AWS Certified Security — Specialty (SCS-C03) Complete Study Guide [165 Minute Read]

A First-Principles Approach to AWS Cloud Security

Welcome to your comprehensive guide for the AWS Certified Security — Specialty (SCS-C03) exam. This guide doesn't just teach you what AWS security services do — it builds the mental model for why each security control exists and when to apply it. By understanding first principles, you'll be able to reason through unfamiliar scenarios on the exam and in your career, even when they involve services you haven't explicitly memorized.

📋 Official Exam Objectives: AWS Certified Security - Specialty (SCS-C03) Exam Guide

Exam Style: The SCS-C03 emphasizes complex, multi-service scenario questions that test your ability to design, implement, and troubleshoot security architectures. Approximately 60% of questions are application-level, requiring you to synthesize knowledge across multiple domains. The exam also introduces ordering and matching question types alongside traditional multiple-choice and multiple-response formats.

Exam Details:

Prerequisites: This guide assumes foundational AWS knowledge equivalent to the Solutions Architect Associate certification. You should be comfortable with core AWS services (EC2, S3, VPC, IAM) and basic networking concepts.

Exam Domain Weights

Identity and Access Management carries the highest weight at 20%, reflecting the exam's emphasis on granular access control, federation, and advanced authorization patterns. Infrastructure Security and Data Protection are tied at 18% each, followed by Detection at 16%. Incident Response and Governance each carry 14%.

---

(Table of Contents - For Reference)

• Phase 1: First Principles of Cloud Security

  • 1.1. Understanding the AWS SCS-C03 Exam
    • 1.1.1. Exam Structure, Question Types, and Scoring
    • 1.1.2. Navigating This Study Guide
  • 1.2. Core Cloud Security First Principles
    • 1.2.1. Defense-in-Depth and Least Privilege
    • 1.2.2. Zero Trust and Assume Breach
    • 1.2.3. Security Automation and Continuous Validation
  • 1.3. AWS Shared Responsibility Model
    • 1.3.1. AWS's Security Responsibilities (Security OF the Cloud)
    • 1.3.2. Customer's Security Responsibilities (Security IN the Cloud)
  • 1.4. AWS Global Infrastructure and Security Implications
    • 1.4.1. Regions, Availability Zones, and Data Residency
    • 1.4.2. Edge Locations and Global vs. Regional Services
  • 1.5. Phase 1 Reflection Checkpoint

• Phase 2: Detection (16%)

  • 2.1. Monitoring and Alerting Solutions
    • 2.1.1. Workload Monitoring Requirements and Strategies
    • 2.1.2. Aggregating Security Events
    • 2.1.3. Metrics, Alerts, and Dashboards for Anomaly Detection
    • 2.1.4. Automated Assessments and Investigations
  • 2.2. Logging Solutions
    • 2.2.1. Log Sources, Ingestion, and Storage
    • 2.2.2. Configuring Logging for AWS Services
    • 2.2.3. Log Storage, Data Lakes, and Third-Party Integration
    • 2.2.4. Analyzing Logs with AWS Services
    • 2.2.5. Normalizing, Parsing, and Correlating Logs
    • 2.2.6. Network-Based Log Sources
  • 2.3. Troubleshooting Monitoring and Logging
    • 2.3.1. Analyzing Resource Configuration and Permissions
    • 2.3.2. Remediating Logging Misconfigurations
  • 2.4. Phase 2 Reflection Checkpoint

• Phase 3: Incident Response (14%)

  • 3.1. Designing and Testing Incident Response Plans
    • 3.1.1. Response Plans and Runbooks
    • 3.1.2. Preparing Services for Incidents
    • 3.1.3. Testing and Validating IR Plans
    • 3.1.4. Automated Incident Remediation
  • 3.2. Responding to Security Events
    • 3.2.1. Capturing Forensic Artifacts
    • 3.2.2. Searching and Correlating Logs for Events
    • 3.2.3. Validating and Assessing Security Findings
    • 3.2.4. Containment, Eradication, and Recovery
    • 3.2.5. Root Cause Analysis
  • 3.3. Phase 3 Reflection Checkpoint

• Phase 4: Infrastructure Security (18%)

  • 4.1. Network Edge Security
    • 4.1.1. Edge Security Strategies and Threat Modeling
    • 4.1.2. Network Edge Protection (CloudFront, WAF, Shield)
    • 4.1.3. Edge Controls and Rules (Geo, Rate Limiting, Fingerprinting)
    • 4.1.4. Edge Service Integrations and OCSF
  • 4.2. Compute Workload Security
    • 4.2.1. Hardened AMIs and Container Images
    • 4.2.2. Instance Profiles, Service Roles, and Execution Roles
    • 4.2.3. Vulnerability Scanning for Compute Resources
    • 4.2.4. Automated Patching and Continuous Validation
    • 4.2.5. Secure Administrative Access
    • 4.2.6. Pipeline Security and Code Scanning
    • 4.2.7. Generative AI Application Security
  • 4.3. Network Security Controls
    • 4.3.1. Security Groups, NACLs, and Network Firewall
    • 4.3.2. Hybrid and Multi-Cloud Connectivity Security
    • 4.3.3. Zero-Trust Network Access with Verified Access
    • 4.3.4. Network Segmentation and Traffic Protection
    • 4.3.5. Identifying Unnecessary Network Access
  • 4.4. Phase 4 Reflection Checkpoint

• Phase 5: Identity and Access Management (20%)

  • 5.1. Authentication Strategies
    • 5.1.1. Identity Solutions (IAM Identity Center, Cognito, MFA)
    • 5.1.2. Temporary Credentials and Token Mechanisms
    • 5.1.3. Troubleshooting Authentication Issues
  • 5.2. Authorization Strategies
    • 5.2.1. Authorization Controls and Verified Permissions
    • 5.2.2. ABAC and RBAC Strategies
    • 5.2.3. IAM Policies and Least Privilege
    • 5.2.4. Analyzing Authorization Failures
    • 5.2.5. Investigating Unintended Permissions
  • 5.3. Phase 5 Reflection Checkpoint

• Phase 6: Data Protection (18%)

  • 6.1. Data in Transit
    • 6.1.1. Encryption Requirements for Resource Connections
    • 6.1.2. Secure and Private Access Mechanisms
    • 6.1.3. Inter-Resource Encryption in Transit
  • 6.2. Data at Rest
    • 6.2.1. Data Encryption at Rest (KMS, CloudHSM)
    • 6.2.2. Data Integrity Mechanisms
    • 6.2.3. Lifecycle Management and Retention
    • 6.2.4. Secure Replication and Backup
  • 6.3. Confidential Data, Secrets, and Key Materials
    • 6.3.1. Credential and Secret Management and Rotation
    • 6.3.2. Imported vs. AWS-Generated Key Material
    • 6.3.3. Sensitive Data Masking
    • 6.3.4. Multi-Region Key and Certificate Management
  • 6.4. Phase 6 Reflection Checkpoint

• Phase 7: Security Foundations and Governance (14%)

  • 7.1. Centralized Account Management
    • 7.1.1. AWS Organizations Deployment and Configuration
    • 7.1.2. AWS Control Tower Implementation
    • 7.1.3. Organization Policies (SCPs, RCPs, Declarative Policies)
    • 7.1.4. Centralized Security Service Management
    • 7.1.5. Root User Credential Management
  • 7.2. Secure Resource Deployment
    • 7.2.1. Infrastructure as Code Security
    • 7.2.2. Resource Tagging Strategies
    • 7.2.3. Centralized Policy Enforcement
    • 7.2.4. Cross-Account Resource Sharing
  • 7.3. Compliance Evaluation
    • 7.3.1. Compliance Detection and Remediation
    • 7.3.2. Audit Evidence Collection
    • 7.3.3. Architecture Compliance with Best Practices
  • 7.4. Phase 7 Reflection Checkpoint

• Phase 8: Exam Readiness and Beyond

  • 8.1. Exam Preparation Strategies
    • 8.1.1. Exam Structure and Time Management
    • 8.1.2. Tackling Scenario-Based Questions
  • 8.2. Continuous Learning and Community
  • 8.3. Glossary of Key AWS Security Services and Concepts
  • 8.4. Phase 8 Reflection Checkpoint

---