The AWS Certified Security-Specialty Exam is for experts who want to show they are skilled in safeguarding AWS systems. This exam covers various subjects like controlling access, securing networks, safeguarding data, and handling security incidents. Preparing for the AWS Certified Security-Specialty Exam can be a challenging task, as the exam requires a deep understanding of AWS security services and best practices. That’s why I have created this cheat sheet to help you prepare for the exam more efficiently and effectively. This cheat sheet includes key concepts, important tips, and sample questions that will help you master the exam material and pass the exam with confidence.<\/p>\n\n\n\n
Whether you are a security professional looking to advance your career or an IT professional seeking to enhance your AWS skills, this cheat sheet will provide you with the knowledge and skills you need to pass the AWS Certified Security-Specialty Exam. So, let’s dive in and start preparing for the exam!<\/p>\n\n\n\n
The AWS Certified Security Specialty certification encompasses topics in which security professionals and staff need to be skilled in. not to mention, they must have an understanding of security fundamentals, follow best practices, and build expertise in key services that are unique to the AWS platform. <\/p>\n\n\n
![\"Overview](\"https:\/\/www.testpreptraining.ai\/blog\/wp-content\/uploads\/2020\/05\/overview.png\")
<\/figure>\n<\/div>\n\n\nMoreover, this certification is designed to certify the candidate\u2019s AWS knowledge across security topics that include data protection and encryption, infrastructure security, incident response, identity, and access management, monitoring, and logging.<\/p>\n\n\n\n
AWS Certified Security-Specialty Glossary<\/strong><\/h4>\n\n\n\n\n- Access Key – An access key is an alphanumeric code that AWS provides to a user to authenticate their access to AWS services.<\/li>\n\n\n\n
- Authentication – Authentication means confirming who you are before using AWS resources.<\/li>\n\n\n\n
- Authorization – Authorization is deciding if you’re allowed to use AWS stuff based on who you are and what you’re allowed to do.<\/li>\n\n\n\n
- CloudTrail – CloudTrail is an AWS service that provides visibility into user activity by recording AWS API calls and delivering the resulting log files to an S3 bucket.<\/li>\n\n\n\n
- Compliance – Compliance refers to adhering to security standards and regulations, such as the GDPR or HIPAA, to ensure the security and privacy of data.<\/li>\n\n\n\n
- Data Encryption – Data encryption means turning regular information into secret code so bad guys can’t read it without permission.<\/li>\n\n\n\n
- IAM – IAM, short for Identity and Access Management, is like a security guard for AWS. It controls who can do what with AWS stuff.<\/li>\n\n\n\n
- KMS – KMS, or Key Management Service, is an AWS service that allows users to create, manage, and use encryption keys to protect their data.<\/li>\n\n\n\n
- Multi-Factor Authentication (MFA) – MFA is a security feature that requires users to provide more than one form of authentication, such as a password and a security token, to access AWS resources.<\/li>\n\n\n\n
- Network Security – Network security is like locking the doors and windows of a house to keep intruders out. It’s about protecting a company’s computer network and data from unauthorized access or attacks.<\/li>\n\n\n\n
- PCI DSS – PCI DSS, which stands for Payment Card Industry Data Security Standard, are rules to make sure that credit card information is handled safely and securely. It’s like having strict guidelines for how to protect sensitive financial data.<\/li>\n\n\n\n
- Security Group – A security group is a virtual firewall that controls inbound and outbound traffic to an AWS resource, such as an EC2 instance.<\/li>\n\n\n\n
- Security Token Service (STS) – STS is an AWS service that provides temporary security credentials to allow users to access AWS resources.<\/li>\n\n\n\n
- Server-Side Encryption (SSE) – SSE is a feature that allows users to encrypt data at rest within AWS services, such as S3 or RDS.<\/li>\n\n\n\n
- SSL\/TLS – SSL\/TLS, known as Secure Sockets Layer\/Transport Layer Security, is like a special code that makes sure that when you send information over the internet, it stays private and safe from others who might want to see it. It’s like having a secret language for your online conversations.<\/li>\n<\/ol>\n\n\n\n
AWS Certified Security-Specialty Preparation Resources<\/strong><\/h3>\n\n\n\nHere are some official resources for preparing for the AWS Certified Security-Specialty Exam:<\/p>\n\n\n\n
\n- AWS Certification website: The AWS Certification website has a dedicated page for the Security-Specialty Exam, which provides an overview of the exam, its objectives, and recommended preparation resources.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/aws.amazon.com\/certification\/certified-security-specialty\/<\/a><\/p>\n\n\n\n\n- Exam guide: The AWS Certified Security-Specialty Exam Guide is like a user manual that tells you everything you need to know about the exam. It explains how the exam is set up, what kind of questions you’ll face, and even some helpful hints for doing well on the test.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/d1.awsstatic.com\/training-and-certification\/docs-security-specialty\/AWS-Certified-Security-Specialty_Exam-Guide.pdf<\/a><\/p>\n\n\n\n\n- Exam readiness training: AWS offers a range of exam readiness training courses, including instructor-led courses, self-paced digital courses, and virtual classroom training. These courses cover the key concepts and skills required for the exam.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/aws.amazon.com\/training\/course-descriptions\/aws-certified-security-specialty-exam-readiness\/<\/a><\/p>\n\n\n\n\n- Whitepapers: AWS offers a range of whitepapers that cover various security-related topics, such as securing data in transit and at rest, securing AWS environments, and incident response. These whitepapers can help you prepare for the exam by providing a deeper understanding of the security concepts covered in the exam.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/aws.amazon.com\/whitepapers\/?whitepapers-main.sort-by=item.additionalFields.sortDate&whitepapers-main.sort-order=desc&whitepapers-main.q=security<\/a><\/p>\n\n\n\n\n- Sample questions: AWS offers practice questions that you can try to check what you know and get ready for the exam. These questions are meant to show you the kind of questions you’ll see on the real test.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/d1.awsstatic.com\/training-and-certification\/docs-security-specialty\/AWS-Certified-Security-Specialty_Sample-Questions.pdf<\/a><\/p>\n\n\n\nAWS Certified Security Specialty Exam Course Outline and Documentation<\/strong><\/h3>\n\n\n\nCourse Outline refers to the blueprint of the exam guide which defines the course aims and learning outcomes. The main objective of the course outline is to provide candidates with an overall plan for the course, enabling them to plan their own schedules and learn effectively. <\/p>\n\n\n\n
The AWS Certified Security Specialty course outline includes weightings, test domains, and objectives only. Let\u2019s take a look at the table below.<\/p>\n\n\n\n
Domain 1: Threat Detection and Incident Response (14%)<\/strong><\/h4>\n\n\n\nTask Statement 1.1: Design and implement an incident response plan.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS best practices for incident response (AWS Documentation:<\/strong> AWS Security Incident Response Guide<\/a>)<\/li>\n\n\n\n
- Cloud incidents<\/li>\n\n\n\n
- Roles and responsibilities in the incident response plan (AWS Documentation:<\/strong> Define roles and responsibilities<\/a>)<\/li>\n\n\n\n
- AWS Security Finding Format (ASFF) (AWS Documentation:<\/strong> AWS Security Finding Format (ASFF)<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Implementing credential invalidation and rotation strategies in response to compromises (for example, by using AWS Identity and Access Management [IAM] and AWS Secrets Manager) (AWS Documentation:<\/strong> Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager<\/a>)<\/li>\n\n\n\n
- Isolating AWS resources (AWS Documentation:<\/strong> Design isolated resource environments<\/a>)<\/li>\n\n\n\n
- Designing and implementing playbooks and runbooks for responses to security incidents (AWS Documentation:<\/strong> Develop and test security incident response playbooks<\/a>)<\/li>\n\n\n\n
- Deploying security services (for example, AWS Security Hub, Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Detective, AWS Identity and Access Management Access Analyzer) (AWS Documentation:<\/strong> Security, identity, and compliance<\/a>)<\/li>\n\n\n\n
- Configuring integrations with native AWS services and third-party services (for example, by using Amazon EventBridge and the ASFF)<\/li>\n<\/ul>\n\n\n\n
Task Statement 1.2: Detect security threats and anomalies by using AWS services.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS managed security services that detect threats (AWS Documentation:<\/strong> Monitoring data security with managed AWS security services<\/a>)<\/li>\n\n\n\n
- Anomaly and correlation techniques to join data across services (AWS Documentation:<\/strong> Concepts for anomaly or outlier detection<\/a>)<\/li>\n\n\n\n
- Visualizations to identify anomalies<\/li>\n\n\n\n
- Strategies to centralize security findings (AWS Documentation:<\/strong> Centralized Security Management<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Evaluating findings from security services (for example, GuardDuty, Security Hub, Macie, AWS Config, IAM Access Analyzer) (AWS Documentation:<\/strong> AWS service integrations with AWS Security Hub<\/a>)<\/li>\n\n\n\n
- Searching and correlating security threats across AWS services (for example, by using Detective)<\/li>\n\n\n\n
- Performing queries to validate security events (for example, by using Amazon Athena) (AWS Documentation:<\/strong> Querying AWS CloudTrail logs<\/a>)<\/li>\n\n\n\n
- Creating metric filters and dashboards to detect anomalous activity (for example, by using Amazon CloudWatch) (AWS Documentation:<\/strong> Using CloudWatch anomaly detection<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 1.3: Respond to compromised resources and workloads.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS Security Incident Response Guide (AWS Documentation:<\/strong> AWS Security Incident Response Guide<\/a>)<\/li>\n\n\n\n
- Resource isolation mechanisms (AWS Documentation:<\/strong> Design isolated resource environments<\/a>)<\/li>\n\n\n\n
- Techniques for root cause analysis (AWS Documentation:<\/strong> What is Root Cause Analysis (RCA)?<\/a>)<\/li>\n\n\n\n
- Data capture mechanisms (AWS Documentation:<\/strong> Capture data<\/a>)<\/li>\n\n\n\n
- Log analysis for event validation (AWS Documentation:<\/strong> Analyzing log data with CloudWatch Logs Insights<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Automating remediation by using AWS services (for example, AWS Lambda, AWS Step Functions, EventBridge, AWS Systems Manager runbooks, Security Hub, AWS Config) (AWS Documentation:<\/strong> AWS Systems Manager Automation<\/a>)<\/li>\n\n\n\n
- Responding to compromised resources (for example, by isolating Amazon EC2 instances) (AWS Documentation:<\/strong> Remediating a potentially compromised Amazon EC2 instance<\/a>)<\/li>\n\n\n\n
- Investigating and analyzing to conduct root cause analysis (for example, by using Detective) (AWS Documentation:<\/strong> What is Amazon Detective?<\/a>)<\/li>\n\n\n\n
- Capturing relevant forensics data from a compromised resource (for example, Amazon Elastic Block Store [Amazon EBS] volume snapshots, memory dump) (AWS Documentation:<\/strong> Amazon EBS snapshots<\/a>)<\/li>\n\n\n\n
- Querying logs in Amazon S3 for contextual information related to security events (for example, by using Athena) (AWS Documentation:<\/strong> Querying AWS CloudTrail logs<\/a>)<\/li>\n\n\n\n
- Protecting and preserving forensic artifacts (for example, by using S3 Object Lock, isolated forensic accounts, S3 Lifecycle, and S3 replication) (AWS Documentation:<\/strong> Using S3 Object Lock<\/a>)<\/li>\n\n\n\n
- Preparing services for incidents and recovering services after incidents (AWS Documentation:<\/strong> Recovery<\/a>)<\/li>\n<\/ul>\n\n\n\n
Domain 2: Security Logging and Monitoring (18%)<\/strong><\/h4>\n\n\n\nTask Statement 2.1: Design and implement monitoring and alerting to address security events.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS services that monitor events and provide alarms (for example, CloudWatch, EventBridge) (AWS Documentation:<\/strong> Alarm events and EventBridge<\/a>)<\/li>\n\n\n\n
- AWS services that automate alerting (for example, Lambda, Amazon Simple Notification Service [Amazon SNS], Security Hub) (AWS Documentation:<\/strong> Automated response and remediation<\/a>)<\/li>\n\n\n\n
- Tools that monitor metrics and baselines (for example, GuardDuty, Systems Manager)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Analyzing architectures to identify monitoring requirements and sources of data for security monitoring (AWS Documentation:<\/strong> Designing and implementing logging and monitoring with Amazon CloudWatch<\/a>)<\/li>\n\n\n\n
- Analyzing environments and workloads to determine monitoring requirements (AWS Documentation:<\/strong> Perform an analysis on the workload demand<\/a>)<\/li>\n\n\n\n
- Designing environment monitoring and workload monitoring based on business and security requirements<\/li>\n\n\n\n
- Setting up automated tools and scripts to perform regular audits (for example, by creating custom insights in Security Hub) (AWS Documentation:<\/strong> Custom insights<\/a>)<\/li>\n\n\n\n
- Defining the metrics and thresholds that generate alerts (AWS Documentation:<\/strong> Using Amazon CloudWatch alarms<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.2: Troubleshoot security monitoring and alerting.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Configuration of monitoring services (for example, Security Hub) (AWS Documentation:<\/strong> What is AWS Security Hub?<\/a>)<\/li>\n\n\n\n
- Relevant data that indicates security events (AWS Documentation:<\/strong> Logging and events<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Analyzing the service functionality, permissions, and configuration of resources after an event that did not provide visibility or alerting (AWS Documentation:<\/strong> Refining permissions in AWS using last accessed information<\/a>)<\/li>\n\n\n\n
- Analyzing and remediating the configuration of a custom application that is not reporting its statistics (AWS Documentation:<\/strong> What Is AWS Config?<\/a>)<\/li>\n\n\n\n
- Evaluating logging and monitoring services for alignment with security requirements (AWS Documentation:<\/strong> Monitoring and Logging<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.3: Design and implement a logging solution.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, AWS CloudTrail, Amazon CloudWatch Logs) (AWS Documentation:<\/strong> Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n
- Attributes of logging capabilities (for example, log levels, type, verbosity) (AWS Documentation:<\/strong> AWS Lambda function logging in Python<\/a>)<\/li>\n\n\n\n
- Log destinations and lifecycle management (for example, retention period) (AWS Documentation:<\/strong> Managing your storage lifecycle<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Configuring logging for services and applications (AWS Documentation:<\/strong> Configure service and application logging<\/a>)<\/li>\n\n\n\n
- Identifying logging requirements and sources for log ingestion<\/li>\n\n\n\n
- Implementing log storage and lifecycle management according to AWS best practices and organizational requirements (AWS Documentation:<\/strong> Managing your storage lifecycle<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.4: Troubleshoot logging solutions.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Capabilities and use cases of AWS services that provide data sources (for example, log level, type, verbosity, cadence, timeliness, immutability) (AWS Documentation:<\/strong> AWS services for logging and monitoring<\/a>)<\/li>\n\n\n\n
- AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, CloudTrail, CloudWatch Logs) (AWS Documentation:<\/strong> Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n
- Access permissions that are necessary for logging (AWS Documentation:<\/strong> CloudWatch Logs permissions reference<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Identifying misconfiguration and determining remediation steps for absent access permissions that are necessary for logging (for example, by managing read\/write permissions, S3 bucket permissions, public access, and integrity) (AWS Documentation:<\/strong> Enabling Amazon S3 server access logging<\/a>)<\/li>\n\n\n\n
- Determining the cause of missing logs and performing remediation steps (AWS Documentation:<\/strong> Remediating security issues discovered by GuardDuty<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.5: Design a log analysis solution.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Services and tools to analyze captured logs (for example, Athena, CloudWatch Logs filter) (AWS Documentation:<\/strong> Logging and monitoring in Athena<\/a>)<\/li>\n\n\n\n
- Log analysis features of AWS services (for example, CloudWatch Logs Insights, CloudTrail Insights, Security Hub insights) (AWS Documentation:<\/strong> Analyzing log data with CloudWatch Logs Insights<\/a>)<\/li>\n\n\n\n
- Log format and components (for example, CloudTrail logs) (AWS Documentation:<\/strong> CloudTrail log file examples<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Identifying patterns in logs to indicate anomalies and known threats (AWS Documentation:<\/strong> Log anomaly detection<\/a>)<\/li>\n\n\n\n
- Normalizing, parsing, and correlating logs (AWS Documentation:<\/strong> Parsing logs and structured logging<\/a>)<\/li>\n<\/ul>\n\n\n\n
Domain 3: Infrastructure Security (20%)<\/strong><\/h4>\n\n\n\nTask Statement 3.1: Design and implement security controls for edge services.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Security features on edge services (for example, AWS WAF, load balancers, Amazon Route 53, Amazon CloudFront, AWS Shield) (AWS Documentation:<\/strong> How AWS WAF works with Amazon CloudFront features<\/a>)<\/li>\n\n\n\n
- Common attacks, threats, and exploits (for example, Open Web Application Security Project [OWASP] Top 10, DDoS)<\/li>\n\n\n\n
- Layered web application architecture (AWS Documentation:<\/strong> Three-tier architecture overview<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend) (AWS Documentation:<\/strong> Identity and access management<\/a>)<\/li>\n\n\n\n
- Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)<\/li>\n\n\n\n
- Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries) (AWS Documentation:<\/strong> Vulnerability Reporting<\/a>)<\/li>\n\n\n\n
- Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)<\/li>\n\n\n\n
- Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit) (AWS Documentation:<\/strong> Restricting the geographic distribution of your content<\/a>)<\/li>\n\n\n\n
- Activating logs, metrics, and monitoring around edge services to indicate attacks (AWS Documentation:<\/strong> Metrics and alarms<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 3.2: Design and implement network security controls.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- VPC security mechanisms (for example, security groups, network ACLs, AWS Network Firewall) (AWS Documentation:<\/strong> Security best practices for your VPC<\/a>)<\/li>\n\n\n\n
- Inter-VPC connectivity (for example, AWS Transit Gateway, VPC endpoints) (AWS Documentation:<\/strong> Amazon VPC-to-Amazon VPC connectivity options<\/a>)<\/li>\n\n\n\n
- Security telemetry sources (for example, Traffic Mirroring, VPC Flow Logs) (AWS Documentation:<\/strong> Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n
- VPN technology, terminology, and usage (AWS Documentation:<\/strong> What is AWS Site-to-Site VPN?<\/a>)<\/li>\n\n\n\n
- On-premises connectivity options (for example, AWS VPN, AWS Direct Connect) (AWS Documentation:<\/strong> AWS Direct Connect<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)<\/li>\n\n\n\n
- Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall) (AWS Documentation:<\/strong> Control traffic to subnets using network ACLs<\/a>)<\/li>\n\n\n\n
- Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs) (AWS Documentation:<\/strong> What is a transit gateway?<\/a>)<\/li>\n\n\n\n
- Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring) (AWS Documentation:<\/strong>
AWS Certified Security-Specialty Preparation Resources<\/strong><\/h3>\n\n\n\nHere are some official resources for preparing for the AWS Certified Security-Specialty Exam:<\/p>\n\n\n\n
\n- AWS Certification website: The AWS Certification website has a dedicated page for the Security-Specialty Exam, which provides an overview of the exam, its objectives, and recommended preparation resources.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/aws.amazon.com\/certification\/certified-security-specialty\/<\/a><\/p>\n\n\n\n\n- Exam guide: The AWS Certified Security-Specialty Exam Guide is like a user manual that tells you everything you need to know about the exam. It explains how the exam is set up, what kind of questions you’ll face, and even some helpful hints for doing well on the test.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/d1.awsstatic.com\/training-and-certification\/docs-security-specialty\/AWS-Certified-Security-Specialty_Exam-Guide.pdf<\/a><\/p>\n\n\n\n\n- Exam readiness training: AWS offers a range of exam readiness training courses, including instructor-led courses, self-paced digital courses, and virtual classroom training. These courses cover the key concepts and skills required for the exam.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/aws.amazon.com\/training\/course-descriptions\/aws-certified-security-specialty-exam-readiness\/<\/a><\/p>\n\n\n\n\n- Whitepapers: AWS offers a range of whitepapers that cover various security-related topics, such as securing data in transit and at rest, securing AWS environments, and incident response. These whitepapers can help you prepare for the exam by providing a deeper understanding of the security concepts covered in the exam.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/aws.amazon.com\/whitepapers\/?whitepapers-main.sort-by=item.additionalFields.sortDate&whitepapers-main.sort-order=desc&whitepapers-main.q=security<\/a><\/p>\n\n\n\n\n- Sample questions: AWS offers practice questions that you can try to check what you know and get ready for the exam. These questions are meant to show you the kind of questions you’ll see on the real test.<\/li>\n<\/ol>\n\n\n\n
Link: https:\/\/d1.awsstatic.com\/training-and-certification\/docs-security-specialty\/AWS-Certified-Security-Specialty_Sample-Questions.pdf<\/a><\/p>\n\n\n\nAWS Certified Security Specialty Exam Course Outline and Documentation<\/strong><\/h3>\n\n\n\nCourse Outline refers to the blueprint of the exam guide which defines the course aims and learning outcomes. The main objective of the course outline is to provide candidates with an overall plan for the course, enabling them to plan their own schedules and learn effectively. <\/p>\n\n\n\n
The AWS Certified Security Specialty course outline includes weightings, test domains, and objectives only. Let\u2019s take a look at the table below.<\/p>\n\n\n\n
Domain 1: Threat Detection and Incident Response (14%)<\/strong><\/h4>\n\n\n\nTask Statement 1.1: Design and implement an incident response plan.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS best practices for incident response (AWS Documentation:<\/strong> AWS Security Incident Response Guide<\/a>)<\/li>\n\n\n\n
- Cloud incidents<\/li>\n\n\n\n
- Roles and responsibilities in the incident response plan (AWS Documentation:<\/strong> Define roles and responsibilities<\/a>)<\/li>\n\n\n\n
- AWS Security Finding Format (ASFF) (AWS Documentation:<\/strong> AWS Security Finding Format (ASFF)<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Implementing credential invalidation and rotation strategies in response to compromises (for example, by using AWS Identity and Access Management [IAM] and AWS Secrets Manager) (AWS Documentation:<\/strong> Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager<\/a>)<\/li>\n\n\n\n
- Isolating AWS resources (AWS Documentation:<\/strong> Design isolated resource environments<\/a>)<\/li>\n\n\n\n
- Designing and implementing playbooks and runbooks for responses to security incidents (AWS Documentation:<\/strong> Develop and test security incident response playbooks<\/a>)<\/li>\n\n\n\n
- Deploying security services (for example, AWS Security Hub, Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Detective, AWS Identity and Access Management Access Analyzer) (AWS Documentation:<\/strong> Security, identity, and compliance<\/a>)<\/li>\n\n\n\n
- Configuring integrations with native AWS services and third-party services (for example, by using Amazon EventBridge and the ASFF)<\/li>\n<\/ul>\n\n\n\n
Task Statement 1.2: Detect security threats and anomalies by using AWS services.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS managed security services that detect threats (AWS Documentation:<\/strong> Monitoring data security with managed AWS security services<\/a>)<\/li>\n\n\n\n
- Anomaly and correlation techniques to join data across services (AWS Documentation:<\/strong> Concepts for anomaly or outlier detection<\/a>)<\/li>\n\n\n\n
- Visualizations to identify anomalies<\/li>\n\n\n\n
- Strategies to centralize security findings (AWS Documentation:<\/strong> Centralized Security Management<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Evaluating findings from security services (for example, GuardDuty, Security Hub, Macie, AWS Config, IAM Access Analyzer) (AWS Documentation:<\/strong> AWS service integrations with AWS Security Hub<\/a>)<\/li>\n\n\n\n
- Searching and correlating security threats across AWS services (for example, by using Detective)<\/li>\n\n\n\n
- Performing queries to validate security events (for example, by using Amazon Athena) (AWS Documentation:<\/strong> Querying AWS CloudTrail logs<\/a>)<\/li>\n\n\n\n
- Creating metric filters and dashboards to detect anomalous activity (for example, by using Amazon CloudWatch) (AWS Documentation:<\/strong> Using CloudWatch anomaly detection<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 1.3: Respond to compromised resources and workloads.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS Security Incident Response Guide (AWS Documentation:<\/strong> AWS Security Incident Response Guide<\/a>)<\/li>\n\n\n\n
- Resource isolation mechanisms (AWS Documentation:<\/strong> Design isolated resource environments<\/a>)<\/li>\n\n\n\n
- Techniques for root cause analysis (AWS Documentation:<\/strong> What is Root Cause Analysis (RCA)?<\/a>)<\/li>\n\n\n\n
- Data capture mechanisms (AWS Documentation:<\/strong> Capture data<\/a>)<\/li>\n\n\n\n
- Log analysis for event validation (AWS Documentation:<\/strong> Analyzing log data with CloudWatch Logs Insights<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Automating remediation by using AWS services (for example, AWS Lambda, AWS Step Functions, EventBridge, AWS Systems Manager runbooks, Security Hub, AWS Config) (AWS Documentation:<\/strong> AWS Systems Manager Automation<\/a>)<\/li>\n\n\n\n
- Responding to compromised resources (for example, by isolating Amazon EC2 instances) (AWS Documentation:<\/strong> Remediating a potentially compromised Amazon EC2 instance<\/a>)<\/li>\n\n\n\n
- Investigating and analyzing to conduct root cause analysis (for example, by using Detective) (AWS Documentation:<\/strong> What is Amazon Detective?<\/a>)<\/li>\n\n\n\n
- Capturing relevant forensics data from a compromised resource (for example, Amazon Elastic Block Store [Amazon EBS] volume snapshots, memory dump) (AWS Documentation:<\/strong> Amazon EBS snapshots<\/a>)<\/li>\n\n\n\n
- Querying logs in Amazon S3 for contextual information related to security events (for example, by using Athena) (AWS Documentation:<\/strong> Querying AWS CloudTrail logs<\/a>)<\/li>\n\n\n\n
- Protecting and preserving forensic artifacts (for example, by using S3 Object Lock, isolated forensic accounts, S3 Lifecycle, and S3 replication) (AWS Documentation:<\/strong> Using S3 Object Lock<\/a>)<\/li>\n\n\n\n
- Preparing services for incidents and recovering services after incidents (AWS Documentation:<\/strong> Recovery<\/a>)<\/li>\n<\/ul>\n\n\n\n
Domain 2: Security Logging and Monitoring (18%)<\/strong><\/h4>\n\n\n\nTask Statement 2.1: Design and implement monitoring and alerting to address security events.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS services that monitor events and provide alarms (for example, CloudWatch, EventBridge) (AWS Documentation:<\/strong> Alarm events and EventBridge<\/a>)<\/li>\n\n\n\n
- AWS services that automate alerting (for example, Lambda, Amazon Simple Notification Service [Amazon SNS], Security Hub) (AWS Documentation:<\/strong> Automated response and remediation<\/a>)<\/li>\n\n\n\n
- Tools that monitor metrics and baselines (for example, GuardDuty, Systems Manager)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Analyzing architectures to identify monitoring requirements and sources of data for security monitoring (AWS Documentation:<\/strong> Designing and implementing logging and monitoring with Amazon CloudWatch<\/a>)<\/li>\n\n\n\n
- Analyzing environments and workloads to determine monitoring requirements (AWS Documentation:<\/strong> Perform an analysis on the workload demand<\/a>)<\/li>\n\n\n\n
- Designing environment monitoring and workload monitoring based on business and security requirements<\/li>\n\n\n\n
- Setting up automated tools and scripts to perform regular audits (for example, by creating custom insights in Security Hub) (AWS Documentation:<\/strong> Custom insights<\/a>)<\/li>\n\n\n\n
- Defining the metrics and thresholds that generate alerts (AWS Documentation:<\/strong> Using Amazon CloudWatch alarms<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.2: Troubleshoot security monitoring and alerting.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Configuration of monitoring services (for example, Security Hub) (AWS Documentation:<\/strong> What is AWS Security Hub?<\/a>)<\/li>\n\n\n\n
- Relevant data that indicates security events (AWS Documentation:<\/strong> Logging and events<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Analyzing the service functionality, permissions, and configuration of resources after an event that did not provide visibility or alerting (AWS Documentation:<\/strong> Refining permissions in AWS using last accessed information<\/a>)<\/li>\n\n\n\n
- Analyzing and remediating the configuration of a custom application that is not reporting its statistics (AWS Documentation:<\/strong> What Is AWS Config?<\/a>)<\/li>\n\n\n\n
- Evaluating logging and monitoring services for alignment with security requirements (AWS Documentation:<\/strong> Monitoring and Logging<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.3: Design and implement a logging solution.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, AWS CloudTrail, Amazon CloudWatch Logs) (AWS Documentation:<\/strong> Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n
- Attributes of logging capabilities (for example, log levels, type, verbosity) (AWS Documentation:<\/strong> AWS Lambda function logging in Python<\/a>)<\/li>\n\n\n\n
- Log destinations and lifecycle management (for example, retention period) (AWS Documentation:<\/strong> Managing your storage lifecycle<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Configuring logging for services and applications (AWS Documentation:<\/strong> Configure service and application logging<\/a>)<\/li>\n\n\n\n
- Identifying logging requirements and sources for log ingestion<\/li>\n\n\n\n
- Implementing log storage and lifecycle management according to AWS best practices and organizational requirements (AWS Documentation:<\/strong> Managing your storage lifecycle<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.4: Troubleshoot logging solutions.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Capabilities and use cases of AWS services that provide data sources (for example, log level, type, verbosity, cadence, timeliness, immutability) (AWS Documentation:<\/strong> AWS services for logging and monitoring<\/a>)<\/li>\n\n\n\n
- AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, CloudTrail, CloudWatch Logs) (AWS Documentation:<\/strong> Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n
- Access permissions that are necessary for logging (AWS Documentation:<\/strong> CloudWatch Logs permissions reference<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Identifying misconfiguration and determining remediation steps for absent access permissions that are necessary for logging (for example, by managing read\/write permissions, S3 bucket permissions, public access, and integrity) (AWS Documentation:<\/strong> Enabling Amazon S3 server access logging<\/a>)<\/li>\n\n\n\n
- Determining the cause of missing logs and performing remediation steps (AWS Documentation:<\/strong> Remediating security issues discovered by GuardDuty<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 2.5: Design a log analysis solution.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Services and tools to analyze captured logs (for example, Athena, CloudWatch Logs filter) (AWS Documentation:<\/strong> Logging and monitoring in Athena<\/a>)<\/li>\n\n\n\n
- Log analysis features of AWS services (for example, CloudWatch Logs Insights, CloudTrail Insights, Security Hub insights) (AWS Documentation:<\/strong> Analyzing log data with CloudWatch Logs Insights<\/a>)<\/li>\n\n\n\n
- Log format and components (for example, CloudTrail logs) (AWS Documentation:<\/strong> CloudTrail log file examples<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Identifying patterns in logs to indicate anomalies and known threats (AWS Documentation:<\/strong> Log anomaly detection<\/a>)<\/li>\n\n\n\n
- Normalizing, parsing, and correlating logs (AWS Documentation:<\/strong> Parsing logs and structured logging<\/a>)<\/li>\n<\/ul>\n\n\n\n
Domain 3: Infrastructure Security (20%)<\/strong><\/h4>\n\n\n\nTask Statement 3.1: Design and implement security controls for edge services.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- Security features on edge services (for example, AWS WAF, load balancers, Amazon Route 53, Amazon CloudFront, AWS Shield) (AWS Documentation:<\/strong> How AWS WAF works with Amazon CloudFront features<\/a>)<\/li>\n\n\n\n
- Common attacks, threats, and exploits (for example, Open Web Application Security Project [OWASP] Top 10, DDoS)<\/li>\n\n\n\n
- Layered web application architecture (AWS Documentation:<\/strong> Three-tier architecture overview<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend) (AWS Documentation:<\/strong> Identity and access management<\/a>)<\/li>\n\n\n\n
- Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)<\/li>\n\n\n\n
- Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries) (AWS Documentation:<\/strong> Vulnerability Reporting<\/a>)<\/li>\n\n\n\n
- Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)<\/li>\n\n\n\n
- Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit) (AWS Documentation:<\/strong> Restricting the geographic distribution of your content<\/a>)<\/li>\n\n\n\n
- Activating logs, metrics, and monitoring around edge services to indicate attacks (AWS Documentation:<\/strong> Metrics and alarms<\/a>)<\/li>\n<\/ul>\n\n\n\n
Task Statement 3.2: Design and implement network security controls.<\/p>\n\n\n\n
Knowledge of:<\/p>\n\n\n\n
\n- VPC security mechanisms (for example, security groups, network ACLs, AWS Network Firewall) (AWS Documentation:<\/strong> Security best practices for your VPC<\/a>)<\/li>\n\n\n\n
- Inter-VPC connectivity (for example, AWS Transit Gateway, VPC endpoints) (AWS Documentation:<\/strong> Amazon VPC-to-Amazon VPC connectivity options<\/a>)<\/li>\n\n\n\n
- Security telemetry sources (for example, Traffic Mirroring, VPC Flow Logs) (AWS Documentation:<\/strong> Logging IP traffic using VPC Flow Logs<\/a>)<\/li>\n\n\n\n
- VPN technology, terminology, and usage (AWS Documentation:<\/strong> What is AWS Site-to-Site VPN?<\/a>)<\/li>\n\n\n\n
- On-premises connectivity options (for example, AWS VPN, AWS Direct Connect) (AWS Documentation:<\/strong> AWS Direct Connect<\/a>)<\/li>\n<\/ul>\n\n\n\n
Skills in:<\/p>\n\n\n\n
\n- Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)<\/li>\n\n\n\n
- Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall) (AWS Documentation:<\/strong> Control traffic to subnets using network ACLs<\/a>)<\/li>\n\n\n\n
- Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs) (AWS Documentation:<\/strong> What is a transit gateway?<\/a>)<\/li>\n\n\n\n
- Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring) (AWS Documentation:<\/strong>
Link: https:\/\/aws.amazon.com\/certification\/certified-security-specialty\/<\/a><\/p>\n\n\n\n Link: https:\/\/d1.awsstatic.com\/training-and-certification\/docs-security-specialty\/AWS-Certified-Security-Specialty_Exam-Guide.pdf<\/a><\/p>\n\n\n\n Link: https:\/\/aws.amazon.com\/training\/course-descriptions\/aws-certified-security-specialty-exam-readiness\/<\/a><\/p>\n\n\n\n Link: https:\/\/aws.amazon.com\/whitepapers\/?whitepapers-main.sort-by=item.additionalFields.sortDate&whitepapers-main.sort-order=desc&whitepapers-main.q=security<\/a><\/p>\n\n\n\n Link: https:\/\/d1.awsstatic.com\/training-and-certification\/docs-security-specialty\/AWS-Certified-Security-Specialty_Sample-Questions.pdf<\/a><\/p>\n\n\n\n Course Outline refers to the blueprint of the exam guide which defines the course aims and learning outcomes. The main objective of the course outline is to provide candidates with an overall plan for the course, enabling them to plan their own schedules and learn effectively. <\/p>\n\n\n\n The AWS Certified Security Specialty course outline includes weightings, test domains, and objectives only. Let\u2019s take a look at the table below.<\/p>\n\n\n\n Task Statement 1.1: Design and implement an incident response plan.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 1.2: Detect security threats and anomalies by using AWS services.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 1.3: Respond to compromised resources and workloads.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 2.1: Design and implement monitoring and alerting to address security events.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 2.2: Troubleshoot security monitoring and alerting.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 2.3: Design and implement a logging solution.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 2.4: Troubleshoot logging solutions.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 2.5: Design a log analysis solution.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 3.1: Design and implement security controls for edge services.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n Task Statement 3.2: Design and implement network security controls.<\/p>\n\n\n\n Knowledge of:<\/p>\n\n\n\n Skills in:<\/p>\n\n\n\n\n
\n
\n
\n
AWS Certified Security Specialty Exam Course Outline and Documentation<\/strong><\/h3>\n\n\n\n
Domain 1: Threat Detection and Incident Response (14%)<\/strong><\/h4>\n\n\n\n
\n
\n
\n
\n
\n
\n
Domain 2: Security Logging and Monitoring (18%)<\/strong><\/h4>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Domain 3: Infrastructure Security (20%)<\/strong><\/h4>\n\n\n\n
\n
\n
\n
\n