AWS Certified Security – Specialty (SCS-C03) Exam Learning Path
The AWS Certified Security – Specialty (SCS-C03) exam validates advanced security skills for designing and implementing AWS security solutions. This updated version went live on December 2, 2025, replacing the SCS-C02. This comprehensive learning path covers everything you need to pass the exam — domains, study resources, an 8-week study plan, exam topics with links, and practice questions.
SCS-C03 Exam Overview
| Detail | Value |
|---|---|
| Exam Code | SCS-C03 |
| Format | 65 questions (multiple-choice, multiple-response, ordering, matching) |
| Duration | 170 minutes |
| Passing Score | 750 / 1000 |
| Cost | $300 USD |
| Delivery | Pearson VUE (testing center or online) |
| Prerequisite | None required (5+ years security experience recommended) |
| Live Since | December 2, 2025 |
Refer to the AWS Certified Security – Specialty (SCS-C03) Exam Guide
SCS-C03 Exam Domains
| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Detection | 16% | GuardDuty, Security Hub, Detective, CloudTrail, VPC Flow Logs, Security Lake (OCSF) |
| Domain 2: Incident Response | 14% | Automated remediation, forensics, containment, AWS Security Incident Response |
| Domain 3: Infrastructure Security | 18% | VPC, Network Firewall, WAF, Verified Access, Firewall Manager, Shield |
| Domain 4: Identity and Access Management | 20% | IAM policies, Verified Permissions/Cedar, Identity Center, SCPs, RCPs, Cognito |
| Domain 5: Data Protection | 18% | KMS, CloudHSM, ACM, inter-node encryption, data masking, Bedrock Guardrails |
| Domain 6: Security Foundations & Governance | 14% | Organizations, Control Tower, Config, compliance frameworks, AWS Audit Manager |
What’s New in SCS-C03 vs SCS-C02
Key Changes in SCS-C03
- Generative AI Security — Amazon Bedrock Guardrails, OWASP LLM Top 10 protections, AgentCore security, and SageMaker AI model protection are now in scope.
- OCSF & Security Lake — Open Cybersecurity Schema Framework (OCSF) normalization and Amazon Security Lake for centralized security data analytics.
- IAM Weight Increased — Domain 4 (IAM) increased from 16% to 20%, reflecting identity as the new security perimeter.
- SNS/CloudWatch Data Protection — Data masking policies for CloudWatch Logs and Amazon SNS message data protection.
- Inter-node Encryption — Encryption in transit between nodes for Amazon EMR, EKS, SageMaker AI, and Nitro Enclaves.
- AWS Verified Access — Zero-trust network access without VPNs now explicitly tested.
- Amazon Verified Permissions & Cedar — Fine-grained authorization using Cedar policy language with RBAC and ABAC models.
- Domain Restructuring — Detection and Incident Response are now separate domains; “Management and Security Governance” renamed to “Security Foundations & Governance.”
- New Question Types — Ordering (arrange steps in sequence) and matching (match services to functions) alongside traditional multiple-choice.
Recommended Study Resources
Online Courses
- Stephane Maarek — Ultimate AWS Certified Security Specialty [SCS-C03] (Updated Jan 2026 for SCS-C03). Comprehensive coverage of all domains with hands-on demos.
- Adrian Cantrill — AWS Certified Security – Specialty. Deep-dive technical labs with real-world scenarios.
- Whizlabs — AWS Certified Security Specialty (SCS-C03) Course + Labs. Video course with integrated hands-on labs.
Practice Tests
- Stephane Maarek — AWS Certified Security – Specialty Practice Exams. 4 full-length practice exams (260 questions) with detailed explanations.
- Whizlabs — AWS Certified Security Specialty (SCS-C03) Practice Tests. 500+ practice questions with section tests per domain.
- Tutorials Dojo — AWS Certified Security Specialty SCS-C03 Practice Exams. Timed-mode and review-mode with cheat sheets included.
AWS Official Resources
- SCS-C03 Exam Guide (PDF)
- AWS Skill Builder – Exam Prep Course
- AWS Security Incident Response Guide
- Well-Architected Framework – Security Pillar
Whitepapers & Cheat Sheets
- AWS Security Services – Cheat Sheet
- AWS Identity Services – Cheat Sheet
- AWS DDoS Resiliency Best Practices
8-Week Study Plan
This plan assumes 1.5–2 hours of study per day. Adjust timelines based on your existing AWS security experience.
| Week | Focus Area |
|---|---|
| Week 1 | IAM Foundations (Domain 4) |
| Week 2 | Advanced IAM & Identity (Domain 4) |
| Week 3 | Data Protection (Domain 5) |
| Week 4 | Infrastructure Security (Domain 3) |
| Week 5 | Detection (Domain 1) |
| Week 6 | Incident Response & GenAI Security (Domains 2 & 5) |
| Week 7 | Governance & Review (Domain 6) |
| Week 8 | Practice Exams & Final Review |
Pro tip: Start with IAM and KMS because they appear across every domain. If you’re scoring below 75% on practice exams by Week 7, extend to 10 weeks.
Exam Topics & Related Posts
Domain 1: Detection (16%)
- Amazon GuardDuty — Threat detection using CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs. Covers runtime monitoring, extended threat detection, and malware protection.
- Amazon Detective — Security investigation using behavior graphs from CloudTrail, VPC Flow Logs, and GuardDuty findings.
- AWS Security Hub — Centralized security posture management, automated compliance checks (CIS, PCI DSS, AWS Foundational), and cross-account/cross-region aggregation.
- Amazon Security Lake — Centralizes security data in OCSF format from AWS services, SaaS providers, and on-premises sources for security analytics.
- AWS CloudTrail — Audit logging, CloudTrail Lake for SQL-based event querying, Insights for anomaly detection, organization trails.
- Amazon CloudWatch — Metric filters, alarms, anomaly detection, CloudWatch Logs with data protection policies for sensitive data masking.
- Amazon Inspector — Automated vulnerability scanning for EC2, ECR containers, and Lambda functions.
- Amazon Macie — ML-powered sensitive data discovery and classification in S3.
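The CloudTrail and CloudWatch entries above are where most Domain 1 questions live: given a log source, which filter or rule surfaces the event. The following is an added example, not code from the page, that runs five CIS AWS Foundations Benchmark-style detections over CloudTrail records. The records are constructed for the example and trimmed to the fields the checks read; the rule names are this example's own.

```python
"""Detection rules run over CloudTrail records (added example, not from the page).

Each check mirrors one of the CIS AWS Foundations Benchmark CloudWatch metric
filter recommendations: unauthorized API calls, console sign-in without MFA,
root account usage, CloudTrail configuration changes, and KMS key disabling or
scheduled deletion. The records below are constructed for this example.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample records in CloudTrail's JSON layout (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2025-12-02T09:00:01Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-12-02T09:05:12Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-12-02T09:07:40Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2025-12-02T09:09:03Z", "eventName": "ScheduleKeyDeletion",
     "eventSource": "kms.amazonaws.com", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                           "pendingWindowInDays": 7}},
    {"eventTime": "2025-12-02T09:10:30Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "eventType": "AwsApiCall",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-12-02T09:11:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/carol"}},
]


def check_unauthorized_api_call(r):
    # CIS filter: $.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*"
    code = r.get("errorCode", "")
    if fnmatchcase(code, "*UnauthorizedOperation") or fnmatchcase(code, "AccessDenied*"):
        return "unauthorized-api-call"


def check_console_login_without_mfa(r):
    # Only IAM users are in scope here; federated sign-ins report MFA at the IdP.
    if (r.get("eventName") == "ConsoleLogin"
            and r.get("userIdentity", {}).get("type") == "IAMUser"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        return "console-login-without-mfa"


def check_root_usage(r):
    # Exclude service-initiated events and calls a service made on root's behalf.
    ident = r.get("userIdentity", {})
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent"):
        return "root-account-usage"


CLOUDTRAIL_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
KMS_DESTRUCTIVE = {"DisableKey", "ScheduleKeyDeletion"}


def check_cloudtrail_change(r):
    if r.get("eventName") in CLOUDTRAIL_CHANGES:
        return "cloudtrail-configuration-change"


def check_kms_key_disable_or_delete(r):
    if r.get("eventSource") == "kms.amazonaws.com" and r.get("eventName") in KMS_DESTRUCTIVE:
        return "kms-key-disabled-or-scheduled-for-deletion"


CHECKS = [check_unauthorized_api_call, check_console_login_without_mfa,
          check_root_usage, check_cloudtrail_change, check_kms_key_disable_or_delete]


def actor_of(r):
    ident = r.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def run_checks(records):
    """Return one finding per (record, matching rule), in log order."""
    findings = []
    for r in records:
        for check in CHECKS:
            rule = check(r)
            if rule:
                findings.append({"rule": rule, "actor": actor_of(r),
                                 "eventName": r.get("eventName"), "eventTime": r.get("eventTime")})
    return findings


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(text).get("Records", [])


if __name__ == "__main__":
    for f in run_checks(load_records(json.dumps({"Records": SAMPLE_RECORDS}))):
        print(f"{f['eventTime']} {f['rule']:45} {f['actor']}")
```

Note that the root sign-in is flagged even though MFA was used: CIS treats any root activity as reportable, and the MFA check deliberately scopes itself to `IAMUser` so it does not double-count root. In production these same predicates become CloudWatch Logs metric filters on the trail's log group, with an alarm on each metric.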
Domain 2: Incident Response (14%)
- AWS Security Incident Response — Automated triage of GuardDuty and Security Hub findings, AI-powered investigation, containment, and 24/7 CIRT access.
- Automated Remediation Patterns:
  - GuardDuty → EventBridge → Lambda (isolate instance, revoke credentials)
  - Config Rule → EventBridge → Systems Manager Automation (remediate non-compliant resources)
  - Security Hub → EventBridge → Step Functions (multi-step workflows)
- Forensics: EBS snapshot isolation, memory acquisition, VPC isolation for compromised instances, CloudTrail Lake investigation.
- AWS Config — Resource configuration history, compliance rules, and automated remediation.
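The GuardDuty → EventBridge → Lambda pattern is the one most often asked about in ordering questions, because the steps have a required sequence: contain, protect the evidence, then snapshot for forensics. The following is an added example of the Lambda side, not code from the page. It assumes an empty quarantine security group already exists (its ID is read from a `QUARANTINE_SG_ID` environment variable), that the function's role can call the EC2 APIs used, and a severity threshold of 7.0 (GuardDuty "High"); the EC2 client is injected so the logic runs against the in-memory stub without AWS access.

```python
"""Containment Lambda for the GuardDuty -> EventBridge -> Lambda pattern.

Added example, not from the page. Assumptions: a quarantine security group with
no inbound or outbound rules exists (QUARANTINE_SG_ID), the role may call the EC2
APIs below, and only findings at or above SEVERITY_THRESHOLD are acted on.
"""
import os

SEVERITY_THRESHOLD = float(os.environ.get("SEVERITY_THRESHOLD", "7"))  # GuardDuty "High" starts at 7.0


def plan_isolation(event, threshold=SEVERITY_THRESHOLD):
    """Extract the target from an EventBridge-wrapped GuardDuty finding, or None if no action is warranted."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.guardduty" or "severity" not in detail:
        return None
    resource = detail.get("resource", {})
    if detail["severity"] < threshold or resource.get("resourceType") != "Instance":
        return None  # low-severity findings and non-EC2 resources (access keys, S3, EKS) are ignored here
    return {"instance_id": resource["instanceDetails"]["instanceId"],
            "region": event.get("region"), "finding_id": detail["id"],
            "finding_type": detail["type"], "severity": detail["severity"]}


def isolate_instance(ec2, plan, quarantine_sg):
    """Contain first, then preserve evidence; return what was changed so it can be reverted."""
    instance_id = plan["instance_id"]
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in instance["SecurityGroups"]]
    # 1. Contain: replace every security group with the empty quarantine group.
    #    Instances with additional ENIs need modify_network_interface_attribute per interface.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # 2. Keep the evidence from being terminated during cleanup.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 3. Snapshot every attached EBS volume for offline forensics.
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"forensic copy, GuardDuty finding {plan['finding_id']}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "FindingId", "Value": plan["finding_id"]}]}])
        snapshots.append(snap["SnapshotId"])
    # 4. Record the original groups on the instance so the change can be reversed later.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Quarantine", "Value": plan["finding_type"]},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)}])
    return {"instance_id": instance_id, "original_security_groups": original_sgs,
            "snapshots": snapshots}


def lambda_handler(event, context):
    plan = plan_isolation(event)
    if plan is None:
        return {"action": "ignored"}
    import boto3  # imported here so the module loads without boto3 for local testing
    ec2 = boto3.client("ec2", region_name=plan["region"])
    return {"action": "isolated", **isolate_instance(ec2, plan, os.environ["QUARANTINE_SG_ID"])}


class FakeEC2:
    """Minimal in-memory stand-in for the boto3 EC2 client calls used above."""
    def __init__(self):
        self.calls, self.snapshot_count = [], 0

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-root"}},
                                    {"Ebs": {"VolumeId": "vol-data"}}]}]}]}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        self.snapshot_count += 1
        return {"SnapshotId": f"snap-{self.snapshot_count:04d}"}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


# Constructed EventBridge event carrying a GuardDuty finding (trimmed to the fields used).
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "us-east-1",
    "detail": {"id": "a1b2c3d4e5f6", "severity": 8,
               "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc123def456"}}}}

if __name__ == "__main__":
    print(isolate_instance(FakeEC2(), plan_isolation(SAMPLE_EVENT), "sg-quarantine"))
```

The EventBridge rule that triggers this function should match on `source: aws.guardduty` and `detail-type: GuardDuty Finding`; filtering on severity in the rule pattern as well keeps low-severity noise from invoking the function at all. Memory acquisition, if required, has to happen before the instance is stopped, which is why this handler never stops or terminates it.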
Domain 3: Infrastructure Security (18%)
- AWS VPC — Security Groups, NACLs, VPC endpoints (Gateway & Interface/PrivateLink), VPC Flow Logs, VPC peering, Transit Gateway.
- AWS Network Firewall — Stateful/stateless inspection, IDS/IPS, Suricata-compatible rules, centralized deployment via Firewall Manager.
- AWS WAF — Web ACLs, managed rule groups, rate-based rules, Bot Control, Fraud Control (Account Takeover/Creation), IP reputation lists.
- Network Firewall vs WAF vs Security Groups vs NACLs — Understanding when to use each layer.
- Network Firewall vs Gateway Load Balancer — Choosing between AWS-managed and third-party appliances.
- AWS Verified Access — Zero-trust access to corporate applications without VPN, evaluating requests against security policies in real-time.
- AWS Firewall Manager — Centrally configure WAF, Shield Advanced, Security Groups, Network Firewall, and DNS Firewall rules across Organizations.
- AWS Shield & Shield Advanced — DDoS protection for CloudFront, Route 53, ALB, Global Accelerator, and Elastic IP addresses (EC2, NLB). Shield Advanced adds DDoS cost protection and access to the Shield Response Team.
- AWS VPN — Site-to-site VPN, IPSec encryption, VPN over Direct Connect.
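The "when to use each layer" entry above hinges on two properties that questions test repeatedly: security groups are stateful and allow-only, while network ACLs are stateless and evaluated in rule-number order. The following added example, not code from the page, evaluates a single TCP flow against a constructed NACL and security group so both properties are visible; the rule sets, addresses and ports are invented for the example.

```python
"""Stateless NACL vs stateful security group, evaluated for a single TCP flow.

Added example, not from the page; the rule sets below are constructed. It shows
that NACL rules are evaluated in ascending number with the first match winning
(so a deny can be shadowed by a lower-numbered allow) and that a NACL must
explicitly allow the reply on the client's ephemeral port, which a security
group permits automatically.
"""
from ipaddress import ip_address, ip_network


def _rule_matches(rule, proto, host, port):
    lo, hi = rule["ports"]
    return (rule["protocol"] in ("-1", proto)          # "-1" is "all protocols"
            and lo <= port <= hi
            and ip_address(host) in ip_network(rule["cidr"]))


def nacl_decision(rules, direction, proto, host, port):
    """First matching rule in ascending number order wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule["direction"] == direction and _rule_matches(rule, proto, host, port):
            return rule["action"], rule["number"]
    return "deny", "*"


def nacl_allows_flow(rules, client_ip, client_port, server_port, proto="tcp"):
    """Stateless: the request (inbound) and the reply (outbound) are judged independently."""
    inbound = nacl_decision(rules, "inbound", proto, client_ip, server_port)
    outbound = nacl_decision(rules, "outbound", proto, client_ip, client_port)
    return inbound[0] == "allow" and outbound[0] == "allow", {"inbound": inbound, "outbound": outbound}


def sg_allows_flow(ingress, client_ip, server_port, proto="tcp"):
    """Stateful: only allow rules exist, any match permits, and the reply is tracked automatically."""
    return any(_rule_matches(rule, proto, client_ip, server_port) for rule in ingress)


def _rule(number, direction, action, cidr, lo, hi, protocol="tcp"):
    return {"number": number, "direction": direction, "action": action,
            "protocol": protocol, "cidr": cidr, "ports": (lo, hi)}


# Constructed NACL: HTTPS from anywhere, SSH only from the corporate range with a
# broad SSH deny numbered after it, and the usual 1024-65535 ephemeral reply range
# (covers Linux 32768-60999, Windows 49152-65535, and ELB/NAT gateway 1024-65535).
WEB_NACL = [
    _rule(100, "inbound", "allow", "0.0.0.0/0", 443, 443),
    _rule(110, "inbound", "allow", "203.0.113.0/24", 22, 22),
    _rule(120, "inbound", "deny", "0.0.0.0/0", 22, 22),
    _rule(100, "outbound", "allow", "0.0.0.0/0", 1024, 65535),
]
# Same NACL with the ephemeral reply rule forgotten: requests get in, replies do not get out.
NO_EPHEMERAL_NACL = [r for r in WEB_NACL if r["direction"] == "inbound"]
# A lower-numbered allow added later silently shadows the SSH deny at 120.
SHADOWED_NACL = WEB_NACL + [_rule(90, "inbound", "allow", "0.0.0.0/0", 22, 22)]
# Security group ingress: one rule is enough, the reply is handled by connection tracking.
WEB_SG_INGRESS = [{"protocol": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443)}]

if __name__ == "__main__":
    for label, nacl in (("web", WEB_NACL), ("no-ephemeral", NO_EPHEMERAL_NACL)):
        print(label, nacl_allows_flow(nacl, "198.51.100.7", 50123, 443))
    print("shadowed ssh:", nacl_decision(SHADOWED_NACL, "inbound", "tcp", "198.51.100.7", 22))
```

The `NO_EPHEMERAL_NACL` case is the classic "the instance can be reached but the page never loads" scenario: VPC Flow Logs show the inbound packets as ACCEPT and the replies as REJECT at the subnet boundary, which is the clue that the problem is the NACL rather than the security group.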
Domain 4: Identity and Access Management (20%)
- AWS IAM Overview — Users, groups, roles, and policy evaluation logic.
- IAM Access Management — Identity-based policies, resource-based policies, permission boundaries, session policies.
- IAM Roles — Cross-account access, service roles, role chaining, confused deputy protection.
- IAM Federation — SAML 2.0, OIDC, custom identity brokers.
- IAM Best Practices — Least privilege, MFA enforcement, credential rotation.
- Amazon Verified Permissions — Fine-grained authorization using Cedar policy language, supporting RBAC and ABAC models, integrating with Cognito and API Gateway.
- IAM Identity Center (formerly SSO) — Centralized workforce identity management for multi-account access with SAML 2.0 and SCIM provisioning.
- Amazon Cognito — User Pools for authentication, Identity Pools for temporary AWS credentials.
- AWS Organizations — SCPs, Resource Control Policies (RCPs), Declarative Policies, AI service opt-out policies.
- IAM Access Analyzer — External access findings, unused access findings, custom policy checks, and policy generation based on access activity.
Domain 5: Data Protection (18%)
- AWS KMS — Key policies, grants, multi-region keys, imported key material, External Key Store (XKS), ViaService conditions.
- Envelope Encryption — A data key from GenerateDataKey encrypts the data locally; only the data key is encrypted under the KMS key (formerly called a CMK), so large objects never pass through KMS.
- S3 Encryption — SSE-S3, SSE-KMS, SSE-C, client-side encryption, bucket keys, default encryption.
- S3 Security — Bucket policies, ACLs, Block Public Access, Access Points, Object Lock.
- AWS Certificate Manager (ACM) — Public/private certificates, Private CA for internal resources, cross-region certificate management.
- AWS Secrets Manager — Automatic rotation, cross-region replication, comparison with Parameter Store.
- Inter-node Encryption — Amazon EMR (in-transit encryption), EKS (pod-to-pod with a service mesh), SageMaker AI (inter-container traffic encryption for distributed training), Nitro Enclaves.
- Data Masking — CloudWatch Logs data protection policies for masking PII/PHI, Amazon SNS message data protection for filtering sensitive data in messages.
- Amazon Bedrock Guardrails — Content filters, denied topics, word filters, sensitive information filters (PII), contextual grounding checks for GenAI security.
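Policy evaluation logic, permission boundaries and SCPs from the Domain 4 list, and the `kms:ViaService` condition from the KMS entry in Domain 5, all come down to one decision procedure, so a single added example covers both domains and is placed here after the later list. It is not code from the page or from AWS: it simulates the evaluation order for one request in one account (explicit Deny wins; otherwise SCP, boundary and identity policy must each Allow; else implicit deny). Resource-based policies, session policies, `NotAction`/`NotResource` and most condition operators are left out. The policies are constructed; `kms:ViaService` normally lives in a key policy (resource-based), and is evaluated on an identity policy here only to show how the condition behaves.

```python
"""Simplified IAM policy evaluation for one request inside one account.

Added example, not from the page. Order modelled: an explicit Deny in any
applicable layer wins; otherwise SCPs, the permissions boundary (if any) and
the identity-based policies must each contain an Allow; anything else is an
implicit deny. Resource-based policies, session policies, NotAction/NotResource
and most condition operators are not modelled. Policies below are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected   # a missing key satisfies a negated test
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatchcase(actual, e) for e in expected)
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == expected[0].lower()
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]   # action names are case-insensitive
    resources = _as_list(stmt.get("Resource", "*"))                  # SCP statements carry Resource "*"
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources)   # ARNs are case-sensitive
            and _condition_holds(stmt.get("Condition", {}), ctx))


def _layer_verdict(policies, action, resource, ctx):
    """'Deny' if any statement explicitly denies, 'Allow' if one allows, None if nothing applies."""
    verdict = None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                verdict = "Allow"
    return verdict


def evaluate(action, resource, identity_policies, scps=None, boundary=None, ctx=None):
    """Return (decision, reason). Pass scps=None for the management account, which SCPs never restrict."""
    ctx = ctx or {}
    layers = [("SCP", scps), ("permissions boundary", [boundary] if boundary else None),
              ("identity policy", identity_policies)]
    verdicts = [(name, _layer_verdict(p, action, resource, ctx)) for name, p in layers if p is not None]
    for name, verdict in verdicts:            # explicit deny anywhere wins first
        if verdict == "Deny":
            return "Denied", f"explicit deny in {name}"
    for name, verdict in verdicts:            # then every applicable layer must allow
        if verdict is None:
            return "Denied", f"implicit deny: no Allow in {name}"
    return "Allowed", "Allow in every applicable layer"


# Constructed policies (not real account data).
IDENTITY = [{"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:111122223333:key/*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}]}]
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"}]}
SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},                       # FullAWSAccess
    {"Effect": "Deny", "Action": "*", "Resource": "*",                         # region restriction
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}}}]}]
US = {"aws:RequestedRegion": "us-east-1"}

if __name__ == "__main__":
    print(evaluate("iam:CreateUser", "*", IDENTITY, SCPS, BOUNDARY, US))
    print(evaluate("kms:Decrypt", "arn:aws:kms:us-east-1:111122223333:key/abc", IDENTITY, SCPS, BOUNDARY, US))
```

The `iam:CreateUser` case is the boundary question in its purest form: the identity policy allows it, the SCP allows it, and the request is still denied because the boundary caps what the identity policy may grant. The `kms:Decrypt` case without `kms:ViaService` in the context is what a direct `aws kms decrypt` call looks like, and it fails even though the same principal can decrypt through S3.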
Domain 6: Security Foundations & Governance (14%)
- AWS Organizations — Multi-account strategy, OU structure, consolidated billing.
- AWS Control Tower — Landing zone setup, guardrails (preventive, detective, proactive).
- AWS Config — Configuration recording, managed/custom rules, conformance packs, remediation.
- AWS RAM — Secure cross-account resource sharing within Organizations.
- AWS Audit Manager — Automated evidence collection, prebuilt frameworks (SOC 2, PCI DSS, GDPR).
- AWS Artifact — On-demand access to compliance reports and agreements.
- CloudTrail — Organization trails, log file integrity validation, integration with Security Lake.
SCS-C03 Practice Questions
Test your readiness with these sample questions covering new SCS-C03 topics:
Question 1 — GenAI Security (Domain 5)
A company uses Amazon Bedrock to power a customer-facing chatbot. The security team needs to prevent the model from generating content about competitors, block personally identifiable information (PII) in responses, and log all denied requests. Which combination of actions should the security engineer take? (Choose TWO)
- A. Create a Bedrock Guardrail with denied topics for competitor names and enable the sensitive information filter for PII detection.
- B. Use an AWS WAF web ACL with custom rules to inspect Bedrock API request/response bodies.
- C. Configure CloudTrail data events for Bedrock model invocations and create a CloudWatch metric filter for guardrail interventions.
- D. Deploy a Lambda@Edge function on CloudFront to scan all responses for PII before delivery.
- E. Enable Bedrock model invocation logging to S3 and use Macie to scan the logs for PII.
Correct: A, C
Explanation: Bedrock Guardrails (A) provide native content filtering with denied topics and sensitive information filters for PII; this is the purpose-built control for model outputs. CloudTrail data events with CloudWatch metric filters (C) provide the logging and alerting for denied requests (the trail must deliver to CloudWatch Logs for the metric filter to apply). WAF (B) operates at the HTTP layer and cannot inspect Bedrock model response content. Lambda@Edge (D) only sees responses if CloudFront fronts the chatbot and would need custom PII detection rather than the managed filters. Macie (E) discovers PII in S3 objects after the fact but does not prevent PII in real-time responses.
Question 2 — Verified Permissions & Cedar (Domain 4)
A SaaS application needs fine-grained authorization where users can access only their own documents, and managers can access documents of all team members. The authorization decisions must be evaluated in under 10ms and support both role-based and attribute-based access control. Which solution meets these requirements?
- A. Write IAM policies with conditions for each user and attach them to Cognito Identity Pool roles.
- B. Use Amazon Verified Permissions with Cedar policies that define role-based rules for managers and attribute-based rules matching document owner to the requesting user.
- C. Deploy a custom authorization Lambda function that queries DynamoDB for user-document mappings on each request.
- D. Use API Gateway resource policies with IAM conditions to restrict document access based on the caller’s identity.
Correct: B
Explanation: Amazon Verified Permissions is purpose-built for fine-grained application authorization using the Cedar policy language. It supports both RBAC (role-based: managers can access team documents) and ABAC (attribute-based: users can access their own documents) in a single policy store with low-latency evaluation. IAM policies (A) govern access to AWS resources, not application-level authorization. A custom Lambda (C) adds complexity and may not meet the 10ms latency target. API Gateway resource policies (D) are coarse-grained and don’t support per-document authorization.
Question 3 — Security Lake & OCSF (Domain 1)
A security operations team needs to centralize security findings from GuardDuty, Security Hub, CloudTrail, and VPC Flow Logs across 50 AWS accounts into a single queryable data store using a standardized schema. Third-party SIEM tools must be able to consume this data. Which approach meets these requirements with the LEAST operational overhead?
- A. Configure each account to send findings to a centralized S3 bucket using EventBridge rules, then use Athena for querying.
- B. From the Organizations management account, designate a delegated administrator for Amazon Security Lake and enable it for the organization; Security Lake collects and normalizes the data to OCSF and exposes it to third-party tools through subscribers.
- C. Deploy a Kinesis Data Firehose in each account to stream logs to a central OpenSearch cluster with custom parsing rules.
- D. Use CloudTrail Lake with organization-level event data stores for all accounts and grant third-party tools direct query access.
Correct: B
Explanation: Amazon Security Lake automatically collects security data from multiple sources (GuardDuty via Security Hub findings, CloudTrail, VPC Flow Logs, Route 53 resolver query logs, S3 and Lambda data events, EKS audit logs), normalizes it to the Open Cybersecurity Schema Framework (OCSF), and stores it in a purpose-built data lake. Subscribers give third-party SIEM tools access with minimal operational overhead. Option A requires custom schema normalization. Option C adds significant operational complexity. Option D (CloudTrail Lake) only covers CloudTrail and CloudTrail-ingested events, not all the required sources.
Question 4 — Inter-node Encryption (Domain 5)
A company runs distributed machine learning training jobs on Amazon SageMaker AI using multiple instances. The compliance team requires that all data transmitted between training instances during distributed training is encrypted in transit. How should the security engineer meet this requirement?
- A. Deploy the training instances in a private subnet with a security group that only allows HTTPS traffic between instances.
- B. Enable inter-container traffic encryption in the SageMaker training job configuration.
- C. Configure a VPN connection between each training instance using AWS Site-to-Site VPN.
- D. Use AWS PrivateLink endpoints for all communication between SageMaker training instances.
Correct: B
Explanation: SageMaker AI provides a native inter-container traffic encryption option that encrypts all data transmitted between training instances during distributed training. It is enabled via the EnableInterContainerTrafficEncryption parameter in the training job configuration. Security groups (A) control which traffic flows but don’t encrypt it. Site-to-Site VPN (C) is for on-premises to AWS connectivity. PrivateLink (D) is for reaching AWS services privately, not for inter-instance communication within a training job.
Question 5 — Verified Access & Zero Trust (Domain 3)
A company wants to provide remote employees access to internal web applications without requiring a VPN. Access must be granted based on the user’s identity (from the corporate IdP), device security posture, and the specific application being accessed. All access decisions must be logged. Which solution meets these requirements?
- A. Deploy an Application Load Balancer with OIDC authentication action rules that validate tokens from the corporate IdP.
- B. Configure AWS Client VPN with certificate-based mutual authentication and posture assessment.
- C. Set up AWS Verified Access with trust providers for the corporate IdP and a device management solution, create access policies per application, and enable access logs.
- D. Use Amazon CloudFront with Lambda@Edge functions that validate JWT tokens and check device certificates.
Correct: C
Explanation: AWS Verified Access provides zero-trust network access to corporate applications without a VPN. It evaluates each request against access policies using trust providers (identity providers for user identity and device management solutions for device posture). Access logs capture every authorization decision. ALB with OIDC (A) validates identity but doesn’t assess device posture or provide per-request zero-trust evaluation. Client VPN (B) contradicts the no-VPN requirement. CloudFront with Lambda@Edge (D) requires custom development and doesn’t natively integrate with device posture providers.
Exam Day Tips
- Time management: 170 minutes for 65 questions is about 2.6 minutes per question. Ordering and matching questions take longer; budget 3–4 minutes for those.
- Mark and move: Flag difficult questions and return after completing all others.
- Elimination strategy: On multiple-choice questions, eliminate the two obviously wrong answers first, then decide between the remaining two.
- Read carefully: Questions have significant prose. Identify the key requirement (cost, security, least operational overhead) before evaluating answers.
- Ordering questions: Think about logical dependencies — what must happen before what? E.g., you must isolate before you investigate.
- Online exam: Join 30 minutes early. Clear your desk. No external monitors, phones, or watches.
- ESL accommodation: If English is not your first language, request the 30-minute extension (ESL +30) in your certification account before you schedule the exam; it cannot be added afterwards.
All the best! 🎯
Frequently Asked Questions
What is the AWS SCS-C03 exam?
The AWS Certified Security – Specialty (SCS-C03) is an advanced certification for security professionals. It has 65 questions over 170 minutes, requires 750/1000 to pass, costs $300, and covers 6 domains: Detection, Incident Response, Infrastructure Security, IAM, Data Protection, and Security Foundations.
What changed from SCS-C02 to SCS-C03?
Key changes include: GenAI security topics (Bedrock Guardrails, OWASP LLM Top 10), OCSF/Security Lake integration, IAM weight increased from 16% to 20%, new services (Verified Access, Verified Permissions), inter-node encryption, SNS data protection, and domain restructuring (Detection + Incident Response split).
How long should I study for SCS-C03?
With 2+ years of AWS security experience, 8-10 weeks of dedicated study is recommended. Focus on hands-on labs with IAM policies, KMS, GuardDuty, Security Hub, and the new GenAI security features in Bedrock.