{"id":1507,"date":"2025-06-04T17:00:00","date_gmt":"2025-06-04T11:30:00","guid":{"rendered":"https:\/\/www.testpreptraining.com\/blog\/?p=1507"},"modified":"2025-06-04T17:52:37","modified_gmt":"2025-06-04T12:22:37","slug":"how-to-pass-aws-security-specialty-certification-exam","status":"publish","type":"post","link":"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/","title":{"rendered":"How to pass AWS Security Specialty certification exam? &#8211; Updated 2025"},"content":{"rendered":"\n<p>The <a href=\"https:\/\/www.testpreptraining.ai\/aws-certified-security-specialty-practice-exam\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Certified Security \u2013 Specialty certification<\/a> is a highly respected credential for cloud professionals aiming to demonstrate their expertise in securing complex AWS environments. It\u2019s designed for individuals with a deep understanding of security principles, including data protection, identity and access management, incident response, and compliance. With cloud security becoming a top priority across industries, earning this certification can significantly elevate your professional credibility and career prospects. In this blog, we\u2019ll walk you through the essential steps, strategies, and resources you need to prepare effectively and confidently pass the AWS Security Specialty exam.<\/p>\n\n\n\n<p>Cloud security is no longer just a feature\u2014it\u2019s a frontline business priority. As organizations continue to move their critical workloads to the cloud, the demand for security professionals who understand how to secure AWS environments has skyrocketed. If you&#8217;re aiming to stand out in the cybersecurity landscape, the AWS Certified Security\u2013Specialty certification offers one of the most prestigious validations of your cloud security expertise.<\/p>\n\n\n\n<p>But make no mistake, this is not an entry-level certification. 
The exam tests your ability to think like a security architect: to protect data, ensure compliance, detect threats, and respond with precision. It demands a deep understanding of AWS services, layered security strategies, encryption techniques, identity and access controls, and incident response workflows.<\/p>\n\n\n\n<p>Earning this credential is not just about passing an exam, it\u2019s about proving that you can design and implement security solutions in a dynamic and scalable cloud environment. And with AWS being the most widely adopted cloud provider globally, this certification can open doors to high-impact, well-compensated roles across industries. In this guide, we will break down everything you need to prepare for and pass the AWS Certified Security \u2013 Specialty exam in 2025: from the exam structure and core domains to preparation tips, study resources, and real-world insights that help you succeed with confidence.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Security Specialty Exam Overview<\/strong><\/h3>\n\n\n\n<p>The AWS Certified Security &#8211; Specialty exam is a certification exam for IT professionals who want to demonstrate their expertise in securing AWS workloads. The exam covers a range of security-related topics, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identity and Access Management (IAM)<\/li>\n\n\n\n<li>Detective Controls<\/li>\n\n\n\n<li>Infrastructure Security<\/li>\n\n\n\n<li>Data Protection<\/li>\n\n\n\n<li>Incident Response<\/li>\n\n\n\n<li>Compliance<\/li>\n<\/ul>\n\n\n\n<p>To pass the AWS Certified Security &#8211; Specialty exam, candidates must demonstrate a deep understanding of these topics and how to apply them to secure AWS workloads. 
The exam consists of 65 multiple-choice and multiple-response questions, and candidates have 130 minutes to complete the exam.<\/p>\n\n\n\n<p>The AWS Certified Security &#8211; Specialty exam is designed for experienced IT professionals who have hands-on experience with AWS security services and a strong understanding of security best practices. To prepare for the exam, candidates should study the official AWS documentation, enroll in an AWS certification course, use practice exams, and focus their studies on the exam objectives.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-text-align-center\"><strong>EXAM DETAILS<\/strong><\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Exam Code<\/td><td>SCS-C01<\/td><\/tr><tr><td>Exam Type<\/td><td>Specialty<\/td><\/tr><tr><td>Exam Duration<\/td><td>170 minutes<\/td><\/tr><tr><td>Exam Cost<\/td><td>$300 USD<\/td><\/tr><tr><td>Exam Format<\/td><td>Multiple Choice questions and Multiple Responses<\/td><\/tr><tr><td>Exam Scoring<\/td><td>Scaled score from 100 to 1000<\/td><\/tr><tr><td>Passing Score<\/td><td>75% &#8211; 80%<\/td><\/tr><tr><td>Exam Language<\/td><td>English, Japanese, Korean and Simplified Chinese<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Exam Question Format&nbsp;<\/strong><\/h4>\n\n\n\n<p>The AWS Certified Security Specialty exam comes with two question types:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple-choice questions, in which you select only one correct option out of four options.<\/li>\n\n\n\n<li>Multiple-response questions, in which there can be multiple correct answers among the options given.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Exam Score Guidelines<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the AWS Security Specialty certification exam, you select one or more best answers, depending on the type of question.<\/li>\n\n\n\n<li>In the AWS exam, no marks will be 
deducted for giving a wrong answer.<\/li>\n\n\n\n<li>There may be some content in the exam that is not scored; it is included only to gather general information and will not have any effect on the exam.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Exam Result Process<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The score is scaled between 100 and 1000.<\/li>\n\n\n\n<li>On a percentage basis, you need to score between 75% and 80%.<\/li>\n\n\n\n<li>The AWS Security Specialty exam uses a pass or fail format. The exam result will be mailed to you within five business days from the day of the exam.<\/li>\n\n\n\n<li>For this exam you only need to achieve the overall passing score, so it is not necessary to pass each section.<\/li>\n\n\n\n<li>Each section in this exam has a different weighting, with a different number of questions listed against each section in the exam.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Examination Retake policy<\/strong><\/h4>\n\n\n\n<p>Amazon has rules for retaking the certification test. According to the policy, you must wait 14 days before retaking the test. There is no limit on how many times you can take the exam; you can keep taking it until you pass and are certified. 
Moreover, you are required to pay the entire registration price for each try.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How to register?<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need to register first and then sign in to <a href=\"https:\/\/www.aws.training\/Dashboard\">aws.training<\/a>.<\/li>\n\n\n\n<li>After that, click on Certification at the top of the page.<\/li>\n\n\n\n<li>Then click on AWS Certification account, Schedule new exam.<\/li>\n\n\n\n<li>Find the exam you want to take and click the schedule button for Pearson VUE or PSI.<\/li>\n<\/ul>\n\n\n\n<p>At the time of the exam, before entering the test center, you are required to provide two government-issued IDs with your name matching the name on the application form.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Security Specialty Skills Required<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You should have at least two years of hands-on experience in securing AWS workloads.<\/li>\n\n\n\n<li>It is also recommended to have 5 years of experience in IT security, designing and implementing security solutions.<\/li>\n\n\n\n<li>This exam will examine your knowledge of how to secure the AWS platform.<\/li>\n\n\n\n<li>You should have a good understanding of data encryption methods, secure internet protocols, and the AWS mechanisms for implementing them.<\/li>\n\n\n\n<li>It is also recommended to have working knowledge of AWS security services, specialized data classification, and AWS data protection mechanisms.<\/li>\n\n\n\n<li>You should have 2 or more years of production deployment experience using AWS security services.<\/li>\n\n\n\n<li>Good knowledge of security operations and risks.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AWS Certified Security Specialty Exam Glossary<\/strong><\/h4>\n\n\n\n<p>Get familiar with the services and important terms:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Identity 
and Access Management (IAM)<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM \u2013 A service used to manage users, groups, roles, and their permissions.<\/li>\n\n\n\n<li>IAM Policy \u2013 A JSON document that defines permissions for users or services.<\/li>\n\n\n\n<li>IAM Role \u2013 A way to grant temporary access to AWS resources for users or services.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Encryption and Data Protection<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>KMS (Key Management Service) \u2013 AWS-managed service to create and manage cryptographic keys.<\/li>\n\n\n\n<li>CMK (Customer Master Key) \u2013 The main encryption key used with KMS.<\/li>\n\n\n\n<li>Envelope Encryption \u2013 Encrypting data using a data key, which itself is encrypted with a master key.<\/li>\n\n\n\n<li>SSE (Server-Side Encryption) \u2013 AWS encrypts data at rest within services like S3, RDS, etc.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Monitoring and Logging<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS CloudTrail \u2013 Captures all API calls and activity across your AWS account.<\/li>\n\n\n\n<li>Amazon CloudWatch \u2013 Provides monitoring and alerting for AWS resources.<\/li>\n\n\n\n<li>VPC Flow Logs \u2013 Captures network traffic flow data in your VPC.<\/li>\n\n\n\n<li>AWS Config \u2013 Evaluates and monitors the configuration of AWS resources over time.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Infrastructure Security<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Groups \u2013 Virtual firewalls that control inbound\/outbound traffic to AWS resources.<\/li>\n\n\n\n<li>NACLs (Network Access Control Lists) \u2013 Stateless firewalls for subnets within a VPC.<\/li>\n\n\n\n<li>AWS WAF (Web Application Firewall) \u2013 Protects web applications from common attacks.<\/li>\n\n\n\n<li>AWS Shield \u2013 Provides protection against Distributed Denial of Service (DDoS) 
attacks.<\/li>\n\n\n\n<li>Amazon Inspector \u2013 Scans EC2 instances for vulnerabilities.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Compliance and Risk Management<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS Artifact \u2013 Central location for compliance-related reports and documents.<\/li>\n\n\n\n<li>Shared Responsibility Model \u2013 Clarifies which security responsibilities AWS manages and which the customer must handle.<\/li>\n\n\n\n<li>Data Classification \u2013 Identifying data sensitivity levels to apply proper protection.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Incident Response<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Runbooks\/Playbooks \u2013 Documented procedures for responding to incidents.<\/li>\n\n\n\n<li>Amazon GuardDuty \u2013 Threat detection and continuous security monitoring service.<\/li>\n\n\n\n<li>Amazon Macie \u2013 Uses machine learning to identify and protect sensitive data, like PII, in S3.<\/li>\n\n\n\n<li>AWS Security Hub \u2013 Aggregates findings from security services into a unified dashboard.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Networking and Connectivity<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC (Virtual Private Cloud) \u2013 A logically isolated section of AWS used to launch resources.<\/li>\n\n\n\n<li>VPN and Direct Connect \u2013 Secure, private connections between your data center and AWS.<\/li>\n\n\n\n<li>PrivateLink \u2013 Enables private connectivity between VPCs and AWS services without using public IPs.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Other Key Concepts<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>S3 Bucket Policies \u2013 JSON-based policies that control access to Amazon S3 buckets.<\/li>\n\n\n\n<li>ACL (Access Control List) \u2013 A legacy method for managing S3 permissions.<\/li>\n\n\n\n<li>Trusted Advisor \u2013 Provides real-time insights and recommendations on 
security, cost, and performance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Why choose the AWS Security Specialty Exam?<\/strong><\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" width=\"584\" height=\"239\" src=\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-12.png\" alt=\"\" class=\"wp-image-1509\" srcset=\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-12.png 584w, https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-12-300x123.png 300w\" sizes=\"(max-width: 584px) 100vw, 584px\" \/><\/figure>\n<\/div>\n\n\n<p>The AWS Certified Security &#8211; Specialty certification is important for IT professionals who want to demonstrate their expertise in securing AWS workloads. This certification is highly valued by organizations that use AWS as it demonstrates a deep understanding of the security features and capabilities of the AWS platform. Some benefits of earning the AWS Certified Security &#8211; Specialty certification include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Career advancement: The AWS Certified Security &#8211; Specialty certification is recognized as a benchmark of expertise in securing AWS workloads, and can help IT professionals advance their careers and increase their earning potential.<\/li>\n\n\n\n<li>Increased credibility: The AWS Certified Security &#8211; Specialty certification provides IT professionals with an industry-recognized credential that demonstrates their expertise in securing AWS workloads. This credibility can help IT professionals stand out in a competitive job market.<\/li>\n\n\n\n<li>Improved job performance: The AWS Certified Security &#8211; Specialty certification provides IT professionals with a deep understanding of security best practices and AWS security services. 
This knowledge can help IT professionals improve their job performance and deliver more secure AWS workloads.<\/li>\n\n\n\n<li>Access to new job opportunities: The AWS Certified Security &#8211; Specialty certification opens up new job opportunities for IT professionals in the growing field of cloud security.<\/li>\n\n\n\n<li>Staying current with AWS updates: Earning the AWS Certified Security &#8211; Specialty certification requires staying current with updates to the AWS platform, which can help IT professionals stay current with the latest security features and capabilities of AWS.<\/li>\n<\/ul>\n\n\n\n<p>Overall, the AWS Certified Security &#8211; Specialty certification provides IT professionals with the skills, knowledge, and credibility they need to succeed in the rapidly growing field of cloud security.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Security Specialty (SCS-C01) Exam Layout<\/strong><\/h3>\n\n\n\n<p>There are 6 domains to focus on in this Specialty Certification exam. Moreover,  the Course Outline acts as the AWS certified security specialty exam blueprint. 
<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" width=\"628\" height=\"303\" src=\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-13.png\" alt=\"\" class=\"wp-image-1511\" srcset=\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-13.png 628w, https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-13-300x145.png 300w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><\/figure>\n<\/div>\n\n\n<p> The AWS certified security specialty course covers the following domains:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Domain 1: Threat Detection and Incident Response (14%)<\/strong><\/h4>\n\n\n\n<p>Task Statement 1.1: Design and implement an incident response plan.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS best practices for incident response&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-security-incident-response-guide\/aws-security-incident-response-guide.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Security Incident Response Guide<\/a>)<\/li>\n\n\n\n<li>Cloud incidents<\/li>\n\n\n\n<li>Roles and responsibilities in the incident response plan&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-security-incident-response-guide\/define-roles-and-responsibilities.html\" target=\"_blank\" rel=\"noreferrer noopener\">Define roles and responsibilities<\/a>)<\/li>\n\n\n\n<li>AWS Security Finding Format (ASFF)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/securityhub\/latest\/userguide\/securityhub-findings-format.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Security Finding Format (ASFF)<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implementing credential invalidation and 
rotation strategies in response to compromises (for example, by using AWS Identity and Access Management [IAM] and AWS Secrets Manager)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/prescriptive-guidance\/latest\/patterns\/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html\" target=\"_blank\" rel=\"noreferrer noopener\">Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager<\/a>)<\/li>\n\n\n\n<li>Isolating AWS resources&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/establishing-your-cloud-foundation-on-aws\/design-isolated-resource-environments.html\" target=\"_blank\" rel=\"noreferrer noopener\">Design isolated resource environments<\/a>)<\/li>\n\n\n\n<li>Designing and implementing playbooks and runbooks for responses to security incidents&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/framework\/sec_incident_response_playbooks.html\" target=\"_blank\" rel=\"noreferrer noopener\">Develop and test security incident response playbooks<\/a>)<\/li>\n\n\n\n<li>Deploying security services (for example, AWS Security Hub, Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Detective, AWS Identity and Access Management Access Analyzer)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-overview\/security-services.html\" target=\"_blank\" rel=\"noreferrer noopener\">Security, identity, and compliance<\/a>)<\/li>\n\n\n\n<li>Configuring integrations with native AWS services and third-party services (for example, by using Amazon EventBridge and the ASFF)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 1.2: Detect security threats and anomalies by using AWS services.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS 
managed security services that detect threats&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/monitoring-data-security.html#:~:text=To%20monitor%20the%20security%20of,these%20managed%20AWS%20security%20services.&amp;text=Amazon%20GuardDuty%20is%20a%20threat,findings%20for%20visibility%20and%20remediation.\" target=\"_blank\" rel=\"noreferrer noopener\">Monitoring data security with managed AWS security services<\/a>)<\/li>\n\n\n\n<li>Anomaly and correlation techniques to join data across services&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/en_us\/quicksight\/latest\/user\/anomaly-detection-outliers-and-key-drivers.html\" target=\"_blank\" rel=\"noreferrer noopener\">Concepts for anomaly or outlier detection<\/a>)<\/li>\n\n\n\n<li>Visualizations to identify anomalies<\/li>\n\n\n\n<li>Strategies to centralize security findings&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/navigating-gdpr-compliance\/centralized-security-management.html#:~:text=Security%20Hub%20centralizes%20and%20prioritizes,the%20highest%20priority%20security%20issues.\" target=\"_blank\" rel=\"noreferrer noopener\">Centralized Security Management<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Evaluating findings from security services (for example, GuardDuty, Security Hub, Macie, AWS Config, IAM Access Analyzer)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/securityhub\/latest\/userguide\/securityhub-internal-providers.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS service integrations with AWS Security Hub<\/a>)<\/li>\n\n\n\n<li>Searching and correlating security threats across AWS services (for example, by using Detective)<\/li>\n\n\n\n<li>Performing queries to validate security events (for example, by using Amazon 
Athena)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/athena\/latest\/ug\/cloudtrail-logs.html\" target=\"_blank\" rel=\"noreferrer noopener\">Querying AWS CloudTrail logs<\/a>)<\/li>\n\n\n\n<li>Creating metric filters and dashboards to detect anomalous activity (for example, by using Amazon CloudWatch)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/monitoring\/CloudWatch_Anomaly_Detection.html\" target=\"_blank\" rel=\"noreferrer noopener\">Using CloudWatch anomaly detection<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 1.3: Respond to compromised resources and workloads.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS Security Incident Response Guide&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-security-incident-response-guide\/aws-security-incident-response-guide.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Security Incident Response Guide<\/a>)<\/li>\n\n\n\n<li>Resource isolation mechanisms&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/establishing-your-cloud-foundation-on-aws\/design-isolated-resource-environments.html\" target=\"_blank\" rel=\"noreferrer noopener\">Design isolated resource environments<\/a>)<\/li>\n\n\n\n<li>Techniques for root cause analysis&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/aws.amazon.com\/what-is\/root-cause-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">What is Root Cause Analysis (RCA)?<\/a>)<\/li>\n\n\n\n<li>Data capture mechanisms&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/model-monitor-data-capture.html\" target=\"_blank\" rel=\"noreferrer noopener\">Capture data<\/a>)<\/li>\n\n\n\n<li>Log analysis for event validation&nbsp;<strong>(AWS 
Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/logs\/AnalyzingLogData.html\" target=\"_blank\" rel=\"noreferrer noopener\">Analyzing log data with CloudWatch Logs Insights<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automating remediation by using AWS services (for example, AWS Lambda, AWS Step Functions, EventBridge, AWS Systems Manager runbooks, Security Hub, AWS Config)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/systems-manager\/latest\/userguide\/systems-manager-automation.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Systems Manager&nbsp;Automation<\/a>)<\/li>\n\n\n\n<li>Responding to compromised resources (for example, by isolating Amazon EC2 instances)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/guardduty\/latest\/ug\/compromised-ec2.html\" target=\"_blank\" rel=\"noreferrer noopener\">Remediating a potentially compromised Amazon EC2 instance<\/a>)<\/li>\n\n\n\n<li>Investigating and analyzing to conduct root cause analysis (for example, by using Detective)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/detective\/latest\/userguide\/what-is-detective.html\" target=\"_blank\" rel=\"noreferrer noopener\">What is Amazon Detective?<\/a>)<\/li>\n\n\n\n<li>Capturing relevant forensics data from a compromised resource (for example, Amazon Elastic Block Store [Amazon EBS] volume snapshots, memory dump)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/ebs\/latest\/userguide\/ebs-snapshots.html\" target=\"_blank\" rel=\"noreferrer noopener\">Amazon EBS snapshots<\/a>)<\/li>\n\n\n\n<li>Querying logs in Amazon S3 for contextual information related to security events (for example, by using Athena)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/athena\/latest\/ug\/cloudtrail-logs.html\" target=\"_blank\" rel=\"noreferrer noopener\">Querying AWS CloudTrail logs<\/a>)<\/li>\n\n\n\n<li>Protecting and preserving forensic artifacts (for example, by using S3 Object Lock, isolated forensic accounts, S3 Lifecycle, and S3 replication)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/object-lock.html\" target=\"_blank\" rel=\"noreferrer noopener\">Using S3 Object Lock<\/a>)<\/li>\n\n\n\n<li>Preparing services for incidents and recovering services after incidents&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-security-incident-response-guide\/recovery.html\" target=\"_blank\" rel=\"noreferrer noopener\">Recovery<\/a>)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Domain 2: Security Logging and Monitoring (18%)<\/strong><\/h4>\n\n\n\n<p>Task Statement 2.1: Design and implement monitoring and alerting to address security events.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS services that monitor events and provide alarms (for example, CloudWatch, EventBridge)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/monitoring\/cloudwatch-and-eventbridge.html\" target=\"_blank\" rel=\"noreferrer noopener\">Alarm events and EventBridge<\/a>)<\/li>\n\n\n\n<li>AWS services that automate alerting (for example, Lambda, Amazon Simple Notification Service [Amazon SNS], Security Hub)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/securityhub\/latest\/userguide\/securityhub-cloudwatch-events.html\" target=\"_blank\" rel=\"noreferrer noopener\">Automated response and remediation<\/a>)<\/li>\n\n\n\n<li>Tools that monitor metrics and baselines (for example, GuardDuty, Systems Manager)<\/li>\n<\/ul>\n\n\n\n<p>Skills 
in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Analyzing architectures to identify monitoring requirements and sources of data for security monitoring&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/prescriptive-guidance\/latest\/implementing-logging-monitoring-cloudwatch\/welcome.html\" target=\"_blank\" rel=\"noreferrer noopener\">Designing and implementing logging and monitoring with Amazon CloudWatch<\/a>)<\/li>\n\n\n\n<li>Analyzing environments and workloads to determine monitoring requirements&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/framework\/cost_manage_demand_resources_cost_analysis.html\" target=\"_blank\" rel=\"noreferrer noopener\">Perform an analysis on the workload demand<\/a>)<\/li>\n\n\n\n<li>Designing environment monitoring and workload monitoring based on business and security requirements<\/li>\n\n\n\n<li>Setting up automated tools and scripts to perform regular audits (for example, by creating custom insights in Security Hub)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/securityhub\/latest\/userguide\/securityhub-custom-insights.html\" target=\"_blank\" rel=\"noreferrer noopener\">Custom insights<\/a>)<\/li>\n\n\n\n<li>Defining the metrics and thresholds that generate alerts&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/monitoring\/AlarmThatSendsEmail.html\" target=\"_blank\" rel=\"noreferrer noopener\">Using Amazon CloudWatch alarms<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 2.2: Troubleshoot security monitoring and alerting.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configuration of monitoring services (for example, Security Hub)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/securityhub\/latest\/userguide\/what-is-securityhub.html\" 
target=\"_blank\" rel=\"noreferrer noopener\">What is AWS Security Hub?<\/a>)<\/li>\n\n\n\n<li>Relevant data that indicates security events&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-security-incident-response-guide\/logging-and-events.html\" target=\"_blank\" rel=\"noreferrer noopener\">Logging and events<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Analyzing the service functionality, permissions, and configuration of resources after an event that did not provide visibility or alerting&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/access_policies_access-advisor.html\" target=\"_blank\" rel=\"noreferrer noopener\">Refining permissions in AWS using last accessed information<\/a>)<\/li>\n\n\n\n<li>Analyzing and remediating the configuration of a custom application that is not reporting its statistics&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/WhatIsConfig.html\" target=\"_blank\" rel=\"noreferrer noopener\">What Is AWS Config?<\/a>)<\/li>\n\n\n\n<li>Evaluating logging and monitoring services for alignment with security requirements&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/introduction-aws-security\/monitoring-and-logging.html\" target=\"_blank\" rel=\"noreferrer noopener\">Monitoring and Logging<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 2.3: Design and implement a logging solution.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, AWS CloudTrail, Amazon CloudWatch Logs)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/flow-logs.html\" target=\"_blank\" 
rel=\"noreferrer noopener\">Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n<li>Attributes of logging capabilities (for example, log levels, type, verbosity)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/lambda\/latest\/dg\/python-logging.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Lambda function logging in Python<\/a>)<\/li>\n\n\n\n<li>Log destinations and lifecycle management (for example, retention period)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/object-lifecycle-mgmt.html\" target=\"_blank\" rel=\"noreferrer noopener\">Managing your storage lifecycle<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configuring logging for services and applications&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/security-pillar\/sec_detect_investigate_events_app_service_logging.html\" target=\"_blank\" rel=\"noreferrer noopener\">Configure service and application logging<\/a>)<\/li>\n\n\n\n<li>Identifying logging requirements and sources for log ingestion<\/li>\n\n\n\n<li>Implementing log storage and lifecycle management according to AWS best practices and organizational requirements&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/object-lifecycle-mgmt.html\" target=\"_blank\" rel=\"noreferrer noopener\">Managing your storage lifecycle<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 2.4: Troubleshoot logging solutions.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Capabilities and use cases of AWS services that provide data sources (for example, log level, type, verbosity, cadence, timeliness, immutability)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/prescriptive-guidance\/latest\/logging-monitoring-for-application-owners\/aws-services-logging-monitoring.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS services for logging and monitoring<\/a>)<\/li>\n\n\n\n<li>AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, CloudTrail, CloudWatch Logs)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/flow-logs.html\" target=\"_blank\" rel=\"noreferrer noopener\">Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n<li>Access permissions that are necessary for logging&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/logs\/permissions-reference-cwl.html\" target=\"_blank\" rel=\"noreferrer noopener\">CloudWatch Logs permissions reference<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identifying misconfiguration and determining remediation steps for absent access permissions that are necessary for logging (for example, by managing read\/write permissions, S3 bucket permissions, public access, and integrity)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/enable-server-access-logging.html\" target=\"_blank\" rel=\"noreferrer noopener\">Enabling Amazon S3 server access logging<\/a>)<\/li>\n\n\n\n<li>Determining the cause of missing logs and performing remediation steps&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/guardduty\/latest\/ug\/guardduty_remediate.html\" target=\"_blank\" rel=\"noreferrer noopener\">Remediating security issues discovered by GuardDuty<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 2.5: Design a log analysis solution.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Services and tools to analyze captured 
logs (for example, Athena, CloudWatch Logs filter)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/athena\/latest\/ug\/security-logging-monitoring.html\" target=\"_blank\" rel=\"noreferrer noopener\">Logging and monitoring in Athena<\/a>)<\/li>\n\n\n\n<li>Log analysis features of AWS services (for example, CloudWatch Logs Insights, CloudTrail Insights, Security Hub insights)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/logs\/AnalyzingLogData.html\" target=\"_blank\" rel=\"noreferrer noopener\">Analyzing log data with CloudWatch Logs Insights<\/a>)<\/li>\n\n\n\n<li>Log format and components (for example, CloudTrail logs)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/awscloudtrail\/latest\/userguide\/cloudtrail-log-file-examples.html\" target=\"_blank\" rel=\"noreferrer noopener\">CloudTrail log file examples<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identifying patterns in logs to indicate anomalies and known threats&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/logs\/LogsAnomalyDetection.html\" target=\"_blank\" rel=\"noreferrer noopener\">Log anomaly detection<\/a>)<\/li>\n\n\n\n<li>Normalizing, parsing, and correlating logs&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/lambda\/latest\/operatorguide\/parse-logs.html\" target=\"_blank\" rel=\"noreferrer noopener\">Parsing logs and structured logging<\/a>)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Domain 3: Infrastructure Security (20%)<\/strong><\/h4>\n\n\n\n<p>Task Statement 3.1: Design and implement security controls for edge services.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security features on edge services (for example, AWS WAF, load balancers, Amazon 
Route 53, Amazon CloudFront, AWS Shield)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/cloudfront-features.html\" target=\"_blank\" rel=\"noreferrer noopener\">How AWS WAF works with Amazon CloudFront features<\/a>)<\/li>\n\n\n\n<li>Common attacks, threats, and exploits (for example, Open Web Application Security Project [OWASP] Top 10, DDoS)<\/li>\n\n\n\n<li>Layered web application architecture&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/serverless-multi-tier-architectures-api-gateway-lambda\/three-tier-architecture-overview.html\" target=\"_blank\" rel=\"noreferrer noopener\">Three-tier architecture overview<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/serverless-applications-lens\/identity-and-access-management.html\" target=\"_blank\" rel=\"noreferrer noopener\">Identity and access management<\/a>)<\/li>\n\n\n\n<li>Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)<\/li>\n\n\n\n<li>Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/aws.amazon.com\/security\/vulnerability-reporting\/\" target=\"_blank\" rel=\"noreferrer noopener\">Vulnerability Reporting<\/a>)<\/li>\n\n\n\n<li>Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)<\/li>\n\n\n\n<li>Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit)&nbsp;<strong>(AWS 
Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudFront\/latest\/DeveloperGuide\/georestrictions.html\" target=\"_blank\" rel=\"noreferrer noopener\">Restricting the geographic distribution of your content<\/a>)<\/li>\n\n\n\n<li>Activating logs, metrics, and monitoring around edge services to indicate attacks&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-best-practices-ddos-resiliency\/metrics-and-alarms.html\" target=\"_blank\" rel=\"noreferrer noopener\">Metrics and alarms<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 3.2: Design and implement network security controls.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC security mechanisms (for example, security groups, network ACLs, AWS Network Firewall)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/vpc-security-best-practices.html\" target=\"_blank\" rel=\"noreferrer noopener\">Security best practices for your VPC<\/a>)<\/li>\n\n\n\n<li>Inter-VPC connectivity (for example, AWS Transit Gateway, VPC endpoints)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-vpc-connectivity-options\/amazon-vpc-to-amazon-vpc-connectivity-options.html\" target=\"_blank\" rel=\"noreferrer noopener\">Amazon VPC-to-Amazon VPC connectivity options<\/a>)<\/li>\n\n\n\n<li>Security telemetry sources (for example, Traffic Mirroring, VPC Flow Logs)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/flow-logs.html\" target=\"_blank\" rel=\"noreferrer noopener\">Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n<li>VPN technology, terminology, and usage&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpn\/latest\/s2svpn\/VPC_VPN.html\" target=\"_blank\" rel=\"noreferrer 
noopener\">What is AWS Site-to-Site VPN?<\/a>)<\/li>\n\n\n\n<li>On-premises connectivity options (for example, AWS VPN, AWS Direct Connect)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-vpc-connectivity-options\/aws-direct-connect.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Direct Connect<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)<\/li>\n\n\n\n<li>Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/vpc-network-acls.html\" target=\"_blank\" rel=\"noreferrer noopener\">Control traffic to subnets using network ACLs<\/a>)<\/li>\n\n\n\n<li>Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/tgw\/what-is-transit-gateway.html\" target=\"_blank\" rel=\"noreferrer noopener\">What is a transit gateway?<\/a>)<\/li>\n\n\n\n<li>Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/network\/load-balancer-monitoring.html\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor your Network Load Balancers<\/a>)<\/li>\n\n\n\n<li>Determining redundancy and security workload requirements for communication between on-premises environments and the AWS Cloud (for example, by using AWS VPN, AWS VPN 
over Direct Connect, and MACsec)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/building-scalable-secure-multi-vpc-network-infrastructure\/direct-connect.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Direct Connect<\/a>)<\/li>\n\n\n\n<li>Identifying and removing unnecessary network access&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/best-practices.html\" target=\"_blank\" rel=\"noreferrer noopener\">Security best practices in IAM<\/a>)<\/li>\n\n\n\n<li>Managing network configurations as requirements change (for example, by using AWS Firewall Manager)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/working-with-policies.html\" target=\"_blank\" rel=\"noreferrer noopener\">Working with AWS Firewall Manager policies<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 3.3: Design and implement security controls for compute workloads.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Provisioning and maintenance of EC2 instances (for example, patching, inspecting, creation of snapshots and AMIs, use of EC2 Image Builder)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/imagebuilder\/latest\/userguide\/what-is-image-builder.html\" target=\"_blank\" rel=\"noreferrer noopener\">What is EC2 Image Builder?<\/a>)<\/li>\n\n\n\n<li>IAM instance roles and IAM service roles&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_roles.html\" target=\"_blank\" rel=\"noreferrer noopener\">IAM roles<\/a>)<\/li>\n\n\n\n<li>Services that scan for vulnerabilities in compute workloads (for example, Amazon Inspector, Amazon Elastic Container Registry [Amazon ECR])&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/inspector\/latest\/user\/scanning-ecr.html\" target=\"_blank\" rel=\"noreferrer noopener\">Scanning Amazon ECR container images with Amazon Inspector<\/a>)<\/li>\n\n\n\n<li>Host-based security (for example, firewalls, hardening)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creating hardened EC2 AMIs&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/WindowsGuide\/Creating_EBSbacked_WinAMI.html\" target=\"_blank\" rel=\"noreferrer noopener\">Create a custom Windows AMI<\/a>)<\/li>\n\n\n\n<li>Applying instance roles and service roles as appropriate to authorize compute workloads&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/iam-roles-for-amazon-ec2.html\" target=\"_blank\" rel=\"noreferrer noopener\">IAM roles for Amazon EC2<\/a>)<\/li>\n\n\n\n<li>Scanning EC2 instances and container images for known vulnerabilities&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/inspector\/latest\/user\/scanning-ec2.html\" target=\"_blank\" rel=\"noreferrer noopener\">Scanning Amazon EC2 instances with Amazon Inspector<\/a>)<\/li>\n\n\n\n<li>Applying patches across a fleet of EC2 instances or container images&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/systems-manager\/latest\/userguide\/patch-manager.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Systems Manager&nbsp;Patch Manager<\/a>)<\/li>\n\n\n\n<li>Activating host-based security mechanisms (for example, host-based firewalls)<\/li>\n\n\n\n<li>Analyzing Amazon Inspector findings and determining appropriate mitigation techniques&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/inspector\/latest\/user\/findings-understanding.html\" target=\"_blank\" rel=\"noreferrer noopener\">Understanding findings in 
Amazon Inspector<\/a>)<\/li>\n\n\n\n<li>Passing secrets and credentials securely to compute workloads&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/security-creds.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS security credentials<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 3.4: Troubleshoot network security.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How to analyze reachability (for example, by using VPC Reachability Analyzer and Amazon Inspector)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/reachability\/getting-started.html\" target=\"_blank\" rel=\"noreferrer noopener\">Getting started with Reachability Analyzer<\/a>)<\/li>\n\n\n\n<li>Fundamental TCP\/IP networking concepts (for example, UDP compared with TCP, ports, Open Systems Interconnection [OSI] model, network operating system utilities)<\/li>\n\n\n\n<li>How to read relevant log sources (for example, Route 53 logs, AWS WAF logs, VPC Flow Logs)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/flow-logs.html\" target=\"_blank\" rel=\"noreferrer noopener\">Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identifying, interpreting, and prioritizing problems in network connectivity (for example, by using Amazon Inspector Network Reachability)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/inspector\/v1\/userguide\/inspector_network-reachability.html\" target=\"_blank\" rel=\"noreferrer noopener\">Network Reachability<\/a>)<\/li>\n\n\n\n<li>Determining solutions to produce desired network behavior&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/evaluate-config_use-managed-rules.html\" 
target=\"_blank\" rel=\"noreferrer noopener\">AWS Config Managed Rules<\/a>)<\/li>\n\n\n\n<li>Analyzing log sources to identify problems&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/logs\/AnalyzingLogData.html\" target=\"_blank\" rel=\"noreferrer noopener\">Analyzing log data with CloudWatch Logs Insights<\/a>)<\/li>\n\n\n\n<li>Capturing traffic samples for problem analysis (for example, by using Traffic Mirroring)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/mirroring\/what-is-traffic-mirroring.html\" target=\"_blank\" rel=\"noreferrer noopener\">What is Traffic Mirroring?<\/a>)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Domain 4: Identity and Access Management (16%)<\/strong><\/h4>\n\n\n\n<p>Task Statement 4.1: Design, implement, and troubleshoot authentication for AWS resources.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Methods and services for creating and managing identities (for example, federation, identity providers, AWS IAM Identity Center [AWS Single Sign-On], Amazon Cognito)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_roles_providers.html\" target=\"_blank\" rel=\"noreferrer noopener\">Identity providers and federation<\/a>)<\/li>\n\n\n\n<li>Long-term and temporary credentialing mechanisms&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/framework\/sec_identities_unique.html#:~:text=The%20only%20time%20you%20should,methods%2C%20temporary%20credentials%20are%20generated.\" target=\"_blank\" rel=\"noreferrer noopener\">Use temporary credentials<\/a>)<\/li>\n\n\n\n<li>How to troubleshoot authentication issues (for example, by using CloudTrail, IAM Access Advisor, and IAM policy simulator)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/awscloudtrail\/latest\/userguide\/security_iam_troubleshoot.html\" target=\"_blank\" rel=\"noreferrer noopener\">Troubleshooting AWS CloudTrail identity and access<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establishing identity through an authentication system, based on requirements&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/intro-structure.html\" target=\"_blank\" rel=\"noreferrer noopener\">How IAM works<\/a>)<\/li>\n\n\n\n<li>Setting up multi-factor authentication (MFA)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_credentials_mfa_enable-overview.html\" target=\"_blank\" rel=\"noreferrer noopener\">General steps for enabling MFA devices<\/a>)<\/li>\n\n\n\n<li>Determining when to use AWS Security Token Service (AWS STS) to issue temporary credentials&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_credentials_temp_request.html\" target=\"_blank\" rel=\"noreferrer noopener\">Requesting temporary security credentials<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 4.2: Design, implement, and troubleshoot authorization for AWS resources.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Different IAM policies (for example, managed policies, inline policies, identity-based policies, resource-based policies, session control policies)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/access_policies.html\" target=\"_blank\" rel=\"noreferrer noopener\">Policies and permissions in IAM<\/a>)<\/li>\n\n\n\n<li>Components and impact of a policy (for example, Principal, Action, Resource, Condition)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/reference_policies_elements.html\" target=\"_blank\" rel=\"noreferrer noopener\">IAM JSON policy elements reference<\/a>)<\/li>\n\n\n\n<li>How to troubleshoot authorization issues (for example, by using CloudTrail, IAM Access Advisor, and IAM policy simulator)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/awscloudtrail\/latest\/userguide\/security_iam_troubleshoot.html\" target=\"_blank\" rel=\"noreferrer noopener\">Troubleshooting AWS CloudTrail identity and access<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Constructing attribute-based access control (ABAC) and role-based access control (RBAC) strategies&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/introduction_attribute-based-access-control.html\" target=\"_blank\" rel=\"noreferrer noopener\">What is ABAC for AWS?<\/a>)<\/li>\n\n\n\n<li>Evaluating IAM policy types for given requirements and workloads&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/reference_policies_evaluation-logic.html\" target=\"_blank\" rel=\"noreferrer noopener\">Policy evaluation logic<\/a>)<\/li>\n\n\n\n<li>Interpreting an IAM policy\u2019s effect on environments and workloads&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/reference_policies_variables.html\" target=\"_blank\" rel=\"noreferrer noopener\">IAM policy elements: Variables and tags<\/a>)<\/li>\n\n\n\n<li>Applying the principle of least privilege across an environment<\/li>\n\n\n\n<li>Enforcing proper separation of duties<\/li>\n\n\n\n<li>Analyzing access or authorization errors to determine cause or effect&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/what-is-access-analyzer.html\" target=\"_blank\" rel=\"noreferrer noopener\">Using AWS Identity and Access Management Access Analyzer<\/a>)<\/li>\n\n\n\n<li>Investigating unintended permissions, authorization, or privileges granted to a resource, service, or entity&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_permissions_overview.html\" target=\"_blank\" rel=\"noreferrer noopener\">Managing access permissions for your AWS organization<\/a>)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Domain 5: Data Protection (18%)<\/strong><\/h4>\n\n\n\n<p>Task Statement 5.1: Design and implement controls that provide confidentiality and integrity for data in transit.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TLS concepts&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/app-mesh\/latest\/userguide\/tls.html\" target=\"_blank\" rel=\"noreferrer noopener\">Transport Layer Security (TLS)<\/a>)<\/li>\n\n\n\n<li>VPN concepts (for example, IPsec)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/aws.amazon.com\/what-is\/vpn\/#:~:text=your%20internet%20traffic.-,Encryption,packet%20of%20a%20data%20stream.\" target=\"_blank\" rel=\"noreferrer noopener\">What is a VPN (Virtual Private Network)?<\/a>)<\/li>\n\n\n\n<li>Secure remote access methods (for example, SSH, RDP over Systems Manager Session Manager)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/systems-manager\/latest\/userguide\/session-manager.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Systems Manager&nbsp;Session Manager<\/a>)<\/li>\n\n\n\n<li>Systems Manager Session Manager concepts<\/li>\n\n\n\n<li>How TLS certificates work with various network services and resources (for example, CloudFront, load balancers)&nbsp;<strong>(AWS 
Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/network\/create-tls-listener.html\" target=\"_blank\" rel=\"noreferrer noopener\">TLS listeners for your Network Load Balancer<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Designing secure connectivity between AWS and on-premises networks (for example, by using Direct Connect and VPN gateways)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/building-scalable-secure-multi-vpc-network-infrastructure\/direct-connect.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Direct Connect&nbsp;<\/a>)<\/li>\n\n\n\n<li>Designing mechanisms to require encryption when connecting to resources (for example, Amazon RDS, Amazon Redshift, CloudFront, Amazon S3, Amazon DynamoDB, load balancers, Amazon Elastic File System [Amazon EFS], Amazon API Gateway)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonRDS\/latest\/UserGuide\/Overview.Encryption.html\" target=\"_blank\" rel=\"noreferrer noopener\">Encrypting&nbsp;Amazon RDS&nbsp;resources<\/a>)<\/li>\n\n\n\n<li>Requiring TLS for AWS API calls (for example, with Amazon S3)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/network-isolation.html\" target=\"_blank\" rel=\"noreferrer noopener\">Infrastructure security in Amazon S3<\/a>)<\/li>\n\n\n\n<li>Designing mechanisms to forward traffic over secure connections (for example, by using Systems Manager and EC2 Instance Connect)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/ec2-instance-connect-methods.html\" target=\"_blank\" rel=\"noreferrer noopener\">Connect using EC2 Instance Connect<\/a>)<\/li>\n\n\n\n<li>Designing cross-Region networking by using private VIFs and public 
VIFs<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 5.2: Design and implement controls that provide confidentiality and integrity for data at rest.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encryption technique selection (for example, client-side, server-side, symmetric, asymmetric)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS KMS concepts<\/a>)<\/li>\n\n\n\n<li>Integrity-checking techniques (for example, hashing algorithms, digital signatures)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/checking-object-integrity.html\" target=\"_blank\" rel=\"noreferrer noopener\">Checking object integrity<\/a>)<\/li>\n\n\n\n<li>Resource policies (for example, for DynamoDB, Amazon S3, and AWS Key Management Service [AWS KMS])&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/key-policies.html\" target=\"_blank\" rel=\"noreferrer noopener\">Key policies in AWS KMS<\/a>)<\/li>\n\n\n\n<li>IAM roles and policies&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/access_policies.html\" target=\"_blank\" rel=\"noreferrer noopener\">Policies and permissions in IAM<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Designing resource policies to restrict access to authorized users (for example, S3 bucket policies, DynamoDB policies)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/example-bucket-policies.html\" target=\"_blank\" rel=\"noreferrer noopener\">Examples of Amazon S3 bucket policies<\/a>)<\/li>\n\n\n\n<li>Designing mechanisms to prevent unauthorized public access (for example, S3 Block Public Access, prevention of 
public snapshots and public AMIs)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/access-control-block-public-access.html\" target=\"_blank\" rel=\"noreferrer noopener\">Blocking public access to your Amazon S3 storage<\/a>)<\/li>\n\n\n\n<li>Configuring services to activate encryption of data at rest (for example, Amazon S3, Amazon RDS, DynamoDB, Amazon Simple Queue Service [Amazon SQS], Amazon EBS, Amazon EFS)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AWSSimpleQueueService\/latest\/SQSDeveloperGuide\/sqs-server-side-encryption.html\" target=\"_blank\" rel=\"noreferrer noopener\">Encryption at rest in Amazon SQS<\/a>)<\/li>\n\n\n\n<li>Designing mechanisms to protect data integrity by preventing modifications (for example, by using S3 Object Lock, KMS key policies, S3 Glacier Vault Lock, and AWS Backup Vault Lock)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/object-lock.html\" target=\"_blank\" rel=\"noreferrer noopener\">Using S3 Object Lock<\/a>)<\/li>\n\n\n\n<li>Designing encryption at rest by using AWS CloudHSM for relational databases (for example, Amazon RDS, RDS Custom, databases on EC2 instances)<\/li>\n\n\n\n<li>Choosing encryption techniques based on business requirements&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/prescriptive-guidance\/latest\/strategy-data-at-rest-encryption\/welcome.html\" target=\"_blank\" rel=\"noreferrer noopener\">Creating an enterprise encryption strategy for data at rest<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 5.3: Design and implement controls to manage the lifecycle of data at rest.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lifecycle policies<\/li>\n\n\n\n<li>Data retention standards<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul
class=\"wp-block-list\">\n<li>Designing S3 Lifecycle mechanisms to retain data for required retention periods (for example, S3 Object Lock, S3 Glacier Vault Lock, S3 Lifecycle policy)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/object-lifecycle-mgmt.html\" target=\"_blank\" rel=\"noreferrer noopener\">Managing your storage lifecycle<\/a>)<\/li>\n\n\n\n<li>Designing automatic lifecycle management for AWS services and resources (for example, Amazon S3, EBS volume snapshots, RDS volume snapshots, AMIs, container images, CloudWatch log groups, Amazon Data Lifecycle Manager)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/ebs\/latest\/userguide\/snapshot-lifecycle.html\" target=\"_blank\" rel=\"noreferrer noopener\">Amazon Data Lifecycle Manager<\/a>)<\/li>\n\n\n\n<li>Establishing schedules and retention for AWS Backup across AWS services&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/aws-backup\/latest\/devguide\/creating-a-backup-plan.html\" target=\"_blank\" rel=\"noreferrer noopener\">Creating a backup plan<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 5.4: Design and implement controls to protect credentials, secrets, and cryptographic key materials.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secrets Manager&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/secretsmanager\/latest\/userguide\/intro.html\" target=\"_blank\" rel=\"noreferrer noopener\">What is AWS Secrets Manager?<\/a>)<\/li>\n\n\n\n<li>Systems Manager Parameter Store&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/systems-manager\/latest\/userguide\/systems-manager-parameter-store.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Systems Manager&nbsp;Parameter Store<\/a>)<\/li>\n\n\n\n<li>Usage and management of symmetric keys and 
asymmetric keys (for example, AWS KMS)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Designing management and rotation of secrets for workloads (for example, database access credentials, API keys, IAM access keys, AWS KMS customer managed keys)<\/li>\n\n\n\n<li>Designing KMS key policies to limit key usage to authorized users&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/key-policies.html\" target=\"_blank\" rel=\"noreferrer noopener\">Key policies in AWS KMS<\/a>)<\/li>\n\n\n\n<li>Establishing mechanisms to import and remove customer-provided key material&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/importing-keys.html\" target=\"_blank\" rel=\"noreferrer noopener\">Importing key material for AWS KMS keys<\/a>)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Domain 6: Management and Security Governance (14%)<\/strong><\/h4>\n\n\n\n<p>Task Statement 6.1: Develop a strategy to centrally deploy and manage AWS accounts.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-account strategies&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/organizing-your-aws-environment\/organizing-your-aws-environment.html\" target=\"_blank\" rel=\"noreferrer noopener\">Organizing Your AWS Environment Using Multiple Accounts<\/a>)<\/li>\n\n\n\n<li>Managed services that allow delegated administration&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_integrate_services_list.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS services that you can use with AWS Organizations<\/a>)<\/li>\n\n\n\n<li>Policy-defined guardrails<\/li>\n\n\n\n<li>Root account best practices&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/root-user-best-practices.html\" target=\"_blank\" rel=\"noreferrer noopener\">Root user best practices for your AWS account<\/a>)<\/li>\n\n\n\n<li>Cross-account roles&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/tutorial_cross-account-with-roles.html\" target=\"_blank\" rel=\"noreferrer noopener\">Delegate access across AWS accounts using IAM roles<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploying and configuring AWS Organizations&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_tutorials_basic.html\" target=\"_blank\" rel=\"noreferrer noopener\">Creating and configuring an organization<\/a>)<\/li>\n\n\n\n<li>Determining when and how to deploy AWS Control Tower (for example, which services must be deactivated for successful deployment)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/prescriptive-guidance\/latest\/aws-control-tower\/deploy.html\" target=\"_blank\" rel=\"noreferrer noopener\">Deploying AWS Control Tower in an AWS Landing Zone organization<\/a>)<\/li>\n\n\n\n<li>Implementing SCPs as a technical solution to enforce a policy (for example, limitations on the use of a root account, implementation of controls in AWS Control Tower)<\/li>\n\n\n\n<li>Centrally managing security services and aggregating findings (for example, by using delegated administration and AWS Config aggregators)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/securityhub\/latest\/userguide\/central-configuration-intro.html\" target=\"_blank\" rel=\"noreferrer noopener\">How central configuration works<\/a>)<\/li>\n\n\n\n<li>Securing AWS account root user credentials&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a 
href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/security-creds.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS security credentials<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 6.2: Implement a secure and consistent deployment strategy for cloud resources.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deployment best practices with infrastructure as code (IaC) (for example, AWS CloudFormation template hardening and drift detection)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AWSCloudFormation\/latest\/UserGuide\/best-practices.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS CloudFormation best practices<\/a>)<\/li>\n\n\n\n<li>Best practices for tagging&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/tagging-best-practices\/tagging-best-practices.html\" target=\"_blank\" rel=\"noreferrer noopener\">Best Practices for Tagging AWS Resources<\/a>)<\/li>\n\n\n\n<li>Centralized management, deployment, and versioning of AWS services<\/li>\n\n\n\n<li>Visibility and control over AWS infrastructure<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using CloudFormation to deploy cloud resources consistently and securely&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AWSCloudFormation\/latest\/UserGuide\/best-practices.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS CloudFormation best practices<\/a>)<\/li>\n\n\n\n<li>Implementing and enforcing multi-account tagging strategies&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/tagging-best-practices\/implementing-and-enforcing-tagging.html\" target=\"_blank\" rel=\"noreferrer noopener\">Implementing and enforcing tagging<\/a>)<\/li>\n\n\n\n<li>Configuring and deploying portfolios of approved AWS services (for example, by 
using AWS Service Catalog)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/prescriptive-guidance\/latest\/patterns\/automate-aws-service-catalog-portfolio-and-product-deployment-by-using-aws-cdk.html\" target=\"_blank\" rel=\"noreferrer noopener\">Automate AWS Service Catalog portfolio and product deployment by using AWS CDK<\/a>)<\/li>\n\n\n\n<li>Organizing AWS resources into different groups for management&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/ARG\/latest\/userguide\/resource-groups.html#:~:text=Sign%20in%20to%20the%20AWS,to%20create%20a%20new%20one.\" target=\"_blank\" rel=\"noreferrer noopener\">What are resource groups?<\/a>)<\/li>\n\n\n\n<li>Deploying Firewall Manager to enforce policies&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/working-with-policies.html\" target=\"_blank\" rel=\"noreferrer noopener\">Working with AWS Firewall Manager policies<\/a>)<\/li>\n\n\n\n<li>Securely sharing resources across AWS accounts (for example, by using AWS Resource Access Manager [AWS RAM])&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/ram\/latest\/userguide\/shareable.html#:~:text=AWS%20Network%20Firewall-,You%20can%20share%20the%20following%20AWS,resources%20by%20using%20AWS%20RAM.&amp;text=Create%20and%20manage%20firewall%20policies,%2C%20protection%2C%20and%20filtering%20behaviors.\" target=\"_blank\" rel=\"noreferrer noopener\">Shareable AWS resources<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 6.3: Evaluate the compliance of AWS resources.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data classification by using AWS services&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/data-classification\/data-classification-overview.html\" target=\"_blank\" rel=\"noreferrer 
noopener\">Data classification overview<\/a>)<\/li>\n\n\n\n<li>How to assess, audit, and evaluate the configurations of AWS resources (for example, by using AWS Config)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/evaluate-config.html\" target=\"_blank\" rel=\"noreferrer noopener\">Evaluating Resources with AWS Config Rules<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identifying sensitive data by using Macie&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/macie\/latest\/user\/data-classification.html\" target=\"_blank\" rel=\"noreferrer noopener\">Discovering sensitive data with Amazon Macie<\/a>)<\/li>\n\n\n\n<li>Creating AWS Config rules for detection of noncompliant AWS resources&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/remediation.html\" target=\"_blank\" rel=\"noreferrer noopener\">Remediating Noncompliant Resources with AWS Config Rules<\/a>)<\/li>\n\n\n\n<li>Collecting and organizing evidence by using Security Hub and AWS Audit Manager&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/audit-manager\/latest\/userguide\/review-evidence.html\" target=\"_blank\" rel=\"noreferrer noopener\">Reviewing the evidence in an assessment<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Task Statement 6.4: Identify security gaps through architectural reviews and cost analysis.<\/p>\n\n\n\n<p>Knowledge of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS cost and usage for anomaly identification&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/cost-management\/latest\/userguide\/getting-started-ad.html\" target=\"_blank\" rel=\"noreferrer noopener\">Getting started with AWS Cost Anomaly Detection<\/a>)<\/li>\n\n\n\n<li>Strategies to reduce attack surfaces&nbsp;<strong>(AWS 
Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-best-practices-ddos-resiliency\/attack-surface-reduction.html#:~:text=Resources%20that%20are%20not%20exposed,not%20accessible%20from%20the%20internet.\" target=\"_blank\" rel=\"noreferrer noopener\">Attack surface reduction<\/a>)<\/li>\n\n\n\n<li>AWS Well-Architected Framework&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/framework\/welcome.html\" target=\"_blank\" rel=\"noreferrer noopener\">AWS Well-Architected Framework<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>Skills in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identifying anomalies based on resource utilization and trends&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/AmazonCloudWatch\/latest\/monitoring\/CloudWatch_Anomaly_Detection.html\" target=\"_blank\" rel=\"noreferrer noopener\">Using CloudWatch anomaly detection<\/a>)<\/li>\n\n\n\n<li>Identifying unused resources by using AWS services and tools (for example, AWS Trusted Advisor, AWS Cost Explorer)&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/cost-management\/latest\/userguide\/ce-what-is.html\" target=\"_blank\" rel=\"noreferrer noopener\">Analyzing your costs with AWS Cost Explorer<\/a>)<\/li>\n\n\n\n<li>Using the AWS Well-Architected Tool to identify security gaps&nbsp;<strong>(AWS Documentation:<\/strong>&nbsp;<a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/userguide\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\">Security in AWS Well-Architected Tool<\/a>)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center has-content-bg-color has-content-primary-background-color has-text-color has-background has-link-color wp-elements-f2525873c5caa2c913101ea3d06536ed\"><strong>AWS Specialty Security Exam Preparation Resources<\/strong><\/h2>\n\n\n\n<p>For AWS Security 
Specialty exam, many resources are available both online and offline to help you prepare. They will help you understand the topics better and provide expert assistance with your queries.&nbsp;Here are the learning resources to get the most from your efforts with the AWS Certified Security Specialty study guide.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AWS Security Specialty Recommended Books<\/strong><\/h4>\n\n\n\n<p>Books on the AWS Certified Security Specialty exam are a perennial source of learning. Various books are available for the Security Specialty exam, which you can find online or in libraries. Some of the books that can help you are as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS: Security Best Practices on AWS \u2013 By Albert Anthony<\/li>\n\n\n\n<li>Mastering AWS Security: Create and Maintain a Secure Cloud Ecosystem By Albert Anthony<\/li>\n\n\n\n<li>Cloud Security Automation \u2013 Get to grips with automating your Cloud Security on AWS and OpenStack by Prashant Priyam<\/li>\n<\/ul>\n\n\n\n<p>Many websites also provide online training for the exam with full course assistance, such as Simplilearn, Pluralsight, Udemy and many more.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Discussion Forums<\/strong><\/h4>\n\n\n\n<p>Many websites provide good information and topic details related to the certification, which can be helpful when you have a doubt or want to know something about the exam. Some of them are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Answers.com<\/li>\n\n\n\n<li>Quora<\/li>\n\n\n\n<li>Stack Overflow<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Practice Questions<\/strong><\/h4>\n\n\n\n<p>Practice questions for the AWS Certified Security Specialty exam can help you study more effectively and move more quickly. 
Once you finish studying, many websites provide practice exams that assess your expertise and understanding of AWS security services. You can also look for practice sets on Amazon, although not all of the topics will be included. At Testprep Training you get a large collection of practice question sets for the AWS Security Specialty exam in two forms:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.testpreptraining.ai\/aws-certified-security-specialty-free-practice-test\" target=\"_blank\" rel=\"noreferrer noopener\">Free practice questions for AWS Security Specialty exam<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.testpreptraining.ai\/aws-certified-security-specialty-questions?search=Security%20Specialty\" target=\"_blank\" rel=\"noreferrer noopener\">Real time practice questions for AWS Security Specialty exam with detailed analysis.<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Training at AWS<\/strong><\/h4>\n\n\n\n<p>Many free training courses for the AWS Security Specialty exam are provided at <a href=\"https:\/\/aws.amazon.com\/training\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/aws.amazon.com\/training\/<\/a>. These AWS Certified Security Specialty training courses require registration and are available at zero cost. AWS also gives access to various <a href=\"https:\/\/www.aws.training\/Details\/eLearning?id=34786\" target=\"_blank\" rel=\"noreferrer noopener\">learning libraries<\/a> to help you learn more about AWS services.&nbsp;AWS also includes AWS APN partners, which help you accelerate your business on AWS.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What are the benefits of AWS Certified Security Specialty?<\/strong><\/h3>\n\n\n\n<p>The AWS Certified Security &#8211; Specialty certification provides a number of benefits to IT professionals and organizations that use AWS. 
Some of the key benefits include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Career advancement: The AWS Certified Security &#8211; Specialty certification is recognized as a benchmark of expertise in securing AWS workloads, and can help IT professionals advance their careers and increase their earning potential.<\/li>\n\n\n\n<li>Increased credibility: The AWS Certified Security &#8211; Specialty certification provides IT professionals with an industry-recognized credential that demonstrates their expertise in securing AWS workloads. This credibility can help IT professionals stand out in a competitive job market.<\/li>\n\n\n\n<li>Improved job performance: The AWS Certified Security &#8211; Specialty certification provides IT professionals with a deep understanding of security best practices and AWS security services. This knowledge can help IT professionals improve their job performance and deliver more secure AWS workloads.<\/li>\n\n\n\n<li>Staying current with AWS updates: Earning the AWS Certified Security &#8211; Specialty certification requires staying current with updates to the AWS platform, which can help IT professionals stay current with the latest security features and capabilities of AWS.<\/li>\n\n\n\n<li>Better security for AWS workloads: The knowledge and skills gained through the AWS Certified Security &#8211; Specialty certification can help IT professionals design and implement more secure AWS workloads, reducing the risk of security breaches and data loss.<\/li>\n\n\n\n<li>Increased confidence and competitiveness: The AWS Certified Security &#8211; Specialty certification provides IT professionals with the confidence and credibility they need to compete for new job opportunities and succeed in their careers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Security Learning Path<\/strong><\/h3>\n\n\n\n<p>This learning path is intended for those who carry out security-related tasks and want to feel in charge and confident when 
running apps on the Amazon cloud. Along this path, you will learn about data encryption techniques, application security, and access control. You should gain some experience using the Amazon cloud in a specialty domain before applying.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" width=\"628\" height=\"249\" src=\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-14.png\" alt=\"\" class=\"wp-image-1512\" srcset=\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-14.png 628w, https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2019\/12\/image-14-300x119.png 300w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><\/figure>\n<\/div>\n\n\n<p>\u201cThe AWS Security Specialty exam will provide an advantage in enhancing your skills and experience in security solutions for securing the AWS platform. Exam preparation tips are provided below, and for tutorials you can refer to the <a href=\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/\">AWS Security Specialty tutorials<\/a>.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Preparing for AWS Security Specialty exam<\/strong><\/h3>\n\n\n\n<p>To prepare for this certification exam, it is important to adopt the mindset that you must and will pass it. This requires a disciplined study schedule, and it is also important to have&nbsp;experience and practical knowledge of security solutions. This certification will open doors to many new opportunities and will improve your skills and knowledge. 
<\/p>\n\n\n\n<h6 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">Exam Tips<\/span>:<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Familiarize yourself with the exam format: Understanding the format of the exam and the types of questions that will be asked can help you better prepare and increase your chances of success.<\/li>\n\n\n\n<li>Review the AWS Security Fundamentals: Familiarize yourself with the core security concepts and technologies used in AWS.<\/li>\n\n\n\n<li>Study the AWS Well-Architected Framework: The Well-Architected Framework provides best practices for designing secure and scalable AWS workloads.<\/li>\n\n\n\n<li>Use AWS official training resources: AWS provides a range of official training resources, including whitepapers, online courses, and certification preparation workshops, to help you prepare for the exam.<\/li>\n\n\n\n<li>Practice using AWS services: Hands-on experience is key to success on the exam. Practice using AWS security services such as Amazon Virtual Private Cloud (VPC), AWS Identity and Access Management (IAM), and AWS Key Management Service (KMS) to build a solid understanding of how they work.<\/li>\n\n\n\n<li>Create a study plan and stick to it: Create a study plan that works for you and stick to it. This can help you focus your efforts and make the most of your study time.<\/li>\n\n\n\n<li>Practice with mock exams: Practicing with mock exams can help you identify areas where you need to improve and get a feel for the types of questions that will be on the real exam. 
<a href=\"https:\/\/www.testpreptraining.ai\/aws-certified-security-specialty-free-practice-test\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Free practice questions for AWS Security Specialty exam<\/em><\/a><\/li>\n\n\n\n<li>Seek out additional resources: Look for additional resources, such as study guides and practice exams, that can help you prepare for the exam.<\/li>\n<\/ul>\n\n\n\n<p>Remember, the AWS Certified Security &#8211; Specialty certification is a challenging exam, and preparation and hard work are key to success. By following these tips and using the resources available, you can increase your chances of success on the exam and become an AWS Certified Security &#8211; Specialty.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Good luck for the exam!<\/strong><\/h4>\n","protected":false},"excerpt":{"rendered":"<p>The AWS Certified Security \u2013 Specialty certification is a highly respected credential for cloud professionals aiming to demonstrate their expertise in securing complex AWS environments. It\u2019s designed for individuals with a deep understanding of security principles, including data protection, identity and access management, incident response, and compliance. 
With cloud security becoming a top priority across&#8230;<\/p>\n","protected":false},"author":1,"featured_media":37867,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31],"tags":[9,195,3855,7316,6119,7314,194,7311,7315,5087,5088,5332,152,7313,7317,40,7312],"class_list":["post-1507","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws","tag-aws-certification","tag-aws-certified-security-speciality","tag-aws-certified-security-specialty","tag-aws-certified-security-specialty-training","tag-aws-security","tag-aws-security-certification","tag-aws-security-specialty","tag-aws-security-specialty-certification","tag-aws-security-specialty-certification-full-course","tag-aws-security-specialty-exam","tag-aws-security-specialty-practice-exam","tag-certification","tag-cloud-security","tag-how-to-pass-aws-certified-security-specialty-exam","tag-how-to-pass-aws-security-certification","tag-security","tag-security-specialty"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to pass AWS Security Specialty certification exam? - Updated 2025 - Blog<\/title>\n<meta name=\"description\" content=\"Get ready to boost your chances and pass AWS Security Specialty Certification Exam with real time exam questions and learning material.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to pass AWS Security Specialty certification exam? 
- Updated 2025 - Blog\" \/>\n<meta property=\"og:description\" content=\"Get ready to boost your chances and pass AWS Security Specialty Certification Exam with real time exam questions and learning material.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-04T11:30:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T12:22:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2025\/06\/How-to-pass-AWS-Security-Specialty-certification-exam-Updated-2025.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TestPrepTraining\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TestPrepTraining\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"29 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/\",\"url\":\"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/\",\"name\":\"How to pass AWS Security Specialty certification exam? 
- Updated 2025 - Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/#website\"},\"datePublished\":\"2025-06-04T11:30:00+00:00\",\"dateModified\":\"2025-06-04T12:22:37+00:00\",\"author\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/#\/schema\/person\/b46daaf932dbfb07cbe7db807006780c\"},\"description\":\"Get ready to boost your chances and pass AWS Security Specialty Certification Exam with real time exam questions and learning material.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/how-to-pass-aws-security-specialty-certification-exam\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.testpreptraining.ai\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to pass AWS Security Specialty certification exam? 
&#8211; Updated 2025\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/#website\",\"url\":\"https:\/\/www.testpreptraining.ai\/blog\/\",\"name\":\"Learning Resources\",\"description\":\"Testprep Training Blogs\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.testpreptraining.ai\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/#\/schema\/person\/b46daaf932dbfb07cbe7db807006780c\",\"name\":\"TestPrepTraining\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.testpreptraining.ai\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4cd4f7acc79865d9ba457114e386c039833599aae3707598a92eda256c6a5278?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4cd4f7acc79865d9ba457114e386c039833599aae3707598a92eda256c6a5278?s=96&d=mm&r=g\",\"caption\":\"TestPrepTraining\"},\"description\":\"Testprep Training offers a wide range of practice exams and online courses for Professional certification exam curated by field experts and working professionals. Evaluate your skills and build confidence to appear for the exam.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to pass AWS Security Specialty certification exam? 
- Updated 2025 - Blog"}}