Security Specialty
The course equips security professionals with the skills to design, implement, and manage AWS security controls across multi‑account environments, focusing on threat detection, logging, infrastructure hardening, IAM, and data protection.
Who Should Take This
Ideal candidates are senior security engineers, architects, or consultants with at least five years of IT security experience and two years of hands‑on AWS security work. They seek to validate expertise in advanced AWS security practices and lead governance for complex, regulated workloads.
What's Covered
1. Design and implement incident response plans, detect security threats using GuardDuty, Security Hub, and Detective, and automate threat remediation.
2. Design and implement logging solutions using CloudTrail, VPC Flow Logs, and CloudWatch, and monitor security events across multi-account environments.
3. Design edge security, network segmentation, and compute protection strategies using VPC, WAF, Shield, and Network Firewall.
4. Design and implement authentication and authorization strategies using IAM, Organizations SCPs, and identity federation.
5. Design data encryption strategies using KMS and CloudHSM, implement key management policies, and protect data at rest and in transit.
6. Develop governance strategies using AWS Config, Audit Manager, and Organizations, and implement compliance automation and security standards.
Exam Structure
Question Types
- Multiple Choice
- Multiple Response
Scoring Method
Scaled scoring from 100 to 1000, minimum passing score of 750
Delivery Method
Pearson VUE testing center or online proctored
Recertification
Recertify every 3 years by passing the current exam or earning a higher-level AWS certification.
What's Included in AccelaStudy® AI
Course Outline
76 learning goals
Domain 1: Threat Detection and Incident Response
2 topics
Design and implement threat detection strategies
- Identify AWS threat detection services and explain how GuardDuty, Security Hub, Inspector, Macie, and Detective provide complementary detection capabilities across accounts, workloads, and data stores.
- Implement GuardDuty threat detection with multi-account delegation, S3 protection, EKS audit log monitoring, RDS login monitoring, Lambda network activity monitoring, and suppression rules for expected findings.
- Implement Security Hub aggregation with multi-account and multi-Region enablement, standards enablement (CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices), custom insights, and automated finding ingestion from GuardDuty, Inspector, and Macie.
- Implement Inspector vulnerability scanning with EC2 agent-based and agentless scanning, Lambda code scanning, ECR container image scanning, and Software Bill of Materials (SBOM) export.
- Analyze detection coverage gaps across a multi-account environment and tune GuardDuty, Security Hub, and Inspector configurations to improve fidelity while reducing alert fatigue and false positives.
Design and implement incident response procedures
- Identify AWS incident response components and explain how automated remediation via EventBridge rules, Lambda functions, Systems Manager Automation, and Step Functions compose an incident response workflow.
- Implement automated incident response playbooks that isolate compromised EC2 instances by modifying security groups, revoking IAM credentials, creating EBS snapshots for forensic analysis, and notifying stakeholders via SNS.
- Implement forensic evidence collection workflows that capture memory dumps, disk images, VPC flow logs, CloudTrail logs, and DNS query logs with chain-of-custody integrity using S3 Object Lock and cross-account isolation.
- Analyze an active security incident to determine blast radius, coordinate containment across accounts, and design post-incident remediation and improvement actions using Detective investigation graphs and root cause analysis.
Domain 2: Security Logging and Monitoring
3 topics
Design and implement logging solutions
- Identify AWS logging services and explain how CloudTrail (management events, data events, Insights events), VPC Flow Logs, S3 access logs, ELB access logs, Route 53 query logs, and CloudWatch Logs capture security-relevant telemetry.
- Implement CloudTrail organization trail with multi-Region logging, S3 log delivery with SSE-KMS encryption, CloudWatch Logs integration, log file validation, and CloudTrail Lake for SQL-based event querying.
- Implement centralized log aggregation using a dedicated logging account with cross-account S3 delivery, CloudWatch Logs subscription filters, Kinesis Data Firehose, and OpenSearch Service for security analytics.
- Implement log integrity and immutability controls using CloudTrail log file validation (SHA-256 digest files signed by CloudTrail, so a modified or deleted log file is detectable), S3 Object Lock in Governance or Compliance mode (Object Lock requires bucket versioning; a Compliance-mode retention period cannot be shortened or removed even by the root user), bucket versioning, and MFA Delete to prevent tampering.
- Analyze logging architecture tradeoffs for coverage completeness, storage costs, query latency, and retention requirements across CloudTrail, VPC Flow Logs, and CloudWatch Logs to optimize security visibility.
Design and implement security monitoring and alerting
- Identify CloudWatch monitoring capabilities and explain how CloudWatch Alarms, metric filters, anomaly detection, and CloudWatch Logs Insights support security event monitoring and investigation.
- Implement CloudWatch metric filters and alarms for security-critical events including root account usage, unauthorized API calls, IAM policy changes, console sign-in failures, and security group modifications.
- Implement EventBridge rules to route Security Hub findings and GuardDuty alerts to automated response targets including Lambda functions, SNS topics, Step Functions, and third-party SIEM integrations.
- Analyze security monitoring outputs using CloudWatch Logs Insights queries, Athena queries against CloudTrail logs, and Detective investigation graphs to validate alert quality, determine root cause, and assess response actionability.
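The metric-filter patterns behind the alarms above are easier to reason about when the matching logic can be run against real-looking records. The block below is an added example written for this page, not course material or AWS code: it re-implements the CIS AWS Foundations Benchmark CloudWatch Logs filter patterns for root usage, unauthorized API calls, IAM policy changes, console sign-in failures and security group changes as Python predicates and runs them over a handful of constructed CloudTrail records. The account ID, user names and ARNs in the sample are invented.

```python
# Added example for this page, not course material or AWS code: the CIS AWS
# Foundations Benchmark metric-filter patterns re-implemented as Python predicates
# and run over constructed CloudTrail records so the detection logic can be
# exercised offline. Each entry pairs the predicate with the CloudWatch Logs
# filter pattern it mirrors. Account ID, names and ARNs below are invented.
import fnmatch

# Constructed sample records; field names follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventType": "AwsApiCall", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    # Service-linked work done on root's behalf: invokedBy is set, so CIS suppresses it.
    {"eventType": "AwsServiceEvent", "eventName": "CreateServiceLinkedRole",
     "userIdentity": {"type": "Root", "invokedBy": "autoscaling.amazonaws.com"}},
    {"eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventType": "AwsApiCall", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorCode": "AccessDenied"},
    {"eventType": "AwsApiCall", "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorMessage": "Failed authentication"},
    {"eventType": "AwsApiCall", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"}},
    {"eventType": "AwsApiCall", "eventName": "DescribeSecurityGroups",  # benign read
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
]

IAM_POLICY_CHANGES = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "PutGroupPolicy",
    "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "DeletePolicy",
    "CreatePolicyVersion", "DeletePolicyVersion", "AttachRolePolicy", "DetachRolePolicy",
    "AttachUserPolicy", "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_CHANGES = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def root_usage(e):
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def unauthorized_api_call(e):
    code = e.get("errorCode", "")
    return (fnmatch.fnmatchcase(code, "*UnauthorizedOperation")
            or fnmatch.fnmatchcase(code, "AccessDenied*"))


def console_signin_failure(e):
    return e.get("eventName") == "ConsoleLogin" and e.get("errorMessage") == "Failed authentication"


# rule name -> (predicate, equivalent CloudWatch Logs metric filter pattern)
DETECTIONS = {
    "RootAccountUsage": (root_usage,
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }'),
    "UnauthorizedApiCalls": (unauthorized_api_call,
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'),
    "IamPolicyChanges": (lambda e: e.get("eventName") in IAM_POLICY_CHANGES,
        "{ ($.eventName = PutUserPolicy) || (one clause per name in IAM_POLICY_CHANGES) }"),
    "ConsoleSignInFailures": (console_signin_failure,
        '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'),
    "SecurityGroupChanges": (lambda e: e.get("eventName") in SECURITY_GROUP_CHANGES,
        "{ ($.eventName = CreateSecurityGroup) || (one clause per name in SECURITY_GROUP_CHANGES) }"),
}


def scan(events):
    """One finding per (rule, event) match, the way a metric filter emits a data point."""
    return [(name, e.get("eventName")) for e in events
            for name, (pred, _pattern) in DETECTIONS.items() if pred(e)]


def metric_counts(events):
    """Per-rule totals: what a CloudWatch alarm with threshold >= 1 would evaluate."""
    counts = {name: 0 for name in DETECTIONS}
    for name, _ in scan(events):
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for rule, event_name in scan(SAMPLE_EVENTS):
        print(f"{rule:22s} {event_name}")
    print(metric_counts(SAMPLE_EVENTS))
```

Two fidelity points the sample records exercise: the root-usage pattern excludes events where userIdentity.invokedBy is set or eventType is AwsServiceEvent, so service-linked work performed on root's behalf does not page anyone, and the unauthorized-call pattern matches on errorCode prefixes and suffixes rather than exact strings, so both Client.UnauthorizedOperation and AccessDenied-style codes count while a plain DescribeSecurityGroups read stays quiet.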
Design and implement AWS Config for compliance monitoring
- Identify AWS Config capabilities and explain how configuration recording, managed rules, custom rules, conformance packs, and aggregators provide continuous compliance monitoring across multi-account environments.
- Implement AWS Config rules for security compliance monitoring including encrypted-volumes, restricted-ssh, root-account-mfa-enabled, s3-bucket-public-read-prohibited, and custom Lambda-based rules for organization-specific policies.
- Implement AWS Config automatic remediation using Systems Manager Automation documents to auto-remediate non-compliant resources such as enabling S3 encryption, restricting security group rules, and enabling CloudTrail logging.
- Analyze AWS Config compliance posture across an organization using Config aggregators and conformance packs to identify systemic non-compliance patterns and prioritize remediation by risk severity.
Domain 3: Infrastructure Security
4 topics
Design and implement VPC network security
- Identify VPC security components and explain how security groups (stateful), NACLs (stateless), route tables, internet gateways, NAT gateways, and VPC peering control network traffic flow and isolation.
- Implement multi-tier VPC architecture with public, private, and isolated subnets, layered security group rules, restrictive NACLs, and NAT gateway routing for secure outbound-only internet access.
- Implement VPC Flow Logs with custom log formats, cross-account delivery to a centralized S3 bucket, and Athena-based query analysis for network traffic forensics and anomaly investigation.
- Analyze VPC network security configurations to identify misconfigured ingress and egress rules, overly permissive security groups, missing flow log coverage, and unnecessary internet exposure for workloads.
Design and implement network connectivity and edge security
- Identify AWS network connectivity and edge services and explain how VPC endpoints (gateway and interface), PrivateLink, Transit Gateway, Direct Connect, VPN, and AWS Network Firewall provide secure connectivity options.
- Implement VPC endpoints and PrivateLink to eliminate internet traversal for S3, DynamoDB, KMS, and other AWS service API calls with endpoint policies restricting access to specific resources and actions.
- Implement Transit Gateway with centralized inspection VPC, Network Firewall stateful rule groups, and route table segmentation for hub-and-spoke multi-account network architectures.
- Implement site-to-site VPN with redundant tunnels, BGP routing, and certificate-based authentication for encrypted hybrid connectivity between on-premises networks and AWS VPCs.
- Analyze network connectivity design tradeoffs between VPC peering, Transit Gateway, PrivateLink, and VPN to determine optimal connectivity architecture for security isolation, cost, and scalability requirements.
Design and implement edge protection and DDoS mitigation
- Identify AWS edge protection services and explain how AWS WAF, Shield Standard, Shield Advanced, CloudFront, and Route 53 provide layered DDoS mitigation and application-layer protection.
- Implement AWS WAF web ACLs with managed rule groups (Core Rule Set, SQL injection, known bad inputs), rate-based rules, geo-match conditions, IP reputation lists, and custom regex rules attached to CloudFront and ALB.
- Implement Shield Advanced protection with proactive engagement, health-based detection, automatic application-layer DDoS mitigation, and cost protection for protected resources across CloudFront, ALB, and Elastic IP.
- Implement Firewall Manager policies to enforce WAF rules, Shield Advanced protections, security group policies, and Network Firewall rules across all accounts in an AWS Organization.
- Analyze WAF rule effectiveness using WAF logging, sampled requests, and CloudWatch metrics to tune rules for precision, reduce false positives, and improve detection of evolving application-layer attacks.
Secure compute workloads
- Implement EC2 instance security hardening using Systems Manager Patch Manager, State Manager, Session Manager (no SSH bastion needed), and Amazon Inspector for vulnerability management and compliance.
- Implement container security controls for ECS and EKS including ECR image scanning, task role segregation, Fargate runtime isolation, Pod Security Standards enforced through Pod Security Admission (PodSecurityPolicy was removed in Kubernetes 1.25), and secrets injection from Secrets Manager.
- Implement Lambda function security including execution role least-privilege, VPC placement for private resource access, reserved concurrency limits, code signing, and environment variable encryption with KMS.
Domain 4: Identity and Access Management
3 topics
Design and implement IAM policies and roles
- Identify IAM policy types and explain how identity-based policies, resource-based policies, permissions boundaries, service control policies, and session policies interact to determine effective permissions through the policy evaluation logic.
- Implement fine-grained IAM policies using condition keys (aws:SourceIp, aws:PrincipalOrgID, aws:RequestedRegion, kms:ViaService), tag-based access control (ABAC), and resource-level permissions for least-privilege enforcement.
- Implement IAM roles for service-to-service access with trust policies, cross-account role assumption via STS AssumeRole, external ID for confused deputy prevention, and session duration limits.
- Implement permissions boundaries to delegate IAM administration safely, allowing developers to create roles without exceeding a defined privilege ceiling enforced by the boundary policy.
- Analyze IAM policy evaluation logic to diagnose access denied errors, identify unintended privilege escalation paths, and determine effective permissions when multiple policy types interact.
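Diagnosing an access denied error means knowing which stage of the evaluation logic produced it. The block below is an added example written for this page, not course material or AWS code: a compact simulator of the evaluation order for a request inside one account (explicit deny first, then SCPs, permissions boundary and session policy, then an identity-based or resource-based allow) exercised with a Region guardrail SCP, an ABAC condition using a policy variable, and a permissions boundary. It models only Action, NotAction, Resource and the StringEquals, StringNotEquals and StringLike operators; real IAM has many more operators and edge cases (for instance, a resource-based policy that names the principal directly is not limited by the boundary). All ARNs, account IDs, tags and policy names are invented.

```python
# Added example for this page; not course material and not AWS code. A compact
# simulator of the IAM evaluation order for a request inside one account: any
# explicit Deny wins; then every SCP level, the permissions boundary and the
# session policy must each Allow; finally an identity-based or resource-based
# Allow is required. Models only Action, NotAction, Resource and the StringEquals,
# StringNotEquals, StringLike operators with ${...} variables. Names are invented.
import fnmatch

def _listify(x):
    return x if isinstance(x, list) else [x]

def _substitute(value, ctx):
    # Policy variables such as ${aws:PrincipalTag/team} resolve from the request context.
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", str(val))
    return value

def _conditions_hold(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [_substitute(v, ctx) for v in _listify(expected)]
            actual = ctx.get(key)
            if op == "StringEquals":
                ok = actual in expected
            elif op == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, e) for e in expected)
            elif op == "StringNotEquals":
                ok = actual is None or actual not in expected  # negated operators pass on a missing key
            else:
                raise ValueError(f"condition operator {op} not modelled")
            if not ok:
                return False
    return True

def _applies(stmt, req):
    act, res = req["action"], req["resource"]
    if "Action" in stmt and not any(fnmatch.fnmatchcase(act, a) for a in _listify(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(fnmatch.fnmatchcase(act, a) for a in _listify(stmt["NotAction"])):
        return False
    if not any(fnmatch.fnmatchcase(res, r) for r in _listify(stmt.get("Resource", "*"))):
        return False
    return _conditions_hold(stmt.get("Condition", {}), req["context"])

def evaluate(policy, req):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    decision = None
    for stmt in _listify(policy["Statement"]):
        if _applies(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def authorize(req, identity_policies, scp_levels=(), boundary=None,
              session_policy=None, resource_policy=None):
    """Run the evaluation order and report which stage decided the outcome."""
    everything = list(identity_policies) + [p for level in scp_levels for p in level]
    everything += [p for p in (boundary, session_policy, resource_policy) if p]
    if any(evaluate(p, req) == "Deny" for p in everything):
        return "Deny: explicit deny"
    for level in scp_levels:  # SCPs intersect down the OU path: every level needs an Allow
        if not any(evaluate(p, req) == "Allow" for p in level):
            return "Deny: SCP"
    if boundary and evaluate(boundary, req) != "Allow":
        return "Deny: permissions boundary"
    if session_policy and evaluate(session_policy, req) != "Allow":
        return "Deny: session policy"
    if any(evaluate(p, req) == "Allow" for p in identity_policies):
        return "Allow"
    if resource_policy and evaluate(resource_policy, req) == "Allow":
        return "Allow"
    return "Deny: implicit deny"

# Constructed policies: the Organizations default SCP, a Region guardrail SCP, a
# developer identity policy with an ABAC condition, and a permissions boundary.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
REGION_GUARDRAIL = {"Statement": [{
    "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
DEVELOPER = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}}]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
ORG_PATH = [[FULL_ACCESS, REGION_GUARDRAIL]]  # one OU level with both SCPs attached

def decide(action, resource, context):
    """Evaluate the developer's request under the constructed policies above."""
    req = {"action": action, "resource": resource, "context": context}
    return authorize(req, [DEVELOPER], ORG_PATH, boundary=BOUNDARY)

if __name__ == "__main__":
    print(decide("s3:PutObject", "arn:aws:s3:::app-data/x", {"aws:RequestedRegion": "us-east-1"}))
```

Three things the constructed policies make visible: the Region guardrail's explicit Deny beats the developer's own Allow and the boundary's Allow, which is why SCP denials show up as AccessDenied even for administrators; the NotAction list exempts global services from the Region deny, but an iam:CreateUser call is still refused because the boundary never allows it; and a failed ABAC condition produces an implicit deny with no matching statement, which is the outcome to expect when principal and resource tags disagree.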
Design and implement identity federation and SSO
- Identify AWS federation mechanisms and explain how SAML 2.0, OpenID Connect, IAM Identity Center (the successor to AWS SSO), Amazon Cognito, and custom identity brokers provide authentication for human and application identities.
- Implement IAM Identity Center with SAML-based identity provider integration, permission sets, account assignments, and attribute-based access control for centralized multi-account workforce access.
- Implement Cognito user pools with MFA enforcement, custom authentication flows using Lambda triggers (pre authentication, post confirmation, pre token generation), and identity pools for temporary AWS credential vending.
- Analyze federation architecture choices to select appropriate identity solutions balancing user experience, assurance levels, token lifecycle management, and regulatory requirements across enterprise and consumer access scenarios.
Design and implement multi-account access governance
- Implement service control policies to enforce security guardrails across an AWS Organization including denying root account usage, restricting Regions, preventing disabling of security services, and requiring encryption.
- Implement IAM Access Analyzer to identify resources shared externally, validate policies against best practices, and generate least-privilege policies from CloudTrail access activity.
- Analyze cross-account resource sharing risks using IAM Access Analyzer findings, resource-based policy audits, and SCP enforcement gaps to minimize unintended external access across the organization.
Domain 5: Data Protection
3 topics
Design and implement key management
- Identify KMS key types and explain the differences between AWS managed keys, customer managed keys (symmetric and asymmetric), data keys, key policies, grants, and the envelope encryption pattern used by AWS services.
- Implement KMS key policies with key administrators, key users, and grants to control who can manage and use keys, including cross-account key sharing using key policy conditions and kms:ViaService restrictions.
- Implement KMS key rotation (automatic rotation for symmetric customer managed keys, yearly by default with a configurable period and on-demand rotation; manual rotation for asymmetric, HMAC, and imported-key-material keys, which cannot be rotated automatically), key aliasing, multi-Region keys, and imported key material lifecycle management.
- Implement CloudHSM cluster deployment with high availability, key management using PKCS#11 and JCE providers, and integration with KMS custom key store for FIPS 140-2 Level 3 compliance requirements.
- Analyze cryptographic architecture choices for key custody, rotation strategy, cross-account access, cost, and compliance requirements to determine when to use KMS managed keys, customer managed keys, CloudHSM, or imported key material.
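The envelope encryption pattern and the rotation behaviour described above are easiest to see with the mechanics laid bare. The block below is an added example written for this page, not course material and not the AWS SDK: an in-memory stand-in for KMS that hands out per-object data keys wrapped under a key-encryption key that never leaves the "KMS" object, binds the encryption context as authenticated data, and keeps every previous backing-key version after rotation so that old ciphertexts still decrypt. The symmetric primitive is HMAC-SHA256 in counter mode with an HMAC tag (encrypt-then-MAC) so that only the Python standard library is needed; real deployments use AES-GCM via KMS or the AWS Encryption SDK. Key IDs, the object ARN and the encryption context are invented.

```python
# Added example for this page; not course material and not the AWS SDK. A stand-in
# for the KMS envelope-encryption pattern: a key-encryption key (KEK) that never
# leaves FakeKms wraps a fresh per-object data key, and the stored envelope carries
# the key ID, the wrapped data key and the encryption context. Rotating the KEK
# appends a new backing-key version while old versions remain for decryption.
# Cipher: HMAC-SHA256 counter mode + HMAC tag (encrypt-then-MAC), stdlib only;
# production code uses AES-GCM through KMS or the AWS Encryption SDK.
import hashlib
import hmac
import json
import os
import struct

def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte secret.
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()

def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext or encryption context altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _canonical(encryption_context):
    # KMS binds the context as AAD; canonical JSON makes the binding order-independent.
    return json.dumps(encryption_context, sort_keys=True).encode()

class FakeKms:
    """In-memory stand-in for GenerateDataKey / Decrypt / key rotation."""

    def __init__(self):
        self._versions = {}  # key_id -> list of backing keys, newest last

    def create_key(self, key_id):
        self._versions[key_id] = [os.urandom(32)]

    def rotate(self, key_id):
        self._versions[key_id].append(os.urandom(32))  # older versions are retained

    def generate_data_key(self, key_id, encryption_context):
        versions = self._versions[key_id]
        data_key = os.urandom(32)
        # The wrapped blob records which backing-key version sealed it.
        wrapped = struct.pack(">I", len(versions) - 1) + seal(
            versions[-1], data_key, _canonical(encryption_context))
        return data_key, wrapped

    def decrypt_data_key(self, key_id, wrapped, encryption_context):
        version = struct.unpack(">I", wrapped[:4])[0]
        return unseal(self._versions[key_id][version], wrapped[4:], _canonical(encryption_context))

def encrypt_object(kms, key_id, plaintext, encryption_context):
    data_key, wrapped = kms.generate_data_key(key_id, encryption_context)
    return {"key_id": key_id, "key_version": int.from_bytes(wrapped[:4], "big"),
            "wrapped_data_key": wrapped.hex(), "context": encryption_context,
            "body": seal(data_key, plaintext).hex()}

def decrypt_object(kms, envelope, encryption_context=None):
    """Only the small wrapped key goes to 'KMS'; the body is decrypted locally."""
    ctx = envelope["context"] if encryption_context is None else encryption_context
    data_key = kms.decrypt_data_key(envelope["key_id"],
                                    bytes.fromhex(envelope["wrapped_data_key"]), ctx)
    return unseal(data_key, bytes.fromhex(envelope["body"]))

if __name__ == "__main__":
    kms = FakeKms()
    kms.create_key("alias/app-data")
    ctx = {"aws:s3:arn": "arn:aws:s3:::app-data/report.csv"}
    before = encrypt_object(kms, "alias/app-data", b"quarterly numbers", ctx)
    kms.rotate("alias/app-data")
    after = encrypt_object(kms, "alias/app-data", b"after rotation", ctx)
    print(before["key_version"], decrypt_object(kms, before))
    print(after["key_version"], decrypt_object(kms, after))
```

Two properties worth noting: the only call that touches "KMS" when reading an object is a Decrypt on the small wrapped key, so bulk data never crosses the KMS API, which is what keeps per-object cost and latency flat and why the same pattern underlies S3 SSE-KMS, EBS and RDS encryption; and because the encryption context is bound as authenticated data, a wrapped key is unusable under any other context, a property that pairs naturally with kms:EncryptionContext conditions in key policies.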
Design and implement data encryption at rest and in transit
- Identify encryption-at-rest options for AWS storage services and explain the differences between SSE-S3, SSE-KMS, SSE-C for S3, and default encryption behaviors for EBS, RDS, DynamoDB, and EFS.
- Implement S3 encryption enforcement using bucket policies that deny PutObject requests whose s3:x-amz-server-side-encryption header is missing or does not name aws:kms (and, where required, the expected key via s3:x-amz-server-side-encryption-aws-kms-key-id), default bucket encryption with SSE-KMS, and S3 Bucket Keys for cost optimization; note that S3 applies SSE-S3 to new objects by default, and that a deny-on-missing-header policy also rejects clients that rely on the bucket default instead of sending the header, so test uploads after enforcing it.
- Implement encryption in transit using ACM-managed TLS certificates, ALB/CloudFront HTTPS enforcement, TLS policies for RDS and ElastiCache, and VPN/Direct Connect encryption for hybrid connectivity.
- Analyze encryption design decisions across storage and transport layers to satisfy compliance frameworks (PCI DSS, HIPAA, GDPR), minimize KMS API costs, and ensure complete coverage with no unencrypted data paths.
Design and implement secrets and sensitive data management
- Identify AWS secrets management services and explain the differences between Secrets Manager (automatic rotation, cross-account sharing), Systems Manager Parameter Store (SecureString, hierarchies), and ACM (certificate lifecycle).
- Implement Secrets Manager with automatic rotation using Lambda rotation functions for RDS, Redshift, and DocumentDB credentials, cross-account secret sharing via resource policies, and versioning for safe rotation.
- Implement ACM certificate provisioning with DNS validation, automatic renewal, and deployment to CloudFront distributions, ALBs, and API Gateway custom domains for TLS endpoint management.
- Implement Macie sensitive data discovery to scan S3 buckets for PII, PHI, and financial data using managed and custom data identifiers, and configure automated alerting and remediation for sensitive data exposure.
- Analyze sensitive data exposure risks across storage, logging, and transport pathways and determine remediation strategies including Macie findings triage, log sanitization, encryption enforcement, and access auditing.
Domain 6: Management and Security Governance
3 topics
Design and implement multi-account security governance
- Identify AWS multi-account governance services and explain how AWS Organizations, Control Tower, Service Catalog, and CloudFormation StackSets enable centralized security baseline management across accounts.
- Implement AWS Organizations with organizational unit structure, SCPs for preventive guardrails, delegated administrator accounts for security services, and tag policies for resource governance.
- Implement Control Tower with landing zone configuration, mandatory and strongly recommended controls (formerly called guardrails), account factory for standardized provisioning, and drift detection for governance baseline compliance.
- Implement CloudFormation StackSets to deploy security baseline resources (Config rules, CloudTrail, GuardDuty enablement, IAM roles) across all accounts in an organization automatically.
- Analyze organizational governance effectiveness by evaluating SCP enforcement gaps, Control Tower drift findings, Config compliance rates, and delegated administrator coverage to prioritize governance improvements.
Design and implement compliance and audit readiness
- Identify AWS compliance services and explain how AWS Artifact, Audit Manager, Security Hub compliance standards, and Config conformance packs support regulatory compliance evidence collection and reporting.
- Implement Audit Manager assessments with pre-built frameworks (PCI DSS, SOC 2, HIPAA) to collect automated evidence from Config, CloudTrail, and Security Hub for continuous audit readiness.
- Analyze compliance posture across regulatory frameworks to identify control gaps, map AWS service configurations to specific compliance requirements, and develop remediation plans prioritized by audit risk.
Design and implement security automation and continuous improvement
- Implement security automation pipelines using EventBridge rules, Lambda remediation functions, and Step Functions workflows to automatically respond to Security Hub findings, Config rule violations, and GuardDuty alerts.
- Implement security-focused CI/CD pipeline controls including CodePipeline approval gates, SAST/DAST integration, container image vulnerability scanning in CodeBuild, and infrastructure-as-code security validation with cfn-guard.
- Analyze security metrics and operational data to evaluate the effectiveness of automated remediation, measure mean-time-to-remediate trends, and define continuous improvement plans for the security program.
Hands-On Labs
Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.
Certification Benefits
Industry Recognition
The AWS Security Specialty is recognized as one of the top-paying technical certifications globally and is consistently ranked in the Skillsoft IT Skills and Salary survey as a premium credential. It validates deep cloud security expertise that is critical as organizations migrate sensitive workloads to AWS.
Scope
Included Topics
- All domains and task statements in the AWS Certified Security - Specialty (SCS-C02) exam guide: Domain 1 Threat Detection and Incident Response (14%), Domain 2 Security Logging and Monitoring (18%), Domain 3 Infrastructure Security (20%), Domain 4 Identity and Access Management (16%), Domain 5 Data Protection (18%), and Domain 6 Management and Security Governance (14%).
- Specialty-level AWS cloud security design and operations including threat detection, incident response, logging pipelines, network security, identity architecture, encryption key management, and governance automation.
- Key AWS security services: IAM, AWS Organizations, SCP, KMS, CloudHSM, CloudTrail, GuardDuty, Security Hub, AWS Config, WAF, Shield, Macie, Detective, Inspector, VPC (security groups, NACLs, flow logs), Secrets Manager, ACM, Systems Manager, Firewall Manager, Network Firewall, PrivateLink, Transit Gateway, Route 53 DNSSEC, Lambda (security automation), EventBridge, SNS, CloudWatch, Athena, S3 (access controls, encryption), EBS/RDS/DynamoDB encryption, and AWS Audit Manager.
- Scenario-driven security decisions requiring balancing prevention, detection, response, compliance, and operational practicality across multi-account AWS environments.
Not Covered
- General software development practices that do not directly affect AWS security architecture or security operations outcomes.
- Non-AWS product-specific administration detail unless needed to reason about integrations at the AWS security control boundary.
- Research-only cryptography proofs and formal methods outside practical implementation and governance decisions expected in the exam.
- Short-lived pricing values and rapidly changing commercial terms that are not durable knowledge for a long-lived domain specification.
- AWS CLI command-level syntax memorization and SDK version-specific API signatures.
Official Exam Page
Learn more at Amazon Web Services