AWS Certified Security Specialty
275 practice questions
Last reviewed: April 2026
The AWS Certified Security Specialty (SCS-C03) is the senior-tier security-focused credential and one of the most respected cloud security certifications. It validates the ability to design and operate secure AWS workloads, including identity, data protection, infrastructure security, threat detection, incident response, and governance. The exam targets cloud security engineers, cloud security architects, and DevSecOps engineers with multi-year AWS and security experience. Expect long, scenario-heavy questions that combine IAM, KMS, networking, and detection services and ask for the BEST security answer under realistic constraints. SCS-C03 launched in July 2023, refreshing SCS-C01 with broader detection, GenAI-adjacent governance, and modernized data-protection coverage. The exam is conceptual; there are no hands-on labs.
Domain 2, Security Logging and Monitoring: logging architecture (CloudTrail organization trails, VPC Flow Logs, DNS query logs, S3 access logs), centralized logging with Security Hub aggregation, and Athena queries over CloudTrail. Common stumbling block: distinguishing the tradeoffs of CloudTrail Lake versus Athena-on-CloudTrail.
Domain 1, Threat Detection and Incident Response: containment patterns (isolating compromised EC2/ECS workloads, rotating credentials, quarantining S3 buckets), forensic-evidence preservation, and runbooks with SSM. Often missed: the precise sequence for IAM credential compromise.
Domain 3, Infrastructure Security: VPC security (security groups, NACLs, endpoints, PrivateLink), AWS WAF and Shield, Network Firewall, and edge protection. Heavy emphasis on defense-in-depth layering.
Domain 4, Identity and Access Management: the largest domain at 20%. Permission boundaries, SCPs, condition keys (especially aws:PrincipalOrgID, aws:SourceVpce, aws:CalledVia), STS, Identity Center, and resource-based policies. The single highest-density area on the exam.
Domain 5, Data Protection: KMS (key policies, grants, multi-region keys, BYOK), encryption in transit (ACM, certificate management), Macie, and S3 protection patterns. Nuanced KMS key-policy evaluation is a frequent stumbling block.
Domain 6, Governance: multi-account governance with Organizations, Control Tower, Config conformance packs, and Audit Manager. Smaller weight, but it tests strategic security thinking.
Services you'll encounter on the exam and why each one matters.
IAM: the identity, role, and policy primitive. Managed and inline policies, trust policies, ABAC tags, session policies, and permission boundaries enforce every authorization decision.
Why it's on the exam: Domain 4 (Identity and Access Management) is wholly about IAM mechanics; least-privilege policy authoring, cross-account roles, and policy evaluation order are the most-tested topics on the exam.
IAM Identity Center: centralized workforce SSO and multi-account permission-set distribution, federating from external IdPs (Entra ID, Okta) into AWS Organizations accounts.
Why it's on the exam: Domain 4 questions on federation, ABAC at scale, and replacing long-lived IAM users with short-lived role sessions cite Identity Center as the AWS-native answer.
Amazon GuardDuty: continuous threat detection across VPC Flow Logs, DNS logs, CloudTrail, S3, EKS audit, and Lambda runtime; emits findings for compromised credentials, crypto-mining, and known-bad IPs.
Why it's on the exam: Domain 1 (Threat Detection and Incident Response) names GuardDuty as the primary continuous-detection signal, with EventBridge-driven automation as the canonical response pattern.
Amazon Inspector: continuous vulnerability assessment for EC2, ECR container images, and Lambda functions, scoring CVEs and network-reachability findings against the discovered software inventory.
Why it's on the exam: Domain 3 (Infrastructure Security) tests Inspector for workload-vulnerability posture; distinguish it from GuardDuty (runtime threats) and Macie (data classification).
AWS Security Hub: cross-service finding aggregator with built-in standards checks (CIS, PCI DSS, AWS FSBP, NIST 800-53) and integrations from GuardDuty, Inspector, Macie, and partner tools.
Why it's on the exam: Domain 2 (Security Logging and Monitoring) and Domain 6 (Governance) name Security Hub as the org-level single pane of glass for prioritized findings and compliance scoring.
Amazon Macie: ML-powered sensitive-data discovery for S3; automated PII, credentials, financial, and health-data detection plus continuous bucket inventory and posture evaluation.
Why it's on the exam: Domain 5 (Data Protection) tests Macie as the named service for discovering and classifying sensitive data in S3 before applying encryption, retention, or access controls.
AWS WAF: Layer-7 web ACL for CloudFront, ALB, API Gateway, AppSync, and App Runner; managed rule groups (OWASP, bot control, account takeover) plus rate-based and custom rules.
Why it's on the exam: Domain 3 (Infrastructure Security) questions on protecting public web endpoints from injection, scraping, and credential stuffing name WAF as the AWS-native edge defense.
AWS Shield: managed DDoS protection. Standard is included free at the edge; Advanced adds 24x7 SRT response, cost protection, and Layer-3/4/7 attack analytics for CloudFront, Route 53, ALB, and Global Accelerator.
Why it's on the exam: Domain 3 distinguishes Shield Standard (always-on, free, L3/L4) from Shield Advanced (paid, SRT, cost protection), a recurring scenario question on DDoS resilience.
AWS KMS: managed cryptographic key service; AWS-managed, customer-managed, and external/imported keys with grants, key policies, and CloudTrail-logged usage across 100+ services.
Why it's on the exam: Domain 5 (Data Protection) tests envelope encryption, cross-account key sharing, key rotation, and the difference between key policies and IAM policies on every exam form.
AWS Certificate Manager (ACM): provisions and auto-renews public TLS certs for CloudFront, ALB, API Gateway, and App Runner; ACM Private CA issues internal certificates with managed CRL/OCSP.
Why it's on the exam: Domain 5 questions on data-in-transit encryption and Domain 3 on private-CA hierarchies for internal mTLS name ACM and ACM Private CA as the AWS-native answers.
AWS Secrets Manager: encrypted secret storage with automatic rotation for RDS, Redshift, DocumentDB, and custom Lambda-driven rotation; fine-grained IAM access and CloudTrail audit.
Why it's on the exam: Domains 4 and 5 cite Secrets Manager for short-lived database credentials, and the contrast with Parameter Store (free, no rotation) is a frequent distractor pair.
Amazon VPC: network isolation primitive; subnets, route tables, security groups (stateful), NACLs (stateless), VPC Flow Logs, VPC endpoints, and Traffic Mirroring for packet capture.
Why it's on the exam: Domain 3 (Infrastructure Security) is largely VPC mechanics: defense-in-depth between SGs and NACLs, private connectivity via interface endpoints, and Flow Logs for forensics.
AWS Network Firewall: managed stateful firewall for VPCs; Suricata-compatible rules for deep packet inspection, domain filtering, IPS, and centralized egress filtering across an Organization.
Why it's on the exam: Domain 3 scenarios on stateful L3-L7 inspection beyond what SGs/NACLs offer (egress-only filtering and centralized inspection VPCs) name Network Firewall as the answer.
AWS Firewall Manager: org-wide policy enforcement for WAF rules, Shield Advanced, Network Firewall, Route 53 Resolver DNS Firewall, and security groups across accounts in AWS Organizations.
Why it's on the exam: Domain 6 (Governance) questions on enforcing security baselines across many accounts cite Firewall Manager + Organizations as the multi-account control plane.
Amazon Detective: investigation graph that ingests VPC Flow Logs, CloudTrail, GuardDuty, and EKS audit data into a behavioral model for root-cause analysis of suspicious activity.
Why it's on the exam: Domain 1 (Threat Detection and Incident Response) tests Detective as the named follow-up to a GuardDuty finding, pivoting to context, blast radius, and affected resources.
Systems Manager Parameter Store: hierarchical config and secret store with String, StringList, and SecureString (KMS-backed) types; the free tier covers most cases, with optional advanced parameters at higher quotas.
Why it's on the exam: Domain 5 questions on storing config and low-volume secrets compare Parameter Store (free, no rotation) against Secrets Manager (paid, rotation); the trade-off is reliably tested.
AWS CloudTrail: immutable API-call audit log; org-wide trails, management/data/Insights events, log-file integrity validation, and Lake for SQL-queryable retention.
Why it's on the exam: Domain 2 (Security Logging and Monitoring) names CloudTrail as the foundational audit signal; integrity validation and centralized org trails are common compliance-scenario questions.
AWS Config: configuration history and continuous-compliance evaluation; managed and custom rules, auto-remediation via SSM, and conformance packs for CIS/PCI/HIPAA baselines.
Why it's on the exam: Domain 6 (Governance) tests Config as the configuration-drift and continuous-compliance engine that complements CloudTrail's API-call audit trail.
AWS Audit Manager: automated evidence collection mapped to frameworks (PCI DSS, HIPAA, SOC 2, GDPR, FedRAMP) with assessment scoping and exportable auditor-ready reports.
Why it's on the exam: Domain 6 questions on producing audit evidence and mapping controls to compliance frameworks cite Audit Manager as the AWS-native evidence-collection service.
AWS Organizations: multi-account management; OUs, Service Control Policies (SCPs), Resource Control Policies, consolidated billing, and delegated administration for security services.
Why it's on the exam: Domain 6 (Governance) and Domain 4 (IAM) test SCPs as the permission-boundary backstop above IAM and the prerequisite for org-wide GuardDuty, Security Hub, and Config aggregation.
$140k–$200k–$290k USD annual
Range covers US-based mid-to-senior cloud security roles where AWS proficiency is required. Top-tier financial services, FAANG, and security-focused unicorns frequently exceed $350k TC. Entry "security engineer" titles in non-coastal markets fall below the low end. Security specialty certs reliably command a premium relative to general cloud certs.
Source: levels.fyi 2025–2026 cloud security roles, U.S. BLS OEWS May 2024 (15-1212 information security analysts). Figures are approximate; actual compensation depends on role, region, and experience.
Cloud security hiring remained strong through 2024–2026 as enterprises continued maturing security programs around multi-account AWS estates, zero-trust patterns, and supply-chain risk. SCS-C03 is widely listed as preferred for cloud security engineer and architect roles, and is one of the more universally respected single security credentials alongside CISSP and CCSP. Recruiters at financial services, healthcare, and security-focused SaaS treat it as a credible signal of AWS-specific security depth. It pairs naturally with SAA-C03 or SAP-C02, the Advanced Networking Specialty (ANS-C01), and cross-vendor credentials. The cert does NOT by itself qualify candidates for CISO or VP-security roles; those expect broader program leadership and risk-management experience.
There are no formal prerequisites. AWS recommends at least 3–5 years of general IT security experience and at least 2 years of hands-on AWS security experience.
Most candidates approach SCS-C03 after SAA-C03 (architectural foundation) and ideally after SAP-C02 or DOP-C02 for additional depth. Candidates with strong general security backgrounds (CISSP, CompTIA Security+) but limited AWS exposure should plan substantial extra time on IAM (especially permission boundaries and SCPs), KMS key policies, and the AWS detection-services taxonomy. A working multi-account AWS Organizations lab with Control Tower, Config conformance packs, and centralized logging is the highest-ROI preparation artifact.
SCS-C03 is rated Specialty and is one of the harder AWS exams. Plan 80–140 hours over 10–14 weeks for candidates already working in cloud security; 160–220+ hours for those coming from general security or general AWS backgrounds. The exam is 65 scored questions in 170 minutes, multiple-choice and multiple-response, with no labs.
The single biggest stumbling block is IAM policy evaluation depth: understanding precisely how identity policies, resource policies, permission boundaries, SCPs, and session policies combine, and how condition keys interact with cross-account access. KMS key-policy evaluation runs a close second. Candidates also routinely lose points on detection-service differentiation (GuardDuty vs. Security Hub vs. Detective vs. Inspector) and on subtle VPC traffic-flow questions involving endpoints and PrivateLink.
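The evaluation order that the paragraph above calls the biggest stumbling block (and that the Domain 4 summary and the IAM service entry refer to), as an added example that is not part of this page or of any AWS library: a small Python model of the documented IAM decision order. It applies an explicit deny first, then requires an SCP to allow, then accepts a same-account resource-based policy on its own, then requires the permissions boundary and session policy (when present) and finally an identity-based policy to allow, with cross-account access needing both the identity and the resource policy. It also evaluates the aws:PrincipalOrgID condition key from the Domain 4 summary. The policy documents, the organization ID o-example123 and the bucket name audit-logs are constructed sample values; the model is deliberately simplified (only StringEquals/StringNotEquals conditions, plain Action/Resource wildcards, no NotAction/NotResource, and none of the role-session nuances of resource-based policies), so treat it as a study aid rather than an authoritative evaluator.

```python
from fnmatch import fnmatchcase

# Added example: a simplified model of the IAM policy-evaluation order, not an AWS
# library. Assumptions: only StringEquals / StringNotEquals conditions, no
# NotAction / NotResource, and the plain same-account shortcut for resource policies.

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def _condition_ok(condition, ctx):
    """Evaluate the subset of condition operators this model understands."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)  # a missing key never satisfies StringEquals
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringNotEquals" and actual in _as_list(wanted):
                return False
    return True

def _matches(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_ok(stmt.get("Condition"), ctx))

def evaluate_policy(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no matching statement) for one document."""
    verdict = None
    for stmt in policy.get("Statement", []):
        if _matches(stmt, action, resource, ctx):
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit deny in a document is final
            verdict = "Allow"
    return verdict

def is_authorized(action, resource, ctx, identity_policies=(), scps=None,
                  boundary=None, session_policy=None, resource_policy=None,
                  same_account=True):
    """Combine the policy layers in the documented order; returns (decision, reason)."""
    ev = lambda p: evaluate_policy(p, action, resource, ctx)
    layers = list(identity_policies) + list(scps or []) + [
        p for p in (boundary, session_policy, resource_policy) if p]
    if any(ev(p) == "Deny" for p in layers):            # 1. explicit deny wins
        return "Deny", "explicit deny"
    if scps is not None and not any(ev(p) == "Allow" for p in scps):  # 2. SCPs
        return "Deny", "implicit deny: no SCP allows"
    res_allows = resource_policy is not None and ev(resource_policy) == "Allow"
    if same_account and res_allows:                     # 3. same-account resource policy
        return "Allow", "resource-based policy"
    if boundary is not None and ev(boundary) != "Allow":  # 4. permissions boundary
        return "Deny", "implicit deny: permissions boundary"
    if session_policy is not None and ev(session_policy) != "Allow":  # 5. session policy
        return "Deny", "implicit deny: session policy"
    if any(ev(p) == "Allow" for p in identity_policies):  # 6. identity-based policies
        if same_account or res_allows:  # cross-account also needs the resource policy
            return "Allow", "identity-based policy"
        return "Deny", "implicit deny: cross-account resource policy does not allow"
    return "Deny", "implicit deny: no identity-based policy allows"

# Constructed sample policy documents (not real account data).
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_BUCKET_DELETE_SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
READ_OBJECTS = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
EC2_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
# Bucket policy that shares objects with any principal inside one organisation.
ORG_BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::audit-logs/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example123"}}}]}

def demo():
    obj = "arn:aws:s3:::audit-logs/2026/trail.json"
    member = {"aws:PrincipalOrgID": "o-example123"}   # caller from inside the org
    outsider = {"aws:PrincipalOrgID": "o-other"}      # caller from a foreign org
    return {
        "cross_account_member": is_authorized("s3:GetObject", obj, member, [READ_OBJECTS],
            scps=[ALLOW_ALL], resource_policy=ORG_BUCKET_POLICY, same_account=False),
        "cross_account_outsider": is_authorized("s3:GetObject", obj, outsider, [READ_OBJECTS],
            scps=[ALLOW_ALL], resource_policy=ORG_BUCKET_POLICY, same_account=False),
        "boundary_limits_admin": is_authorized("s3:GetObject", obj, member, [ALLOW_ALL],
            scps=[ALLOW_ALL], boundary=EC2_ONLY_BOUNDARY),
        "scp_deny_beats_admin": is_authorized("s3:DeleteBucket", "arn:aws:s3:::audit-logs",
            member, [ALLOW_ALL], scps=[ALLOW_ALL, DENY_BUCKET_DELETE_SCP]),
    }

if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:24} {decision:5} ({reason})")
```

The four scenarios in demo() are the exam's favourite traps in miniature: an administrator-level identity policy is still cut down by a permissions boundary, a deny SCP overrides everything below it, and a cross-account caller needs the bucket policy to allow as well, which the aws:PrincipalOrgID condition grants only to principals from the expected organization.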
Current version. Modernized coverage of detection services, multi-account governance, KMS multi-region keys, and Network Firewall. Updated incident-response patterns reflecting EventBridge / SSM Automation maturity.
Brief intermediate revision. Retired in 2023.
Original Security Specialty. Long retired; pre-Security-Hub-era detection tooling.
SCS-C03 (AWS Certified Security Specialty) is a Specialty-level exam: deeply specialized, covering advanced topics in a narrow domain, and hands-on experience is effectively a prerequisite. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 100–200 hours of study spread over 2–4 months for specialty exams. These assume hands-on experience in the specialty domain. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
SCS-C03 is a recognized credential in the AWS ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for cloud engineers, architects, and consultants who work with AWS day-to-day or want to move into roles that do.
The passing score for SCS-C03 is 750 / 1000. The exam contains 65 questions and lasts 2 hr 50 min.
The SCS-C03 exam fee is $300 USD. Fees are set by AWS and may vary by region; always confirm the current price on the official AWS certification page before booking.
AWS certifications are valid for 3 years. Recertify by passing the current version of the same exam, or by passing a higher-level exam in the same path before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for SCS-C03. The exam-simulation mode mirrors the real exam: 65 questions in 2 hr 50 min, with the same passing threshold of 750 / 1000. Browse mode lets you read every Q&A statically.