The AWS Security Specialty

First and foremost, I want to explain why I have not posted a new blog post for the past month. I have been quite busy, as you can probably guess from the title: I have been studying for the AWS Security Specialty certification, I have been developing a cloud security course for a side project, and I work 8-5 every single day. If that was not enough, I am also training for my first marathon while trying to consistently post good content for all my readers. It has been very difficult to stay on top of everything, and even though I haven't been posting I have been working on posts in the background so that I can hopefully deliver content consistently from here on out. Now for the certification.

Earlier in the year (roughly June) I took and passed the AWS CCP certification, and that certification was as basic as you would expect. It focused on knowing the names of AWS services, what they do, and how you can leverage those services in various situations for your organization. Most people can study for it for no more than one month and pass (that is a rough estimate from my own experience; your results may differ). From there I knew I wanted to focus on AWS for the rest of the year, and a big deciding factor was that my company is moving heavily into AWS at this time. There are talks of going into other cloud providers as well, but right now AWS is the big one for us at work. Since I have a security background and felt I knew cloud security fairly well from my experience with the CCSP, I felt the next step would be the AWS Security Specialty certification. I did not realize at the time that this cert is meant to be taken after you earn the AWS Solutions Architect Associate certification. I immediately purchased a few courses on Udemy, looked for any books on it on Amazon and found none that I felt confident in, so I decided to stick with Udemy courses. I bought two Udemy courses and figured that would be enough; once I finished those, I would find additional practice exams and go through those to prepare.

I want to pause here and explain why I chose this cert over others. I discussed that AWS was being used at my current employer, but I have the CCSP, so why start going deep? Isn't the CCSP good enough? Some may think this way, but it is not the case when you are an engineer. Engineers need to understand tools and platforms inside and out to really be effective at their job and excel where others will not. That is why I decided to choose AWS and start going deep: to learn AWS well enough not only to understand AWS services and hold a conversation about them, but to be able to configure an AWS environment securely for an organization. These skills will come in handy when you become a Security Architect or move into management. Having these skills will only benefit you. I would also like to say that I have no plans on getting every AWS cert on the market. I know some people do, and some people go as far as to get every cert for every cloud provider on the market. I do not have enough time to do that, nor do I have the need to. I do plan on getting a handful of certs across Azure and GCP but will not be getting every single cert. The reason is that I feel that method is inefficient and ineffective in terms of career growth relative to its market value. As someone who interviews candidates, having every single cert a vendor provides can come across negatively to me, because it can look like you may not have very much direction. I would rather take someone who has a defined path in their head with goals along the way than someone who gets everything on the market and hopes something sticks. With that being said, I have nothing against those that get everything; if that is you, then you are doing something that most of us will never even want to do, and my hat is off to you. I personally just do not find it valuable for me right now in my career to get every cert on the market.

For my studying I went through two Udemy courses and started taking practice tests, and I was scoring at most 54% on them. This was roughly 2 weeks out from when I was scheduled to take the test, so I knew I was in for trouble scoring this low after taking two Udemy courses. I have nothing against Udemy, and if you read my post on the CCSP, Udemy practice tests are likely the only reason I passed the CCSP with ease on my second attempt. Udemy is always my go-to resource when I am studying for any exam and it will remain that way, but if you have used Udemy then you know the content isn't always consistent, it may not fit your study methods, and there is little to no way to determine whether it will fit you before spending the $5-$100 for the course (I never spend more than $15 on a Udemy course). Once I was consistently unable to score above 54%, I knew I had to start looking for another study resource. I reached out to my network, and the few in my network that have the certification all referred me straight to ACloudGuru. I was hesitant because of the price ($350/year), but knowing that I will be taking at least 4 more exams by the end of 2021 made me more confident in my purchase, since I would already have resources ready for those exams. I spent the money and never looked back.

A key part of learning any cloud provider is hands-on activities. Without getting hands-on with these services it is much more difficult to truly understand how they work. One of the benefits of ACloudGuru that I noticed immediately is that the course is laid out so that one 5-10 minute video discusses the services and concepts and the next one has you in the console deploying them in your free-tier AWS account. This reinforces what you were just taught in the previous slides. While I was going through these videos, I was taking notes for each domain on things I did not understand that I knew I would have to come back to. Some of the sections I outlined were IAM, KMS and Incident Response situational items. For those sections it was not so much a matter of not understanding the concepts as of learning how AWS was looking for me to answer. For instance, I know what IAM is and how to deploy least privilege in an environment, but the questions will try to confuse you when you only need to focus on two areas for permissions: policies and roles, and the initiating service and the receiving service. If you can keep that in mind those questions will be much easier. It was exceedingly difficult for me until I learned that simple key item.
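To make that "initiating service and receiving service" split concrete, here is an added example (not from the original post) of a role for a Lambda function that reads from one S3 bucket: the trust policy names the initiating service, the permissions policy is scoped to the receiving service, and a small review function flags drift from that model. The service names, the bucket ARN and the review checks are my assumptions for illustration.

```python
# Added example, not from the original post: a Lambda function (the
# initiating service) that must read objects from one S3 bucket (the
# receiving service). Service names and the bucket ARN are constructed.
INITIATING_SERVICE = "lambda.amazonaws.com"
RECEIVING_SERVICE = "s3"
BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"  # placeholder bucket


def trust_policy(service: str) -> dict:
    """Role trust policy: only the initiating service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(bucket_arn: str) -> dict:
    """Permissions policy: read objects from one bucket on the receiving service."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"{bucket_arn}/*",
        }],
    }


def review_role(trust: dict, perms: dict, initiating: str, receiving: str) -> list:
    """Return findings where either half of the role drifts from the
    initiating-service / receiving-service model; an empty list means clean."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust: any principal may assume the role")
        elif not isinstance(principal, dict) or principal.get("Service") != initiating:
            findings.append(f"trust: principal is not {initiating}")
    for st in perms["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            if action == "*" or action.endswith(":*") or not action.startswith(receiving + ":"):
                findings.append(f"permissions: action {action} is not scoped to {receiving}")
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" in resources:
            findings.append("permissions: resource wildcard grants every bucket")
    return findings
```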

I cannot stress this enough: even after purchasing the ACloudGuru course with two weeks left to study, I knew I had to push out my exam, so I pushed it out by 4 weeks. The reason I did this is really all the other items I listed above. I am busy and I have a lot of other things going on, so throughout this entire process I was only able to spend 2-3 hours a day studying, and yes, even on the weekends I would study. With that in mind I knew I had to push it out so that I could reteach myself the material and unlearn anything that confused me from the Udemy courses. Another thing I noticed with the ACloudGuru courses is that they ask questions similar to the real exam at the end of each domain, and the practice test is also like the real exam. This helped a lot when I was trying to prepare myself mentally for the type of questions. For myself I have learned that knowing the information is one thing and is 45% of the battle in my opinion; learning how they ask you about that information is roughly 55% of the exam and can make or break you. The course taught me how to slow down and break down a question so that I could understand what was being asked and picture it in the console in my head to fully understand it. Without those skills I would not have passed; I would not have had a chance at passing. I also highly recommend getting the AWS Solutions Architect Associate cert first. My goal is to get this cert by the end of this year, and I will be using ACloudGuru as well and will of course post a blog post on that exam and everything I did to pass it once I pass it.

A few key areas that I thought were included in almost every question were IAM, KMS and encryption. Incident Response related questions would be next up in my opinion. I know it sounds incorrect to say I felt almost every question had some sort of IAM, KMS or encryption component to it, but in my mind it absolutely did. Sometimes they would lay out a roles and policy question and then ask about a compliance problem. Other times they would state a specific compliance requirement and then ask you an encryption question tied to that requirement. If you were not paying attention you would answer the wrong question within the question. On my exam logging & monitoring was not as prevalent but was absolutely present. It seemed that about 20% of the time the question was related to a logging/monitoring issue that could be traced to policies and roles that needed to be adjusted. Understanding these services and how they communicate with each other is critical for this exam. Automating as much as possible within AWS between services is key to passing this exam; it will be expected that you understand how that sort of action takes place and how to troubleshoot it when/if it breaks.

When I was taking the exam I followed the recommended ISC2 exam-taking tips: I read each question 3 times and then read each answer with it. In my head I crossed out answers that made no sense, but I was always left with 2-3 possible answers. At that point you are stuck picking between answers that could very likely be right in the real world, but it is about learning how they want you to answer it with the most efficiency and the most cost savings. Keeping that in mind when answering those questions is key to getting those toss-up questions correct. It could be because I did not take the AWS Solutions Architect Associate exam first, but I felt this exam was very difficult. I am very relieved to have passed on my first attempt, not only because it opens me up to potentially get the AWS Solutions Architect Associate cert by the end of the year, but because I really didn't want to take that exam again due to its difficulty.

Another thing I want to note is the test environment. I took this exam remotely from my home office with PearsonVUE, and I have had nothing but great experiences with them previously, but for whatever reason this one was quite a bit different. My exam was supposed to start at 2pm, so I arrived in the lobby by 1:45; I was not able to start the exam until 2:30pm, which was very frustrating since I could have been studying during that time. During the exam I was interrupted multiple times for issues that I felt were irrelevant: resting my head on my hand while taking the exam, and I guess I would look too closely at questions and move my head slightly out of the camera frame. All these items are in their rules as I understand it, but while you are taking a test at this difficulty level you are going to do things out of habit. That was at least my case, but it is something to keep in mind when taking it: make sure you follow their policies, because they absolutely can and will end your test right there and force you to pay again to take the test.

As always, thank you for reading my blog. I really hope this blog post will help someone prepare for this exam. Please feel free to comment and share the post.