AWS Security Specialty (SCS-C03) Exam Learning Path

AWS Certified Security – Specialty (SCS-C03) Exam Learning Path

The AWS Certified Security – Specialty (SCS-C03) exam validates advanced security skills for designing and implementing AWS security solutions. This updated version went live on December 2, 2025, replacing the SCS-C02. This comprehensive learning path covers everything you need to pass the exam — domains, study resources, an 8-week study plan, exam topics with links, and practice questions.

SCS-C03 Exam Overview

Exam Code: SCS-C03
Format: 65 questions (multiple-choice, multiple-response, ordering, matching)
Duration: 170 minutes
Passing Score: 750 / 1000
Cost: $300 USD
Delivery: Pearson VUE (testing center or online)
Prerequisite: None required (5+ years security experience recommended)
Live Since: December 2, 2025

Refer to the AWS Certified Security – Specialty (SCS-C03) Exam Guide

SCS-C03 Exam Domains

  • Domain 1: Detection (16%) — GuardDuty, Security Hub, Detective, CloudTrail, VPC Flow Logs, Security Lake (OCSF)
  • Domain 2: Incident Response (14%) — Automated remediation, forensics, containment, AWS Security Incident Response
  • Domain 3: Infrastructure Security (18%) — VPC, Network Firewall, WAF, Verified Access, Firewall Manager, Shield
  • Domain 4: Identity and Access Management (20%) — IAM policies, Verified Permissions/Cedar, Identity Center, SCPs, RCPs, Cognito
  • Domain 5: Data Protection (18%) — KMS, CloudHSM, ACM, inter-node encryption, data masking, Bedrock Guardrails
  • Domain 6: Security Foundations & Governance (14%) — Organizations, Control Tower, Config, compliance frameworks, AWS Audit Manager

What’s New in SCS-C03 vs SCS-C02

Key Changes in SCS-C03

  • Generative AI Security — Amazon Bedrock Guardrails, OWASP LLM Top 10 protections, AgentCore security, and SageMaker AI model protection are now in scope.
  • OCSF & Security Lake — Open Cybersecurity Schema Framework (OCSF) normalization and Amazon Security Lake for centralized security data analytics.
  • IAM Weight Increased — Domain 4 (IAM) increased from 16% to 20%, reflecting identity as the new security perimeter.
  • SNS/CloudWatch Data Protection — Data masking policies for CloudWatch Logs and Amazon SNS message data protection.
  • Inter-node Encryption — Encryption in-transit between nodes for Amazon EMR, EKS, SageMaker AI, and Nitro enclaves.
  • AWS Verified Access — Zero-trust network access without VPNs now explicitly tested.
  • Amazon Verified Permissions & Cedar — Fine-grained authorization using Cedar policy language with RBAC and ABAC models.
  • Domain Restructuring — Detection and Incident Response are now separate domains; “Management and Security Governance” renamed to “Security Foundations & Governance.”
  • New Question Types — Ordering (arrange steps in sequence) and matching (match services to functions) alongside traditional multiple-choice.

Recommended Study Resources

Online Courses

Practice Tests

AWS Official Resources

Whitepapers & Cheat Sheets

8-Week Study Plan

This plan assumes 1.5–2 hours of study per day. Adjust timelines based on your existing AWS security experience.

Week 1: IAM Foundations (Domain 4)
  • IAM policies (identity-based, resource-based, permission boundaries)
  • IAM Access Analyzer, policy evaluation logic
  • SCPs, RCPs, and Declarative Policies
  • Hands-on: Write and test IAM policies with conditions
Week 2: Advanced IAM & Identity (Domain 4)
  • IAM Identity Center (SSO), federation (SAML, OIDC)
  • Amazon Verified Permissions & Cedar policy language
  • Cognito User Pools & Identity Pools
  • Cross-account access patterns, role chaining
  • Hands-on: Configure Verified Permissions with Cognito
Week 3: Data Protection (Domain 5)
  • KMS (key policies, grants, multi-region keys, imported key material, XKS)
  • Envelope encryption, S3 encryption options
  • CloudHSM, ACM, Private CA
  • Inter-node encryption (EMR, EKS, SageMaker, Nitro)
  • Data masking: CloudWatch Logs data protection, SNS message data protection
  • Hands-on: Create KMS keys with custom policies, enable S3 default encryption
Week 4: Infrastructure Security (Domain 3)
  • VPC security: Security Groups, NACLs, VPC endpoints, Flow Logs
  • AWS Network Firewall (stateful/stateless rules, IDS/IPS)
  • AWS WAF (Web ACLs, rate-based rules, managed rule groups)
  • AWS Verified Access (zero-trust without VPN)
  • Firewall Manager for centralized management
  • Shield & Shield Advanced, DDoS mitigation
  • Hands-on: Deploy Network Firewall with custom rules
Week 5: Detection (Domain 1)
  • GuardDuty (runtime monitoring, extended threat detection, malware protection)
  • Amazon Detective (behavior graphs, investigation)
  • Amazon Security Lake & OCSF format
  • Security Hub (controls, standards, cross-region aggregation)
  • CloudTrail (Lake, Insights, organization trails)
  • CloudWatch alarms, metric filters, anomaly detection
  • Hands-on: Enable GuardDuty with EKS runtime monitoring, query Security Lake
Week 6: Incident Response & GenAI Security (Domains 2 & 5)
  • AWS Security Incident Response service
  • Automated remediation (EventBridge → Lambda/Step Functions)
  • Forensics: EBS snapshots, memory dumps, isolated VPCs
  • Amazon Bedrock Guardrails (content filters, denied topics, PII detection)
  • OWASP LLM Top 10 (prompt injection, data poisoning, model DoS)
  • AgentCore security controls
  • Hands-on: Build automated remediation for GuardDuty findings
Week 7: Governance & Review (Domain 6)
  • AWS Organizations, Control Tower, landing zones
  • AWS Config rules and remediation
  • AWS Audit Manager, Artifact
  • Well-Architected Security Pillar review
  • Multi-account security strategies
  • Review all domains — focus on weak areas identified in practice tests
  • Take first full-length practice exam (target: 70%+)
Week 8: Practice Exams & Final Review
  • Take 2–3 full-length practice exams (target: 80%+ consistently)
  • Review incorrect answers — identify knowledge gaps
  • Re-read AWS FAQs for GuardDuty, KMS, IAM, Security Hub
  • Review ordering/matching question formats
  • Light review on exam day — no cramming

Pro tip: Start with IAM and KMS because they appear across every domain. If you’re scoring below 75% on practice exams by Week 7, extend to 10 weeks.

Exam Topics & Related Posts

Domain 1: Detection (16%)

  • Amazon GuardDuty — Threat detection using CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs. Covers runtime monitoring, extended threat detection, and malware protection.
  • Amazon Detective — Security investigation using behavior graphs from CloudTrail, VPC Flow Logs, and GuardDuty findings.
  • AWS Security Hub — Centralized security posture management, automated compliance checks (CIS, PCI DSS, AWS Foundational), and cross-account/cross-region aggregation.
  • Amazon Security Lake — Centralizes security data in OCSF format from AWS services, SaaS providers, and on-premises sources for security analytics.
  • AWS CloudTrail — Audit logging, CloudTrail Lake for SQL-based event querying, Insights for anomaly detection, organization trails.
  • Amazon CloudWatch — Metric filters, alarms, anomaly detection, CloudWatch Logs with data protection policies for sensitive data masking.
  • Amazon Inspector — Automated vulnerability scanning for EC2, ECR containers, and Lambda functions.
  • Amazon Macie — ML-powered sensitive data discovery and classification in S3.

Domain 2: Incident Response (14%)

  • AWS Security Incident Response — Automated triage of GuardDuty and Security Hub findings, AI-powered investigation, containment, and 24/7 CIRT access.
  • Automated Remediation Patterns:
    • GuardDuty → EventBridge → Lambda (isolate instance, revoke credentials)
    • Config Rule → EventBridge → Systems Manager Automation (remediate non-compliant resources)
    • Security Hub → EventBridge → Step Functions (multi-step workflows)
  • Forensics: EBS snapshot isolation, memory acquisition, VPC isolation for compromised instances, CloudTrail Lake investigation.
  • AWS Config — Resource configuration history, compliance rules, and automated remediation.
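The GuardDuty → EventBridge → Lambda pattern above, as an added example that is not code from the original post: the handler contains a compromised EC2 instance by moving its network interfaces onto a quarantine security group and snapshotting its volumes for forensics, without terminating or rebooting it. It assumes a pre-created quarantine security group with no inbound or outbound rules, passed in a QUARANTINE_SG_ID environment variable (an assumed name), and the standard EventBridge event shape for a GuardDuty finding.

```python
import os

SEVERITY_THRESHOLD = 7.0  # GuardDuty scores High findings 7.0 to 8.9

# Constructed sample event (not from the page) in the shape EventBridge delivers
# for a GuardDuty finding; the ids are placeholders.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-placeholder-0001",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0placeholder12345"}},
    },
}

def parse_finding(event):
    """Extract the fields the playbook needs; None when the finding is not about an EC2 instance."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None  # IAM-credential, S3 and EKS findings need other playbooks
    return {"finding_id": detail["id"], "type": detail["type"],
            "severity": float(detail["severity"]),
            "instance_id": resource["instanceDetails"]["instanceId"]}

def contain_instance(ec2, instance_id, quarantine_sg, finding_id):
    """Isolate the instance and preserve evidence; never terminates or reboots it."""
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    # 1. Move every ENI onto the quarantine SG (no rules), which cuts all traffic.
    enis = [n["NetworkInterfaceId"] for n in instance["NetworkInterfaces"]]
    for eni in enis:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[quarantine_sg])
    # 2. Snapshot attached volumes before any responder touches the instance.
    volumes = [m["Ebs"]["VolumeId"] for m in instance.get("BlockDeviceMappings", []) if "Ebs" in m]
    snapshots = [ec2.create_snapshot(VolumeId=v, Description=f"forensics {finding_id}")["SnapshotId"]
                 for v in volumes]
    # 3. Tag it so responders and other automation see it is under investigation.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "Quarantined"},
        {"Key": "GuardDutyFindingId", "Value": finding_id}])
    return {"instance_id": instance_id, "enis": enis, "snapshots": snapshots}

def handle(event, ec2, quarantine_sg, threshold=SEVERITY_THRESHOLD):
    """Decision logic, kept apart from the Lambda entry point so it can be tested offline."""
    finding = parse_finding(event)
    if finding is None or finding["severity"] < threshold:
        return {"action": "none", "finding": finding}
    return {"action": "contained",
            **contain_instance(ec2, finding["instance_id"], quarantine_sg, finding["finding_id"])}

def lambda_handler(event, context):
    import boto3  # imported here so the logic above is testable without the SDK installed
    return handle(event, boto3.client("ec2"), os.environ["QUARANTINE_SG_ID"])
```

The Lambda's execution role needs only ec2:DescribeInstances, ec2:ModifyNetworkInterfaceAttribute, ec2:CreateSnapshot and ec2:CreateTags, which keeps the remediation function itself least-privilege.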

Domain 3: Infrastructure Security (18%)

  • AWS VPC — Security Groups, NACLs, VPC endpoints (Gateway & Interface/PrivateLink), VPC Flow Logs, VPC peering, Transit Gateway.
  • AWS Network Firewall — Stateful/stateless inspection, IDS/IPS, Suricata-compatible rules, centralized deployment via Firewall Manager.
  • AWS WAF — Web ACLs, managed rule groups, rate-based rules, Bot Control, Fraud Control (Account Takeover/Creation), IP reputation lists.
  • Network Firewall vs WAF vs Security Groups vs NACLs — Understanding when to use each layer.
  • Network Firewall vs Gateway Load Balancer — Choosing between AWS-managed and third-party appliances.
  • AWS Verified Access — Zero-trust access to corporate applications without VPN, evaluating requests against security policies in real-time.
  • AWS Firewall Manager — Centrally configure WAF, Shield Advanced, Security Groups, Network Firewall, and DNS Firewall rules across Organizations.
  • AWS Shield & Shield Advanced — DDoS protection for CloudFront, Route 53, ALB, and Global Accelerator.
  • AWS VPN — Site-to-site VPN, IPSec encryption, VPN over Direct Connect.

Domain 4: Identity and Access Management (20%)

  • AWS IAM Overview — Users, groups, roles, and policy evaluation logic.
  • IAM Access Management — Identity-based policies, resource-based policies, permission boundaries, session policies.
  • IAM Roles — Cross-account access, service roles, role chaining, confused deputy protection.
  • IAM Federation — SAML 2.0, OIDC, custom identity brokers.
  • IAM Best Practices — Least privilege, MFA enforcement, credential rotation.
  • Amazon Verified Permissions — Fine-grained authorization using Cedar policy language, supporting RBAC and ABAC models, integrating with Cognito and API Gateway.
  • IAM Identity Center (formerly SSO) — Centralized workforce identity management for multi-account access with SAML 2.0 and SCIM provisioning.
  • Amazon Cognito — User Pools for authentication, Identity Pools for temporary AWS credentials.
  • AWS Organizations — SCPs, Resource Control Policies (RCPs), Declarative Policies, AI service opt-out policies.
  • IAM Access Analyzer — External access findings, unused access findings, custom policy checks, and policy generation based on access activity.
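A worked model of the policy evaluation logic listed above (and the Week 1 hands-on of writing policies with conditions), added here as an example and not taken from the page: it decides a same-account request against identity policies, SCPs and a permissions boundary in the order the exam tests, an explicit deny in any policy first, then the SCP, boundary and identity allows. It is a deliberate simplification that ignores resource-based and session policies, RCPs and most condition operators; the sample policies are constructed.

```python
import fnmatch
# Constructed sample policies (not from the page): an SCP region lock, an S3-only boundary,
# and a developer policy that denies everything when the session has no MFA.
SCP_REGION_LOCK = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}}}]}
BOUNDARY_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DEV_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "iam:CreateUser"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}

def _as_list(value): return value if isinstance(value, list) else [value]

def _match(value, patterns, ignore_case=False):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character.
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_matches(condition, context):
    # Subset of IAM condition operators; every key in the block must match.
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            if key not in context:
                return False  # a missing key never matches (no ...IfExists variants here)
            actual, expected = str(context[key]), [str(e) for e in _as_list(expected)]
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator == "Bool" and actual.lower() != expected[0].lower():
                return False
            if operator not in ("StringEquals", "StringNotEquals", "Bool"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate_policy(policy, action, resource, context):
    """Return 'Allow', 'Deny', or None (no matching statement) for one document."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if not _match(action, _as_list(stmt.get("Action", [])), ignore_case=True):
            continue
        if not _match(resource, _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any applicable policy is final
        decision = "Allow"
    return decision

def is_allowed(action, resource, identity_policies, scps=(), boundary=None, context=None):
    """Same-account decision: explicit deny > SCP > permissions boundary > identity policy."""
    context = context or {}
    groups = [list(identity_policies), list(scps), [boundary] if boundary else []]
    results = [[evaluate_policy(p, action, resource, context) for p in g] for g in groups]
    if any("Deny" in r for r in results):
        return False
    if scps and "Allow" not in results[1]:
        return False  # SCPs set the account's ceiling; no SCP allow is an implicit deny
    if boundary and "Allow" not in results[2]:
        return False  # the boundary caps what the identity policy may grant
    return "Allow" in results[0]
```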

Domain 5: Data Protection (18%)

  • AWS KMS — Key policies, grants, multi-region keys, imported key material, External Key Store (XKS), ViaService conditions.
  • Envelope Encryption — Data keys encrypted by KMS CMKs for efficient large-data encryption.
  • S3 Encryption — SSE-S3, SSE-KMS, SSE-C, client-side encryption, bucket keys, default encryption.
  • S3 Security — Bucket policies, ACLs, Block Public Access, Access Points, Object Lock.
  • AWS Certificate Manager (ACM) — Public/private certificates, Private CA for internal resources, cross-region certificate management.
  • AWS Secrets Manager — Automatic rotation, cross-region replication, comparison with Parameter Store.
  • Inter-node Encryption — Amazon EMR (in-transit encryption), EKS (pod-to-pod with service mesh), SageMaker (inter-container training encryption), Nitro enclaves.
  • Data Masking — CloudWatch Logs data protection policies for masking PII/PHI, Amazon SNS message data protection for filtering sensitive data in messages.
  • Amazon Bedrock Guardrails — Content filters, denied topics, word filters, sensitive information filters (PII), contextual grounding checks for GenAI security.

Domain 6: Security Foundations & Governance (14%)

  • AWS Organizations — Multi-account strategy, OU structure, consolidated billing.
  • AWS Control Tower — Landing zone setup, guardrails (preventive, detective, proactive).
  • AWS Config — Configuration recording, managed/custom rules, conformance packs, remediation.
  • AWS RAM — Secure cross-account resource sharing within Organizations.
  • AWS Audit Manager — Automated evidence collection, prebuilt frameworks (SOC 2, PCI DSS, GDPR).
  • AWS Artifact — On-demand access to compliance reports and agreements.
  • CloudTrail — Organization trails, log file integrity validation, integration with Security Lake.

SCS-C03 Practice Questions

Test your readiness with these sample questions covering new SCS-C03 topics:

Question 1 — GenAI Security (Domain 5)

A company uses Amazon Bedrock to power a customer-facing chatbot. The security team needs to prevent the model from generating content about competitors, block personally identifiable information (PII) in responses, and log all denied requests. Which combination of actions should the security engineer take? (Choose TWO)

  A. Create a Bedrock Guardrail with denied topics for competitor names and enable the sensitive information filter for PII detection.
  B. Use an AWS WAF web ACL with custom rules to inspect Bedrock API request/response bodies.
  C. Configure CloudTrail data events for Bedrock model invocations and create a CloudWatch metric filter for guardrail interventions.
  D. Deploy a Lambda@Edge function on CloudFront to scan all responses for PII before delivery.
  E. Enable Bedrock model access logging to S3 and use Macie to scan the logs for PII.

Correct: A, C

Explanation: Bedrock Guardrails (A) provide native content filtering with denied topics and sensitive information filters for PII — this is the purpose-built solution for controlling model outputs. CloudTrail data events with CloudWatch metric filters (C) provide the logging and alerting for denied requests. WAF (B) operates at the HTTP layer and cannot inspect Bedrock model response content. Lambda@Edge (D) doesn’t have access to Bedrock API responses. Macie (E) discovers PII in S3 objects but doesn’t prevent PII in real-time responses.

Question 2 — Verified Permissions & Cedar (Domain 4)

A SaaS application needs fine-grained authorization where users can access only their own documents, and managers can access documents of all team members. The authorization decisions must be evaluated in under 10ms and support both role-based and attribute-based access control. Which solution meets these requirements?

  A. Write IAM policies with conditions for each user and attach them to Cognito Identity Pool roles.
  B. Use Amazon Verified Permissions with Cedar policies that define role-based rules for managers and attribute-based rules matching document owner to the requesting user.
  C. Deploy a custom authorization Lambda function that queries DynamoDB for user-document mappings on each request.
  D. Use API Gateway resource policies with IAM conditions to restrict document access based on the caller’s identity.

Correct: B

Explanation: Amazon Verified Permissions is purpose-built for fine-grained application authorization using the Cedar policy language. It supports both RBAC (role-based — managers can access team documents) and ABAC (attribute-based — users can access their own documents) in a single policy store with low-latency evaluation. IAM policies (A) are for AWS resource access, not application-level authorization. A custom Lambda (C) adds complexity and may not meet 10ms latency. API Gateway resource policies (D) are coarse-grained and don’t support per-document authorization.

Question 3 — Security Lake & OCSF (Domain 1)

A security operations team needs to centralize security findings from GuardDuty, Security Hub, CloudTrail, and VPC Flow Logs across 50 AWS accounts into a single queryable data store using a standardized schema. Third-party SIEM tools must be able to consume this data. Which approach meets these requirements with the LEAST operational overhead?

  A. Configure each account to send findings to a centralized S3 bucket using EventBridge rules, then use Athena for querying.
  B. Enable Amazon Security Lake as a delegated administrator in the Organizations management account, which automatically collects and normalizes data to OCSF format and provides subscriber access for third-party tools.
  C. Deploy a Kinesis Data Firehose in each account to stream logs to a central OpenSearch cluster with custom parsing rules.
  D. Use CloudTrail Lake with organization-level event data stores for all accounts and grant third-party tools direct query access.

Correct: B

Explanation: Amazon Security Lake automatically collects security data from multiple sources (GuardDuty, Security Hub, CloudTrail, VPC Flow Logs, Route 53, S3, Lambda, EKS), normalizes it to the Open Cybersecurity Schema Framework (OCSF), and stores it in a purpose-built data lake. It supports subscriber access for third-party SIEM tools with minimal operational overhead. Option A requires custom schema normalization. Option C adds significant operational complexity. Option D (CloudTrail Lake) only covers CloudTrail events, not all the required sources.

Question 4 — Inter-node Encryption (Domain 5)

A company runs distributed machine learning training jobs on Amazon SageMaker AI using multiple instances. The compliance team requires that all data transmitted between training instances during distributed training is encrypted in transit. How should the security engineer meet this requirement?

  A. Deploy the training instances in a private subnet with a security group that only allows HTTPS traffic between instances.
  B. Enable inter-container traffic encryption in the SageMaker training job configuration.
  C. Configure a VPN connection between each training instance using AWS Site-to-Site VPN.
  D. Use AWS PrivateLink endpoints for all communication between SageMaker training instances.

Correct: B

Explanation: SageMaker AI provides a native inter-container traffic encryption option that encrypts all data transmitted between training instances during distributed training. This is enabled via the EnableInterContainerTrafficEncryption parameter in the training job configuration. Security groups (A) control traffic flow but don’t encrypt it. Site-to-Site VPN (C) is for on-premises to AWS connectivity. PrivateLink (D) is for accessing AWS services privately, not for inter-instance communication within a training job.

Question 5 — Verified Access & Zero Trust (Domain 3)

A company wants to provide remote employees access to internal web applications without requiring a VPN. Access must be granted based on the user’s identity (from the corporate IdP), device security posture, and the specific application being accessed. All access decisions must be logged. Which solution meets these requirements?

  A. Deploy an Application Load Balancer with OIDC authentication action rules that validate tokens from the corporate IdP.
  B. Configure AWS Client VPN with certificate-based mutual authentication and posture assessment.
  C. Set up AWS Verified Access with trust providers for the corporate IdP and a device management solution, create access policies per application, and enable access logs.
  D. Use Amazon CloudFront with Lambda@Edge functions that validate JWT tokens and check device certificates.

Correct: C

Explanation: AWS Verified Access provides zero-trust network access to corporate applications without a VPN. It evaluates each request against access policies using trust providers (identity providers for user identity and device management solutions for device posture). Access logs capture all authorization decisions. ALB with OIDC (A) validates identity but doesn’t assess device posture or provide zero-trust per-request evaluation. Client VPN (B) contradicts the no-VPN requirement. CloudFront with Lambda@Edge (D) requires custom development and doesn’t natively integrate with device posture providers.

Exam Day Tips

  • Time management: 170 minutes for 65 questions = ~2.5 minutes per question. Ordering and matching questions take longer — budget 3–4 minutes for those.
  • Mark and move: Flag difficult questions and return after completing all others.
  • Elimination strategy: On multi-choice questions, eliminate 2 obviously wrong answers first, then focus on the remaining 2.
  • Read carefully: Questions have significant prose. Identify the key requirement (cost, security, least operational overhead) before evaluating answers.
  • Ordering questions: Think about logical dependencies — what must happen before what? E.g., you must isolate before you investigate.
  • Online exam: Join 30 minutes early. Clear your desk. No external monitors, phones, or watches.
  • ESL accommodation: Request 30 extra minutes if English is not your first language.

All the best! 🎯

Frequently Asked Questions

What is the AWS SCS-C03 exam?

The AWS Certified Security – Specialty (SCS-C03) is an advanced certification for security professionals. It has 65 questions over 170 minutes, requires 750/1000 to pass, costs $300, and covers 6 domains: Detection, Incident Response, Infrastructure Security, IAM, Data Protection, and Security Foundations.

What changed from SCS-C02 to SCS-C03?

Key changes include: GenAI security topics (Bedrock Guardrails, OWASP LLM Top 10), OCSF/Security Lake integration, IAM weight increased from 16% to 20%, new services (Verified Access, Verified Permissions), inter-node encryption, SNS data protection, and domain restructuring (Detection + Incident Response split).

How long should I study for SCS-C03?

With 2+ years of AWS security experience, 8-10 weeks of dedicated study is recommended. Focus on hands-on labs with IAM policies, KMS, GuardDuty, Security Hub, and the new GenAI security features in Bedrock.
