Stay ahead by continuously learning and advancing your career. Learn More

AWS Certified Security – Specialty (SCS-C02)

AWS Certified Security – Specialty (SCS-C02)

The AWS Certified Security – Specialty (SCS-C02) certification is designed to validate an individual’s advanced skills and expertise in securing data, applications, and infrastructure within the AWS Cloud. It assesses the candidate’s ability to implement robust security controls and measures using native AWS tools and services.

This certification is ideal for professionals who are responsible for security in their organization’s cloud environment and wish to showcase their ability to design and execute security solutions effectively.

– Key Competencies Validated

Candidates who earn this certification will demonstrate proficiency in the following areas:

  • Understanding of advanced data classification techniques and AWS-native data protection services
  • Knowledge of data encryption methodologies and how to apply AWS tools to secure sensitive information
  • Implementation of secure internet protocols and associated AWS security mechanisms
  • Hands-on experience with AWS security services and their configuration to ensure a secure and compliant production environment
  • Ability to make strategic decisions balancing cost, security, and deployment complexity based on application requirements
  • Strong grasp of security operations, risk management, and incident response within the AWS ecosystem

– Target Audience

This certification is intended for individuals who:

  • Perform security roles and responsibilities within an AWS environment
  • Have 3–5 years of experience in designing and deploying security solutions
  • Possess at least 2 years of hands-on experience in securing AWS workloads and leveraging AWS security services

– Recommended AWS Knowledge

Before attempting the SCS-C02 exam, candidates should be familiar with the following concepts:

  • AWS Shared Responsibility Model and how it applies to security responsibilities
  • Core AWS services and best practices for cloud solution deployment
  • Implementation of security controls for cloud-based environments
  • Logging, monitoring, and auditing strategies for AWS workloads
  • Vulnerability management and security automation techniques
  • Integration of AWS security services with third-party security tools
  • Disaster recovery and backup planning for business continuity
  • Principles of cryptography and key management in the AWS ecosystem
  • Identity and Access Management (IAM) strategies
  • Data retention, archiving, and lifecycle management
  • Troubleshooting and resolving common security-related issues
  • Managing multi-account environments and ensuring organizational compliance
  • Threat detection, risk assessment, and incident response procedures

Exam Details

AWS SCS-C02
  • The AWS Certified Security – Specialty (SCS-C02) exam falls under the Specialty certification category and is designed for individuals with deep expertise in securing AWS environments.
  • The total duration of the exam is 170 minutes, during which candidates are required to answer 65 questions presented in either multiple-choice or multiple-response formats.
  • Candidates have the flexibility to take the exam through a Pearson VUE testing center or via an online proctored option, depending on their preference and availability.
  • The exam is available in several languages, including English, Japanese, Korean, Portuguese (Brazil), Simplified Chinese, and Spanish (Latin America), making it accessible to a global audience.
  • Results are reported as a scaled score ranging from 100 to 1,000, with a minimum passing score of 750. This scaled scoring system ensures consistency in evaluating performance across different versions of the exam.

Course Outline

The exam covers the following topics:

1. Understand Threat Detection and Incident Response (14%)

Task Statement 1.1: Designing and implementing an incident response plan.

Knowledge of:

Skills in:

Task Statement 1.2: Detecting security threats and anomalies by using AWS services.

Knowledge of:

Skills in:

  • Evaluating findings from security services (for example, GuardDuty, Security Hub, Macie, AWS Config, IAM Access Analyzer) (AWS Documentation: AWS service integrations with AWS Security Hub)
  • Searching and correlating security threats across AWS services (for example, by using Detective)
  • Performing queries to validate security events (for example, by using Amazon Athena) (AWS Documentation: Querying AWS CloudTrail logs)
  • Creating metric filters and dashboards to detect anomalous activity (for example, by using Amazon CloudWatch) (AWS Documentation: Using CloudWatch anomaly detection)

Task Statement 1.3: Responding to compromised resources and workloads.

Knowledge of:

Skills in:

  • Automating remediation by using AWS services (for example, AWS Lambda, AWS Step Functions, EventBridge, AWS Systems Manager runbooks, Security Hub, AWS Config) (AWS Documentation: AWS Systems Manager Automation)
  • Responding to compromised resources (for example, by isolating Amazon EC2 instances) (AWS Documentation: Remediating a potentially compromised Amazon EC2 instance)
  • Investigating and analyzing to conduct root cause analysis (for example, by using Detective) (AWS Documentation: What is Amazon Detective?)
  • Capturing relevant forensics data from a compromised resource (for example, Amazon Elastic Block Store [Amazon EBS] volume snapshots, memory dump) (AWS Documentation: Amazon EBS snapshots)
  • Querying logs in Amazon S3 for contextual information related to security events (for example, by using Athena) (AWS Documentation: Querying AWS CloudTrail logs)
  • Protecting and preserving forensic artifacts (for example, by using S3 Object Lock, isolated forensic accounts, S3 Lifecycle, and S3 replication) (AWS Documentation: Using S3 Object Lock)
  • Preparing services for incidents and recovering services after incidents (AWS Documentation: Recovery)

2. Learn About Security Logging and Monitoring (18%)

Task Statement 2.1: Designing and implementing monitoring and alerting to address security events.

Knowledge of:

  • AWS services that monitor events and provide alarms (for example, CloudWatch, EventBridge) (AWS Documentation: Alarm events and EventBridge)
  • AWS services that automate alerting (for example, Lambda, Amazon Simple Notification Service [Amazon SNS], Security Hub) (AWS Documentation: Automated response and remediation)
  • Tools that monitor metrics and baselines (for example, GuardDuty, Systems Manager)

Skills in:

Task Statement 2.2: Troubleshooting security monitoring and alerting.

Knowledge of:

Skills in:

  • Analyzing the service functionality, permissions, and configuration of resources after an event that did not provide visibility or alerting (AWS Documentation: Refining permissions in AWS using last accessed information)
  • Analyzing and remediating the configuration of a custom application that is not reporting its statistics (AWS Documentation: What Is AWS Config?)
  • Evaluating logging and monitoring services for alignment with security requirements (AWS Documentation: Monitoring and Logging)

Task Statement 2.3: Designing and implementing a logging solution.

Knowledge of:

Skills in:

Task Statement 2.4: Troubleshooting logging solutions.

Knowledge of:

Skills in:

Task Statement 2.5: Designing a log analysis solution.

Knowledge of:

Skills in:

3. Understand Infrastructure Security (20%)

Task Statement 3.1: Designing and implementing security controls for edge services.

Knowledge of:

Skills in:

  • Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend) (AWS Documentation: Identity and access management)
  • Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)
  • Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries) (AWS Documentation: Vulnerability Reporting)
  • Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)
  • Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit) (AWS Documentation: Restricting the geographic distribution of your content)
  • Activating logs, metrics, and monitoring around edge services to indicate attacks (AWS Documentation: Metrics and alarms)

Task Statement 3.2: Designing and implementing network security controls.

Knowledge of:

Skills in:

  • Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)
  • Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall) (AWS Documentation: Control traffic to subnets using network ACLs)
  • Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs) (AWS Documentation: What is a transit gateway?)
  • Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring) (AWS Documentation: Monitor your Network Load Balancers)
  • Determining redundancy and security workload requirements for communication between on-premises environments and the AWS Cloud (for example, by using AWS VPN, AWS VPN over Direct Connect, and MACsec) (AWS Documentation: AWS Direct Connect)
  • Identifying and removing unnecessary network access (AWS Documentation: Security best practices in IAM)
  • Managing network configurations as requirements change (for example, by using AWS Firewall Manager) (AWS Documentation: Working with AWS Firewall Manager policies)

Task Statement 3.3: Designing and implementing security controls for compute workloads.

Knowledge of:

  • Provisioning and maintenance of EC2 instances (for example, patching, inspecting, creation of snapshots and AMIs, use of EC2 Image Builder) (AWS Documentation: What is EC2 Image Builder?)
  • IAM instance roles and IAM service roles (AWS Documentation: IAM roles)
  • Services that scan for vulnerabilities in compute workloads (for example, Amazon Inspector, Amazon Elastic Container Registry [Amazon ECR]) (AWS Documentation: Scanning Amazon ECR container images with Amazon Inspector)
  • Host-based security (for example, firewalls, hardening)

Skills in:

Task Statement 3.4: Troubleshooting network security.

Knowledge of:

  • How to analyze reachability (for example, by using VPC Reachability Analyzer and Amazon Inspector) (AWS Documentation: Getting started with Reachability Analyzer)
  • Fundamental TCP/IP networking concepts (for example, UDP compared with TCP, ports, Open Systems Interconnection [OSI] model, network operating system utilities)
  • How to read relevant log sources (for example, Route 53 logs, AWS WAF logs, VPC Flow Logs) (AWS Documentation: Logging IP traffic using VPC Flow Logs)

Skills in:

AWS Certified Security – Specialty exam

4. Learn About Identity and Access Management (16%)

Task Statement 4.1: Designing, implementing, and troubleshooting authentication for AWS resources.

Knowledge of:

Skills in:

Task Statement 4.2: Designing, implementing, and troubleshooting authorization for AWS resources.

Knowledge of:

Skills in:

5. Understand Concepts of Data Protection (18%)

Task Statement 5.1: Designing and implementing controls that provide confidentiality and integrity for data in transit.

Knowledge of:

Skills in:

  • Designing secure connectivity between AWS and on-premises networks (for example, by using Direct Connect and VPN gateways) (AWS Documentation: AWS Direct Connect )
  • Designing mechanisms to require encryption when connecting to resources (for example, Amazon RDS, Amazon Redshift, CloudFront, Amazon S3, Amazon DynamoDB, load balancers, Amazon Elastic File System [Amazon EFS], Amazon API Gateway) (AWS Documentation: Encrypting Amazon RDS resources)
  • Requiring TLS for AWS API calls (for example, with Amazon S3) (AWS Documentation: Infrastructure security in Amazon S3)
  • Designing mechanisms to forward traffic over secure connections (for example, by using Systems Manager and EC2 Instance Connect) (AWS Documentation: Connect using EC2 Instance Connect)
  • Designing cross-Region networking by using private VIFs and public VIFs

Task Statement 5.2: Designing and implementing controls that provide confidentiality and integrity for data at rest.

Knowledge of:

  • Encryption technique selection (for example, client-side, server-side, symmetric, asymmetric) (AWS Documentation: AWS KMS concepts)
  • Integrity-checking techniques (for example, hashing algorithms, digital signatures) (AWS Documentation: Checking object integrity)
  • Resource policies (for example, for DynamoDB, Amazon S3, and AWS Key Management Service [AWS KMS]) (AWS Documentation: Key policies in AWS KMS)
  • IAM roles and policies (AWS Documentation: Policies and permissions in IAM)

Skills in:

  • Designing resource policies to restrict access to authorized users (for example, S3 bucket policies, DynamoDB policies) (AWS Documentation: Examples of Amazon S3 bucket policies)
  • Designing mechanisms to prevent unauthorized public access (for example, S3 Block Public Access, prevention of public snapshots and public AMIs) (AWS Documentation: Blocking public access to your Amazon S3 storage)
  • Configuring services to activate encryption of data at rest (for example, Amazon S3, Amazon RDS, DynamoDB, Amazon Simple Queue Service [Amazon SQS], Amazon EBS, Amazon EFS) (AWS Documentation: Encryption at rest in Amazon SQS)
  • Designing mechanisms to protect data integrity by preventing modifications (for example, by using S3 Object Lock, KMS key policies, S3 Glacier Vault Lock, and AWS Backup Vault Lock) (AWS Documentation: Using S3 Object Lock)
  • Designing encryption at rest by using AWS CloudHSM for relationaldatabases (for example, Amazon RDS, RDS Custom, databases on EC2 instances)
  • Choosing encryption techniques based on business requirements (AWS Documentation: Creating an enterprise encryption strategy for data at rest)

Task Statement 5.3: Designing and implementing controls to manage the lifecycle of data at rest.

Knowledge of:

  • Lifecycle policies
  • Data retention standards

Skills in:

  • Designing S3 Lifecycle mechanisms to retain data for required retention periods (for example, S3 Object Lock, S3 Glacier Vault Lock, S3 Lifecycle policy) (AWS Documentation: Managing your storage lifecycle)
  • Designing automatic lifecycle management for AWS services and resources (for example, Amazon S3, EBS volume snapshots, RDS volume snapshots, AMIs, container images, CloudWatch log groups, Amazon Data Lifecycle Manager) (AWS Documentation: Amazon Data Lifecycle Manager)
  • Establishing schedules and retention for AWS Backup across AWS services (AWS Documentation: Creating a backup plan)

Task Statement 5.4: Designing and implementing controls to protect credentials, secrets, and cryptographic key materials.

Knowledge of:

Skills in:

  • Designing management and rotation of secrets for workloads (for example, database access credentials, API keys, IAM access keys, AWS KMS customer managed keys)
  • Designing KMS key policies to limit key usage to authorized users (AWS Documentation: Key policies in AWS KMS)
  • Establishing mechanisms to import and remove customer-provided key material (AWS Documentation: Importing key material for AWS KMS keys)

6. Understand about Management and Security Governance (14%)

Task Statement 6.1: Developing a strategy to centrally deploy and manage AWS accounts.

Knowledge of:

Skills in:

Task Statement 6.2: Implementing a secure and consistent deployment strategy for cloud resources.

Knowledge of:

  • Deployment best practices with infrastructure as code (IaC) (for example, AWS CloudFormation template hardening and drift detection) (AWS Documentation: AWS CloudFormation best practices)
  • Best practices for tagging (AWS Documentation: Best Practices for Tagging AWS Resources)
  • Centralized management, deployment, and versioning of AWS services
  • Visibility and control over AWS infrastructure

Skills in:

Task Statement 6.3: Evaluating the compliance of AWS resources.

Knowledge of:

Skills in:

Task Statement 6.4: Identifying security gaps through architectural reviews and cost analysis.

Knowledge of:

Skills in:

AWS Certified Security Specialty Exam FAQs

Check here for FAQs!

AWS SCS-C02 FAQS

AWS Certification Exam Policy

Amazon Web Services (AWS) has established a comprehensive set of certification policies to ensure a secure, equitable, and consistent testing experience for all candidates. These policies uphold the integrity and credibility of the AWS Certification Program and encompass important areas such as retake regulations, scoring procedures, and the inclusion of unscored questions for research and exam development purposes.

– Exam Retake Policy

Candidates who do not pass an AWS certification exam must wait a minimum of 14 days before attempting the same exam again. While there is no restriction on the number of retakes, each attempt requires the full payment of the exam fee. This policy is designed to promote thorough preparation and maintain the value and recognition of AWS certifications.

– Scoring and Results

To pass the exam, candidates are evaluated based on their overall performance, not individual sections. This means you do not need to pass each domain separately, but rather achieve a total scaled score of 750 or higher (on a scale of 100–1,000) to be considered successful. Some questions may be unscored and are included solely for statistical analysis and future exam improvements.

AWS Certified Security Specialty Exam Study Guide

AWS Certified Security – Specialty (SCS-C02)

Step 1: Understand the Exam Objectives Thoroughly

Begin your preparation by carefully reviewing the official AWS exam guide for the SCS-C02 certification. This guide outlines the key domains, knowledge areas, and skills that will be assessed in the exam. Pay special attention to the weightage of each domain—such as incident response, logging and monitoring, infrastructure security, identity and access management (IAM), and data protection. Understanding the structure and focus areas will help you prioritize your study plan and allocate time effectively across topics.

Step 2: Use Official AWS Training Resources

AWS offers a variety of official training materials tailored to help candidates prepare for certification exams. Explore free and paid training options directly from AWS Training and Certification. These resources are designed by AWS experts and align closely with the exam objectives. They provide foundational knowledge, real-world use cases, and best practices that reinforce key security concepts within AWS environments.

Step 3: Leverage AWS Skill Builder

AWS Skill Builder is a valuable learning platform that hosts curated learning plans, video tutorials, and exam-specific content. For the SCS-C02 exam, you can follow a dedicated learning plan for security professionals, which covers core concepts and advanced scenarios related to AWS security services. It also includes quizzes, knowledge checks, and learning assessments to measure your progress.

Step 4: Enroll in Digital Courses to Address Knowledge Gaps

As you move through your learning plan, identify any areas where your understanding is incomplete or where hands-on experience is lacking. AWS offers on-demand digital courses that target specific domains such as cryptography, secure network architecture, identity and access controls, and monitoring strategies. These courses allow you to focus on weak areas and build confidence before taking the exam.

Step 5: Gain Practical Experience with AWS Builder Labs, Cloud Quest, and AWS Jam

Theoretical knowledge alone is not enough for the SCS-C02 exam. You need hands-on experience to confidently solve scenario-based questions. Use AWS Builder Labs to get guided, real-world exercises in a sandbox environment. Additionally, explore AWS Cloud Quest, a gamified learning experience that strengthens your skills by solving security-related tasks in a virtual setting. For more advanced practice, participate in AWS Jam events, which provide team-based challenges that simulate real-world security incidents and threat mitigation.

Step 6: Join Study Groups and Engage with the Community

Preparing alone can be challenging, so consider joining study groups, forums, or local user communities focused on AWS certifications. Engaging with peers can expose you to different perspectives, clarify difficult topics, and keep you motivated. Platforms like Reddit, LinkedIn, Discord, and AWS re:Post host active discussions where you can ask questions, share insights, and access additional learning materials.

Step 7: Take Practice Exams and Assess Your Readiness

As your exam date approaches, begin taking full-length practice tests designed specifically for the AWS Certified Security – Specialty exam. These tests simulate the actual exam environment and help you evaluate your time management, comprehension, and decision-making skills. Review your performance critically to identify persistent weaknesses and revisit those topics. Practice tests also familiarize you with the question formats and help reduce anxiety on exam day.

AWS Certified Security – Specialty (SCS-C02)
keyboard_arrow_up