22 July 2024

AWS Security Exam Prep

Passing the AWS Security Specialty (SCS-C02) with Ewan Allan


I have recently passed the AWS Security Specialty. I passed the previous SCS-C01 about 3 years ago and, to be honest, this one has really ramped up the difficulty. It feels like a proper specialty exam now.

For the exam preparation, I used a combination of a course from Adrian Cantrill (https://learn.cantrill.io/) and exam practice tests from Tutorials Dojo (https://tutorialsdojo.com/).

While these are both good resources, there were still questions on the exam that hadn't been covered by either of them. For example, a few questions came up about Audit Manager in the exam, and I hadn't even looked at this service because it wasn't covered!

It's my fault; I should have read through the AWS exam guide (https://d1.awsstatic.com/train...) to make sure I'd done enough revision. I've just checked Stephane Maarek's course (https://www.udemy.com/course/u...) and he, at least, has a 2-minute video on Audit Manager. His course is MUCH cheaper than Adrian Cantrill's too.


General tips:

READ THE EXAM GUIDE!

Mark off the parts you have revised to make sure you don't miss anything. My question bank will be different than yours but nothing outside this guide will come up on your exam.

Know these services inside out:

  • Know IAM inside and out, especially SCPs, conditions and trust policies
  • KMS. Know which keys you can rotate and how to rotate them, how the different keys work and how encryption is handled in different services even if it's not through KMS. Knowing how to share keys securely will help.
  • CloudWatch logging and metrics. Troubleshooting alarms came up quite a bit in the questions I had, along with which permissions you need to be able to write to CloudWatch Logs.
  • CloudTrail
  • CloudFront
  • VPC and networking, especially VPC endpoints
  • Amazon Certificate Manager

Know what these are and how they work at least - it will help if you have some experience of them:

  • Security Hub
  • Inspector
  • Audit Manager - I didn't see this covered in any training material so do your own research
  • GuardDuty
  • Resource Access Manager - this was only briefly covered in my training material but I had some quite in-depth questions on the exam.
  • Detective
  • Config and its remediations
  • Understand DNSSEC and the records that need to be added for it to work
  • AWS Signer
  • Amazon Identity Center and how SSO works
  • Trusted Advisor
  • CloudFormation and CloudFormation Guard

If you can, try these services out. Services like Detective and GuardDuty give a 30-day free trial. Getting used to the layout and getting hands-on with how the services work is very helpful.

Remember that AWS will always prefer using AWS services over third parties and the questions reflect that. Choose the AWS option if you are torn between a third party option and an AWS service.

Good luck on the exam!


Your next steps to securing your cloud environments

You should take a security-first approach when developing in the cloud, as it's something that should never be underrated.

We are keen to support clients and organisations with their security needs on cloud with AWS, Azure and Google Cloud, so if you are interested in engaging a trusted provider, then please get in touch using the details below:


Calum Mather (General Manager)

calum@inov8consulting.co.uk

07342 742 605
