AWS Certified Security - Specialty
Validates expertise in securing workloads and architectures on AWS. Covers threat detection and incident response, security logging and monitoring, infrastructure security, identity and access management, data protection, and management and security governance. Requires five or more years of IT security experience with at least two years of hands-on AWS security experience, demonstrating proficiency in implementing security controls, managing security operations, and understanding specialized data classifications and AWS data protection mechanisms.
Exam domains
- Infrastructure Security (20%)
Design and implement security controls for edge services: AWS Shield Standard (included automatically, covers L3/L4 DDoS) vs Shield Advanced (24/7 access to the Shield Response Team, Layer 7 protection, advanced WAF rules, DDoS cost protection); AWS WAF web ACLs with managed rule groups (Core rule set for the OWASP Top 10 categories, Bot Control, Account Takeover Prevention, Fraud Control), rate-based rules, IP sets, regex pattern sets, geo-blocking, custom rules built from statements and labels, and WAF logs with full request inspection; AWS Firewall Manager for centralized WAF, Shield, Network Firewall and Route 53 Resolver DNS Firewall policies; AWS Network Firewall as a stateful firewall with Suricata-compatible rules, SNI-based domain filtering and TLS inspection; Amazon CloudFront security (signed URLs and cookies, geo-restrictions, field-level encryption, origin access control (OAC) for S3 origins); API Gateway resource policies, mutual TLS, request validation and throttling.
Design and implement network security controls: Amazon VPC design with public/private subnets and NAT Gateways (elastic IP); VPC endpoints (gateway endpoints for S3 and DynamoDB vs interface endpoints backed by PrivateLink for other services) and VPC endpoint policies; security groups (stateful) vs network ACLs (stateless, so return traffic needs explicit rules for the ephemeral port range); VPC peering vs Transit Gateway with security domains separated by route tables, and AWS Cloud WAN attachment policies; AWS Site-to-Site VPN (IKEv2, accelerated VPN), AWS Direct Connect with MACsec encryption on Dedicated Connections, and AWS PrivateLink for private service-to-service connectivity; Route 53 Resolver DNS Firewall with managed and custom domain lists to block malicious DNS lookups.
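The stateful-vs-stateless distinction in the network list is the one that trips people up in practice: a security group remembers the flow and lets the reply through, while a network ACL evaluates the reply packet on its own and needs an outbound rule covering the client's ephemeral port. The Python simulation below is an added illustration written for this page, not AWS code or part of the exam guide; the rule numbers, IP addresses, and the 1024-65535 ephemeral range are assumptions chosen for the demo.

```python
"""Added illustration: stateful security group vs stateless network ACL (not AWS code)."""
from dataclasses import dataclass, field

# Assumed ephemeral source-port range a client uses for its side of a TCP connection.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str  # "in" (toward the instance) or "out" (from the instance)


@dataclass
class SecurityGroup:
    """Stateful: a flow allowed in one direction gets its replies back without a rule."""
    inbound: set = field(default_factory=set)   # destination ports allowed in
    outbound: set = field(default_factory=set)  # destination ports allowed out
    flows: set = field(default_factory=set)     # connection table: (remote_ip, remote_port, local_port)

    def allows(self, p: Packet) -> bool:
        if p.direction == "in":
            key, rules = (p.src_ip, p.src_port, p.dst_port), self.inbound
        else:
            key, rules = (p.dst_ip, p.dst_port, p.src_port), self.outbound
        if key in self.flows:          # reply to a flow we already allowed
            return True
        if p.dst_port in rules:
            self.flows.add(key)        # remember the flow so its replies pass
            return True
        return False


@dataclass(frozen=True)
class NaclRule:
    number: int        # lowest number is evaluated first, first match wins
    direction: str
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the rules on its own."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, p: Packet) -> bool:
        for r in self.rules:
            if r.direction == p.direction and r.port_from <= p.dst_port <= r.port_to:
                return r.action == "allow"
        return False  # the implicit '*' deny at the end of every NACL


def inbound_https(fw, client_ip="203.0.113.10", client_port=51234, instance_ip="10.0.1.5"):
    """Client -> instance:443, then the instance's reply back to the client's ephemeral port."""
    request = Packet(client_ip, instance_ip, client_port, 443, "in")
    reply = Packet(instance_ip, client_ip, 443, client_port, "out")
    req_ok = fw.allows(request)
    return req_ok, (fw.allows(reply) if req_ok else False)


def outbound_https(fw, remote_ip="198.51.100.20", local_port=40000, instance_ip="10.0.1.5"):
    """Instance -> remote:443 (e.g. a package mirror), then the remote's reply."""
    request = Packet(instance_ip, remote_ip, local_port, 443, "out")
    reply = Packet(remote_ip, instance_ip, 443, local_port, "in")
    req_ok = fw.allows(request)
    return req_ok, (fw.allows(reply) if req_ok else False)


# A NACL that only opens 443 inbound: the request arrives, but the reply is dropped.
NACL_NO_EPHEMERAL = [NaclRule(100, "in", 443, 443, "allow")]
# The usual fix: allow outbound to the ephemeral range so replies can leave.
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [NaclRule(100, "out", *EPHEMERAL_PORTS, "allow")]

if __name__ == "__main__":
    print("SG inbound 443:", inbound_https(SecurityGroup(inbound={443})))                 # (True, True)
    print("NACL in 443 only:", inbound_https(NetworkAcl(NACL_NO_EPHEMERAL)))              # (True, False)
    print("NACL + ephemeral out:", inbound_https(NetworkAcl(NACL_WITH_EPHEMERAL)))        # (True, True)
    print("same NACL, instance-initiated:", outbound_https(NetworkAcl(NACL_WITH_EPHEMERAL)))  # (False, False)
```

The last case shows the trade-off the exam likes to probe: opening only the ephemeral range outbound fixes replies to inbound connections but still blocks the instance from initiating its own HTTPS sessions, which need a separate outbound 443 rule plus an inbound ephemeral rule for the answers. Rule numbering also matters: a lower-numbered deny shadows any higher-numbered allow for the same traffic.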
Design and implement security controls for compute workloads: EC2 instance security (the Nitro System as hardware root of trust, IMDSv2 enforcement, EC2 Instance Connect Endpoint, and Systems Manager Session Manager in place of SSH bastions); container security (ECR enhanced scanning powered by Amazon Inspector, ECS task IAM roles, EKS Pod Security Standards, IAM Roles for Service Accounts (IRSA), GuardDuty EKS Runtime Monitoring, Kubernetes admission controllers); Lambda security (VPC mode, function URLs with AWS_IAM auth, code signing with AWS Signer); hardening edge compute on Outposts and Wavelength; AWS Nitro Enclaves for confidential computing, with cryptographic isolation from the parent instance and attestation documents that KMS key policies can condition on.
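IMDSv2 enforcement deserves a concrete look, because the exam asks why it matters rather than just that it exists: with HttpTokens=required, a credential read needs a session token that is issued only by a PUT with a TTL header, and the service refuses to mint one for a request that arrived with X-Forwarded-For. A typical SSRF or open-proxy primitive (a plain GET, or a request relayed through a proxy) cannot complete that handshake. The Python stand-in below is an added example, not AWS code: it runs a tiny loopback HTTP server that mimics the token-required behaviour, then exercises it as an IMDSv1-style GET, as a well-behaved IMDSv2 client, and as a proxied client. The role name demo-role and the credential values are constructed placeholders.

```python
"""Added illustration: a loopback stand-in for IMDS with HttpTokens=required (not AWS code)."""
import json
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_PATH = "/latest/api/token"
# 'demo-role' is a made-up role name; the credential values below are constructed placeholders.
CREDS_PATH = "/latest/meta-data/iam/security-credentials/demo-role"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE000000000",
              "SecretAccessKey": "placeholder-secret", "Token": "placeholder-session-token"}


class FakeImds(BaseHTTPRequestHandler):
    """Mimics the metadata service on an instance launched with HttpTokens=required."""
    tokens = {}               # session token -> expiry; class-level so all handlers share it
    lock = threading.Lock()

    def log_message(self, *args):   # silence per-request logging
        pass

    def do_PUT(self):
        # Tokens come only from PUT /latest/api/token with a TTL of 1..21600 seconds.
        if self.path != TOKEN_PATH:
            return self.send_error(404)
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self.send_error(400)
        # Like the real service, refuse to mint a token for a request that passed through a proxy.
        if "X-Forwarded-For" in self.headers:
            return self.send_error(403)
        token = secrets.token_urlsafe(32)
        with self.lock:
            self.tokens[token] = time.monotonic() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        if self.path != CREDS_PATH:
            return self.send_error(404)
        token = self.headers.get(TOKEN_HEADER)
        with self.lock:
            live = token in self.tokens and self.tokens[token] > time.monotonic()
        if not live:
            return self.send_error(401)  # an IMDSv1-style GET without a live token is rejected
        self._reply(200, json.dumps(FAKE_CREDS))

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    """Serve the stand-in on an ephemeral loopback port in a daemon thread; returns its base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def fetch_credentials(base_url, use_v2=True, forwarded_for=None):
    """Return the HTTP status of a credentials read.

    use_v2=False sends a bare GET (the classic SSRF pattern); use_v2=True does the
    PUT-for-token handshake first; forwarded_for emulates a request relayed by a proxy.
    """
    headers = {}
    try:
        if use_v2:
            put_headers = {TTL_HEADER: "21600"}
            if forwarded_for:
                put_headers["X-Forwarded-For"] = forwarded_for
            with urlopen(Request(base_url + TOKEN_PATH, method="PUT", headers=put_headers)) as r:
                headers[TOKEN_HEADER] = r.read().decode()
        with urlopen(Request(base_url + CREDS_PATH, headers=headers)) as r:
            return r.status
    except HTTPError as e:
        return e.code


if __name__ == "__main__":
    base = start_fake_imds()
    print("IMDSv1-style GET:", fetch_credentials(base, use_v2=False))                       # 401
    print("IMDSv2 handshake:", fetch_credentials(base))                                      # 200
    print("via proxy (X-Forwarded-For):", fetch_credentials(base, forwarded_for="198.51.100.7"))  # 403
```

On a real instance the equivalent control is `aws ec2 modify-instance-metadata-options --instance-id ... --http-tokens required` (or `MetadataOptions.HttpTokens: required` at launch). The stand-in does not model the PUT response hop limit (`--http-put-response-hop-limit`, default 1), which is the second half of the protection: it keeps the token response from crossing an extra network hop such as a container bridge.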
- Data Protection (18%)
Sources
Questions are grounded in 150 references from official and authoritative materials.