AWS Specialty Certifications Ranked: Which Ones Are Worth Pursuing

An honest ranking of AWS's six specialty certifications by career impact, market demand, and who should actually pursue each one based on their role and goals.

AWS offers six specialty certifications, and they are not equal. The gap between the Security Specialty and the SAP on AWS Specialty in terms of career impact is roughly the same as the gap between a CISSP and a vendor-specific appliance certification — both exist, both certify real knowledge, but one opens substantially more doors for substantially more candidates.

Most discussions of AWS specialty certifications treat them as a collection to evaluate abstractly. The correct frame is different: which specialty certification aligns with where you're already working, and which opens doors to roles you're actively targeting? Answered that way, most candidates have an obvious answer within five minutes.


The Six AWS Specialty Certifications

AWS specialty certifications sit above the associate and professional tiers. They're not prerequisites to other certifications, and AWS doesn't require holding any lower-tier certification before attempting a specialty. In practice, specialty exams assume associate-level cloud knowledge, and most failing candidates lack it.

Certification | Exam Code | Primary Focus | Difficulty
Security | SCS-C02 | Cloud security, compliance, threat detection | High
Advanced Networking | ANS-C01 | Network architecture, hybrid connectivity | Very High
Machine Learning | MLS-C01 | ML on AWS, SageMaker, data engineering | High
Data Analytics | DAS-C01 | Kinesis, Redshift, Glue, Athena | High
Database | DBS-C01 | RDS, Aurora, DynamoDB, migration | Moderate-High
SAP on AWS | PAS-C01 | SAP workloads on AWS infrastructure | Narrow

Every specialty exam: 65 questions, 170 minutes, ~750/1000 passing score, $300.


Tier 1 — Highest Career Impact

AWS Security Specialty (SCS-C02)

AWS Certified Security – Specialty (SCS-C02) is the most broadly valuable AWS specialty certification. Security roles exist at virtually every organization running cloud workloads, which means the market depth for security-credentialed engineers is far larger than the market for, say, SAP architects.

What SCS-C02 actually tests in depth:

The exam has six domains:

Domain | Weight | Key Services
Threat Detection and Incident Response | 14% | GuardDuty, Security Hub, CloudTrail, Detective
Security Logging and Monitoring | 18% | CloudWatch, CloudTrail, Athena for log analysis
Infrastructure Security | 20% | Security Groups, NACLs, WAF, Shield, Network Firewall
Identity and Access Management | 16% | IAM advanced, SCPs, permission boundaries, Cognito
Data Protection | 18% | KMS, CloudHSM, Macie, S3 encryption, Secrets Manager
Management and Security Governance | 14% | AWS Config, Security Hub, AWS Organizations policy

The hardest domain is Infrastructure Security (20%) — specifically, questions about Network Firewall rule groups, WAF rule conditions, and VPC architecture for security. Candidates who haven't used these services operationally consistently underperform here.

KMS depth required: the exam goes deep on AWS KMS. You need to understand the difference between AWS-managed keys, customer-managed keys, and customer-provided keys (SSE-C). You need to know when to use KMS key policies vs IAM policies vs VPC endpoint policies to control access. You need to understand cross-account KMS key sharing. This is more than "encryption exists" — it's operational knowledge.

Study resources: Adrian Cantrill's Security Specialty course (learn.cantrill.io) is the deepest technical option. Stephane Maarek's Udemy course is more accessible. Tutorials Dojo practice exams from Jon Bonso are widely considered the best exam-simulation resource.

Who should pursue SCS-C02: cloud security engineers, DevSecOps engineers, cloud architects moving into security specialization, anyone whose job involves configuring AWS security controls. It's also the first specialty most generalist cloud architects should pursue — every organization needs cloud security, and no role is too far removed from security concerns.

Salary context: cloud security engineers with SCS-C02 in major US markets earn $140,000-$200,000+. The credential signals genuine operational depth that generic security certifications don't provide for cloud environments.

AWS Advanced Networking Specialty (ANS-C01)

AWS Certified Advanced Networking – Specialty (ANS-C01) is widely considered the hardest AWS certification, harder than either Professional exam for candidates with networking backgrounds. The exam assumes deep understanding of both traditional enterprise networking (BGP, OSPF, DNS, multicast) and how AWS implements network services.

What ANS-C01 actually tests:

Domain | Weight | Key Topics
Network Design | 30% | VPC design at scale, multi-account networking, Transit Gateway
Network Implementation | 26% | Direct Connect, Site-to-Site VPN, VPC peering
Network Management and Operations | 20% | Route 53, CloudFront, network monitoring
Network Security and Compliance | 24% | WAF, Network Firewall, security group design

The Direct Connect depth: Direct Connect — AWS's dedicated network connection service — is tested at a level that requires having worked with it or studied it extensively. Candidates must understand:

  • Hosted connections vs dedicated connections vs hosted VIFs
  • Public, private, and transit virtual interfaces
  • BGP over Direct Connect: route filtering, AS-PATH manipulation, community tagging
  • Failover: Direct Connect + VPN backup, multiple Direct Connect locations
  • Direct Connect Gateway for multi-region connectivity

This is genuine networking engineering knowledge, not AWS-specific trivia.

The Route 53 depth: Route 53 is tested beyond basic record types. The exam covers Resolver inbound and outbound endpoints for hybrid DNS, Route 53 Resolver DNS Firewall, health checks with failover routing policies, and the behavior of alias records vs CNAME records in specific edge cases.

"The ANS-C01 is the certification that separates candidates who've read about AWS networking from those who've designed it. The Transit Gateway scenarios specifically require understanding how route tables propagate across attachment types — something you only internalize by actually configuring it." — A Cloud Guru, ANS-C01 course instructor notes

Who should pursue ANS-C01: network engineers transitioning to cloud, cloud architects specializing in network design, candidates targeting principal network architect roles. Do not pursue this certification without either traditional networking experience (BGP, enterprise routing) or 2+ years of hands-on AWS VPC and connectivity work.


Tier 2 — Strong Value in Aligned Roles

AWS Machine Learning Specialty (MLS-C01)

AWS Certified Machine Learning – Specialty (MLS-C01) requires both ML knowledge and AWS knowledge. The exam will not teach you machine learning — it assumes you already understand supervised vs unsupervised learning, can evaluate models using precision, recall, and AUC, and know when to apply different algorithm families.

Domain breakdown:

  • Data Engineering (20%): S3, Kinesis, Glue, feature engineering
  • Exploratory Data Analysis (24%): statistical analysis, data preprocessing
  • Modeling (36%): SageMaker training jobs, hyperparameter tuning, algorithm selection
  • ML Implementation and Operations (20%): SageMaker deployment, monitoring, A/B testing

SageMaker is the core: approximately 60-70% of the exam relates to SageMaker — the end-to-end ML platform. SageMaker Studio, SageMaker Pipelines, SageMaker Feature Store, SageMaker Model Monitor, and SageMaker Ground Truth all appear. Candidates who haven't used SageMaker hands-on consistently fail the operational questions.

Frank Kane, author of the most popular MLS-C01 Udemy course and co-author of multiple O'Reilly ML books, specifically warns: "If you don't already have a machine learning background, don't start with this certification. Study ML fundamentals first, then the AWS implementation layer."

Who should pursue MLS-C01: ML engineers and data scientists who run models on AWS. The certification validates that you can use SageMaker effectively — it doesn't make you an ML engineer.

AWS Data Analytics Specialty (DAS-C01)

AWS Certified Data Analytics – Specialty (DAS-C01) covers the end-to-end data engineering pipeline on AWS: ingestion, storage, processing, analysis, and visualization.

Domain breakdown:

  • Collection (18%): Kinesis Data Streams, Kinesis Firehose, Database Migration Service
  • Storage (22%): S3 data lakes, RDS, DynamoDB, Redshift
  • Processing (24%): EMR (Spark/Hadoop), Glue, Lambda
  • Analysis and Visualization (18%): Athena, Redshift ML, QuickSight
  • Security (18%): encryption, access control, compliance

The Redshift depth problem: Redshift is tested at a depth that catches unprepared candidates. Distribution styles (KEY, EVEN, ALL), sort keys (compound vs interleaved), workload management (WLM) queues, AQUA (Advanced Query Accelerator), and Redshift Spectrum for querying S3 data all appear. Candidates who've configured Redshift in production handle these confidently. Candidates who've only read about it fail the scenario questions.

Who should pursue DAS-C01: data engineers, analytics engineers, and BI developers who build data pipelines and warehouses on AWS. Growing demand as organizations invest in data infrastructure makes this a strong specialty to hold in 2024-2025.


Tier 3 — Narrow Value

AWS Database Specialty (DBS-C01)

AWS Certified Database – Specialty (DBS-C01) has the narrowest applicability of the non-SAP specialties. It goes deep on every AWS database service — RDS, Aurora, DynamoDB, ElastiCache, Neptune, DocumentDB — but the depth is only useful if database work is your primary job function.

Where DBS-C01 fails to differentiate: most cloud engineers who need database knowledge get sufficient coverage from SAA-C03. DBS-C01 adds depth on RDS parameter groups, Aurora zero-downtime patching, DynamoDB adaptive capacity, and Neptune SPARQL — knowledge that dedicated DBAs need but general cloud architects rarely use.

Who should pursue DBS-C01: database administrators transitioning to AWS, platform engineers whose primary responsibility is database infrastructure, migration specialists who move database workloads to AWS.

AWS SAP on AWS Specialty (PAS-C01)

AWS Certified SAP on AWS – Specialty (PAS-C01) is meaningful exclusively to practitioners who work with SAP systems on AWS. SAP is an enterprise software platform (ERP, CRM, supply chain) that runs at thousands of large enterprises globally. Running SAP on AWS requires specific expertise around instance sizing for HANA databases, storage configuration for SAP ASCS/ERS clustering, and migration using SAP-specific tooling (RISE with SAP, SAP LaMa).

For anyone not in the SAP ecosystem, this certification is irrelevant. For SAP Basis administrators and consultants, it's increasingly relevant as SAP workloads migrate from on-premises to AWS.


How to Choose Your Specialty

The decision framework that produces the right answer:

  1. What services do you configure daily? The specialty that covers your daily tools is the one you'll pass most efficiently and benefit from most immediately.

  2. Which job postings list which specialties? Search LinkedIn for your target role title + "AWS." The specialties appearing in requirements reveal employer priorities.

  3. Do you have the prerequisite depth? Specialty certifications are not beginner exams. ANS-C01 without networking experience produces consistent failures. MLS-C01 without ML background is nearly impossible. Be honest about your starting point.

  4. Is this a direction you're moving professionally? A specialty certificate should represent a career direction, not a collection point. SCS-C02 as your second AWS cert makes sense if you're moving toward cloud security. DBS-C01 as your second AWS cert makes sense if you're a DBA. Getting DBS-C01 just to have it when you're a network engineer is a poor use of time.


Preparation Strategy by Specialty

Each specialty follows a different preparation model based on how much hands-on lab time is necessary versus conceptual study.

Security Specialty (SCS-C02) Preparation

The most effective SCS-C02 preparation combines structured video courses with hands-on lab work in three specific service areas:

GuardDuty and Security Hub: enable GuardDuty on a personal AWS account, generate sample findings, and practice investigating them in Security Hub. Understand how findings flow from GuardDuty through Security Hub into event-driven response via EventBridge and Lambda. This workflow appears in exam scenarios repeatedly.

IAM Conditions and Permission Boundaries: the exam tests IAM at a depth that many architects haven't encountered operationally. Specifically: permission boundaries (used to limit what permissions a role can grant to other roles), resource-based policy evaluation, and Service Control Policies in AWS Organizations. Adrian Cantrill's course specifically covers permission evaluation logic in detail — this is where most study guides fall short.

KMS Cross-Account Sharing: set up a scenario where an S3 bucket in Account A is encrypted with a KMS key, and Account B needs to decrypt it. Walk through both the key policy and the IAM policy changes required. This exact scenario appears as an exam question.
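The two policy documents for that lab, with a small checker showing why both are required, as an added example that is not from the original article or from AWS. The account IDs, key ID and role name are constructed placeholders, and the evaluator is a simplified model of cross-account evaluation, not AWS's policy engine. S3 permissions (bucket policy and s3:GetObject) are a separate grant and are not modelled here.

```python
import fnmatch
import json

# Constructed placeholders, not real accounts, keys or roles.
ACCOUNT_A = "111111111111"   # owns the S3 bucket and the KMS key
ACCOUNT_B = "222222222222"   # needs to decrypt objects
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/EXAMPLE-KEY-ID"
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/ExampleReaderRole"  # hypothetical role

# Statement added to the key policy in Account A (resource-based side).
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAccountBDecrypt",
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": "*",   # in a key policy, "*" refers to the key itself
}]}

# Identity policy attached to the role in Account B (identity side).
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": KEY_ARN,
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, principal=None):
    # Action names are case-insensitive; wildcards are matched glob-style.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    if principal is None:        # identity policies carry no Principal element
        return True
    account_root = f"arn:aws:iam::{principal.split(':')[4]}:root"
    # Simplification: only {"AWS": ...} principals are handled. Naming the
    # account root delegates the decision to that account's IAM policies.
    return any(p in (principal, account_root)
               for p in _as_list(stmt["Principal"].get("AWS", [])))

def _decision(policy, action, resource, principal=None):
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, resource, principal)}
    if "Deny" in effects:        # an explicit Deny always wins
        return "Deny"
    return "Allow" if "Allow" in effects else "NoMatch"

def cross_account_allowed(key_policy, iam_policy, principal, action, key_arn):
    """Cross-account KMS use needs an Allow in BOTH the key policy and IAM."""
    key_side = _decision(key_policy, action, key_arn, principal)
    iam_side = _decision(iam_policy, action, key_arn)
    return key_side == "Allow" and iam_side == "Allow"

if __name__ == "__main__":
    print(json.dumps(KEY_POLICY, indent=2))
    print(json.dumps(IAM_POLICY, indent=2))
    print(cross_account_allowed(KEY_POLICY, IAM_POLICY, ROLE_B, "kms:Decrypt", KEY_ARN))
```

Removing either policy in the call makes the check fail, which is the behaviour to reproduce in the lab by detaching one side at a time.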

Practice exam threshold: score 80%+ on Tutorials Dojo practice exams consistently before scheduling. The real exam is slightly easier than Tutorials Dojo according to community consensus.

Advanced Networking Specialty (ANS-C01) Preparation

ANS-C01 has a longer preparation timeline than any other AWS certification. The community average is 16-24 weeks for candidates with strong networking backgrounds; longer for those who need to fill networking knowledge gaps alongside AWS-specific content.

The BGP requirement: Direct Connect uses BGP. The exam tests BGP behavior in specific scenarios — what happens to routes when a Direct Connect connection fails, how AS-PATH prepending redirects traffic, how communities can be used to set local preference at the AWS side. Candidates without BGP experience need to build it before studying Direct Connect exam content.

Recommended study path:

  1. Complete SAA-C03 and SysOps/DevOps Associate or equivalent hands-on experience
  2. Work through Cantrill's ANS-C01 course (longest and most technical AWS course available)
  3. Build a lab environment with VPC peering, Transit Gateway, and Site-to-Site VPN
  4. Study Direct Connect documentation including the Direct Connect FAQs and whitepapers
  5. Complete Tutorials Dojo practice exams targeting 78%+ before scheduling

Machine Learning Specialty (MLS-C01) Preparation

The MLS-C01 preparation problem is unique: two knowledge gaps must be filled simultaneously for most candidates.

Gap 1 — ML foundations: if you don't already have ML knowledge, start here before touching AWS-specific content. The A Cloud Guru "Machine Learning Specialty" course includes an ML foundations section. Fast.ai's "Practical Deep Learning for Coders" (free) provides the algorithm intuition the exam tests. Andrew Ng's Machine Learning Specialization on Coursera provides the theoretical foundation.

Gap 2 — SageMaker operations: SageMaker's architecture is unique enough that AWS documentation is essential. Specifically: the SageMaker Developer Guide sections on training jobs, hyperparameter optimization, endpoint deployment, and Model Monitor. The exam tests SageMaker at a depth that only the official documentation fully covers.


The Preparation Timeline Reality

Specialty certifications require substantially more preparation time than associate-level certifications. Candidates who treat specialty exams as "just another AWS cert" consistently underestimate the required depth.

Specialty | Minimum Realistic Timeline | With Prior Domain Experience
Security (SCS-C02) | 12-14 weeks | 8-10 weeks
Networking (ANS-C01) | 20-24 weeks | 14-18 weeks
Machine Learning (MLS-C01) | 14-18 weeks | 10-12 weeks (with ML background)
Data Analytics (DAS-C01) | 12-16 weeks | 8-10 weeks
Database (DBS-C01) | 10-14 weeks | 8-10 weeks

The "domain experience" modifier: the largest variable is whether you've worked with the relevant technology professionally. A security engineer who has operated GuardDuty and KMS for two years will study for SCS-C02 in 8-10 weeks. A cloud engineer who has never touched GuardDuty needs 12-14 weeks to build both the knowledge and the intuition for how these services interact in real scenarios.


Stacking Specialties: What Makes Sense

Some specialty combinations provide compounding career value; others are redundant.

High-value stacks:

  • SCS-C02 + ANS-C01: the network security engineer profile. Architects who understand both the networking layer and the security overlay are rare. This combination opens senior cloud architect and cloud security architect roles.
  • MLS-C01 + DAS-C01: the data/ML engineer profile. Covers the full pipeline from data ingestion and warehousing through ML model training and deployment. Strong positioning for ML engineering and data platform roles.

Lower-value stacks:

  • DBS-C01 + DAS-C01: overlap in data storage content makes this redundant for most candidates. DAS-C01 covers Redshift and S3 at sufficient depth for analytics engineering roles.
  • Multiple specialties before professional tier: the Professional-level certifications (Solutions Architect Professional and DevOps Engineer Professional) provide broader architecture depth than additional specialties. Most candidates benefit more from SAP-C02 or DOP-C02 than from a third specialty certification.

The progression question: specialty certifications don't replace the professional tier. AWS Solutions Architect Professional (SAP-C02) and AWS DevOps Engineer Professional (DOP-C02) test multi-service architectural judgment that no specialty covers. Candidates pursuing senior cloud architect roles should target one specialty plus a professional certification rather than two specialties.


See also: AWS Solutions Architect Professional: how to prepare without burning out, Cloud security certifications: CCSP, AWS Security, and Azure Security compared

References

  1. Amazon Web Services. AWS Certification — Specialty Certifications Overview. AWS, 2024. https://aws.amazon.com/certification/
  2. Amazon Web Services. AWS Certified Security – Specialty (SCS-C02) Exam Guide. AWS, 2024. https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide.pdf
  3. Amazon Web Services. AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Guide. AWS, 2024. https://d1.awsstatic.com/training-and-certification/docs-advnetworking-spec/AWS-Certified-Advanced-Networking_Exam-Guide.pdf
  4. Kane, Frank. AWS Certified Machine Learning Specialty 2024 — Hands On! Udemy, 2024. (Primary MLS-C01 preparation course, 100,000+ students enrolled)
  5. Bonso, Jon (Tutorials Dojo). AWS Specialty Certification Practice Exams. Tutorials Dojo, 2024. https://tutorialsdojo.com (Community-recommended exam simulation for all AWS specialties)
  6. Cantrill, Adrian. AWS Certified Security Specialty and Advanced Networking Specialty Courses. learn.cantrill.io, 2024. https://learn.cantrill.io (Technical depth courses for SCS-C02 and ANS-C01)

Frequently Asked Questions

Which AWS specialty certification has the highest career impact?

AWS Security Specialty (SCS-C02) has the highest demand and broadest career impact. Security expertise is needed across all industries and company sizes. Advanced Networking Specialty (ANS-C01) commands the highest compensation in specialized roles but has a narrower job market.

How hard is AWS Advanced Networking Specialty ANS-C01?

ANS-C01 is widely considered harder than the professional-level exams for many candidates. It requires deep knowledge of BGP, Direct Connect failover configurations, Transit Gateway routing, and hybrid DNS. Network engineers with traditional networking backgrounds have a significant advantage.

Is AWS Machine Learning Specialty worth it without ML experience?

No. MLS-C01 assumes you already understand ML concepts — precision vs recall, gradient boosting, feature engineering, confusion matrices. Candidates who approach it as 'AWS with ML names' fail consistently. It validates existing ML expertise on AWS, it doesn't create it.

Should generalist cloud architects pursue specialty certifications?

SCS-C02 (Security) is the best first specialty for generalist architects — security knowledge applies across all cloud work. Beyond that, specialty certifications deliver value proportional to how specialized your actual role is. Collecting specialties in areas you don't use produces resume lines without genuine expertise.

How long does AWS specialty exam preparation take?

ANS-C01 and MLS-C01 typically require 12-20 weeks of serious study. SCS-C02 and DAS-C01 typically require 10-14 weeks. DBS-C01 requires 8-12 weeks for candidates with database experience. All specialty exams require relevant professional experience to pass reliably.