The definitive free course for the AWS Certified Security – Specialty exam. Master GuardDuty threat detection, CloudTrail Lake forensic queries, WAF and Shield Advanced DDoS defense, KMS envelope encryption, Secrets Manager rotation, IAM policy evaluation, SCPs, and incident response automation. Scenario-based approach — every module maps directly to exam question types.
| Exam fact | Details |
|---|---|
| Exam code | SCS-C02 |
| Full name | AWS Certified Security – Specialty |
| Questions | 65 (mix of single-answer MCQ and multiple-response) |
| Passing score | 750 / 1000 |
| Duration | 170 minutes |
| Price | $300 USD |
| Prerequisites | 5+ years IT security experience; AWS Associate-level certification recommended |
| Renewal | Free annual online assessment or recertify every 3 years |
Establish the mental model that underpins every SCS-C02 domain. Understand exactly what AWS manages (hardware, hypervisor, global infrastructure) versus what you own (IAM configuration, OS patching, network ACLs, data encryption). Learn the Well-Architected Security Pillar's seven design principles: strong identity foundation, enabling traceability, applying security at all layers, automating security best practices, protecting data in transit and at rest, keeping people away from data, and preparing for security events.
Build automated threat detection and response pipelines that cover the full PICERL lifecycle (Prepare, Identify, Contain, Eradicate, Recover, Learn). GuardDuty continuously analyzes VPC Flow Logs, DNS logs, CloudTrail, and S3 data events to detect threats across 300+ finding types. Amazon Detective automatically creates entity behavior graphs from GuardDuty, CloudTrail, and VPC Flow Logs to accelerate investigation. Learn the EventBridge→Lambda automation pattern for auto-isolation of compromised EC2 instances and RDS snapshots for forensics.
Build a tamper-resistant, centralized audit trail across all accounts. CloudTrail management events are free but data events (S3 object-level, Lambda invocations, DynamoDB operations) must be explicitly enabled. CloudTrail Lake is the SQL-based analytics service for long-term event retention (up to 7 years) with organization event data stores. Security Hub aggregates findings from 20+ AWS services, scoring your posture against FSBP, CIS, and PCI DSS. Audit Manager pre-built frameworks automatically collect evidence for HIPAA, SOC 2, and GDPR audits.
Defend AWS network perimeters at every layer. AWS WAF inspects HTTP/HTTPS traffic at layer 7 with managed rules (IP reputation, bot control, core rule set) and custom rules (rate-based, regex, geographic match). Rule evaluation order is critical: always place IP allow rules at higher priority (lower number) than block rules. Shield Advanced provides DDoS financial protection and 24/7 DRT access for volumetric, state exhaustion, and application-layer attacks. AWS Network Firewall adds stateful deep packet inspection with Suricata rule groups. Gateway Load Balancer enables transparent third-party IDS/IPS appliance insertion.
Move beyond basic IAM to the advanced patterns the SCS-C02 exam loves. Service Control Policies are evaluated BEFORE IAM policies — an explicit SCP Deny blocks even root users and AdministratorAccess roles. Permission boundaries define the MAXIMUM permissions an entity can have; effective permissions are the intersection of boundary + identity policy. Attribute-Based Access Control (ABAC) uses aws:PrincipalTag and resource tag condition keys to scale access control without maintaining endless ARN lists. IAM Identity Center with Active Directory eliminates long-term credentials for workforce access.
Protect data at rest and in transit using the full suite of AWS cryptographic services. AWS KMS uses envelope encryption: data is encrypted with a data key, the data key is encrypted with a CMK. KMS key policies are the primary access control — unlike S3, KMS does NOT fall back to IAM policies unless the root account ARN is explicitly in the key policy. CloudHSM provides FIPS 140-2 Level 3, single-tenant HSM hardware where AWS has zero access to your keys. Secrets Manager supports automatic rotation via Lambda for databases, API keys, and custom credentials. S3 Object Lock Compliance mode is the only protection that even the AWS root account cannot bypass.
Build preventive and detective governance at organization scale. AWS Control Tower sits on top of Organizations and Landing Zone to deploy a secure multi-account environment with guardrails. Preventive guardrails are SCPs — they block actions before they happen. Detective guardrails are Config rules — they detect non-compliance after the fact. Proactive guardrails use CloudFormation Hooks to validate IaC templates pre-deployment. AWS Config conformance packs bundle multiple rules into a deployable package that StackSets can push to all accounts automatically when new members join the organization.
KMS key policies do NOT fall back to IAM policies unless the key policy includes the account root ARN. A new Lambda role has no KMS access by default — even with an AdministratorAccess policy — until the key policy explicitly grants it. This trips up ~40% of SCS-C02 candidates.
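To make the key-policy rule above concrete, here is an added example (not from the course) that models, in a deliberately simplified way, how KMS combines a key policy with an IAM identity policy: the Lambda role with AdministratorAccess is refused until the key policy gains the root-delegation statement. The account id, role names and policies are constructed placeholders, and conditions, grants and cross-account access are ignored.

```python
"""Simplified model of KMS authorization: the key policy is authoritative, and IAM
identity policies count only when the key policy's "Enable IAM User Permissions"
statement grants the account root. Account id and role names are placeholders."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ForensicsLambdaRole"  # hypothetical role
ENABLE_IAM = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
              "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"}

# A key policy that names only a key administrator and never the account root.
KEY_POLICY_LOCKED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdminRole"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:ScheduleKeyDeletion"],
     "Resource": "*"}]}
# The managed AdministratorAccess policy, as attached to the Lambda role.
ADMIN_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value): return value if isinstance(value, list) else [value]

def _matches(stmt, principal, action):
    """True if the statement names this principal (resource policies only) and action."""
    if "Principal" in stmt:
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if principal not in principals and "*" not in principals:
            return False
    return any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))

def _effect(policy, principal, action):
    """'Deny' if any matching statement denies, 'Allow' if any allows, else None."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, principal, action)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)

def kms_allows(key_policy, identity_policy, principal, action):
    """Decide a same-account KMS request for `principal` under this simplified model."""
    key_effect = _effect(key_policy, principal, action)
    if key_effect == "Deny":
        return False
    if key_effect == "Allow":          # key policy grants the principal directly
        return True
    # No direct grant: IAM policies apply only if the key policy delegates to root.
    if _effect(key_policy, ROOT_ARN, action) != "Allow":
        return False
    return _effect(identity_policy, principal, action) == "Allow"

def with_iam_enabled(key_policy):
    """Return a copy of the key policy with the root-delegation statement appended."""
    return {"Version": "2012-10-17", "Statement": key_policy["Statement"] + [ENABLE_IAM]}
```

Calling `kms_allows(KEY_POLICY_LOCKED, ADMIN_ACCESS, LAMBDA_ROLE, "kms:Decrypt")` returns False, and the same call with `with_iam_enabled(KEY_POLICY_LOCKED)` returns True.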
SCPs are evaluated BEFORE IAM policies. An SCP Deny blocks the action regardless of what IAM policies allow — even for the account root user. The effective permission is always the most restrictive intersection of all policy types. Memorize the evaluation order: SCP → Permission Boundary → Identity Policy → Resource Policy.
The SCS-C02 almost always asks about the first step in incident response. The answer is always contain, never terminate immediately. Containment preserves forensic evidence (EBS snapshot + quarantine SG). Immediate termination destroys the evidence you need to understand the attack vector.
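The EventBridge-to-Lambda auto-isolation pattern from the incident response module and the contain-first rule above, as an added example that is not part of the course: the handler quarantines the instance named in a GuardDuty finding and snapshots its volumes, and never terminates it. It is constructed so that any object with the boto3 EC2 client methods used can be passed in; the FakeEC2 class stands in for boto3.client("ec2") so the block runs offline, and the finding id, instance, volume and security group ids are placeholders.

```python
"""Containment Lambda for the EventBridge -> Lambda pattern: on a high-severity
GuardDuty EC2 finding, isolate the instance with a quarantine security group and
snapshot its volumes for forensics. Constructed example; FakeEC2 replaces boto3."""
import os

QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0placeholder")  # SG with no rules
MIN_SEVERITY = 7.0  # GuardDuty "High" severity starts at 7.0

def contain_instance(ec2, finding):
    """Isolate, snapshot and tag the instance named in the finding; return what was done."""
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    # 1. Contain: replacing the SG list cuts all traffic without touching disk or memory state.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    # 2. Preserve evidence: one snapshot per attached EBS volume, tied to the finding id.
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(VolumeId=mapping["Ebs"]["VolumeId"],
                                   Description=f"forensics for GuardDuty finding {finding['id']}")
        snapshots.append(snap["SnapshotId"])
    # 3. Mark the host so responders (and deny-by-tag policies) can recognise it.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "Quarantined", "Value": finding["type"]}])
    return {"action": "contained", "instance": instance_id, "snapshots": snapshots}

def handler(event, context=None, ec2=None):
    # EventBridge entry point; the GuardDuty finding arrives under event["detail"].
    detail = event["detail"]
    if detail["resource"]["resourceType"] != "Instance" or detail["severity"] < MIN_SEVERITY:
        return {"action": "ignored", "reason": "not a high-severity EC2 finding"}
    return contain_instance(ec2 or FakeEC2(), detail)  # in Lambda: boto3.client("ec2")

class FakeEC2:
    """Constructed stand-in that records the calls a real boto3 EC2 client would get."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, InstanceIds):
        vols = [{"Ebs": {"VolumeId": v}} for v in ("vol-0aaa", "vol-0bbb")]
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "BlockDeviceMappings": vols}]}]}
    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId[4:]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, tuple(Groups)))
    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", Resources[0], Tags[0]["Value"]))

# Constructed GuardDuty finding as delivered by EventBridge (only the fields used here).
SAMPLE_EVENT = {"detail": {"id": "finding-placeholder", "severity": 8.0,
    "type": "UnauthorizedAccess:EC2/TorClient",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abc"}}}}
```

Running `handler(SAMPLE_EVENT)` isolates i-0abc and returns snapshot ids for both volumes; a finding below severity 7.0 or for a non-EC2 resource is ignored.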
Condition: Null: aws:ViaAWSService: false. Real exam scenarios specifically test this edge case.
The Solutions Architect Associate (SAA-C03) asks how to build resilient, scalable architectures with security as one of four domains. The Security Specialty (SCS-C02) assumes you can already architect on AWS — it goes deep on forensic investigation, key management subtleties, cross-account policy evaluation, and compliance evidence collection. If you passed SAA-C03, expect about 2–3 months of additional focused study on security-specific services (GuardDuty, Detective, Macie, Audit Manager, CloudHSM, ACM Private CA) before attempting SCS-C02.
60 advanced scenario-based questions across all 6 SCS-C02 domains — free, no signup, no time limit.