# How to Pass AWS Certified Security Specialty (SCS-C03) in 2026: Complete Study Guide
The AWS Certified Security Specialty (SCS-C03) is one of the most demanding AWS certifications available. At $300 and with a 170-minute time limit, it targets security engineers, cloud architects, and compliance specialists who design and operate secure AWS environments. It is not a beginner exam — AWS recommends at least five years of IT security experience and two years working with AWS.
If you meet that bar, this guide will help you structure your preparation efficiently. We will cover all six domains, the services you must know cold, and an eight-week study plan that respects the depth this exam requires.
## Exam Format at a Glance
| Detail | Value |
|---|---|
| Exam code | SCS-C03 |
| Cost | $300 USD |
| Questions | 65 (multiple choice + multiple response) |
| Duration | 170 minutes |
| Passing score | 75% |
| Valid for | 3 years |
| Recommended experience | 5 years IT security + 2 years AWS |
At 75% passing score and $300 per attempt, preparation quality matters more here than on most AWS exams. Budget at least 8 weeks of serious study time.
## Domain Breakdown
| Domain | Topic | Weight |
|---|---|---|
| 1 | Threat Detection and Incident Response | 14% |
| 2 | Security Logging and Monitoring | 18% |
| 3 | Infrastructure Security | 20% |
| 4 | Identity and Access Management | 16% |
| 5 | Data Protection | 18% |
| 6 | Management and Security Governance | 14% |
Infrastructure Security (20%) and the logging/data domains (18% each) form the bulk of the exam. IAM at 16% is smaller than you might expect, but the questions are typically harder — the exam tests edge cases in policy evaluation, not just basic role creation.
## Domain 1: Threat Detection and Incident Response (14%)
### Amazon GuardDuty
GuardDuty is AWS's managed threat detection service. It analyzes VPC Flow Logs, CloudTrail events, DNS logs, and EKS/RDS/S3/Lambda logs to detect threats automatically.
Key finding categories you must recognize:
- **Recon**: port scanning, unusual API calls probing account resources
- **UnauthorizedAccess**: credential use from unusual locations, impossible travel
- **CryptoCurrency**: EC2 instances communicating with known crypto mining pools
- **Trojan**: EC2 instances communicating with known C&C servers
- **Backdoor**: unusual outbound traffic, DNS exfiltration
- **Pentest**: use of Kali Linux, Parrot Security, or known pentest tool signatures
- **PrivilegeEscalation**: IAM policy changes suggesting privilege escalation attempts
GuardDuty findings integrate with Security Hub and EventBridge for automated response. GuardDuty Malware Protection scans EBS volumes of potentially compromised EC2 instances.
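The finding categories above all arrive at EventBridge in the same shape, so a response function usually starts by parsing the finding type and severity before deciding what to do. The following is an added example (not code from this guide or from AWS): the decision logic a responder Lambda could run before it touches any EC2 or IAM API. The event, instance ID and finding ID are constructed to follow the EventBridge "GuardDuty Finding" format; the `isolate-instance` and `disable-access-key` action names are this example's own.

```python
"""Triage a GuardDuty finding delivered through EventBridge.

Added example: pure decision logic a response Lambda could run before
calling EC2/IAM APIs. The sample event is constructed to follow the shape
of a GuardDuty finding event; it is not a real finding.
"""
import re

# GuardDuty finding types follow
# ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)

# Purposes the guide describes as an EC2 instance talking to known-bad infrastructure.
CONTAINMENT_PURPOSES = {"CryptoCurrency", "Trojan", "Backdoor"}
# Purposes that point at a compromised or misused credential.
CREDENTIAL_PURPOSES = {"UnauthorizedAccess", "PrivilegeEscalation"}


def parse_finding_type(finding_type: str) -> dict:
    """Split a finding type into its named parts (absent parts are None)."""
    match = FINDING_TYPE_RE.match(finding_type)
    if match is None:
        raise ValueError(f"unrecognised GuardDuty finding type: {finding_type!r}")
    return match.groupdict()


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity onto its Low/Medium/High bands."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def triage(event: dict) -> dict:
    """Decide the automated response for one EventBridge GuardDuty event.

    Returns the action and its target so the caller can log, review or
    execute it. Anything not matched is routed to a human.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    parts = parse_finding_type(detail["type"])
    label = severity_label(float(detail["severity"]))
    resource = detail.get("resource", {})
    rtype = resource.get("resourceType")

    if parts["purpose"] in CONTAINMENT_PURPOSES and rtype == "Instance" and label == "High":
        # A real responder would move the instance into a quarantine security
        # group and snapshot its volumes so Detective and forensics keep the evidence.
        return {
            "action": "isolate-instance",
            "target": resource["instanceDetails"]["instanceId"],
            "severity": label,
            "reason": f"{parts['purpose']} finding, artifact {parts['artifact'] or 'n/a'}",
        }
    if parts["purpose"] in CREDENTIAL_PURPOSES and rtype == "AccessKey":
        # Disabling (not deleting) the key preserves the audit trail for the investigation.
        return {
            "action": "disable-access-key",
            "target": resource["accessKeyDetails"]["accessKeyId"],
            "severity": label,
            "reason": f"{parts['purpose']}:{parts['resource']}/{parts['family']}",
        }
    return {"action": "open-ticket", "target": detail.get("id"), "severity": label, "reason": detail["type"]}


# Constructed sample event in the EventBridge "GuardDuty Finding" shape.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "00000000000000000000000000000000",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8.0,
        "accountId": "111122223333",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

The same function serves a Security Hub path, because Security Hub forwards GuardDuty findings with the original `type` string intact; only the `detail-type` check would change.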
### Amazon Detective
Detective helps investigate security findings by correlating data from CloudTrail, VPC Flow Logs, and GuardDuty findings into a graph model. Use Detective when you need to understand what happened during an incident — GuardDuty tells you something is wrong, Detective helps you figure out the blast radius and timeline.
### AWS Security Hub
Security Hub aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and third-party tools into a centralized console. It scores your account against security standards (AWS Foundational Best Practices, CIS AWS Foundations, PCI DSS).
## Domain 2: Security Logging and Monitoring (18%)
### AWS CloudTrail
CloudTrail is the cornerstone of AWS security logging. It records API calls made against your account.
Three event types:
- **Management events**: control plane operations (CreateBucket, RunInstances, CreateUser). Enabled by default.
- **Data events**: data plane operations (S3 GetObject/PutObject, Lambda function invocations). Must be explicitly enabled — high volume, higher cost.
- **CloudTrail Insights**: anomaly detection on write management events (detects unusual API call rates, unusual error rates). Separate cost.
For threat investigation, CloudTrail + Athena is a common pattern: store CloudTrail logs in S3, use Athena to run SQL queries for forensic analysis across billions of events.
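To make the CloudTrail record format concrete, here is an added example (not from this guide) that runs three of the questions you would normally put to Athena directly over a downloaded log file: denied-call bursts per principal (the kind of error-rate anomaly CloudTrail Insights flags), any root-user activity, and calls that alter the trail itself. The records are constructed in the CloudTrail record format; the account ID, ARNs, IP addresses and timestamps are invented, and the window and threshold values are this example's own choices.

```python
"""Forensic checks over CloudTrail records, run locally.

Added example, not from the guide: the questions you would put to Athena,
expressed in Python so they run on a downloaded log file. The records are
constructed in the CloudTrail record format; all identifiers are invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "111122223333"
# API calls that weaken the audit trail itself.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# Error codes CloudTrail records for an authorization failure.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def _rec(time, source, name, arn, ip, itype="IAMUser", error=None):
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": itype, "arn": arn}, "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error
    return rec


CI_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-runner/i-0abc123"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"

# Constructed log file: one CloudTrail S3 object is a JSON document with a Records array.
SAMPLE_LOG_TEXT = json.dumps({"Records": [
    _rec("2026-01-15T10:00:01Z", "iam.amazonaws.com", "ListUsers", ALICE, "203.0.113.10"),
    # six denied secret reads in six minutes from one role: enumeration, or a broken deploy
    *[_rec(f"2026-01-15T10:0{i}:30Z", "secretsmanager.amazonaws.com", "GetSecretValue", CI_ROLE,
           "198.51.100.20", "AssumedRole", "AccessDenied") for i in range(6)],
    _rec("2026-01-15T10:12:00Z", "signin.amazonaws.com", "ConsoleLogin",
         f"arn:aws:iam::{ACCOUNT}:root", "198.51.100.7", "Root"),
    _rec("2026-01-15T10:15:00Z", "cloudtrail.amazonaws.com", "StopLogging", ALICE, "203.0.113.10"),
]})


def load_records(text: str) -> list:
    """Parse one CloudTrail log file (a JSON object with a 'Records' array)."""
    return json.loads(text)["Records"]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def access_denied_bursts(records, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Principals with at least `threshold` denied calls inside one sliding window.

    Athena equivalent (without the time window):
      SELECT useridentity.arn, count(*) FROM cloudtrail_logs
      WHERE errorcode IN ('AccessDenied', 'Client.UnauthorizedOperation')
      GROUP BY useridentity.arn HAVING count(*) >= 5
    """
    times = defaultdict(list)
    for r in records:
        if r.get("errorCode") in DENIED_CODES:
            times[r["userIdentity"]["arn"]].append(_ts(r["eventTime"]))
    bursts = {}
    for arn, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[arn] = best
    return bursts


def root_activity(records) -> list:
    """Any root-user call is worth review; the root user should be MFA-locked and idle."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
            for r in records if r["userIdentity"].get("type") == "Root"]


def trail_tampering(records) -> list:
    """Calls that stop, delete or alter a trail, with the principal that made them."""
    return [(r["eventTime"], r["eventName"], r["userIdentity"]["arn"])
            for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING_EVENTS]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_TEXT)
    print("denied bursts:", access_denied_bursts(recs))
    print("root activity:", root_activity(recs))
    print("trail tampering:", trail_tampering(recs))
```

On a real trail the `Records` array comes from gzip-compressed objects in S3; the logic above is unchanged, only the loader differs.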
### AWS Config
Config continuously evaluates your resource configurations against desired-state rules.
- **Config Rules**: can be AWS-managed (250+ pre-built) or custom (Lambda-backed)
- **Conformance Packs**: bundled set of rules for compliance standards (CIS, PCI, HIPAA)
- **Config Aggregator**: collects configuration data across accounts and regions into a single view
- **Remediation**: auto-remediate non-compliant resources via Systems Manager Automation
### Amazon Macie
Macie uses ML to discover and classify sensitive data (PII, financial data, credentials) in S3 buckets. It generates findings for sensitive data and bucket security issues (public access, no encryption). Used for data discovery and DLP (Data Loss Prevention).
## Domain 3: Infrastructure Security (20%)
### AWS WAF
Web Application Firewall protects ALB, API Gateway, CloudFront, and AppSync:
- **Web ACL**: collection of rules evaluated in priority order
- **Managed Rule Groups**: pre-built rule sets from AWS and AWS Marketplace partners (OWASP Top 10, SQL injection, known bad IPs)
- **Rate-based rules**: block source IPs that exceed a request rate threshold
- **Scope**: WAF web ACLs are either regional (ALB, API Gateway, AppSync) or global (CloudFront)
💡 **Exam Tip:** CloudFront-attached WAF is a global resource (deployed in us-east-1). ALB/API Gateway WAF is regional. A web ACL cannot be shared across scopes.
### AWS Shield
- **Shield Standard**: automatic protection against common L3/L4 DDoS attacks. Included free for all AWS customers.
- **Shield Advanced**: enhanced protection for EC2, ALB, CloudFront, Route 53, Global Accelerator. Benefits include: 24/7 DDoS Response Team (DRT) access, cost protection against DDoS-induced scaling charges, advanced attack visibility.
### AWS Network Firewall
Stateful network firewall for VPCs:
- Deep packet inspection (L7)
- Supports Suricata-compatible IDS/IPS rules
- Deployed in a dedicated firewall subnet
- Centralized inspection architecture using Transit Gateway and inspection VPC
### IAM Access Analyzer
Analyzes resource-based policies to identify resources shared with external entities (outside your account or organization):
- Detects: S3 buckets, KMS keys, IAM roles, Lambda functions, SQS queues, Secrets Manager secrets accessible externally
- Access Analyzer for S3: scans bucket policies and ACLs
- Policy validation: checks new policies for errors and security best practices before applying them
## Domain 4: Identity and Access Management (16%)
### Service Control Policies (SCPs)
SCPs are applied to AWS Organizations accounts or OUs. They define the maximum permissions available in an account — they do not grant permissions directly.
Critical properties:
- SCPs affect ALL principals in the account, including the root user
- An explicit Deny in an SCP cannot be overridden by any IAM policy
- SCP Deny + IAM Allow = Deny
- Management account of the organization is NOT affected by SCPs
- If no SCP in the account's hierarchy allows an action, the action is denied; in practice the "full access" SCP that AWS Organizations attaches by default allows everything until you replace it
### Permission Boundaries
Permission Boundaries limit the maximum permissions an IAM identity (user or role) can exercise. They do NOT grant permissions themselves.
- IAM policy grants: what the identity CAN do
- Permission boundary: the outer limit of what the identity is ALLOWED to do
- Effective permissions: the intersection of the IAM policy and the permission boundary
**Exam trap**: "A developer was given a permission boundary for S3 full access. They cannot access DynamoDB even though their IAM policy allows it." This is correct behavior — the permission boundary limits them to S3.
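The SCP and permission boundary rules above are easiest to internalize as an evaluation order. The following added example (not code from this guide, and a simplification of IAM's real evaluation logic) models only the Action element: resource ARNs, Conditions, NotAction, resource-based policies and session policies are left out so the layering stays visible. The policy documents are constructed, and the `management_account` flag and reason strings are this example's own.

```python
"""Simplified IAM authorization across SCP, permission boundary and identity policy.

Added example, not from the guide. Only Action matching is modelled:
resource ARNs, Conditions, NotAction, resource-based policies and session
policies are deliberately left out.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and patterns may use '*' and '?'.
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy: dict, action: str) -> str:
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document and one action."""
    decision = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return "Deny"          # an explicit deny ends evaluation
            decision = "Allow"
    return decision


def authorize(action, identity_policies, scps=(), boundary=None, management_account=False):
    """Combine the layers the way the exam expects.

    Every SCP on the path from the organization root to the account must allow
    the action (the management account is exempt), then the permission
    boundary, then the identity policies. An explicit deny anywhere is final
    and an implicit deny in any layer is a deny. Returns (allowed, reason).
    """
    layers = []
    if not management_account:
        layers += [("SCP", scp) for scp in scps]   # applies to every principal, root user included
    if boundary is not None:
        layers.append(("PermissionBoundary", boundary))
    merged = {"Statement": [s for p in identity_policies for s in _as_list(p["Statement"])]}
    layers.append(("IdentityPolicy", merged))

    for name, policy in layers:
        result = evaluate_policy(policy, action)
        if result == "Deny":
            return False, f"explicit deny in {name}"
        if result == "Implicit":
            return False, f"no allow in {name}"
    return True, "allowed by every layer"


# Constructed policies for the scenarios in this section.
FULL_ACCESS_SCP = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_TRAIL_SCP = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Deny",
                                    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                                    "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    # The exam trap: the identity policy allows DynamoDB, the boundary does not.
    print(authorize("dynamodb:GetItem", [DEVELOPER_POLICY], [FULL_ACCESS_SCP], S3_ONLY_BOUNDARY))
    print(authorize("s3:GetObject", [DEVELOPER_POLICY], [FULL_ACCESS_SCP], S3_ONLY_BOUNDARY))
    # An SCP deny beats an administrator's identity policy, except in the management account.
    print(authorize("cloudtrail:StopLogging", [ADMIN_POLICY], [FULL_ACCESS_SCP, PROTECT_TRAIL_SCP]))
    print(authorize("cloudtrail:StopLogging", [ADMIN_POLICY], [FULL_ACCESS_SCP, PROTECT_TRAIL_SCP],
                    management_account=True))
```

The `PROTECT_TRAIL_SCP` case is the one to remember for the exam: the identity policy is `*`, yet `cloudtrail:StopLogging` is denied in every member account, and the same call succeeds in the management account because SCPs never apply there.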
### KMS Key Policies vs Grants vs IAM Policies
| Mechanism | Where Applied | Use Case |
|---|---|---|
| Key policy | On the KMS key | Define who can use/manage the key; REQUIRED |
| IAM policy | On the IAM identity | Allow AWS services to use the key |
| Grant | Programmatic delegation | Temporary, fine-grained access for AWS services |
A KMS key whose key policy does not allow the root account becomes permanently inaccessible. Every key policy must include a statement allowing the root account to manage the key via IAM.
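Because a missing root statement is irreversible once the other principals disappear, it is worth linting key policies before `CreateKey` or `PutKeyPolicy`. The following is an added check, not code from this guide or from AWS: it looks for the statement the default key policy carries (Effect Allow, Principal the account root, Action `kms:*`, no Condition) and flags any Deny that would override it. The two policy documents and the account ID are constructed.

```python
"""Lint a KMS key policy for the root-account administration statement.

Added check, not from the guide. The sample policies are constructed.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> set:
    """Return the AWS principals a statement names ('*' for the anonymous wildcard)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else set()


def root_admin_problems(policy: dict, account_id: str) -> list:
    """Return the reasons this key policy could leave the key unmanageable.

    An empty list means the policy carries an unconditional kms:* Allow for
    the account root and no Deny that covers that principal.
    """
    root_arn = f"arn:aws:iam::{account_id}:root"
    has_root_allow = False
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        principals = _principals(stmt)
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if effect == "Allow" and root_arn in principals and "kms:*" in actions and "Condition" not in stmt:
            has_root_allow = True
        # A Deny naming the root principal or '*' on kms:* overrides any Allow.
        if effect == "Deny" and principals & {"*", root_arn} and actions & {"kms:*", "*"}:
            problems.append(f"statement {stmt.get('Sid', '<no Sid>')}: explicit Deny covers the root principal")
    if not has_root_allow:
        problems.append(f"no unconditional Allow of kms:* for {root_arn}")
    return problems


# The statement AWS's default key policy contains, on a constructed account ID.
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Id": "key-default-1", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"}]}

# Constructed: only one role can use the key and nobody can manage it. Delete
# that role and the key is orphaned.
ROLE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_KEY_POLICY), ("role-only", ROLE_ONLY_POLICY)):
        print(name, root_admin_problems(doc, "111122223333") or "ok")
```

Run it with the account ID the key actually lives in: the root statement from another account does nothing for this key, which the third assertion in the accompanying test reflects.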
## Domain 5: Data Protection (18%)
### S3 Server-Side Encryption Types
| Type | Key Management | Who Controls Key |
|---|---|---|
| SSE-S3 | AWS manages keys automatically | AWS |
| SSE-KMS | KMS CMK (AWS-managed or customer-managed) | Customer (customer-managed key) or AWS (aws/s3) |
| SSE-C | Customer provides key with each request | Customer |
| DSSE-KMS | Dual-layer KMS encryption | Customer |
SSE-KMS gives you audit trails (CloudTrail logs every key use) and fine-grained access control. SSE-C puts full key management burden on the client. DSSE-KMS applies two layers of encryption for regulatory requirements.
### S3 Object Lock
S3 Object Lock prevents object deletion or overwriting for a retention period:
- **Governance mode**: users with special IAM permissions can override or delete protected objects
- **Compliance mode**: NO user — including root — can delete or overwrite during the retention period. Immutable once set.
- **Legal Hold**: indefinite protection independent of retention dates; can be toggled by users with the `s3:PutObjectLegalHold` permission
- Requires versioning enabled on the bucket
### CloudHSM vs KMS
| | KMS | CloudHSM |
|---|---|---|
| Management | Fully managed | You manage HSM cluster |
| FIPS 140-2 Level | Level 2 | Level 3 |
| Key accessibility | AWS has access | Only you have access |
| Integration | Native AWS service integration | Custom application integration |
| Use case | Most encryption needs | Regulatory requirements for exclusive key control |
### Secrets Manager Rotation
Secrets Manager stores and rotates secrets automatically:
- Built-in rotation support for RDS (MySQL, PostgreSQL, Oracle, MSSQL, Aurora), Redshift, DocumentDB
- Custom rotation via Lambda function for other secret types
- Rotation changes the secret value while maintaining access — applications retrieve the current secret value by name, not a hardcoded value
- Multi-user rotation strategy: keeps an alternate user with the previous secret active during rotation to avoid downtime
### ACM (AWS Certificate Manager)
ACM provisions and manages SSL/TLS certificates:
- Public certificates: free, automatically renewed
- Private certificates: via ACM Private CA, for internal services
- Deployed to: ELB, CloudFront, API Gateway
- **Cannot export**: ACM certificates for ELB/CloudFront are not exportable — you cannot use them on-premises
## 8-Week Study Plan
### Week 1: Threat Detection Services
- GuardDuty: finding types, enabling, EventBridge integration, malware scanning
- Detective: use cases, relationship to GuardDuty
- Security Hub: aggregation, ASFF format, standards
### Week 2: Logging and Monitoring
- CloudTrail: event types, multi-region trails, CloudTrail Insights, Athena analysis
- Config: rules, conformance packs, aggregator, auto-remediation
- Macie: data discovery, sensitive data findings, bucket security
### Week 3: Network and Infrastructure Security
- WAF: rule types, managed rules, rate-based rules, scope
- Shield Standard vs Advanced: DRT, cost protection
- Network Firewall: architecture, Suricata rules
- IAM Access Analyzer: finding types, policy validation
### Week 4: IAM Advanced
- SCPs: evaluation logic, root user impact, management account exclusion
- Permission Boundaries: mechanics, intersection with IAM policies
- Cross-account access: role assumption, trust policies, resource policies
### Week 5: KMS Deep Dive
- Key hierarchy: CMK, data keys, envelope encryption
- Key policy structure: required root access statement
- Grants: when to use vs IAM policies
- Cross-account key sharing
- KMS vs CloudHSM: when to use each
### Week 6: Data Protection
- S3 encryption types: SSE-S3 vs SSE-KMS vs SSE-C vs DSSE-KMS
- S3 Object Lock: governance vs compliance mode, legal hold
- Secrets Manager: rotation strategies, multi-user rotation
- ACM: certificate types, export limitations
### Week 7: Governance and Advanced Scenarios
- AWS Organizations: SCP inheritance, OU hierarchy
- AWS Control Tower: landing zone, guardrails, account factory
- Security automation: EventBridge + Lambda for auto-remediation
### Week 8: Full Practice Exams and Review
- Take 3 full timed practice exams
- Prioritize reviewing IAM policy evaluation and KMS key policy questions
- Trace every incorrectly answered question back to the official AWS security documentation
## Ready to Assess Your Readiness?
The SCS-C03 is a comprehensive exam that rewards deep knowledge over surface familiarity. The best preparation is working through realistic scenario questions that force you to apply concepts, not just recall them.
Our [AWS Security Specialty practice exam](/exams/aws-certified-security-specialty-scs-c03-340-questions) contains 340 questions across all six domains with detailed explanations covering every answer choice. It is designed to surface exactly the gaps you need to close before attempting the real exam.