AWS Certified Security - Specialty (SCS-C01) certification is ideal for IT professionals who want to increase their understanding of AWS security services, including security mechanisms and technologies. AWS Certified Security - Specialty certification enables IT professionals to demonstrate and verify their AWS knowledge and skills in security topics such as data security and encryption, incident response, identification, infrastructure security, access management, monitoring, and logging.
This guide will tell you everything you need to know about the AWS Certified Security - Specialty Certification exam. Keep reading to find out if the AWS Security certification is a good option for you.
What is the AWS Certified Security - Specialty certification exam?
The AWS Certified Security - Specialty certification is designed for IT professionals who perform security roles. AWS recommends having at least two years of hands-on experience securing AWS workloads before attempting this certification.
Before you sit for the exam, AWS suggests IT professionals have knowledge of the following:
- The AWS shared responsibility model and its application
- Security controls for workloads on AWS
- Logging and monitoring strategies
- Cloud security threat models
- Patch management and security automation
- Ways to enhance AWS security services with third-party tools and services
- Disaster recovery controls, including BCP and backups
- Encryption
- Access control
- Data retention
AWS Certified Security – Specialty: Exam Details
- Certification Level: Specialty
- Exam Length: 170 minutes
- Exam Cost: $300
- Exam Format: 65 multiple-choice or multiple-response questions
- Language: English, French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Simplified Chinese, and Spanish (Latin America).
AWS Certified Security – Specialty: Exam Objectives
The list below gives the test domains and objectives for the AWS Certified Security – Specialty exam, along with each domain's percentage weighting in the examination. Take a quick look at the exam objectives:
- Domain 1: Incident Response - 12%
- Domain 2: Logging and Monitoring - 20%
- Domain 3: Infrastructure Security - 26%
- Domain 4: Identity and Access Management - 20%
- Domain 5: Data Protection - 22%
Domain 1: Incident Response
1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
- Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation.
- Analyze logs relevant to a reported instance to verify a breach, and collect relevant data.
- Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons.
1.2 Verify that the Incident Response plan includes relevant AWS services.
- Determine if changes to baseline security configuration have been made.
- Determine if the list omits services, processes, or procedures which facilitate Incident Response.
- Recommend services, processes, and procedures to remediate gaps.
1.3 Evaluate the configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues.
- Automate evaluation of conformance with rules for new/changed/removed resources.
- Apply rule-based alerts for common infrastructure misconfigurations.
- Review previous security incidents and recommend improvements to existing systems.
Domain 2: Logging and Monitoring
2.1. Design and implement security monitoring and alerting.
- Analyze architecture and identify monitoring requirements and sources for monitoring statistics.
- Analyze architecture to determine which AWS services can be used to automate monitoring and alerting.
- Analyze the requirements for custom application monitoring, and determine how this could be achieved.
- Set up automated tools/scripts to perform regular audits.
2.2. Troubleshoot security monitoring and alerting.
- Given an occurrence of a known event without the expected alerting, analyze the service functionality and configuration and remediate.
- Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate.
- Given a custom application that is not reporting its statistics, analyze the configuration and remediate.
- Review audit trails of system and user activity.
2.3. Design and implement a logging solution.
- Analyze architecture and identify logging requirements and sources for log ingestion.
- Analyze requirements and implement durable and secure log storage according to AWS best practices.
- Analyze architecture to determine which AWS services can be used to automate log ingestion and analysis.
2.4. Troubleshoot logging solutions.
- Given the absence of logs, determine the incorrect configuration and define remediation steps.
- Analyze logging access permissions to determine the incorrect configuration and define remediation steps.
- Based on the security policy requirements, determine the correct log level, type, and sources.
Domain 3: Infrastructure Security
3.1 Design edge security on AWS.
- For a given workload, assess and limit the attack surface.
- Reduce blast radius (e.g., by distributing applications across accounts and regions).
- Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront, and Route 53 to protect against DDoS or filter application-level attacks.
- Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes.
- Test WAF rules to ensure they block malicious traffic.
3.2 Design and implement a secure network infrastructure.
- Disable any unnecessary network ports and protocols.
- Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes.
- Given security requirements, decide on network segmentation (e.g., security groups and NACLs) to allow the minimum ingress/egress access required.
- Determine the use case for VPN or Direct Connect.
- Determine the use case for enabling VPC Flow Logs.
- Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation.
3.3 Troubleshoot a secure network infrastructure.
- Determine where network traffic flow is being denied.
- Given a configuration, confirm security groups and NACLs have been implemented correctly.
3.4 Design and implement host-based security.
- Given security requirements, install and configure host-based protections, including Inspector and SSM.
- Decide when to use host-based firewalls like iptables.
- Recommend methods for host hardening and monitoring.
Domain 4: Identity and Access Management
4.1 Design and implement a scalable authorization and authentication system to access AWS resources.
- Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk.
- Given a description of how an organization manages their AWS accounts, verify the security of their root user.
- Given your organization's compliance requirements, determine when to apply user policies and resource policies.
- Within an organization's policy, determine when to federate a directory service to IAM.
- Design a scalable authorization model that includes users, groups, roles, and policies.
- Identify and restrict individual users of data and AWS resources.
- Review policies to establish that users/systems are restricted from performing functions beyond their responsibility and also enforce proper separation of duties.
4.2 Troubleshoot an authorization and authentication system to access AWS resources.
- Investigate a user's inability to access S3 bucket contents.
- Investigate a user's inability to switch roles to a different account.
- Investigate an Amazon EC2 instance's inability to access a given AWS resource.
Domain 5: Data Protection
5.1 Design and implement key management and use.
- Analyze a given scenario to determine an appropriate key management solution.
- Given a set of data protection requirements, evaluate key usage and recommend required changes.
- Determine and control the blast radius of a key compromise event and design a solution to contain the same.
5.2 Troubleshoot key management.
- Break down the difference between a KMS key grant and IAM policy.
- Deduce the precedence given different conflicting policies for a given key.
- Determine when and how to revoke permissions for a user or service in the event of a compromise.
5.3 Design and implement a data encryption solution for data at rest and data in transit.
- Given a set of data protection requirements, evaluate the security of the data at rest in a workload and recommend required changes.
- Verify policy on a key such that it can only be used by specific AWS services.
- Distinguish the compliance state of data through tag-based data classifications and automate remediation.
- Evaluate a number of transport encryption techniques and select the appropriate method (e.g., TLS, IPsec, client-side KMS encryption).
How much does the AWS Certified Security - Specialty exam cost?
The AWS Certified Security - Specialty certification exam costs 300 USD. The exam lasts 170 minutes and consists of 65 questions of the multiple-choice and multiple-response types. To pass the exam, you must achieve a score of 75% to 80% on a scale of 100-1000.
What experience do you need for AWS Certified Security - Specialty?
To sit for the AWS Certified Security - Specialty certification exam, professionals must hold a Cloud Practitioner or Associate-level AWS certification. Candidates also need at least five years of IT security experience in designing and implementing security solutions. Apart from this, two years of hands-on experience working with and securing AWS systems and workloads is required.
Who should take the AWS Certified Security – Specialty certification exam?
The AWS Certified Security - Specialty certification exam is designed for individuals who work in a security role and who, of course, possess fundamental cloud knowledge and skills. The exam covers many different areas related to AWS cloud services.
What are the benefits of achieving the AWS Security - Specialty certification?
Take a quick look at the benefits of taking the AWS Certified Security - Specialty certification exam:
- Cloud security is essential to all use cases
- AWS certifications offer a venerable benchmark for AWS partners and practitioners
- Ensures team members are following security best practices
- Provides professional progression for team members
- Contributes to AWS partner certification requirements
Is the AWS Certified Security – Specialty worth it?
Undoubtedly, earning the AWS Certified Security - Specialty certification is well worth the time, money, and effort you put into the exam. Make no mistake, passing this exam isn't easy, but the certification adds an extra layer of credibility and confidence to your overall skill set.
If you are working as an AWS practitioner focused on designing and implementing security solutions, you will want to obtain this certification. While preparing for this exam, you'll learn in-depth security strategies for designing and implementing solutions at an entirely different level, making you an in-demand AWS security expert.