What does the AWS Security Specialty exam cover?
The AWS Security Specialty SCS-C02 exam covers six security domains specific to AWS: threat detection and incident response, security logging and monitoring, infrastructure security, IAM, data protection, and management and security governance. It requires the AWS Solutions Architect Associate certification or equivalent AWS experience first and costs $300 USD.
The AWS Certified Security – Specialty (SCS-C02) is Amazon Web Services' advanced security certification, validating expertise in securing AWS environments. It is one of six AWS specialty certifications and covers the AWS-specific implementation of security controls for identity, data protection, infrastructure, logging, threat detection, and governance.
AWS Security Specialty is among the most valuable certifications for cloud security professionals working in AWS environments, with certified professionals commanding salaries of $130,000-$175,000. The exam costs $300 USD and requires a passing score of 750 out of 1000.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | SCS-C02 |
| Full Name | AWS Certified Security – Specialty |
| Number of Questions | 65 |
| Time Limit | 170 minutes |
| Passing Score | 750/1000 |
| Cost | $300 USD |
| Prerequisites | AWS Associate certification or 2+ years AWS security experience |
| Validity | 3 years |
The exam covers six domains:
- Threat detection and incident response (14%)
- Security logging and monitoring (18%)
- Infrastructure security (20%)
- Identity and access management (16%)
- Data protection (18%)
- Management and security governance (14%)
"AWS Security Specialty is where the theoretical cloud security knowledge tested in CCSP becomes AWS-specific operational expertise. You must know not just that 'CloudTrail logs API calls' but the exact log format, which services CloudTrail covers, what it does not log, and how to detect specific attack patterns in CloudTrail data." -- AWS Security Specialty certified professional community
Domain 1: Threat Detection and Incident Response (14%)
AWS Threat Detection Services
Amazon GuardDuty is AWS's managed threat detection service:
- Data sources: VPC Flow Logs, DNS logs, AWS CloudTrail events, S3 data events
- Threat categories: Reconnaissance (port scans, instance profiling), instance compromise (cryptocurrency mining, C2 traffic), account compromise (unusual API calls, root account usage)
- Findings: Structured threat findings with severity rating, affected resource, and recommended remediation
- Integration: GuardDuty findings can trigger EventBridge rules for automated response
AWS Security Hub:
- Aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools
- Provides automated security checks against CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices
- Normalized finding format (ASFF - Amazon Security Finding Format) for cross-service correlation
Incident Response in AWS
Automated remediation patterns:
- GuardDuty finding → EventBridge rule → Lambda function → Remediation action (revoke IAM credentials, isolate EC2 instance, block IP in WAF)
- AWS Systems Manager Automation documents provide pre-built runbooks for common remediation tasks
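The GuardDuty → EventBridge → Lambda chain above, written out as an added example (not code from the page or from AWS). The quarantine security group id, the severity threshold and the sample finding are constructed assumptions; the clients are injected so the containment logic runs offline.

```python
"""Lambda-style responder for the GuardDuty -> EventBridge -> Lambda pattern."""

QUARANTINE_SG = "sg-0000quarantine"  # assumed: an empty security group (no rules) for isolation
SEVERITY_THRESHOLD = 7.0             # assumed: act automatically only on High (7.0+) findings


def remediate(event, ec2, iam):
    """Apply one containment action for an EventBridge-delivered GuardDuty finding.
    ec2/iam are boto3-style clients, injected so the logic can be tested offline."""
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    if float(finding.get("severity", 0)) < SEVERITY_THRESHOLD:
        return {"action": "ignored", "reason": "below severity threshold"}
    resource = finding["resource"]
    if resource["resourceType"] == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        # Replace all security groups with the quarantine group: cuts traffic
        # but keeps the instance (disk and memory) available for forensics.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        return {"action": "isolate_instance", "target": instance_id}
    if resource["resourceType"] == "AccessKey":
        key = resource["accessKeyDetails"]
        # Deactivate rather than delete, so the key id stays visible to the investigation.
        iam.update_access_key(UserName=key["userName"], AccessKeyId=key["accessKeyId"],
                              Status="Inactive")
        return {"action": "deactivate_access_key", "target": key["accessKeyId"]}
    return {"action": "ignored", "reason": "unhandled resource type"}


def lambda_handler(event, context=None):
    import boto3  # real entry point; import deferred so the logic above runs without boto3
    return remediate(event, boto3.client("ec2"), boto3.client("iam"))


class RecordingClient:
    """Stand-in for a boto3 client that records calls instead of reaching AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


# Constructed sample event in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```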
Domain 2: Security Logging and Monitoring (18%)
AWS Logging Services
| Service | What It Logs | Retention |
|---|---|---|
| CloudTrail | All AWS API calls (management events) | 90 days default; archive to S3 |
| CloudTrail Data Events | S3 object operations, Lambda function invocations | Separate trail required |
| VPC Flow Logs | Network traffic metadata at VPC/subnet/ENI level | S3 or CloudWatch Logs |
| Route 53 DNS Logs | All DNS queries to Route 53 | CloudWatch Logs |
| S3 Server Access Logs | S3 bucket request logs | Destination S3 bucket |
| ALB/ELB Access Logs | Load balancer request details | S3 bucket |
| CloudFront Access Logs | CDN request details | S3 bucket |
CloudTrail best practices:
- Enable multi-region trail to capture all regions including global services
- Enable log file integrity validation to detect tampering
- Encrypt CloudTrail logs with SSE-KMS using a CMK
- Send CloudTrail logs to CloudWatch Logs for real-time alerting
- Never delete CloudTrail; use SCP to prevent disabling
Amazon Macie
Amazon Macie discovers and protects sensitive data in S3:
- Automated discovery of S3 buckets containing PII, PHI, financial data, credentials
- Customizable data identifiers for organization-specific sensitive data patterns
- Policy findings: Buckets that are publicly accessible, unencrypted, or not replicated
- Sensitive data findings: Specific objects containing detected sensitive data
Domain 3: Infrastructure Security (20%)
VPC Security Architecture
Defense-in-depth for VPC:
- Security Groups: Instance-level stateful firewall. Inbound rules specify what traffic is allowed in; by default all outbound is allowed. Changes take effect immediately.
- Network ACLs: Subnet-level stateless firewall. Rules evaluated in order from lowest rule number. Must explicitly allow both inbound and outbound. Stateless means return traffic needs an explicit rule.
- AWS Network Firewall: Managed stateful firewall and intrusion prevention system for VPC traffic inspection. Supports Suricata-compatible rules.
- AWS WAF: Layer 7 protection for CloudFront, ALB, API Gateway, AppSync. Protects against OWASP Top 10, rate limiting, geo-blocking.
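The stateless-versus-stateful distinction above, modelled as an added example (not from the page). It simulates NACL rule ordering and shows why a NACL that allows HTTPS in and out still breaks the connection until outbound ephemeral ports are allowed; rule sets are constructed, and only ports are matched (protocol and CIDR checks are left out).

```python
"""Models the exam point that NACLs are stateless and ordered, while security groups are stateful."""


def evaluate_nacl(rules, port, direction):
    """NACL semantics: try rules from the lowest rule number upward in the given
    direction; the first match decides; no match falls through to the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r["rule_number"]):
        if rule["direction"] != direction:
            continue
        low, high = rule["port_range"]
        if low <= port <= high:
            return rule["action"]
    return "deny"


def nacl_allows_flow(rules, dest_port, client_port):
    """A stateless NACL must pass two separate decisions for one TCP exchange: the
    request arriving on dest_port and the reply leaving for the client's ephemeral port."""
    return (evaluate_nacl(rules, dest_port, "inbound") == "allow"
            and evaluate_nacl(rules, client_port, "outbound") == "allow")


def security_group_allows_flow(inbound_rules, dest_port):
    """Stateful security group: only the inbound rule matters; the reply is tracked."""
    return any(low <= dest_port <= high for low, high in inbound_rules)


# Constructed rule sets (ports only).
NACL_MISSING_EPHEMERAL = [  # HTTPS allowed both ways, but replies leave on ports 1024-65535
    {"rule_number": 100, "direction": "inbound", "port_range": (443, 443), "action": "allow"},
    {"rule_number": 100, "direction": "outbound", "port_range": (443, 443), "action": "allow"},
]
NACL_CORRECT = NACL_MISSING_EPHEMERAL + [
    {"rule_number": 110, "direction": "outbound", "port_range": (1024, 65535), "action": "allow"},
]
NACL_ORDER = [  # rule 90 is evaluated before rule 100, so its deny wins
    {"rule_number": 90, "direction": "inbound", "port_range": (443, 443), "action": "deny"},
] + NACL_CORRECT
```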
AWS Shield
- AWS Shield Standard: Automatic protection against Layer 3 and 4 DDoS attacks, included for all AWS customers at no cost
- AWS Shield Advanced: Enhanced protection ($3,000/month) with DDoS Response Team access, financial protection (service credits for scaling costs during attacks), and enhanced detection
Private Connectivity
- VPC Endpoints: Gateway endpoints (S3, DynamoDB) and Interface endpoints (all other services) allow private access to AWS services without internet gateway
- PrivateLink: Service provider creates an NLB; service consumer creates an interface endpoint; traffic stays on AWS backbone
- Direct Connect: Dedicated private network connection to AWS; bypasses public internet
Domain 4: Identity and Access Management (16%)
IAM Policy Evaluation
IAM policy evaluation logic (order of evaluation):
- Explicit DENY (anywhere in the evaluation) = DENY
- Service Control Policy (SCP) ALLOW required in Organizations
- Resource-based policy (if applicable)
- IAM permission boundary (if set)
- Session policy (if using STS assume-role)
- IAM identity policy ALLOW
Key policy evaluation rule: An explicit DENY always overrides any ALLOW. The absence of a DENY does not mean allowed -- there must be an explicit ALLOW.
AWS Organizations and SCPs
Service Control Policies (SCPs) restrict what actions can be performed in member accounts:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "guardduty:DisassociateFromMasterAccount"
      ],
      "Resource": "*"
    }
  ]
}
```
This SCP prevents any account in the organization from disabling security controls, even if administrators have full IAM permissions.
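The evaluation order listed under IAM Policy Evaluation and the SCP above, worked through as an added example (not code from the page or from AWS). It is a simplified same-account model: actions are matched with wildcards, while Resource and Condition elements are ignored; the admin policy and the read-only permission boundary are constructed.

```python
"""Simplified same-account IAM evaluation: explicit Deny wins, gates must Allow, then a grant."""
from fnmatch import fnmatchcase


def _matches(statement, action):
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatchcase(action, pattern) for pattern in actions)


def _decision(policy, action):
    """One policy document: a matching Deny wins; a matching Allow otherwise; else implicit."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    found_allow = False
    for statement in statements:
        if _matches(statement, action):
            if statement["Effect"] == "Deny":
                return "Deny"
            found_allow = True
    return "Allow" if found_allow else "Implicit"


def is_allowed(action, identity_policy, scp=None, boundary=None, session_policy=None,
               resource_policy=None):
    """SCP, permission boundary and session policy are gates: each one present must Allow.
    The identity policy or the resource policy must then grant an explicit Allow."""
    gate_decisions = [_decision(p, action) for p in (scp, boundary, session_policy) if p]
    grant_decisions = [_decision(p, action) for p in (identity_policy, resource_policy) if p]
    if "Deny" in gate_decisions + grant_decisions:   # explicit Deny anywhere ends evaluation
        return False
    if any(d != "Allow" for d in gate_decisions):    # a gate that does not Allow blocks
        return False
    return "Allow" in grant_decisions                 # absence of Deny is not an Allow


# Constructed policies. Note: SCPs apply to member accounts only, not the management account.
ADMIN = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
SCP_FROM_PAGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # the default FullAWSAccess statement
    {"Effect": "Deny", "Resource": "*", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                                                   "guardduty:DisassociateFromMasterAccount"]}]}
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}}
```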
AWS Identity Center (SSO)
AWS IAM Identity Center provides centralized SSO for AWS accounts and business applications:
- Users authenticate through Identity Center (or federated IdP)
- Permission sets define IAM role-equivalent permissions
- Assignment maps users/groups to accounts and permission sets
- Supports AD Connector (on-premises AD) or Managed AD for identity source
Domain 5: Data Protection (18%)
AWS KMS (Key Management Service)
Key types in AWS KMS:
| Key Type | Managed By | Use Case |
|---|---|---|
| AWS managed keys | AWS | Default encryption for AWS services |
| Customer managed keys (CMK) | Customer | Fine-grained key policy control |
| Customer provided keys (SSE-C) | Customer | S3 only; customer provides key per request |
Key policies control who can use and administer CMKs. Key policies and IAM policies are evaluated together: both must allow an action for it to succeed.
KMS key rotation: Customer managed keys can be automatically rotated annually. The old key material is retained for decryption of existing data; new data uses the new key material.
S3 Encryption
| Encryption Type | Key Management | Notes |
|---|---|---|
| SSE-S3 (AES-256) | AWS managed | Default encryption; no cost |
| SSE-KMS | CMK or AWS managed KMS | Audit trail, fine-grained control; KMS costs apply |
| SSE-C | Customer provided | Customer manages and provides key per request |
| Client-side encryption | Customer | Data encrypted before upload; AWS never sees plaintext |
S3 bucket security:
- Block Public Access settings (4 independent settings) prevent accidental public exposure
- Bucket policies enforce encryption at upload (aws:SecureTransport, s3:x-amz-server-side-encryption condition keys)
- S3 Object Lock prevents object deletion or modification (WORM compliance)
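The two bucket-policy condition keys above, shown in a constructed bucket policy together with a check that reports which controls a given policy enforces. This is an added example, not from the page; the bucket name is a placeholder.

```python
"""Bucket policy enforcing TLS and SSE-KMS at upload, plus a checker for the pattern."""
import json

# Constructed policy; "example-bucket" is a placeholder name.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")
# The StringNotEquals statement only fires when the header is present with another value;
# a request that omits the header entirely needs the separate Null-operator statement.


def _deny_condition(statement, operator, key):
    """Value of `key` under `operator` in a Deny statement's Condition block, else None."""
    if statement.get("Effect") != "Deny":
        return None
    return statement.get("Condition", {}).get(operator, {}).get(key)


def check_bucket_policy(policy):
    """Report which of the upload-time controls a bucket policy document enforces."""
    stmts = policy["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    return {
        "tls_required": any(_deny_condition(s, "Bool", "aws:SecureTransport") == "false"
                            for s in stmts),
        "sse_value_enforced": any(_deny_condition(s, "StringNotEquals",
                                                  "s3:x-amz-server-side-encryption") is not None
                                  for s in stmts),
        "sse_header_required": any(_deny_condition(s, "Null", "s3:x-amz-server-side-encryption")
                                   == "true" for s in stmts),
    }


TLS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [BUCKET_POLICY["Statement"][0]]}
```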
Domain 6: Management and Security Governance (14%)
AWS Config
AWS Config records configuration changes and evaluates compliance:
- Configuration recorder: Captures configuration state of AWS resources and changes over time
- Managed rules: Pre-built compliance rules (s3-bucket-public-read-prohibited, encrypted-volumes, access-keys-rotated)
- Custom rules: Lambda-based custom compliance evaluation logic
- Conformance packs: Collections of rules for specific compliance frameworks (CIS, PCI-DSS, HIPAA)
- Remediation actions: Automated or manual remediation triggered by non-compliant resources
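A Lambda-based custom rule of the kind listed above, as an added example (not from the page or from AWS): it flags security groups with ingress open to the whole internet, one of the Trusted Advisor security checks named later on this page. The configuration-item shape and the invocation event are constructed to match what Config delivers; the `config_client` parameter is an assumption that lets the handler run offline.

```python
"""AWS Config custom rule: security groups must not allow ingress from 0.0.0.0/0 or ::/0."""
import json


def _cidrs(permission):
    """Collect every CIDR in one ingress rule. Config emits ipv4Ranges/ipv6Ranges as
    {cidrIp|cidrIpv6} objects and the legacy ipRanges field as plain strings."""
    out = [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    out += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    out += [r if isinstance(r, str) else r.get("cidrIp") for r in permission.get("ipRanges", [])]
    return out


def evaluate_security_group(configuration):
    """Return (compliance type, annotation) for one security group configuration."""
    for permission in configuration.get("ipPermissions", []):
        if any(c in ("0.0.0.0/0", "::/0") for c in _cidrs(permission)):
            ports = f"{permission.get('fromPort', 'all')}-{permission.get('toPort', 'all')}"
            proto = permission.get("ipProtocol", "all")
            return "NON_COMPLIANT", f"ingress open to the internet on {proto} {ports}"
    return "COMPLIANT", "no ingress rule open to 0.0.0.0/0 or ::/0"


def config_rule_handler(event, context=None, config_client=None):
    """Entry point for a configuration-change-triggered custom rule. Returns the
    evaluation; pass a boto3 'config' client to also report it with PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule evaluates security groups only"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation event: Config passes invokingEvent as a JSON string.
SAMPLE_CONFIG_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0", "configurationItemCaptureTime": "2025-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}}}),
}
```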
AWS Trusted Advisor
Trusted Advisor provides recommendations across five categories:
- Cost Optimization
- Performance
- Security (most relevant for this exam)
- Fault Tolerance
- Service Limits
Security checks include: S3 buckets with open access, security groups with unrestricted access, IAM use, MFA on root account, exposed access keys.
Frequently Asked Questions
What AWS certifications should I have before AWS Security Specialty? AWS recommends the Solutions Architect Associate or equivalent experience before attempting Security Specialty. Security Specialty assumes deep knowledge of AWS services including VPCs, IAM, S3, EC2, and Lambda. Candidates who have not passed an AWS Associate certification typically spend more time understanding the services themselves rather than their security configurations.
How is AWS Security Specialty different from CCSP for cloud security careers? AWS Security Specialty validates technical AWS-specific implementation knowledge -- you need to know exact service names, configuration options, and how AWS services integrate. CCSP validates vendor-neutral cloud security governance and architecture knowledge. Both are valuable; AWS Security Specialty is essential for hands-on AWS security practitioners while CCSP demonstrates broader cloud security leadership credentials.
What study resources are most effective for AWS Security Specialty? The most effective combination is Stephane Maarek's AWS Security Specialty course on Udemy, Zeal Vora's Security Specialty course, hands-on labs in a personal AWS account (use Free Tier services where possible), and Adrian Cantrill's courses for deep service understanding. AWS documentation for GuardDuty, CloudTrail, KMS, and WAF should be read in full. Practice exams from Tutorials Dojo (Jon Bonso) align most closely with actual exam question style.
References
- Amazon Web Services. (2025). AWS Certified Security – Specialty Exam Guide. https://aws.amazon.com/certification/certified-security-specialty/
- Amazon Web Services. (2025). AWS Security Documentation. https://docs.aws.amazon.com/security/
- Amazon Web Services. (2025). AWS Well-Architected Security Pillar. https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/
- Maarek, S. (2025). AWS Certified Security Specialty Course. Udemy.
- Tutorials Dojo. (2025). AWS Security Specialty Practice Exams. https://tutorialsdojo.com/
- CIS. (2025). CIS AWS Foundations Benchmark. https://www.cisecurity.org/benchmark/amazon_web_services
