The AWS SCS-C03 exam preparation guide gives candidates the information they need for the AWS Certified Security - Specialty exam: an exam summary, sample questions, a practice test, the exam objectives, and guidance on how to interpret those objectives so that candidates can gauge the types of questions they may face.
All candidates should review the SCS-C03 objectives and sample questions in this guide. The AWS Security Specialty certification targets candidates who want to build a career in the cloud security domain and demonstrate their expertise. Use the practice exam listed in this guide to become familiar with the exam environment and to identify the knowledge areas that need more work before you sit the actual AWS Certified Security - Specialty exam.
AWS SCS-C03 Exam Summary:

| Item | Detail |
|---|---|
| Exam Name | AWS Certified Security - Specialty |
| Exam Code | SCS-C03 |
| Exam Price | $300 USD |
| Duration | 170 minutes |
| Number of Questions | 65 |
| Passing Score | 750 on a scale of 100 to 1000 |
| Recommended Training / Books | AWS Security Fundamentals (Second Edition); Security Engineering on AWS; AWS Cloud Quest: Security Role |
| Schedule Exam | AWS Certification |
| Sample Questions | AWS SCS-C03 Sample Questions |
| Recommended Practice | AWS Certified Security - Specialty Practice Test |
AWS Security Specialty Syllabus:

| Section | Weight |
|---|---|
| Detection | 16% |
| Incident Response | 14% |
| Infrastructure Security | 18% |
| Identity and Access Management | 20% |
| Data Protection | 18% |
| Security Foundations and Governance | 14% |

Detection - 16%

Design and implement monitoring and alerting solutions for an AWS account or organization.
- Analyze workloads to determine monitoring requirements.
- Design and implement workload monitoring strategies (for example, by configuring resource health checks).
- Aggregate security and monitoring events.
- Create metrics, alerts, and dashboards to detect anomalous data and events (for example, Amazon GuardDuty, Amazon Security Lake, AWS Security Hub, Amazon Macie).
- Create and manage automations to perform regular assessments and investigations (for example, by deploying AWS Config conformance packs, Security Hub, AWS Systems Manager State Manager).

Design and implement logging solutions.
- Identify sources for log ingestion and storage based on requirements.
- Configure logging for AWS services and applications (for example, by configuring an AWS CloudTrail trail for an organization, by creating a dedicated Amazon CloudWatch logging account, by configuring the Amazon CloudWatch Logs agent).
- Implement log storage and log data lakes (for example, Security Lake) and integrate with third-party security tools.
- Use AWS services to analyze logs (for example, CloudWatch Logs Insights, Amazon Athena, Security Hub findings).
- Use AWS services to normalize, parse, and correlate logs (for example, Amazon OpenSearch Service, AWS Lambda, Amazon Managed Grafana).
- Determine and configure appropriate log sources based on network design, threats, and attacks (for example, VPC Flow Logs, transit gateway flow logs, Amazon Route 53 Resolver logs).

Troubleshoot security monitoring, logging, and alerting solutions.
- Analyze the functionality, permissions, and configuration of resources (for example, Lambda function logging, Amazon API Gateway logging, health checks, Amazon CloudFront logging).
- Remediate misconfiguration of resources (for example, by troubleshooting CloudWatch Agent configurations, troubleshooting missing logs).
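The Detection objectives above ask you to turn CloudTrail into metrics and alerts. The following is an added example, not part of the original guide or of any AWS material: it runs three common CloudTrail detections (direct root credential use, console sign-in without MFA, changes to trail configuration) over a constructed CloudTrail log file, and pairs each with the CloudWatch Logs metric filter pattern that expresses the same check on a CloudTrail log group. The account ID, principals and event times are invented; the field names are the ones CloudTrail actually emits.

```python
"""Detection checks over CloudTrail records (added example, constructed data).
Each Python check is paired with the CloudWatch Logs metric filter pattern that
expresses the same logic on a CloudTrail log group."""
import json

# Constructed CloudTrail log file (not real account data), trimmed to the fields
# the checks read. CloudTrail delivers files with one top-level "Records" list.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventType": "AwsApiCall",
     "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventType": "AwsApiCall",
     "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Root identity but invoked by an AWS service: excluded from root-usage alerts.
    {"eventTime": "2024-05-01T10:08:00Z", "eventType": "AwsApiCall",
     "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "invokedBy": "AWS Internal"}},
]})

# Metric filter patterns (CIS AWS Foundations Benchmark style) for a CloudTrail log group.
ROOT_USAGE_FILTER = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                     '&& $.eventType != "AwsServiceEvent" }')
NO_MFA_LOGIN_FILTER = ('{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") '
                       '&& ($.responseElements.ConsoleLogin = "Success") }')
TRAIL_CHANGE_FILTER = ('{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || '
                       '($.eventName = DeleteTrail) || ($.eventName = StartLogging) || '
                       '($.eventName = StopLogging) }')
TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def load_records(log_file_text):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(log_file_text)["Records"]


def root_usage(records):
    """Root credentials used directly; service-originated root events are excluded."""
    return [r for r in records
            if r.get("userIdentity", {}).get("type") == "Root"
            and "invokedBy" not in r.get("userIdentity", {})
            and r.get("eventType") != "AwsServiceEvent"]


def console_login_without_mfa(records):
    """Successful console sign-ins where MFA was not used."""
    return [r for r in records
            if r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"]


def cloudtrail_changes(records):
    """Any change to trail configuration or logging state (a common evasion step)."""
    return [r for r in records if r.get("eventName") in TRAIL_CHANGE_EVENTS]


def triage(records):
    """Map each detection to the (time, event, principal ARN) triples that fired it."""
    def summarize(hits):
        return [(r["eventTime"], r["eventName"], r["userIdentity"]["arn"]) for r in hits]
    return {
        "root_usage": summarize(root_usage(records)),
        "console_login_without_mfa": summarize(console_login_without_mfa(records)),
        "cloudtrail_changes": summarize(cloudtrail_changes(records)),
    }


if __name__ == "__main__":
    for name, hits in triage(load_records(SAMPLE_LOG_FILE)).items():
        print(name, hits)
```

In production the same logic lives in the metric filter (with a CloudWatch alarm on the metric) or in a Logs Insights query, not in a script; the script is useful for validating a filter against saved log files before deploying it, and for the "troubleshooting missing logs" objective, since a record that never reaches the log group never fires either check.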
Incident Response - 14%

Design and test an incident response plan.
- Design and implement response plans and runbooks to respond to security incidents (for example, Systems Manager OpsCenter, Amazon SageMaker AI notebooks).
- Use AWS service features and capabilities to configure services to be prepared for incidents (for example, by provisioning access, deploying security tools, minimizing the blast radius, configuring AWS Shield Advanced protections).
- Recommend procedures to test and validate the effectiveness of an incident response plan (for example, AWS Fault Injection Service, AWS Resilience Hub).
- Use AWS services to automatically remediate incidents (for example, Systems Manager, Automated Forensics Orchestrator for Amazon EC2, AWS Step Functions, Amazon Application Recovery Controller, Lambda functions).

Respond to security events.
- Capture and store relevant system and application logs as forensic artifacts.
- Search and correlate logs for security events across applications and AWS services.
- Validate findings from AWS security services to assess the scope and impact of an event.
- Respond to affected resources by containing and eradicating threats, and recover resources (for example, by implementing network containment controls, restoring backups).
- Describe methods to conduct root cause analysis (for example, Amazon Detective).

Infrastructure Security - 18%

Design, implement, and troubleshoot security controls for network edge services.
- Define and select edge security strategies based on anticipated threats and attacks.
- Implement appropriate network edge protection (for example, CloudFront headers, AWS WAF, AWS IoT policies, protecting against OWASP Top 10 threats, Amazon S3 cross-origin resource sharing [CORS], Shield Advanced).
- Design and implement AWS edge controls and rules based on requirements (for example, geography, geolocation, rate limiting, client fingerprinting).
- Configure integrations with AWS edge services and third-party services (for example, by ingesting data in Open Cybersecurity Schema Framework [OCSF] format, by using third-party WAF rules).

Design, implement, and troubleshoot security controls for compute workloads.
- Design and implement hardened Amazon EC2 AMIs and container images to secure compute workloads and embed security controls (for example, Systems Manager, EC2 Image Builder).
- Apply instance profiles, service roles, and execution roles appropriately to authorize compute workloads.
- Scan compute resources for known vulnerabilities (for example, scan container images and Lambda functions by using Amazon Inspector, monitor compute runtimes by using GuardDuty).
- Deploy patches across compute resources to maintain secure and compliant environments by automating update processes and by integrating continuous validation (for example, Systems Manager Patch Manager, Amazon Inspector).
- Configure secure administrative access to compute resources (for example, Systems Manager Session Manager, EC2 Instance Connect).
- Configure security tools to discover and remediate vulnerabilities within a pipeline (for example, Amazon Q Developer, Amazon CodeGuru Security).
- Implement protections and guardrails for generative AI applications (for example, by applying OWASP Top 10 for LLM Applications protections).

Design and troubleshoot network security controls.
- Design and troubleshoot appropriate network controls to permit or prevent network traffic as required (for example, security groups, network ACLs, AWS Network Firewall).
- Design secure connectivity between hybrid and multi-cloud networks (for example, AWS Site-to-Site VPN, AWS Direct Connect, MAC Security [MACsec]).
- Determine and configure security workload requirements for communication between hybrid environments and AWS (for example, by using AWS Verified Access).
- Design network segmentation based on security requirements (for example, north/south and east/west traffic protections, isolated subnets).
- Identify unnecessary network access (for example, AWS Verified Access, Network Access Analyzer, Amazon Inspector network reachability findings).
Identity and Access Management - 20%

Design, implement, and troubleshoot authentication strategies.
- Design and establish identity solutions for human, application, and system authentication (for example, AWS IAM Identity Center, Amazon Cognito, multi-factor authentication [MFA], identity provider [IdP] integration).
- Configure mechanisms to issue temporary credentials (for example, AWS Security Token Service [AWS STS], Amazon S3 presigned URLs).
- Troubleshoot authentication issues (for example, CloudTrail, Amazon Cognito, IAM Identity Center permission sets, AWS Directory Service).

Design, implement, and troubleshoot authorization strategies.
- Design and evaluate authorization controls for human, application, and system access (for example, Amazon Verified Permissions, IAM paths, IAM Roles Anywhere, resource policies for cross-account access, IAM role trust policies).
- Design attribute-based access control (ABAC) and role-based access control (RBAC) strategies (for example, by configuring resource access based on tags or attributes).
- Design, interpret, and implement IAM policies by following the principle of least privilege (for example, permission boundaries, session policies).
- Analyze authorization failures to determine causes or effects (for example, IAM Policy Simulator, IAM Access Analyzer).
- Investigate and correct unintended permissions, authorizations, or privileges granted to a resource, service, or entity (for example, IAM Access Analyzer).
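The authorization objectives above (ABAC by tags, least-privilege policies, analyzing why a request was denied) are easiest to reason about when the evaluation order is visible. The following is an added example, not code from the guide or from AWS: a deliberately small model of IAM policy evaluation that supports Allow/Deny statements with Action, Resource, StringEquals conditions and ${...} policy variables, applied to a constructed ABAC policy. It covers only that subset; NotAction, NotResource, other condition operators, permission boundaries, session policies and SCPs are not modelled, and the IAM Policy Simulator remains the authoritative tool for a real policy.

```python
"""Simplified IAM policy evaluation for ABAC reasoning (added example).
Only Allow/Deny statements with Action, Resource and StringEquals conditions
plus ${...} variables are modelled; the policy and requests are constructed."""
import re

_VAR = re.compile(r"\$\{([^}]+)\}")


def _iam_glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any string, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, context):
    """Substitute ${key} policy variables; None if a referenced key is absent."""
    for key in _VAR.findall(value):
        if key not in context:
            return None
        value = value.replace("${" + key + "}", context[key])
    return value


def _condition_holds(condition, context):
    """StringEquals only: a condition key missing from the request is false."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if context[key] not in [_resolve(v, context) for v in _as_list(expected)]:
                return False
    return True


def _matches(stmt, action, resource, context):
    actions = _as_list(stmt["Action"])            # action names are case-insensitive
    resources = _as_list(stmt.get("Resource", "*"))  # ARNs are case-sensitive
    return (any(_iam_glob(a, action, ignore_case=True) for a in actions)
            and any(_iam_glob(r, resource) for r in resources)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policy, action, resource, context):
    """Explicit Deny beats any Allow; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def request_context(principal_tags, resource_tags):
    """Build the aws:PrincipalTag/* and aws:ResourceTag/* keys IAM exposes for ABAC."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


# Constructed policy: a principal may start/stop instances tagged with its own
# project, and no EC2 action at all is permitted on resources tagged env=prod.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SameProjectInstanceOps", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}},
        {"Sid": "DenyProdChanges", "Effect": "Deny",
         "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}},
    ],
}

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123"  # constructed ARN


def demo():
    """Decisions for a principal tagged project=blue against the policy above."""
    alice = {"project": "blue"}
    ctx = lambda tags: request_context(alice, tags)
    return {
        "own_project_dev": evaluate(ABAC_POLICY, "ec2:StartInstances", INSTANCE, ctx({"project": "blue", "env": "dev"})),
        "other_project": evaluate(ABAC_POLICY, "ec2:StartInstances", INSTANCE, ctx({"project": "red", "env": "dev"})),
        "own_project_prod": evaluate(ABAC_POLICY, "ec2:StopInstances", INSTANCE, ctx({"project": "blue", "env": "prod"})),
        "unlisted_action": evaluate(ABAC_POLICY, "ec2:TerminateInstances", INSTANCE, ctx({"project": "blue", "env": "dev"})),
        "untagged_resource": evaluate(ABAC_POLICY, "ec2:StartInstances", INSTANCE, ctx({})),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two of the cases are the ones that trip people up on the exam: the explicit Deny on env=prod wins even though the Allow also matched, and an instance with no project tag is denied because a StringEquals against a missing condition key is false rather than an error. The same reasoning is what IAM Access Analyzer and the Policy Simulator report when you troubleshoot an authorization failure.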
Data Protection - 18%

Design and implement controls for data in transit.
- Design and configure mechanisms to require encryption when connecting to resources (for example, by configuring Elastic Load Balancing [ELB] security policies, by enforcing TLS configurations).
- Design and configure mechanisms for secure and private access to resources (for example, AWS PrivateLink, VPC endpoints, AWS Client VPN, AWS Verified Access).
- Design and configure inter-resource encryption in transit (for example, inter-node encryption configurations for Amazon EMR, Amazon Elastic Kubernetes Service [Amazon EKS], SageMaker AI, Nitro encryption).

Design and implement controls for data at rest.
- Design, implement, and configure data encryption at rest based on specific requirements (for example, by selecting the appropriate encryption key service such as AWS CloudHSM or AWS Key Management Service [AWS KMS], or by selecting the appropriate encryption type such as client-side encryption or server-side encryption).
- Design and configure mechanisms to protect data integrity (for example, S3 Object Lock, S3 Glacier Vault Lock, versioning, digital code signing, file validation).
- Design automatic lifecycle management and retention solutions for data (for example, S3 Lifecycle policies, S3 Object Lock, Amazon Elastic File System [Amazon EFS] Lifecycle policies, Amazon FSx for Lustre backup policies).
- Design and configure secure data replication and backup solutions (for example, Amazon Data Lifecycle Manager, AWS Backup, ransomware protection, AWS DataSync).

Design and implement controls to protect confidential data, credentials, secrets, and cryptographic key materials.
- Design management and rotation of credentials and secrets (for example, AWS Secrets Manager).
- Manage and use imported key material (for example, by managing and rotating imported key material, by managing and configuring external key stores).
- Describe the differences between imported key material and AWS-generated key material.
- Mask sensitive data (for example, CloudWatch Logs data protection policies, Amazon Simple Notification Service [Amazon SNS] message data protection).
- Create and manage encryption keys and certificates across a single AWS Region or multiple Regions (for example, customer managed AWS KMS keys, AWS Private Certificate Authority).

Security Foundations and Governance - 14%

Develop a strategy to centrally deploy and manage AWS accounts.
- Deploy and configure organizations by using AWS Organizations.
- Implement and manage AWS Control Tower in new and existing environments, and deploy optional and custom controls.
- Implement organization policies to manage permissions (for example, SCPs, RCPs, AI service opt-out policies, declarative policies).
- Centrally manage security services (for example, delegated administrator accounts).
- Manage AWS account root user credentials (for example, by centralizing root access for member accounts, managing MFA, designing break-glass procedures).

Implement a secure and consistent deployment strategy for cloud resources.
- Use infrastructure as code (IaC) to deploy cloud resources consistently and securely across accounts (for example, CloudFormation stack sets, third-party IaC tools, CloudFormation Guard, cfn-lint).
- Use tags to organize AWS resources into groups for management (for example, by grouping by department, cost center, environment).
- Deploy and enforce policies and configurations from a central source (for example, AWS Firewall Manager).
- Securely share resources across AWS accounts (for example, AWS Service Catalog, AWS Resource Access Manager [AWS RAM]).

Evaluate the compliance of AWS resources.
- Create or enable rules to detect and remediate noncompliant AWS resources and to send notifications (for example, by using AWS Config to aggregate alerts and remediate noncompliant resources, Security Hub).
- Use AWS audit services to collect and organize evidence (for example, AWS Audit Manager, AWS Artifact).
- Use AWS services to evaluate architecture for compliance with AWS security best practices (for example, the AWS Well-Architected Tool).
