Why SCS-C02 is the cert most cloud engineers skip — and shouldn’t
The AWS Solutions Architect cert teaches you to build on AWS. The Security Specialty teaches you to harden what you’ve built. These are genuinely different disciplines, and the exam reflects that gap. SCS-C02, updated in July 2023, replaced SCS-C01 with broader coverage of incident response automation, data perimeter design, and the newer generation of AWS security services like Security Lake, GuardDuty Malware Protection, and IAM Access Analyzer. The exam costs $300 USD and AWS recommends at least two years of hands-on AWS security experience, though the prerequisite is not enforced.
The exam contains 65 questions — a mix of standard multiple choice and multiple select — and runs for 170 minutes. The scaled passing score is 750 out of 1000. Questions are scenario-heavy by design: you are placed in a realistic operational situation and asked to choose the right combination of AWS services to detect, investigate, or remediate a security event. Memorising service descriptions will not get you through; you need to know how the services interact with each other under pressure.
AWS security is layered: Preventive controls (IAM, SCPs, VPC security groups, KMS) stop threats before they happen. Detective controls (GuardDuty, CloudTrail, Config, Security Hub) surface threats that got through. Responsive controls (Lambda automations, Systems Manager, EventBridge rules) contain and remediate active incidents. Every exam scenario maps to one or more layers of this stack — identify which layer is being tested before reading the answer choices.
The six exam domains
AWS publishes the SCS-C02 exam guide at aws.amazon.com/certification. The six domains and their exam weights are:
Domain 1 — Threat Detection and Incident Response (14%)
This domain covers identifying active threats and responding to them systematically. The focus is on automating detection-to-response pipelines, not manual investigation.
- GuardDuty: AWS’s managed threat detection service. Uses ML and threat intelligence feeds to identify unusual API calls, cryptocurrency mining, data exfiltration patterns, and compromised EC2 instances. Enable it across all regions and link it to Security Hub for centralised finding management. GuardDuty does not block — it only alerts.
- Incident response automation: The exam’s preferred pattern is GuardDuty finding → EventBridge rule → Lambda function → remediation action (e.g., isolate the EC2 instance, revoke the IAM key, snapshot the disk for forensics). Know this chain well.
- Forensic preservation: Before remediating a compromised instance, capture evidence — memory via SSM Session Manager, disk via EBS snapshot, network traffic via VPC Flow Logs. Terminate only after evidence is secured and isolated.
- Amazon Detective: AWS’s graph-based investigation service. Ingests GuardDuty findings, CloudTrail logs, and VPC Flow Logs to build behaviour graphs. Use it for post-incident root cause analysis, not real-time alerting — that distinction appears in exam distractors.
Domain 2 — Security Logging and Monitoring (18%)
Tied with Data Protection as the second-highest-weighted domain. Logging is the foundation of every other security domain — you can’t investigate what you didn’t record.
- CloudTrail: Records every AWS API call (who did what, when, from where). Enable multi-region trails with log file validation and S3 Object Lock to prevent log tampering. CloudTrail Insights detects unusual write API activity patterns automatically. Management events are logged by default; data events (S3 object reads, Lambda invocations) must be enabled explicitly and cost extra.
- VPC Flow Logs: Network-level telemetry for accepted and rejected traffic. Published to CloudWatch Logs or S3. Essential for detecting lateral movement, port scanning, and exfiltration. Flow logs do not capture payload content — only the five-tuple (source IP, destination IP, source port, destination port, protocol) plus accept/reject.
- Security Hub: Aggregates findings from GuardDuty, Macie, Inspector, IAM Access Analyzer, Firewall Manager, and third-party tools into a single view. Runs automated compliance checks against CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices. This is the single pane of glass for multi-account security posture.
- Amazon Security Lake: Centralises security data from AWS services, third-party tools, and custom sources into a single S3-based data lake using the Open Cybersecurity Schema Framework (OCSF). Enables long-term retention and querying via Athena or third-party SIEM tools. Newer service that appeared on SCS-C02 after the July 2023 update.
- CloudWatch alarms and metric filters: Create metric filters from CloudTrail logs to count specific API calls (e.g., DeleteBucket, AuthorizeSecurityGroupIngress) and trigger alarms when thresholds are crossed. This is the lightweight alerting path when Security Hub is overkill.
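The metric-filter-to-alarm path above, replayed offline as an added example (not from the original article): the real CloudWatch Logs filter pattern is quoted in the comment, and the same predicate plus the per-period alarm evaluation is applied to constructed CloudTrail records. The account ID, ARNs, IPs and timestamps are made up; the 300-second period and threshold of 1 are assumed alarm settings.

```python
from collections import Counter
from datetime import datetime

# Offline replay of the metric-filter + alarm path. The equivalent CloudWatch Logs
# filter pattern on the CloudTrail log group would be (real pattern syntax):
#   { ($.eventName = "DeleteBucket") || ($.eventName = "AuthorizeSecurityGroupIngress") }
# The filter emits a metric datapoint per matching record; the alarm evaluates the sum
# per period against a threshold. Both steps are reproduced here over constructed records.
WATCHED = {"DeleteBucket", "AuthorizeSecurityGroupIngress"}
PERIOD_SECONDS = 300   # assumed alarm period
THRESHOLD = 1          # ALARM when the per-period sum is >= 1

def matches_filter(record):
    """Same predicate as the metric filter. It matches on eventName only, so a call that
    CloudTrail recorded with an errorCode (e.g. AccessDenied) still counts: an attempted
    DeleteBucket is as alarm-worthy as a successful one."""
    return record.get("eventName") in WATCHED

def period_start(record):
    """Align the record's eventTime (ISO 8601, UTC 'Z') to the alarm period, in epoch seconds."""
    ts = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
    epoch = int(ts.timestamp())
    return epoch - epoch % PERIOD_SECONDS

def evaluate_alarm(records):
    """Return (periods in ALARM, matching records as responder-friendly tuples)."""
    hits = [r for r in records if matches_filter(r)]
    per_period = Counter(period_start(r) for r in hits)
    in_alarm = sorted(p for p, n in per_period.items() if n >= THRESHOLD)
    detail = [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"],
               r["sourceIPAddress"], r.get("errorCode", "Success")) for r in hits]
    return in_alarm, detail

SAMPLE_TRAIL = [  # constructed CloudTrail records, trimmed to the fields used here
    {"eventTime": "2024-03-01T10:00:12Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-01T10:01:45Z", "eventName": "DeleteBucket", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-01T10:12:03Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci-session"},
     "sourceIPAddress": "198.51.100.7"},
]
```

Running `evaluate_alarm(SAMPLE_TRAIL)` reports two alarm periods, one of them triggered by a denied attempt, which is the behaviour to expect from the real filter as well.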
Domain 3 — Infrastructure Security (20%)
The largest domain by weight. It covers network perimeter controls, compute hardening, and supply chain security at the infrastructure level.
- VPC security model: Security groups (stateful, instance-level, allow-only rules) vs NACLs (stateless, subnet-level, allow and deny). Know that NACL deny rules are evaluated before allow rules, and that ephemeral ports (1024–65535) must be explicitly allowed for return traffic in NACLs.
- AWS Network Firewall: Stateful, managed VPC firewall supporting Suricata rule syntax. Positioned in a dedicated inspection VPC in hub-and-spoke architectures using Transit Gateway. Use it for deep packet inspection, domain-based filtering, and centralised egress control.
- AWS WAF and Shield: WAF operates at Layer 7, protecting ALBs, CloudFront, API Gateway, and AppSync. Shield Standard is automatic and free; Shield Advanced adds DDoS cost protection, Response Team (DRT) access, and near-real-time attack visibility. WAF Managed Rules provide pre-built protections for common threats (OWASP Top 10, bot control, known malicious IPs).
- EC2 hardening: Use IMDSv2 (hop limit 1, require tokens) to prevent SSRF-based metadata service abuse. Remove unnecessary IAM role permissions from instance profiles. Use Systems Manager Session Manager for shell access instead of SSH (no open port 22 required). Enable Inspector for continuous vulnerability scanning of EC2 instances and ECR container images.
- Supply chain security: Amazon Inspector scans ECR images for known CVEs before deployment. AWS Signer signs Lambda functions and container images. CodeArtifact caches approved packages internally, reducing dependency on external registries. Binary Authorization (in GKE parlance) maps to these AWS controls on the exam.
Domain 4 — Identity and Access Management (16%)
IAM is the most nuanced domain on the exam. Getting the right access to the right principal at the right scope is the difference between a least-privilege architecture and a breach waiting to happen.
- Permissions boundaries: An IAM feature that sets the maximum permissions a principal can have, independent of what policies grant. Used by central platform teams to delegate IAM permission creation to application teams without allowing privilege escalation. The exam will test whether you understand that a permissions boundary limits the ceiling but does not grant access by itself — both the identity policy and the boundary must allow an action.
- Service Control Policies (SCPs): AWS Organizations feature that restricts what actions member accounts can take, even for the root user. SCPs do not grant permissions — they define the maximum permission envelope for an account. Know the difference between preventive guardrails (SCPs) and detective guardrails (Config rules, Security Hub controls).
- IAM Access Analyzer: Identifies resources that are shared outside your AWS account or organization — S3 buckets, KMS keys, SQS queues, Lambda functions. Also runs policy validation to flag overly permissive statements before deployment. The “finding” means external access exists; it does not mean it is unintended.
- Cross-account access patterns: Resource-based policies (S3 bucket policies, KMS key policies, SQS policies) + identity-based policies + role assumption. The exam tests multi-step access chains: Account A assumes a role in Account B, which has permission to read a KMS key in Account C. Know the evaluation logic for each hop.
- Attribute-based access control (ABAC): Policies that use IAM condition keys (aws:PrincipalTag, aws:ResourceTag) to scale permissions without creating per-resource policies. Reduces the total number of policies needed in large, multi-team environments.
Domain 5 — Data Protection (18%)
Tied with logging as the second-highest weighted domain. Data protection covers encryption at rest, encryption in transit, secrets management, and sensitive data discovery.
- AWS KMS: The central encryption service. Symmetric CMKs for most workloads; asymmetric CMKs for digital signing and public-key operations. Key policies are resource-based policies — they must explicitly grant the root account access, or even the account admin cannot use the key. Automatic key rotation is available for customer-managed symmetric keys (annual, opt-in). KMS key grants allow temporary access delegation without policy changes.
- AWS Secrets Manager vs SSM Parameter Store: Secrets Manager provides automatic credential rotation (natively for RDS, Redshift, DocumentDB), cross-account access, and full audit trail via CloudTrail. Parameter Store is cheaper and suitable for non-secret configuration values. Use Secrets Manager for database credentials and API keys; Parameter Store for application configuration that isn’t sensitive.
- Amazon Macie: Uses ML to discover and classify sensitive data (PII, financial records, credentials) stored in S3 buckets. Generates findings for unencrypted buckets, publicly accessible buckets, and high-severity sensitive data exposures. Triggered automatically by bucket inventory scanning or on-demand jobs.
- S3 data protection: Server-Side Encryption (SSE-S3, SSE-KMS, SSE-C), client-side encryption, S3 Block Public Access (account-level override), bucket policies with an aws:SecureTransport condition to enforce HTTPS, and S3 Object Lock for WORM (Write Once Read Many) compliance retention. Know the difference between governance mode (override possible with specific permission) and compliance mode (no override, even by root) in Object Lock.
- TLS in transit: ACM (AWS Certificate Manager) provides free public TLS certificates for use with CloudFront, ALBs, and API Gateway. ACM Private CA issues private certificates for internal services. Know that ACM certificates cannot be exported — use the IAM certificate store for export-required workloads.
Domain 6 — Management and Security Governance (14%)
Governance is about operating security at scale across multi-account AWS Organizations environments. It covers compliance automation, policy enforcement, and audit readiness.
- AWS Config: Tracks the configuration history of AWS resources and evaluates them against managed or custom rules. Config rules fire on configuration changes or periodically. Non-compliant findings integrate with Security Hub. Config is stateful — it records what resources looked like at every point in time, enabling drift detection and compliance audits.
- AWS Organizations and Control Tower: Control Tower sets up a multi-account landing zone with pre-configured guardrails (preventive SCPs + detective Config rules), centralised logging to a log archive account, and audit account separation. It is the exam’s recommended answer for “set up a secure multi-account AWS environment from scratch.”
- AWS Firewall Manager: Centrally manages WAF rules, Shield Advanced protections, Security Group policies, and Network Firewall policies across all accounts in an Organization. The exam answer for “enforce a WAF rule consistently across 50 AWS accounts” is always Firewall Manager.
- Compliance frameworks: AWS Artifact provides on-demand access to AWS compliance reports (SOC 2, PCI DSS, ISO 27001). Security Hub’s compliance standards automate checks against CIS Benchmarks and PCI DSS controls. Know that AWS’s compliance does not automatically make your workload compliant — the shared responsibility model divides accountability between AWS and the customer.
The single most common SCS-C02 trap: confusing detection with prevention. GuardDuty detects — it does not block. Security Groups prevent — they do not log. The exam will present scenarios where choosing the wrong layer causes a missed threat or an undetected breach. Map each service to its layer before picking an answer.
Service pairings you must know before exam day
If you can reason through these scenarios without hesitation, you are exam-ready:
- GuardDuty + EventBridge + Lambda: The automated incident response pipeline. GuardDuty detects, EventBridge routes the finding, Lambda executes the remediation. Know how to write the EventBridge rule pattern to match a specific GuardDuty finding type.
- Security Hub + Config + Macie: Security posture management. Security Hub aggregates findings; Config tracks resource drift against compliance rules; Macie surfaces sensitive data exposure in S3. Together they cover the compliance reporting workflow.
- KMS + Secrets Manager + IAM: Secrets Manager encrypts secrets with a KMS key; IAM controls who can call GetSecretValue; the KMS key policy controls which principals can use the key for decryption. All three must allow the action for access to succeed.
- Network Firewall + Transit Gateway + VPC: Centralised inspection architecture. All spoke VPC traffic routes through a Transit Gateway to an inspection VPC running Network Firewall before reaching the internet or other VPCs. The exam tests the routing table configuration that forces this traffic path.
- SCPs + Permissions Boundaries + IAM Policies: The three-layer access control model. SCPs cap what an account can do; permissions boundaries cap what a specific principal within the account can do; identity policies grant the actual permissions. A permission requires all three layers to allow it.
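The GuardDuty → EventBridge → Lambda chain from Domain 1 and the "GuardDuty + EventBridge + Lambda" pairing above, as an added example that is not part of the original article: a rule pattern of the kind the exam asks you to write, a small matcher that mirrors the subset of EventBridge pattern semantics it uses (exact values, `prefix`, two-element `numeric`), and a planner that returns the remediation steps the Lambda would take. The finding ID, instance ID and the quarantine steps are constructed; the matcher covers only that subset, not full EventBridge filtering.

```python
# EventBridge rule pattern (constructed): only high-severity EC2 findings reach the Lambda.
# Mirrored semantics: every pattern key must exist in the event; a list is OR over its
# entries; {"prefix": ...} and two-element {"numeric": [op, n]} filters are supported.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "UnauthorizedAccess:EC2/"}, {"prefix": "CryptoCurrency:EC2/"}],
               "severity": [{"numeric": [">=", 7]}]},
}

def _leaf_matches(rule, value):
    """One entry of a pattern list against one event value."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "numeric" in rule and isinstance(value, (int, float)):
            op, bound = rule["numeric"]
            return {">": value > bound, ">=": value >= bound, "<": value < bound,
                    "<=": value <= bound, "=": value == bound}[op]
        return False
    return rule == value

def matches(pattern, event):
    """True when the event satisfies every key of the (possibly nested) pattern."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):  # nested object such as "detail"
            if not (isinstance(event[key], dict) and matches(rule, event[key])):
                return False
        elif not any(_leaf_matches(r, event[key]) for r in rule):
            return False
    return True

def plan_remediation(event):
    """Steps the Lambda would take (returned, not executed): isolate and preserve
    evidence first; the automation never terminates the instance."""
    if not matches(RULE_PATTERN, event):
        return []
    d = event["detail"]
    iid = d["resource"]["instanceDetails"]["instanceId"]
    return [f"ec2:ModifyInstanceAttribute {iid}: move to quarantine security group",
            f"ec2:CreateSnapshot every volume of {iid} (forensic copy)",
            f"iam: revoke active sessions of the instance profile role on {iid}",
            f"sns:Publish finding {d['id']} ({d['type']}, severity {d['severity']})"]

SAMPLE_EVENT = {  # constructed event, in the shape EventBridge delivers GuardDuty findings
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-example-0001", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8.0,
               "resource": {"instanceDetails": {"instanceId": "i-0example1234567890"}}}}
```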
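The three-layer access model described in the permissions-boundary and SCP bullets of Domain 4 and in the "SCPs + Permissions Boundaries + IAM Policies" pairing above, worked through as an added example (not the article's own code): a simplified evaluator in which any explicit Deny is final and otherwise every layer must carry an Allow. It handles Effect/Action/Resource with wildcards only (no Condition, resource-based or session policies); the account ID, bucket name and policies are constructed.

```python
from fnmatch import fnmatchcase

# Simplified IAM evaluation over three layers: SCP (account ceiling), permissions
# boundary (principal ceiling) and identity policy (the grant). Supported subset:
# Effect, Action and Resource with IAM-style wildcards; no Condition, no resource-based
# or session policies, so this models the three-layer rule only.
LAYERS = ("scp", "boundary", "identity")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, action, resource):
    """Statement covers the request; action names compare case-insensitively."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def evaluate_policy(policy, action, resource):
    """'Deny' if any matching statement denies, else 'Allow' if one allows, else 'Implicit'."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def evaluate_request(action, resource, scp, boundary, identity):
    """Return (allowed, per-layer verdicts). An explicit Deny in any layer is final;
    otherwise every layer must contain an Allow, since a boundary or SCP never grants."""
    verdicts = dict(zip(LAYERS, (evaluate_policy(p, action, resource)
                                 for p in (scp, boundary, identity))))
    allowed = "Deny" not in verdicts.values() and all(v == "Allow" for v in verdicts.values())
    return allowed, verdicts

# Constructed policies. The SCP allows everything except disabling the audit trail;
# the boundary caps a developer at S3 and DynamoDB; the identity policy grants S3
# reads on one bucket and, by mistake, full IAM (which the boundary neutralises).
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}
DEV_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}
DEV_IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::app-data-example/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

With these policies `iam:CreateUser` is refused even though the identity policy grants it, because the boundary is silent; `cloudtrail:StopLogging` is refused even for an administrator, because the SCP denies it.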
SCS-C02 is DoD 8570/8140 compliant at IAL Level 3, making it a formal requirement for many government and defense contractor cloud security roles. Outside government, it signals to employers that you can operate a production AWS environment with audit-grade security — not just deploy workloads and hope nothing breaks. For anyone on a path toward Cloud Security Engineer, DevSecOps, or Cloud Architect roles, this is the cert that makes the difference between a candidate who understands AWS and one who can be trusted to run it. Study time for engineers with AWS Solutions Architect experience is typically 4–8 weeks at 1–2 hours per day. Use a dedicated sandbox account, enable GuardDuty and Security Hub, and work through simulated incident scenarios — the scenario questions are far easier when you’ve actually triggered and investigated a GuardDuty finding yourself.
What comes after SCS-C02
The Security Specialty pairs naturally with several other advanced certifications depending on your career trajectory:
- AWS Certified DevOps Engineer – Professional (DOP-C02): Covers CI/CD, infrastructure as code, and operational monitoring at the Professional tier. Complements SCS-C02 by adding the DevSecOps pipeline perspective — shifting security checks left into the build process rather than only enforcing at runtime.
- ISC2 CCSP (Certified Cloud Security Professional): Vendor-neutral cloud security certification from (ISC)². Covers governance, risk, compliance, and cloud architecture security across all providers. The SCS-C02 and CCSP cover complementary territory — SCS-C02 is deep on AWS-specific controls; CCSP is broad on cloud-agnostic frameworks.
- CompTIA CASP+ (CAS-004): Advanced practitioner-level security cert from CompTIA, DoD 8570 IAT Level III approved. Focuses on risk management, enterprise security architecture, and integrating security across complex hybrid environments. A strong complement for candidates targeting senior security architect roles.
- AWS Certified Solutions Architect – Professional (SAP-C02): If you hold SCS-C02 and want the architecture breadth to match, SAP-C02 is the natural next step. It tests cost optimisation, migration strategies, and multi-region design patterns at a depth the Associate tier does not reach.