Getting my AWS Advanced Networking & Security Specialty Certifications

I was asked to write a short post about my experiences and what I can share with others about my recent AWS certification journey. Thanks to @bulletproofnet for their support along the way.

Over the past few months I have been working towards obtaining all of my AWS Specialty certifications. In January I completed the last of the #all5, finishing with the Solution Architect Professional and DevOps Engineer Professional certs.

The AWS Security Specialty had just been released as a beta, so to keep up the momentum I scheduled my exam for late January. Being a beta exam, the results weren't immediately available as they are for other AWS exams; I had to wait until today to receive my results. Another difference from the other exams is the scoring: they give you a percentage score, while for the beta it is simply 'pass'. A fortnight or so later I scheduled and completed the Network exam. I wasn't successful on my first attempt, another humbling experience. Back to the 'books' for a few more weeks, really cramming the knowledge. I felt I knew where I was lacking, so I focused on those areas. Second time's a charm, they say, and I passed. Goes to show that persistence pays off.

A short background: I have around 5 years' experience designing and implementing on AWS and 25 years in IT generally, covering everything from operations, engineering and architecture to consulting. I've learnt a thing or two about networking and security over the years within 'traditional IT', so I was comfortable with most of the general aspects I expected to face in the exam.

The exams are between 170 and 180 minutes, and the questions are multiple choice with multiple answers appearing to be correct. Choose the best fit, but consider what the question is asking for. Is it asking for Reliability or Cost Optimisation? They usually conflict when trying to build a solution but use the same technology. To attempt the Specialty exams, you must have an Associate level certification first. I'd suggest at least 1 of the Professional certifications as well; it will give you additional confidence to attempt the Specialty exams.

Time is a factor in all of the exams, but unlike the SA Pro exam, I found I completed these exams with more time to spare against the clock.

Study techniques and material

  • I have consistently used acloud.guru for all of my structured learning. I completed the Advanced Networking and Security Specialty courses (thanks @KroonenburgRyan & team). These are great courses and cover a range of ever expanding topics. I can highly recommend them.
  • Exam blueprint and practice questions. None of the Advanced exams have practice exams, and the Security exam didn't have practice questions as it was in beta; that will likely change. But do the questions early, before studying even. This helped me focus on certain topics a little more. You can try them again after studying to measure your improvement.
  • I read nearly all of the suggested whitepapers (find them in the blueprints). That's a lot of reading. I skimmed through some where I felt I already understood or knew the content, but there is lots of information gold in them.
  • Get hands-on, tinker, build something. It’s usually only a few cents/dollars to try a new idea.
  • YouTube re:Invent videos. A couple of great collections: the Advanced Networking Playlist, the Security and Compliance Playlist and the SA Pro Playlist. Pick and choose (so many great ones, but they can be up to 1 hour long), but watch as many as you can. There are days of content there.
  • If you have colleagues, talk about your AWS solutions and even AWS blogs. Challenge and test each other. I'm constantly being challenged, which makes me dive deep to reinforce the knowledge I've gained.

Overall, I would have studied for 50+ hours for each exam (even at double-speed videos!), and the same for the Professional level exams.

Ok, the good stuff.

For Networking, focus on:

  • Deep DX (Direct Connect) knowledge: VLANs/802.1q, public and private VIFs, and how to set up DX with 3rd party telcos.
  • Network redundancy and how VPNs, DX, BGP and inter-region traffic can work.
  • Solid routing skills covering VGW, route tables, BGP, AS-Path and MED for influencing traffic.
  • Deep knowledge of VPC and what NATGW, IGW, VGW and CGW are, the limits of each and why you use them; redundancy and reliability are tested a lot.
  • Good understanding of VPNs, VPC peering, multi-VPC design and IP subnetting for VPCs.
  • Deep ELB knowledge, including cross-zone LB, ELB balancing algorithms, ELB security policies, HTTPS, headers and IP requirements.
  • Brush up on CloudHub; it is not used often (I've never used it) but it serves a purpose.
  • Excellent knowledge of how DNS between the cloud and a corporate network works for multiple scenarios, including DNS forwarders and Route 53 knowledge.
  • Data charges for network traffic over IGW, DX, S3 and CloudFront. Check out this guide to AWS data charges in a nice diagram.
  • Learn to read VPC Flow Logs and understand why you might have ACCEPT and REJECT traffic. Understand your 'firewall controls' in AWS.
  • AWS Enhanced Networking, including how to use it (think instance types, ENAs, placement groups), what the limits are, speeds and when to use them.
  • AWS support levels (Personal Health Dashboard, Trusted Advisor). Automating incident response and troubleshooting network issues feature heavily as well.

For Security Specialty, focus on:

  • Tested knowledge of ports and protocols. Think about VPN, SSL and Windows.
  • Good understanding of IAM and STS.
  • Web attacks, SQL injection and DDoS defence techniques, detecting port scans, performing penetration scanning, and knowing how deep packet inspection is done and the services you might use. Think about WAF and Shield, and techniques to throttle traffic.
  • Know the AWS Shared Responsibility Model.
  • Using Security Groups, NACLs, S3 ACLs to control access to resources.
  • Understand how you could control traffic for 169.254 networks and external networks, how you control outbound web filtering and how you restrict EC2 traffic at the host level.
  • Know how auditing in AWS is achieved using the different logging services, CloudTrail and VPC Flow Logs.
  • Know the difference between the GuardDuty, Inspector and Trusted Advisor security features. Check out my other blog for a quick run-down on GuardDuty and Inspector for a 3 min refresher.
  • Thorough understanding of how you encrypt at rest and in transit, including when KMS, CloudHSM and other tools might be used for data encryption, and VPNs, bastions, ACM and SSL for securing traffic.
  • Workspaces is part of this exam, so understand how it is implemented.
  • Security incident response in AWS.

Conclusion

It has been a great experience overall. I feel humbled to be part of the first group to get the Security Certification. In terms of difficulty compared to other exams, the Advanced Networking Specialty was 2nd hardest, after the Solution Architect Professional exam. The Security Specialty seemed a little easier (at least for me). Everyone will come to the exam with different experiences, so it may be different for you. My AWS transcript can be found here.

If you have the chance to give it a try, go for it. The exam is now out of beta and generally available. Good luck!

What's next? Well, Big Data Specialty of course.

Free SSL – Secure your website

letsencrypt.org

Get a free SSL Certificate for use with your sites.


These notes are pretty rough and really a reference for me.

I am using a Bitnami Joomla stack and hence I edit bitnami.conf (instead of httpd.conf).

### letsencrypt install
## Main point is DNS MUST resolve to right IP
## Cannot put wiki.name.com and www.name.com on same certificate as they are on different IPs.
##
### Make sure nothing is listening on Port 80 as we start our own web-server.
sudo apt-get update
sudo apt-get -y install git
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
# standalone starts its own listener on port 80 to answer the challenge; -w (webroot path)
# only applies to the webroot plugin, so it is dropped here. Use bare hostnames after -d.
sudo /opt/letsencrypt/letsencrypt-auto certonly -a standalone -d yourdomain.com -d www.yourdomain.com

sudo crontab -e
# Add this to crontab for auto renewal
# Note: a standalone renewal also needs port 80 free, so Apache must be stopped around it
# (certbot's --pre-hook/--post-hook), otherwise the renewal fails while Apache is listening.
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
####
# Update SSL Cert in Apache (httpd.conf/bitnami.conf)
# remove old and add these (use straight " quotes; curly quotes pasted from an editor break the path)
# chain.pem holds just the intermediate; on Apache 2.4.8+ SSLCertificateChainFile is deprecated
# and fullchain.pem can be given to SSLCertificateFile instead.
SSLCertificateFile "/etc/letsencrypt/live/yourdomain.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/yourdomain.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/yourdomain.com/fullchain.pem"

Force SSL in Apache
From here > https://wiki.bitnami.com/Components/Apache#How_to_force_HTTPS_redirection_for_my_application.3f
# Add these to Apache (httpd.conf/bitnami.conf), inside the existing <VirtualHost *:80> block,
# so every plain-HTTP request is redirected to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
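As an added example (not from these notes or the Bitnami wiki), a small checker for the bitnami.conf edits above; the function name `lint_apache_tls` and the constructed sample config are my own assumptions:

```python
# Added example, not from the original post: a small linter for the bitnami.conf
# TLS edits above. It flags what silently breaks a hand-edited config: curly quotes
# around cert paths, paths outside the Let's Encrypt live/ dir, no redirect in :80.
import re

LIVE_DIR = "/etc/letsencrypt/live/"
CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
                   "SSLCertificateChainFile")
SMART_QUOTES = "\u201c\u201d\u2018\u2019"   # what a word processor pastes in


def lint_apache_tls(conf):
    findings = []           # empty list means the config looks right
    vhost = None            # port of the <VirtualHost> block we are inside
    redirect_ports = set()  # vhost ports that carry an https:// RewriteRule
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+\S*?:(\d+)>", line)
        if m:
            vhost = m.group(1)
            continue
        if line.lower() == "</virtualhost>":
            vhost = None
            continue
        directive = line.split(None, 1)[0]
        if directive in CERT_DIRECTIVES:
            if any(q in line for q in SMART_QUOTES):
                findings.append(f"line {lineno}: {directive} uses curly quotes, Apache cannot open it")
            path = line[len(directive):].strip().strip('"' + SMART_QUOTES)
            if not path.startswith(LIVE_DIR):
                findings.append(f"line {lineno}: {directive} is not under {LIVE_DIR}, renewals will not be served")
        elif directive == "RewriteRule" and "https://" in line:
            redirect_ports.add(vhost)
    if "80" not in redirect_ports:
        findings.append("no HTTPS redirect inside <VirtualHost *:80>, plain HTTP stays reachable")
    return findings


# Constructed sample mirroring the notes as pasted: curly quotes on line 1, a chain
# file outside live/ on line 3, and the redirect rules outside any VirtualHost.
PASTED_CONF = """\
SSLCertificateFile \u201c/etc/letsencrypt/live/yourdomain.com/cert.pem\u201d
SSLCertificateKeyFile "/etc/letsencrypt/live/yourdomain.com/privkey.pem"
SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
"""

if __name__ == "__main__":
    for finding in lint_apache_tls(PASTED_CONF):
        print(finding)
```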