SCS-C02 cheat sheet

A one-page reference for the AWS Certified Security - Specialty exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
AWS
Level
Specialty
Questions
65
Time
170 min
Mock pass mark
75%
Domains
6
Practice Qs
184
Code
SCS-C02

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

Amazon GuardDuty
Amazon GuardDuty is a threat-detection service that continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs for malicious activity. SCS-C02 covers it as a primary detection source in the threat-detection and incident-response domain.
AWS Security Hub
AWS Security Hub is a service that aggregates and prioritizes security findings across accounts and checks them against standards such as CIS and AWS FSBP. SCS-C02 covers it for centralized security posture and governance.
Amazon Detective
Amazon Detective is a service that helps analyze and investigate the root cause of security findings by building linked data from logs. SCS-C02 covers it as an investigation tool alongside GuardDuty in incident response.
AWS CloudTrail
AWS CloudTrail is a service that records API activity across an AWS account for auditing and investigation. SCS-C02 covers it as the foundational audit log for the security logging and monitoring domain.
VPC Flow Logs
VPC Flow Logs capture information about IP traffic to and from network interfaces in a VPC. SCS-C02 covers them for network monitoring, detecting anomalies, and diagnosing whether traffic was accepted or rejected.
AWS Network Firewall
AWS Network Firewall is a managed, stateful network firewall and intrusion-prevention service for VPCs. SCS-C02 covers it alongside security groups, NACLs, WAF, and Shield in the infrastructure-security domain.
AWS WAF
AWS WAF is a web application firewall that filters HTTP(S) traffic to protect applications from common exploits such as SQL injection and cross-site scripting. SCS-C02 covers it with Shield and CloudFront for edge security.
AWS KMS
AWS Key Management Service (KMS) is a managed service that creates and controls the cryptographic keys used to encrypt data, with key policies, grants, and rotation. SCS-C02 covers it as the core of the data-protection domain.
AWS Secrets Manager
AWS Secrets Manager is a service that stores, retrieves, and automatically rotates secrets such as database credentials and API keys. SCS-C02 covers it for protecting sensitive data and removing hard-coded secrets.
AWS Certificate Manager
AWS Certificate Manager (ACM) is a service that provisions, manages, and renews TLS certificates for AWS services. SCS-C02 covers it for encryption in transit within the data-protection domain.
IAM Policy
An IAM policy is a JSON document that defines permissions and is evaluated (with explicit denies overriding allows) to authorize requests. SCS-C02 requires understanding IAM policy evaluation logic, boundaries, and least privilege.
Service Control Policy
A service control policy (SCP) is an AWS Organizations guardrail that limits the maximum permissions for member accounts. SCS-C02 covers SCPs for management and security governance across an organization.
AWS Config
AWS Config is a service that records resource configurations and evaluates them against rules and conformance packs for compliance. SCS-C02 covers it for continuous compliance auditing and governance.