SCS-C02 cheat sheet
A one-page reference for the AWS Certified Security - Specialty exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
AWS
Level
Specialty
Questions
65
Time
170 min
Mock pass mark
75%
Domains
6
Practice Qs
184
Code
SCS-C02
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- Amazon GuardDuty
- Amazon GuardDuty is a threat-detection service that continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs for malicious activity. SCS-C02 covers it as a primary detection source in the threat-detection and incident-response domain.
- AWS Security Hub
- AWS Security Hub is a service that aggregates and prioritizes security findings across accounts and checks them against standards such as CIS and AWS FSBP. SCS-C02 covers it for centralized security posture and governance.
- Amazon Detective
- Amazon Detective is a service that helps analyze and investigate the root cause of security findings by building linked data from logs. SCS-C02 covers it as an investigation tool alongside GuardDuty in incident response.
- AWS CloudTrail
- AWS CloudTrail is a service that records API activity across an AWS account for auditing and investigation. SCS-C02 covers it as the foundational audit log for the security logging and monitoring domain.
- VPC Flow Logs
- VPC Flow Logs capture information about IP traffic to and from network interfaces in a VPC. SCS-C02 covers them for network monitoring, detecting anomalies, and diagnosing whether traffic was accepted or rejected.
- AWS Network Firewall
- AWS Network Firewall is a managed, stateful network firewall and intrusion-prevention service for VPCs. SCS-C02 covers it alongside security groups, NACLs, WAF, and Shield in the infrastructure-security domain.
- AWS WAF
- AWS WAF is a web application firewall that filters HTTP(S) traffic to protect applications from common exploits such as SQL injection and cross-site scripting. SCS-C02 covers it with Shield and CloudFront for edge security.
- AWS KMS
- AWS Key Management Service (KMS) is a managed service that creates and controls the cryptographic keys used to encrypt data, with key policies, grants, and rotation. SCS-C02 covers it as the core of the data-protection domain.
- AWS Secrets Manager
- AWS Secrets Manager is a service that stores, retrieves, and automatically rotates secrets such as database credentials and API keys. SCS-C02 covers it for protecting sensitive data and removing hard-coded secrets.
- AWS Certificate Manager
- AWS Certificate Manager (ACM) is a service that provisions, manages, and renews TLS certificates for AWS services. SCS-C02 covers it for encryption in transit within the data-protection domain.
- IAM Policy
- An IAM policy is a JSON document that defines permissions and is evaluated (with explicit denies overriding allows) to authorize requests. SCS-C02 requires understanding IAM policy evaluation logic, boundaries, and least privilege.
- Service Control Policy
- A service control policy (SCP) is an AWS Organizations guardrail that limits the maximum permissions for member accounts. SCS-C02 covers SCPs for management and security governance across an organization.
- AWS Config
- AWS Config is a service that records resource configurations and evaluates them against rules and conformance packs for compliance. SCS-C02 covers it for continuous compliance auditing and governance.