
AWS Certified Security - Specialty

This certification helps cloud security professionals to advance their knowledge on designing and implementing security solutions to secure the AWS platform.


Course Curriculum

1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.

    * Given an AWS Abuse report about an EC2 instance, securely isolate the instance as part of a forensic investigation.
    * Analyze logs relevant to a reported instance to verify a breach, and collect relevant data.
    * Capture a memory dump from a suspected instance for later deep analysis or for legal compliance reasons.

1.2 Verify that the Incident Response plan includes relevant AWS services.

    * Determine if changes to the baseline security configuration have been made.
    * Determine if the list omits services, processes, or procedures which facilitate Incident Response.
    * Recommend services, processes, and procedures to remediate gaps.

1.3 Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues.

    * Automate evaluation of conformance with rules for new/changed/removed resources.
    * Apply rule-based alerts for common infrastructure misconfigurations.
    * Review previous security incidents and recommend improvements to existing systems.

2.1 Design and implement security monitoring and alerting.

    * Analyze architecture and identify monitoring requirements and sources for monitoring statistics.
    * Analyze architecture to determine which AWS services can be used to automate monitoring and
    * Analyze the requirements for custom application monitoring, and determine how this could be
    * Set up automated tools/scripts to perform regular audits.

2.2 Troubleshoot security monitoring and alerting.

    * Given an occurrence of a known event without the expected alerting, analyze the service functionality and configuration and remediate.
    * Given an occurrence of a known event without the expected alerting, analyze the permissions and remediate.
    * Given a custom application which is not reporting its statistics, analyze the configuration and remediate.
    * Review audit trails of system and user activity.

2.3 Design and implement a logging solution.

    * Analyze architecture and identify logging requirements and sources for log ingestion.
    * Analyze requirements and implement durable and secure log storage according to AWS best
    * Analyze architecture to determine which AWS services can be used to automate log ingestion and

2.4 Troubleshoot logging solutions.

    * Given the absence of logs, determine the incorrect configuration and define remediation steps.
    * Analyze logging access permissions to determine incorrect configuration and define remediation
    * Based on the security policy requirements, determine the correct log level, type, and sources.

3.1 Design edge security on AWS.

    * For a given workload, assess and limit the attack surface.
    * Reduce blast radius (e.g. by distributing applications across accounts and regions).
    * Choose appropriate AWS and/or third-party edge services such as WAF, CloudFront and Route 53 to protect against DDoS or filter application-level attacks.
    * Given a set of edge protection requirements for an application, evaluate the mechanisms to prevent and detect intrusions for compliance and recommend required changes.
    * Test WAF rules to ensure they block malicious traffic.

3.2 Design and implement a secure network infrastructure.

    * Disable any unnecessary network ports and protocols.
    * Given a set of edge protection requirements, evaluate the security groups and NACLs of an application for compliance and recommend required changes.
    * Given security requirements, decide on network segmentation (e.g. security groups and NACLs) that allows the minimum ingress/egress access required.
    * Determine the use case for VPN or Direct Connect.
    * Determine the use case for enabling VPC Flow Logs.
    * Given a description of the network infrastructure for a VPC, analyze the use of subnets and gateways for secure operation.

3.3 Troubleshoot a secure network infrastructure.

    * Determine where network traffic flow is being denied.
    * Given a configuration, confirm security groups and NACLs have been implemented correctly.

3.4 Design and implement host-based security.

    * Given security requirements, install and configure host-based protections including Inspector,
    * Decide when to use a host-based firewall like iptables.
    * Recommend methods for host hardening and monitoring.

4.1 Design and implement a scalable authorization and authentication system to access AWS resources.

    * Given a description of a workload, analyze the access control configuration for AWS services and make recommendations that reduce risk.
    * Given a description of how an organization manages their AWS accounts, verify security of their root
    * Given your organization's compliance requirements, determine when to apply user policies and resource policies.
    * Within an organization's policy, determine when to federate a directory service to IAM.
    * Design a scalable authorization model that includes users, groups, roles, and policies.
    * Identify and restrict individual users of data and AWS resources.
    * Review policies to establish that users/systems are restricted from performing functions beyond their responsibility, and also enforce proper separation of duties.

4.2 Troubleshoot an authorization and authentication system to access AWS resources.

    * Investigate a user's inability to access S3 bucket contents.
    * Investigate a user's inability to switch roles to a different account.
    * Investigate an Amazon EC2 instance's inability to access a given AWS resource.

5.1 Design and implement key management and use.

    * Analyze a given scenario to determine an appropriate key management solution.
    * Given a set of data protection requirements, evaluate key usage and recommend required
    * Determine and control the blast radius of a key compromise event and design a solution to contain it.

5.2 Troubleshoot key management.

    * Break down the difference between a KMS key grant and an IAM policy.
    * Deduce the precedence given different conflicting policies for a given key.
    * Determine when and how to revoke permissions for a user or service in the event of a

5.3 Design and implement a data encryption solution for data at rest and data in transit.

    * Given a set of data protection requirements, evaluate the security of the data at rest in a workload and recommend required changes.
    * Verify the policy on a key such that it can only be used by specific AWS services.
    * Distinguish the compliance state of data through tag-based data classifications and automate
    * Evaluate a number of transport encryption techniques and select the appropriate method (i.e. TLS, IPsec, client-side KMS encryption).

Currently, AWS offers 12 certifications, which include 1 foundation-level certification, 3 associate-level certifications, 2 professional-level certifications, and 6 specialty-level certifications. As there is no prerequisite for any AWS certification, you can choose and take one or more certifications according to your skills, knowledge, experience, and expertise.

AWS Certified Security – Specialty questions include:

  1. Multiple-choice: has one correct response and three incorrect responses.
  2. Multiple-response: has two or more correct responses out of five or more options.

The important topics and concepts covered in the AWS Certified Security – Specialty Certification exam are:

  • S3
  • KMS
  • EBS, ELB, EC2 Auto Scaling
  • ElastiCache, Elastic Beanstalk
  • VPC, Route 53 basics, OpsWorks
  • IAM, IAM Policy, IAM User, IAM Group
  • CloudFormation, CloudWatch, CloudTrail

Yes, we provide a course completion certificate for online training courses.

Roles & Responsibilities of an AWS Security Specialist are:

  • Understanding and working on data encryption and methods to implement it.
  • Monitoring AWS security services and features to provide a secure environment.
  • Ability to make decisions regarding security and cost, and to deploy complex applications for given requirements.
  • Monitoring security and access control by utilizing AWS applications.
  • Knowledge of AWS mechanisms and secure Internet protocols, and how to implement them.
  • In-depth knowledge and understanding of operations security and risks.
  • Understanding of security controls for AWS workloads.
  • A minimum of five years of IT security experience designing and implementing security solutions.

The AWS Certified Security – Specialty certification is valid for three years from the date certified. You need to recertify to maintain your certification status.

To apply for the re-examination, sign in to www.aws.training and click on ‘Certification.’ Then, click on ‘AWS Certification Account,’ followed by ‘Schedule New Exam.’

Here are the steps to register for the AWS Certified Security – Specialty certification exam:

1. Go to https://www.aws.training/certification, and log in to your account.
2. Then, go to Upcoming exams > Eligible exams.
3. Select the AWS Certified Security – Specialty exam, and then select exam options.
4. Fill in the preferred exam language, exam details, preferred date and time, and then confirm the exam selection.
5. Finally, make the payment for the exam, and you are registered for the AWS certification exam.
