
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


Amazon Web Services · 2026 Edition

SCS-C02 Study Guide — How to Pass AWS Security Specialty

A complete preparation guide written by Amazon Web Services-certified engineers. Covers the exam format, all 6 blueprint domains, a week-by-week study plan, and proven tips for passing first time.

Prep time: 3–5 months
Difficulty: Advanced
Exam questions: 65
Pass mark: 750/1000


On this page

  1. SCS-C02 Exam at a Glance
  2. Why Earn the SCS-C02?
  3. Exam Domains & Weights
  4. Study Plan
  5. Exam Tips
  6. Practice Questions

SCS-C02 Exam at a Glance

Exam code: SCS-C02
Full name: AWS Security Specialty
Vendor: Amazon Web Services
Duration: 170 minutes
Questions: 65 items
Passing score: 750/1000 (scaled)
Domains covered: 6 blueprint domains
Recommended experience: 2+ years of AWS security experience; AWS Solutions Architect Associate or Security+ recommended
Typical prep time: 3–5 months

Why Earn the SCS-C02?

SCS-C02 earns the AWS Certified Security – Specialty designation. It validates advanced knowledge of the AWS shared responsibility model, data protection, identity, infrastructure security, logging, and monitoring — credentials expected for cloud security engineer roles.

Job roles this opens

AWS Security Engineer, Cloud Security Engineer, Security Architect, IAM Engineer, Compliance Engineer

SCS-C02 Exam Domains

Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.

Threat Detection and Incident Response
Security Logging and Monitoring
Identity and Access Management
Management and Security Governance
Infrastructure Security
Data Protection


SCS-C02 Study Plan

Weeks 1–2

Threat Detection and Incident Response: GuardDuty, Security Hub, Detective, Macie

Tip: Amazon GuardDuty continuously monitors VPC flow logs, CloudTrail events, and DNS logs for threat patterns. Know the GuardDuty finding types: Reconnaissance, InstanceCompromise, Policy violations, and Stealth findings. Security Hub aggregates GuardDuty findings with those from other services into a single dashboard.

Weeks 3–5

Security Logging and Monitoring: CloudTrail, CloudWatch Logs, S3 access logs, VPC flow logs

Tip: VPC Flow Logs capture IP traffic to/from network interfaces. Know the flow log record format: srcaddr, dstaddr, srcport, dstport, protocol, action (ACCEPT/REJECT). Questions give a flow log excerpt and ask what type of traffic it represents or why a connection was rejected.
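To practise reading flow log excerpts, the following added example (not part of the original guide) parses default-format (version 2) records and explains them. It goes slightly beyond the tip by flagging a REJECT that is the reverse of an ACCEPTed flow, which points at a stateless network ACL blocking return traffic, since security groups are stateful. The sample records, account ID and ENI ID are constructed.

```python
from collections import namedtuple

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers

# Constructed sample records (documentation IP ranges, placeholder account/ENI).
SAMPLE = """\
2 111122223333 eni-0aaa1111bbbb2222c 198.51.100.7 10.0.1.5 49761 3389 6 20 4249 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aaa1111bbbb2222c 203.0.113.12 10.0.1.5 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0aaa1111bbbb2222c 10.0.1.5 203.0.113.12 0 0 1 4 336 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aaa1111bbbb2222c - - - - - - - 1700000060 1700000120 - NODATA
"""

def parse_record(line):
    """Parse one default-format record; return None if the field count is wrong."""
    parts = line.split()
    return FlowRecord(*parts) if len(parts) == len(FIELDS) else None

def describe(rec):
    """One-line summary of the traffic a record represents."""
    if rec.log_status != "OK":  # NODATA/SKIPDATA records carry "-" placeholders
        return f"no traffic data ({rec.log_status})"
    proto = PROTOCOLS.get(rec.protocol, f"proto {rec.protocol}")
    return (f"{rec.action} {proto} {rec.srcaddr}:{rec.srcport} -> "
            f"{rec.dstaddr}:{rec.dstport}")

def rejected_replies(records):
    """REJECT records that are the exact reverse of an ACCEPTed flow.

    A security group is stateful and lets the reply to an allowed request
    through, so a rejected reply indicates a network ACL rule.
    """
    accepted = {(r.srcaddr, r.srcport, r.dstaddr, r.dstport, r.protocol)
                for r in records if r.action == "ACCEPT"}
    return [r for r in records if r.action == "REJECT" and
            (r.dstaddr, r.dstport, r.srcaddr, r.srcport, r.protocol) in accepted]

RECORDS = [r for r in map(parse_record, SAMPLE.splitlines()) if r]

if __name__ == "__main__":
    for rec in RECORDS:
        print(describe(rec))
    for rec in rejected_replies(RECORDS):
        print("reply rejected, check NACL rules:", describe(rec))
```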

Weeks 6–8

Infrastructure Security: WAF, Shield, Network Firewall, Security Groups, NACLs, PrivateLink

Tip: AWS WAF rules are tested in depth. Know the difference between AWS Managed Rules (pre-built rule groups like AWSManagedRulesCommonRuleSet), rate-based rules (throttle by IP), IP set rules (block/allow specific addresses), and regex pattern set rules (match request patterns).

Weeks 9–12

IAM, Data Protection, KMS, Secrets Manager, Certificate Manager, and Governance

Tip: KMS key types: AWS Managed Keys (AWS creates and manages, free, no access to key material), Customer Managed Keys (you control key policy, rotation, deletion — cost per key per month), and Customer Provided Keys (SSE-C for S3, you manage the key material completely). Know the use case for each.

SCS-C02 Exam Tips

IAM policy evaluation is a foundational skill for SCS-C02. Know the evaluation order: SCPs (filter what's allowed at org level) → resource-based policies → identity-based policies → permission boundaries → session policies. An explicit deny at any layer blocks the request.
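The evaluation order above can be rehearsed with a small model, added here as a study aid (it is not AWS code and not part of the original guide). Assumptions: a same-account request, no Condition or Principal handling, single-string Action and Resource values with wildcard matching, and a matching resource-based Allow treated as sufficient on its own; `stmt` and `evaluate` are hypothetical helper names.

```python
from fnmatch import fnmatchcase

def stmt(effect, action, resource="*"):
    """Build a one-statement policy document (helper for this example)."""
    return {"Statement": [{"Effect": effect, "Action": action,
                           "Resource": resource}]}

def _has(policies, effect, action, resource):
    """True if any statement with this effect matches the request."""
    for policy in policies or []:
        for s in policy["Statement"]:
            if (s["Effect"] == effect
                    and fnmatchcase(action.lower(), s["Action"].lower())
                    and fnmatchcase(resource, s["Resource"])):
                return True
    return False

def evaluate(action, resource, *, scps=None, resource_policies=None,
             identity_policies=None, boundaries=None, session_policies=None):
    """Return (decision, reason). A layer left as None is not in effect."""
    layers = [scps, resource_policies, identity_policies,
              boundaries, session_policies]
    # An explicit Deny in any layer ends the evaluation.
    if any(_has(layer, "Deny", action, resource) for layer in layers):
        return "Deny", "explicit deny"
    if scps is not None and not _has(scps, "Allow", action, resource):
        return "Deny", "implicit deny: SCP"
    # Assumption: the resource policy names the caller as Principal.
    if _has(resource_policies, "Allow", action, resource):
        return "Allow", "resource-based policy"
    if not _has(identity_policies, "Allow", action, resource):
        return "Deny", "implicit deny: identity-based policy"
    if boundaries is not None and not _has(boundaries, "Allow", action, resource):
        return "Deny", "implicit deny: permissions boundary"
    if session_policies is not None and not _has(session_policies, "Allow",
                                                 action, resource):
        return "Deny", "implicit deny: session policy"
    return "Allow", "identity-based policy"

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed ARN
    print(evaluate("s3:GetObject", obj,
                   identity_policies=[stmt("Allow", "s3:*")],
                   boundaries=[stmt("Allow", "ec2:*")]))
```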

AWS Lake Formation provides fine-grained access control for a data lake on S3. Know that Lake Formation uses table and column-level permissions in addition to S3 bucket policies — it is the recommended way to implement column-level security on Glue Data Catalog tables.

Cross-account access patterns: resource-based policies (S3 bucket policy, KMS key policy) vs IAM role assumption (sts:AssumeRole). Know that resource-based policies can grant cross-account access directly; role assumption requires an STS call and generates temporary credentials.

AWS Certificate Manager (ACM) automatically renews SSL/TLS certificates for services it integrates with (ALB, CloudFront, API Gateway). Know that ACM certificates cannot be exported — if you need to install a cert on an EC2 instance, you must import a certificate or use a third-party CA.

Amazon Macie uses machine learning to discover and classify sensitive data in S3. Know the Macie finding types: Policy findings (misconfigured S3 bucket settings like public access, no encryption) and Sensitive Data findings (PII, financial data, credentials detected in object content).


SCS-C02 concept guides

Deep-dive explanations of the key topics tested on SCS-C02 — with exam key points and common misconceptions.

AWS Security Specialty

The AWS Security Specialty (SCS-C02) is the deepest AWS security credential — it tests your ability to design and implement security controls across the full AWS architecture.
