Ducksec Feb 19, 2024 aws, certifications

AWS Certified Security - Specialist - Certification Review

Introduction

Last year I enjoyed completing the AWS Solutions Architect Associate exam - so what better way to kick off 2024 than by taking on the Security specialism?!

Certification Overview

The AWS Certified Security - Specialty certification is a popular accreditation offered by Amazon Web Services (AWS) that, according to AWS, “validates your expertise in creating and implementing security solutions in the AWS Cloud. This certification also validates understanding of specialised data classifications and AWS data protection mechanisms; data-encryption methods and AWS mechanisms to implement them; and secure internet protocols and AWS mechanisms to implement them.”

At the outset, it’s worth being clear that this is very much an AWS security certification - not a security certification with AWS as the focus. By this I mean that if you don’t already have a solid grounding in security principles, don’t expect to master them by pursuing this certification; rather, take this certification to see how those principles apply in AWS specifically.

AWS recommend that “AWS Certified Security - Specialty is intended for experienced individuals who have five years of IT security experience in designing and implementing security solutions and two or more years of hands-on experience in securing AWS workloads.” My sense is that 5 years of security experience may be a bit overkill - the general security knowledge level required is probably on a par with Security+ - but the two years hands-on with AWS isn’t. While the certification certainly covers many of the familiar services you know and love, it does tend to focus on more unusual situations, edge cases and nuanced applications which you probably won’t be familiar with unless you’ve used the platform for a while.

Exam Details

  • Exam Title: AWS Certified Security - Specialty
  • Exam Code: SCS-C02
  • Exam Format: Multiple-choice and multiple-response questions
  • Duration: 130 minutes
  • Passing Score: Approximately 750 (on a scale of 100-1000)

Exam Domains

According to the specification, the AWS Security Specialist certification exam is divided into the following key domains:

  • Domain 1: Threat Detection and Incident Response (14% of scored content)
  • Domain 2: Security Logging and Monitoring (18% of scored content)
  • Domain 3: Infrastructure Security (20% of scored content)
  • Domain 4: Identity and Access Management (16% of scored content)
  • Domain 5: Data Protection (18% of scored content)
  • Domain 6: Management and Security Governance (14% of scored content)

Like my last AWS exam, I felt that this was an accurate representation of the actual question split on the exam - although Logging and Monitoring felt a bit heavier than 18% on my specific exam.

Study Resources

As I’ve mentioned in previous reviews, AWS does provide a good variety of resources to help you study for the exam - on top of this there are some excellent third-party providers offering some affordable and enjoyable training. Some key items to check out include:

  • AWS Official Documentation: I find reading through lots of documentation a bit challenging, but AWS’s training materials do a good job of signposting the most relevant ones to focus on. AWS offers extensive documentation on each service, architecture best practices, and whitepapers - I’d spend some time getting to know these for all the named security products on the exam. This is far from the most fun way to study, but many of the actual exam questions felt like they were lifted right from the documentation.
  • AWS Skill Builder: AWS provides a variety of useful resources, reasonably priced at $29 USD + tax per month - I’d recommend this for at least a single month.
  • Official Practice Questions: AWS offer a free official practice exam (20 questions), which you can find on the exam information page or through Skill Builder.
  • Official Practice Exam: Available as part of the Skill Builder subscription. Last time, for Solutions Architect Associate, I thought that the practice exam was a great representation of the actual test - this time, not quite so much!
  • Online Courses: Outside of AWS official resources there are plenty of courses available from platforms like Udemy, or subscription platforms like ITProTV or CBT Nuggets. Not on either of these platforms but well worth your time are the courses from Adrian Cantrill.
  • Labs: One of the best things about practising for an AWS exam was that labbing was very easy to do - simply create an AWS account and try things out. You’ll want to ensure you have cost management in place before labbing much for this exam as many of the security services can be quite expensive!

Preparation Tips

Like many higher-level exams, this one seemed to focus quite heavily on nuances and edge cases, so don’t fall into the trap of concentrating only on the features which you’d most commonly use. I’d also make sure you are very familiar with services such as CloudFront, CloudWatch, CloudTrail and Security Hub, which will certainly appear on the exam in their own right but can also show up as part of a broader or more complex question.

Much more annoyingly, AWS seem to have fallen into the trap of making their higher-level exam questions “harder” by producing incredibly long, overly wordy, intentionally confusing (perhaps a little bit harsh there...) questions which take forever to unpick. In actual fact (and here’s the key on the exam) much of this fluff makes very little difference to the answer to the question, but you’ll want to practise spotting the keywords and phrases being used, and mentally prepare yourself for an awful lot of reading and re-reading before you sit the real thing. Seriously, I like to study - I read a lot and I take more exams than is probably normal for a human being - but halfway through this exam I was exhausted with trying to wade through these questions!

While studying, remember to pay attention to the relative cost of services, as well as their complexity and ease of use - a fair few of the exam questions will ask for the “most cost-effective” or “least effort” solution.

Exam Experience

Exam booking is through AWS’s Certmetrics platform and was straightforward. All exams are now delivered by Pearson Vue (PSI was previously an option but no longer) and can be taken online or at a test centre; I took mine online, as is my preference. Nothing unusual or interesting to report in this regard, other than the fact that you are not shown your score, or even a pass/fail, after the exam itself. There’s speculation online that the pass/fail result is withheld after the exam only if you have provisionally passed, but I can’t confirm whether that’s 100% true - it was in my case, and I got my pass notification about 10 hours after the exam (which was quicker than last time!). I must admit I’m not a fan of this - one assumes that AWS are reviewing exam recordings for signs of cheating - but isn’t that rather the function of the Pearson Vue proctor? Either way, be ready for an additional wait after the exam itself.

The exam itself was fairly straightforward - as with most (but not all) exams on the Pearson Vue platform, you can go back and forward through the questions and bookmark any tough ones for review. This time round I used the feature to bookmark questions I was too tired of reading over!

One real positive for this exam was that AWS seem to have decided to avoid questions involving double negatives, or those “select the option which does NOT” type answers, which I always find extra confusing for no real benefit. A new feature was the ability to change the colour of the exam interface - I hope this is going to apply to all Pearson Vue exams going forward, as I found it quite nice to change the colours from time to time. I still finished with a massive headache, but there you go. The exam time was plenty - there are no practical simulations, just straight multiple-choice.

Should I get this certification?

As a Security specialist, I wanted to get this certification, and if you work with AWS regularly it would certainly be a good thing to do! I firmly believe that getting as many people certified in security as possible is one of the best ways to improve our collective defence against all kinds of threats, and if AWS is your thing this is a good way to go. If, however, you have little background in, or knowledge of, security, I feel this would be a very difficult certification to begin with. Even if you work with AWS regularly but don’t have your security fundamentals down, it might pay dividends to start with something more general (like Security+) before taking on the AWS Security Specialist. For what it’s worth, I studied for about 2 months on and off and around work. I’m sure you could work through the material much more quickly if you were able to commit to studying full-time and had a security background - and I’d double that time if you’re approaching it without much Security knowledge under your belt.

Conclusion

Studying for and taking the AWS Certified Security Specialist certification was enjoyable and rewarding, even if the exam was a bit of a slog. The certification is a valuable and in-demand credential that demonstrates your skills in securing AWS infrastructure and services but, to be fair, it won’t make a massive contribution to your knowledge of Security outside of the AWS platform (then again, it isn’t really supposed to!).