AWS · Specialty

AWS Certified Security - Specialty (SCS-C02) practice exam & study guide

The AWS Certified Security - Specialty (SCS-C02) is AWS’s specialty certification for cloud security. It validates deep skills in threat detection and incident response, security logging and monitoring, infrastructure security, identity and access management, data protection, and security governance on AWS.

SCS-C02 is a specialty exam for security-focused practitioners. It is deep rather than broad, drilling into how to secure, monitor, and govern AWS environments, and questions are scenario-driven.

This free hub gives you a syllabus breakdown by domain, realistic scenario questions with teacher-style explanations, a glossary of the AWS security services the exam relies on, and full-length timed mock exams that mirror the real testing experience.

65
Questions
170 min
Time limit
75%
Mock pass %
6
Domains

Start studying SCS-C02

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 6 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    65 questions · 170 min · 75% to pass our mock.

    Take the mock exam

All SCS-C02 study resources

SCS-C02 exam domains

The SCS-C02 exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Threat Detection and Incident Response14%Practice this topic
Security Logging and Monitoring18%Practice this topic
Infrastructure Security20%Practice this topic
Identity and Access Management16%Practice this topic
Data Protection18%Practice this topic
Management and Security Governance14%Practice this topic

Sample SCS-C02 questions

A sample of the SCS-C02 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key SCS-C02 terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SCS-C02 exam.

SCS-C02 frequently asked questions

What is the SCS-C02 certification?+

AWS positions the Security - Specialty as validating expertise in securing the AWS platform: data protection, incident response, IAM, infrastructure security, and monitoring. It expects deep knowledge of services like GuardDuty, Security Hub, KMS, IAM policy evaluation, and CloudTrail.

It is detail-heavy and judgment-based — you must know exactly how security services behave and choose the strongest control for a scenario, not just recognise the services.

What topics are on the SCS-C02 exam?+

The SCS-C02 exam is organised into six weighted domains. The percentages below are each domain’s share of scored content; Infrastructure Security, Data Protection, and Logging/Monitoring carry the most weight.

Threat Detection and Incident Response (14%)

Covers detecting threats with Amazon GuardDuty, Security Hub, and Detective, designing incident-response plans, automating response with EventBridge, Lambda, and Systems Manager, and forensics, containment, and recovery on AWS.

Security Logging and Monitoring (18%)

Covers CloudTrail, CloudWatch Logs, VPC Flow Logs, and AWS Config, designing monitoring and alerting, analyzing logs with Athena, and troubleshooting logging and monitoring configurations.

Infrastructure Security (20%)

One of the heaviest domains. It covers edge security (CloudFront, WAF, Shield), network security (security groups, NACLs, Network Firewall), VPC design and PrivateLink, securing hybrid connectivity, and host and service hardening.

Identity and Access Management (16%)

Covers IAM policies, roles, permission boundaries and evaluation logic, federation and IAM Identity Center, cross-account access and STS, resource-based policies, and enforcing least privilege at scale.

Data Protection (18%)

Covers encryption at rest and in transit, AWS KMS key policies, grants, and rotation, certificate management with ACM, secrets management, S3 data protection, and data classification.

Management and Security Governance (14%)

Covers governance at scale with AWS Organizations, SCPs, and Control Tower, Config rules and conformance packs, Security Hub standards, auditing, and managing the cost of security controls across accounts.

Is the SCS-C02 hard?+

SCS-C02 is a demanding specialty exam. It expects precise knowledge of how AWS security services behave — for example IAM policy evaluation order or KMS key-policy versus grant — not just what they do.

The difficulty is depth and detail across six security areas, plus scenario judgment. Hands-on security experience on AWS and heavy scenario practice are the most effective preparation.

How many questions are on the SCS-C02 exam and how long is it?+

The live SCS-C02 exam contains 65 questions to be answered in 170 minutes, delivered as multiple-choice and multiple-response items, with a subset unscored. Our full-length practice mock mirrors this with a 65-question, 170-minute timer.

You can sit the exam at a Pearson VUE test centre or online with proctoring from home.

What score do you need to pass the SCS-C02?+

AWS scores SCS-C02 on a scaled range of 100 to 1,000, and you need 750 to pass. The score is scaled rather than a simple percentage, and there are no per-domain pass marks — you need an overall 750. Our practice mock flags a pass at 75% to give you a comparable target.

How much does the SCS-C02 exam cost?+

The SCS-C02 exam costs 300 USD (prices vary by region), and the certification is valid for three years. Everything on this hub — questions, mock exams, glossary, and domain guides — is completely free.

Who should take the SCS-C02?+

The Security - Specialty is aimed at people in a security role who work on AWS — cloud security engineers, security architects, and security-focused SysOps and DevOps engineers.

AWS recommends three to five years of security experience and two or more years of hands-on AWS security experience. The Solutions Architect or SysOps associate credentials are helpful precursors.

What jobs and salaries can the SCS-C02 lead to?+

SCS-C02 is relevant to roles such as cloud security engineer, security architect, and security operations engineer, where securing AWS environments is the job. It is a highly regarded specialty credential.

How much any certification moves compensation depends heavily on geography, seniority, and experience, so treat any single salary figure with caution. SCS-C02 is best viewed as validation of AWS security depth rather than a guaranteed raise on its own.

How long does it take to study for the SCS-C02?+

Most candidates need two to three months of focused study. Learn the six domains while practising with the AWS security services, then commit heavily to full-length timed scenario practice.

A good rhythm is to study one domain at a time and drill its topic quiz immediately, then move to full-length mocks — reviewing every explanation, including for questions you answered correctly, because SCS-C02 distractors are built from plausible but weaker security controls.

How should you prepare for the SCS-C02?+

Study the six domains above, giving the most time to Infrastructure Security, Data Protection, and Logging/Monitoring, then drill practice questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.

When your domain scores are solid, sit full-length timed mocks, and pair this with hands-on work in IAM, KMS, and the detection services. Use the glossary to nail terminology, and aim to score consistently above the pass mark before you book.

Can you take the SCS-C02 exam online?+

Yes. You can sit SCS-C02 at a Pearson VUE testing centre or online from home with OnVUE remote proctoring, which requires a quiet private room, a stable connection, a webcam, and government-issued photo ID.

If you do not pass, AWS lets you retake after a 14-day waiting period, with no limit on attempts, though each attempt requires a new paid registration. Results post to your AWS Certification account within a few business days.

What certification should you take after the SCS-C02?+

The Security - Specialty pairs naturally with the Solutions Architect - Professional and the Advanced Networking - Specialty, and complements associate credentials for a security-focused AWS profile.

Pairing it with hands-on AWS security work — IAM design, KMS, detection and response — is what turns the credential into practical capability.