AWS security certifications have burst onto the scene in recent years, with more than 13 percent of professionals looking to get certified in cybersecurity specifically pursuing a certification around Amazon Web Services, according to IT training company Global Knowledge.
The AWS Certified Security – Specialty certification can serve as a stepping stone to higher pay, with roughly one-quarter of respondents indicating to Global Knowledge they got a post-certification pay bump due to either their performance in their current job, a promotion within their company or a lateral move to another company.
AWS security certificate-holders most commonly work in cybersecurity, cloud or IT architecture or design, and more than two-thirds have gotten a new certification within the past six months, according to Global Knowledge. The other certifications they hold are either from other vendors like Microsoft or Cisco or vendor-neutral certificates from (ISC)², CompTIA or ISACA, Global Knowledge found.
This feature presents recommendations from security experts at eight firms as to how practitioners can maximize the value of their AWS security certifications, examining everything from the proper amount of industry experience and hands-on practice to the recommended certification path to what type of salary bump certificate-holders can expect. AWS did not respond to repeated requests for comment.
10. Go broad when starting with AWS, then specialise
Practitioners looking to build up a broad knowledge base around AWS will often get two or even all three of the associate-level certifications, which span the gamut from developer to solutions architect to SysOps administrator, according to Ken Underhill, Cybrary’s master instructor.
From there, Underhill said practitioners normally narrow their purview as they move onto professional-level or specialty certifications. Underhill said he’s seen people go for specialties in both security and advanced networking since each requires a lot of infrastructure work.
Foundational or associate-level certificates for AWS don’t have any prerequisites, but people pursuing a professional-level or specialty certification in AWS must have at least one associate-level certification first, according to Leif Jackson, Cybrary’s vice president of content and community.
9. Capitalise on hard work with promotion or new job
AWS is a very widespread and highly regarded cloud provider and, as a result, people looking to get promoted or find new jobs tend to go after these certifications, according to Brad Puckett, global portfolio director at Global Knowledge.
And within security, Puckett said many mid-career SOC (Security Operations Center) analysts are looking to find and develop their skills in an emerging area. Given that cybersecurity and cloud are the most in-demand areas for practitioners, Puckett said the AWS Certified Security – Specialist certification allows people to hone their expertise in both fields.
The average salary for AWS Certified Security – Specialist certification holders jumped by more than 12 percent over the past year from $102,301 in 2019 to $115,705 in 2020, according to Global Knowledge. Nearly half of the AWS Security certificate-holders who responded to the Global Knowledge survey changed employers or job roles soon after obtaining the certification, the company found.
8. Gain a deep understanding of the infrastructure
Since rolling out a public cloud track, Fortinet has seen an uptick from both customers and cloud-native partners looking to achieve marketplace certifications, according to Jon Bove, vice president of Americas channels. Fortinet has built a curriculum of best practices for AWS that spans both security and network competencies, said Matt Pley, vice president of cloud and service providers.
The company has focused on developing competency around the components making up the infrastructure requirements for public cloud providers such as high availability, auto-scaling, software-defined networking connectors and managing traffic, Bove said. Fortinet is trying to give stakeholders background on security challenges in the cloud as well as a sense of how to manage traffic and auto-scaling, he said.
Many security professionals are more DevOps-minded and less DevSecOps-minded, and Pley said they need to learn how to build and reuse security applications and infrastructure. When building in the cloud, Pley said practitioners must think about security as being two steps ahead of infrastructure.
7. Capitalise on certifications early in a career
Certifications create differentiation, which is really fundamental for security practitioners in the early phases of their career, according to Matt Chiodi, Palo Alto Networks’ chief security officer of public cloud. But as practitioners mature in their career and gain more experience, Chiodi said the value of certifications starts to drop off unless the person is looking to pivot into a new specialty.
The AWS Certified Security – Specialty certification makes sense for organizations that are heavily invested in AWS, Chiodi said. But when it comes to maximizing the individual benefits of professional development, Chiodi said he puts more stock in broad vendor-neutral certifications.
The CISSP (Certified Information Systems Security Professional) has remained the most trusted certification in cybersecurity for many years, Chiodi said, while the CEH (Certified Ethical Hacker) helps practitioners better understand how hackers operate by getting them into the mindset of the adversary.
6. Obtain traditional security certifications as well
The AWS Certified Security – Specialty is great for mastering the AWS environment itself, but for security for an entire ecosystem, traditional security certifications are needed as well, said Rohit Dhamankar, Alert Logic’s vice president of threat intelligence products. Security practitioners still must know how malware works and have basic knowledge at the application level to enjoy success more broadly, he said.
Practitioners must have well-rounded knowledge of the environment in which attacks are taking place as well as an understanding of where vulnerabilities can be found, said Onkar Birk, Alert Logic’s chief product officer. If a security practitioner doesn’t understand the environment he or she is operating in in the first place, Birk said leveling security on top of that is an exercise in futility.
Practitioners must understand how AWS relates to the environment they’re currently working in, what commonalities apply and where they occur, according to Birk. To be more tactical, Birk said practitioners should have a grasp of where microservices, APIs at rest and different types of databases apply.
5. Hands-on experience is vital
The AWS certifications create standardization and provide people with a way to jump into the cloud, especially as they on-board at a new company, according to Marina Segal, Check Point Software Technologies’ head of product management for cloud SecOps and compliance.
The foundational certifications provide a more theoretical examination of AWS security, but as the certifications become more advanced, Segal said the need for hands-on competency rises. People looking to master AWS security should set up an account, start creating and click through the platform to get their hands dirty since it’s difficult to recall how to put abstract knowledge into action.
Meanwhile, the AWS Certified Solutions Architect provides a very good set of content to cover and ensures practitioners know about the latest platform advancements, according to Segal. Certifications can dramatically shorten the amount of time needed to build up cloud security knowledge from weeks to just four hours of concise and practical learning, Segal said.
4. Verify baseline of security knowledge to employer
The AWS Certified Security – Specialty ensures practitioners have the knowledge needed to set up key stores, apply identity and access management correctly, manage keys to a particular instance, and understand what life-cycle management should look like in a container environment, according to Tim Mackey, principal security strategist at Synopsys.
The certification provides a baseline of known expertise so that a company can be confident that the person managing its cloud operations knows the basic principles of delegated access and doesn’t arbitrarily allow a back door to authentication, Mackey said. The certification ensures that someone coming in knows the basics of how an AWS environment is secured and avoids things like open S3 buckets.
Mackey praised AWS’s architecture-related certifications for ensuring broad swaths of the problem space are taken care of so that a database manager or operator knows where to go to change configuration settings. Asking the right kinds of questions to an app owner can help businesses avoid having to clean up a mess after the fact, according to Mackey.
3. AWS DevOps Certification also useful in security settings
The AWS Certified DevOps Engineer – Professional ties into cloud adoption frameworks and can teach practitioners a lot about building well-running services effectively and implementing best practices, according to Mark Nunnikhoven, Trend Micro’s vice president of cloud research.
The AWS DevOps certification asks about edge cases that pop up more than users might think and helps practitioners figure out the optimal architecture for a deployment, Nunnikhoven said. While the security team has threat knowledge, the DevOps team has infrastructure knowledge that can help address some vulnerabilities, said Steve Quane, executive vice president of network defense and hybrid cloud security.
Associate and professional certifications outside security also harp on identity and access management, Nunnikhoven said, ensuring practitioners know how to apply permissions, make secure connections between services, and understand what an error looks like. The security skills delivered through AWS certifications help ensure the principle of least privilege is being applied, he said.
2. Associate certs provide high-level view of AWS
There are literally hundreds if not thousands of different features and solutions offered by AWS, and the AWS Certified Solutions Architect – Associate provides a broad, high-level view of those features, according to Cybrary’s Underhill. For this reason, Underhill said it makes a good starting point for practitioners looking to immerse themselves in AWS.
From there, Underhill said AWS’ professional-level certifications provide a more detailed look at components like securing S3 buckets or identity and access management. Taking a deep dive in those areas that go beyond just passing an exam will make AWS security practitioners more successful, according to Underhill.
The AWS Certified Security – Specialist will also talk about protocols, data classification and encryption as well as incident response, log monitoring and infrastructure security, Underhill said. Obtaining this certification solidifies an employee as the go-to expert within their organization for cloud security, according to Underhill.
1. Should have at least mid-career security skills
The AWS Certified Security – Specialist requires previous architecture and security engineering training as well as detailed knowledge of AWS workloads and technology, said Global Knowledge’s Puckett. Those pursuing the certification should have an advanced understanding of what security workloads look like on AWS as well as what’s required on AWS for those particular security controls, Puckett said.
Certificate-seekers should understand both the patching order on AWS as well as what AWS’ computational and storage systems look like, according to Puckett. Obtaining this level of skill typically requires at least five years of on-the-job training and learning in IT security as well as a year or two of concentrated exposure to AWS, Puckett said.
Sixty-five percent of AWS Certified Security – Specialist certificate-holders have at least 11 years of career experience, while just 11 percent have five years of experience or less, according to Global Knowledge data. Having knowledge across the eight pillars of cybersecurity provides a holistic understanding of a company’s security operation, according to Puckett.