The AWS Certified Security - Specialty (SCS-C02) is the deepest security exam AWS offers. It tests not just which services exist, but how they integrate, where they fall short, and how to respond when they detect threats. The exam is scenario-heavy, with complex multi-service questions involving incident response, forensics, and the intersection of compliance requirements and technical controls.
This guide covers all five exam domains with depth on the topics that define whether you pass.
Exam Overview
The SCS-C02 exam contains 65 questions (50 scored, 15 unscored) with a 170-minute time limit. The passing score is 750 out of 1000. It is a multiple choice and multiple response exam.
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Threat Detection and Incident Response | 14% |
| Domain 2: Security Logging and Monitoring | 18% |
| Domain 3: Infrastructure Security | 20% |
| Domain 4: Identity and Access Management | 16% |
| Domain 5: Data Protection | 32% |
Domain 1: Threat Detection and Incident Response (14%)
Amazon GuardDuty
GuardDuty continuously analyzes CloudTrail management events, S3 data events, VPC Flow Logs, DNS query logs, and EKS audit logs for malicious activity.
Finding categories:
| Category | Example |
|---|---|
| Backdoor | EC2 instance communicating with known C&C server |
| Behavior | IAM credentials used from an unusual location |
| Cryptocurrency | EC2 instance querying cryptocurrency mining domains |
| Exfiltration | Unusually high S3 data transfer |
| Recon | API calls to list IAM users or security groups at unusual volume |
Multi-account GuardDuty: Use AWS Organizations to designate an administrator account. Member account findings aggregate to the administrator account. Member accounts cannot disable GuardDuty.
Incident Response Automation
Automated isolation of a compromised EC2 instance:
- EventBridge rule matches a GuardDuty finding of type
UnauthorizedAccess:EC2/SSHBruteForce - Lambda function is invoked
- Lambda replaces the instance's security group with a quarantine security group (no inbound or outbound access)
- Lambda creates a snapshot of the EBS volume for forensics
- Lambda sends an SNS notification to the security team
EC2 forensics process:
- Isolate instance (quarantine security group)
- Capture memory with SSM Run Command if the instance is still running
- Detach EBS volume
- Create snapshot
- Attach snapshot to a forensics instance in an isolated VPC
- Analyze without contaminating the evidence
Domain 2: Security Logging and Monitoring (18%)
AWS CloudTrail
CloudTrail is the foundational audit log for AWS API activity. Key configuration requirements:
- Organization trail: A trail that logs all accounts in an AWS Organization; created from the management account
- Multi-region trail: Log events from all regions to a single S3 bucket (recommended for all accounts)
- Log file validation: Enable to detect if log files have been tampered with (uses SHA-256 hash and RSA signature)
- CloudTrail Insights: Detects unusual API activity (e.g., a spike in RunInstances calls)
Event types:
| Event Type | Description | Default |
|---|---|---|
| Management events | Control plane operations (CreateBucket, RunInstances) | On by default |
| Data events | Object-level operations (S3 GetObject, Lambda Invoke) | Off by default; incur cost |
| Insights events | Anomalous API activity | Off by default |
S3 Server Access Logging vs. S3 Data Events
The exam distinguishes these:
- S3 Server Access Logging: Logs HTTP requests to the bucket; best-effort delivery; stored in a target S3 bucket
- CloudTrail S3 Data Events: Logs API-level operations (GetObject, PutObject, DeleteObject); near real-time; integrated with CloudTrail
Use CloudTrail Data Events for compliance and security monitoring. Use S3 Server Access Logging for web server log analysis patterns.
Security Hub
Security Hub aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and partner tools. Key concepts:
- Security standards: Evaluate account configuration against CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, PCI DSS
- Finding severity: Critical, High, Medium, Low, Informational
- Automated response and remediation: Use EventBridge to trigger Lambda functions based on Security Hub findings
- Cross-region and cross-account aggregation: Designate a home region for Security Hub to aggregate findings from all regions and accounts
Domain 3: Infrastructure Security (20%)
VPC Security Architecture
Defense in depth for a three-tier application:
Internet
|
Internet Gateway
|
Public Subnet (NACL: allow 443/80 inbound, deny all else)
|
Application Load Balancer + WAF
|
Private Subnet (NACL: allow from ALB subnet only)
|
Application Tier (Security Group: allow 8080 from ALB SG only)
|
Private Subnet (NACL: allow from App subnet only)
|
Database Tier (Security Group: allow 5432 from App SG only)
Each layer restricts traffic further. Security groups use source security group references (not CIDR) for precise control.
AWS WAF
WAF protects HTTP/HTTPS applications using rules:
- Managed rule groups: Pre-built rule sets from AWS or AWS Marketplace partners (e.g., OWASP Top 10, bot control, IP reputation)
- Custom rules: Match on IP addresses, request headers, query strings, URI paths, body content
- Rate-based rules: Block IPs exceeding a request rate threshold (DDoS mitigation)
WAF integrates with CloudFront, ALB, API Gateway, and AppSync.
AWS Network Firewall
Network Firewall is a managed stateful firewall for VPCs. It operates at the network level (L3/L4) and also supports deep packet inspection (L7 Suricata rules):
- Deploy in dedicated inspection VPCs with Traffic Mirroring or via route table manipulation
- Rules: 5-tuple stateless rules and stateful Suricata-compatible rules
- Use to inspect and filter VPC-to-VPC, VPC-to-internet, and VPC-to-on-premises traffic
Domain 4: Identity and Access Management (16%)
Advanced IAM Policy Evaluation
IAM policy evaluation order:
- Explicit Deny (any policy) → DENY
- SCP Deny → DENY
- Resource-based policy Allow (without requiring role assumption) → ALLOW
- IAM policy (identity-based) Allow → ALLOW
- Default → DENY
Condition keys for fine-grained control:
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["us-east-1", "us-west-2"]
}
}
}
This policy denies all S3 actions from regions other than us-east-1 and us-west-2, enforcing data residency requirements.
IAM Access Analyzer
Access Analyzer identifies resources shared with external principals (outside the account or organization):
- Analyzes S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager secrets
- Generates findings when external access is detected
- Archive rules suppress expected access patterns
IAM Access Analyzer policy validation: Check policies for errors, security warnings, and suggestions before deploying them. Integrated into the IAM console and CLI.
AWS SSO / IAM Identity Center
IAM Identity Center is the successor to AWS SSO. It provides centralized access management for multiple AWS accounts and cloud applications:
- Integrates with Active Directory (AWS Managed Microsoft AD or on-premises AD via AD Connector)
- Uses permission sets (pre-defined IAM policies assigned to accounts)
- Users authenticate once and assume roles in any assigned account without re-entering credentials
Domain 5: Data Protection (32%)
This is the most heavily weighted domain. Deep knowledge of encryption, key management, and data classification is required.
AWS KMS Architecture
Key hierarchy:
AWS KMS Root Key (hardware security module)
|
Customer Master Key (CMK)
|
Data Encryption Key (DEK)
|
Encrypted data
CMK types:
| Type | Key Material Origin | Rotation | Use Case |
|---|---|---|---|
| AWS Managed Key | AWS | Automatic (3 years) | Default for AWS services |
| Customer Managed Key | AWS | Optional annual | Custom key policies, auditing |
| External key (BYOK) | Customer-imported | Manual | Regulatory requirements |
| Custom key store (CloudHSM) | CloudHSM | Manual | Dedicated HSM compliance |
Key policies: Unlike IAM policies, KMS key policies must explicitly allow the root account or no IAM policies will work with the key. The default key policy grants the root account full access.
KMS grants: Temporary, scoped delegation of KMS permissions to a service or user without modifying the key policy. Used by AWS services (like EBS, S3) on your behalf.
Envelope Encryption at Scale
The envelope encryption pattern avoids transmitting large amounts of data to KMS:
- Call
GenerateDataKeyto get a plaintext and encrypted data key - Encrypt data locally using the plaintext data key
- Discard the plaintext data key from memory
- Store the encrypted data key alongside the ciphertext
To decrypt:
- Call
Decryptwith the encrypted data key → get plaintext data key - Decrypt the ciphertext locally
Amazon Macie
Macie uses ML to discover and classify sensitive data in S3:
- Detects PII, financial data, credentials, and custom data identifiers
- Generates findings for sensitive data discovery and policy violations
- Multi-account: Designate a Macie administrator account via Organizations
Secrets Manager vs. Parameter Store
| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Automatic rotation | Yes (Lambda-backed) | No |
| Cost | Per secret per month | Free (Standard); charge for Advanced |
| Cross-account | Yes | Limited |
| Encryption | KMS always | Optional (SecureString uses KMS) |
| Best for | Database passwords, API keys requiring rotation | App configuration, non-rotating values |
"The Security Specialty exam is built around one core question: given an incident or a compliance requirement, which controls do you apply and in what order? Candidates who have only read documentation consistently miss questions where the answer depends on understanding the interaction between GuardDuty, EventBridge, and Lambda — not any one of them in isolation." — John Rhoton, author of AWS Security Specialty Certification Guide (Packt, 2022)
Study Timeline
Recommended: 10-14 weeks. Requires Associate-level foundation.
| Week | Focus |
|---|---|
| 1-2 | KMS architecture, envelope encryption, CloudHSM |
| 3-4 | IAM advanced: policy evaluation, Access Analyzer, Identity Center |
| 5-6 | GuardDuty, Macie, Inspector, Security Hub integration |
| 7-8 | VPC security, WAF, Network Firewall |
| 9-10 | CloudTrail, logging architecture, centralized monitoring |
| 11-12 | Incident response patterns, forensics workflows |
| 13-14 | Practice exams, documentation review |
See also: AWS Solutions Architect Associate (SAA-C03) Study Guide: Domains, Services, and Scenarios
References
- AWS. "AWS Certified Security - Specialty Exam Guide (SCS-C02)." https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide.pdf
- AWS. "AWS Key Management Service Developer Guide." https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
- AWS. "Amazon GuardDuty User Guide." https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
- AWS. "AWS Security Best Practices." AWS Whitepaper. https://docs.aws.amazon.com/whitepapers/latest/aws-security-best-practices/aws-security-best-practices.html
- AWS. "AWS CloudTrail User Guide." https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
- Rhoton, John. "AWS Security Specialty Certification Guide." Packt, 2022.
- AWS. "IAM Access Analyzer." https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
- AWS. "AWS Foundational Security Best Practices Standard." https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html
Frequently Asked Questions
What is the most heavily weighted domain on the AWS Security Specialty exam?
Domain 5: Data Protection carries the highest weight at 32%. It covers KMS key management, envelope encryption, Secrets Manager, Parameter Store, Macie, and encryption patterns for S3, EBS, and RDS.
What is the difference between an AWS Managed Key and a Customer Managed Key in KMS?
AWS Managed Keys are created and managed by AWS services automatically, rotate every 3 years, and cannot have custom key policies. Customer Managed Keys give you full control over key policies, optional annual rotation, and audit via CloudTrail.
How does IAM Access Analyzer work?
Access Analyzer continuously analyzes resource-based policies on S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager secrets to identify any access granted to principals outside your account or AWS Organization.
What steps should you take to forensically investigate a compromised EC2 instance?
Isolate the instance with a quarantine security group, optionally capture memory via SSM Run Command, detach the EBS volume, create a snapshot, attach the snapshot to a forensics instance in an isolated VPC, and analyze the volume without modifying the original.
What is the difference between Secrets Manager and Parameter Store?
Secrets Manager supports automatic secret rotation via Lambda and is designed for credentials like database passwords. Parameter Store is cheaper (Standard tier is free), suited for application configuration and non-rotating values, and supports SecureString encryption with KMS.