How to Pass the AWS Security Specialty Exam (SCS-C02)
A hands-on strategy for passing the AWS Certified Security – Specialty exam, covering IAM, detective controls, infrastructure security, data protection, and incident response in AWS.
AWS Security Specialty: The Cloud Security Deep Dive
The AWS Certified Security – Specialty (SCS-C02) is one of the most demanding cloud certifications. Unlike vendor-neutral certs like CCSP, this exam tests deep, practical knowledge of AWS security services and their configuration. You need hands-on AWS experience to pass.
The exam has 65 questions (multiple-choice and multiple-response) in 170 minutes, scored on a 100-1000 scale with a passing score of 750. It covers six domains.
Domain-by-Domain Strategy
Domain 1: Threat Detection and Incident Response (14%)
Key services to know: Amazon GuardDuty (threat detection), AWS Security Hub (aggregation), Amazon Detective (investigation), CloudTrail (API logging), VPC Flow Logs, AWS Config (configuration compliance), Amazon EventBridge (event-driven automation).
Focus area: Know how to build automated incident response. Example: GuardDuty detects a compromised EC2 instance → an EventBridge rule matches the finding → a Lambda function isolates the instance by replacing its security groups with a quarantine group that allows no inbound or outbound traffic. Leave the instance running and snapshot its volumes so memory and disk evidence survive. This automation chain appears frequently on the exam.
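The isolation step of that chain, as an added example written for this guide (not code from the original article or from AWS). The GuardDuty finding fields it reads (detail.severity, detail.resource.instanceDetails.instanceId) are what EventBridge delivers for "GuardDuty Finding" events; the quarantine group name, the severity threshold, the FakeEC2 client and the sample finding are constructed so the handler can be run offline.

```python
"""Auto-isolate the EC2 instance named in a GuardDuty finding.

Added example; not code from the original article or from AWS. The quarantine
group name, severity threshold, FakeEC2 client and sample finding are constructed.
"""
try:
    import boto3  # available inside Lambda; not needed for the offline run at the bottom
except ImportError:
    boto3 = None

QUARANTINE_SG_NAME = "ir-quarantine-no-traffic"  # hypothetical name
MIN_SEVERITY = 7  # hypothetical threshold: only high-severity findings trigger isolation
ALL_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def instance_id_from_finding(event):
    """Return the instance ID from an EventBridge-wrapped GuardDuty finding, or None."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def quarantine_group(ec2, vpc_id):
    """Find or create a security group with no inbound and no outbound rules."""
    found = ec2.describe_security_groups(Filters=[
        {"Name": "group-name", "Values": [QUARANTINE_SG_NAME]},
        {"Name": "vpc-id", "Values": [vpc_id]},
    ])["SecurityGroups"]
    if found:
        return found[0]["GroupId"]
    sg_id = ec2.create_security_group(
        GroupName=QUARANTINE_SG_NAME, Description="Incident response quarantine", VpcId=vpc_id
    )["GroupId"]
    # A new group has no inbound rules but allows all egress; revoke that so the host is fully cut off.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=ALL_EGRESS)
    return sg_id


def isolate_instance(event, ec2):
    """Replace the instance's security groups with the quarantine group."""
    if event.get("detail", {}).get("severity", 0) < MIN_SEVERITY:
        return {"isolated": False, "reason": "severity below threshold"}
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"isolated": False, "reason": "finding does not name an EC2 instance"}
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in instance["SecurityGroups"]]
    sg_id = quarantine_group(ec2, instance["VpcId"])
    # Swapping the whole group list drops every existing rule in one API call. The instance is
    # left running (not stopped or terminated) so memory and disks remain available for forensics.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return {"isolated": True, "instance_id": instance_id, "quarantine_sg": sg_id, "previous_sgs": previous}


def lambda_handler(event, context):
    """Lambda entry point wired to the EventBridge rule."""
    return isolate_instance(event, boto3.client("ec2"))


# --- Offline run with a constructed fake EC2 client and a constructed finding ---
class FakeEC2:
    """Records the calls the handler makes and returns the response shapes boto3 would."""
    def __init__(self):
        self.calls = []
    def describe_security_groups(self, Filters):
        self.calls.append("describe_security_groups")
        return {"SecurityGroups": []}  # no quarantine group exists yet
    def create_security_group(self, GroupName, Description, VpcId):
        self.calls.append("create_security_group")
        return {"GroupId": "sg-0quarantine"}
    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append("revoke_security_group_egress")
        return {"Return": True}
    def describe_instances(self, InstanceIds):
        self.calls.append("describe_instances")
        return {"Reservations": [{"Instances": [{"VpcId": "vpc-0example", "SecurityGroups": [{"GroupId": "sg-0web"}]}]}]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, Groups))
        return {}


SAMPLE_FINDING = {  # constructed; same shape as an EventBridge "GuardDuty Finding" event
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def demo():
    """Run the handler against the fake client; returns (result, recorded calls)."""
    ec2 = FakeEC2()
    return isolate_instance(SAMPLE_FINDING, ec2), ec2.calls


if __name__ == "__main__":
    print(demo())
```

In a real deployment the Lambda role needs only ec2:DescribeInstances, ec2:DescribeSecurityGroups, ec2:CreateSecurityGroup, ec2:RevokeSecurityGroupEgress and ec2:ModifyInstanceAttribute, and the EventBridge rule should filter on detail.severity so the function is not invoked for every low-severity finding.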
Domain 2: Security Logging and Monitoring (18%)
Key services: CloudTrail (management events, data events, insights events), CloudWatch Logs, VPC Flow Logs, S3 access logs, ELB access logs, AWS Config, AWS Security Hub.
Focus area: CloudTrail is the most-tested service across the entire exam. Know the difference between management events (control-plane API calls, recorded by a trail by default) and data events (object-level activity such as S3 GetObject or Lambda Invoke, off by default and billed separately); Insights events flag unusual API call or error rates. Know how to create an organization trail from the management account so every member account is logged. Know how to detect when logging is stopped or a trail is deleted or reconfigured: StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors calls are attack indicators and should raise an alert. Understand log integrity: CloudTrail log file validation delivers hourly digest files containing the SHA-256 hash of each log file, signed with RSA, which `aws cloudtrail validate-logs` checks.
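The two detective checks from that paragraph in code, as an added example for this guide (not from the original article or from AWS): a scan of CloudTrail records for calls that stop or narrow logging, and a recomputation of each log file's SHA-256 against the hash recorded in a digest file. The event names are real CloudTrail API names and the digest entry follows the documented logFiles layout (hashValue is the hex SHA-256 of the uncompressed log content); every record, S3 key and byte string is constructed for the example, and the digest's own RSA signature check is out of scope.

```python
"""Detect CloudTrail tampering and check log file hashes against a digest file.

Added example; not from the original article or from AWS. Records, keys and
bytes below are constructed; only the event names and digest layout are real.
"""
import gzip
import hashlib
import json

# API calls that stop or narrow audit logging. Alert on all of them.
TAMPERING_EVENTS = {
    "StopLogging": "trail stopped",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail reconfigured (check the new S3 bucket, KMS key and multi-region setting)",
    "PutEventSelectors": "event selectors changed (data events may no longer be recorded)",
}


def find_tampering(records):
    """Return one hit per record that changes CloudTrail's own logging configuration."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name in TAMPERING_EVENTS:
            hits.append({
                "eventName": name,
                "why": TAMPERING_EVENTS[name],
                "principal": rec.get("userIdentity", {}).get("arn"),
                "trail": rec.get("requestParameters", {}).get("name"),
                "time": rec.get("eventTime"),
            })
    return hits


def verify_log_hashes(digest, objects):
    """Recompute each log file's SHA-256 and compare it with the digest entry.

    `objects` maps an s3Object key to the gzipped bytes stored in S3. Returns
    {key: True | False | None}; None means the log file is missing, which is
    itself an indicator (deleted evidence). Verifying the digest's RSA signature
    with the CloudTrail public key is what `aws cloudtrail validate-logs` adds.
    """
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        data = objects.get(key)
        if data is None:
            results[key] = None
            continue
        content = gzip.decompress(data)  # the recorded hash covers the uncompressed content
        results[key] = hashlib.sha256(content).hexdigest() == entry["hashValue"]
    return results


SAMPLE_RECORDS = [  # constructed, in CloudTrail's record shape
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"name": "org-trail"}},
]
LOG_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/123456789012_CloudTrail_us-east-1_20240501T1005Z_x.json.gz"


def log_object(records):
    """Build the gzipped JSON object CloudTrail would deliver to S3."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def demo():
    """Flag the StopLogging call, then show the hash check passing, failing and missing."""
    intact = log_object(SAMPLE_RECORDS)
    digest = {  # constructed; mirrors the logFiles section of a CloudTrail digest
        "logFiles": [{
            "s3Bucket": "example-trail-bucket", "s3Object": LOG_KEY, "hashAlgorithm": "SHA-256",
            "hashValue": hashlib.sha256(gzip.decompress(intact)).hexdigest(),
        }]
    }
    # An attacker who scrubs the StopLogging record from the stored file breaks the hash.
    scrubbed = log_object([r for r in SAMPLE_RECORDS if r["eventName"] != "StopLogging"])
    return {
        "hits": find_tampering(json.loads(gzip.decompress(intact))["Records"]),
        "intact": verify_log_hashes(digest, {LOG_KEY: intact})[LOG_KEY],
        "scrubbed": verify_log_hashes(digest, {LOG_KEY: scrubbed})[LOG_KEY],
        "missing": verify_log_hashes(digest, {})[LOG_KEY],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the same detection would run as an EventBridge rule on the CloudTrail event stream rather than a batch scan, and the hash check would read both log and digest objects from the trail bucket, which should be in a separate account that the monitored accounts can write to but not delete from.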
Domain 3: Infrastructure Security (20%)
Key services: VPC (subnets, NACLs, security groups, route tables), AWS WAF, AWS Shield (Standard and Advanced), AWS Firewall Manager, AWS Network Firewall, CloudFront, Route 53, AWS PrivateLink, VPC endpoints.
Focus area: Network architecture questions are common. Know when to use security groups vs NACLs: security groups are stateful (return traffic is allowed automatically, allow rules only, applied per ENI), NACLs are stateless (inbound and outbound are evaluated separately, so return traffic needs an outbound rule covering the ephemeral port range; rules are numbered and the lowest-numbered match wins; allow and deny rules, applied per subnet). Know the difference between interface VPC endpoints (PrivateLink, an ENI in your subnet, most services) and gateway VPC endpoints (S3 and DynamoDB only, a route table entry, no charge). Understand multi-VPC architectures: Transit Gateway, VPC peering, PrivateLink. Know WAF rule creation for common attacks (managed rule groups and custom rules for SQL injection and XSS) and rate-based rules for request flooding.
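The stateful-versus-stateless distinction is the single most common trap in this domain, so here it is as an added example written for this guide (not code from the original article or from AWS). It models the behaviour the VPC documentation describes: a security group allows the reply to any allowed request automatically, while a NACL evaluates inbound and outbound independently, in rule-number order, first match wins, with an implicit final deny. The rule sets, addresses and ports are made up.

```python
"""Stateless NACL rules versus stateful security groups, as the exam tests them.

Added example; not code from the original article or from AWS. Rule sets,
addresses and ports are made up.
"""
from ipaddress import ip_address, ip_network

ALLOW, DENY = "allow", "deny"


def nacl_decision(rules, address, port):
    """Evaluate (rule_no, action, cidr, from_port, to_port) rules in number order."""
    for _, action, cidr, lo, hi in sorted(rules):
        if ip_address(address) in ip_network(cidr) and lo <= port <= hi:
            return action  # first match wins; later rules are never consulted
    return DENY  # the catch-all "*" rule


def nacl_exchange(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request (inbound) and the reply (outbound) are judged independently."""
    return {
        "request": nacl_decision(inbound, client_ip, server_port),
        # Outbound rules are matched on the destination: the client's ephemeral port.
        "reply": nacl_decision(outbound, client_ip, client_port),
    }


def sg_exchange(inbound, client_ip, server_port):
    """Stateful: if the request is allowed inbound, the reply is allowed regardless of outbound rules."""
    allowed = any(ip_address(client_ip) in ip_network(cidr) and lo <= server_port <= hi
                  for cidr, lo, hi in inbound)
    verdict = ALLOW if allowed else DENY
    return {"request": verdict, "reply": verdict}


# A web subnet that should accept HTTPS from anywhere except one abusive network.
NACL_IN = [
    (100, ALLOW, "0.0.0.0/0", 443, 443),
    (200, DENY, "203.0.113.0/24", 0, 65535),   # too late: rule 100 already matched
]
NACL_IN_FIXED = [
    (50, DENY, "203.0.113.0/24", 0, 65535),    # lower number, evaluated first
    (100, ALLOW, "0.0.0.0/0", 443, 443),
]
NACL_OUT_BROKEN = [(100, ALLOW, "0.0.0.0/0", 443, 443)]  # no ephemeral range: replies are dropped
NACL_OUT_FIXED = NACL_OUT_BROKEN + [(110, ALLOW, "0.0.0.0/0", 1024, 65535)]
SG_IN = [("0.0.0.0/0", 443, 443)]


def demo():
    """Run one HTTPS exchange through each configuration."""
    client, ephemeral = "198.51.100.7", 51515
    return {
        "sg": sg_exchange(SG_IN, client, 443),
        "nacl_no_ephemeral_rule": nacl_exchange(NACL_IN, NACL_OUT_BROKEN, client, ephemeral, 443),
        "nacl_fixed": nacl_exchange(NACL_IN_FIXED, NACL_OUT_FIXED, client, ephemeral, 443),
        "abuser_wrong_order": nacl_decision(NACL_IN, "203.0.113.9", 443),
        "abuser_fixed_order": nacl_decision(NACL_IN_FIXED, "203.0.113.9", 443),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two failure modes it reproduces are the ones exam scenarios describe as "the instance receives requests but clients never get a response" (missing ephemeral-port outbound rule) and "the deny rule we added has no effect" (deny numbered after a broader allow).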
Domain 4: Identity and Access Management (16%)
Key services: IAM (users, groups, roles, policies), AWS Organizations, SCPs, IAM Identity Center (successor to AWS SSO), Cognito, STS, AWS RAM.
Focus area: IAM policy evaluation logic is critical. Everything is implicitly denied until a policy allows it. Know the evaluation order: an explicit deny in any applicable policy wins → SCPs must allow (every level from the root to the account) → resource-based policies → identity-based policies → permissions boundary → session policy. Know the two nuances that questions hinge on: a resource-based policy that allows a principal in the same account grants access by itself, even if the identity-based policy is silent, while a permissions boundary or session policy only narrows what the identity-based policy allows and never grants anything. Understand cross-account access patterns (a role in the target account plus sts:AssumeRole permission in the caller's account, or a resource-based policy naming the foreign principal; cross-account requires both sides to allow). Know when to use IAM roles vs IAM users. Understand the difference between identity-based and resource-based policies. Know how SCPs work in AWS Organizations: they set the maximum permissions for accounts, never grant permissions, and do not affect the management account.
Domain 5: Data Protection (22%)
Key services: KMS (key types: AWS-managed, customer-managed, AWS-owned; the exam and older material still say CMK for what the console now calls a KMS key), CloudHSM, ACM (TLS certificates), S3 encryption (SSE-S3, SSE-KMS, SSE-C, client-side), Secrets Manager, Systems Manager Parameter Store, Macie.
Focus area: KMS is the most-tested service in this domain. Know the key hierarchy as envelope encryption: the KMS key (backed by key material that never leaves the HSM) encrypts data keys, and data keys encrypt your data; GenerateDataKey returns the plaintext and encrypted copies, you store the encrypted copy with the ciphertext and call Decrypt to recover it. Know the difference between symmetric and asymmetric KMS keys (asymmetric keys are used for signing and for encryption outside AWS, and their public key can be downloaded). Key rotation: AWS-managed keys rotate automatically every year; customer-managed symmetric keys can have automatic rotation enabled (yearly by default, with a configurable period), while asymmetric keys and keys with imported material must be rotated manually. Rotation keeps old key material, so previously encrypted data still decrypts. Know when to use KMS vs CloudHSM: CloudHSM gives you single-tenant HSMs that you administer and that AWS cannot access, backs a custom key store for KMS, and serves applications that need direct PKCS#11, JCE or CNG/KSP access; KMS is the multi-tenant managed service that the rest of AWS integrates with.
Domain 6: Management and Security Governance (14%)
Key services: AWS Organizations (OUs, SCPs, delegated administrators), AWS Control Tower, AWS Config conformance packs, AWS Audit Manager, AWS Artifact, AWS Trusted Advisor, AWS Service Catalog, CloudFormation, resource tagging.
Focus area: Multi-account management and compliance evidence. Know how to deploy security services (GuardDuty, Security Hub, Config, CloudTrail) organization-wide from a delegated administrator account, how to evaluate compliance across many accounts, and how to identify security gaps through architecture reviews.
The Scenario-Based Question Pattern
AWS Security Specialty questions follow a consistent pattern: a scenario describes a security requirement or incident, and you must select the AWS service or configuration that best addresses it. The wrong answers are usually real AWS services that do not fit the specific scenario.
Example pattern: "A company needs to ensure that all S3 buckets across 50 accounts cannot be made public. The solution must be preventive, not detective. What should they implement?"
The answer requires understanding the difference between preventive controls (an SCP that denies changes to S3 Block Public Access, with account-level Block Public Access enabled in every account) and detective controls (AWS Config rules such as s3-bucket-public-read-prohibited, Security Hub findings), which only report a public bucket after it exists.
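Both the evaluation order from Domain 4 and the preventive SCP from this scenario can be exercised in one place, so here is an added example written for this guide (not from the original article or from AWS): a deliberately simplified evaluator that implements the same-account flowchart described above and runs a handful of policies through it, including an SCP that denies s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock to an administrator identity. Conditions, NotAction/NotResource and cross-account requests are not modelled; policies are the JSON documents as dicts, and the ARNs and account ID are made up.

```python
"""Simplified IAM policy evaluation in the order the exam tests it.

Added example; not from the original article or from AWS. Conditions,
NotAction/NotResource and cross-account access are left out; ARNs are made up.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(policy, action, resource, principal=None):
    """Return (has_allow, has_deny) over the statements that match the request."""
    allow = deny = False
    for st in _as_list(policy.get("Statement")):
        # IAM action/resource patterns use * and ?; fnmatch has the same two wildcards.
        if not any(fnmatchcase(action, p) for p in _as_list(st.get("Action"))):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(st.get("Resource", "*"))):
            continue
        if principal is not None:  # resource-based policies must name the principal
            who = st.get("Principal", {})
            who = who.get("AWS", []) if isinstance(who, dict) else who
            if not any(p in ("*", principal) for p in _as_list(who)):
                continue
        if st.get("Effect") == "Deny":
            deny = True
        else:
            allow = True
    return allow, deny


def evaluate(action, resource, principal, identity=None, scps=(), resource_policy=None,
             boundary=None, session=None):
    """Return (decision, reason) for a same-account request."""
    policies = [("identity-based", identity, None), ("resource-based", resource_policy, principal),
                ("permissions boundary", boundary, None), ("session", session, None)]
    policies += [(f"SCP level {i}", scp, None) for i, scp in enumerate(scps, 1)]
    outcome = {name: _matches(pol, action, resource, who) for name, pol, who in policies if pol is not None}
    # 1. An explicit deny in any applicable policy ends evaluation.
    for name, (_, denied) in outcome.items():
        if denied:
            return "Deny", f"explicit deny in {name} policy"
    # 2. Every SCP from the root to the account must allow the action.
    for name, (allowed, _) in outcome.items():
        if name.startswith("SCP") and not allowed:
            return "Deny", f"implicit deny: {name} does not allow the action"
    # 3. A resource-based policy that allows this principal is sufficient on its own.
    if outcome.get("resource-based", (False, False))[0]:
        return "Allow", "resource-based policy allows the principal"
    # 4-6. Identity-based policy must allow; boundary and session policy must not narrow it away.
    if not outcome.get("identity-based", (False, False))[0]:
        return "Deny", "implicit deny: no identity-based Allow"
    for name in ("permissions boundary", "session"):
        if name in outcome and not outcome[name][0]:
            return "Deny", f"implicit deny: {name} policy does not include the action"
    return "Allow", "identity-based policy allows and nothing narrows it"


ALICE = "arn:aws:iam::123456789012:user/alice"
OBJECT = "arn:aws:s3:::finance-reports/q1.csv"
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Preventive control for the 50-account scenario: no principal in the organization can loosen
# S3 Block Public Access. Real deployments exempt one break-glass role with a Condition on
# aws:PrincipalArn; Conditions are not modelled here.
BLOCK_PUBLIC_S3_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
     "Resource": "*"},
]}
READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"}]}
S3_READ_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ALICE},
                                "Action": "s3:PutObject", "Resource": "arn:aws:s3:::finance-reports/*"}]}
EC2_ONLY_SCP = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def demo():
    """Five requests that each exercise one step of the flowchart."""
    return {
        "read_allowed": evaluate("s3:GetObject", OBJECT, ALICE, identity=READ_ONLY, scps=[ALLOW_ALL]),
        "scp_blocks_admin": evaluate("s3:PutBucketPublicAccessBlock", "arn:aws:s3:::finance-reports", ALICE,
                                     identity=ALLOW_ALL, scps=[BLOCK_PUBLIC_S3_SCP]),
        "resource_policy_alone": evaluate("s3:PutObject", OBJECT, ALICE, identity=READ_ONLY, resource_policy=BUCKET_POLICY),
        "boundary_narrows_admin": evaluate("s3:DeleteObject", OBJECT, ALICE, identity=ALLOW_ALL, boundary=S3_READ_BOUNDARY),
        "missing_scp_allow": evaluate("s3:GetObject", OBJECT, ALICE, identity=ALLOW_ALL, scps=[ALLOW_ALL, EC2_ONLY_SCP]),
    }


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case}: {decision} ({reason})")
```

The scp_blocks_admin case is the exam's point in miniature: the identity has AdministratorAccess-equivalent permissions and still cannot loosen Block Public Access, because the SCP's explicit deny is checked before anything the identity policy says. For the real service, the IAM policy simulator (iam simulate-principal-policy) gives the authoritative answer, including Conditions and cross-account cases this model skips.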
Hands-On Labs You Must Do
Before sitting the exam, you should have personally configured the key services listed under each domain above, not just read about them: an organization trail, a GuardDuty-to-Lambda response chain, a customer-managed KMS key with a key policy, an SCP, and a VPC with both security groups and NACLs.
AWS Free Tier covers many of these services. Use it.
Study Plan (8 Weeks)
Weeks 1-2: Domain 4 (IAM) — foundation for everything.
Weeks 3-4: Domain 5 (Data Protection): KMS appears in scenarios across every other domain.
Weeks 5-6: Domain 3 (Infrastructure) and Domain 2 (Logging).
Week 7: Domain 1 (Incident Response) and Domain 6 (Management and Security Governance).
Week 8: Practice exams under timed conditions.
Practice AWS Security Specialty questions on CyberCertPrep with scenario-based questions that mirror the real exam's depth and complexity.
Daniel Agrici
CEH, Security+, PenTest+
Daniel is the founder of CyberCertPrep. With a background in penetration testing and security consulting, he has passed 8 cybersecurity certifications and writes about exam strategies and career development.