AWS Certified Security-Specialty Exam Cheat Sheet


The AWS Certified Security-Specialty Exam is for experts who want to show they are skilled in safeguarding AWS systems. This exam covers various subjects like controlling access, securing networks, safeguarding data, and handling security incidents.

Preparing for the AWS Certified Security-Specialty Exam can be a challenging task, as the exam requires a deep understanding of AWS security services and best practices. That’s why I have created this cheat sheet to help you prepare for the exam in a more efficient and effective way. This cheat sheet includes key concepts, important tips, and sample questions that will help you master the exam material and pass the exam with confidence.

Whether you are a security professional looking to advance your career or an IT professional seeking to enhance your AWS skills, this cheat sheet will provide you with the knowledge and skills you need to pass the AWS Certified Security-Specialty Exam. So, let’s dive in and start preparing for the exam!

AWS Certified Security-Specialty: Overview

The AWS Certified Security Specialty certification covers the topics in which security professionals and staff need to be skilled. Candidates must understand security fundamentals, follow best practices, and build expertise in the key services that are unique to the AWS platform.

Overview of AWS Certified Security-Specialty Exam

This certification validates the candidate’s AWS knowledge across security topics that include data protection and encryption, infrastructure security, incident response, identity and access management, and monitoring and logging.

AWS Certified Security-Specialty Glossary

  1. Access Key – An access key is an alphanumeric credential that AWS issues to an IAM user to authenticate programmatic access to AWS services.
  2. Authentication – Authentication is the process of proving who you are before you are allowed to use AWS resources.
  3. Authorization – Authorization is the decision about which actions an authenticated identity is permitted to perform on which AWS resources.
  4. CloudTrail – CloudTrail is an AWS service that provides visibility into user activity by recording AWS API calls and delivering the resulting log files to an S3 bucket.
  5. Compliance – Compliance refers to adhering to security standards and regulations, such as the GDPR or HIPAA, to ensure the security and privacy of data.
  6. Data Encryption – Data encryption converts readable data into ciphertext so that anyone without the decryption key cannot read it.
  7. IAM – IAM, short for Identity and Access Management, is the AWS service that controls which identities can access which AWS resources and what actions they may perform.
  8. KMS – KMS, or Key Management Service, is an AWS service that allows users to create, manage, and use encryption keys to protect their data.
  9. Multi-Factor Authentication (MFA) – MFA is a security feature that requires users to provide more than one form of authentication, such as a password and a security token, to access AWS resources.
  10. Network Security – Network security is the protection of a company’s computer network and data from unauthorized access or attacks, much like locking the doors and windows of a house to keep intruders out.
  11. PCI DSS – PCI DSS, which stands for Payment Card Industry Data Security Standard, is a set of rules that ensures credit card information is handled safely and securely. It provides strict guidelines for how to protect sensitive financial data.
  12. Security Group – A security group is a virtual firewall that controls inbound and outbound traffic to an AWS resource, such as an EC2 instance.
  13. Security Token Service (STS) – STS is an AWS service that provides temporary security credentials to allow users to access AWS resources.
  14. Server-Side Encryption (SSE) – SSE is a feature that allows users to encrypt data at rest within AWS services, such as S3 or RDS.
  15. SSL/TLS – SSL/TLS, short for Secure Sockets Layer/Transport Layer Security, is a protocol that encrypts information sent over the internet so that it stays private and protected from anyone who might intercept it.

Exam preparation resources for AWS Certified Security-Specialty Exam

Here are some official resources for preparing for the AWS Certified Security-Specialty Exam:

  1. AWS Certification website: The AWS Certification website has a dedicated page for the Security-Specialty Exam, which provides an overview of the exam, its objectives, and recommended preparation resources.

Link: https://aws.amazon.com/certification/certified-security-specialty/

  2. Exam guide: The AWS Certified Security-Specialty Exam Guide is like a user manual that tells you everything you need to know about the exam. It explains how the exam is set up, what kind of questions you’ll face, and even some helpful hints for doing well on the test.

Link: https://d1.awsstatic.com/training-and-certification/docs-security-specialty/AWS-Certified-Security-Specialty_Exam-Guide.pdf

  3. Exam readiness training: AWS offers a range of exam readiness training courses, including instructor-led courses, self-paced digital courses, and virtual classroom training. These courses cover the key concepts and skills required for the exam.

Link: https://aws.amazon.com/training/course-descriptions/aws-certified-security-specialty-exam-readiness/

  4. Whitepapers: AWS offers a range of whitepapers that cover various security-related topics, such as securing data in transit and at rest, securing AWS environments, and incident response. These whitepapers can help you prepare for the exam by providing a deeper understanding of the security concepts covered in the exam.

Link: https://aws.amazon.com/whitepapers/?whitepapers-main.sort-by=item.additionalFields.sortDate&whitepapers-main.sort-order=desc&whitepapers-main.q=security

  5. Sample questions: AWS offers practice questions that you can try to check what you know and get ready for the exam. These questions are meant to show you the kind of questions you’ll see on the real test.

Link: https://d1.awsstatic.com/training-and-certification/docs-security-specialty/AWS-Certified-Security-Specialty_Sample-Questions.pdf

Course Outline

The course outline is the blueprint of the exam guide; it defines the course aims and learning outcomes. Its main purpose is to give candidates an overall plan for the course so they can schedule their study and learn effectively.

The AWS Certified Security Specialty course outline includes only the domain weightings, test domains, and objectives. Let’s take a look at the outline below.

Domain 1: Threat Detection and Incident Response (14%)

Task Statement 1.1: Design and implement an incident response plan.

Knowledge of:

Skills in:

Task Statement 1.2: Detect security threats and anomalies by using AWS services.

Knowledge of:

Skills in:

  • Evaluating findings from security services (for example, GuardDuty, Security Hub, Macie, AWS Config, IAM Access Analyzer) (AWS Documentation: AWS service integrations with AWS Security Hub)
  • Searching and correlating security threats across AWS services (for example, by using Detective)
  • Performing queries to validate security events (for example, by using Amazon Athena) (AWS Documentation: Querying AWS CloudTrail logs)
  • Creating metric filters and dashboards to detect anomalous activity (for example, by using Amazon CloudWatch) (AWS Documentation: Using CloudWatch anomaly detection)

Task Statement 1.3: Respond to compromised resources and workloads.

Knowledge of:

Skills in:

  • Automating remediation by using AWS services (for example, AWS Lambda, AWS Step Functions, EventBridge, AWS Systems Manager runbooks, Security Hub, AWS Config) (AWS Documentation: AWS Systems Manager Automation)
  • Responding to compromised resources (for example, by isolating Amazon EC2 instances) (AWS Documentation: Remediating a potentially compromised Amazon EC2 instance)
  • Investigating and analyzing to conduct root cause analysis (for example, by using Detective) (AWS Documentation: What is Amazon Detective?)
  • Capturing relevant forensics data from a compromised resource (for example, Amazon Elastic Block Store [Amazon EBS] volume snapshots, memory dump) (AWS Documentation: Amazon EBS snapshots)
  • Querying logs in Amazon S3 for contextual information related to security events (for example, by using Athena) (AWS Documentation: Querying AWS CloudTrail logs)
  • Protecting and preserving forensic artifacts (for example, by using S3 Object Lock, isolated forensic accounts, S3 Lifecycle, and S3 replication) (AWS Documentation: Using S3 Object Lock)
  • Preparing services for incidents and recovering services after incidents (AWS Documentation: Recovery)
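The detection skills listed under Task Statements 1.2 and 1.3 (validating security events in CloudTrail logs and building metric filters for anomalous activity) are easier to picture with a concrete rule set. The following Python is an added example, not part of the exam guide or any AWS tool: it parses a constructed CloudTrail-style log file and flags the kinds of events a practitioner would alert on. The account ID, user names, trail name and IP addresses are placeholders; the rule names and the `failed_login_threshold` value are assumptions chosen for the example.

```python
import json
from collections import Counter

# Constructed CloudTrail-style log file (not from a real account). CloudTrail
# delivers JSON objects with a top-level "Records" array; these records keep
# that shape, with documentation IP ranges and a placeholder account ID.
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE,
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE,
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE,
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.7", "userIdentity": BOB,
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup"},
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": BOB},
]})

# (eventSource, eventName) pairs that weaken logging or key material; a
# CloudWatch Logs metric filter on the CloudTrail log group would match the same.
LOGGING_AND_KEY_TAMPER = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("kms.amazonaws.com", "DisableKey"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"),
}

def load_records(log_text):
    """Parse one CloudTrail log file (a JSON object with a 'Records' array)."""
    return json.loads(log_text).get("Records", [])

def detect_anomalies(records, failed_login_threshold=3):
    """Flag logging/key tampering, root API use and repeated console-login
    failures from a single source IP. Returns a list of finding dicts."""
    findings, failed_logins = [], Counter()
    for rec in records:
        identity = rec.get("userIdentity", {})
        if (rec.get("eventSource"), rec.get("eventName")) in LOGGING_AND_KEY_TAMPER:
            findings.append({"rule": "logging_or_key_tamper",
                             "event": rec["eventName"], "actor": identity.get("arn")})
        # Root should not make day-to-day API calls; service-initiated events
        # (eventType AwsServiceEvent) are excluded so they do not page anyone.
        if identity.get("type") == "Root" and rec.get("eventType") != "AwsServiceEvent":
            findings.append({"rule": "root_activity",
                             "event": rec["eventName"], "actor": identity.get("arn")})
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failed_logins[rec.get("sourceIPAddress")] += 1
    for ip, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.append({"rule": "console_login_failures",
                             "source_ip": ip, "count": count})
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(load_records(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the same three rules map onto CloudWatch metric filters with alarms, or onto an Athena query over the CloudTrail table; the routine DescribeInstances call is included to show that normal activity produces no finding.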

Domain 2: Security Logging and Monitoring (18%)

Task Statement 2.1: Design and implement monitoring and alerting to address security events.

Knowledge of:

  • AWS services that monitor events and provide alarms (for example, CloudWatch, EventBridge) (AWS Documentation: Alarm events and EventBridge)
  • AWS services that automate alerting (for example, Lambda, Amazon Simple Notification Service [Amazon SNS], Security Hub) (AWS Documentation: Automated response and remediation)
  • Tools that monitor metrics and baselines (for example, GuardDuty, Systems Manager)

Skills in:

Task Statement 2.2: Troubleshoot security monitoring and alerting.

Knowledge of:

Skills in:

  • Analyzing the service functionality, permissions, and configuration of resources after an event that did not provide visibility or alerting (AWS Documentation: Refining permissions in AWS using last accessed information)
  • Analyzing and remediating the configuration of a custom application that is not reporting its statistics (AWS Documentation: What Is AWS Config?)
  • Evaluating logging and monitoring services for alignment with security requirements (AWS Documentation: Monitoring and Logging)

Task Statement 2.3: Design and implement a logging solution.

Knowledge of:

Skills in:

Task Statement 2.4: Troubleshoot logging solutions.

Knowledge of:

Skills in:

Task Statement 2.5: Design a log analysis solution.

Knowledge of:

Skills in:

Domain 3: Infrastructure Security (20%)

Task Statement 3.1: Design and implement security controls for edge services.

Knowledge of:

Skills in:

  • Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend) (AWS Documentation: Identity and access management)
  • Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)
  • Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries) (AWS Documentation: Vulnerability Reporting)
  • Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)
  • Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit) (AWS Documentation: Restricting the geographic distribution of your content)
  • Activating logs, metrics, and monitoring around edge services to indicate attacks (AWS Documentation: Metrics and alarms)

Task Statement 3.2: Design and implement network security controls.

Knowledge of:

Skills in:

  • Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)
  • Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall) (AWS Documentation: Control traffic to subnets using network ACLs)
  • Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs) (AWS Documentation: What is a transit gateway?)
  • Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring) (AWS Documentation: Monitor your Network Load Balancers)
  • Determining redundancy and security workload requirements for communication between on-premises environments and the AWS Cloud (for example, by using AWS VPN, AWS VPN over Direct Connect, and MACsec) (AWS Documentation: AWS Direct Connect)
  • Identifying and removing unnecessary network access (AWS Documentation: Security best practices in IAM)
  • Managing network configurations as requirements change (for example, by using AWS Firewall Manager) (AWS Documentation: Working with AWS Firewall Manager policies)

Task Statement 3.3: Design and implement security controls for compute workloads.

Knowledge of:

  • Provisioning and maintenance of EC2 instances (for example, patching, inspecting, creation of snapshots and AMIs, use of EC2 Image Builder) (AWS Documentation: What is EC2 Image Builder?)
  • IAM instance roles and IAM service roles (AWS Documentation: IAM roles)
  • Services that scan for vulnerabilities in compute workloads (for example, Amazon Inspector, Amazon Elastic Container Registry [Amazon ECR]) (AWS Documentation: Scanning Amazon ECR container images with Amazon Inspector)
  • Host-based security (for example, firewalls, hardening)

Skills in:

Task Statement 3.4: Troubleshoot network security.

Knowledge of:

  • How to analyze reachability (for example, by using VPC Reachability Analyzer and Amazon Inspector) (AWS Documentation: Getting started with Reachability Analyzer)
  • Fundamental TCP/IP networking concepts (for example, UDP compared with TCP, ports, Open Systems Interconnection [OSI] model, network operating system utilities)
  • How to read relevant log sources (for example, Route 53 logs, AWS WAF logs, VPC Flow Logs) (AWS Documentation: Logging IP traffic using VPC Flow Logs)

Skills in:

Domain 4: Identity and Access Management (16%)

Task Statement 4.1: Design, implement, and troubleshoot authentication for AWS resources.

Knowledge of:

Skills in:

Task Statement 4.2: Design, implement, and troubleshoot authorization for AWS resources.

Knowledge of:

Skills in:

Domain 5: Data Protection (18%)

Task Statement 5.1: Design and implement controls that provide confidentiality and integrity for data in transit.

Knowledge of:

Skills in:

  • Designing secure connectivity between AWS and on-premises networks (for example, by using Direct Connect and VPN gateways) (AWS Documentation: AWS Direct Connect)
  • Designing mechanisms to require encryption when connecting to resources (for example, Amazon RDS, Amazon Redshift, CloudFront, Amazon S3, Amazon DynamoDB, load balancers, Amazon Elastic File System [Amazon EFS], Amazon API Gateway) (AWS Documentation: Encrypting Amazon RDS resources)
  • Requiring TLS for AWS API calls (for example, with Amazon S3) (AWS Documentation: Infrastructure security in Amazon S3)
  • Designing mechanisms to forward traffic over secure connections (for example, by using Systems Manager and EC2 Instance Connect) (AWS Documentation: Connect using EC2 Instance Connect)
  • Designing cross-Region networking by using private VIFs and public VIFs

Task Statement 5.2: Design and implement controls that provide confidentiality and integrity for data at rest.

Knowledge of:

  • Encryption technique selection (for example, client-side, server-side, symmetric, asymmetric) (AWS Documentation: AWS KMS concepts)
  • Integrity-checking techniques (for example, hashing algorithms, digital signatures) (AWS Documentation: Checking object integrity)
  • Resource policies (for example, for DynamoDB, Amazon S3, and AWS Key Management Service [AWS KMS]) (AWS Documentation: Key policies in AWS KMS)
  • IAM roles and policies (AWS Documentation: Policies and permissions in IAM)

Skills in:

  • Designing resource policies to restrict access to authorized users (for example, S3 bucket policies, DynamoDB policies) (AWS Documentation: Examples of Amazon S3 bucket policies)
  • Designing mechanisms to prevent unauthorized public access (for example, S3 Block Public Access, prevention of public snapshots and public AMIs) (AWS Documentation: Blocking public access to your Amazon S3 storage)
  • Configuring services to activate encryption of data at rest (for example, Amazon S3, Amazon RDS, DynamoDB, Amazon Simple Queue Service [Amazon SQS], Amazon EBS, Amazon EFS) (AWS Documentation: Encryption at rest in Amazon SQS)
  • Designing mechanisms to protect data integrity by preventing modifications (for example, by using S3 Object Lock, KMS key policies, S3 Glacier Vault Lock, and AWS Backup Vault Lock) (AWS Documentation: Using S3 Object Lock)
  • Designing encryption at rest by using AWS CloudHSM for relational databases (for example, Amazon RDS, RDS Custom, databases on EC2 instances)
  • Choosing encryption techniques based on business requirements (AWS Documentation: Creating an enterprise encryption strategy for data at rest)

Task Statement 5.3: Design and implement controls to manage the lifecycle of data at rest.

Knowledge of:

  • Lifecycle policies
  • Data retention standards

Skills in:

  • Designing S3 Lifecycle mechanisms to retain data for required retention periods (for example, S3 Object Lock, S3 Glacier Vault Lock, S3 Lifecycle policy) (AWS Documentation: Managing your storage lifecycle)
  • Designing automatic lifecycle management for AWS services and resources (for example, Amazon S3, EBS volume snapshots, RDS volume snapshots, AMIs, container images, CloudWatch log groups, Amazon Data Lifecycle Manager) (AWS Documentation: Amazon Data Lifecycle Manager)
  • Establishing schedules and retention for AWS Backup across AWS services (AWS Documentation: Creating a backup plan)

Task Statement 5.4: Design and implement controls to protect credentials, secrets, and cryptographic key materials.

Knowledge of:

Skills in:

  • Designing management and rotation of secrets for workloads (for example, database access credentials, API keys, IAM access keys, AWS KMS customer managed keys)
  • Designing KMS key policies to limit key usage to authorized users (AWS Documentation: Key policies in AWS KMS)
  • Establishing mechanisms to import and remove customer-provided key material (AWS Documentation: Importing key material for AWS KMS keys)

Domain 6: Management and Security Governance (14%)

Task Statement 6.1: Develop a strategy to centrally deploy and manage AWS accounts.

Knowledge of:

Skills in:

Task Statement 6.2: Implement a secure and consistent deployment strategy for cloud resources.

Knowledge of:

  • Deployment best practices with infrastructure as code (IaC) (for example, AWS CloudFormation template hardening and drift detection) (AWS Documentation: AWS CloudFormation best practices)
  • Best practices for tagging (AWS Documentation: Best Practices for Tagging AWS Resources)
  • Centralized management, deployment, and versioning of AWS services
  • Visibility and control over AWS infrastructure

Skills in:

Task Statement 6.3: Evaluate the compliance of AWS resources.

Knowledge of:

Skills in:

Task Statement 6.4: Identify security gaps through architectural reviews and cost analysis.

Knowledge of:

Skills in:

AWS Cheat Sheet

The AWS cheat sheet collects the basic terms in the AWS landscape: the AWS services themselves, together with background on AWS (Amazon Web Services) and cloud computing in general.

Cloud Computing and Services

The AWS cheat sheet provides details about cloud computing and its different forms. Cloud computing means using computing resources delivered over the internet from many remote servers; it is useful for storing data centrally and accessing computing services on demand. Cloud computing mainly comes in three deployment models: public, private, and hybrid cloud.

  • In the public cloud, a third-party provider delivers resources and services to customers over the internet.
  • In the private cloud, resources and services are provisioned and managed exclusively for a single organization.
  • A hybrid cloud combines traits of both the public and the private cloud.

AWS Influence 

AWS influence plays an essential role in the formation of the AWS Cloud Practitioner cheat sheet. It gives a clearer insight into the impact of AWS and its likely trends in the near future. Nowadays, almost every organization that uses computers has a use case relevant to AWS services, which is a clear indication that AWS is a trustworthy alternative to conventional solutions, for example using S3 Glacier in place of tape archives.

Initially started as a cloud-based solution for storage and computing services, AWS now covers almost every area, such as databases, business productivity, virtual desktops, IoT development, machine learning, and analytics. Furthermore, AWS offers better adaptability for the growth of startups that lack the resources to fund traditional datacenter deployments.

AWS Region, AZs, Edge locations

One of the essential terms in the AWS glossary is the AWS Region. The following entries in the AWS cheat sheet cover the crucial aspects of how AWS lays out its infrastructure.

  • Every Region is a separate geographic area, completely independent and isolated from the other Regions. This isolation helps achieve the greatest possible fault tolerance and stability.
  • Interaction between Regions takes place across the public Internet.
  • All Regions have multiple Availability Zones.
  • Each AZ is isolated and geographically separated from the others, and is designed as an independent failure zone.
  • AZs within a Region are connected by low-latency private links (not the public internet).

AWS Services

  • Compute
  • Storage
  • Database
  • Developer Tools
  • Security, Identity, & Compliance
  • Cryptography & PKI
  • Machine Learning
  • Management & Governance
  • Migration & Transfer
  • Mobile
  • Networking & Content Delivery
  • Media Services
  • End-User Computing
  • Analytics
  • Application Integration
  • Business Applications
  • Satellite
  • Robotics
  • Blockchain
  • Game Development
  • Internet of Things (IoT)
  • Customer Enablement Services
  • Customer Engagement
  • AR & VR
  • SDKs & Toolkits
  • General Reference
  • AWS Management Console
  • Additional Resources

Expert’s Corner

To conclude, AWS is a strong pillar on which you can build a stable career in the field of Information Technology. It is fair to say that AWS certification is a great opportunity to enhance your skills and experience. It not only gives you a respected position in your company but also offers higher pay in comparison to your peers.

The above article on the AWS Certified Security-Specialty exam was written in response to the increasing demand for the exam. It addresses every important detail. The exam is not especially tough, as it mainly covers features and services that you would have used in your day-to-day work on AWS, or services whose purpose is clearly defined. All you need is a focused mindset and proper preparation to pass the exam with ease.

Still got questions? Feel free to ask. We would love to hear from you. 
