Passing the AWS Certified Security Specialty exam

Guidelines & tips for passing the AWS Security –Specialty Exam from someone who just passed it

The AWS Security Specialty certification sits at the intersection of two of the hottest trends in technology today - the cloud and security. If you work in the security arena, then taking your security knowledge and applying it to the cloud is a logical next step in expanding your expertise. If, like me, you work more on the cloud architecture and development side of the equation, understanding cloud security can help you design more secure systems. Building security into an application from the beginning is much easier than trying to retrofit security after the application has been built.

Before we begin, let me give you a bit of my background so you understand my perspective on the exam, which may differ from your own. I’m a Lead Software Engineer at Capital One. While security is a part of every system we build, most of my focus is spent on application development and architecting AWS resources for our applications. I have a background in security with CISSP, CEH, and GIAC GWEB certifications and have worked in various aspects of security over the years from network and firewall configuration to cybersecurity policy.

The AWS Certified Security - Specialty exam

Amazon recommends five years of IT security experience and at least two years of hands-on experience working with AWS security before taking the AWS Certified Security-Specialty exam. If you have taken any of the other AWS exams, you might be surprised to learn that the specialty exams are slightly more expensive at $300. The exam is broken down into five domains: Incident Response, Logging and Monitoring, Infrastructure Security, Identity and Access Management, and Data Protection. The domains are not weighted equally and some domains have more questions than others. The following table shows the percentage of questions for each security domain on the AWS Security-Specialty exam.  The details for each of these domains are covered in the next section.

Security domain Number questions
Incident response 12%
Logging and monitoring 20%
Infrastructure security 26%
Identity and access management 20%
Data protection 22%

Also, despite having the same 65 questions as an associate exam, you are given 170 minutes for these exams as opposed to the 130 minutes for the associate exams. The extra time is necessary as the questions are generally more complex and, in my opinion, more difficult than the questions on the associate exams. I finished the associate exams well under the time limit, but it took nearly the entire allotted time to complete and review the questions on the AWS Security-Specialty exam.

Like all AWS exams the questions are scenario based. While other exams may focus on the most cost-effective way to solve a problem, the security exam will give you questions that focus on a secure way to solve a problem. You may be given more than one answer that solves a problem, but some of the solutions may not be secure. It is important to not only understand the various security services available on AWS, but how they work and the security aspects they address and more importantly don’t address.

Details on the AWS Certified Security - Specialty exam

The AWS Security-Specialty exam guide describes each of the five domains covered in the exam. Below are details of what falls within each of those domains:

Incident response

  • Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
  • Verify that the Incident Response plan includes relevant AWS services.
  • Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues.
    • Amazon GuardDuty

Logging and monitoring

  • Design and implement security monitoring and alerting.
    • Piping events to Lambda to automate monitoring responses
    • Sending events to SNS to deliver notifications
    • VPC traffic monitoring
  • Troubleshoot security monitoring and alerting.
    • IAM Policies needed for logging and sending alerts to other services
  • Design and implement a logging solution.
    • Using Athena to search CloudTrail and other logs in S3
  • Troubleshoot logging solutions.

Infrastructure security

  • Design edge security on AWS.
    • CloudFront and AWS WAF
  • Design and implement a secure network infrastructure.
    • VPC configuration
    • NAT gateway
    • Virtual Private Gateway
    • VPC Endpoints
    • VPC Gateway Endpoints for S3 and DynamoDB
  • Troubleshoot a secure network infrastructure.
  • Design and implement host-based security.
    • Security Groups vs Network Access Control Lists
    • AWS Session Manager
    • Amazon Inspector

Identity and access management

  • Design and implement a scalable authorization and authentication system to access AWS resources.
    • Cognito
  • Troubleshoot an authorization and authentication system to access AWS resources.
    • Policy evaluation between resources and roles
    • Effects of explicit deny
    • Policy condition clauses

Data protection

  • Design and implement key management and use.
    • KMS Key Grants
    • Cross account key access permissions
  • Troubleshoot key management
    • KMS Roles
    • KMS IAM Policies
  • Design and implement a data encryption solution for data at rest and data in transit
    • KMS vs CloudHSM and when to use each

Studying for the AWS Certified Security - Specialty exam

There is no right way to study for the AWS Security-Specialty exam. People learn differently and what works for me may not work for you. My approach to AWS certification exams starts with taking on-line classes followed by reading the AWS FAQs and white papers on the services. Most of the on-line classes have labs that give you practical experience with the tools. You can pass the exam with extensive studying and little hands on experience, but that is more of the exception than the rule. Hands-on experience, especially on the job, is a much more intuitive way to learn the material. Of course, not everyone works in a security role at their company, and in large companies you may not be able to access all the security features in AWS. I recommend trying these features on a personal AWS account. Since AWS services are charged by usage, you can enable security features, test them, and then disable the features when you are done while incurring minimal charges.


There are many on-line training certification training classes available through a variety of vendors.  I found the following classes gave me a solid foundation for the material, but most classes cover the basics so use the vendor of your choice. No class will cover every facet of the exam, so I encourage you not to take a class and then immediately sit for the exam. Using a variety of materials in your exam study prep will give you a more thorough understanding of the material than relying on a single method.

AWS training resources

The Amazon YouTube account has a wealth of resources for studying for this and other AWS exams. There are many videos from the annual re:Invent conference where new AWS features are first introduced. Additionally, the re:Inforce conference is devoted to cybersecurity and those videos are worth watching while studying for the AWS Security-Specialty exam. Here are some that I found especially helpful when studying: 


The AWS FAQs are a wonderful source of information about the individual security services and include essential details and limitations. Some of the key FAQs I recommend focusing on are:

AWS security white papers

There are dozens of AWS Security White Papers online, but I found the following to be particularly useful in my studies:

Practice exams

Once you have reviewed the material you can take practice exams to determine if you are ready for the real AWS Security-Specialty exam and to help identify any areas of weakness where you could use more work. Online classes typically include a practice exam, while some allow you to purchase the exam separately. I took the practice exams as part of my training classes from A Cloud Guru and Udemy, but also took a separate practice exam from Whizlabs:

In addition, you can register to take a practice exam for $20 directly through AWS training. The questions on this practice exam usually differ quite a bit from the real AWS Security-Specialty exam questions, but that is true of most practice exams.

Taking the AWS Certified Security - Specialty exam

Some people suggest that you sign up for an exam date so that you have a deadline and incentive to study. I caution you not to do this too early. Setting an exam date before you begin your studies is usually a mistake. You don’t know what you don’t know. Maybe you have years of experience on AWS security and review the material only to discover it is all familiar to you. But maybe you review the material and find out that there are a lot of areas you need to spend time on. You won’t know until you spend time reviewing all the material for the exam and perhaps take a practice exam or two. Once you determine where you stand in your understanding of the exam material, you’ll have a better idea of how far out to schedule the exam.

At the time of writing this, COVID-19 is still an issue and many people are taking exams remotely. I’ve taken a couple tests remotely and the process is similar to in person exams but proctors may vary in their requirements. If you are taking a remote exam, you will need to clear the area around your computer and show the area with your camera. You will be monitored and recorded on camera while taking the test and cannot leave the computer.

The first test I took I cleared the area around my desk within reach and the proctor seemed fine with that approach. For the second test they wanted my desk completely clear. I had to remove all the books from a shelf on my desk along with assorted nick knacks.


I hope this article and the thoughts I shared help you to prepare for your AWS Security-Specialty Exam. Both cyber security and the cloud are interesting areas on their own, but the combination of the two introduces a unique blend of opportunities and challenges. Regardless of your specific job function security is everyone’s responsibility and the more you know about how security works in the cloud the more secure your systems will be.  

Best of luck on your exam!

Kelly Jo Brown, Distinguished Engineer, Digital Commerce and Innovation

I am a Distinguished Engineer at Capital One working on the virtual card numbers. I enjoy all aspects of technology and have worked as a front-end developer, back-end developer, mobile developer, and in cybersecurity. My current focus is on AWS and cloud technologies. When not working or getting yet another technical certification I enjoy playing computer and role-playing games. You can connect with me on LinkedIn (

Related Content