Top 5 things you must know to pass the AWS Security Specialist exam

February 27, 2023 by Joe South

After passing the CCSP certification, I sought certification to enhance my skills in my company’s cloud provider, AWS. I reviewed the certifications, saw the AWS Security Specialist, and assumed this was the one for me since I am a security professional. I wasn’t entirely wrong, but I should have started with the AWS Solutions Architect Associate (SAA) certification. 


The AWS Security Specialist certification assumes you have the AWS SAA certification, making it very difficult to take it without the SAA. Despite this caveat that I didn’t know then, I still passed the certification on my first attempt. This blog will help you with your AWS security training and tell you the top five things you must know to pass this certification on your first attempt. 

1. Learn to think backward with IAM

IAM is likely the most complex part of this exam. You can have user accounts whose permissions and roles change what the account can do, and automated accounts and service-to-service accounts have that same ability. 

You must understand the basics of IAM and least privilege, and whenever possible let the service set up the account it uses to connect to another service. On the exam, you will face several questions that describe a problem to you and state that a permission is broken. 

You are supposed to determine where to fix it in the least amount of time and effort. The best way to accomplish this is to think about the problem backward. What is the end service? What is the user or service trying to access? If it is a service, a service account is the way to go. 

Next, you must ask yourself what action is being attempted. Is it a read, a write or an edit? This determines what kind of permission needs to be in place. 

Finally, ask yourself where this connection starts. If you can answer those three questions, you will be in a much better position to answer the question on the exam. 
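The three questions above mapped onto a single IAM role, as an added CloudFormation example that is not from the original post: the target is one prefix in a bucket, the action is read, and the origin is the EC2 service, so the role is a service account rather than a user. The bucket name, prefix and role names are constructed placeholders.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Constructed example: a role built by answering the three questions backward (target, action, origin)",
  "Resources": {
    "ReportReaderRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "report-reader",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "OriginIsTheEc2Service",
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Action": "sts:AssumeRole"
          }]
        },
        "Policies": [{
          "PolicyName": "read-only-reports-prefix",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "ActionIsReadTargetIsOnePrefix",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-reports-bucket/reports/*"
              },
              {
                "Sid": "ListOnlyThatPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::example-reports-bucket",
                "Condition": { "StringLike": { "s3:prefix": ["reports/*"] } }
              }
            ]
          }
        }]
      }
    },
    "ReportReaderProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [{ "Ref": "ReportReaderRole" }] }
    }
  }
}
```

Each Sid names the question it answers; note that listing is a separate action on the bucket itself, so it gets its own statement scoped to the same prefix with the s3:prefix condition.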

2. Understand data storage nuances

Data storage is a huge topic in AWS cloud security since you are storing what could be your most precious data on someone else's computer. Securing and storing that data will be the most important topic you encounter, and on the exam there is an emphasis on knowing how, where and for how long to store your data. 

Understanding when to use AWS S3 Glacier and when not to will be crucial to passing this exam. You must know when to use S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval and S3 Glacier Deep Archive. 

You will need to understand the nuances around each choice. For instance, if you send something to Deep Archive, when can you retrieve it? Is there a grace period for retrieving this data? What happens if you go beyond that grace period? You'll encounter all these questions on the exam, so you must understand the different storage options and when they apply to different situations in AWS. 

3. AWS Config and SCPs are your friends

If you have ever taken one of my courses, then you have probably heard me say that the security professional's job is not to tell people they can’t use something in the cloud but to secure whatever they do in the cloud. 

This is accomplished via AWS Config and service control policies (SCPs). The combination of these two AWS features will allow you to ensure that your developers are only using the services you have verified and secured. This combination will also correct common security issues in the environment. For example, suppose you have a policy that all S3 buckets must be encrypted, and someone creates one that isn't encrypted. In that case, AWS Config can encrypt that S3 bucket automatically to ensure the security posture of the environment is maintained. 

On the exam, you will be faced with many questions about which service to use, when to use it and what service best fits a use case. It will be critical for you to understand AWS Config and SCPs.
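The unencrypted-bucket scenario above, as an added CloudFormation example that is not from the original post: an AWS Config managed rule flags buckets without server-side encryption, an automatic remediation runs the AWS-EnableS3BucketEncryption SSM document against each non-compliant bucket, and an SCP stops every principal except the remediation role from changing bucket encryption. It assumes the stack is deployed from an organization management account that also has Config enabled; the account ID, OU ID and role name are placeholders.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Constructed example: Config detects and auto-remediates unencrypted S3 buckets; SCP protects the result",
  "Resources": {
    "S3EncryptionRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "s3-bucket-sse-enabled",
        "Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" },
        "Scope": { "ComplianceResourceTypes": ["AWS::S3::Bucket"] }
      }
    },
    "S3EncryptionRemediation": {
      "Type": "AWS::Config::RemediationConfiguration",
      "Properties": {
        "ConfigRuleName": { "Ref": "S3EncryptionRule" },
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-EnableS3BucketEncryption",
        "Automatic": true,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
          "BucketName": { "ResourceValue": { "Value": "RESOURCE_ID" } },
          "SSEAlgorithm": { "StaticValue": { "Values": ["AES256"] } },
          "AutomationAssumeRole": { "StaticValue": { "Values": ["arn:aws:iam::111122223333:role/ConfigRemediationRole"] } }
        }
      }
    },
    "ProtectBucketEncryptionScp": {
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Name": "protect-s3-bucket-encryption",
        "Type": "SERVICE_CONTROL_POLICY",
        "TargetIds": ["ou-placeholder-00000000"],
        "Content": {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "OnlyRemediationRoleChangesBucketEncryption",
            "Effect": "Deny",
            "Action": "s3:PutEncryptionConfiguration",
            "Resource": "*",
            "Condition": { "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/ConfigRemediationRole" } }
          }]
        }
      }
    }
  }
}
```

Because DeleteBucketEncryption is authorized by the same s3:PutEncryptionConfiguration action, the single deny statement blocks both removing and altering bucket encryption for everyone except the remediation role; widen the exemption for administrators who legitimately need to switch buckets to KMS keys.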

4. Using a least privilege methodology 

As I stated earlier, IAM is close to everything from a security perspective in the cloud. You must always pay attention to IAM and the permissions you are assigning. Keeping this in mind, the least privilege methodology applies not only to accounts but also to the network and the other assets in the environment. 

On the exam, you will be asked about the nuances of network security and how to better secure a vulnerable network. Using the least privilege methodology, you can narrow the scope to the originating and destination points and secure the path in between. This is what a least privilege approach looks like for networking. 

On the exam, you will encounter many questions like this, where you must dissect a problem and devise the simplest solution. Thinking about least privilege will lead you to the right answer, since that is what the exam is looking for. 

5. Read and reread the AWS security certification questions before answering

This may seem overkill, but it is critical that you read, reread and sometimes reread the question a third time before choosing an answer. These questions are tough and will include many details that do not impact the situation. These details are in place to distract you from what you need to focus on. 

Reading each question several times will give you the best chance to avoid falling for these trick questions. When I take an exam like this, I typically read the question to try and identify what they are asking. I will then reread it and point out the information that has no value in the question. Once that is complete, I will reread the question emphasizing the information I need to know to answer the question. Only then do I start reading the answers. This way, you can form your answer on your own without being influenced by the answers below. 


This exam is difficult and is one of the hardest exams out there, but earning this AWS security certification will pay dividends in your career. Take the time to learn the material inside and out, and take your exam and pass it on your first attempt. I have also created an AWS Security Specialist course for this exam that cuts through all the fluff of the exam and gives you what you need to know to pass it on your first attempt. 

For more on AWS security and cloud engineering careers, visit Infosec's Cloud Engineer Hub!

Joe South

Joe South has worked at companies of all sizes across multiple industries. Joe is currently in a role where he is empowered to introduce new and innovative solutions to increase the security posture of his organization. He enjoys teaching others what he’s learned and is the creator of a blog where he helps others get into cybersecurity and build a successful career.

Joe worked in vulnerability management, securing applications that served military and Department of Defense clients. He later expanded his skillset by diving into complex identity and access management (IAM) toolsets, where he designed solutions for Fortune 500 companies across HIPAA, PCI and financial industries. He also architected solutions for companies to move into AWS, Azure and GCP while maintaining or increasing their security posture. Joe has his CCSP, AWS Security Specialty and AWS CCP certifications, among others.