AWS Certified Security – Specialty Certification


Adrian Cantrill

Training Architect

Course Details

The AWS Certified Security Specialty is a certification based around securing applications in AWS. It is one of three specialty certifications offered by AWS. The certification focuses on five components or domains when designing and operating security in the cloud. These are:

Identity and Access Management
Detective Controls
Infrastructure Protection
Data Protection
Incident Response

This course has been developed to provide you with the requisite knowledge to not only pass the AWS Certified Security Specialty certification exam but also gain the hands-on experience required to become a qualified AWS security specialist working in a real-world environment.

Please connect with us at in the #security channel if you have questions or feedback.


Course Introduction

Getting Started

Course Introduction


Lesson Description:

Introduction: This lesson introduces the AWS Certified Security Specialty course. To access the Security Specialty Runbook: As of October 11, 2018, AWS no longer requires you to hold an Associate or Foundational certification to sit for any Professional or Specialty certification exam. However, to ensure your success, we highly recommend you follow Linux Academy's suggested prerequisites (for both our coursework and AWS exams). These prerequisite suggestions can be found in the "details" section of the course syllabus.

About the Training Architect


Lesson Description:

Course Author This video introduces Adrian, the course instructor. Social Media Contacts

Introduction to the Security Runbook Interactive Diagram


Lesson Description:

In this lesson I step through the Security Specialty Runbook - the interactive learning aid created for this course. The document is available here : and I'd encourage you to download it and watch through this lesson as a primer for the course.

Course Features and Tools


Lesson Description:

This lesson introduces all of the tools available to the student as they go through the AWS Certified Security Specialty preparation course. Lesson Links

Domain 1 : Incident Response

Domain 1 - Introduction

Domain 1 - Introduction


Lesson Description:

A quick introduction into the topics covered in domain 1 of the course, and perhaps more importantly, why these topics are essential for any security professional.

1.1 - Given an AWS Abuse Notice, Evaluate a Suspected Compromised Instance or Exposed Access Keys

AWS Abuse Notification


Lesson Description:

AWS is externally monitoring traffic traveling in and out of the AWS infrastructure. They will take action and notify account holders if patterns are found, such as port scanning, penetration testing, IP spoofing, and interception. These detections can sometimes be false positives as legitimate business functions can appear like attacks. As a security specialist, it is vital that you follow the AWS Acceptable Use Policy and that any security testing of our environments has prior authorization from AWS. Important Links: AWS Acceptable Use Policy ( NOTE, some tests now do not require prior approval. For details, see:

Responding to AWS Abuse Notifications


Lesson Description:

Once we have received an AWS Abuse notification, it is vital that we take action to remedy the situation and respond to AWS. The response depends on what resources have been compromised or exposed. This video offers some response options as well as discusses some best practices to avoid compromise and exposure altogether.

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.


AWS Abuse Notification


1.2 Verify that the Incident Response plan includes relevant AWS services.

What is Incident Response?


Lesson Description:

Before diving into what services we can use for each phase of incident response, we need to discuss the overall framework and where it came from. This video discusses incident response at a very high level and introduces the phases of the IR framework. Lesson Links

Incident Response Framework: Part 1


Lesson Description:

A high-level discussion of the Incident Response framework is necessary so that we have an understanding of how the different services and details fit into the framework later on. We will be referring back to the phases of this framework throughout the course. This video discusses the first three phases: preparation, identification, and containment.

Incident Response Framework: Part 2


Lesson Description:

A high-level discussion of the Incident Response framework is necessary so that we have an understanding of how the different services and details fit into the framework later on. We will be referring back to the phases of this framework throughout the course. This video discusses the remaining four phases: investigation, eradication, recovery, and follow-up.

Incident Response Plan


1.3 Evaluate the Configuration of Automated Alerting and Execute Possible Remediation of Security-Related Incidents and Emerging Issues

Automated Alerting


Lesson Description:

One of the benefits of cloud computing is the automatic scalability and reliability. Security in the cloud should be no different. We can use automation to help make our jobs easier and to fill in the gaps that human error can sometimes create. This video discusses automated alerting and a way we can categorize actions in the process and provides two examples of how we can get automated email notifications whenever we create an IAM user. Note: If following along with this video, change your region to us-east-1.

Automated Incident Response


Lesson Description:

Continuing with our discussion of security automation in AWS. We can use many different triggers and responders in our automation chains. The possibilities for automating exposure remediation are almost endless. This video discusses three stages of automation, as well as some examples of how to use automated response in AWS.

CloudTrail Automation Example


Lesson Description:

CloudTrail is very important in the security realm because it records every API call executed on our resources. Making sure that you enable CloudTrail logging is a best security practice. This video is a walkthrough of how to set up automation that starts logging if CloudTrail is stopped. Lambda function code:

import json
import boto3

print('Loading function')


def lambda_handler(event, context):
    """Re-enable CloudTrail logging when a StopLogging API call is detected."""
    client = boto3.client('cloudtrail')
    try:
        if event['detail']['eventName'] == 'StopLogging':
            # The CloudTrail event carries the trail name in requestParameters
            trail_name = event['detail']['requestParameters']['name']
            response = client.start_logging(Name=trail_name)
            print('Restarted logging for trail: ' + trail_name)
            return response
        print('Ignoring event: ' + json.dumps(event['detail']['eventName']))
    except Exception as e:
        print('Failed to restart CloudTrail logging: ' + str(e))
        raise



Domain 2 : Logging and Monitoring

Domain 2 - Introduction

Logging and Monitoring Introduction


Lesson Description:

In this video, I'll introduce the topics covered in domain 2 of the course, including the flip of objectives 2.1/2.2/2.3 and 2.4.

2.1 Design and implement security monitoring and alerting.

S3 Events


Lesson Description:

S3 events can be used to create notifications based on object actions. When an object event occurs, we can then use SNS, SQS, or Lambda to notify and possibly take actions on that object. This video discusses the basics and walks through a sample configuration using SNS as the notification service. Snippet Added to SNS Topic Policy

{
    "Sid" : "s3eventsD",
    "Effect" : "Allow",
    "Principal" : {
        "Service" : ""
    },
    "Action" : [
    ],
    "Resource" : "arn:aws:sns:us-east-1:ACCOUNTID:TOPIC"
}
Files for second demo

CloudWatch Logs: Metric Filters and Custom Metrics


Lesson Description:

Once CloudWatch Logs collects the logs, we can then use filters to create custom metrics. We can also alert SNS using those same filters, creating a monitoring workflow from the collection of logs. This video discusses and shows how to accomplish this.

CloudWatch Events


Lesson Description:

CloudWatch Events allow us to create rules that we can trigger by services and API calls or through scheduling. These rules can then interact with many different services in our environment. CloudWatch Events are the central block in many automation workflows we can build as well. This lesson dives into the specifics and shows some examples of how we can use this service. Links Lambda Function

import boto3


def lambda_handler(event, context):
    # set the region to the region the event occurred in
    region = event['region']
    # an EC2 Instance State-change Notification names a single instance
    instances = [event['detail']['instance-id']]
    if event['detail']['state'] != 'stopped':
        return
    print('detected stopped instance : ' + str(instances))
    ec2 = boto3.client('ec2', region_name=region)
    ec2.start_instances(InstanceIds=instances)
    print('started your instances: ' + str(instances))

Multi-Account: CloudWatch Event Buses


Lesson Description:

CloudWatch Event Buses are a convenient way for us to share CloudWatch Events across accounts. In a multi-account environment, we can configure CloudWatch Events in all of the secondary accounts to send to the primary account's event bus. We can then set up automation based on these events and interact with all the resources in our organization, regardless of which account the event was sent from. This lesson looks at an example of centralizing event triggers and rules to manage the organization.

AWS Config


Lesson Description:

AWS Config can inventory our resources and track configurations of those resources over time. We can also set up rules that will evaluate our resources and alert us to those that are not compliant with our rules. This lesson looks at how we enable AWS Config and will show both the historical configurations as well as using Config as a configuration compliance tool.

AWS Inspector


Lesson Description:

AWS Inspector allows us to run vulnerability scans on our EC2 instances. The instances can be evaluated using security best practices, runtime behaviors, common vulnerabilities, and CIS security configuration benchmarks. This lesson shows how Inspector is used to evaluate EC2 instances and discusses some of its findings. Links



Design, Implement, and Troubleshoot Monitoring and Alerting


2.2 Troubleshoot security monitoring and alerting.


2.3 Design and Implement a Logging Solution

CloudTrail Logging


Lesson Description:

CloudTrail is very important in the security realm because it records every API call executed on our resources. We can also create trails that allow us to store logs longer than 90 days and use them to trigger automation events. It is a best security practice to make sure CloudTrail logging is always enabled. This video gives information about what CloudTrail does and how to configure it.

CloudWatch Logs: CloudTrail


Lesson Description:

CloudWatch Logs is a service that helps us to aggregate logs from several different resources into one location. These resources include CloudTrail, VPC Flow Logs, CloudWatch Agent for EC2, and DNS Query Logs. In this video, we will discuss CloudWatch Logs and walk through how to send CloudTrail into a Log Group.

CloudWatch Logs: VPC Flow Logs


Lesson Description:

Flow logs from our VPCs give us IP traffic information we can use to determine what hosts are communicating with our resources and what conversations and ports are accepted. Flows are also a great tool to see just how often hosts on the internet are probing our resources for vulnerabilities. This video is a walkthrough of the configuration of VPC flow logs and a brief look at what information these logs contain.
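As an added example that is not part of the course material, the following Python parses constructed default-format (version 2) VPC Flow Log records and summarises which source addresses are being rejected on many distinct ports, the kind of internet probing the lesson mentions. The sample records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Default (version 2) VPC Flow Log record format, space separated
FLOW_LOG_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

# Constructed sample records, not real traffic: 198.51.100.7 is rejected on
# several ports of one instance, 10.0.1.5 is ordinary internal HTTPS traffic,
# and the last record is a NODATA record with no traffic fields.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 41234 22 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 41235 23 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 41236 3389 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 41237 445 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.1.20 50000 443 6 20 3000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.1.5 443 50000 6 18 9000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""


def parse_flow_log(line):
    """Parse one default-format record into a dict; None if malformed or not OK."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    record = dict(zip(FLOW_LOG_FIELDS, parts))
    # NODATA and SKIPDATA records carry '-' in the traffic fields: nothing to analyse
    if record["log-status"] != "OK":
        return None
    return record


def rejected_ports_by_source(text):
    """Map each source address to the set of destination ports it was rejected on."""
    rejected = defaultdict(set)
    for line in text.splitlines():
        record = parse_flow_log(line)
        if record and record["action"] == "REJECT":
            rejected[record["srcaddr"]].add(int(record["dstport"]))
    return rejected


def probing_sources(text, min_ports=3):
    """Sources rejected on at least min_ports distinct ports, i.e. likely scanners."""
    return {src: sorted(ports)
            for src, ports in rejected_ports_by_source(text).items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in probing_sources(SAMPLE_FLOW_LOGS).items():
        print(src, "rejected on ports", ports)
```

The same functions work on records exported from CloudWatch Logs as long as the default field order is used; a custom flow log format needs FLOW_LOG_FIELDS adjusted to match.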

CloudWatch Logs: Agent for EC2


Lesson Description:

OS-Level metrics and Logs are not sent to CloudWatch from EC2 by default. These metrics include memory, disk-use percentages, and swap file usage. For you to be able to incorporate these in your logging, the CloudWatch Agent must be installed. This video walks through a CloudWatch Agent install and configuration and shows examples of the logs. Commands to install CloudWatch Agent:

sudo ./
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json -s
Fetching Config From SSM
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c ssm:AmazonCloudWatch-linux -s
SSM Commands Run AWS-ConfigureAWSPackage and AmazonCloudWatch-ManageAgent

CloudWatch Logs: DNS Query Logs


Lesson Description:

DNS query logging records the responses served from the different DNS edge locations around the world. The domain can be registered using R53 or another registrar, but it must use R53 as its nameserver provider for this to work. This video shows how to enable DNS query logging and shows some examples. The locations in the logs match airport codes.

S3 Access Logs


Lesson Description:

S3 access logs are a collection of access requests for whatever buckets we have them enabled on. It is important to know these are not near-real-time logs and take a while to report. There is some good information in these logs, but this same information is available in easier forms with other services, for the most part. This video walks through the process of configuring S3 access logs and what permissions are necessary.

Multi-Account: Centralized Logging


Lesson Description:

The security best practice of dividing our business into multiple accounts presents a challenge when it comes to obtaining logs. We must become very familiar with resource policies and cross-account roles for us to be able to collect the logs effectively. This lesson shows how to set up CloudTrail API logging with three accounts logging to a single, secured bucket in a security account.

Design, Implement, and Troubleshoot Logging Solutions


2.4 Troubleshoot Logging Solutions

Troubleshoot Logging


Lesson Description:

Troubleshooting logging solutions in AWS is a straightforward process. To determine where the problem is, start at the beginning and work through step by step, checking configurations along the way. This video presents some of the common issues that can cause problems with logging in AWS. Lesson Links

Multi-Account: Troubleshoot Logging


Lesson Description:

Many factors can be wrong with multi-account logging. The most common of these involves permissions. Resource policies such as bucket and key policies must be correct for us to collect logs from other accounts. This lesson discusses some of the potential issues we face and some of the problems I experienced in building environments for this course. It also is a reminder to use a methodical, end-to-end approach when troubleshooting these issues.



Domain 3: Infrastructure Security

3.1 Design Edge Security on AWS


CloudFront


Lesson Description:

CloudFront is a Content Delivery Network (CDN) provided via AWS Edge Locations. It's often the entry point for customers, and potentially attackers. In this lesson, we walk through and demo some of the important security related aspects of the product. Lesson Links

Restricting S3 to CloudFront


Lesson Description:

In this lesson we build on the CloudFront foundations introduced in the previous lesson. We'll walk through the concept of Origin Access Identities (OAI) and how they can be used to secure S3 against direct access.

Signed URLs and Cookies


Lesson Description:

Signed URLs and Cookies provide a very granular level of control over content distribution, and support advanced content restriction. In this lesson I talk through and demo the usage of signed URLs and discuss when Cookies are and aren't appropriate. Lesson Links

CloudFront Geo Restriction


Lesson Description:

Security of content is often more about controlling where your content is viewed than who it's viewed by. In this lesson we'll explore the two main ways that content distribution can be controlled: the in-built CloudFront method, and extending the functionality using 3rd-party solutions.

Forcing S3 Encryption


Lesson Description:

S3 provides a host of methods for encrypting objects. In this lesson we'll explore a few ways to enforce encryption on objects under our control, using bucket policies and default encryption settings.

S3 Cross Region Replication (CRR) - Security


Lesson Description:

S3 is capable of replicating objects between regions using CRR. As Security Engineers, we need to be aware of the security implications. In this lesson we'll examine those implications using four scenarios: Single Account; Cross Account; Cross Account (Owner Change); KMS Secured Objects. Lesson Links

Web Application Firewall (WAF) and AWS Shield


Lesson Description:

In this lesson, we'll explore the architecture and implementation of AWS WAF, and see how Shield fits into the AWS security portfolio. The focus is specifically on the differences between Shield Standard, which is included by default with all AWS services, and Shield Advanced, which includes additional features and capabilities. Lesson Links



3.2 Design and implement a secure network infrastructure.

VPC Design and Security


Lesson Description:

The VPC is the core security entity for AWS private networking. In this lesson I'll talk you through VPCs, how I visualise them, and some of my thoughts around VPC design. We'll focus specifically on multi-tier vs flat architecture.

Security Groups


Lesson Description:

Security Groups are a core security control within AWS. They provide a stateful method of controlling ingress and egress traffic moving around a VPC. In this lesson we'll look at Security Groups in detail, including their architecture. We'll also examine some of their advanced features, like the ability to reference themselves, other security groups, and logical resources inside a VPC.

Network Access Control Lists (NACLs)


Lesson Description:

Network Access Control Lists (NACLs) offer a traditional stateless filtering feature set within AWS. They are attached to subnets, and control the traffic entering and leaving those subnets. In this lesson we'll walk through their functionality from a security engineer's perspective, focusing on their appropriate use and limitations.

VPC Peering


Lesson Description:

VPC Peering provides a scalable, private, secure, and high-bandwidth connection between VPCs. VPC Peers work within the same account, or in a cross-account architecture. They also function, with some limitations, between AWS regions. This lesson focuses on their features and limitations across these scenarios.

VPC Endpoints


Lesson Description:

This lesson looks at the architecture of VPC Endpoints. They are a feature of AWS VPCs which provide access to AWS public endpoints without using an Internet Gateway. We'll compare and contrast Gateway Endpoints and Interface Endpoints and watch how their functionality can be extended via resource and endpoint policies. Lesson Links

Serverless Security


Lesson Description:

Serverless is a systems architecture which introduces a new set of security concerns and considerations. In this lesson, we'll examine AWS Lambda specifically and how to approach its security within a wider serverless ecosystem. Lesson Links

NAT Gateways


Lesson Description:

NAT Gateways are an AWS-managed implementation of NAT Instances (NAT software running on EC2). In this lesson we'll walk through the security changes, limitations, and benefits of NAT Gateways, then we'll compare them to NAT Instances from a security perspective. Lesson Links

Egress-Only Internet Gateways


Lesson Description:

Egress-Only Internet Gateways are IPv6-specific versions of regular Internet Gateways. They are stateful, and only allow outgoing, VPC-originated traffic. In this lesson we look together at why they exist, and when and how to use them in a secure way.

Bastion Hosts / Jump Boxes


Lesson Description:

A Bastion Host, or Jump Box, fills a critical role in the security of most Internet connected environments. In this lesson we discuss why jump boxes exist, how to implement them securely, and what advanced functionality they can provide.



3.3 Troubleshoot a secure network infrastructure.

Troubleshoot a VPC


Lesson Description:

Troubleshooting is a key skill for any AWS security engineer. The ability to identify and correct issues within a VPC, in a safe and secure manner, is a great skill to have. In this lesson we'll step through some common issues relating to VPC fault-finding, from a security perspective. To see VPC Quotas, check out:

3.4 Design and implement host-based security.

AWS Host/Hypervisor Security (disk/memory)


Lesson Description:

As a shared environment, the isolation and security of AWS is critical. This lesson looks at how the hypervisor isolates resources, with a specific focus on memory and disk.

Host Proxy Servers


Lesson Description:

In this lesson, we'll explore why running a proxy server on an EC2 instance can, in some cases, be worthwhile. Proxy servers can allow for security filtering and traffic control beyond traditional AWS services.

Host-Based IDS/IPS


Lesson Description:

This lesson looks at IDS & IPS running on EC2 instances. Why bother? And where does it fit into the AWS security services? Lesson Links

Systems Manager


Lesson Description:

AWS Systems Manager is an operational management service. In this lesson we'll delve into the aspects of Systems Manager that are important from a security perspective. Lesson Links

Packet Capture on EC2


Lesson Description:

In this lesson we build upon the features provided by AWS Flow Logs, and install a simple packet capture application in EC2, then review the results.



Domain 4: Identity and Access Management

4.1 Design and Implement a Scalable Authorization and Authentication System to Access AWS Resources.

IAM Policies


Lesson Description:

IAM policies are used extensively throughout AWS products and services. Being able to understand and create secure IAM policies that are flexible and provide the minimum rights required for a task is essential. As a security engineer you will be solely responsible for creating and evaluating policies, and so in this lesson I discuss their architecture in addition to some advanced functionality. Lesson Links Example Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::la-homefolders"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
    },
    {
      "Action": [
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::la-homefolders/${aws:username}/*"]
    }
  ]
}

Users, Groups, and Roles


Lesson Description:

IAM Users, Groups, and Roles are the three identities provided by IAM to which identity policies can be applied. Understanding the features, limitations, and appropriate usage of all three is an essential security skill. This lesson steps through each one, and provides some key guidance on when and how each should be used within an AWS environment. Lesson Links

Permission Boundaries and Policy Evaluation


Lesson Description:

Permissions boundaries are a method to limit the effective permissions of IAM users, groups, and roles within AWS. They are a challenging concept to fully understand, but provide a substantial amount of security control for entities under your management. This lesson looks at permissions boundaries, together with how they impact permission evaluation. We'll also step through the global permissions evaluation process within AWS. Lesson Links

Organizations and Service Control Policies


Lesson Description:

AWS Organizations is an extension of consolidated billing. It provides billing management for organizations using multiple AWS accounts. In this lesson we'll start by exploring the features of AWS organizations as they relate to a security professional. We'll be looking specifically at cross-account security. In the second part of the lesson, we'll look in detail at Service Control Policies, a feature which allows account level restrictions to be placed on managed accounts.

Resource Policies: S3 Bucket Policies


Lesson Description:

In this lesson we delve into S3 bucket policies, focusing mainly on when you would use bucket policies, and how they are different from IAM policies. We'll step through a number of examples designed to demonstrate the features of resource policies applied to S3 buckets. Lesson Links

Resource Policies: KMS Key Policies


Lesson Description:

Following up on the last lesson about S3 Resource policies, in this lesson I take a look at KMS key policies. We discuss the multiple roles available within KMS, Key Admins and Key Usage, and how this separation enhances the security of the platform. Some advanced key policy concepts enter the picture here. We will get acquainted and discuss features and limitations, with a specific focus on the security certification. Lesson Links

Cross-Account Access to S3 Buckets and Objects


Lesson Description:

Securing S3 buckets for access via a single account can often be challenging enough. In this lesson we'll step through how to provide access to buckets and objects using Cross-Account policies and roles. We review the pros and cons of each, and discuss appropriate usage. Lesson Links

      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }

Identity Federation


Lesson Description:

Identity federation is the process of allowing external ID providers (IdP) to authenticate and identify users, and then providing those identified users with access to AWS resources. In this lesson, we'll go over the two main Identity Federation architectures, Web Identity Federation and SAML2.0 Identity Federation. Lesson Links

AWS Systems Manager Parameter Store


Lesson Description:

In this lesson, we return to Systems Manager to look at the Systems Manager Parameter Store. This is a feature allowing the secure management of configuration and secrets within AWS. The Parameter Store is an essential tool for caching and distributing secrets securely to AWS resources. Here in this lesson, we'll get to see it in action. Lesson Links Sample Code

import os, traceback, json, configparser, boto3

# Initialize boto3 client at global scope for connection reuse
client = boto3.client('ssm')
env = os.environ['ENV']
app_config_path = os.environ['APP_CONFIG_PATH']
full_config_path = '/' + env + '/' + app_config_path
app = None  # config cache, reused while the execution environment stays warm

def load_config(ssm_parameter_path):
    """Load the parameters under a Parameter Store path into a ConfigParser."""
    configuration = configparser.ConfigParser()
    section = ssm_parameter_path.strip('/')
    configuration.add_section(section)
    try:
        # WithDecryption=True returns SecureString values as plaintext
        param_details = client.get_parameters_by_path(
            Path=ssm_parameter_path, Recursive=False, WithDecryption=True)
        for param in param_details.get('Parameters', []):
            configuration.set(section, param['Name'].split('/')[-1], param['Value'])
    except Exception:
        print("Encountered an error loading config from SSM.")
        traceback.print_exc()
    return configuration

def lambda_handler(event, context):
    global app
    # Initialize app if it doesn't yet exist
    if app is None:
        print("Loading config and creating new MyApp...")
        print("Config Path:" + full_config_path)
        app = load_config(full_config_path)
    return json.dumps(dict(app.items(full_config_path.strip('/'))))

IAM Role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
      ],
      "Resource": "*"
    }
  ]
}

4.2 Troubleshoot an Authorization and Authentication System to Access AWS Resources.

Troubleshooting Permissions Union (IAM//RESOURCE//ACL)


Lesson Description:

Permissions within AWS are controlled with Identity Policies, ACLs, and resource policies. Understanding how to design and interpret these when used in combination is the key to implementing systems securely within AWS. In this lesson we'll step through how permissions union works. This is a key requirement for any security professional, and for the security specialty exam.

Troubleshooting Cross-Account Roles


Lesson Description:

In this lesson we'll see some common issues facing a security engineer when implementing cross-account roles. There will be a brief review of role architecture, but with a focus on using it between accounts. Lesson Links

Troubleshooting Identity Federation


Lesson Description:

Web and SAML2.0 Federation are both complex architectures. They allow external identities to be used in accessing AWS resources. In this lesson we look at some common troubleshooting steps to identify and fix federation issues.

Troubleshooting KMS CMK's


Lesson Description:

KMS Key Policies are resource policies applied to KMS keys. They have unique characteristics which separate them from other resource policies. In this lesson we look at Key Policies from a troubleshooting perspective. Lesson Links

Domain 5: Data Protection

5.1 Design and implement key management and use.

Key Management System (KMS)


Lesson Description:

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. It's a FIPS 140-2 Level 2 compliant service and in this lesson I step through its architecture and key points as they relate to real-world usage and the exam. Lesson Links

KMS in a Multi-Account Configuration


Lesson Description:

This lesson takes a closer look at how KMS can be utilized in a multi- or cross-account configuration to achieve a reduction in risk, improvements to logging and auditing, and performance improvements.



CloudHSM


Lesson Description:

A CloudHSM is a dedicated appliance allowing for the secure creation, management and usage of CMKs. The hardware is FIPS 140-2 Level 3 compliant, and supports industry standard API access. In this lesson I discuss CloudHSM architecture, when to use CloudHSM, and the key differences between it and AWS KMS. Lesson Links

5.2 Troubleshoot key management.

Troubleshooting KMS Permissions


Lesson Description:

KMS key permissions are a crucial part of securing an AWS account. Being an effective security engineer means understanding the end-to-end chain of permissions relating to KMS. In this lesson we take a look at just that, with a troubleshooting focus.

KMS Limits


Lesson Description:

KMS, like any other AWS service, has limits which require awareness. KMS can be impacted to a greater degree than other services, because it is used by other AWS services to handle encryption. In this lesson I step through the limits which can cause throttling and how this can impact KMS and other services. Lesson Links



5.3 Design and implement a data encryption solution for data at rest and data in transit.

Data At Rest: KMS


Lesson Description:

KMS integrates with many other AWS services to provide key creation, management and cryptographic functionality. All services are responsible for their own component of this process and in this lesson I run through how EBS, DynamoDB, RDS and S3 integrate with KMS. Lesson Links

Data At Rest: Server-side encryption with SSE-C


Lesson Description:

SSE-C is an important, but fairly narrow, use case for encryption within S3. It's used when you as the customer need to control and manage the encryption keys used for object-level encryption. In this lesson I step through how SSE-C is different from other S3 encryption methods. Lesson Links

Data In Transit: Certificate Manager (ACM)


Lesson Description:

ACM is an essential service which can generate, manage and import X.509 SSL/TLS certificates to be used on other AWS services. This lesson is a brief introduction to the service from a security perspective.

Encryption SDKs


Lesson Description:

The AWS Encryption SDK provides a well engineered and secure set of interfaces to KMS and other encryption stacks. This lesson introduces the SDK at a high level. Lesson Links

Compliance Examples


Lesson Description:

AWS provides a wealth of compliance-related resources via its compliance portal and the AWS Artifact service. In this lesson I give a brief overview of these resources. Lesson Links




Practice Exam

AWS Certified Security Specialty


Final Steps

How to Prepare for the Exam


Lesson Description:

This lesson goes over the steps you can take to ensure your success on the exam. We’ll outline a full strategy for preparing for the exam, including study tips, key terms you should know and helpful test-taking strategies. Lesson Links

What's Next After Certification?


Lesson Description:

This lesson discusses your options for continued learning after you've completed the AWS Certified Security Specialty course. Lesson Links Please connect with me using Twitter or LinkedIn if I can help in any way.

Get Recognized!


Lesson Description:

In this video, Linux Academy Founder and CEO Anthony James explains the steps you can take to get recognized after successfully passing your certification exam. Anthony will explain how to connect with him on LinkedIn and Twitter so that he can endorse you for the skills you have mastered by getting your certification.
