AWS Certified Security – Specialty (SCS-C03) Exam Learning Path

I recently re-certified the updated AWS Certified Security – Specialty (SCS-C03) certification exam. The format has been restructured with reorganized domains, new question types (ordering and matching), and expanded coverage for Generative AI security, identity management, and modern governance controls.

AWS Certified Security – Specialty (SCS-C03) Exam Content

• AWS Certified Security – Specialty (SCS-C03) exam focuses on the AWS Security and Compliance concepts. It basically validates
  • An understanding of specialized data classifications and AWS data protection mechanisms.
  • An understanding of data-encryption methods and AWS mechanisms to implement them.
  • An understanding of secure Internet protocols and AWS mechanisms to implement them.
  • The ability to make tradeoff decisions with regard to cost, security, and deployment complexity to meet a set of application requirements.
  • An understanding of security operations and risks

Refer to AWS Certified Security – Specialty (SCS-C03) Exam Guide

AWS Certified Security – Specialty (SCS-C03) Exam Domains

Domain	SCS-C03 Weight	Change from SCS-C02
Domain 1: Detection	16%	Restructured
Domain 2: Incident Response	14%	Restructured
Domain 3: Infrastructure Security	18%	⬇︎ 2%
Domain 4: Identity and Access Management	20%	⬆︎ 4%
Domain 5: Data Protection	18%	—
Domain 6: Security Foundations and Governance	14%	Renamed

Key domain changes from SCS-C02 to SCS-C03:

• SCS-C02’s “Threat Detection and Incident Response” (14%) and “Security Logging and Monitoring” (18%) have been restructured into:
  • Domain 1: Detection (16%) — Monitoring, logging, alerting, log analysis
  • Domain 2: Incident Response (14%) — Response plans, forensics, automated remediation
• Identity and Access Management is now the heaviest domain at 20% (up from 16%), reflecting that identity is the new security perimeter
• Domain 6 renamed from “Management and Security Governance” to “Security Foundations and Governance” with expanded governance coverage

AWS Certified Security – Specialty (SCS-C03) Exam Summary

• Specialty exams are tough, lengthy, and tiresome. Most of the questions and answers options have a lot of prose and a lot of reading that needs to be done, so be sure you are prepared and manage your time well.
• SCS-C03 exam has 65 questions to be solved in 170 minutes which gives you roughly 2 1/2 minutes to attempt each question.
• SCS-C03 exam includes four types of questions: multiple-choice, multiple-response, ordering questions (arrange steps in correct sequence), and matching questions (match services to functions).
  • Ordering questions ask you to select 3-5 responses and arrange them in the correct sequence (e.g., incident response steps in order).
  • Matching questions present 3-7 prompts to match with corresponding responses (e.g., match security services to their primary function).
• SCS-C03 has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 750.
• Specialty exams currently cost $300 + tax.
• You can get an additional 30 minutes if English is your second language by requesting Exam Accommodations. It might not be needed for Associate exams but is helpful for Professional and Specialty ones.
• As always, mark the questions for review, move on, and come back to them after you are done with all.
• As always, having a rough architecture or mental picture of the setup helps focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach the right answer or at least have a 50% chance of getting it right.
• AWS exams can be taken either remotely or online, I prefer to take them online as it provides a lot of flexibility. Just make sure you have a proper place to take the exam with no disturbance and nothing around you.
• Also, if you are taking the AWS Online exam for the first time try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.
• New question formats mean pure memorization is less effective. You need to understand how services relate to each other and what order operations happen in, not just what each service does in isolation.

AWS Certified Security – Specialty (SCS-C03) Exam Resources

Online Courses

• Stephane Maarek – Ultimate AWS Certified Security Specialty [SCS-C03] (Updated Jan 2026 for SCS-C03)
• Adrian Cantrill – AWS Certified Security – Specialty
• Whizlabs – AWS Certified Security Specialty (SCS-C03) Course
• DolfinEd – AWS Certified Security Specialty

Practice Tests

• Braincert AWS Certified Security – Specialty Practice Exams
• Stephane Maarek – AWS Certified Security – Specialty Practice Exams
• Whizlabs – AWS Certified Security Specialty (SCS-C03) Practice Tests
• Tutorials Dojo – AWS Certified Security Specialty SCS-C03 Practice Exams

AWS Certified Security – Specialty (SCS-C03) Study Strategy

• Weight your study time by domain percentage:
  • IAM (20%) + Data Protection (18%) + Infrastructure Security (18%) = 56% of your score. Master these three domains first.
  • Detection (16%) + Incident Response (14%) + Governance (14%) fill the remaining 44%.
• Master IAM and KMS before anything else — these two services appear across every domain.
• Build hands-on experience with IAM policies, KMS key policies, GuardDuty, Security Hub, CloudTrail, and Amazon Bedrock guardrails.
• Aim for 80-85% consistently on practice exams before scheduling your real exam.
• Typical preparation takes 8-16 weeks at 1-2 hours per day.

AWS Certified Security – Specialty (SCS-C03) Exam Topics

• AWS Certified Security – Specialty (SCS-C03) exam focuses a lot on Security and compliance concepts involving Data Encryption at rest or in transit, Data protection, Auditing, Compliance and regulatory requirements, automated remediation, and Generative AI security.

Security, Identity & Compliance

• Identity and Access Management (IAM)
  • IAM Roles to grant the service, users temporary access to AWS services.
    • IAM Role can be used to give cross-account access and usually involves creating a role within the trusting account with a trust and permission policy and granting the user in the trusted account permissions to assume the trusting account role.
  • Identity Providers & Federation to grant external user identity (SAML or Open ID compatible IdPs) permissions to AWS resources without having to be created within the AWS account.
  • IAM Policies help define who has access & what actions can they perform.
  • IAM Access Analyzer
    • identifies resources shared with external entities (external access findings).
    • identifies unused IAM roles, unused access keys, unused console passwords, and unused service/action-level permissions (unused access findings).
    • supports custom policy checks to proactively detect nonconformant updates to policies that grant public access or critical resource access ahead of deployments.
    • generates fine-grained policies based on access activity (policy generation).
  • IAM Identity Center (formerly AWS SSO)
    • provides centralized workforce identity management for multi-account access.
    • supports SAML 2.0, SCIM provisioning, and built-in identity store.
• Deep dive into Key Management Service (KMS). There would be quite a few questions on this.
  • is a managed encryption service that allows the creation and control of encryption keys to enable data encryption.
  • uses Envelope Encryption which uses a master key to encrypt the data key, which is then used to encrypt the data.
  • Understand how KMS works
  • Understand IAM Policies, Key Policies, Grants to grant access.
    • Key policies are the primary way to control access to KMS keys. Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key.
  • are regional, however, supports multi-region keys, which are KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions.
  • KMS Multi-region keys
    • are AWS KMS keys in different AWS Regions that can be used interchangeably – as though having the same key in multiple Regions.
    • are not global and each multi-region key needs to be replicated and managed independently.
  • Understand the difference between CMK with generated and imported key material esp. in rotating keys. SCS-C03 specifically tests the differences between imported key material and AWS-generated key material.
  • KMS usage with VPC Endpoint which ensures the communication between the VPC and KMS is conducted entirely within the AWS network.
  • KMS ViaService condition
  • KMS External Key Store (XKS) — allows using cryptographic keys stored outside of AWS in an external key manager.
• Cloud HSM
  • is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud
• AWS Certificate Manager (ACM)
  • helps provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services
  • to use an ACM Certificate with CloudFront, the certificate must be imported into the US East (N. Virginia) region.
  • is regional and you need to request certificates in all regions and associate individually in all regions.
  • does not support EC2 instances and private keys cannot be exported.
  • AWS Private Certificate Authority (Private CA) — for creating private certificates for internal resources; SCS-C03 tests managing certificates across single and multiple Regions.
• AWS Secrets Manager
  • protects secrets needed to access applications, services, etc.
  • enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle
  • supports automatic rotation of credentials for RDS, DocumentDB, etc.
• Secrets Manager vs. Systems Manager Parameter Store
  • Secrets Manager supports automatic rotation while SSM Parameter Store does not
  • Parameter Store is cost-effective as compared to Secrets Manager.
• AWS GuardDuty
  • is a threat detection service that continuously monitors the AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
  • supports CloudTrail S3 data events and management event logs, DNS logs, EKS audit logs, and VPC flow logs.
  • Runtime Monitoring — provides runtime threat detection for EKS, ECS (Fargate), and EC2 instances using a security agent for visibility into file access, process execution, and network connections.
  • Extended Threat Detection — uses correlation algorithms to identify multi-stage attack sequences across EC2, ECS, and EKS clusters.
  • Malware Protection — scans EBS volumes for malware when suspicious behavior is detected.
• AWS Inspector
  • is an automated vulnerability management service that continually scans workloads for software vulnerabilities and unintended network exposure.
  • supports EC2 instances, container images in ECR, and Lambda functions.
• Amazon Macie
  • is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in S3.
• Amazon Detective
  • analyzes and visualizes security data to help investigate potential security issues.
  • automatically creates a behavior graph from CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs.
  • helps determine the root cause and scope of security findings.
• Amazon Security Lake
  • automatically centralizes security data from AWS, SaaS providers, on-premises, and cloud sources into a purpose-built data lake.
  • normalizes data to Open Cybersecurity Schema Framework (OCSF) format for interoperable security analytics.
  • SCS-C03 expects understanding of ingesting data in OCSF format and integrating with third-party services.
• AWS Security Incident Response
  • helps prepare for, respond to, and recover from security events (account takeovers, data breaches, ransomware).
  • provides automated security finding monitoring and triage, AI-powered investigation, and containment capabilities.
  • integrates with GuardDuty and Security Hub findings.
  • provides 24/7 access to the AWS Customer Incident Response Team (CIRT).
• AWS Artifact is a central resource for compliance-related information that provides on-demand access to AWS’ security and compliance reports and select online agreements
• AWS Shield & Shield Advanced
  • for DDoS protection and integrates with Route 53, CloudFront, ALB, and Global Accelerator.
• AWS WAF
  • protects from common attack techniques like SQL injection and XSS, Conditions based include IP addresses, HTTP headers, HTTP body, and URI strings.
  • integrates with CloudFront, ALB, API Gateway, App Runner, and Cognito.
  • supports Web ACLs and can block traffic based on IPs, Rate limits, and specific countries as well
  • allows IP match set rules to allow/deny specific IP addresses and rate-based rules to limit the number of requests.
  • logs can be sent to the CloudWatch Logs log group, an S3 bucket, or Kinesis Data Firehose.
  • SCS-C03 tests configuring integrations with third-party WAF rules.
• AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
• AWS Network Firewall is a stateful, fully managed, network firewall and intrusion detection and prevention service (IDS/IPS) for VPCs.
• AWS Resource Access Manager helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types.
• AWS Signer is a fully managed code-signing service to ensure the trust and integrity of your code.
• AWS Audit Manager to map your compliance requirements to AWS usage data with prebuilt and custom frameworks and automated evidence collection.
• AWS Cognito esp. User Pools
• Firewall Manager helps centrally configure and manage firewall rules across the accounts and applications in AWS Organizations which includes a variety of protections, including WAF, Shield Advanced, VPC security groups, Network Firewall, and Route 53 Resolver DNS Firewall.
• Amazon Verified Permissions
  • provides fine-grained authorization using the Cedar policy language.
  • supports both role-based access control (RBAC) and attribute-based access control (ABAC) models.
  • integrates with Cognito for authentication and API Gateway for authorization decisions.
• AWS Verified Access
  • provides zero-trust network access to corporate applications without requiring a VPN.
  • evaluates each application request in real time against security policies.

Generative AI Security (New in SCS-C03)

• Amazon Bedrock
  • Foundation model security — understand access controls, guardrails, and content filtering.
  • IAM controls for who can invoke which models and what resource-based policies govern access.
  • CloudTrail logging of Bedrock API calls.
  • Bedrock Guardrails — content filters, denied topics, word filters, sensitive information filters, and contextual grounding checks.
• Amazon SageMaker AI
  • Network isolation for training jobs and endpoints.
  • IAM roles for training jobs and endpoint invocation.
  • Inter-node encryption for distributed training (specifically tested in SCS-C03).
  • Encryption at rest for notebooks, training artifacts, and model artifacts.
• Amazon Q Business — permission scoping and data source access controls.
• Amazon Q Developer — security scanning in development workflows.
• Amazon CodeGuru Security — code security scanning within CI/CD pipelines.
• GenAI OWASP Top 10 for LLM Applications — SCS-C03 expects understanding of protections against prompt injection, data poisoning, model denial of service, and other LLM-specific threats.

Networking & Content Delivery

• Virtual Private Connect – VPC
  • Security Groups, NACLs
    • NACLs are stateless, Security groups are stateful
    • NACLs at the subnet level, Security groups at the instance level
    • NACLs need to open ephemeral ports for response traffic.
  • VPC Gateway Endpoints to provide access to S3 and DynamoDB
  • VPC Interface Endpoints or PrivateLink provide access to a variety of services like SQS, Kinesis, or Private APIs exposed through NLB.
  • VPC Peering
    • to enable communication between VPCs within the same or different regions.
    • Route tables need to be configured on either VPC for them to be able to communicate.
    • does not allow cross-region security group reference.
  • VPC Flow Logs help capture information about the IP traffic going to and from network interfaces in the VPC
  • NAT Gateway provides managed NAT service that provides better availability, higher bandwidth and requires less administrative effort.
• Virtual Private Network – VPN & Direct Connect to establish connectivity a secured, low latency access between an on-premises data center and VPC.
  • IPSec VPN over Direct Connect to provide secure connectivity.
• CloudFront
  • integrates with S3 to improve latency and performance.
  • provides multiple security features
  • supports encryption at rest and end-to-end encryption
    • Viewer Protocol Policy and Origin Protocol Policy to enforce HTTPS – can be configured to require that viewers use HTTPS to request the files so that connections are encrypted when CloudFront communicates with viewers.
    • Integrates with ACM and requires certs to be in the us-east-1 region
    • Underlying origin can be applied certs from ACM or issued by a third party.
  • CloudFront Origin Shield
    • helps improve the cache hit ratio and reduce the load on the origin.
    • requests from other regional caches would hit the Origin shield rather than the Origin.
    • should be placed in the regional cache and not in the edge cache
    • should be deployed to the region closer to the origin server
  • CloudFront provides Encryption at Rest
    • uses SSDs which are encrypted for edge location points of presence (POPs), and encrypted EBS volumes for Regional Edge Caches (RECs).
    • Function code and configuration are always stored in an encrypted format on the encrypted SSDs on the edge location POPs, and in other storage locations used by CloudFront.
  • Restricting access to content
    • Configure HTTPS connections
    • Use signed URLs or cookies to restrict access for selected users
    • Restrict access to content in S3 buckets using Origin Access Control (OAC) — the recommended replacement for the legacy Origin Access Identity (OAI), to prevent users from using the direct URL of the file.
    • Restrict direct to load balancer using custom headers, to prevent users from using the direct load balancer URLs.
    • Set up field-level encryption for specific content fields
    • Use AWS WAF web ACLs to create a web access control list (web ACL) to restrict access to your content.
    • Use Geo-restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content served through a CloudFront distribution.
• Route 53
  • is a highly available and scalable DNS web service.
  • Resolver Query logging
    • logs the queries that originate in specified VPCs, on-premises resources that use inbound resolver or ones using outbound resolver as well as the responses to those DNS queries.
    • can be logged to CloudWatch logs, S3, and Kinesis Data Firehose
  • Route 53 DNSSEC secures DNS traffic, and helps protect a domain from DNS spoofing man-in-the-middle attacks.
• Elastic Load Balancer
  • End to End encryption
    • can be done NLB with TCP listener as pass through and terminating SSL on the EC2 instances
    • can be done with ALB with SSL termination and using HTTPS between ALB and EC2 instances
• Gateway Load Balancer – GWLB
  • helps deploy, scale, and manage virtual appliances, such as firewalls, IDS/IPS systems, and deep packet inspection systems.

Management & Governance Tools

• CloudWatch
  • CloudWatch logs
  • CloudWatch Subscription Filters and their integration with other services.
  • EventBridge (formerly CloudWatch Events) for real-time alerts and automated response workflows.
  • CloudWatch Logs data protection policies — for masking sensitive data in log groups (tested in SCS-C03).
• CloudTrail for audit and governance
  • CloudTrail can be enabled for all regions at one go and supports log file integrity validation
  • With Organizations, the trail can be configured to log CloudTrail from all accounts to a central account.
  • CloudTrail Lake — enables advanced SQL-based querying of CloudTrail events for security investigations.
• AWS Config
  • AWS Config rules can be used to alert for any changes and Config can be used to check the history of changes. AWS Config can also help check approved AMIs compliance
  • allows you to remediate noncompliant resources using AWS Systems Manager Automation documents.
  • AWS Config -> EventBridge -> Lambda/SNS
• CloudTrail vs Config
  • CloudTrail provides the WHO and Config provides the WHAT.
• Systems Manager
  • Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management. Does not support secrets rotation. Use Secrets Manager instead
  • Systems Manager Patch Manager helps select and deploy the operating system and software patches automatically across large groups of EC2 or on-premises instances
  • Systems Manager Run Command provides safe, secure remote management of your instances at scale without logging into the servers, replacing the need for bastion hosts, SSH, or remote PowerShell
  • Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
• AWS Organizations
  • is an account management service that enables consolidating multiple AWS accounts into an organization that can be managed centrally.
  • can configure Organization Trail to centrally log all CloudTrail logs.
  • Service Control Policies (SCPs)
    • acts as guardrails and specifies the services and actions that users and roles can use in the accounts that the SCP affects.
    • are similar to IAM permission policies except that they don’t grant any permissions.
  • Resource Control Policies (RCPs) — New in 2024
    • offer central control over the maximum available permissions for resources in your organization.
    • complement SCPs: while SCPs control what principals can do, RCPs control what can be done to resources.
    • help enforce consistent access controls and restrict external access to resources across multiple accounts.
    • do not affect resources in the management account — only member accounts.
  • Declarative Policies — New in 2024
    • newer organizational policy types that complement SCPs and RCPs.
    • define desired-state configurations that are automatically enforced.
  • AI Service Opt-Out Policies — control whether AWS AI services can use your content for service improvement.
• AWS Trusted Advisor
  • inspects the AWS environment to make recommendations for system performance, saving money, availability, and closing security gaps
• CloudFormation
  • Deletion Policy to prevent, retain, or backup RDS, EBS Volumes
  • Stack policy can prevent stack resources from being unintentionally updated or deleted during a stack update. Stack Policy only applies for Stack updates and not stack deletion.
  • CloudFormation Guard provides an open-source, general-purpose, policy-as-code evaluation tool.
• Control Tower
  • to setup, govern, and secure a multi-account environment
  • strongly recommended guardrails cover EBS encryption

Storage & Databases

• Simple Storage Service – S3
  • Understand S3 Security in detail
  • S3 Encryption supports both data at rest and data in transit encryption.
    • Data in transit encryption can be provided by enabling communication via SSL or using client-side encryption
    • Data at rest encryption can be provided using Server Side or Client Side encryption
    • Enforce S3 Encryption at Rest using default encryption of bucket policies
    • Enforce S3 encryption in transit using secureTransport in the S3 bucket policy
  • S3 permissions can be handled using
    • IAM User Policies
    • Resource-based policies which include Bucket policies, Bucket ACL, and Object ACL
    • S3 Access Points
  • S3 Object Lock helps to store objects using a WORM model and can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
  • S3 Block Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future.
  • S3 Access Points simplify data access for any AWS service or customer application that stores data in S3.
  • S3 Versioning with MFA Delete can be enabled on a bucket to ensure that data in the bucket cannot be accidentally overwritten or deleted.
  • S3 Access Analyzer monitors the access policies, ensuring that the policies provide only the intended access to your S3 resources.
• Glacier Vault Lock helps deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy.
• EBS Encryption
• Relational Database Services – RDS
  • is a web service that makes it easier to set up, operate, and scale a relational database in the cloud.
  • supports the same encryption at rest methods as EBS
  • does not support enabling encryption after creation. Need to create a snapshot, copy the snapshot to an encrypted snapshot, and restore it as an encrypted DB.

Compute

• EC2 access using an IAM Role, Lambda using the Execution role & ECS using the Task role.
• EC2 Instance Metadata Service version 2 (IMDSv2) and enforcement of the same.
  • IMDSv2 uses session-oriented requests with a token to mitigate SSRF attacks.
  • Can enforce IMDSv2-only at launch or for running instances.
• Inter-resource encryption in-transit — SCS-C03 specifically tests inter-node encryption for Amazon EMR, EKS, SageMaker AI, and Nitro encryption.

Data Protection (New Additions for SCS-C03)

• Data masking — CloudWatch Logs data protection policies and Amazon SNS message data protection for masking sensitive data.
• Inter-resource encryption in-transit — understanding how different services implement encryption between nodes/components.
• Certificate management across Regions — creating and managing encryption keys and certificates across single or multiple AWS Regions using KMS and Private CA.

Integration Tools

• Know how CloudWatch integration with SNS and Lambda can help in notification and automated remediation
• EventBridge for event-driven security automation (GuardDuty → EventBridge → Lambda/Step Functions)

Whitepapers and Articles

• AWS Certification – Security Services – Cheat Sheet
• AWS Certification – Identity Services – Cheat Sheet
• AWS Security Incident Response Guide
• AWS DDoS Resiliency Best Practices
• Well-Architected – Security Pillar
• AWS Security Best Practices

On the Exam Day

• Make sure you are relaxed and get some good night’s sleep. The exam is not tough if you are well-prepared.
• If you are taking the AWS Online exam
  • Try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.
  • The online verification process does take some time and usually, there are glitches.
  • Remember, you would not be allowed to take the exam if you are late by more than 30 minutes.
  • Make sure you have your desk clear, no hand-watches, or external monitors, keep your phones away, and nobody can enter the room.

Finally, All the Best 🙂