart enough to know, that I’m not that smart!!
So I came up with a game-plan that leveraged my strengths to overcome the lack of experience, and if you’re interested keep on reading for how I did it.
Terraform like there’s no tomorrow
For one, I repeated most of the course material from acloud.guru and LinuxAcademy — but on Terraform!!
I found blindly copying the instructors console actions to be of little value — instead, trying to rebuild in Terraform, what the instructors were building on the console, was the quickest way to get an in-depth knowledge of the materials.
Terraform is by no means ‘quick’ — but once you build something in it, you develop an appreciation for the details of that service that the console abstracts away from you!
Plus, Terraform gave me the confidence of tearing down and re-building infrastructure, like playing an adventure game that lets you save your progress — allowing you to risk your life anytime and anywhere in the game, with the assurance that you can also revert to the last save-point.
Believe me, having that confidence to tinker, speeds-up learning. You’re more willing to modify an AWS Config recorder, if you know, no matter how badly you screw it up, some
terraform apply is going to get you back to the last working configuration.
For scripting I used the deadly combo of Python and boto3. For example, when learning STS Assume Role or creating key grants, it’s far easier scripting 20-30 lines of code, than it is do work on the console. Plus, once you’ve written down the code, a push to GitHub saves it for the next 1,000 years — which is roughly the time it took for me to finish studying anyway 🙂
Your own code, are the best notes you can take for the exam. Additionally, I’ve found the boto3 and Terraform docs to be the best way to learn a new service, and this was no exception. Actually using something, forces you to learn it — who knew?!
But for some use-cases, it’s going to be more theory than practice, for example DDoS mitigation, Guardduty findings, Incident response etc.
For those you need to research.
On top of course material, there are other mandatory materials that’ll help you in the exam. Some of these appear in every blog post on the subject, but some are strangely missing.
For example, the AWS Certified Exam Readiness was a phenomenally useful resource — and it was free! At the end of the course, you get a practice exam with 24 questions that come with thoughtful answers. I guess it’s missing from most online post because it’s new.
So here are some additional resources you might not find as recommended reading material elsewhere:
Must-Watch YouTube Videos:
- Becoming an IAM policy Master: Absolute must-watch!!
- Soup to Nuts: Identity Federation for AWS
- Deep Dive on Amazon Guardduty
- Best Practice for Implementing AWS Key management
- Provable Access Control: Not relevant for the exam, but amazing talk!
But pure researching isn’t really going to help that knowledge sink in — especially on a 3-hour exam. For areas where you’re unsure off, it’s always a good idea to write it down….
Write it down!!
Writing is thinking clearly. Can’t stress this enough.
I have a repo where I wrotedown my notes and kept my Terraform and python scripts, but apart from that, I also wrote down in blog form things I learnt along the way.
For example I wrote a ~3000 word article on KMS, that included diagrams and links, and even IAM policies. The post didn’t garner much viewership — but that’s not the point!
The point is writing something in essay form, forced me to think about about it clearly, which quickly revealed gaps in my understanding — gaps I could easily remediate before the exam, but not during the exam!
After writing the post, I posted it to a few forums for which I got great feedback written in very thoughtful form (thanks Mark!). This feedback helped me reveal the unknown-unknowns, things I had no idea I didn’t know!
For example, did you know that CMK key policies are special exception for AWS resources — in that their resource policies must explicitly allow permissions even for Principals in the same account. I surely didnt!!
And… did you also know that
arn:aws:iam:::<account>:root doesn’t refer to the root user (like what!!). Instead it refers to delegated IAM control. Not super useful for the exam — but super fun to learn. The moment I learnt how all of this worked, my brain just lights up, and that’s where all the fun comes in.
But I digress, the point is, I wouldn’t have learnt any of this, if I hadn’t written it down, and published it for general feedback. You should too — and ignore the snarky one-liner critics (they’re always there), there’s some great folks in the security community who are willing to give wonderful feedback if you ask nicely. Worse case, if you’re really desperate — you can always ask me, I promise to help!
Going into the exam, KMS was one of my strongest areas, and I owe it all to writing and publishing that blog post.
So to recap how I passed,
- Took the acloud.guru and LinuxAcademy course
- Terraform-ed like there’s no tomorrow
- Researched like crazy; and
- Wrote stuff down.
Now onto the exam itself!
As the world is now combating Covid-19, AWS recently announced you can take a virtual proctored exam, so your experience will differ from mine, as I took mine in a physical location here in Singapore.
The exam is 65 questions over 170 minutes — take a bathroom break before you start!! I flagged questions I wasn’t sure off, and made my first pass through all of them in 90 minutes. For which, a large chunk of questions were flagged (22 in total).
At this point, my confidence was low, 22 questions is a large percentage of the exam. I was feeling bad — like “WTF am I doing here??!!” bad…
But I collected my thoughts, took deep breaths — and moved on, one question at a time. Re-reading the questions, re-reading the answers, and applying some cognitive power. Slowly I started answering off the flagged questions. Gaining confidence with each answer 🙂
I went through the entire set of 65 again (eliminating 2-3 careless mistakes!), and eventually I finished with 30 minutes to spare.
Remember, you don’t need to know the right answer if you can eliminate all the wrong ones! And unlike other exams, the security specialty sometimes has questions with 2-3 workable answers — your job is to pick the one that matches the questions requirements (e.g. Fastest, Cheapest, Simplest…etc). So pay attention to that!
And if I can go from “WTF am I doing here” to scoring 930 — so can you. Just remember this if you’re feeling a bit flustered during the exam — you got this!!
Exam Dumps aren’t worth-it
There’s a websites claiming to have “100% exam questions”, but they are more problematic than helpful. For one, most of the questions are plagiarized from Acloud.guru or Linux Academy sample questions, so there’s no point if you subscribed to the courses already.
Secondly, these dumps have many obvious wrong answers. Avoid them like you would a mosh-pit during covid-19 lock-down!!
If you want practice questions here’s more kosher sources:
- 10 sample questions on the AWS website.
- 24 sample questions at the end of the Exam Readiness course (with an additional 12+ sprinkled throughout the course)
- 20 sample questions in the practice exam
- Acloud.Guru and Linux Academy practice exams.
From there you’ve got 54 questions from AWS, and ~150 questions from both acloud.guru and LinuxAcademy combined — you don’t need any more.
But let me share with you two tips before I end.
Tip 1: Lambda for the win!
Tip 1: Use Lambda instead of EC2.
When testing running code in a VPC subnet, it’s much easier to just deploy a lambda function into that subnet, than spinning up an EC2 instance. You don’t have to worry about key-pairs, and ip logging, NAT and security groups etc, and god-forbid the subnet is completely private, leaving you to mess around with Bastion Hosts, or Session manager.
Instead, you can easily deploy lambda functions with the runtime of your choice (including AWS-CLI running on Bash custom runtime) directly on any subnet. You can invoke those functions from your local machine on the internet — even if the function resides in a private subnet — and get the response immediately! Check out
Also, with the serverless-iam-roles-per-function plugin for serverless framework, you can assign different IAM roles to each lambda. Allowing you to test different permission policies, all from a single
serverless.yml file! This is the best way to test new permission policies to see their effect on running code!
Finally, nearly all security offerings on AWS are serverless in nature, hence you spend a lot of time, interacting with APIs and IAM roles, something any serverless practitioner is going to feel at home with.
Serverless first baby!!
Tip 2: Here’s how to save 90 bucks!
Here is my end-2-end cost for the exam:
- Exam cost : $300
- Practice Exam: $40
- 3 Months Acloud.guru: $87 (subscribed in Dec 2020 at $29/mo)
- 2 months Linux Academy: $98 ($49/mo)
For a grand total of $525.
But there is slight ‘hack’ you can do, once you know you get a 50% discount voucher on all AWS exams once you pass any exam. Instead of taking the $300 Security Specialty exam directly, take the $100 cloud practitioner, and apply that 50% discount for the $300 Specialty exam. Which means you get 2 certs (and a free practice exam) for $250 — instead of $340 had you paid rack price (like stupid ol’ me!).
That’s it folks. Leave you comments below on your experience below, or ask questions and I’ll try my best to answer.