AWS Security Exam Tips

First of all, I want to update you all that I’ve passed my AWS Security Specialty exam!


There aren’t many resources on the web related to preparing for this exam.

So, in this post, I’m compiling all the resources that I’ve gone through. I will keep adding to this list. If you have any suggestions, please comment below.


Notes after passing the exam:

1) Practice, practice, practice: as many topics as you can. I took the beta exam and missed it by 4 questions. Before I retook it I practiced almost all the topics to get a better idea:
  • SSM Run Command
  • Certificate Manager
  • KMS encryption
  • NACL tightening
  • Config Rules
  • CloudWatch and CloudTrail logs
  • Data security
  • CloudFront distributions
  • and more

2) Eliminate the wrong choices: this helped me the most during the test. Look out for a keyword that invalidates an answer choice, e.g. you can’t have a deny rule in a security group (security groups are allow-only; explicit deny rules exist only in network ACLs).

3) Be ready to find the MOST secure choice: there might be two right solutions, but there’s always a most secure one among the given choices. Be ready to find the best answer.

4) When asked, be ready to find the choice that fulfills the requirement and is not necessarily the most secure.

5) Read the question and the answer choices really carefully.

6) Buy a practice exam: from Amazon (official) or Whizlabs. Both helped me a lot, but don’t depend on them alone. See tip no. 1.


Official Exam guide and blueprint:

Official Practice Exam (10 Questions):



DOMAIN 1: Incident Response

Incident Response

Automated alerting

Readiness test


Engaging AWS

Compliance frameworks

PCI DSS for credit card data

HIPAA for health data


ISO 27001

DOMAIN 2: Logging and Monitoring

CloudTrail Logs: AWS CloudTrail is a service that captures API calls made by or on behalf of your AWS account. This information is collected and written to log files that are stored in an Amazon S3 bucket that you specify. API calls are logged whenever you use the API, the console, or the AWS CLI. Using the information collected by CloudTrail, you can determine what request was made, the source IP address the request was made from, who made the request, when it was made, and so on.

CloudTrail topics to know for the exam:

  • CloudTrail log file integrity validation: CloudTrail delivers signed digest files alongside the logs; you check them with aws cloudtrail validate-logs.
  • Restricting users in your account from seeing the CloudTrail Event History:
    CloudTrail integrates with AWS Identity and Access Management (IAM), which allows you to control access to CloudTrail and to the other AWS resources that CloudTrail requires, including the ability to restrict permissions to view and search account activity. This is accomplished by removing “cloudtrail:LookupEvents” from the user’s IAM policy, which then prevents that IAM user from viewing account activity.
  • Applying a trail to all regions.
  • By default, CloudTrail log files are encrypted using S3 server-side encryption (SSE-S3) and placed into your S3 bucket; you can optionally choose SSE-KMS with a CMK you control.
  • Log file aggregation across accounts: you can configure one S3 bucket as the destination for multiple accounts (the bucket policy must allow CloudTrail to write each account’s prefix).
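The kind of triage the CloudTrail description above enables (who, from where, when, which API call), as an added example that is not from the original post. The log body below is constructed but follows the real CloudTrail file layout (a Records array with eventName, userIdentity, sourceIPAddress, eventTime); the rule names and the sample principals are invented.

```python
"""Triage CloudTrail records for high-signal security events.

Added example (not from the original post). SAMPLE_LOG is a constructed
CloudTrail log file body; real files are gzip-compressed JSON objects
of the same shape, one per delivery, in the S3 bucket of the trail.
"""
import json
from datetime import datetime

SAMPLE_LOG = json.dumps({
    "Records": [
        {   # someone switching the trail off: blinds every later detection
            "eventVersion": "1.05", "eventTime": "2018-03-01T10:15:22Z",
            "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
            "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "requestParameters": {"name": "org-trail"},
        },
        {   # root console login without MFA
            "eventVersion": "1.05", "eventTime": "2018-03-01T10:16:40Z",
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
            "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
            "additionalEventData": {"MFAUsed": "No"},
            "responseElements": {"ConsoleLogin": "Success"},
        },
        {   # ordinary data-plane call from an instance role: not interesting
            "eventVersion": "1.05", "eventTime": "2018-03-01T10:17:05Z",
            "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.4",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
        },
    ]
})

# API calls that change or silence the audit trail itself.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record):
    """Best available name for the principal behind a record."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def triage(log_body):
    """Return a list of findings, one dict per matched rule."""
    findings = []
    for rec in json.loads(log_body)["Records"]:
        name = rec.get("eventName")
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        base = {"time": when.isoformat(), "who": actor(rec),
                "ip": rec.get("sourceIPAddress"), "event": name}
        if name in TRAIL_TAMPER:
            findings.append(dict(base, rule="cloudtrail-tampering"))
        elif name == "ConsoleLogin":
            success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if rec.get("userIdentity", {}).get("type") == "Root":
                findings.append(dict(base, rule="root-console-login"))
            if success and not mfa:
                findings.append(dict(base, rule="console-login-without-mfa"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']:28} {f['who']} from {f['ip']} ({f['event']})")
```

In practice this logic would sit in a Lambda function fed by the trail’s S3 bucket or a CloudWatch Logs subscription; the point of the example is which fields to key on, and that trail-tampering events deserve their own rule because they undermine every other one.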


CloudWatch Events: you can use CloudWatch Events to trigger a Lambda function if a certain pattern is

AWS Config: AWS Config enables continuous monitoring of your AWS resources, making it simple to assess, audit, and record resource configurations and changes. AWS Config does this through the use of rules that define the desired configuration state of your AWS resources. AWS Config provides a number of AWS managed rules that address a wide range of security concerns, such as checking whether you encrypted your Amazon Elastic Block Store (Amazon EBS) volumes, tagged your resources appropriately, and enabled multi-factor authentication (MFA) for the root account. You can also create custom rules to codify your compliance requirements through the use of AWS Lambda functions.

  1. Records a snapshot of all your resources and what changes have been made to them.
  2. Helps you achieve continuous compliance, continuous monitoring, continuous assessment, change management and operational troubleshooting.
  3. Shows you a timeline of configuration changes.
  4. Shows you all the dependencies, so you can see the impact of a modified security group on the EC2 instances that use it.
  5. AWS managed rules and custom rules. Example rule: all data at rest must be encrypted.

Use case: if someone turns off VPC Flow Logs, a configuration-change trigger (a Config rule, or a CloudWatch Events rule on the CloudTrail API event) invokes a Lambda function that turns them back on and keeps you compliant.

Use case: disable access keys that haven’t been used for 1 month (this is a periodic trigger).
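The second use case worked through as a periodic custom rule, as an added example that is not from the original post. The evaluation logic is pure Python and runs offline against a constructed key inventory; the Lambda handler at the bottom wires it to IAM and AWS Config with boto3 calls that only run inside Lambda. The user names, key IDs and dates are invented.

```python
"""Periodic AWS Config rule: flag and disable access keys unused for 30 days.

Added example, not code from the original post. The rule is created with
a periodic (ScheduledNotification) trigger; lambda_handler needs
iam:List*, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and
config:PutEvaluations on the function's role.
"""
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_AGE_DAYS = 30

# Constructed inventory, shaped like iam.list_access_keys() joined with
# iam.get_access_key_last_used(). A never-used key has no LastUsedDate,
# so its CreateDate is used as the idle reference instead.
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": "2017-11-01T00:00:00Z", "LastUsedDate": "2018-02-27T00:00:00Z"},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": "2017-11-01T00:00:00Z", "LastUsedDate": "2018-01-10T00:00:00Z"},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": "2017-12-20T00:00:00Z", "LastUsedDate": None},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": "2017-01-01T00:00:00Z", "LastUsedDate": "2017-01-02T00:00:00Z"},
]
NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)   # fixed clock for the offline run


def _parse(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def evaluate_key(key, now=None, max_age_days=MAX_AGE_DAYS):
    """Return (compliance_type, annotation) for one access key."""
    now = now or datetime.now(timezone.utc)
    if key["Status"] != "Active":
        return "COMPLIANT", "key already inactive"
    idle = (now - _parse(key["LastUsedDate"] or key["CreateDate"])).days
    if idle >= max_age_days:
        return "NON_COMPLIANT", f"unused for {idle} days"
    return "COMPLIANT", f"last used {idle} days ago"


def stale_keys(keys, now=None, max_age_days=MAX_AGE_DAYS):
    """Access key IDs that the rule would deactivate."""
    return [k["AccessKeyId"] for k in keys
            if evaluate_key(k, now, max_age_days)[0] == "NON_COMPLIANT"]


def evaluations_by_user(keys, now=None):
    """Collapse per-key results into one AWS::IAM::User evaluation each."""
    out = {}
    for k in keys:
        ctype, note = evaluate_key(k, now)
        entry = out.setdefault(k["UserName"], ["COMPLIANT", []])
        if ctype == "NON_COMPLIANT":
            entry[0] = "NON_COMPLIANT"
            entry[1].append(f"{k['AccessKeyId']} {note}")
    return {u: (c, "; ".join(n) or "all keys recently used") for u, (c, n) in out.items()}


def lambda_handler(event, context):
    """Entry point for the custom rule (pagination omitted for brevity)."""
    import boto3  # present in the Lambda runtime; not imported for the offline run
    iam, config = boto3.client("iam"), boto3.client("config")
    keys = []
    for user in iam.list_users()["Users"]:
        for k in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
            used = iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"]
            last = used.get("LastUsedDate")
            keys.append({"UserName": user["UserName"], "AccessKeyId": k["AccessKeyId"],
                         "Status": k["Status"], "CreateDate": k["CreateDate"].strftime(FMT),
                         "LastUsedDate": last.strftime(FMT) if last else None})
    # Remediate by disabling, not deleting, so a mistaken key can be re-enabled.
    stale = set(stale_keys(keys))
    for k in keys:
        if k["AccessKeyId"] in stale:
            iam.update_access_key(UserName=k["UserName"], AccessKeyId=k["AccessKeyId"],
                                  Status="Inactive")
    ts = datetime.now(timezone.utc)
    evals = [{"ComplianceResourceType": "AWS::IAM::User", "ComplianceResourceId": user,
              "ComplianceType": ctype, "Annotation": note[:256], "OrderingTimestamp": ts}
             for user, (ctype, note) in evaluations_by_user(keys).items()]
    for i in range(0, len(evals), 100):   # PutEvaluations takes at most 100 per call
        config.put_evaluations(Evaluations=evals[i:i + 100], ResultToken=event["resultToken"])
```

A never-used key is measured from its creation date rather than skipped, otherwise keys created and forgotten would stay active forever, which is exactly the case the rule exists for.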

VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored in Amazon CloudWatch Logs. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
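What you can and cannot get out of those records, as an added example that is not from the original post. The lines are constructed but follow the default flow log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status); the addresses and the scanner threshold are invented.

```python
"""Scan VPC Flow Log records for scanning / brute-force style activity.

Added example (not part of the original post). Flow logs carry only
connection metadata, never payload, so detections are built on
address/port/action patterns as below.
"""
from collections import defaultdict

# Constructed records in the default 14-field format. The last line is a
# NODATA record: no traffic in the window, so the address fields are "-".
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51000 22 6 1 60 1519900000 1519900060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.21 51001 22 6 1 60 1519900000 1519900060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.22 51002 22 6 1 60 1519900001 1519900061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.23 51003 22 6 1 60 1519900001 1519900061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.24 51004 3389 6 1 60 1519900002 1519900062 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 40001 443 6 12 8900 1519900005 1519900065 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.1.30 33000 3306 6 30 4500 1519900010 1519900070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1519900010 1519900070 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse(text):
    """Parse default-format records; drop NODATA/SKIPDATA rows, which carry no addresses."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        rows.append(rec)
    return rows


def rejected_by_source(rows):
    """Map source IP -> set of (destination, port) it was rejected from."""
    out = defaultdict(set)
    for r in rows:
        if r["action"] == "REJECT":
            out[r["srcaddr"]].add((r["dstaddr"], r["dstport"]))
    return out


def suspected_scanners(rows, min_targets=4):
    """Sources rejected from at least min_targets distinct host:port pairs."""
    return sorted(ip for ip, targets in rejected_by_source(rows).items()
                  if len(targets) >= min_targets)


def accepted_to_port(rows, port):
    """(src, dst) pairs that successfully reached a port, e.g. to audit DB access."""
    return [(r["srcaddr"], r["dstaddr"])
            for r in rows if r["action"] == "ACCEPT" and r["dstport"] == port]


if __name__ == "__main__":
    rows = parse(SAMPLE_RECORDS)
    print("suspected scanners:", suspected_scanners(rows))
    print("accepted MySQL flows:", accepted_to_port(rows, 3306))
```

Two caveats worth remembering for the exam as well as in practice: REJECT tells you a security group or NACL blocked the flow, not which one, and flow logs do not record traffic to the Amazon DNS server, the instance metadata service or DHCP, so those channels need other controls.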

DOMAIN 3: Infrastructure Security


Security Group

Bastion host


Whitelisting / Blacklisting

VPC Flow logs

AWS Web Application Firewall

DDos protection

Penetration Testing

EC2 Systems Manager

Using Service-Linked Roles for Systems Manager

DOMAIN 4: Identity and access Management




Access Keys


Know the CloudWatch Logs and CloudWatch API actions (log groups, log streams, the logs agent, metrics) that an IAM policy has to grant; for example, the CloudWatch Logs agent needs logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents and logs:DescribeLogStreams.

Web Identity Federation vs Cognito

DOMAIN 5: Data Protection

Data in Transit:




SSL certificates:

Perfect Forward Secrecy

Data at rest:

Server-side encryption (SSE-S3, SSE-KMS, SSE-C)

When S3 objects are encrypted, the object metadata is not encrypted (it is stored in plaintext), so sensitive metadata should not be kept there. The best option is to keep it in an encrypted DynamoDB table.

Client Side encryption

EBS encryption

DynamoDB encryption at rest.

KMS CMKs, data keys, grants

Other methods of securing data

Cloudfront signed cookies vs signed urls

KMS is featured heavily: 10-15 questions.

Buy my course on Udemy, where I cover all the KMS concepts needed for the exam. It’s only $10.

Visit this link to buy:

KMS notes for the exam

  • If a CMK is disabled or pending deletion, the Key Rotation check box is cleared, and you cannot change it. This reminds you that AWS KMS does not rotate CMKs while they are disabled or pending deletion. The key rotation status is restored when you re-enable the CMK or cancel deletion.
  • Best way to rotate imported key material: create a new CMK and import the new material into it. Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias.
  • Automatic key rotation is available for all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is External), but you can rotate these CMKs manually.
  • You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed keys every three years (1095 days).
  • When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK’s older cryptographic material so it can be used to decrypt data that it encrypted.
  • AWS KMS condition keys: AWS KMS provides an additional set of predefined condition keys that you can use in key policies and IAM policies. These condition keys are specific to AWS KMS. For example, there is a condition key that lets you require a particular encryption context when controlling access to a KMS customer master key (CMK).
  • With conditions you can limit key use to calls made through a particular service (e.g. S3 or EC2). Expiry of key material is separate from conditions: for imported key material you choose an expiration time when you import it.
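How the two conditions mentioned above combine in one key policy statement, as an added example that is not from the original post. kms:ViaService and kms:EncryptionContext:<context-key> are real KMS condition keys; the evaluator below is a deliberately small simulation of one Allow statement (exact principal match, three string operators, no Deny statements or IAM policy merging), not AWS’s policy engine, and the role ARN, project names and service endpoint are invented.

```python
"""Simulate KMS-specific condition keys gating a key policy statement.

Added example, not from the original post and not the real IAM/KMS
evaluator: one Allow statement, StringEquals / StringEqualsIgnoreCase /
StringLike, and a request context holding kms:ViaService plus
kms:EncryptionContext:<key> entries.
"""
import fnmatch

# Hypothetical key policy statement: the key may only be used on behalf of
# app-role by S3 in us-east-1, and only with an encryption context whose
# "project" value starts with "payments-".
STATEMENT = {
    "Sid": "AllowS3UseWithContext",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
        "StringLike": {"kms:EncryptionContext:project": "payments-*"},
    },
}
ROLE = "arn:aws:iam::123456789012:role/app-role"


def _match(op, expected, actual):
    if actual is None:
        return False   # a context key absent from the request never satisfies a condition
    if op == "StringEquals":
        return actual == expected
    if op == "StringEqualsIgnoreCase":
        return actual.lower() == expected.lower()
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator {op}")


def _conditions_hold(condition, ctx):
    """Every operator block and every key inside it must match (AND); listed values are OR."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            if not any(_match(op, e, ctx.get(key)) for e in allowed):
                return False
    return True


def _action_allowed(patterns, action):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def is_allowed(statement, principal, action, request_context):
    """True iff this single Allow statement matches the request."""
    if statement["Effect"] != "Allow":
        return False
    if statement["Principal"].get("AWS") != principal:
        return False
    if not _action_allowed(statement["Action"], action):
        return False
    return _conditions_hold(statement.get("Condition", {}), request_context)


def demo():
    """Four requests against STATEMENT; only the first should be allowed."""
    via_s3 = {"kms:ViaService": "s3.us-east-1.amazonaws.com",
              "kms:EncryptionContext:project": "payments-prod"}
    direct = {"kms:EncryptionContext:project": "payments-prod"}   # KMS API called directly
    wrong_ctx = {"kms:ViaService": "s3.us-east-1.amazonaws.com",
                 "kms:EncryptionContext:project": "analytics"}
    return {
        "s3_with_context": is_allowed(STATEMENT, ROLE, "kms:Decrypt", via_s3),
        "direct_api_call": is_allowed(STATEMENT, ROLE, "kms:Decrypt", direct),
        "wrong_context": is_allowed(STATEMENT, ROLE, "kms:GenerateDataKey", wrong_ctx),
        "action_not_granted": is_allowed(STATEMENT, ROLE, "kms:ScheduleKeyDeletion", via_s3),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20} {'ALLOW' if allowed else 'DENY'}")
```

The direct-call case is the one to remember: a request that does not come through S3 carries no kms:ViaService key at all, so the StringEquals condition fails and the role cannot use the key outside that service even though it is named as the principal.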


Other Topics

DynamoDB encryption in-transit and at rest

Kinesis Encryption Options

Glacier Vaults

Where to terminate TLS

Perfect Forward Secrecy, Server Order Preference and predefined security policies (the TLS settings of an ELB listener).

Cloudwatch log groups vs streams

AWS Systems Manager Patch Manager: AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates.

How AWS Systems Manager Parameter Store uses AWS KMS:

SSM Agent Logs:

You can view SSM Agent logs on Linux instances in the following locations.


Inspector: understand how Inspector works and which rules packages are available.

For example, Inspector has a rule that evaluates insecure server protocols:

This rule helps determine whether your EC2 instances allow support for insecure and unencrypted ports/services such as FTP, Telnet, HTTP, IMAP, POP version 3, SMTP, SNMP versions 1 and 2, rsh, and rlogin.

Trusted Advisor vs Inspector:

The difference is:

  • Trusted Advisor applies to the AWS account and AWS services (account-level checks such as open security groups, IAM use, MFA on root)
  • Amazon Inspector applies to the contents of EC2 instances (the OS, installed packages and their configuration, via the agent)


AD and IAM: steps for Active Directory (AD) federation using IAM


AWS Key Management Service Cryptographic Details:

AWS Security Best Practices:

AWS Security at Scale : Logging in AWS:


Useful Links:

AWS Security Blog with lots of great posts/articles:

The Top 10 Most Downloaded AWS Security and Compliance Documents in 2017:

IAM best practices:

AWS Security Checklist ( Each point is clickable!):

AWS Incident Response Blog:


Videos to watch: