Free study guide · written by holders of the cert
AWS Certified Security — Specialty
What the SCS-C02 actually tests, the topics our team flags as load-bearing in real engagements, and the labs that translate study time into a pass.
Last updated: April 30, 2026
Author: FactualMinds AWS Architects
Reviewed by: Palaniappan P · AWS Solutions Architect — Professional, Security Specialty, DevOps Engineer
Exam code: SCS-C02
Duration: 170 minutes
Questions: 65
Cost: $300 USD
Passing score: 750 / 1000
Format: Multiple choice and multiple response
Valid for: 3 years
Recommended experience: 5 years of IT security experience designing and implementing security solutions; 2 years of hands-on experience securing AWS workloads
Exam domains
6 domains · 58 topics
1. Threat Detection and Incident Response (14%)
- GuardDuty: finding types, suppression rules, multi-account aggregation, runtime monitoring for EKS and Fargate
- Security Hub: standards (CIS, AWS Foundational, NIST 800-53, PCI DSS), insights, automation rules
- Detective: behavioral analytics, finding investigation graphs
- Macie: S3 PII discovery, custom data identifiers
- AWS Audit Manager for continuous compliance evidence
- Inspector v2: continuous scanning of EC2, ECR images, and Lambda
- Incident response automation with EventBridge → Lambda / Step Functions
- Forensic patterns: VPC traffic mirroring, EBS volume snapshots for offline analysis, memory dumps via SSM
- Amazon Security Lake (OCSF format) for centralized security data
- AWS Health and Personal Health Dashboard during incident response
2. Security Logging and Monitoring (18%)
- CloudTrail: management vs data events, organization trails, log file integrity validation
- CloudTrail Lake for SQL-based audit queries; CloudTrail vs CloudWatch Logs trade-offs
- VPC Flow Logs (standard vs custom format), Route 53 Resolver query logs
- AWS Config: managed and custom rules, conformance packs, Config aggregator
- CloudWatch Logs metric filters, subscription filters → Kinesis / Lambda for SIEM
- Centralized logging architecture: log archive account, S3 Object Lock for tamper-proofing
- SIEM integration patterns (Splunk, Datadog, Sentinel) — push via Kinesis Data Firehose
- Log retention strategy and cost: CloudWatch Logs Tiered Storage, S3 Intelligent-Tiering
- AWS X-Ray for distributed tracing during security incidents
3. Infrastructure Security (20%)
- VPC design: public / private / isolated subnets, NAT Gateway vs VPC Endpoints
- PrivateLink for SaaS and inter-VPC service exposure without public internet exposure
- Security groups (stateful) vs NACLs (stateless), reachability analyzer
- Transit Gateway for hub-and-spoke; AWS Cloud WAN for global multi-region networks
- AWS Network Firewall vs WAF: stateless / stateful filtering vs L7 web filtering
- Shield Standard (free) vs Shield Advanced (DDoS Response Team, cost protection)
- WAF managed rule groups, rate-based rules, Bot Control, CAPTCHA, geo-match
- AWS Verified Access for workforce zero-trust without VPN (2024 GA, 2025 exam refresh)
- EC2 Instance Connect Endpoint vs Bastion vs SSM Session Manager
- AWS Firewall Manager for organization-wide WAF and Shield policies
4. Identity and Access Management (16%)
- IAM users vs roles, identity providers, federation patterns
- IAM policy types: identity-based, resource-based, permission boundaries, SCPs, session policies
- Policy evaluation logic: explicit deny, organization SCP, resource policy, identity policy
- IAM Access Analyzer: external access findings, unused access findings (added in 2024 refresh)
- IAM Identity Center: permission sets, multi-account assignments, external IdP federation (Okta, Entra ID)
- Cognito User Pools (B2C) vs Identity Pools (federated identities for AWS access)
- STS AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity
- Cross-account access patterns: IAM roles, resource-based policies, least-privilege role chaining
- EC2 Instance Profiles, IRSA for EKS, Pod Identity, Lambda execution roles
- AWS Verified Permissions for application-level fine-grained authorization (Cedar policies)
5. Data Protection (18%)
- KMS: AWS managed vs customer managed keys, key rotation, multi-region keys, key policies
- KMS grants vs key policies; envelope encryption pattern
- CloudHSM for FIPS 140-3 Level 3 requirements; KMS Custom Key Store backed by CloudHSM
- Secrets Manager: rotation, cross-region replication, resource-based policies
- ACM-issued public certs vs ACM Private CA for internal certs
- S3 encryption: SSE-S3, SSE-KMS (with bucket key for cost), SSE-C, dual-layer (DSSE-KMS)
- S3 Object Lock (governance / compliance modes) for WORM compliance
- EBS encryption defaults, EFS encryption, RDS encryption (cannot be enabled in place)
- AWS Payment Cryptography for PCI workloads
- Macie for S3 PII discovery; integration with custom data identifiers
6. Management and Security Governance (14%)
- AWS Organizations: OU structure, SCPs as deny-all-then-allow guardrails
- AWS Control Tower: mandatory and elective controls, account vending
- Resource control policies (RCPs) — newer than SCPs, apply to resource-based policies
- Tagging strategies for security: data classification, owner, cost allocation, compliance scope
- AWS Config conformance packs aligned to NIST, CIS, PCI DSS
- AWS Audit Manager evidence collection for SOC 2, HIPAA, PCI
- License Manager for software license compliance
- AWS Backup with Backup Vault Lock for compliance-grade backups
- GenAI security: Bedrock Guardrails, model evaluation, prompt injection mitigation (added in 2025)
Why this exam is worth it
Of all the AWS certifications, Security Specialty is the one whose content most directly translates into the work. The IAM policy evaluation patterns, KMS key design questions, and detection-and-response scenarios show up in real Landing Zone designs, in real audits, and in real incident responses. Most of our compliance and security engagements (HIPAA, SOC 2, PCI) lean directly on this body of knowledge.
A 10-week study plan
Weeks 1–2 — Identity foundation. IAM policy types, evaluation logic, IAM Identity Center, STS, federation. This is the spine of the exam — every other domain assumes fluency here.
Weeks 3–4 — Data protection. KMS in depth (key policies vs grants, multi-region keys, custom key stores), Secrets Manager rotation, ACM and ACM Private CA. Build the labs.
Weeks 5–6 — Infrastructure and network security. VPC, Network Firewall, WAF, Shield, Verified Access, PrivateLink. This domain has the highest weight (20%); spend the time.
Weeks 7–8 — Detection, logging, and incident response. CloudTrail, GuardDuty, Security Hub, Detective, Macie, Inspector, Security Lake. The 2024 and 2025 service updates land heavily here.
Weeks 9–10 — Governance and final ramp. Organizations, Control Tower, SCPs, RCPs, Audit Manager, Backup Vault Lock, Bedrock Guardrails. Take three full-length practice exams in the last week — aim for 80%+ before booking.
Where this knowledge meets the work
This certification’s content map is essentially the first half of every Cloud Compliance Services and AWS Cloud Security engagement we run. The exam validates fluency; the engagements force application under real-world constraints.
Study resources we recommend
AWS Certified Security — Specialty Exam Guide (Official PDF)
Read the exam guide cover to cover. Twice. The objective wording is more precise than any third-party material.
AWS Skill Builder — Security Specialty learning plan
Free AWS-published path with official practice questions. Use this as your primary structured material.
Stephane Maarek — Ultimate AWS Certified Security Specialty (Udemy)
Solid, well-paced. Best paired with hands-on AWS access so you can replicate the IAM, KMS, and VPC labs.
Adrian Cantrill — AWS Certified Security Specialty
Deeper than Stephane on networking and KMS. The right course if you want to genuinely understand the material rather than memorize.
Tutorials Dojo — SCS-C02 Practice Tests
The closest practice exam to real difficulty. Use review mode aggressively.
AWS Security Reference Architecture (SRA)
The reference architecture for organization-wide security. Several scenario questions are direct applications of SRA patterns.
AWS Well-Architected Security Pillar whitepaper
Tracks closely to the exam's logging, detection, and IAM domains.
AWS Encryption Best Practices whitepaper
Read once. KMS, envelope encryption, and key policy questions become much easier.
CloudGoat (Rhino Security Labs)
Vulnerable-by-design AWS environments to practice attack and detection. Optional, but pays back if you want to genuinely understand IAM privilege escalation.
Recommended reading from our blog
How to Set Up AWS Security Hub for Compliance Monitoring
AWS Security Hub aggregates security findings from 200+ sources (GuardDuty, Config, IAM Access Analyzer, Inspector). This guide covers setup, compliance standards (PCI DSS, CIS, NIST), automated remediation, and building a compliance dashboard without hiring a SOC team.
AWS GuardDuty Threat Detection: A Production Setup Guide
How to deploy, tune, and operationalize Amazon GuardDuty for production threat detection — covering finding types, multi-account setup, automated response, and reducing false positives.
How to Achieve SOC 2 Type II Compliance on AWS (2026 Checklist)
SOC 2 Type II certification proves your controls are effective over 6–12 months. This guide covers the compliance roadmap, AWS security controls, documentation requirements, and audit preparation for 2026 certification.
How to Implement a HIPAA-Compliant Architecture on AWS — An Engineer's Build Guide
A solutions architect's build guide for HIPAA on AWS. KMS key strategy, VPC isolation, RDS/S3/Lambda configuration patterns, IaC controls, and continuous validation — code-level decisions, not policy templates.
ISO 27001 Certification on AWS: ISMS Implementation Guide for 2026
A practical guide to ISO 27001:2022 certification on AWS — building an ISMS that survives Stage 1 and Stage 2 audits, mapping the 93 Annex A controls to AWS services, and producing the evidence packages assessors actually request.
Where this certification's topics show up in our consulting
AWS Security Consulting
AWS security consulting from an AWS Select Tier Partner. 2-week assessment, 4–6 week remediation, zero disruption. IAM hardening, public exposure, compliance gaps, and continuous monitoring.
AWS Managed SOC & MDR Services
24/7 managed SOC and MDR for AWS — GuardDuty, Security Hub, Security Lake. Threat hunting, automated containment, incident response from an AWS Select Tier Partner.
AWS Penetration Testing Services
AWS-aware penetration testing — IAM privilege escalation, S3 misconfiguration, instance metadata exploitation, web app and API testing. OSCP-certified testers, OWASP/PTES methodology, AWS-compliant scope.
Cloud Compliance Services — HIPAA, SOC 2, PCI DSS on AWS
Cloud compliance services — HIPAA, SOC 2, PCI DSS, ISO 27001, GDPR. Expert consulting from FactualMinds.
Frequently asked questions
How hard is the Security Specialty compared to the SAA?
Materially harder. The questions are longer, more scenario-heavy, and assume you can reason about IAM policy evaluation and KMS key policies under pressure. Plan for 8–12 weeks of focused study, even if you already hold the SAA. The 2025 content refresh also added GenAI security topics that most existing material does not yet cover well.
Should I take this before or after the Solutions Architect Professional?
Either order works. Many engineers we hire take the Security Specialty first because it is more directly aligned with day-to-day work in regulated environments (HIPAA, PCI, SOC 2). The Professional certifies broader architectural judgment; the Security Specialty certifies depth in one critical pillar. Pick based on your near-term role.
How important are the whitepapers?
More important than for the SAA. The AWS Security Reference Architecture and the Encryption Best Practices whitepaper are essentially required reading — several exam questions are direct applications of patterns from those documents. Allocate at least one full study day to each.
What new topics did the 2025 refresh add?
Bedrock Guardrails, model evaluation, and prompt injection mitigation in the Governance domain. AWS Verified Access and Verified Permissions in the Infrastructure and IAM domains. IAM Access Analyzer unused-access findings as a standard baseline. Resource Control Policies (RCPs) alongside SCPs. Macie custom data identifiers. Confirm topic coverage in your video course before relying on a pre-2025 study plan.
Need this certification's expertise on your team?
FactualMinds engineers hold 50+ AWS certifications. Whether you're hiring, training, or staffing a project, we can match the right depth to your engagement.
