Materials
- Exam blueprint.
- AWS Certified Security – Specialty 2020 course on ACloudGuru.
- 10 tips to study for the AWS Certified Security – Specialty Certification
- Jayendra’s Blog.
- AWS Well-Architected Framework Security Pillar.
Whitepapers
- AWS Key Management Service Best Practices
- Risk and Compliance
- AWS Best Practices for DDoS Resiliency
- Security at the Edge: Core Principles
- Security of AWS CloudHSM Backups
- AWS Security Incident Response Guide
- Guidelines for Implementing AWS WAF
- Security Overview of AWS Lambda
Practice!
- I assume you have professional experience with AWS.
- Play with services that you do not use on daily basis.
- Practice exam on Tutorials Dojo.
Exam
- 65 questions, 170 minutes.
- Multiple choice, multiple answers questions.
- KMS and IAM knowledge is the key to pass this exam.
- Often answer is incorrect because mentioned in the answer AWS service capability does not exist.
- From my experience time is not an issue, I had plenty of time for reviews.
YouTube Videos
- AWS re:invent 2017: Best Practices for Implementing AWS Key Management Service (SID330)
- AWS re:Invent 2017: Best Practices for Managing Security Operations on AWS (SID206)
- AWS re:Invent 2018: Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)
- AWS re:Invent 2017: A Deep Dive into AWS Encryption Services (SID329)
- Encryption and Key Management in AWS
Articles
KMS
AWS KMS concepts
Key policies in AWS KMS
Special-purpose keys
How AWS services use AWS KMS
Using grants in AWS KMS
Allowing users in other accounts to use a KMS key
Rotating AWS KMS keys
Policy conditions
Encryption context
Deleting AWS KMS keys
GenerateDataKey
What Is AWS CloudHSM?
IAM
All docs in Policies and permissions in IAM
Policy evaluation logic
AWS global condition context keys
Permissions boundaries for IAM entities
Managing server certificates in IAM
Getting credential reports for your AWS account
Security best practices in IAM
STS and federations
Requesting temporary security credentials
AWS Federated Authentication with Active Directory Federation Services (AD FS)
Identity Providers and Federation
About SAML 2.0-based federation
Enabling SAML 2.0 federated users to access the AWS Management Console
SSO
Understanding key AWS Single Sign-On concepts
How to create and manage users within AWS Single Sign-On
AWS Organizations
AWS Organizations terminology and concepts
Best practices for AWS Organizations
Service control policies (SCPs)
Inheritance for service control policies
CloudTrail
CloudTrail basics
Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS)
Sharing CloudTrail log files between AWS accounts
Security best practices in AWS CloudTrail
Validating CloudTrail log file integrity
Logging Amazon S3 API calls using AWS CloudTrail
CloudWatch
CloudWatch basics
How to Audit Cross-Account Roles Using AWS CloudTrail and Amazon CloudWatch Events
Why can’t I push log data to CloudWatch Logs with the awslogs agent?
VPC
VPC Flow Logs
Security groups for your VPC
Network ACLs
Compute
How to Protect Data at Rest with Amazon EC2 Instance Store Encryption
Amazon EBS encryption
IAM roles for Amazon EC2
Instance metadata and user data
Use API Gateway Lambda authorizers
Secrets management
Secrets management for serverless
The Right Way to Store Secrets using Parameter Store
ACM
Managed renewal for ACM certificates
Best practices
Certificate and key format for importing
What is ACM Private CA?
Designing a CA hierarchy
Load balancers
SSL/TLS certificates for Classic Load Balancers
Restricting access to Application Load Balancers
Perfect Forward Secrecy
Multiple TLS Certificates With Smart Selection Using SNI
CloudFront
Using HTTPS with CloudFront
Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront
Choosing between signed URLs and signed cookies
Restricting the geographic distribution of your content
Restricting access to Amazon S3 content by using an origin access identity (OAI)
WAF and Shield
AWS Web Application Firewall (WAF) for Application Load Balancers
How AWS WAF works
How AWS Shield works
Shield Advanced
S3
Controlling Access to S3 Resources
Protecting data using server-side encryption
Protecting data using client-side encryption
Upload a large file to Amazon S3
Replicating objects
S3 Presigned URLs
Amazon S3 Glacier Vault Lock
Managing Object Lock
Using S3 Object Lock
Cognito
Adding user pool sign-in through a third party
Identity pools (federated identities) authentication flow
GuardDuty
Concepts and terminology
Managing multiple accounts in Amazon GuardDuty
Amazon S3 protection in Amazon GuardDuty
Config
What Is AWS Config?
Specifying Triggers for AWS Config Rules
Remediating Noncompliant AWS Resources by AWS Config Rules
AWS Config best practices
Others
What is Amazon Inspector?
How Systems Manager works
AWS Trusted Advisor
What is AWS Artifact?
How Realtor.com Monitors Amazon Athena Usage with AWS CloudTrail and Amazon QuickSight
How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?