
AWS Certified Security – Specialty (SCS-C03) Study Guide 2026

Complete AWS SCS-C03 study guide for 2026. Covers all 6 updated domains, what changed from C02, key services tested, salary data, and a 6-week prep plan.

May 13, 2026 · 12 min read · By Sara Okonkwo

The AWS Certified Security – Specialty (SCS-C03) is the benchmark credential for cloud security engineers working in AWS environments. It validates that you can design, implement, and troubleshoot security controls across the full AWS service stack — not just configure a policy and call it done.

The exam was substantially updated in December 2025. Every SCS-C02 study guide on the internet is now out of date. This guide covers the current SCS-C03 blueprint: the new domain structure, what changed, which AWS services carry the most exam weight, and a realistic 6–8 week preparation plan.

SCS-C03 Exam Details at a Glance

| Detail | Value |
| --- | --- |
| Questions | 65 total (50 scored + 15 unscored) |
| Passing score | 750 / 1,000 |
| Duration | 170 minutes |
| Cost | $300 USD |
| Validity | 3 years |
| Prerequisites | None (AWS recommends 5 years IT security + 2+ years hands-on AWS) |
| Pass rate | ~65% |

One important change from C02: the SCS-C03 is no longer purely multiple choice. The exam now includes ordering questions (arrange 3–5 responses in the correct sequence) and matching questions (match 3–7 prompts to the right answers). Both question types require fully correct answers to score — partial credit doesn't apply. If you've only practiced with traditional multiple choice, this will catch you off guard.

What Changed From SCS-C02 to SCS-C03

This is the most important thing to know before you start studying. The December 2025 update wasn't a minor refresh.

Domain restructuring

| Domain | SCS-C02 Weight | SCS-C03 Weight | Change |
| --- | --- | --- | --- |
| Identity and Access Management | 16% | 20% | +4% |
| Infrastructure Security | 20% | 18% | −2% |
| Data Protection | 22% | 18% | −4% |
| Detection | (combined in C02) | 16% | New split |
| Incident Response | (combined in C02) | 14% | New split |
| Security Foundations and Governance | | 14% | Renamed |

Detection and Incident Response were formerly combined into a single domain. They're now separate, which means you need genuine depth in both — not just awareness that CloudTrail logs exist.

New topics added

  • Generative AI/LLM application security — The GenAI OWASP Top 10 now appears in the exam scope. Prompt injection, data leakage from model context, and securing AI workloads on AWS (Bedrock, SageMaker) are testable topics
  • Resource Control Policies (RCPs) — A new AWS Organizations control type that enforces maximum permissions on resources across accounts, distinct from SCPs which limit principal permissions
  • Declarative policies — Organization-wide policy enforcement that applies automatically to new accounts and services
  • Third-party integrations — OCSF (Open Cybersecurity Schema Framework) data ingestion into Security Lake, third-party WAF rule sets

If your study materials don't cover RCPs and GenAI security, they were written for C02.

The Six SCS-C03 Domains

Domain 1: Identity and Access Management (20%)

IAM is now the single heaviest domain, accounting for one in five exam questions. The exam goes well beyond "attach a policy to a role." Expect scenario questions involving:

  • Permission boundaries — How they interact with identity-based policies and resource-based policies simultaneously
  • Cross-account access patterns — Role chaining, resource-based policies vs. role assumption, when to use each
  • Service Control Policies (SCPs) — Inheritance through OU hierarchies, allow-list vs. deny-list strategies, interaction with permission boundaries
  • Resource Control Policies (RCPs) — New in C03; limit resource-level access regardless of identity policies
  • IAM Access Analyzer — Detecting external access, validating policies, generating least-privilege policies from CloudTrail

The hardest IAM questions layer three or four of these controls together and ask what the effective permission is. The only way to get comfortable with these is hands-on practice — reading documentation alone is insufficient.
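To make the layering concrete, here is an added example (not from the article or from AWS) that models the effective-permission logic for a same-account request across identity policy, permission boundary, SCP and RCP. It is deliberately simplified: condition keys and resource-based policies are omitted, and the sample policies and ARNs are constructed.

```python
"""Simplified AWS policy evaluation for one action in a single account.

Rules modelled: an explicit Deny in any applicable policy wins; otherwise the
identity policy must Allow, and every guardrail that is attached (permission
boundary, SCP, RCP) must also Allow. Conditions and resource-based policies
are left out to keep the model short.
"""
from fnmatch import fnmatchcase

def _matches(stmt, action, resource):
    acts = stmt.get("Action", [])
    acts = [acts] if isinstance(acts, str) else acts
    ress = stmt.get("Resource", "*")
    ress = [ress] if isinstance(ress, str) else ress
    return (any(fnmatchcase(action, a) for a in acts)
            and any(fnmatchcase(resource, r) for r in ress))

def _verdict(policy, action, resource):
    """'Deny', 'Allow', or None (implicit deny) for one policy document."""
    if policy is None:
        return None
    result = None
    for stmt in policy.get("Statement", []):
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny short-circuits
            result = "Allow"
    return result

def effective_permission(action, resource, identity, boundary=None, scp=None, rcp=None):
    guardrails = {"boundary": boundary, "scp": scp, "rcp": rcp}
    verdicts = {name: _verdict(p, action, resource) for name, p in guardrails.items()}
    verdicts["identity"] = _verdict(identity, action, resource)
    if "Deny" in verdicts.values():
        return "Deny (explicit)"
    if verdicts["identity"] != "Allow":
        return "Deny (identity policy does not allow)"
    for name, policy in guardrails.items():   # absent guardrail = no restriction
        if policy is not None and verdicts[name] != "Allow":
            return f"Deny ({name} does not allow)"
    return "Allow"

# Constructed scenario: broad identity policy, narrow boundary, SCP with a deny.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BUCKET = "arn:aws:s3:::payroll-data"   # constructed ARN

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:PutBucketPolicy", "s3:DeleteBucket"):
        print(act, "->", effective_permission(act, BUCKET, IDENTITY, BOUNDARY, SCP))
```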

Domain 2: Infrastructure Security (18%)

Network security and compute hardening across AWS services:

  • VPC design — Security groups vs. NACLs, private subnet patterns, VPC endpoints (interface vs. gateway), traffic inspection with AWS Network Firewall
  • Edge protection — AWS WAF (managed rule groups, custom rules, rate limiting), AWS Shield Advanced (DDoS protection, cost protection, proactive support)
  • EC2 and container security — IMDSv2 enforcement, Systems Manager Session Manager vs. SSH, ECS/EKS security contexts
  • Secrets management — AWS Secrets Manager vs. Parameter Store (SecureString), automatic rotation, cross-account access patterns

VPC Flow Logs analysis questions are common. Know how to read them, identify suspicious patterns, and correlate with other log sources.
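As an added example (not from the article), the following parses VPC Flow Log records in the default format and flags one of the patterns worth recognising: a single source whose rejected connections fan out across many destination ports. The log lines are constructed; the field order is the documented default-format order.

```python
"""Parse default-format VPC Flow Log records and flag port-scan-like behaviour."""
from collections import defaultdict

# Default VPC Flow Log field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one source probing five ports (all REJECT), one normal
# HTTPS exchange (ACCEPT both ways), and one NODATA record with no flow fields.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51010 22 6 4 240 1715600000 1715600059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51011 23 6 4 240 1715600000 1715600059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51012 3389 6 4 240 1715600000 1715600059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51013 445 6 4 240 1715600000 1715600059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51014 8080 6 4 240 1715600000 1715600059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40212 443 6 20 4000 1715600000 1715600059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 443 40212 6 18 3600 1715600000 1715600059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1715600000 1715600059 - NODATA
"""

def parse(text):
    """Return one dict per usable record; NODATA/SKIPDATA records are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # no flow fields to interpret
        for f in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records

def find_port_scans(records, min_ports=5):
    """Sources whose REJECTed flows touched at least min_ports distinct dst ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(find_port_scans(parse(SAMPLE_LOGS)))
```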

Domain 3: Data Protection (18%)

Encryption at rest and in transit across every major storage and data service:

  • AWS KMS — Customer-managed keys vs. AWS-managed keys, key policies, grants, cross-account key usage, automatic vs. manual rotation
  • S3 security — Bucket policies, ACLs (now discouraged), Object Lock (WORM compliance), server-side encryption options (SSE-S3, SSE-KMS, SSE-C), presigned URLs
  • Database encryption — RDS encryption (at-rest with KMS, TLS in-transit), DynamoDB encryption, Redshift encryption
  • Certificate management — ACM certificate issuance, private CA, certificate pinning

A significant portion of Data Protection questions are KMS policy interpretation scenarios. Study key policy structure (Principal, Action, Resource, Condition) as carefully as you study IAM policies.

Domain 4: Detection (16%)

Building the visibility layer that makes everything else actionable:

  • Amazon GuardDuty — Threat intelligence feeds, finding types (reconnaissance, credential compromise, malware), S3 protection, EKS protection, multi-account deployment via Organizations
  • AWS Security Hub — Aggregating findings, security standards (CIS, AWS Foundational Security Best Practices, PCI DSS), custom insights
  • Amazon Macie — Sensitive data discovery in S3, custom data identifiers, automated findings
  • Amazon Detective — Investigation of GuardDuty findings using graph analysis across CloudTrail, VPC Flow Logs, and GuardDuty data
  • Amazon Security Lake — Centralizing security logs in OCSF format, integrating third-party tools

The Detection domain tests your ability to choose the right service for a given detection need — GuardDuty detects threats, Macie finds sensitive data, Detective investigates GuardDuty findings, Security Hub aggregates everything. Confusing these on the exam is a common failure mode.

Domain 5: Incident Response (14%)

What you do after detection fires:

  • Automated response — EventBridge rules triggering Lambda functions or Systems Manager Automation runbooks
  • Forensics on AWS — Isolating EC2 instances, creating forensic snapshots, memory capture options, chain-of-custody considerations
  • Compromise scenarios — IAM credential exposure (rotate, invalidate sessions, audit usage), S3 data exfiltration (block public access, enable Macie, audit CloudTrail), ransomware response
  • IR playbook design — NIST IR framework applied to AWS-specific scenarios

Incident Response questions are almost always multi-step scenarios. The exam doesn't just ask "what service detects this?" — it asks what you do in what order after the alarm fires.

Domain 6: Security Foundations and Governance (14%)

The organizational and compliance layer:

  • AWS Organizations — Organizational structure, delegated administration, cross-account security tools
  • AWS Config — Config rules, conformance packs, remediation actions, aggregators
  • AWS Audit Manager — Evidence collection for compliance frameworks
  • Compliance frameworks — How AWS services map to PCI DSS, HIPAA, SOC 2, ISO 27001 requirements
  • Shared Responsibility Model — Where AWS responsibility ends and customer responsibility begins for each service category

For broader context on the threat landscape that makes these governance controls necessary, our guide to cloud security threats in 2026 covers the attack vectors that governance and detection controls are designed to catch.

Key AWS Services by Exam Weight

These services appear across multiple domains and generate the most questions:

Tier 1 — Know deeply:

  • IAM (policies, roles, Permission Boundaries, Access Analyzer)
  • AWS KMS (key policies, grants, rotation, cross-account)
  • Amazon GuardDuty (all protection types, multi-account)
  • AWS CloudTrail (management events, data events, log file integrity, multi-region, organization trails)
  • AWS Security Hub (standards, findings, custom actions)

Tier 2 — Know well:

  • Amazon Macie, Amazon Detective
  • AWS WAF and Shield Advanced
  • Amazon VPC (Flow Logs, endpoints, Network Firewall)
  • AWS Organizations (SCPs, RCPs, Organizational Units)
  • AWS Config (rules, remediation, conformance packs)
  • AWS Secrets Manager

Tier 3 — Know the use case:

  • Amazon Inspector (EC2 and container vulnerability scanning)
  • AWS Audit Manager
  • AWS Security Lake (OCSF, data sources, third-party integration)
  • ACM Private CA

What the Exam Actually Looks Like

SCS-C03 questions are scenario-heavy. A typical question describes a company with a specific AWS architecture and a specific problem — a compromised credential, a misconfigured S3 bucket, a compliance finding — and asks what the security engineer should do.

The distractor answers are frequently plausible. AWS consistently includes options that would work in a different scenario, or that address a symptom rather than a root cause. The exam rewards understanding why each service exists and how they interact, not just knowing what each service does in isolation.

A representative scenario type:

A company uses AWS Organizations with multiple accounts. A GuardDuty finding indicates an IAM access key was used from an unusual geographic location. What should the security engineer do first?

Wrong answer traps: deleting the IAM user (too destructive), disabling GuardDuty (backwards), changing the S3 bucket policy (unrelated). The correct sequence involves invalidating active sessions, rotating the key, reviewing CloudTrail for what was accessed, and then investigating scope — in that order.

SCS-C03 Salary and Career Value in 2026

AWS Certified Security – Specialty is consistently ranked among the highest-paying technical certifications. 2026 salary data:

| Level | Annual Salary |
| --- | --- |
| Entry-level cloud security | $70,000–$95,000 |
| Mid-level security engineer | $125,000–$155,000 |
| Senior security architect | $155,000–$180,000+ |
| Major metro (SF, NYC, Seattle) | $180,000–$220,000+ |

The median reported salary for AWS Security Specialty-certified professionals nationally is approximately $158,600. Job listings requiring this certification increased 73% in a recent 12-month tracking period, and demand has continued to accelerate as organizations face growing regulatory requirements and cloud-native threat actor sophistication.

The credential is most valuable when paired with hands-on experience and a foundational cert. If you haven't yet earned the AWS Solutions Architect Associate, it's worth reviewing whether that's the right first step — our AWS Solutions Architect Associate study guide covers the foundational AWS knowledge that underpins a lot of the SCS-C03 content.

The 6-Week Study Plan

AWS's own recommendation is 5 years of IT security experience and 2+ years of hands-on AWS security work before attempting this exam. Community consensus is closer to 3–5 years of cloud experience. This is not an entry-level certification, and the ~65% pass rate reflects that.

With the right background, 6–8 weeks of focused study is sufficient for most candidates.

Weeks 1–2: Foundations and IAM

Goal: Eliminate IAM as a weak spot before anything else.

  • Read the official SCS-C03 Exam Guide on AWS — this is your canonical study scope, not a third-party summary
  • Complete the AWS Skill Builder Exam Prep Plan for SCS-C03 (free tier covers the structured plan; Enhanced tier adds labs and official pretests)
  • Spend significant time on IAM deep dives: policy evaluation logic, permission boundaries, cross-account patterns, SCPs, and the new RCPs
  • Lab: Create complex cross-account IAM scenarios in a real AWS environment. Read the policy evaluation documentation carefully

Weeks 3–4: Detection and Infrastructure

Goal: Understand the detection service ecosystem and how each piece connects.

  • Enable GuardDuty, Security Hub, Macie, and Config in a personal AWS account. Review the findings they generate
  • Study VPC Flow Logs: download sample logs, practice reading them, correlate with GuardDuty findings
  • Work through the AWS Security Incident Response Guide (free whitepaper)
  • Lab: Simulate a credential compromise scenario — what does GuardDuty detect? What does CloudTrail show? How would you remediate?

Weeks 5–6: Data Protection, Governance, and Practice Exams

Goal: Lock in KMS, fill gaps, reach exam readiness.

  • Deep study of KMS key policy structure — practice writing and interpreting key policies for cross-account scenarios
  • Study S3 security controls systematically: bucket policies, Object Lock, encryption options, Block Public Access settings
  • Work through AWS Config conformance packs and remediation configurations
  • Review GenAI security topics: Bedrock security controls, prompt injection patterns, data isolation in AI workloads
  • Take 3–4 full-length practice exams. Tutorials Dojo is widely recommended for question style and difficulty calibration
  • Review every question you got wrong. For each wrong answer, trace back to the specific AWS documentation that clarifies the right answer

Building Your Reference Sheet

Unlike many exams, the SCS-C03's scenario types are predictable enough that you can know the shape of a problem before you see the specific question. Build a reference document covering:

  • Detection service decision tree: GuardDuty vs. Macie vs. Inspector vs. Security Hub — when to use each
  • KMS key policy vs. IAM policy vs. bucket policy — what controls what
  • SCP vs. RCP vs. Permission Boundary — scope and interaction rules
  • Incident response sequence for the three most common scenarios: credential compromise, S3 data exposure, ransomware

Practice With Real AWS Security Tools

The SCS-C03 is one of the most hands-on specialty certifications AWS offers. The scenario questions are designed to distinguish engineers who've actually configured GuardDuty multi-account deployments and debugged KMS key policy permission errors from those who've only read about them.

CloudaQube's AWS security labs put you inside live environments where you can enable and configure real security services, generate and investigate GuardDuty findings, work through IAM policy debugging, and practice the incident response sequences the exam tests. Building that hands-on intuition before exam day is the most reliable way to push your score above 750.

Sara Okonkwo

AI & Cloud Engineer
