How to Pass the AWS Security Specialty (SCS-C02) Exam in 2026

A complete study guide for the AWS Security Specialty SCS-C02 exam. Learn the five domains, master IAM, KMS, GuardDuty, Security Hub, and WAF, and build a study plan to pass on your first attempt.

AityTech
Indie studio, Japan

The AWS Certified Security Specialty is one of the most respected credentials in cloud security. It proves you can design and implement security solutions on AWS at scale, and it commands some of the highest salaries in the cloud certification landscape. But it is also one of the hardest AWS exams, with pass rates significantly lower than the associate-level certifications.

This guide covers every domain on the SCS-C02 exam, walks through the services you absolutely must master, and gives you a concrete study plan to pass on your first attempt.

What Is the SCS-C02 Exam?

The SCS-C02 replaced the SCS-C01 and is the current version of the AWS Security Specialty certification. It tests your ability to design, implement, and troubleshoot security solutions in AWS environments. You need a scaled score of 750 out of 1000 to pass. The exam has 65 questions and you get 170 minutes to complete it.

AWS recommends at least five years of IT security experience and two years of hands-on experience securing AWS workloads before attempting this exam. That said, candidates with strong associate-level knowledge and dedicated preparation have passed with less experience.

The exam costs $300 USD. If you have already passed an AWS certification, you receive a 50% discount voucher.

Who Should Take This Exam?

The Security Specialty is ideal for security engineers, security architects, cloud security analysts, and anyone whose role involves securing AWS environments. It sits at the specialty level in the AWS certification path, which means it is not tied to a specific associate or professional prerequisite, but AWS strongly recommends holding at least one associate-level certification before attempting it.

If you work in a regulated industry — finance, healthcare, government — this certification carries significant weight with employers and clients.

The Five Domains You Must Master

AWS organizes the SCS-C02 exam into five domains. Each domain has a specific weight, and understanding these weights is critical for allocating your study time.

Domain 1: Threat Detection and Incident Response (14%)

This domain tests your ability to detect threats and respond to security incidents in AWS. While it carries the lowest weight, the questions tend to be scenario-heavy and require deep understanding of how detection services work together.

Key services and concepts to master:

  • Amazon GuardDuty — understand finding types, severity levels, suppression rules, and how GuardDuty integrates with EventBridge for automated response. Know the difference between GuardDuty findings for EC2, S3, IAM, and Kubernetes workloads.
  • AWS Security Hub — know how Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. Understand compliance standards like CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices.
  • Amazon Detective — understand when to use Detective for root cause analysis versus GuardDuty for detection.
  • AWS CloudTrail — management events vs data events, CloudTrail Lake for querying, organization trails, log file integrity validation.
  • Amazon CloudWatch — metric filters, alarms, anomaly detection, and how to create custom metrics for security monitoring.
  • Incident response automation — using EventBridge rules to trigger Lambda functions or Step Functions for automated remediation. Know how to isolate a compromised EC2 instance by modifying security groups programmatically.

Study tip: build a mental flowchart for incident response. When a GuardDuty finding fires, what happens next? How does it flow through Security Hub, trigger EventBridge, invoke Lambda, and create a notification in SNS?
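The flow the study tip describes (GuardDuty finding, EventBridge rule, Lambda, security-group change) is easier to remember once you have seen the remediation step as code. The following is an example added for this guide, not AWS sample code: a Lambda-style handler that takes the EventBridge envelope for a GuardDuty finding, ignores anything below High severity or not about an EC2 instance, and swaps the instance's security groups for a quarantine group. The finding, instance id and group ids are constructed, and the EC2 client is an in-memory fake so the flow runs offline; inside Lambda the handler falls back to boto3.

```python
"""Automated EC2 isolation for a GuardDuty finding delivered through EventBridge.

Example code added for this guide; it is not AWS sample code. The event follows
the EventBridge envelope for GuardDuty findings ("detail-type": "GuardDuty
Finding", finding under "detail"), but the finding, instance id and security
group ids below are constructed. The EC2 client is an in-memory fake so the flow
runs offline; in Lambda the handler falls back to boto3.client("ec2").
"""
from __future__ import annotations

from typing import Any, Optional

QUARANTINE_SG = "sg-0quarantine0000000"   # constructed: a group with no inbound or outbound rules
MIN_SEVERITY = 7.0                        # GuardDuty severity 7.0-8.9 is High, 9.0+ is Critical


class FakeEc2Client:
    """Stand-in for boto3's EC2 client, implementing only the two calls used here."""

    def __init__(self, groups_by_instance: dict[str, list[str]]) -> None:
        self.groups_by_instance = groups_by_instance
        self.calls: list[tuple[str, dict[str, Any]]] = []   # audit trail of API calls made

    def describe_instances(self, InstanceIds: list[str]) -> dict[str, Any]:
        self.calls.append(("describe_instances", {"InstanceIds": InstanceIds}))
        instances = [
            {"InstanceId": i, "SecurityGroups": [{"GroupId": g} for g in self.groups_by_instance[i]]}
            for i in InstanceIds
        ]
        return {"Reservations": [{"Instances": instances}]}

    def modify_instance_attribute(self, InstanceId: str, Groups: list[str]) -> dict[str, Any]:
        self.calls.append(("modify_instance_attribute", {"InstanceId": InstanceId, "Groups": Groups}))
        self.groups_by_instance[InstanceId] = list(Groups)
        return {}


def instance_from_finding(finding: dict[str, Any]) -> Optional[str]:
    """Return the EC2 instance id from a finding, or None when it is not an instance finding."""
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def quarantine_instance(ec2: Any, instance_id: str, quarantine_sg: str = QUARANTINE_SG) -> dict[str, Any]:
    """Replace every security group on the instance with the quarantine group.

    The previous groups are returned so a responder can restore them once the
    investigation is complete; a re-delivered event makes no further change.
    """
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    if previous == [quarantine_sg]:
        return {"instance": instance_id, "changed": False, "previous_groups": previous}
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instance": instance_id, "changed": True, "previous_groups": previous}


def handler(event: dict[str, Any], context: Any = None, ec2: Any = None) -> dict[str, Any]:
    """Lambda entry point: isolate only high-severity findings that name an EC2 instance."""
    if ec2 is None:
        import boto3  # only reached inside Lambda; the offline demo injects a fake client
        ec2 = boto3.client("ec2")
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return {"action": "ignored", "reason": "below severity threshold"}
    instance_id = instance_from_finding(finding)
    if instance_id is None:
        return {"action": "ignored", "reason": "finding does not name an EC2 instance"}
    result = quarantine_instance(ec2, instance_id)
    result["action"] = "quarantined" if result["changed"] else "already_quarantined"
    result["finding_type"] = finding.get("type")
    return result


# Constructed sample event; the instance id is a placeholder, not a real resource.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc1234567890def"}},
    },
}


def demo() -> dict[str, Any]:
    ec2 = FakeEc2Client({"i-0abc1234567890def": ["sg-0web000000000000", "sg-0ssh000000000000"]})
    first = handler(SAMPLE_EVENT, ec2=ec2)
    second = handler(SAMPLE_EVENT, ec2=ec2)   # re-delivered event: no further change
    return {"first": first, "second": second, "calls": len(ec2.calls)}


if __name__ == "__main__":
    print(demo())
```

The handler returns the previous groups rather than discarding them; in a real playbook that value goes to the finding's notes or an SNS notification so the isolation can be undone after forensics. Capturing an EBS snapshot before the group swap is a common additional step in the same Lambda.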

Domain 2: Security Logging and Monitoring (18%)

This domain focuses on designing and implementing logging solutions that give you visibility into your AWS environment.

Key areas to study:

  • Centralized logging architecture — sending CloudTrail, VPC Flow Logs, DNS logs, and application logs to a central S3 bucket or CloudWatch Logs group in a security account.
  • VPC Flow Logs — understand the log format, the difference between accepted and rejected traffic, and how to analyze flow logs with Athena.
  • AWS Config — managed rules vs custom rules, conformance packs, remediation actions, multi-account aggregation with AWS Organizations.
  • Amazon Macie — discovering and protecting sensitive data in S3, custom data identifiers, automated classification.
  • S3 server access logging — know when to use server access logs vs CloudTrail data events for S3.
  • Cross-account log delivery — resource policies for CloudWatch Logs destinations, S3 bucket policies for cross-account delivery, and KMS key policies for encrypted logs.

The exam frequently asks about scenarios where you need to prevent log tampering. Understand S3 Object Lock, CloudTrail log file integrity validation, and how to use separate accounts for log storage.
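To make the VPC Flow Logs bullets concrete, here is an example added for this guide (not AWS code) that parses records in the default 14-field format, separates ACCEPT from REJECT traffic, and produces the two summaries an analyst typically wants: rejected connection counts per source (with a simple port-scan heuristic) and accepted admin-port traffic from non-private addresses. The log lines are constructed samples with placeholder account and ENI ids and documentation IP ranges; the same grouping is what you would write as a GROUP BY in Athena once the logs are in S3.

```python
"""Rejected-traffic summary over VPC Flow Logs in the default 14-field format.

Example added for this guide, not AWS code. The log lines are constructed
samples (placeholder account and ENI ids, documentation IP ranges). The same
grouping is what you would express as GROUP BY srcaddr in Athena once the logs
are in S3.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from typing import Iterable, Optional

# Default flow log record format, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22, 3389}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (placeholder ids; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LINES = """\
2 123456789012 eni-0placeholder0000 198.51.100.7 10.0.1.20 43210 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0placeholder0000 198.51.100.7 10.0.1.20 43211 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0placeholder0000 198.51.100.7 10.0.1.20 43212 445 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0placeholder0000 10.0.2.15 10.0.1.20 52000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0placeholder0000 203.0.113.9 10.0.1.20 51000 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0placeholder0000 203.0.113.9 10.0.1.20 51001 22 6 12 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0placeholder0000 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; return None for malformed rows and for NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA/SKIPDATA rows carry '-' in the traffic fields
        return None
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = int(rec[f])
    return rec


def is_internal(addr: str) -> bool:
    """True for RFC 1918 sources; anything else is treated as external."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def analyze(lines: Iterable[str], scan_port_threshold: int = 3) -> dict:
    """Count REJECTs per source, flag sources hitting many distinct ports, and flag
    ACCEPTed admin-port traffic from external sources (a security group worth reviewing)."""
    rejects_by_src: Counter = Counter()
    ports_by_src: dict[str, set] = defaultdict(set)
    exposed_admin = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "REJECT":
            rejects_by_src[rec["srcaddr"]] += 1
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
        elif rec["dstport"] in ADMIN_PORTS and not is_internal(rec["srcaddr"]):
            exposed_admin.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    scanners = sorted(src for src, ports in ports_by_src.items() if len(ports) >= scan_port_threshold)
    return {
        "rejects_by_src": dict(rejects_by_src),
        "suspected_port_scans": scanners,
        "exposed_admin_accepts": exposed_admin,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(key, value)
```

The NODATA row is the edge case worth noticing: its traffic fields are dashes, so a parser that converts fields to integers before checking log-status will crash on real data. On the exam, remember that REJECT records reflect security group or NACL decisions, so a burst of rejects across many ports from one source is a reconnaissance signal, while an ACCEPT on port 22 from the internet is a misconfiguration signal.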

Domain 3: Infrastructure Security (20%)

This domain tests your ability to secure the network and compute layers of your AWS architecture.

Critical services and concepts:

  • VPC security — security groups vs NACLs, the stateful vs stateless distinction, VPC endpoints (interface vs gateway), PrivateLink, and VPC peering security considerations.
  • AWS WAF — web ACLs, managed rule groups, rate-based rules, custom rules with regex patterns, and WAF logging to S3 or CloudWatch. Know how to block SQL injection and XSS attacks.
  • AWS Shield — Standard vs Advanced, DDoS response team, cost protection, and how Shield integrates with CloudFront, ALB, and Route 53.
  • AWS Firewall Manager — centralized management of WAF rules, security groups, and Shield Advanced across an organization.
  • AWS Network Firewall — stateful and stateless rule groups, domain filtering, intrusion prevention, and deployment models (centralized vs distributed).
  • Amazon CloudFront security — origin access control (OAC), field-level encryption, signed URLs and cookies, geo-restriction, and TLS/SSL configuration.
  • Systems Manager — Session Manager for bastion-less access, Patch Manager for compliance, and Parameter Store vs Secrets Manager.

Expect questions that combine multiple services. For example, a scenario might describe a web application that needs protection against DDoS attacks, SQL injection, and unauthorized API access, and you need to choose the right combination of Shield, WAF, and API Gateway configurations.

Domain 4: Identity and Access Management (16%)

IAM is the foundation of AWS security, and the questions on this domain go deep.

What you must know:

  • IAM policy evaluation logic — the complete flow from explicit deny to organizational SCPs to resource-based policies to identity-based policies to permissions boundaries. Understand how these layers interact and when each one applies.
  • IAM roles — cross-account access with sts:AssumeRole, service-linked roles, instance profiles, and the confused deputy problem.
  • AWS Organizations and SCPs — how SCPs restrict permissions across member accounts, the difference between deny lists and allow lists, and how SCPs interact with IAM policies.
  • AWS IAM Identity Center (SSO) — SAML 2.0 federation, SCIM provisioning, permission sets, and multi-account access.
  • Amazon Cognito — user pools vs identity pools, authentication flows, custom authentication challenges, and securing API Gateway with Cognito authorizers.
  • Permissions boundaries — how they limit the maximum permissions an IAM entity can have, and the common use case of delegated administration.
  • Resource-based policies — S3 bucket policies, KMS key policies, Lambda resource policies, and how they differ from identity-based policies (especially for cross-account access).

Study tip: the exam loves policy evaluation questions. Practice reading JSON policies and determining what is allowed or denied. Pay special attention to condition keys like aws:SourceIp, aws:PrincipalOrgID, and aws:RequestedRegion.
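Policy evaluation questions become much easier once you have traced the documented order yourself. The following is an example added for this guide, not AWS code: a small teaching model of same-account evaluation that applies an explicit deny from any layer first, then requires the SCPs (if any) to allow, then an identity-based or resource-based policy to allow, then the permissions boundary (if any) to allow. It supports the StringEquals, StringNotEquals, IpAddress and Bool operators with the condition keys named above plus aws:SecureTransport, and it omits session policies, cross-account rules, NotAction/NotResource and the ...IfExists/Null operators; a key missing from the request context simply fails the condition. The organization id, bucket name and IP ranges in the sample are constructed.

```python
"""Simplified IAM policy evaluation for a same-account request.

Example added for this guide: a teaching model of the documented evaluation
order, not the AWS evaluator. It omits session policies, cross-account rules,
NotAction/NotResource and the ...IfExists/Null operators, and a key missing
from the request context simply fails the condition. Org id, bucket name and
IP ranges are constructed.
"""
from __future__ import annotations

import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Every operator/key pair must hold (AND); the listed values for one key are OR."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            want = [str(w) for w in _as_list(want)]
            if have is None:
                return False
            if op == "StringEquals":
                ok = str(have) in want
            elif op == "StringNotEquals":
                ok = str(have) not in want
            elif op == "IpAddress":
                ok = any(ipaddress.ip_address(have) in ipaddress.ip_network(w) for w in want)
            elif op == "Bool":
                ok = str(have).lower() in [w.lower() for w in want]
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True


def _decide(doc: dict, action: str, resource: str, ctx: dict) -> tuple:
    """Return (explicit_deny, explicit_allow) for one policy document."""
    deny = allow = False
    for st in _as_list(doc.get("Statement", [])):
        if (_matches(st.get("Action", []), action) and _matches(st.get("Resource", "*"), resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    return deny, allow


def evaluate(action: str, resource: str, ctx: dict, identity: list, resource_policy: dict = None,
             scps: list = None, boundary: dict = None) -> tuple:
    """Return ("ALLOW" or "DENY", reason) for one request against all policy layers."""
    layers = {"scp": scps or [], "resource": [resource_policy] if resource_policy else [],
              "identity": identity, "boundary": [boundary] if boundary else []}
    allows = {}
    for name, docs in layers.items():                 # step 1: any explicit deny ends evaluation
        results = [_decide(d, action, resource, ctx) for d in docs]
        if any(deny for deny, _ in results):
            return "DENY", f"explicit deny in {name} policy"
        allows[name] = any(allow for _, allow in results)
    if layers["scp"] and not allows["scp"]:           # step 2: SCPs cap the whole account
        return "DENY", "implicit deny: no SCP allows the action"
    if not (allows["identity"] or allows["resource"]):   # step 3: something must grant it
        return "DENY", "implicit deny: no identity-based or resource-based policy allows the action"
    if layers["boundary"] and not allows["boundary"]:     # step 4: boundary caps the identity
        return "DENY", "implicit deny: permissions boundary does not allow the action"
    return "ALLOW", "allowed by " + ("identity-based" if allows["identity"] else "resource-based") + " policy"


# Constructed sample: a member account of organization o-exampleorg and bucket team-bucket.
IDENTITY = [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*",
                            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}]
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}
SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",      # Region allow list
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}]
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*",   # enforce HTTPS
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*",   # organization only
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]}


def check(action: str, overrides: dict = None) -> tuple:
    """Evaluate one request; overrides replace keys in the constructed request context."""
    ctx = {"aws:SourceIp": "203.0.113.5", "aws:RequestedRegion": "eu-west-1",
           "aws:PrincipalOrgID": "o-exampleorg", "aws:SecureTransport": "true"}
    ctx.update(overrides or {})
    return evaluate(action, "arn:aws:s3:::team-bucket/report.csv", ctx, IDENTITY, BUCKET_POLICY, SCPS, BOUNDARY)


if __name__ == "__main__":
    print(check("s3:GetObject"))                                       # allowed via identity policy
    print(check("s3:DeleteObject"))                                    # boundary does not allow it
    print(check("s3:GetObject", {"aws:SourceIp": "198.51.100.9"}))      # identity condition fails
    print(check("s3:GetObject", {"aws:RequestedRegion": "us-east-1"}))  # SCP explicit deny
    print(check("s3:GetObject", {"aws:SecureTransport": "false"}))      # bucket policy explicit deny
```

The five calls at the bottom are the five outcomes the exam tends to probe: an allow from the identity policy, an implicit deny because the boundary never mentioned the action, an implicit deny because a condition did not match, and two explicit denies, one from an SCP and one from a resource policy. Notice that the identity policy's s3:* never helps with DeleteObject once a boundary is attached, and that no identity policy can override a Deny in the SCP or bucket policy.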

Domain 5: Data Protection (22%)

Data protection carries the heaviest weight and covers encryption, key management, and data classification.

Key services and concepts:

  • AWS KMS — this is the single most important service for this domain. Understand symmetric vs asymmetric keys, key policies, grants, key rotation (automatic and manual), imported key material, multi-Region keys, and the difference between AWS managed keys and customer managed keys. Know when to use KMS vs CloudHSM.
  • AWS CloudHSM — dedicated hardware security modules, FIPS 140-2 Level 3 compliance, CloudHSM clusters, and integration with KMS custom key stores.
  • Encryption at rest — S3 encryption options (SSE-S3, SSE-KMS, SSE-C, client-side encryption), EBS encryption, RDS encryption, DynamoDB encryption, and the default encryption behavior for each service.
  • Encryption in transit — TLS/SSL, ACM certificate management, enforcing HTTPS with S3 bucket policies and CloudFront, and database connection encryption.
  • AWS Secrets Manager — automatic secret rotation with Lambda, cross-account secret sharing, and the difference between Secrets Manager and Parameter Store.
  • AWS Certificate Manager (ACM) — public vs private certificates, automatic renewal, and integration with ALB, CloudFront, and API Gateway.
  • S3 security — bucket policies, access points, S3 Block Public Access, presigned URLs, and cross-Region replication with encryption.

The exam will test edge cases around KMS. For example, what happens when you try to use a KMS key from a different Region? How do you grant cross-account access to an encrypted S3 bucket? What is the difference between the key policy and IAM policy when controlling access to a KMS key?

Deep Dive: The Five Services That Appear on Every Exam

IAM: The Foundation

IAM appears in almost every question on the exam, whether explicitly or implicitly. You need to understand policy structure at a granular level: Effect, Action, Resource, Condition. Master the policy evaluation flowchart. Know the difference between identity-based policies, resource-based policies, permissions boundaries, SCPs, and session policies. Practice writing policies from scratch and debugging policies that do not work as expected.

KMS: The Encryption Backbone

KMS is the second most tested service. The exam expects you to know key types, key policies (including the default key policy that gives the root account full access), how grants work for temporary access, and the envelope encryption process. Understand how KMS integrates with every other AWS service that supports encryption at rest.
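The envelope encryption process mentioned here, together with the cross-Region edge case raised in the Domain 5 section, is clearest when traced as code. The following is an example added for this guide, not AWS code or the AWS Encryption SDK: FakeKms stands in for a single Region-bound customer managed key whose material never leaves the object and models GenerateDataKey and Decrypt; the application encrypts data locally with the plaintext data key, discards it, and stores only the wrapped copy, so each encrypt or decrypt costs exactly one KMS call regardless of data size. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a standard-library stand-in for AES-GCM so that the block runs without third-party packages; the key ids and Regions are constructed.

```python
"""Envelope encryption the way KMS does it, with an in-memory stand-in for KMS.

Example added for this guide, not AWS code. FakeKms models GenerateDataKey and
Decrypt for one Region-bound key whose material never leaves the object. The
cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a standard-
library stand-in for the AES-GCM used by the AWS Encryption SDK, so the block
runs without third-party packages. Key ids and Regions are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _subkeys(key: bytes) -> tuple:
    """Derive independent confidentiality and integrity keys from one 256-bit key."""
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # wrong key, or tampered data / AAD
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _ctx_bytes(encryption_context: dict) -> bytes:
    """The encryption context is bound as additional authenticated data, as KMS does."""
    return "&".join(f"{k}={v}" for k, v in sorted(encryption_context.items())).encode()


class FakeKms:
    """One customer managed key in one Region; only wrapped data keys ever leave it."""

    def __init__(self, key_id: str, region: str) -> None:
        self.key_id, self.region = key_id, region
        self._material = secrets.token_bytes(32)   # the key material; never returned to callers

    def _arn(self) -> bytes:
        return f"{self.region}:{self.key_id}".encode()

    def generate_data_key(self, encryption_context: dict) -> tuple:
        """Like GenerateDataKey: returns (plaintext data key, wrapped data key)."""
        data_key = secrets.token_bytes(32)
        wrapped = self._arn() + b"|" + aead_encrypt(self._material, data_key, _ctx_bytes(encryption_context))
        return data_key, wrapped

    def decrypt(self, wrapped: bytes, encryption_context: dict) -> bytes:
        """Like Decrypt: refuses ciphertext produced under another key or Region."""
        header, _, body = wrapped.partition(b"|")
        if header != self._arn():
            raise PermissionError(f"ciphertext not encrypted under {self._arn().decode()}")
        return aead_decrypt(self._material, body, _ctx_bytes(encryption_context))


def encrypt_envelope(kms: FakeKms, plaintext: bytes, encryption_context: dict) -> dict:
    data_key, wrapped = kms.generate_data_key(encryption_context)                    # one KMS call
    ciphertext = aead_encrypt(data_key, plaintext, _ctx_bytes(encryption_context))  # local, any size
    del data_key                      # plaintext key is discarded; only the wrapped copy is stored
    return {"wrapped_data_key": wrapped, "ciphertext": ciphertext, "context": encryption_context}


def decrypt_envelope(kms: FakeKms, envelope: dict) -> bytes:
    data_key = kms.decrypt(envelope["wrapped_data_key"], envelope["context"])        # one KMS call
    return aead_decrypt(data_key, envelope["ciphertext"], _ctx_bytes(envelope["context"]))


def demo() -> dict:
    """Round trip, then the two failure modes the exam asks about."""
    eu_key = FakeKms("key-example-eu", "eu-west-1")
    env = encrypt_envelope(eu_key, b"customer record 42", {"app": "billing"})
    out = {"roundtrip": decrypt_envelope(eu_key, env) == b"customer record 42"}
    try:                                          # a key in another Region cannot unwrap it
        decrypt_envelope(FakeKms("key-example-us", "us-east-1"), env)
        out["other_key_rejected"] = False
    except PermissionError:
        out["other_key_rejected"] = True
    try:                                          # encryption context must match exactly
        decrypt_envelope(eu_key, dict(env, context={"app": "other"}))
        out["context_mismatch_rejected"] = False
    except ValueError:
        out["context_mismatch_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Two exam points fall out of the demo: the wrapped data key is bound to the key that produced it, so data encrypted under a key in eu-west-1 cannot be read with a key in us-east-1 (that is what multi-Region keys and cross-Region replication with re-encryption exist to solve), and the encryption context is authenticated, not secret, so a mismatch fails the Decrypt call rather than silently returning garbage.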

GuardDuty: The Threat Detective

GuardDuty is your primary threat detection service. Know its data sources (CloudTrail management events, CloudTrail S3 data events, VPC Flow Logs, DNS logs, EKS audit logs, and Lambda network activity logs). Understand how to enable it across an organization using delegated administrator, how to manage findings, and how to suppress false positives.

Security Hub: The Aggregator

Security Hub pulls findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools into a single dashboard. Understand how to enable security standards, how findings are normalized using AWS Security Finding Format (ASFF), and how to create custom actions with EventBridge.

WAF: The Application Shield

AWS WAF protects your web applications from common exploits. Know how to create web ACLs, use managed rule groups (like the AWS Managed Rules for common threats), write custom rules, and analyze WAF logs. Understand the integration points: CloudFront, ALB, API Gateway, and AppSync.

Building Your Study Plan

Prerequisites

Before starting your SCS-C02 preparation, you should have:

  • AWS Solutions Architect Associate (SAA-C03) or equivalent knowledge
  • Hands-on experience with IAM, VPC, S3, and CloudTrail
  • Basic understanding of encryption concepts and networking

If you do not have these prerequisites, spend 2-3 weeks building your foundation first.

The 8-Week Study Plan

Weeks 1-2: Identity and Access Management

Focus entirely on IAM. Read every page of the IAM documentation. Practice writing policies. Set up cross-account access with roles. Configure IAM Identity Center. Work through permissions boundaries and SCPs.

Weeks 3-4: Data Protection and Encryption

Deep dive into KMS. Create customer managed keys, set up key rotation, practice cross-account key sharing. Implement encryption for S3, EBS, RDS, and DynamoDB. Set up Secrets Manager with automatic rotation.

Weeks 5-6: Infrastructure Security and Logging

Configure VPC security layers. Set up WAF with custom rules. Deploy Network Firewall. Implement centralized logging with CloudTrail, VPC Flow Logs, and Config. Set up cross-account log delivery.

Weeks 7-8: Threat Detection, Review, and Practice

Enable GuardDuty and Security Hub. Build automated incident response with EventBridge and Lambda. Take full-length practice exams. Review weak areas.

Daily Study Routine

Dedicate 1.5 to 2 hours per day:

  • 30 minutes reading documentation or watching videos
  • 30 minutes hands-on labs in your AWS account
  • 30 minutes answering practice questions in StudyKits
  • Review explanations for both correct and incorrect answers

Practice Question Strategy

Practice questions are the single most effective study tool for the SCS-C02 exam. The exam is scenario-based, and you need to develop the ability to quickly identify the key requirements in a scenario and map them to the right AWS services.

Use StudyKits to work through questions daily. Start with 20 questions per day in weeks 1-4, then increase to 40-50 questions per day in weeks 5-8. Pay close attention to the explanations — they often teach you nuances that documentation alone does not cover.

When you consistently score above 80% on practice questions across all five domains, you are ready to schedule your exam.

Exam Day Tips

  • Read each question carefully. The SCS-C02 uses long scenario-based questions, and the correct answer often depends on a single detail in the scenario.
  • Flag difficult questions and come back to them. You have 170 minutes, which is more generous than the associate exams.
  • Eliminate obviously wrong answers first. Most questions have two clearly wrong options and two plausible options.
  • When two answers seem correct, look for the one that is most secure AND most operationally efficient. AWS rarely wants you to choose the most complex solution.
  • Watch for keywords like “least privilege,” “least operational overhead,” “most cost-effective,” and “automated” — these are hints about what AWS considers the best answer.

What Comes After SCS-C02?

The Security Specialty pairs well with other certifications. If you want to deepen your AWS expertise, consider the Solutions Architect Professional (SAP-C02) next. If you are interested in compliance and governance, look into the SysOps Administrator (SOA-C02).

For a complete view of how the Security Specialty fits into your certification journey, check out our AWS Certification Path 2026 guide.

Start Studying Today

The AWS Security Specialty is challenging, but it is absolutely passable with the right preparation. Use this guide as your roadmap, practice consistently with StudyKits, and build hands-on experience with every service covered in the exam. The demand for cloud security professionals continues to grow, and SCS-C02 is one of the best ways to prove your skills.

Download StudyKits and start practicing with hundreds of SCS-C02 questions designed to match the difficulty and format of the real exam.
