SCS-C02 exam domains
The SCS-C02 exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Threat Detection and Incident Response | 14% | Practice this topic |
| Security Logging and Monitoring | 18% | Practice this topic |
| Infrastructure Security | 20% | Practice this topic |
| Identity and Access Management | 16% | Practice this topic |
| Data Protection | 18% | Practice this topic |
| Management and Security Governance | 14% | Practice this topic |
Sample SCS-C02 questions
A sample of the SCS-C02 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A security team runs a public-facing web application behind an Application Load Balancer (ALB) that terminates TLS using a certificate provisioned by…View question
- A media company hosts a static website in an S3 bucket served through a CloudFront distribution. The web team, which operates primarily in the eu-west…View question
- A company runs a public-facing application behind an Application Load Balancer. The security team uses an SSL/TLS certificate that was issued by the c…View question
- A company runs a public-facing REST API behind an Application Load Balancer (ALB). Security requires that the TLS private key used to terminate connec…View question
- A financial services company runs a fleet of internal microservices on EC2 instances behind internal Application Load Balancers within a private VPC.…View question
- A security engineer stores several years of CloudTrail logs in an S3 bucket organized by the standard prefix pattern (AWSLogs/<account>/CloudTrail/<re…View question
- A healthcare company operates a public web application behind CloudFront and an Application Load Balancer. A form collects patients' credit card numbe…View question
- A media company streams licensed video content through Amazon CloudFront. Licensing agreements require that content be accessible only from viewers in…View question
- A company serves static content from a private S3 bucket through a CloudFront distribution. Security review reveals that the S3 objects can still be d…View question
- A media company serves video thumbnails and metadata through CloudFront backed by an Application Load Balancer in a single AWS Region. During viral tr…View question
Key SCS-C02 terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SCS-C02 exam.
SCS-C02 frequently asked questions
What is the SCS-C02 certification?+
AWS positions the Security - Specialty as validating expertise in securing the AWS platform: data protection, incident response, IAM, infrastructure security, and monitoring. It expects deep knowledge of services like GuardDuty, Security Hub, KMS, IAM policy evaluation, and CloudTrail.
It is detail-heavy and judgment-based — you must know exactly how security services behave and choose the strongest control for a scenario, not just recognise the services.
What topics are on the SCS-C02 exam?+
The SCS-C02 exam is organised into six weighted domains. The percentages below are each domain’s share of scored content; Infrastructure Security, Data Protection, and Logging/Monitoring carry the most weight.
Threat Detection and Incident Response (14%)
Covers detecting threats with Amazon GuardDuty, Security Hub, and Detective, designing incident-response plans, automating response with EventBridge, Lambda, and Systems Manager, and forensics, containment, and recovery on AWS.
Security Logging and Monitoring (18%)
Covers CloudTrail, CloudWatch Logs, VPC Flow Logs, and AWS Config, designing monitoring and alerting, analyzing logs with Athena, and troubleshooting logging and monitoring configurations.
Infrastructure Security (20%)
One of the heaviest domains. It covers edge security (CloudFront, WAF, Shield), network security (security groups, NACLs, Network Firewall), VPC design and PrivateLink, securing hybrid connectivity, and host and service hardening.
Identity and Access Management (16%)
Covers IAM policies, roles, permission boundaries and evaluation logic, federation and IAM Identity Center, cross-account access and STS, resource-based policies, and enforcing least privilege at scale.
Data Protection (18%)
Covers encryption at rest and in transit, AWS KMS key policies, grants, and rotation, certificate management with ACM, secrets management, S3 data protection, and data classification.
Management and Security Governance (14%)
Covers governance at scale with AWS Organizations, SCPs, and Control Tower, Config rules and conformance packs, Security Hub standards, auditing, and managing the cost of security controls across accounts.
Is the SCS-C02 hard?+
SCS-C02 is a demanding specialty exam. It expects precise knowledge of how AWS security services behave — for example IAM policy evaluation order or KMS key-policy versus grant — not just what they do.
The difficulty is depth and detail across six security areas, plus scenario judgment. Hands-on security experience on AWS and heavy scenario practice are the most effective preparation.
How many questions are on the SCS-C02 exam and how long is it?+
The live SCS-C02 exam contains 65 questions to be answered in 170 minutes, delivered as multiple-choice and multiple-response items, with a subset unscored. Our full-length practice mock mirrors this with a 65-question, 170-minute timer.
You can sit the exam at a Pearson VUE test centre or online with proctoring from home.
What score do you need to pass the SCS-C02?+
AWS scores SCS-C02 on a scaled range of 100 to 1,000, and you need 750 to pass. The score is scaled rather than a simple percentage, and there are no per-domain pass marks — you need an overall 750. Our practice mock flags a pass at 75% to give you a comparable target.
How much does the SCS-C02 exam cost?+
The SCS-C02 exam costs 300 USD (prices vary by region), and the certification is valid for three years. Everything on this hub — questions, mock exams, glossary, and domain guides — is completely free.
Who should take the SCS-C02?+
The Security - Specialty is aimed at people in a security role who work on AWS — cloud security engineers, security architects, and security-focused SysOps and DevOps engineers.
AWS recommends three to five years of security experience and two or more years of hands-on AWS security experience. The Solutions Architect or SysOps associate credentials are helpful precursors.
What jobs and salaries can the SCS-C02 lead to?+
SCS-C02 is relevant to roles such as cloud security engineer, security architect, and security operations engineer, where securing AWS environments is the job. It is a highly regarded specialty credential.
How much any certification moves compensation depends heavily on geography, seniority, and experience, so treat any single salary figure with caution. SCS-C02 is best viewed as validation of AWS security depth rather than a guaranteed raise on its own.
How long does it take to study for the SCS-C02?+
Most candidates need two to three months of focused study. Learn the six domains while practising with the AWS security services, then commit heavily to full-length timed scenario practice.
A good rhythm is to study one domain at a time and drill its topic quiz immediately, then move to full-length mocks — reviewing every explanation, including for questions you answered correctly, because SCS-C02 distractors are built from plausible but weaker security controls.
How should you prepare for the SCS-C02?+
Study the six domains above, giving the most time to Infrastructure Security, Data Protection, and Logging/Monitoring, then drill practice questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.
When your domain scores are solid, sit full-length timed mocks, and pair this with hands-on work in IAM, KMS, and the detection services. Use the glossary to nail terminology, and aim to score consistently above the pass mark before you book.
Can you take the SCS-C02 exam online?+
Yes. You can sit SCS-C02 at a Pearson VUE testing centre or online from home with OnVUE remote proctoring, which requires a quiet private room, a stable connection, a webcam, and government-issued photo ID.
If you do not pass, AWS lets you retake after a 14-day waiting period, with no limit on attempts, though each attempt requires a new paid registration. Results post to your AWS Certification account within a few business days.
What certification should you take after the SCS-C02?+
The Security - Specialty pairs naturally with the Solutions Architect - Professional and the Advanced Networking - Specialty, and complements associate credentials for a security-focused AWS profile.
Pairing it with hands-on AWS security work — IAM design, KMS, detection and response — is what turns the credential into practical capability.