The AWS Certified Security - Specialty (SCS-C03) is AWS's deep cloud-security certification for people who secure production environments, not just design them. AWS is testing whether you can detect threats, respond to incidents, harden infrastructure, control identity, protect data, and enforce governance across real multi-account environments.
That role definition matters. SCS-C03 is not a generic IAM exam and it is not a pure compliance exam. The official blueprint expects 3-5 years of cloud security experience and explicitly emphasizes tradeoffs among security, cost, and deployment complexity. Strong answers usually combine prevention, visibility, and operational follow-through rather than selecting one control in isolation.
AWS also tightened the blueprint around modern security operations. The current outline includes organization-wide logging, Security Lake, delegated administration, software supply chain risks, generative AI application guardrails, and compliance automation. Study for a current AWS security-engineering role, not for the 2021-era version of the exam.
Exam At a Glance
| Attribute | Value |
|---|---|
| Certification | AWS Certified Security - Specialty |
| Exam code | SCS-C03 |
| Level | Specialty |
| Duration | 170 minutes |
| Question count | 65 total questions |
| Question types | Multiple choice, multiple response, ordering, and matching |
| Scored questions | 50 |
| Unscored questions | 15 |
| Cost | $300 USD |
| Passing score | 750 / 1000 |
| Recommended background | 3-5 years of experience securing cloud solutions |
| Target candidate | Security engineers, cloud security architects, incident responders, and governance-focused AWS practitioners |
- Official certification page: AWS Certified Security - Specialty
- Official exam guide: AWS Certified Security - Specialty exam guide
- Official exam prep plan: AWS Skill Builder exam prep resources
- Official in-scope services reference: SCS-C03 in-scope AWS services
Official Exam Domains
- Detection (16%)
- Incident Response (14%)
- Infrastructure Security (18%)
- Identity and Access Management (20%)
- Data Protection (18%)
- Security Foundations and Governance (14%)
The weighting explains how AWS thinks about cloud security. Detection, infrastructure, identity, and data protection carry most of the score, but governance and incident response are large enough that you cannot treat them as add-ons.
1. Detection
This domain covers organization-wide monitoring, logging, anomaly detection, and troubleshooting broken visibility pipelines.
- Design monitoring and alerting across accounts - Study aggregated findings, centralized dashboards, anomaly detection, and recurring assessment automation. Official docs: SCS-C03 Domain 1 objectives, What is Amazon GuardDuty?, What is AWS Security Hub?.
- Implement logging architectures that support investigation - The official outline explicitly includes organization trails, dedicated logging accounts, security data lakes, and correlation workflows. Official docs: Task 1.2: Design and implement logging solutions, What is Amazon Security Lake?, AWS CloudTrail User Guide.
- Choose the right log sources based on threat models - Know when VPC Flow Logs, transit gateway flow logs, Route 53 Resolver logs, application logs, and CloudFront logs are the deciding visibility layer. Official docs: Domain 1 task statements.
- Troubleshoot missing or misconfigured detection controls - AWS expects you to diagnose broken logging, missing permissions, bad agent setup, or gaps in alert routing. Official docs: Task 1.3: Troubleshoot security monitoring, logging, and alerting solutions.
- Detection is about usable signal - The strongest answer usually improves signal quality and investigation speed, not just log volume.
Exam tip: If the prompt starts with suspicious activity, do not jump straight to containment. First ask whether the real issue is missing detection coverage, poor log design, or broken correlation.
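To make the "usable signal" point concrete, here is an added example written for this guide (not code from AWS or the exam materials): a small Python detector that runs over a handful of constructed CloudTrail records, flags API calls that reduce visibility (stopping a trail, deleting a GuardDuty detector, stopping the Config recorder) and root console logins without MFA, and lists expected accounts that produced no events at all, because a silent account is usually a logging gap rather than a quiet one. The record layout follows CloudTrail's event format; the account IDs, names and addresses are made up.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records. The field layout follows CloudTrail's
# event record format; account IDs, names, IDs and addresses are made-up values.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "build-bot"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeleteDetector", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Admin/alice"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.25"},  # benign data-plane call, produces no finding
]

# API calls that reduce detection coverage. Pausing or deleting the trail,
# detector or recorder is rarely legitimate outside a change window.
VISIBILITY_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector", "DeleteMembers", "DisassociateMembers"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
}


def _actor(identity):
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def classify(event):
    """Return the findings (possibly none) for one CloudTrail record."""
    findings = []
    source, name = event.get("eventSource", ""), event.get("eventName")
    account = event.get("recipientAccountId")
    identity = event.get("userIdentity", {})
    if name in VISIBILITY_TAMPERING.get(source, ()):
        findings.append({"rule": "visibility-tampering", "severity": "high", "account": account,
                         "api": f"{source.split('.')[0]}:{name}", "actor": _actor(identity),
                         "source_ip": event.get("sourceIPAddress")})
    if (identity.get("type") == "Root" and name == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No"):
        findings.append({"rule": "root-console-login-without-mfa", "severity": "critical",
                         "account": account, "api": "signin:ConsoleLogin", "actor": "Root",
                         "source_ip": event.get("sourceIPAddress")})
    return findings


def triage(events):
    """Run every rule over every record and count findings per account."""
    findings = [f for e in events for f in classify(e)]
    return {"findings": findings, "by_account": dict(Counter(f["account"] for f in findings))}


def coverage_gaps(events, expected_accounts):
    """Accounts that should be sending logs but appear in no record at all."""
    seen = {e.get("recipientAccountId") for e in events}
    return sorted(set(expected_accounts) - seen)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
    print("silent accounts:",
          coverage_gaps(SAMPLE_EVENTS, ["111111111111", "222222222222", "333333333333"]))
```

The coverage check is the part that answers the exam tip: before treating account 333333333333 as clean, the rule reports that it sent nothing, which in a real organization trail points at a trail, permission or delivery problem rather than at an absence of activity.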
2. Incident Response
This domain measures whether you can prepare for incidents before they happen and respond with controlled, automatable playbooks when they do.
- Design and test incident response plans - Study runbooks, blast-radius control, preparedness, resilience testing, and how AWS services support repeatable response plans. Official docs: SCS-C03 Domain 2 objectives, What is AWS Systems Manager?.
- Automate containment and remediation - AWS explicitly calls out automated response using Systems Manager, Lambda, Step Functions, and other orchestration patterns. Official docs: Task 2.1: Design and test an incident response plan.
- Collect forensic evidence and correlate impact - Domain 2 includes storing relevant logs, validating findings, and tracing incident scope across applications and AWS services. Official docs: Task 2.2: Respond to security events, What is Amazon Detective?.
- Contain, eradicate, recover - Expect questions that separate early containment from full remediation and final recovery, especially when backups and network isolation are involved.
- Good IR answers reduce chaos - AWS usually rewards repeatable, testable response paths over heroics or manual improvisation.
Exam tip: For response questions, think in this order: prepare -> detect -> contain -> investigate -> recover -> improve. AWS often hides the right answer in that sequence.
3. Infrastructure Security
This domain is about edge controls, compute hardening, vulnerability management, and network segmentation for production systems.
- Secure the network edge - Study WAF, Shield Advanced, CloudFront headers, rate limits, geolocation rules, and edge integrations for L7 protection. Official docs: SCS-C03 Domain 3 objectives, AWS WAF Developer Guide.
- Harden compute platforms and images - The official tasks include hardened AMIs, container image security, vulnerability scanning, patching, and secure administrative access. Official docs: Task 3.2: Design, implement, and troubleshoot security controls for compute workloads, What is Amazon Inspector?.
- Design network segmentation and private connectivity - Know security groups, NACLs, Network Firewall, hybrid security boundaries, east-west and north-south controls, and reachability analysis. Official docs: Task 3.3: Design and troubleshoot network security controls, What is AWS Network Firewall?.
- Modern infra security includes software pipelines and GenAI - The blueprint now includes pipeline vulnerability discovery and guardrails for generative AI workloads, which is a strong signal of the current scope.
- Infrastructure security answers should be enforceable - Prefer answers that can be deployed, audited, and troubleshot consistently at scale.
Exam tip: In this domain, look for the control closest to the threat surface. AWS often distinguishes between edge filtering, network segmentation, and compute hardening.
4. Identity and Access Management
This domain tests authentication, authorization, temporary credentials, least privilege, and investigation of unintended access across humans and workloads.
- Authentication strategy for humans and systems - Study IAM Identity Center, Cognito, MFA, external IdPs, STS, and troubleshooting permission-set or federation issues. Official docs: SCS-C03 Domain 4 objectives, What is IAM?.
- Authorization strategy with least privilege - AWS explicitly calls out RBAC, ABAC, trust policies, resource policies, permission boundaries, session policies, and cross-account access models. Official docs: Task 4.2: Design, implement, and troubleshoot authorization strategies.
- Analyze and correct unintended permissions - You should know how to investigate auth failures and over-permissioned resources using IAM analysis tooling and policy reasoning. Official docs: Domain 4 task statements.
- Identity is multi-account by default - Strong SCS answers usually assume organizations, delegated admin, and cross-account boundaries instead of a single-account view. Official docs: What is AWS Organizations?.
- IAM questions are rarely only about syntax - The exam wants access strategy and failure analysis, not policy trivia.
Exam tip: When multiple IAM answers seem plausible, prefer the one that preserves temporary credentials, least privilege, and auditable cross-account access.
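To make the "access strategy, not policy trivia" point concrete, here is an added example written for this guide (not AWS code or material from the exam) that models how IAM combines an identity policy, a permissions boundary and an SCP for a same-account request: an explicit Deny in any layer wins, and otherwise every layer that is present must allow the request, so the effective permission is the intersection. It supports only the StringEquals and StringNotEquals operators and the `${aws:PrincipalTag/...}` variable used for ABAC, and it deliberately leaves out resource-based policies, session policies and cross-account evaluation. The policies, tags and ARNs are constructed.

```python
import fnmatch
import re

# Constructed policies. The identity policy grants S3 and PassRole on resources
# tagged with the caller's team (ABAC) and explicitly denies the audit bucket;
# the permissions boundary caps the entity at S3; the SCP pins allowed Regions.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "iam:PassRole"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::audit-logs/*"},
]}
PERMISSION_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    """Substitute ${key} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_ok(condition, ctx):
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key)  # a missing key fails StringEquals, passes StringNotEquals
            wanted = [_resolve(v, ctx) for v in _as_list(expected)]
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringNotEquals" and actual in wanted:
                return False
    return True


def _statement_matches(stmt, request):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # action names are case-insensitive
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(request["action"].lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(request["resource"], r) for r in resources)
            and _condition_ok(stmt.get("Condition"), request["context"]))


def _decision(policy, request):
    """'deny', 'allow' or 'implicit' for one policy document."""
    result = "implicit"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, request):
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def evaluate(request, identity_policy, permission_boundary=None, scp=None):
    """Explicit deny anywhere wins; otherwise every layer present must allow."""
    layers = {"identity": identity_policy, "boundary": permission_boundary, "scp": scp}
    decisions = {name: _decision(p, request) for name, p in layers.items() if p is not None}
    if "deny" in decisions.values():
        return "DENY", decisions
    if all(d == "allow" for d in decisions.values()):
        return "ALLOW", decisions
    return "DENY", decisions  # implicit deny from at least one layer


def request(action, resource, principal_team="payments", resource_team="payments", region="us-east-1"):
    """Build a request context with the constructed tag and Region keys."""
    return {"action": action, "resource": resource, "context": {
        "aws:PrincipalTag/team": principal_team, "aws:ResourceTag/team": resource_team,
        "aws:RequestedRegion": region}}


def decide(action, resource, **ctx):
    verdict, _ = evaluate(request(action, resource, **ctx), IDENTITY_POLICY, PERMISSION_BOUNDARY, SCP)
    return verdict


if __name__ == "__main__":
    for args in [("s3:GetObject", "arn:aws:s3:::payments-data/report.csv"),
                 ("iam:PassRole", "arn:aws:iam::111111111111:role/app-role"),
                 ("s3:GetObject", "arn:aws:s3:::audit-logs/2024/05/01.json")]:
        print(args[0], args[1], "->", evaluate(request(*args), IDENTITY_POLICY, PERMISSION_BOUNDARY, SCP))
```

The PassRole case is the one worth studying: the identity policy allows it, nothing denies it, and the request is still refused because the boundary never granted anything outside S3. That intersection behaviour, rather than the syntax of any single statement, is what the domain's troubleshooting questions usually turn on.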
5. Data Protection
This domain covers encryption in transit and at rest, secrets management, key material handling, data retention, and private access patterns.
- Protect data in transit - Study TLS policies, private connectivity, endpoint design, inter-node encryption, and secure service-to-service communications. Official docs: SCS-C03 Domain 5 objectives.
- Choose the right at-rest protection mechanism - The official tasks include KMS, CloudHSM, client-side versus server-side encryption, integrity controls, retention, and backup design. Official docs: Task 5.2: Design and implement controls for data at rest, AWS Key Management Service.
- Protect secrets, credentials, and certificates - Know secret rotation, imported key material, certificate management, data masking, and multi-Region key strategies. Official docs: Task 5.3: Design and implement controls to protect confidential data, credentials, secrets, and cryptographic key materials, AWS Secrets Manager.
- Data protection is also lifecycle management - SCS-C03 includes retention, immutability, replication, backup controls, and ransomware-aware protection patterns, not just encryption checkboxes.
- Protection answers should match sensitivity and access patterns - The right control depends on who needs access, from where, and under which compliance constraints.
Exam tip: If the question says confidential, regulated, secret, or key material, stop and separate data in transit, data at rest, and credential protection before comparing answers.
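An added example of the secret-rotation flow mentioned above (a local model written for this guide, not Secrets Manager's own code): it walks the four steps a Secrets Manager rotation function is invoked with, createSecret, setSecret, testSecret and finishSecret, against in-memory stand-ins for the secret and the database, and shows why the AWSCURRENT label only moves after the pending credential has been verified, so a rotation that fails part-way leaves clients on a working credential. The SecretStore and Database classes are assumptions made for the example; the staging labels AWSCURRENT, AWSPENDING and AWSPREVIOUS are the real ones.

```python
import secrets
import string

AWSCURRENT, AWSPENDING, AWSPREVIOUS = "AWSCURRENT", "AWSPENDING", "AWSPREVIOUS"


class SecretStore:
    """Stand-in for one secret: versions of the value plus staging labels (assumption)."""

    def __init__(self, initial_value):
        self.versions = {}  # version id -> secret value
        self.labels = {AWSCURRENT: self.add_version(initial_value)}

    def add_version(self, value):
        version_id = secrets.token_hex(8)
        self.versions[version_id] = value
        return version_id

    def get(self, label=AWSCURRENT):
        return self.versions[self.labels[label]]

    def version_for(self, label):
        return self.labels.get(label)


class Database:
    """Stand-in for the system that consumes the credential (assumption)."""

    def __init__(self, password, accept_changes=True):
        self.password = password
        self.accept_changes = accept_changes

    def set_password(self, new_password):
        if not self.accept_changes:
            raise RuntimeError("database rejected the password change")
        self.password = new_password

    def connect(self, password):
        return password == self.password


def generate_password(length=24):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_secret(store, db):
    """Step 1: stage a new value under AWSPENDING. Idempotent, so a retry reuses it."""
    if store.version_for(AWSPENDING) is None:
        store.labels[AWSPENDING] = store.add_version(generate_password())


def set_secret(store, db):
    """Step 2: push the pending value to the target system."""
    db.set_password(store.get(AWSPENDING))


def verify_secret(store, db):
    """Step 3 (testSecret): prove the pending value actually works before promoting it."""
    if not db.connect(store.get(AWSPENDING)):
        raise RuntimeError("pending credential does not authenticate")


def finish_secret(store, db):
    """Step 4: move AWSCURRENT to the verified version and keep the old one as AWSPREVIOUS."""
    old, new = store.labels[AWSCURRENT], store.labels[AWSPENDING]
    if old != new:
        store.labels[AWSPREVIOUS] = old
        store.labels[AWSCURRENT] = new
    del store.labels[AWSPENDING]


STEPS = {"createSecret": create_secret, "setSecret": set_secret,
         "testSecret": verify_secret, "finishSecret": finish_secret}


def rotation_handler(step, store, db):
    """Dispatch on the Step name the way a rotation function does."""
    STEPS[step](store, db)


def rotate(store, db):
    """Run all four steps in order; returns True when the current credential changed and works."""
    before = store.get(AWSCURRENT)
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_handler(step, store, db)
    return before != store.get(AWSCURRENT) and db.connect(store.get(AWSCURRENT))


if __name__ == "__main__":
    store, db = SecretStore("initial-password"), Database("initial-password")
    print("rotated:", rotate(store, db), "previous:", store.get(AWSPREVIOUS))
```

The failure path is the instructive one: if setSecret raises because the database refuses the change, nothing has touched AWSCURRENT, existing clients keep authenticating, and the staged AWSPENDING version is still there for the next attempt, which is exactly the property multi-step rotation is designed for.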
6. Security Foundations and Governance
This domain covers the organizational control plane: central account governance, secure deployment standards, and evidence-based compliance.
- Design multi-account security governance - Study AWS Organizations, delegated administration, Control Tower, SCPs, root credential management, and central service enablement. Official docs: SCS-C03 Domain 6 objectives, AWS Organizations, What is AWS Control Tower?.
- Enforce secure deployment consistency - The official tasks include IaC, StackSets, tagging, Firewall Manager, and central policy deployment across accounts. Official docs: Task 6.2: Implement a secure and consistent deployment strategy for cloud resources.
- Evaluate and prove compliance - AWS expects Config rules, remediation automation, Audit Manager, Artifact, and Well-Architected-style evaluation workflows. Official docs: Task 6.3: Evaluate the compliance of AWS resources, What is AWS Config?, What is AWS Audit Manager?.
- Governance answers should centralize control without blocking teams unnecessarily - AWS likes scalable guardrails more than one-off manual reviews.
- This domain ties the exam together - Many questions from other domains become easier when you think in terms of central policy, delegated admin, and compliance evidence.
Exam tip: If the problem involves many accounts, many teams, or audit evidence, it is often really a governance architecture question disguised as a service-selection question.
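An added example of producing compliance evidence (written for this guide, not AWS Config's code): three rule functions in the style of a custom Config rule, each returning COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE with an annotation, run over constructed configuration items from two accounts and rolled up per account and per rule. The configuration-item layout (tags, supplementaryConfiguration with PublicAccessBlockConfiguration and ServerSideEncryptionConfiguration) is what this example assumes Config reports; verify the exact field paths against your own items, and treat the key ARN and IDs as placeholders.

```python
from collections import defaultdict

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

# Constructed configuration items (simplified). Account IDs, names and the key ARN are made up.
CONFIG_ITEMS = [
    {"accountId": "111111111111", "resourceType": "AWS::S3::Bucket", "resourceId": "payments-data",
     "tags": {"team": "payments", "data-classification": "confidential"},
     "supplementaryConfiguration": {
         "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                            "blockPublicPolicy": True, "restrictPublicBuckets": True},
         "ServerSideEncryptionConfiguration": {"rules": [{"applyServerSideEncryptionByDefault": {
             "sseAlgorithm": "aws:kms",
             "kmsMasterKeyID": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"}}]}}},
    {"accountId": "222222222222", "resourceType": "AWS::S3::Bucket", "resourceId": "marketing-assets",
     "tags": {"team": "marketing"},
     "supplementaryConfiguration": {
         "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                            "blockPublicPolicy": False, "restrictPublicBuckets": False},
         "ServerSideEncryptionConfiguration": {"rules": [{"applyServerSideEncryptionByDefault": {
             "sseAlgorithm": "AES256"}}]}}},
    {"accountId": "222222222222", "resourceType": "AWS::EC2::Volume",
     "resourceId": "vol-0abc123def456789a", "tags": {}},
]


def rule_required_tags(item, required=("team", "data-classification")):
    """Applies to every resource type: the tags governance and cost allocation depend on."""
    missing = [t for t in required if t not in (item.get("tags") or {})]
    if missing:
        return NON_COMPLIANT, f"missing tags: {', '.join(missing)}"
    return COMPLIANT, "all required tags present"


def rule_s3_public_access_block(item):
    """All four public access block flags must be on."""
    if item["resourceType"] != "AWS::S3::Bucket":
        return NOT_APPLICABLE, ""
    pab = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration") or {}
    flags = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")
    off = [f for f in flags if not pab.get(f)]
    if off:
        return NON_COMPLIANT, f"public access block flags disabled: {', '.join(off)}"
    return COMPLIANT, "all four public access block flags enabled"


def rule_s3_kms_default_encryption(item):
    """Default encryption must use a KMS key, not only SSE-S3."""
    if item["resourceType"] != "AWS::S3::Bucket":
        return NOT_APPLICABLE, ""
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration") or {}
    algorithms = [r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
                  for r in sse.get("rules", [])]
    if "aws:kms" in algorithms:
        return COMPLIANT, "default encryption uses a KMS key"
    return NON_COMPLIANT, f"default encryption is {algorithms or 'not configured'}; expected aws:kms"


RULES = {"required-tags": rule_required_tags,
         "s3-public-access-blocked": rule_s3_public_access_block,
         "s3-kms-default-encryption": rule_s3_kms_default_encryption}


def evaluate_items(items, rules=RULES):
    """One evaluation per (resource, rule), using the field names a custom rule reports
    back through PutEvaluations; NOT_APPLICABLE results are dropped."""
    evaluations = []
    for item in items:
        for rule_name, fn in rules.items():
            compliance, annotation = fn(item)
            if compliance == NOT_APPLICABLE:
                continue
            evaluations.append({"accountId": item["accountId"], "rule": rule_name,
                                "ComplianceResourceType": item["resourceType"],
                                "ComplianceResourceId": item["resourceId"],
                                "ComplianceType": compliance, "Annotation": annotation})
    return evaluations


def summarize(evaluations):
    """Non-compliant counts per account and per rule: the roll-up an auditor asks for."""
    by_account, by_rule = defaultdict(int), defaultdict(int)
    for ev in evaluations:
        if ev["ComplianceType"] == NON_COMPLIANT:
            by_account[ev["accountId"]] += 1
            by_rule[ev["rule"]] += 1
    return {"by_account": dict(by_account), "by_rule": dict(by_rule)}


if __name__ == "__main__":
    results = evaluate_items(CONFIG_ITEMS)
    for ev in results:
        print(ev["accountId"], ev["ComplianceResourceId"], ev["rule"], ev["ComplianceType"], ev["Annotation"])
    print(summarize(results))
```

The per-rule roll-up is what turns findings into governance: a rule that is non-compliant in many accounts is a candidate for an organization-wide guardrail (an SCP, a StackSet-deployed baseline or a remediation action), whereas a single outlier is a ticket for one team.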
Recommended 6-Week Study Plan
| Week | Focus | Primary resources |
|---|---|---|
| 1 | Exam guide, detection architecture, org logging, Security Hub and GuardDuty | Exam guide, Domain 1 page, Security Hub, GuardDuty, Security Lake, CloudTrail |
| 2 | Incident response planning, containment, forensics, remediation automation | Domain 2 page, Systems Manager, Detective |
| 3 | Edge security, compute hardening, segmentation, vulnerability management | Domain 3 page, WAF, Network Firewall, Inspector |
| 4 | Authentication, authorization, least privilege, multi-account access | Domain 4 page, IAM, Organizations |
| 5 | Data protection, keys, secrets, certificate management, private access | Domain 5 page, KMS, Secrets Manager |
| 6 | Governance, secure deployment standards, compliance evidence, mixed practice | Domain 6 page, Organizations, Control Tower, Config, Audit Manager, practice questions |
Last-Mile Exam Strategy
- Read each question as a security-operations scenario first. AWS usually wants prevention plus visibility plus response, not a single isolated control.
- Memorize the common service groupings the exam tests together: GuardDuty + Security Hub + Security Lake, WAF + Shield + CloudFront, Organizations + Control Tower + delegated admin, and KMS + secrets + certificates.
- Use the official domain task pages as your scope boundary because SCS-C03 is very objective-driven.
- Prefer answers that scale across accounts, improve evidence collection, and preserve automation over point fixes inside one workload.
- Do not treat governance as secondary. Multi-account control and compliance automation are central to the current version of the exam.
If you want exam-style reinforcement after the official docs, use our AWS Security Specialty practice questions. If your role also owns complex network perimeter design, pair this with our AWS Advanced Networking Specialty study guide. If you want a broader market comparison, see our cloud security certifications comparison.
The fastest path to passing SCS-C03 is to think like the person responsible for keeping AWS environments provably secure over time: detect early, contain quickly, harden repeatably, control access precisely, protect data deliberately, and govern everything centrally. That is exactly what the official blueprint rewards.