“The enemy knows the system,” Kerckhoffs's Principle states.
That is, design cryptographic systems that assume the enemy knows all the workings of the system except for the key material itself.
But there is a corollary to this principle as a CISO: You must know the systems you want to defend. If the enemy knows the system, then you better know it too.
How else can you play defense against an active, hostile adversary?
Today, for better or for worse, AWS is the operating system of the internet.
And AWS has reached such a degree of complexity and abstraction that it's no longer enough to know, for example, the deep inner workings of Linux as an operating system.
I've been working professionally with Linux since 2002, as a developer, as a sysadmin, and as a security engineer. And while Linux is the foundational building block of (almost) all cloud infrastructure, saying deep Linux knowledge alone qualifies you as a cloud security expert is like saying you know how to pour concrete but you haven't the foggiest idea how to architect a building. Foundations are great but at a certain point you have to go beyond that.
In the cloud that means Kubernetes and proprietary cloud tools and configurations. If you don't have these two higher layers of abstraction under your belt, then you have a major blind spot on your radar.
(Because blind belts show up on radars? Mixed metaphors for the win!)
I already had some AWS technical knowledge from many years of work experience at multiple companies, but there were definitely gaps in my understanding. So over the course of six months I worked in my scarce free time to pick up the seven certifications that, in my view, represent a core understanding of AWS.
For those unfamiliar with AWS certifications, they are actually pretty difficult. While it's true they are multiple choice, the time limits are tight and if you don't know the material cold then you will fail the exam. And while holding these certs doesn't prove that you are a keyboard maestro, the dozens and dozens of hours spent reading AWS documentation is time well spent, and the certs are meaningful. As a hiring manager myself, if I see these certs on a candidate's CV, that definitely is a plus from my point of view.
There's a reason why Wiz, the insta-unicorn cloud security vendor that owns the CSPM space, has been so successful so quickly. Every new layer of abstraction brings new security risk, and in any sufficiently complex system lurks risk of both accidental human error as well as willful, malicious exploitation by active adversaries.
Does getting all these certs make sense for every security engineer, or every CISO? Maybe not, but it makes sense for me. I work for a cloud-first, cloud-native tech company with extreme security risk. I don't have any on-prem or hybrid infrastructure to defend, so sharpening my cloud security skills serves my employer well. It also, incidentally, manages my employment risk—in a volatile market it is wise to strengthen your professional value should the unlikely event occur that you need to find new employment. The stronger your skills, the stronger your CV, the more valuable you are on the market.
Some certs are a joke, and a waste of time and money, it is true. But the AWS technical certs are inexpensive, offer meaningful knowledge improvement, and serve as a reasonable proxy for technical ability.