AWS Certified Security Specialty – materials

Materials

Whitepapers

Practice!

  • I assume you have professional experience with AWS.
  • Play with services that you do not use on a daily basis.
  • Practice exam on Tutorials Dojo.

Exam

  • 65 questions, 170 minutes.
  • Multiple-choice and multiple-answer questions.
  • KMS and IAM knowledge is the key to passing this exam.
  • Often an answer is incorrect because the AWS service capability it mentions does not exist.
  • From my experience, time is not an issue; I had plenty of time for reviews.

YouTube Videos

Articles

KMS

AWS KMS concepts
Key policies in AWS KMS
Special-purpose keys
How AWS services use AWS KMS
Using grants in AWS KMS
Allowing users in other accounts to use a KMS key
Rotating AWS KMS keys
Policy conditions
Encryption context
Deleting AWS KMS keys
GenerateDataKey
What Is AWS CloudHSM?

IAM

All docs in Policies and permissions in IAM
Policy evaluation logic
AWS global condition context keys
Permissions boundaries for IAM entities
Managing server certificates in IAM
Getting credential reports for your AWS account
Security best practices in IAM

STS and federations

Requesting temporary security credentials
AWS Federated Authentication with Active Directory Federation Services (AD FS)
Identity Providers and Federation
About SAML 2.0-based federation
Enabling SAML 2.0 federated users to access the AWS Management Console

SSO

Understanding key AWS Single Sign-On concepts
How to create and manage users within AWS Single Sign-On

AWS Organizations

AWS Organizations terminology and concepts
Best practices for AWS Organizations
Service control policies (SCPs)
Inheritance for service control policies

CloudTrail

CloudTrail basics
Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS)
Sharing CloudTrail log files between AWS accounts
Security best practices in AWS CloudTrail
Validating CloudTrail log file integrity
Logging Amazon S3 API calls using AWS CloudTrail

CloudWatch

CloudWatch basics
How to Audit Cross-Account Roles Using AWS CloudTrail and Amazon CloudWatch Events
Why can’t I push log data to CloudWatch Logs with the awslogs agent?

VPC

VPC Flow Logs
Security groups for your VPC
Network ACLs

Compute

How to Protect Data at Rest with Amazon EC2 Instance Store Encryption
Amazon EBS encryption
IAM roles for Amazon EC2
Instance metadata and user data
Use API Gateway Lambda authorizers

Secrets management

Secrets management for serverless
The Right Way to Store Secrets using Parameter Store

ACM

Managed renewal for ACM certificates
Best practices
Certificate and key format for importing
What is ACM Private CA?
Designing a CA hierarchy

Load balancers

SSL/TLS certificates for Classic Load Balancers
Restricting access to Application Load Balancers
Perfect Forward Secrecy
Multiple TLS Certificates With Smart Selection Using SNI

CloudFront

Using HTTPS with CloudFront
Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront
Choosing between signed URLs and signed cookies
Restricting the geographic distribution of your content
Restricting access to Amazon S3 content by using an origin access identity (OAI)

WAF and Shield

AWS Web Application Firewall (WAF) for Application Load Balancers
How AWS WAF works
How AWS Shield works
Shield Advanced

S3

Controlling Access to S3 Resources
Protecting data using server-side encryption
Protecting data using client-side encryption
Upload a large file to Amazon S3
Replicating objects
S3 Presigned URLs
Amazon S3 Glacier Vault Lock
Managing Object Lock
Using S3 Object Lock

Cognito

Adding user pool sign-in through a third party
Identity pools (federated identities) authentication flow

GuardDuty

Concepts and terminology
Managing multiple accounts in Amazon GuardDuty
Amazon S3 protection in Amazon GuardDuty

Config

What Is AWS Config?
Specifying Triggers for AWS Config Rules
Remediating Noncompliant AWS Resources by AWS Config Rules
AWS Config best practices

Others

What is Amazon Inspector?
How Systems Manager works
AWS Trusted Advisor
What is AWS Artifact?
How Realtor.com Monitors Amazon Athena Usage with AWS CloudTrail and Amazon QuickSight
How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?