The aim of the certification is to validate the candidate's knowledge across the following areas, as defined by AWS (source: AWS Certified Security Specialty (SCS-C01) Exam Guide):

• An understanding of specialized data classifications and AWS data protection mechanisms
• An understanding of data encryption methods and AWS mechanisms to implement them

• An understanding of secure internet protocols and AWS mechanisms to implement them
• Working knowledge of AWS security services and the features of services used to provide a secure production environment
• Competency gained from 2 or more years of production deployment experience using AWS security services and features
• The ability to make trade-off decisions with regard to cost, security, and deployment complexity given a set of application requirements
• An understanding of security operations and risks

Upon completion of this book, you will feel ready to take and sit this exam with confidence, and achieve the much sought-after AWS Certified Security – Specialty certification.

This exam is intended for candidates like you who are responsible for maintaining and implementing AWS security across a range of environments. Those of you in the following roles or similar would be ideally suited to attempt this certification:

• Cloud security consultant
• Cloud security architect
• Cloud security engineer
• DevSecOps engineer
• Cloud security specialist

Although these roles are typically the target audience of this certification, the certification itself is available to anyone; there are no prerequisites in terms of other certifications for taking this exam.

In the exam, there are five domains that have been defined by AWS that you will be assessed against, each with a different percentage weighting level, as shown in the following table:

Attention must be paid to each domain to ensure you feel confident and comfortable with the topics, services, and features that may crop up in your exam. Let me break down these domains further to allow you to gain a deeper understanding of exactly what is tested within each domain.

This domain tests your understanding of how best to identify, respond to, and resolve AWS incidents across a range of services, and has been broken down into the following three elements:

• 1.1: Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys: Here, you will be expected to know how to respond to such an incident and the steps required to remediate the issue and take the appropriate action, depending on the affected resource in question.
• 1.2: Verify that the incident response plan includes the relevant AWS services: When an incident occurs within an AWS environment, you must be able to utilize the appropriate AWS resources to identify, isolate, and resolve the issue as quickly as possible, without affecting or hindering other AWS infrastructure and resources.
• 1.3: Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues: Proactive monitoring and speed are two key elements when analyzing your infrastructure for potential issues, in addition to utilizing automated services. You must have a solid understanding of these features, and how they can assist you to spot a potential problem and help you to resolve the issue.

Being able to identity, verify, and remediate incidents as they occur within your environment allows you to effectively isolate your resources before the blast radius of the security incident expands wider within your infrastructure.

This domain determines your ability to implement and troubleshoot solutions relating to logging, monitoring, and alerting. You will need to be able to deploy, operate, and troubleshoot solutions relating to these four components within your AWS infrastructure:

• 2.1: Design and implement security monitoring and alerting: You must have full comprehension of the available monitoring and alerting services within AWS. In addition, you must also be aware of how these can be utilized and integrated to implement an effective solution for monitoring your infrastructure for security threats and vulnerabilities.
• 2.2: Troubleshoot security monitoring and alerting: Implementing a monitoring and alerting system is one thing, but being able to resolve issues with the solution and design is another. You must be aware of how the architecture is coupled together and the prerequisites for specific AWS features.
• 2.3: Design and implement a logging solution: Data held in logs generated from services and applications can provide a wealth of information to help you identify a potential security breach. Therefore, it's imperative that you have a sound awareness of how to implement a solution to capture and record log data.
• 2.4: Troubleshoot logging solutions: Similar to 2.2, your knowledge of logging solutions has to go deeper than implementation; you have to understand the key components, concepts, and how components depend on one another to enable you to resolve any incidents.

You must understand the complexities and importance of monitoring and logging and how they can be used together as an effective security tool.

The infrastructure security domain assesses your ability to architect security best practices across your AWS architecture, from an individual host, to your VPC, and then to the outer reaches of your edge infrastructure. This domain carries the highest percentage mark across your certification, so it's key that you understand all the concepts and components:

• 3.1: Design edge security on AWS: A thorough understanding of Amazon CloudFront and its security capabilities and controls is a must, in addition to other edge services offered by AWS.

• 3.2: Design and implement a secure network infrastructure: Here, you will be tested on your knowledge of Virtual Private Cloud (VPC) infrastructure, and how to architect an environment to meet different security needs using route tables, Network Access Control Lists (NACLs), bastion hosts, NAT gateways, Internet Gateway (IGWs), and security groups.
• 3.3: Troubleshoot a secure network infrastructure: This follows on from point 3.2, which ensures that you have a deep level of security architecture, enabling you to quickly pinpoint the most likely cause of misconfiguration from a security perspective.
• 3.4: Design and implement host-based security: This will focus on security controls that can be enabled and configured on individual hosts, such as your Elastic Compute Cloud (EC2) instances.

A VPC is one of the first elements you are likely to build within your AWS account. Understanding how to protect your VPC is key in maintaining a level of protection over the rest of your resources running within it.

This domain will focus solely on everything access control-related regarding the IAM service and how to control access to your AWS resources. IAM must be understood inside out and it is essential that you have the knowledge and confidence to spot errors in IAM JSON policies:

• 4.1: Design and implement a scalable authorization and authentication system to access AWS resources: I can't emphasize enough the importance of understanding IAM at a deep level. This point will test your knowledge of authentication and authorization mechanisms, from multi-factor authorization to implementing conditional-based IAM policies used for cross-account access.
• 4.2: Troubleshoot an authorization and authentication system to access the AWS resources domain: Here, you will be required to demonstrate your ability to resolve complex permission-based issues with your AWS resources.

Access control is covered in detail in the exam, so you must be familiar with all things relating to access management, and specifically the IAM service. You need to be able to read access policies to determine the resulting access of that policy.

The last domain requires you to have a solid understanding and awareness of how data within AWS can be protected through an encryption mechanism, both at rest and in transit. You will be assessed on services relating to encryption, specifically the Key Management Service (KMS):

• 5.1: Design and implement key management and use: This point requires you to demonstrate your knowledge when it comes to encryption using KMS. You must be aware of when, how, and why this service is used, and which services can benefit from the features it offers.
• 5.2: Troubleshoot key management: Data encryption keys are a powerful tool to help protect your data, but you must understand how you can configure the permissions surrounding these keys and what to look for when troubleshooting issues relating to data encryption and customer master keys.
• 5.3: Design and implement a data encryption solution for data at rest and data in transit: Here, you will be assessed on your understanding of encryption as a whole. You must demonstrate that you have the knowledge to encrypt data in any state using the correct configuration, depending on a set of requirements.

It is of no surprise that the Security Specialty exam will assess your understanding of encryption, which will be centered around two key services, AWS KMS and AWS CloudHSM. The KMS service integrates with many different AWS services to offer a level of encryption, so make sure that you are familiar with all the components of KMS.

Much like all other AWS certifications, the exam format consists of multiple-choice questions. You will have 170 minutes to answer 65 questions, which is just over 2.5 minutes per question. You should have plenty of time, provided you have studied well and are confident in the domain areas I just discussed. 

Some questions are scenario-based and do take a little longer to process and answer, but don't panic; focus on what's being asked and eliminate the obviously wrong answers. It is likely there will be two that you can rule out. Take your time and re-read the question before deciding on your final answer.

The passing score for this certification is 750 out of 1,000 (75%). The exam itself is USD 300 and it must be taken at an AWS authorized testing center, which can all be booked online through the AWS website, at https://aws.amazon.com/certification/.

In this chapter, we primarily focused on the different domains that you will be assessed against when taking your exam. I wanted to provide a deeper understanding of what each of the domain points might assess you against in order to allow you to understand where your strengths and weaknesses might lie. As you progress through the chapters, you will gain an understanding sufficient to cover all elements that have been discussed within this chapter to ensure that you are prepared for your certification.

In the next chapter, we'll begin by looking at the foundation of security in AWS, the AWS shared responsibility model, and how an understanding of this plays an important role in understanding AWS security as a whole.

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

1. True or false: You need to complete a few other certifications as a prerequisite for the AWS Certified Security – Specialty certification.
2. How many domains have been defined by AWS that you will be assessed against in the exam?
3. The AWS Certified Security – Specialty certification consists of how many questions? (Choose one)
   • 55 questions
   • 60 questions
   • 65 questions
   • 75 questions

For more information on this certification, please visit the AWS site, where you can download the exam guide and sample questions, at https://aws.amazon.com/certification/certified-security-specialty/.