AWS Certified Security — Specialty (SCS-C01)

Chiradeep Chhaya
6 min read · Sep 27, 2019

Introduction

AWS is currently the world’s leading public cloud provider. This naturally means that career and success opportunities follow those who demonstrate expertise in managing migration to, and operation in, AWS. In turn, this also means that AWS is incentivized to educate as many professionals as possible on its cloud offerings, who can then evangelize its message on its behalf. Therefore, it offers a pretty broad set of certifications that require the test taker to demonstrate increasing degrees of knowledge and competence across many aspects. https://aws.amazon.com/certification/ lists the offerings available today.

Of perhaps paramount importance is ensuring customer and company data stays secure during and after such a migration. Being a security architect myself, I had my eye on the AWS Certified Security — Specialty (SCS-C01) certification for quite some time.

This post is a reflection on my motivations and the preparation required to pass the exam successfully. I am writing this just a couple of hours after having attempted it — to ensure I accurately reflect the level of difficulty and details involved.

Motivation

My motivation for taking this exam was 50% validation, 40% learning and 10% job success.

  • I deal with AWS — the ecosystem, the APIs, Terraform for Infrastructure-as-code and auditing — almost daily as a security architect. Therefore, being able to attempt and pass this certification test would provide decent enough validation of my AWS knowledge.
  • At the same time, as every practitioner will tell you, I do not use all AWS services and all AWS security features every day. Therefore, naturally, there is quite a lot to be learnt about the areas that sort of get neglected or remain unattended because there isn’t a business need to deal with them.
  • Finally, I believe all learning is useful if pursued with good intentions. In other words, the exam costs $300 (well, you can get 50% off if you clear another certification), prep material might cost another $200, and there is a possibility that one might have nothing to show for it at the end. To me, and for this certification, that was a risk worth taking. I wasn’t chasing monetary returns or public acclaim (though I’ll definitely post this on a public forum); just developing a few additional capabilities to secure the business that I am tasked with protecting would be good enough return.

With that said, let me share my observations on the exam and what you can do to best prepare for it.

Preparation

I started preparing for this test about 2 months prior to test date. A large part of the reason is that I do a lot of AWS security work daily so the concepts and terminologies and services weren’t entirely new to me. However, for most test takers, if this isn’t what you do daily, I’d suggest at least 4 months of preparation, including plenty of hands-on time.

The following resources kept me good company during test preparation:

  • I am a big fan of acloud.guru (big shout out to Ryan Kroonenburg and his gang) so I naturally used their course first. I also attempted the test in Exam Simulator twice (failed the first one by a percentage!!).
  • However, I wanted more practice with exam-like questions, so I signed up for LinuxAcademy as well and went through their practice test thrice (so there’s a greater chance of discovering a good part of the 300 or so questions in their bank).
  • I read the AWS Key Management Best Practices, the AWS KMS Cryptographic Details (really awesome paper; loved all the details about what happens behind the scenes with HSMs) and the DDoS Mitigation whitepapers at least twice. This was the best part about preparation — the wealth of info and jump-off points in these papers was a joy to pursue.
  • I paid for my own 4-account setup and used attached as well as detached accounts with AWS Organizations.

Observations

I have to credit AWS for developing a test worthy of the investment that goes into studying for it. While I can’t (and won’t) share any specific questions, I think the observations below will stand test takers in good stead.

  • The first and foremost observation was that the test also focused on areas where you need to BYOS (Bring Your Own Solution), i.e. where AWS limitations start and where you might want to look into the AWS Marketplace or roll your own. This was quite a bit of a surprise — usually, corporations are loath to admit they don’t have all bases covered (and I certainly heard nothing of it at AWS re:Inforce 2019).
  • The questions weren’t one liners. They were almost entirely scenario based. There was minuscule, if any, testing of theoretical knowledge. So do not expect questions like “What form of server side encryption is S3 not compatible with? SSE-C, SSE-KMS, SSE-S3, SSE-HSM (answer SSE-HSM, ‘coz that’s not a real thing!!)”. You will need to try harder :)
  • While there is no single domain of the test that you can entirely ignore and yet hope to pass, AWS Key Management Service (KMS) and Logging domains require absolutely end-to-end awareness of everything contained in the AWS documentation. Every single corner case was explored on my test.
  • Within the IAM domain, even something as simple as the login process — both federated as well as native — was thoroughly tested. So it is important to understand everything about federation setup, credential management, various forms of credentials, revocation, auditing and recovery.
  • Within the Infrastructure Security domain, have a thorough understanding of what NACLs can and cannot achieve, and what VPC Flow Logs can or cannot achieve.
  • The Incident Response/Forensics domain usually builds off the Logging domain, so if you understand the interplay between CloudWatch Logs, CloudWatch Events, CloudTrail and SNS, you should have no problems on this part of the test.

As an end-to-end exercise, I’d suggest:

  • Create a multi-account setup with web servers running on EC2 instances as well as web services running through API Gateway, Lambda and S3.
  • Use CloudFront, WAF and Shield. Install CloudWatch Logs agents on a few EC2 instances, consolidate logs in a central account, and implement log file validation (extra credit — write a script to actually validate files based off events when a new file is posted). Understand what Macie does, although playing with it didn’t seem all that necessary.
  • Grant one account read and read/write access to another account’s S3 buckets using IAM roles.
  • Protect your EC2 instances with a homegrown proxy (install Squid or something), give them internet access, and use NACLs and security groups to open a finite set of ports and restrict some IPs (use a VPN for testing).
  • Finally, apply Service Control Policies through the organization (as examples, restrict regions or mandate S3 encryption; example SCPs can be found here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html). Do this every day of the week before your exam and recite the script in your sleep the day of the exam :)
  • If you not only want to ace the exam but have success as an AWS Security practitioner as well, do all of this in CloudFormation and Terraform!!
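The “extra credit” item above, validating CloudTrail log files against their digest files, is worth doing by hand at least once because it is exactly the CloudTrail/Logging corner that the Logging and Incident Response domains lean on. The script below is an added example, not part of the original post and not AWS’s own tooling. It checks the hash chain that CloudTrail digest files record (each listed log file’s SHA-256 over its uncompressed contents, and the previous digest’s hash), and rebuilds the string that CloudTrail signs over each digest. All S3 objects, account ids, bucket names and keys are constructed in memory; the RSA/SHA-256 signature check itself (which needs the public key from the CloudTrail ListPublicKeys API and a crypto library) is described but not performed.

```python
"""Added example: offline CloudTrail log file integrity validation (hash chain only)."""
import gzip
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def to_s3_object(obj) -> bytes:
    """Serialise as CloudTrail stores objects in S3: gzip-compressed JSON."""
    return gzip.compress(json.dumps(obj, sort_keys=True).encode())


def signing_input(digest_gz: bytes, digest: dict) -> bytes:
    """Rebuild the string CloudTrail signs for a digest file (format from the AWS guide on
    custom implementations of log file integrity validation):
    digestEndTime \\n bucket/key \\n sha256hex(uncompressed digest) \\n previous digest signature.
    Hand this, the hex signature from the digest object's S3 metadata, and the matching
    public key from ListPublicKeys to an RSA/SHA-256 verifier; that step is not done here."""
    # Assumption: an empty string stands in for the null previousDigestSignature of the
    # first digest in a chain.
    prev_sig = digest.get("previousDigestSignature") or ""
    body = "\n".join([
        digest["digestEndTime"],
        f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
        sha256_hex(gzip.decompress(digest_gz)),
        prev_sig,
    ])
    return body.encode()


def verify_digest(digest_gz: bytes, store: Dict[str, bytes],
                  previous_digest_gz: Optional[bytes] = None) -> List[str]:
    """Check every log file a digest lists, plus the link to the previous digest.
    `store` maps 'bucket/key' to object bytes (a stand-in for S3 GetObject).
    Returns one 'OK ...' or 'FAIL ...' line per check."""
    digest = json.loads(gzip.decompress(digest_gz))
    findings: List[str] = []
    for entry in digest["logFiles"]:
        path = f"{entry['s3Bucket']}/{entry['s3Object']}"
        raw = store.get(path)
        if raw is None:
            findings.append(f"FAIL missing {path}")  # log file deleted after digest was written
            continue
        # hashValue covers the uncompressed log contents, so decompress before hashing.
        actual = sha256_hex(gzip.decompress(raw))
        findings.append(f"{'OK' if actual == entry['hashValue'] else 'FAIL'} {path}")
    if previous_digest_gz is not None:
        prev_ok = sha256_hex(gzip.decompress(previous_digest_gz)) == digest["previousDigestHashValue"]
        findings.append(f"{'OK' if prev_ok else 'FAIL'} previous digest hash")
    return findings


def run_demo() -> Dict[str, object]:
    """Constructed sample: two chained digests; the second log file is edited after the fact."""
    account, bucket = "111122223333", "central-logs-example"  # constructed values
    prefix = f"AWSLogs/{account}/CloudTrail/us-east-1/2019/09/27/{account}_CloudTrail_us-east-1_"
    dprefix = f"AWSLogs/{account}/CloudTrail-Digest/us-east-1/2019/09/27/{account}_CloudTrail-Digest_us-east-1_"

    log_a = to_s3_object({"Records": [{"eventName": "ConsoleLogin", "eventTime": "2019-09-27T10:05:00Z"}]})
    log_b = to_s3_object({"Records": [{"eventName": "StopLogging", "eventTime": "2019-09-27T10:35:00Z"}]})
    key_a, key_b = prefix + "20190927T1000Z.json.gz", prefix + "20190927T1030Z.json.gz"

    def log_entry(key: str, obj: bytes) -> dict:
        return {"s3Bucket": bucket, "s3Object": key, "hashAlgorithm": "SHA-256",
                "hashValue": sha256_hex(gzip.decompress(obj))}

    digest1 = {"awsAccountId": account, "digestEndTime": "2019-09-27T10:30:00Z",
               "digestS3Bucket": bucket, "digestS3Object": dprefix + "20190927T1030Z.json.gz",
               "digestSignatureAlgorithm": "SHA256withRSA", "previousDigestS3Bucket": None,
               "previousDigestS3Object": None, "previousDigestHashValue": None,
               "previousDigestSignature": None, "logFiles": [log_entry(key_a, log_a)]}
    digest1_gz = to_s3_object(digest1)
    digest2 = {"awsAccountId": account, "digestEndTime": "2019-09-27T11:00:00Z",
               "digestS3Bucket": bucket, "digestS3Object": dprefix + "20190927T1100Z.json.gz",
               "digestSignatureAlgorithm": "SHA256withRSA", "previousDigestS3Bucket": bucket,
               "previousDigestS3Object": digest1["digestS3Object"],
               "previousDigestHashValue": sha256_hex(gzip.decompress(digest1_gz)),
               "previousDigestSignature": "00" * 8,  # constructed placeholder, not a real signature
               "logFiles": [log_entry(key_b, log_b)]}
    digest2_gz = to_s3_object(digest2)

    # The StopLogging event is scrubbed from log_b after the digest was written.
    tampered_b = to_s3_object({"Records": []})
    store = {f"{bucket}/{key_a}": log_a, f"{bucket}/{key_b}": tampered_b}

    return {"digest1": verify_digest(digest1_gz, store),
            "digest2": verify_digest(digest2_gz, store, digest1_gz),
            "digest2_signing_input": signing_input(digest2_gz, digest2).decode()}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

In a real deployment the `store` lookups become S3 GetObject calls from the central logging account, the digest's signature comes from the object's `x-amz-meta-signature` metadata, and the hash chain is walked backwards from the newest digest so that a missing or rewritten log file (the `FAIL` line above) or a broken `previous digest hash` link surfaces as an alert rather than a silent gap.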

Conclusion

I hope this post helps at least one other person pass the test — writing it would’ve been worth it then. I certainly gained a lot from preparing for this test and am thankful to AWS for providing about as good a validation of this knowledge as is possible within such an exam format.

If you have any questions about the test or my observations herein — and dare I now say about AWS Security — please feel free to hit me up on Twitter or LinkedIn.

☮️ and 🖖


Chiradeep Chhaya

Purveyor of all things security, cloud, Pythonic and SpaceX. On Twitter at @itsmecbc