
AWS Security Specialty SCS-C02 Exam Guide 2026: Everything You Need to Pass

Updated May 1, 2026 | 12 min read | Written by Certsqill experts
Quick facts: SCS-C02
Exam cost: $300 USD
Questions: 65 items
Time limit: 170 minutes
Passing score: 750 / 1000
Valid for: 3 years
Testing: Pearson VUE

Who this exam is for

The AWS Certified Security - Specialty (SCS-C02) exam is aimed at people who secure AWS workloads for a living: security engineers, cloud and platform engineers, DevOps practitioners and administrators who own IAM, logging, encryption and incident response in AWS accounts. AWS positions it as a specialty-level exam and recommends hands-on experience securing AWS workloads before you sit it.

You do not need years of experience, but you do need hands-on familiarity with the services in the domain list below. The exam tests applied knowledge and architectural judgement rather than memorisation: almost every question is a scenario with constraints, and you pick the option that satisfies all of them. If you can reason about trade-offs in realistic scenarios, structured practice will cover the rest.

Domain breakdown

The SCS-C02 exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain (weight): focus areas

Threat Detection & Incident Response (14%): GuardDuty finding types and severity, Macie sensitive-data discovery alerts, Security Hub aggregated findings, and incident response runbooks using Systems Manager Automation.
Security Logging & Monitoring (18%): CloudTrail organisation trails, VPC Flow Logs, Route 53 Resolver query logging, S3 server access logging, ELB access logs, and CloudWatch Logs centralisation with immutable log storage (for example S3 Object Lock on the log bucket).
Infrastructure Security (20%): VPC security (security groups, NACLs, PrivateLink, VPC endpoints), WAF web ACLs, Shield Advanced, Network Firewall, and designing defence-in-depth network architectures.
Identity & Access Management (16%): IAM policy evaluation logic, permissions boundaries, SCPs, resource-based policies, identity federation with SAML 2.0 and OIDC, IAM Identity Center (formerly AWS SSO), and cross-account access patterns.
Data Protection (18%): KMS key types, key policies, grants and cross-account access; CloudHSM cluster design; S3 encryption options (SSE-S3, SSE-KMS, SSE-C, DSSE-KMS); Secrets Manager rotation and RDS encryption.
Management & Security Governance (14%): AWS Organizations governance, Config conformance packs, Security Hub standards (CIS, PCI DSS, AWS FSBP), AWS Audit Manager, Detective for root-cause investigation, and compliance automation.

Infrastructure Security is the heaviest domain at 20%, and Security Logging & Monitoring and Data Protection add 18% each, so these three account for 56% of the exam. Candidates tend to under-invest in the logging and data-protection material because it feels conceptual; in practice these are the domains where the questions are most precise, testing specifics such as which log source records a given event or which condition key enforces a given control.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

GuardDuty finding investigation
"GuardDuty reports a finding of type UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom for an IAM user. Which action should the security engineer take FIRST?"
Tests GuardDuty finding types, severity levels and the incident response sequence. The .Custom suffix means the caller's IP matched a threat list you uploaded yourself, so the finding is high-confidence for your environment. The expected answer is to deactivate the user's access key and rotate credentials first, then investigate the key's activity in CloudTrail: containment before investigation.
Encryption key management
"A company must ensure that an S3 bucket can only store objects encrypted with a specific customer-managed KMS key. Objects uploaded without encryption or with a different key must be automatically rejected. How should this be enforced?"
Tests S3 bucket policy Deny statements using the s3:x-amz-server-side-encryption condition key (must be aws:kms) and the s3:x-amz-server-side-encryption-aws-kms-key-id condition key (must equal the key ARN), plus a Null condition to catch uploads that omit the encryption header entirely. Requires knowing that the key-id condition is matched against the full KMS key ARN, and that bucket default encryption on its own does not reject a request that names a different key; only a bucket policy does.
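The enforcement pattern behind the encryption question above, as an added example that is not from the page, Certsqill or AWS: the bucket policy with its three Deny statements, and a small evaluator for the Null and StringNotEquals operators so each statement can be checked against constructed PutObject requests without an AWS account. The bucket name, key ARN and sample requests are all made up; the condition keys and header names are the real S3 ones.

```python
from fnmatch import fnmatchcase

# Assumed names for the example: bucket and key ARN are made up.
BUCKET = "payroll-exports"
KEY_ARN = "arn:aws:kms:eu-west-1:111111111111:key/11111111-2222-3333-4444-555555555555"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

def _deny(sid, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": OBJECTS, "Condition": condition}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # No encryption header at all: the upload would silently fall back to the
        # bucket's default encryption, which may be a different key. Reject it.
        _deny("DenyUploadsWithoutSSEHeader",
              {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        # Header present but not SSE-KMS (AES256 is SSE-S3, aws:kms:dsse is DSSE-KMS).
        _deny("DenyNonKmsEncryption",
              {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        # SSE-KMS but with another key, or with no key id (the AWS managed aws/s3 key).
        _deny("DenyWrongKmsKey",
              {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}),
    ],
}

def _condition_holds(operator, key, wanted, ctx):
    """Evaluate one condition against the request context (only the operators used above)."""
    present = key in ctx
    if operator == "Null":                 # "true" means the key must be absent
        return present != (wanted == "true")
    if operator == "StringEquals":
        return present and ctx[key] == wanted
    if operator == "StringNotEquals":      # negated operators treat a missing key as a mismatch
        return not present or ctx[key] != wanted
    raise ValueError(f"operator {operator} not modelled")

def _statement_applies(stmt, action, resource, ctx):
    if not fnmatchcase(action, stmt["Action"]) or not fnmatchcase(resource, stmt["Resource"]):
        return False
    return all(_condition_holds(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items()
               for k, v in kv.items())

def evaluate_put(policy, object_key, ctx):
    """Sid of the first Deny that blocks this PutObject, or None if the bucket policy
    does not block it (an identity-based Allow is assumed; only Denies are modelled)."""
    resource = f"arn:aws:s3:::{BUCKET}/{object_key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, "s3:PutObject", resource, ctx):
            return stmt["Sid"]
    return None

def headers_to_context(headers):
    """Map the request headers S3 receives to the condition keys it populates."""
    mapping = {"x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
               "x-amz-server-side-encryption-aws-kms-key-id":
                   "s3:x-amz-server-side-encryption-aws-kms-key-id"}
    return {ck: headers[h] for h, ck in mapping.items() if h in headers}

# Constructed sample uploads: header sets a client might send.
OTHER_KEY = "arn:aws:kms:eu-west-1:111111111111:key/99999999-8888-7777-6666-555555555555"
REQUESTS = {
    "no_header": {},
    "sse_s3": {"x-amz-server-side-encryption": "AES256"},
    "kms_default_key": {"x-amz-server-side-encryption": "aws:kms"},
    "kms_other_key": {"x-amz-server-side-encryption": "aws:kms",
                      "x-amz-server-side-encryption-aws-kms-key-id": OTHER_KEY},
    "kms_right_key": {"x-amz-server-side-encryption": "aws:kms",
                      "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN},
}

def check_all():
    """Which Deny (if any) each sample request trips."""
    return {name: evaluate_put(BUCKET_POLICY, "2026-05/run.csv", headers_to_context(h))
            for name, h in REQUESTS.items()}

if __name__ == "__main__":
    for name, blocked_by in check_all().items():
        print(f"{name:16s} -> {blocked_by or 'not blocked by bucket policy'}")
```

Two caveats a practitioner would add. Clients that rely on bucket default encryption and send no header are rejected by the first statement, so set the default to the same key and still send the header from every client. And s3:PutObject also gates CreateMultipartUpload, which carries the same headers, so the policy covers large uploads as well; copy operations need the same treatment if the bucket is a copy destination.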
IAM policy troubleshooting
"A developer can list S3 buckets but receives an Access Denied error when attempting to read objects in a specific bucket. An IAM policy grants s3:GetObject on all resources. What is the MOST likely cause?"
Tests IAM policy evaluation logic: an explicit Deny anywhere overrides an Allow, and an implicit deny applies when nothing grants the action. With s3:GetObject allowed on all resources in the identity policy, the likely culprits are a bucket policy with an explicit Deny (or, if the bucket is in another account, a bucket policy that does not grant this principal anything), an SCP on the developer's account, or a permissions boundary on the user. One more check a practitioner makes before blaming the bucket policy: if the object is SSE-KMS encrypted, GetObject also needs kms:Decrypt on the key, granted through the key policy (and through the identity policy too for a key in another account); a missing KMS permission surfaces as the same Access Denied. Policy evaluation logic underpins the 16% IAM domain.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

W1
Week 1: Infrastructure Security & IAM
  • Study VPC security in depth: security group rule evaluation, NACL stateless processing, VPC endpoint types (gateway vs interface), and PrivateLink service design
  • Master IAM policy evaluation logic: identity-based policies, resource-based policies, permission boundaries, session policies, SCPs, and the explicit deny hierarchy
  • Learn WAF v2: web ACL rules, managed rule groups, rate-based rules, IP set references, and integration with ALB, API Gateway, and CloudFront
  • Study IAM Identity Center (SSO): permission sets, attribute-based access control, SAML federation flows, and external IdP integration
W2
Week 2: Data Protection & KMS
  • Master KMS: symmetric vs asymmetric keys, key policies vs IAM policies for access control, key grants, cross-account key sharing, and automatic key rotation
  • Learn S3 encryption in depth: SSE-S3, SSE-KMS (with key policy enforcement via bucket policy Deny), SSE-C, DSSE-KMS, and client-side encryption
  • Study Secrets Manager: secret rotation with Lambda functions, cross-account access, resource-based policies, and integration with RDS, Redshift, and DocumentDB
  • Understand CloudHSM: single-tenant FIPS 140 Level 3 validated hardware that you administer, cluster architecture, PKCS#11/JCE/OpenSSL interfaces and KMS custom key stores, when to use CloudHSM over KMS, and the shared responsibility boundary
W3
Week 3: Threat Detection, Logging & Governance
  • Learn GuardDuty finding types: the threat purposes that prefix a finding type (Backdoor, Behavior, CryptoCurrency, PenTest, Policy, Recon, Stealth, Trojan, UnauthorizedAccess, and the MITRE-style purposes such as Persistence, PrivilegeEscalation, Discovery, Exfiltration and Impact), the resource type that follows the colon (EC2, IAMUser, S3, Kubernetes, and others), and typical containment steps for each
  • Study Security Hub: ASFF finding format, security standards (CIS AWS Foundations, AWS FSBP, PCI-DSS), cross-account aggregation, and integration with EventBridge for automated response
  • Understand AWS Config: conformance packs, proactive evaluation mode, and Config aggregator for multi-account findings with Security Hub integration
  • Study CloudTrail: log file integrity validation, organisation trails, encryption with KMS, and using Athena to query CloudTrail logs in S3
W4
Week 4: Incident Response & Mock Exams
  • Study the AWS incident response lifecycle: detection (GuardDuty/Security Hub), containment (IAM key disable, security group isolation), eradication, recovery, and post-incident analysis with Detective
  • Learn AWS Detective: behaviour graphs, resource profile analysis, and how it uses VPC flow logs, CloudTrail, and GuardDuty findings as data sources
  • Complete two full 65-question mock exams under 170-minute timed conditions and identify weak domains
  • Drill GuardDuty finding types and KMS key policy troubleshooting — the highest-failure-rate topics on this exam
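An added example (not from the page, Certsqill or AWS) of the Week 4 "contain first, then investigate" step applied to the finding types listed in Week 3: an EventBridge-style handler that parses the GuardDuty finding type and returns a containment plan. The runbook mapping in ISOLATE_PURPOSES and both sample findings are constructed for illustration; the field names (type, severity, resource.resourceType, accessKeyDetails, instanceDetails) follow the GuardDuty finding format, and the plan is returned as data rather than executed so it runs offline.

```python
# Assumed runbook: threat purposes that justify isolating a compromised instance outright.
ISOLATE_PURPOSES = {"UnauthorizedAccess", "Backdoor", "CryptoCurrency", "Trojan",
                    "Impact", "Exfiltration"}

def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatFamily.Detail' into its four parts.
    The Detail part is optional and comes back as '' when absent."""
    purpose, rest = finding_type.split(":", 1)
    resource_type, family = rest.split("/", 1)
    name, _, detail = family.partition(".")
    return purpose, resource_type, name, detail

def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def containment_plan(finding):
    """Return what to do first (contain) and what to look at next (investigate)."""
    purpose, _res, _name, detail = parse_finding_type(finding["type"])
    resource = finding["resource"]
    plan = {"type": finding["type"], "severity": severity_label(finding["severity"]),
            "contain": [], "investigate": []}
    if resource["resourceType"] == "AccessKey":
        key = resource["accessKeyDetails"]
        if key.get("userType") == "Root":
            plan["contain"].append("rotate the root user's credentials and enforce MFA on root")
        else:
            plan["contain"].append(f"set access key {key['accessKeyId']} of {key['userName']} "
                                   "to Inactive (iam:UpdateAccessKey)")
            plan["contain"].append(f"rotate credentials for {key['userName']}")
        plan["investigate"].append(f"query CloudTrail for every call made with {key['accessKeyId']}")
        if detail == "Custom":
            plan["investigate"].append("check which custom threat list matched and whether that IP is expected")
    elif resource["resourceType"] == "Instance":
        iid = resource["instanceDetails"]["instanceId"]
        if purpose in ISOLATE_PURPOSES:
            plan["contain"].append(f"move {iid} to a quarantine security group with no ingress or egress")
            plan["contain"].append(f"snapshot the EBS volumes of {iid} before any change, for forensics")
        elif purpose == "Recon":
            plan["contain"].append(f"close the probed ports in the security group of {iid}")
        else:
            plan["contain"].append(f"review {iid} manually; purpose {purpose} is not auto-isolated")
        plan["investigate"].append(f"pull VPC Flow Logs for {iid} around the finding's time window")
    else:
        plan["investigate"].append(f"manual triage: resource type {resource['resourceType']} is not in the runbook")
    return plan

def handler(event, context=None):
    """EventBridge target for 'GuardDuty Finding' events: the finding is event['detail']."""
    return containment_plan(event["detail"])

# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 5,
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                          "userName": "deploy-bot", "userType": "IAMUser"}},
    },
}
# Constructed sample finding for an EC2 resource (low-severity reconnaissance).
SAMPLE_PROBE = {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "severity": 2,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0abc123def456789a"}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
    print(json.dumps(containment_plan(SAMPLE_PROBE), indent=2))
```

In a real deployment the "contain" list would drive Systems Manager Automation or direct API calls, gated on severity so a Low recon finding does not quarantine a production instance; the parse step is the part candidates get wrong, so drill the purpose/resource/family split until it is automatic.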

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Weak on GuardDuty finding type interpretation
GuardDuty questions require knowing specific finding category names (e.g., UnauthorizedAccess:EC2/TorIPCaller vs Recon:EC2/PortProbeUnprotectedPort) and the correct incident response steps for each. Candidates who only understand GuardDuty at a high level lose marks on the specific finding type questions that appear in the Threat Detection domain.
Confusing KMS and CloudHSM use cases
KMS and CloudHSM overlap in function but answer different requirements. Both run on FIPS 140-2 Level 3 validated HSMs, so a Level 3 requirement on its own no longer forces CloudHSM, even though older study material says it does. Choose CloudHSM when the requirement is single-tenant hardware that you administer, keys that never leave a cluster only you control, native PKCS#11, JCE or OpenSSL interfaces, or a KMS custom key store backed by your own cluster. Questions often present a compliance requirement and expect you to pick the matching service; know what each one actually provides rather than a single compliance label.
Not understanding AWS Organizations SCPs in security contexts
SCPs are tested heavily in the Governance domain and as preventive controls in other domains. Candidates confuse the allow-list model (remove FullAWSAccess and allow only named services) with the deny-list model (keep FullAWSAccess and add targeted Deny statements), do not know that SCPs do not affect the management account or service-linked roles, and struggle with inheritance across the OU hierarchy: an action is permitted only if the SCPs at every level from the root down to the account allow it, so an Allow in a child OU cannot restore what a parent SCP withholds. Practice writing SCP Deny statements for common requirements such as protecting CloudTrail and GuardDuty from being disabled.
Underestimating the IAM policy evaluation complexity
IAM policy evaluation with permissions boundaries, session policies and resource-based policies in cross-account scenarios is consistently the hardest topic on this exam. When an identity in account A tries to access a resource in account B, both the identity-based policy in account A and the resource-based policy in account B must grant the action, and account A's SCPs still apply to the principal. Within a single account, an Allow in either the identity-based policy or a resource-based policy that names the IAM user or role is enough, subject to explicit denies and SCPs. Draw the evaluation graph for each scenario: explicit deny first, then SCPs, then resource-based, identity-based, boundary and session policies.
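The cross-account rule, the two SCP models and the boundary behaviour described above, worked through in an added example that is not the page's or AWS's code: a small model of the evaluation order for one request. Conditions are deliberately left out, SCPs are applied to the principal's account only, and every account ID, principal, bucket and detector name is made up.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_named(stmt, principal_arn):
    """True if a resource-based statement's Principal covers this ARN: '*', the ARN
    itself, the bare account ID, or the account's root ARN (which delegates the
    decision to that account's own IAM policies)."""
    p = stmt.get("Principal", "*")
    allowed = _as_list(p["AWS"] if isinstance(p, dict) else p)
    account = principal_arn.split(":")[4]
    return any(a in ("*", principal_arn, account, f"arn:aws:iam::{account}:root") for a in allowed)

def _effects(policy, action, resource, principal_arn=None):
    """Effects ('Allow'/'Deny') of the statements in `policy` that match the request."""
    hits = set()
    for s in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(s.get("Resource", "*"))):
            continue
        if principal_arn and not _principal_named(s, principal_arn):
            continue
        hits.add(s["Effect"])
    return hits

def evaluate(principal, action, resource, resource_account, identity_policy,
             resource_policy=None, boundary=None, scp=None, management_account=False):
    """Decision for one request, in the order IAM applies the policy types."""
    same_account = principal.split(":")[4] == resource_account
    ident = _effects(identity_policy, action, resource)
    res = _effects(resource_policy, action, resource, principal) if resource_policy else set()
    bnd = _effects(boundary, action, resource) if boundary else None
    # SCPs bind principals in member accounts only; the management account is exempt.
    org = _effects(scp, action, resource) if scp and not management_account else None
    if "Deny" in ident | res | (bnd or set()) | (org or set()):
        return "Deny: explicit deny"
    if org is not None and "Allow" not in org:
        return "Deny: not allowed by SCP"
    if same_account and "Allow" in res:           # resource policy alone suffices in-account
        return "Allow: resource-based policy names the principal"
    if "Allow" not in ident:
        return "Deny: implicit (no identity-based Allow)"
    if bnd is not None and "Allow" not in bnd:
        return "Deny: outside permissions boundary"
    if not same_account and "Allow" not in res:   # cross-account needs both sides
        return "Deny: cross-account, resource-based policy does not allow"
    return "Allow"

# Constructed policies and principals (all IDs and names are made up).
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEV = "arn:aws:iam::111111111111:user/dev"
ADMIN = "arn:aws:iam::111111111111:role/Admin"
ANALYST = "arn:aws:iam::222222222222:user/analyst"
DEV_S3_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Resource": "*"}]}
OBJ_B = "arn:aws:s3:::b-reports/q1.csv"           # lives in account 222222222222
BUCKET_B_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::b-reports/*",
                                  "Principal": {"AWS": ["arn:aws:iam::111111111111:root", ANALYST]}}]}
# Deny-list SCP: FullAWSAccess plus targeted denies. Allow-list SCP: only the listed services.
DENY_LIST_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                               {"Effect": "Deny", "Resource": "*",
                                "Action": ["guardduty:DeleteDetector", "cloudtrail:StopLogging"]}]}
ALLOW_LIST_SCP = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DETECTOR = "arn:aws:guardduty:eu-west-1:111111111111:detector/12abc34d567e8fa901bc2d34e56789f0"
NEW_USER = "arn:aws:iam::111111111111:user/new"

def run_scenarios():
    return {
        "cross_account_no_bucket_policy":
            evaluate(DEV, "s3:GetObject", OBJ_B, "222222222222", DEV_S3_READ),
        "cross_account_with_bucket_policy":
            evaluate(DEV, "s3:GetObject", OBJ_B, "222222222222", DEV_S3_READ,
                     resource_policy=BUCKET_B_POLICY),
        "same_account_bucket_policy_only":
            evaluate(ANALYST, "s3:GetObject", OBJ_B, "222222222222", {"Statement": []},
                     resource_policy=BUCKET_B_POLICY),
        "scp_deny_list_member_account":
            evaluate(ADMIN, "guardduty:DeleteDetector", DETECTOR, "111111111111", ALLOW_ALL,
                     scp=DENY_LIST_SCP),
        "scp_deny_list_management_account":
            evaluate(ADMIN, "guardduty:DeleteDetector", DETECTOR, "111111111111", ALLOW_ALL,
                     scp=DENY_LIST_SCP, management_account=True),
        "scp_allow_list_blocks_iam":
            evaluate(ADMIN, "iam:CreateUser", NEW_USER, "111111111111", ALLOW_ALL,
                     scp=ALLOW_LIST_SCP),
        "boundary_blocks_iam":
            evaluate(DEV, "iam:CreateUser", NEW_USER, "111111111111", ALLOW_ALL,
                     boundary=S3_ONLY_BOUNDARY),
    }

if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:36s} {decision}")
```

The scenario names mirror the exam's favourite traps: the same identity policy that fails cross-account succeeds once the bucket policy names account A's root; an empty identity policy still gets access in-account when the bucket policy names the user directly; the deny-list SCP stops a member-account admin but not the management account; the allow-list SCP blocks IAM entirely because iam:* is simply not listed; and AdministratorAccess inside an S3-only boundary is still only S3.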

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.

