Amazon Web Services · 2026 Edition
A complete preparation guide written by Amazon Web Services-certified engineers. Covers the exam format, all 6 blueprint domains, a week-by-week study plan, and proven tips for passing the first time.
Prep time: 3–5 months
Difficulty: Advanced
Exam questions: 65
Pass mark: 750/1000

Exam code: SCS-C02
Full name: AWS Security Specialty
Vendor: Amazon Web Services
Duration: 170 minutes
Questions: 65 items
Passing score: 750/1000 (scaled)
Domains covered: 6 blueprint domains
Recommended experience: 2+ years of AWS security experience; AWS Solutions Architect Associate or Security+ recommended
Typical prep time: 3–5 months
SCS-C02 earns the AWS Certified Security – Specialty designation. It validates advanced knowledge of the AWS shared responsibility model, data protection, identity, infrastructure security, logging, and monitoring — credentials expected for cloud security engineer roles.
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–2
Threat Detection and Incident Response: GuardDuty, Security Hub, Detective, Macie
Tip: Amazon GuardDuty continuously monitors VPC flow logs, CloudTrail events, and DNS logs for threat patterns. Know the GuardDuty finding types: Reconnaissance, InstanceCompromise, Policy violations, and Stealth findings. Security Hub aggregates GuardDuty findings with those from other services into a single dashboard.
Weeks 3–5
Security Logging and Monitoring: CloudTrail, CloudWatch Logs, S3 access logs, VPC flow logs
Tip: VPC Flow Logs capture metadata about IP traffic to and from network interfaces (not packet contents). Know the flow log record format: srcaddr, dstaddr, srcport, dstport, protocol, action (ACCEPT/REJECT). Questions give a flow log excerpt and ask what type of traffic it represents or why a connection was rejected.
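The kind of excerpt the exam shows can be read mechanically. The following is an added example, not part of the guide: it parses records in the default (version 2) flow log layout, names the protocol, and tallies REJECTs by destination port, which is where the "why was this rejected" reasoning starts. The account ID, ENI ID and addresses are constructed sample values.

```python
"""Parse VPC Flow Log records (default v2 layout) and explain what each one shows."""
from collections import Counter

# The 14 space-separated fields of a default-format flow log record, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers

def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA rows that carry no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["protocol_name"] = PROTOCOLS.get(rec["protocol"], rec["protocol"])
    return rec

def describe(rec):
    """One-line reading: who talked to whom, on which port/protocol, and the verdict."""
    return (f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
            f"{rec['protocol_name']} {rec['action']}")

def summarize_rejects(records):
    """Count REJECTed flows by destination port. Repeated rejects on one low port
    point at an inbound service blocked by a security group or NACL; rejects whose
    destination is a high ephemeral port usually mean a stateless NACL is dropping
    return traffic (security groups are stateful and would have allowed it)."""
    return dict(Counter(r["dstport"] for r in records if r["action"] == "REJECT"))

def analyze(text):
    """Parse a block of flow log text; return (per-record descriptions, reject tally)."""
    parsed = (parse_record(ln) for ln in text.splitlines() if ln.strip())
    records = [r for r in parsed if r is not None]
    return [describe(r) for r in records], summarize_rejects(records)

# Constructed sample records (not from a real account): two refused SSH attempts,
# one accepted HTTPS request, its return traffic rejected on the ephemeral port,
# and one NODATA row that must be skipped.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51234 22 6 8 480 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51235 22 6 8 480 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 44010 443 6 20 6000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 443 44010 6 18 9000 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    lines, rejects = analyze(SAMPLE)
    print("\n".join(lines))
    print("REJECT by destination port:", rejects)  # {'22': 2, '44010': 1}
```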
Weeks 6–8
Infrastructure Security: WAF, Shield, Network Firewall, Security Groups, NACLs, PrivateLink
Tip: AWS WAF rules are tested in depth. Know the difference between AWS Managed Rules (pre-built rule groups like AWSManagedRulesCommonRuleSet), rate-based rules (throttle by IP), IP set rules (block/allow specific addresses), and regex pattern set rules (match request patterns).
Weeks 9–12
IAM, Data Protection, KMS, Secrets Manager, Certificate Manager, and Governance
Tip: KMS key types: AWS Managed Keys (AWS creates and manages, free, no access to key material), Customer Managed Keys (you control key policy, rotation, deletion — cost per key per month), and Customer Provided Keys (SSE-C for S3, you manage the key material completely). Know the use case for each.
IAM policy evaluation is a foundational skill for SCS-C02. Know the evaluation order: SCPs (filter what's allowed at org level) → resource-based policies → identity-based policies → permission boundaries → session policies. An explicit deny at any layer blocks the request.
AWS Lake Formation provides fine-grained access control for a data lake on S3. Know that Lake Formation uses table and column-level permissions in addition to S3 bucket policies — it is the recommended way to implement column-level security on Glue Data Catalog tables.
Cross-account access patterns: resource-based policies (S3 bucket policy, KMS key policy) vs IAM role assumption (sts:AssumeRole). Know that resource-based policies can grant cross-account access directly; role assumption requires an STS call and generates temporary credentials.
AWS Certificate Manager (ACM) automatically renews SSL/TLS certificates for services it integrates with (ALB, CloudFront, API Gateway). Know that ACM certificates cannot be exported — if you need to install a cert on an EC2 instance, you must import a certificate or use a third-party CA.
Amazon Macie uses machine learning to discover and classify sensitive data in S3. Know the Macie finding types: Policy findings (misconfigured S3 bucket settings like public access, no encryption) and Sensitive Data findings (PII, financial data, credentials detected in object content).
Apply everything in this guide with adaptive practice questions, detailed answer explanations, and domain analytics.
Deep-dive explanations of the key topics tested on SCS-C02 — with exam key points and common misconceptions.