AWS Certified Security – Speciality (SCS-C01) Exam Learning Path


I recently cleared the AWS Certified Security – Speciality (SCS-C01) with a score of 939/1000. Compared with the Advanced Networking – Speciality exam, the Security – Speciality was not as tough, mainly because it covers features and services you would have used in your day-to-day work on AWS, or services that have a clear demarcation of their purpose.

The AWS Certified Security – Speciality (SCS-C01) exam focuses on AWS security and compliance concepts. It validates:

  • An understanding of specialized data classifications and AWS data protection mechanisms.
  • An understanding of data-encryption methods and AWS mechanisms to implement them.
  • An understanding of secure Internet protocols and AWS mechanisms to implement them.
  • A working knowledge of AWS security services and features of services to provide a secure production environment.
  • Competency gained from two or more years of production deployment experience using AWS security services and features.
  • The ability to make tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements.
  • An understanding of security operations and risks.

Refer to AWS Certified Security – Speciality Exam Guide

AWS Certified Security – Speciality (SCS-C01) Exam Summary

  • The AWS Certified Security – Speciality exam, as its name suggests, covers a lot of security and compliance concepts for the VPC, EBS, S3, IAM and KMS services.
  • One of the key tactics I follow when solving any AWS exam question is to read the question and use paper and pencil to draw a rough architecture, then focus on the areas that need improving. Trust me, you will be able to eliminate two answers for sure and then need to focus on only the other two. Read those two answers to check where they differ; that will help you reach the right answer, or at least give you a 50% chance of getting it right.
  • Be sure to cover the following topics
    • Security, Identity & Compliance
      • Make sure you know all the services and deep dive into IAM, KMS.
      • Identity and Access Management (IAM)
      • Deep dive into Key Management Service (KMS). There would be quite a few questions on this.
      • Understand AWS Cognito esp. User Pools
      • Know AWS GuardDuty as a managed threat detection service
      • Know AWS Inspector as an automated security assessment service that helps improve the security and compliance of applications deployed on AWS
      • Know Amazon Macie as a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS
      • Know AWS Artifact as a central resource for compliance-related information that provides on-demand access to AWS’ security and compliance reports and select online agreements
      • Know AWS Certificate Manager (ACM) for certificate management. (hint : To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region)
      • Know Cloud HSM as a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud
      • Know AWS Secrets Manager to protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle
      • Know AWS Shield esp. the Shield Advanced option and the features it provides
      • Know WAF as a Web Application Firewall (hint: WAF can be attached to CloudFront, Application Load Balancer and API Gateway to dynamically detect and block attacks)
    • Networking & Content Delivery
      • Understand VPC
        • Understand VPC Endpoints, esp. the services supported by Gateway and Interface Endpoints. Interface Endpoints are also called PrivateLink endpoints (hint: application endpoints can be exposed privately using PrivateLink)
        • Understand VPC Flow Logs, which capture information about the IP traffic going to and from network interfaces in the VPC (hint: flow logs can help detect port scans but do not provide packet inspection)
      • Know Virtual Private Network & Direct Connect for establishing secure, low-latency connectivity between an on-premises data center and an AWS VPC
      • Understand CloudFront esp. with S3 (hint: Origin Access Identity to restrict direct access to S3 content)
      • Know Elastic Load Balancer at high level esp. End to End encryption.
    • Management & Governance Tools
      • Understand AWS CloudWatch for Logs and Metrics. Also, CloudWatch Events provides more real-time alerting compared to CloudTrail
      • Understand CloudTrail for audit and governance (hint: CloudTrail can be enabled for all regions at one go and supports log file integrity validation)
      • Understand AWS Config and its use cases (hint: AWS Config rules can be used to alert for any changes and Config can be used to check the history of changes. AWS Config can also help check approved AMIs compliance)
      • Understand that CloudTrail provides the WHO and Config provides the WHAT.
      • Understand Systems Manager
        • Systems Manager provides Parameter Store, which can be used to manage secrets (hint: Parameter Store is cheaper than Secrets Manager for storage when usage is limited)
        • Systems Manager provides agent-based and agentless modes (hint: agentless mode does not track processes)
        • Systems Manager Patch Manager helps select and deploy operating system and software patches automatically across large groups of EC2 or on-premises instances
        • Systems Manager Run Command provides safe, secure remote management of your instances at scale without logging into the servers, replacing the need for bastion hosts, SSH, or remote PowerShell
      • Understand AWS Organizations to control what member accounts can do (hint: it can also restrict the root user of member accounts)
      • Know AWS Trusted Advisor
    • Storage
    • Compute
      • Know how EC2 accesses services using an IAM role and Lambda using an execution role.
    • Integration Tools
      • Know how CloudWatch integration with SNS and Lambda can help with notification (these topics are not required in detail)
    • Whitepapers and articles
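The VPC Flow Logs hint above (flow logs help spot port scans but cannot inspect packets) in practice, as an added example that is not part of the original post: a parser for the default version 2 flow log record format and a connection-level heuristic that flags a source whose rejected flows touch many distinct ports on one host. The account ID, interface ID, addresses and threshold are constructed sample values.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def _rec(src, dst, sport, dport, action, t):
    # Build one constructed v2 flow log line (sample data, not real traffic).
    return (f"2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 1 60 "
            f"{t} {t + 60} {action} OK")

# Constructed sample: 198.51.100.7 probes TCP ports 20-31 on 10.0.1.15 and is
# rejected every time; 203.0.113.9 is ordinary traffic with one stray REJECT.
SAMPLE_LOG = "\n".join(
    [_rec("198.51.100.7", "10.0.1.15", 41000 + i, 20 + i, "REJECT", 1600000000 + i)
     for i in range(12)]
    + [_rec("203.0.113.9", "10.0.1.15", 52000 + i, 443, "ACCEPT", 1600000100 + i)
       for i in range(3)]
    + [_rec("203.0.113.9", "10.0.1.15", 52010, 8080, "REJECT", 1600000200)]
)

def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, skipping NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line; ignore it
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic fields worth reasoning about
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records

def find_port_scans(records, min_ports=10):
    """Return {(srcaddr, dstaddr): sorted rejected ports} for pairs whose REJECTed
    flows hit at least min_ports distinct destination ports. Flow logs hold only
    5-tuples and verdicts, so this is a connection-level heuristic, not DPI."""
    rejected = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            rejected[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {pair: sorted(ports) for pair, ports in rejected.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(parse_flow_log(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, rejected ports {ports}")
```

The threshold and the REJECT-only filter are tuning knobs; in a real account you would feed records from the flow log destination (S3 or CloudWatch Logs) and raise an alert through CloudWatch or SNS.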

AWS Certified Security – Speciality (SCS-C01) Exam Resources

27 thoughts on “AWS Certified Security – Speciality (SCS-C01) Exam Learning Path”

  1. Hey Jay, is the Braincert AWS Certified Security – Speciality Practice Exams really helpful, and do you recommend any other practice test?

  2. It’s T J. I followed your instructions again and, no surprise, passed the exam with a higher score than 939 😉 HAHA. Thank you for everything you collect and summarize – everything is well-organized, informative and freshest.

    My next target is the Big Data Specialty. Would you mind sharing something with us?

    1. Congrats TJ, that was a very good score. Just a quick one, did you use the Braincert practice test in your preparation for the exam as Jay suggested, and was it any useful?

      Thanks


  3. Hi,
    Can you please clarify the below question.

    A company wants to enable single sign-on (SSO) so its employees can log in to the management console using their corporate directory identity. Which steps below are required as part of the process? (Select 2)

    Answers:-

    A. Create a Direct Connect connection between the corporate network and the AWS region with the company’s infrastructure.
    B. Create IAM policies that can be mapped to group memberships in the corporate directory.
    C. Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
    D. Create IAM users that can be mapped to the employees corporate identities.
    E. Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider(IdP).

    Right Answer:- A,D

    But some websites mention the right answer as B,D.

    Answer B – Create IAM policies that can be mapped to group memberships in the corporate directory is wrong.
    (Because IAM policies are not directly mapped to group memberships in the corporate directory.
    IAM roles are mapped.)

    Please advise,

    Thanks,
    Iyappan.M

  4. A company wants to enable single sign-on (SSO) so its employees can log in to the management console using their corporate directory identity. Which steps below are required as part of the process? (Select 2)

    Answers:-

    A. Create a Direct Connect connection between the corporate network and the AWS region with the company’s infrastructure.
    B. Create IAM policies that can be mapped to group memberships in the corporate directory.
    C. Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
    D. Create IAM users that can be mapped to the employees corporate identities.
    E. Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider(IdP).

    Right answers:- A,D.

    But some websites mention the answers as B,D.

    Answer B:- Create IAM policies that can be mapped to group memberships in the corporate directory is wrong.

    (Because IAM policies are not directly mapped to group memberships in the corporate directory.
    IAM roles are mapped.)

    Please advise.

    Thanks,
    Iyappan.M

  5. Hi, I’ve been working in the security field for about three years now and do not have any experience working in an AWS environment.

    I’m planning to take the security speciality cert to improve my profile.

    My question is, is it possible for someone without any real work experience handling AWS workloads to crack this test by just studying the content of ACG and Linux academy and white papers and whatever I can get my hands on?

    1. Hi Sanjay,

      AWS Security focuses more on the AWS Security services like KMS, Encryption with various other services at rest and in transit, IAM and fine grained access control. So with a security background it surely gives you a jump start as you don’t need to understand the concepts but focus mostly on AWS pieces and it can be cleared easily without practical experience.

  6. Hi,
    Have you compared the acloudguru course for security speciality? Is it in line with the linuxacademy course? I need to buy one of those.
    Please suggest.

    Regards,
    Rohit

    1. For Speciality exams, I haven’t checked acloudguru courses. I used Linux Academy mostly, but surely it does not cover all the details that are required for the exam. Check for the practice tests in the resources; they can be a great help in building and preparing for the exam.

    1. Not seen much on Whizlabs lately, but have good feedback for Braincert. But then use the practice exams to clear the concepts. As long as you do not treat them as dumps, the associate exams are easy to clear.

      1. Hi Jay,
        I have passed the exam with a score of 860. Thank you for centralizing the content and studying material.

        Would be great if you share your LinkedIn profile.

  7. I don’t have daily experience in working with AWS, but will I be able to complete the AWS Security certification with the course offered by Linux Academy or acloudguru?
