New! 2018 AWS Security Specialty BETA Exam Resources

Finally, it’s here!

AWS Certified Security – Specialty Beta Exam

SCS-C01. I registered last night; it is only $150 – which is much better than the usual $300 for each of the other two Specialty Exams. This beta exam will only be available from January 15th to March 2nd – so I scheduled mine when… ? Feb 28th. I’ll be compiling a resource list for anyone else who wants to do this exam.

Ok, now the nitty gritty, what resources are needed?

Official Exam Guide

First, here is the PDF of the AWS Exam Guide for the BETA SCS-C01

Now, here is my resource collection:

I can start by telling you I’ve already purchased the

AWS Certified Security – Specialty Course from

It’s the course from the original BETA exam that came out (early 2017?), but it covers all the fundamentals and the guys at update their content regularly when it comes to Exam courses. I believe the cost on this is $60. Outstanding value!

UPDATE from Founder Ryan Kroonenburg – Ryan sat this exam on Jan 15th in London. He made this video giving general exam experience feedback and he also said that he will be updating the above mentioned AWS Security course based on his experience.


Next, I think this Exam will hit every corner of the AWS Universe, which means diving deep into the AWS Security and Compliance Whitepapers

Out of those, The Well Architected Framework – Security Pillar would be the one to know like the back of your hand.

Re:Invent 2017 Security Vids

After that, the AWS RE:Invent 2017 IAM Policy Ninja Video is an incredible resource and to be sure, I will watch (and practice) this multiple times over the next several weeks. And other RE:Invent 2017 Security Vids:

AWS Philosophy of Security
Architecting Security and Governance Across Multiple-Accounts
Security Anti-Patterns: Mistakes to Avoid
Best Practices for Managing Security Operations on AWS
AWS Security State of the Union
Compliance and Top Security Threats in the Cloud
Incident Response in the Cloud
Five New Security Automation Improvements You Can Make by Using CloudWatch Events and AWS Config Rules
Using AWS Lambda as a Security Team
 CloudTrail to Enhance Governance and Compliance of Ama

Now the AWS recommended Training for the SCS-C01 BETA exam:

AWS Security Fundamentals e-course
Online Resources for AWS Security

Exam Topic Specific Resources SCS-C01

Domain 1: Incident Response

RE:Invent Video: Incident Response in the Cloud

1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.

I received a notification that my AWS resources or account may be compromised. What should I do?

1.2 Verify that the Incident Response plan includes relevant AWS services

Building a Cloud-Specific Incident Response Plan

1.3 Evaluate configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues

How to Remediate Amazon Inspector Security Findings Automatically
How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object ACLs with CloudWatch Events

Domain 2: Logging and Monitoring

2.1 Design and implement security monitoring and alerting.

Designing Centralized Logging
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
How to Receive Alerts When Your IAM Configuration Changes
SID341 – Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection

2.2 Troubleshoot security monitoring and alerting.

Troubleshoot SNS Deliveries
Troubleshoot SES Notifications

2.3 Design and implement a logging solution.

Logging Whitepaper
How to Monitor and Visualize Failed SSH Access Attempts to Amazon EC2 Linux Instances

2.4 Troubleshoot logging solutions

Troubleshooting CloudWatch Events

Domain 3: Infrastructure Security

3.1 Design edge security on AWS.

AWS Shield
Protect Dynamic Content using Shield and Route53
Serving Private Content Through CloudFront
SID342 – Protect Your Web Applications from Common Attack Vectors Using AWS WAF
SID401 – Let’s Dive Deep Together: Advancing Web Application Security

3.2 Design and implement a secure network infrastructure.

Setting Up an AWS VPN Connection – Amazon Virtual Private Cloud
VPN Connections – Amazon Virtual Private Cloud – AWS Documentation
Well Architected Framework – Security Pillar

3.3 Troubleshoot a secure network infrastructure.

Troubleshooting – Amazon Virtual Private Cloud – AWS Documentation
Troubleshoot Connecting to an Instance in a VPC – AWS –
Troubleshooting AWS Direct Connect – AWS Documentation
VPN Tunnel Troubleshooting – AWS –

3.4 Design and implement host-based security

IDS and IPS for EC2 Instances
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
Amazon Inspector – Security Assessment Service

Domain 4: Identity and Access Management

4.1 Design and implement a scalable authorization and authentication system to access AWS resources.

AWS Identity and Access Management (IAM) Documentation
IAM Best Practices – AWS Identity and Access Management
Enabling SAML 2.0 Federated Users to Access the AWS Management …
SID337 – Best Practices for Managing Access to AWS Resources Using IAM Roles
AWS Cognito
SID344 – Soup to Nuts: Identity Federation for AWS

4.2 Troubleshoot an authorization and authentication system to access AWS resources.

Troubleshooting IAM – AWS Identity and Access Management
Troubleshooting IAM Roles – AWS Identity and Access Management
Troubleshoot IAM Policies – AWS Identity and Access Management
Troubleshooting Amazon EC2 and IAM – AWS Identity and Access …
Troubleshooting Amazon S3 and IAM – AWS Identity and Access …

Domain 5: Data Protection

5.1 Design and implement key management and use.

AWS Key Management Service Concepts – AWS Documentation
RE:Invent Video – Best Practices for Implementing KMS
Whitepaper – Best Practices for KMS
SID345 – AWS Encryption SDK: The Busy Engineer’s Guide to Client-Side Encryption
Amazon Macie

5.2 Troubleshoot key management.

Verifying and Troubleshooting KMS Key Permissions – AWS .
Determining Access to an AWS KMS Customer Master Key – AWS Key …
Limits – AWS Key Management Service – AWS Documentation
Troubleshooting Key Signing Errors

5.3 Design and implement a data encryption solution for data at rest and data in transit.

How to Protect Data at Rest with Amazon EC2 … – AWS –
Encrypting Amazon RDS Resources – AWS Documentation
Encrypting Data at Rest ( non AWS BLOG )
How to Encrypt and Decrypt Your Data with the AWS Encryption CLI
How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
Architecture for HIPAA Compliance on AWS

The Full List of the Security, Compliance, and Identity Sessions, Workshops, and Chalk Talks at AWS re:Invent 2017

Based on Founder Ryan Kroonenburg’s Feedback on the Exam, I’ve added some more study links:

Cloud HSM FAQs
Cloud HSM AWS Documentation
Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)
Protecting Data Using Client-Side Encryption in S3
IAM Policies and Bucket Policies and ACLs! Oh, My!