This post is a reflection on my motivations and the preparation required to pass the exam successfully. I am writing this just a couple of hours after having attempted it — to ensure I accurately reflect the level of difficulty and details involved. Of perhaps paramount importance is ensuring customer and company data stays secure during and after such a migration. Being a security architect myself, I had my eye on the AWS Certified Security — Specialty (SCS-C01) certification for quite some time.
AWS is currently the world’s leading public cloud provider. This naturally means that career and success opportunities follow those that demonstrate expertise managing migration to, and operation in, AWS. In turn, this also means that AWS is incentivized to educate as many professionals as possible on its cloud offerings who can then evangelize its message on its behalf. Therefore, it offers a pretty broad set of certifications that require the test taker to demonstrate increasing degrees of knowledge and competence across many aspects. https://aws.amazon.com/certification/ lists the offerings available today.
My motivation for taking this exam was 50% validation, 40% learning and 10% job success. Finally, I believe all learning is useful if pursued with good intentions. In other words, the exam costs $300 (well, you can get 50% off if you clear another certification), prep material might cost another $200, and there is a possibility that one might have nothing to show for it at the end. To me, and for this certification, that was a risk worth taking. I wasn’t chasing monetary returns or public acclaim (though I’ll definitely post this on a public forum); just developing a few additional capabilities to secure the business that I am tasked with protecting would be a good enough return. I deal with AWS — the ecosystem, the APIs, Terraform for Infrastructure-as-code and auditing — almost daily as a security architect. Therefore, being able to attempt and pass this certification test would provide decent enough validation of my AWS knowledge.
At the same time, as every practitioner will tell you, I do not use all AWS services and all AWS security features every day. Therefore, naturally, there is quite a lot to be learnt about the areas that sort of get neglected or remain unattended because there isn’t a business need to deal with them.
I started preparing for this test about 2 months prior to the test date. A large part of the reason is that I do a lot of AWS security work daily so the concepts and terminologies and services weren’t entirely new to me. However, for most test takers, if this isn’t what you do daily, I’d suggest at least 4 months of preparation, including plenty of hands-on time.
The following resources kept me good company during test preparation:
- I am a big fan of acloud.guru (big shout out to Ryan Kroonenburg and his gang) so I naturally used their course first. I also attempted the test in Exam Simulator twice (failed the first one by a percentage!!).
- awslagi.com is also a good resource for exam prep. I chose the Guarantee part. The actual exam questions saved my exam. The actual exam questions in the Guarantee Part helped me a lot in the real exam. I took 49′ to clear the exam. I confirm the Guarantee Part is up to date and valid in my exam.
- I paid for my own 4-account setup and used attached as well as detached accounts with AWS Organizations.
- I read the AWS Key Management Best Practices, the AWS KMS Cryptographic Details (really awesome paper; loved all the details about what happens behind the scenes with HSMs) and the DDoS Mitigation whitepapers at least twice. This was the best part about preparation — the wealth of info and jump off points in these papers was a joy to pursue.
While there is no single domain of the test that you can entirely ignore and yet hope to pass, AWS Key Management Service (KMS) and Logging domains require absolutely end-to-end awareness of everything contained in the AWS documentation. Every single corner case was explored on my test.
Within the Infrastructure Security domain, have a thorough understanding of what NACLs can and cannot achieve, and what VPC Flow Logs can or cannot achieve.
Within the IAM domain, even something as simple as the login process — both federated as well as native — was thoroughly tested. So it is important to understand everything about federation setup, credential management, various forms of credentials, revocation, auditing and recovery.
The first and foremost observation was that the test also focused on areas where you need to BYOS (Bring Your Own Solution) i.e. where do AWS limitations start and where might you want to look into the AWS Marketplace or roll your own. This was quite a bit of a surprise — usually, corporations are loath to admit they don’t have all bases covered (and I certainly heard nothing of it at AWS re:Inforce 2019).
As an end to end exercise, I’d suggest:
- Protect your EC2 instances with a homegrown proxy (install Squid or something), give them internet access and use NACLs and security groups to open a finite set of ports and restrict some IPs (use a VPN for testing)
- If you not only want to ace the exam but have success as an AWS Security practitioner as well, do all of this in CloudFormation and Terraform.
- Use CloudFront, WAF, Shield. Install CloudWatch Logging agents on a few EC2 instances, consolidate logs in a central account, implement log file validation (extra credit — write a script to actually validate files based off events when a new file is posted). Understand what Macie does although playing with it didn’t seem all that necessary.
- Create a multi-account setup with web servers running on EC2 instances as well as web services running through API Gateway, Lambda and S3.
- Grant one account read and read/write access to another account’s S3 buckets using IAM roles.
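
The "extra credit" script from the log file validation item above, as an added example that is not the author's code: it assumes the item refers to CloudTrail log file integrity validation, treats each digest `logFiles` entry (`s3Object`, `hashValue`) as a SHA-256 over the uncompressed log, and uses constructed data with a hypothetical `fetch` callback standing in for S3. Verifying the digest file's own signature and its chain to the previous digest is a separate step not covered here.

```python
import gzip, hashlib, json, zlib
from urllib.parse import unquote_plus

def digest_keys_from_s3_event(event):
    """Keys of newly posted digest files named in an S3 event notification."""
    keys = [unquote_plus(r["s3"]["object"]["key"]) for r in event.get("Records", [])]
    return [k for k in keys if "/CloudTrail-Digest/" in k]

def validate_digest(digest_json, fetch):
    """Re-hash every log file a digest lists; fetch(bucket, key) -> bytes or None."""
    results = {}
    for entry in json.loads(digest_json)["logFiles"]:
        key = entry["s3Object"]
        blob = fetch(entry["s3Bucket"], key)
        if blob is None:
            results[key] = "MISSING"      # listed in the digest but no longer stored
            continue
        try:
            actual = hashlib.sha256(gzip.decompress(blob)).hexdigest()
        except (OSError, EOFError, zlib.error):
            results[key] = "CORRUPT"      # not a readable gzip stream
            continue
        results[key] = "OK" if actual == entry["hashValue"] else "MODIFIED"
    return results

# ---- constructed sample data (not real account ids, buckets or logs) ----
BUCKET, PREFIX = "example-central-logs", "AWSLogs/111122223333/"

def _gz(records):
    return gzip.compress(json.dumps({"Records": records}).encode())

LOGS = {PREFIX + f"CloudTrail/us-east-1/2019/08/01/{n}.json.gz": _gz([{"eventName": e}])
        for n, e in [("a", "GetObject"), ("b", "StopLogging"), ("c", "PutBucketPolicy")]}
KEY_A, KEY_B, KEY_C = sorted(LOGS)
DIGEST = json.dumps({"logFiles": [
    {"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
     "hashValue": hashlib.sha256(gzip.decompress(v)).hexdigest()}
    for k, v in LOGS.items()]})
EVENT = {"Records": [
    {"s3": {"object": {"key": PREFIX + "CloudTrail-Digest/us-east-1/2019/08/01/d.json.gz"}}},
    {"s3": {"object": {"key": KEY_A}}}]}

def demo():
    store = dict(LOGS)
    store[KEY_B] = _gz([])   # simulate a log rewritten after delivery
    del store[KEY_C]         # simulate a log deleted after delivery
    return validate_digest(DIGEST, lambda bucket, key: store.get(key))

if __name__ == "__main__":
    print(digest_keys_from_s3_event(EVENT))
    print(demo())
```
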
I hope this post helps at least one other person pass the test — writing it would’ve been worth it then. I certainly gained a lot from preparing for this test and am thankful to AWS for providing about as good a validation of this knowledge as is possible within such an exam format.