AWS Certified Security - Specialty Exam Prep
The AWS Certified Security - Specialty (SCS-C02) exam validates skills in threat detection, security logging, infrastructure security, IAM, data protection, and security governance. ExamPal publishes 583 premium questions and a 40-question free practice exam for this AWS certification, with pages mapped to 6 blueprint domains. The local official-details index records: 170 minutes; 65 total: 50 scored + 15 unscored; Multiple choice / multiple response; SCS-C03 adds ordering/matching/content type changes. Local ExamPal metadata marks this exam spec as retired/replaced after 2025-12-01, so candidates should verify the currently required AWS exam version before booking.
Exam Details
Exam Overview
- Administered by: AWS Certification
- Exam Format: 65 total: 50 scored + 15 unscored; 170 minutes; Multiple choice / multiple response; SCS-C03 adds ordering/matching/content type changes
- Passing Score: 750 / 1000
- Exam Fee: $300
- Prerequisite: AWS security engineering, identity, monitoring, and governance experience are recommended.
Topics Covered
ExamPal covers all major topics tested on the AWS Certified Security - Specialty exam. Our questions are grounded in official study materials.
Exam Blueprint
What the AWS Certified Security - Specialty Exam Tests
The exam is divided into 6 domains. Here is what each domain covers and how much weight it carries on the test.
Domain 1: Threat Detection and Incident Response
14% of exam
This domain covers designing and implementing incident response capabilities, detecting threats and anomalies, and responding to compromised resources and workloads in AWS environments. It emphasizes AWS security services, incident handling workflows, and forensic and remediation practices.
- Task 1.1: Design and implement an incident response plan
  - AWS best practices for incident response
  - Cloud incidents
- Task 1.2: Detect security threats and anomalies by using AWS services
  - AWS managed security services that detect threats
  - Anomaly and correlation techniques to join data across services
- Task 1.3: Respond to compromised resources and workloads
Key references: AWS SCS-C02 official exam guide · ExamPal shared topic tree
Domain 2: Security Logging and Monitoring
18% of exam
Covers designing, implementing, troubleshooting, and analyzing logging, monitoring, and alerting solutions for security events in AWS environments. The domain emphasizes selecting appropriate AWS services, configuring alerts and log collection, and ensuring solutions align with business and security requirements.
- Task 2.1: Design and implement monitoring and alerting to address security events
  - AWS services that monitor events and provide alarms
  - AWS services that automate alerting
- Task 2.2: Troubleshoot security monitoring and alerting
  - Configuration of monitoring services
  - Relevant data that indicates security events
- Task 2.3: Design and implement a logging solution
Domain 3: Infrastructure Security
20% of exam
This domain covers securing AWS edge services, network paths, compute workloads, and troubleshooting security-related connectivity issues. It emphasizes selecting and combining AWS security controls, monitoring for threats, and using telemetry and logs to detect and resolve attacks or misconfigurations.
- Task 3.1: Design and implement security controls for edge services
  - Security features on edge services
  - Common attacks, threats, and exploits
- Task 3.2: Design and implement network security controls
  - VPC security mechanisms
  - Inter-VPC connectivity
- Task 3.3: Design and implement security controls for compute workloads
Domain 4: Identity and Access Management
16% of exam
Covers AWS authentication and authorization concepts, including how identities are created and managed, how credentials are issued and used, and how access is controlled across AWS resources. It also includes troubleshooting access problems using AWS tools and services such as CloudTrail, IAM Access Advisor, and the IAM policy simulator.
- Task 4.1: Design, implement, and troubleshoot authentication for AWS resources
  - Methods and services for creating and managing identities
  - Long-term and temporary credentialing mechanisms
- Task 4.2: Design, implement, and troubleshoot authorization for AWS resources
  - Different IAM policies
  - Components and impact of a policy
Domain 5: Data Protection
18% of exam
This domain covers protecting data in transit, at rest, and through its lifecycle, as well as protecting credentials, secrets, and cryptographic key materials. It emphasizes selecting and implementing AWS security controls that preserve confidentiality and integrity across network, storage, and key-management scenarios.
- Task 5.1: Design and implement controls that provide confidentiality and integrity for data in transit
  - TLS concepts
  - VPN concepts (for example, IPsec)
- Task 5.2: Design and implement controls that provide confidentiality and integrity for data at rest
  - Encryption technique selection (for example, client-side, server-side, symmetric, asymmetric)
  - Integrity-checking techniques (for example, hashing algorithms, digital signatures)
- Task 5.3: Design and implement controls to manage the lifecycle of data at rest
Domain 6: Management and Security Governance
14% of exam
This domain covers centrally managing AWS accounts, deploying cloud resources securely and consistently, evaluating compliance, and identifying security gaps through reviews and cost analysis. It emphasizes governance controls, multi-account administration, and continuous assessment using AWS security and management services.
- Task 6.1: Develop a strategy to centrally deploy and manage AWS accounts
  - Multi-account strategies
  - Managed services that allow delegated administration
- Task 6.2: Implement a secure and consistent deployment strategy for cloud resources
  - Deployment best practices with infrastructure as code (IaC) (for example, AWS CloudFormation template hardening and drift detection)
  - Best practices for tagging
- Task 6.3: Evaluate the compliance of AWS resources
Why study with ExamPal
Everything you need to prepare for and pass the AWS Certified Security - Specialty exam, in one app.
- 583 SCS-C02 premium practice questions
- Free 40-question interactive practice exam
- 6 official AWS blueprint domains covered
- 149 glossary terms loaded from the shared terminology pack
- Detailed explanations and per-option rationales for study review
- Domain-level review paths with study guide, glossary, and static question pages
AWS Certified Security - Specialty Exam — Common Questions
What is the SCS-C02 exam?
How many SCS-C02 questions are in ExamPal?
What domains does SCS-C02 cover?
Does the free SCS-C02 practice exam include explanations?
Where do the SCS-C02 website pages get their data?