AWS · Specialty

AWS Certified Security - Specialty (SCS-C03) practice exam & study guide

The AWS Certified Security - Specialty (SCS-C03) is AWS’s specialty certification for cloud security. It validates the ability to secure AWS workloads across detection, incident response, infrastructure security, identity and access management, data protection, and security governance.

SCS-C03 is the current version of the AWS security specialty exam, replacing SCS-C02. It is deep and scenario-driven: questions describe a security requirement and ask which AWS control or design best meets it.

This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic scenario-style practice questions with teacher-style explanations, a glossary of the AWS security services the exam relies on, and full-length timed mock exams that mirror the real testing experience.

65
Questions
170 min
Time limit
75%
Mock pass %
6
Domains

Start studying SCS-C03

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 6 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    65 questions · 170 min · 75% to pass our mock.

    Take the mock exam

All SCS-C03 study resources

SCS-C03 exam domains

The SCS-C03 exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Detection16%Practice this topic
Incident Response14%Practice this topic
Infrastructure Security18%Practice this topic
Identity and Access Management20%Practice this topic
Data Protection18%Practice this topic
Security Foundations and Governance14%Practice this topic

Sample SCS-C03 questions

A sample of the SCS-C03 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key SCS-C03 terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SCS-C03 exam.

SCS-C03 frequently asked questions

What is the SCS-C03 certification?+

AWS positions the Security - Specialty as validating the ability to secure AWS products and services — data classification and protection, encryption, secure network design, identity at scale, detection, and incident response.

SCS-C03 restructures the previous exam into six domains, separating Detection and Incident Response and renaming the governance domain to Security Foundations and Governance. It expects deep, judgment-based knowledge rather than recall.

What topics are on the SCS-C03 exam?+

The SCS-C03 exam is organised into six weighted domains. The percentages below are AWS’s official weightings for scored content. Identity and access management carries the most weight, with infrastructure security and data protection close behind.

Detection (16%)

Covers designing detection strategies across accounts using Amazon GuardDuty, AWS Security Hub, Amazon Detective, and Amazon Inspector — aggregating and prioritizing findings and detecting threats and misconfigurations.

Incident Response (14%)

Covers designing and executing incident-response plans on AWS, automating response with EventBridge, Lambda, and Systems Manager Automation, and handling containment, eradication, recovery, forensics, and root cause analysis.

Infrastructure Security (18%)

Covers edge security (CloudFront, AWS WAF, AWS Shield), network security (security groups, NACLs, AWS Network Firewall), VPC design and PrivateLink, securing hybrid connectivity, and layer 3–7 firewall rules at scale.

Identity and Access Management (20%)

The heaviest domain. It covers IAM policies, roles, permission boundaries, and policy evaluation logic, federation and IAM Identity Center, cross-account access and AWS STS, and managing least privilege at scale.

Data Protection (18%)

Covers encryption at rest and in transit, AWS KMS key policies, grants, and rotation, certificate management with ACM, AWS Secrets Manager, S3 data protection, and backup and disaster-recovery controls.

Security Foundations and Governance (14%)

Covers AWS Organizations, service control policies, and Control Tower, AWS Config rules and conformance packs, Security Hub standards, multi-account governance, software supply chain risk, and managing security at scale.

Is the SCS-C03 hard?+

SCS-C03 is a specialty-level exam and one of AWS’s more demanding certifications. It expects both breadth across AWS security services and the judgment to combine them correctly, because a plausible-looking control can still leave a gap.

The difficulty comes from precise distinctions — IAM policy evaluation, KMS key policies versus grants, when to use Network Firewall versus security groups — and from scenarios that hinge on least privilege and blast-radius reduction. Practising scenarios until the right control is obvious is the key.

How many questions are on the SCS-C03 exam and how long is it?+

The live SCS-C03 exam contains 65 questions to be answered in 170 minutes — 50 scored plus 15 unscored questions AWS uses to trial future content — using a mix of question types: multiple choice, multiple response, ordering, and matching. Our full-length practice mock mirrors the length and timing with a 65-question, 170-minute timer.

Expect detailed scenario stems that describe an environment and a security goal, then ask for the best AWS-native way to detect, prevent, or respond.

What score do you need to pass the SCS-C03?+

AWS scores SCS-C03 on a scaled range of 100 to 1,000, and you need 750 to pass. The score is scaled rather than a simple percentage, and there are no per-domain pass marks — you need an overall 750. Our practice mock flags a pass at 75% to give you a comparable target.

How much does the SCS-C03 exam cost?+

The SCS-C03 exam costs 300 USD (prices vary by region), and the certification is valid for three years. Everything on this hub — questions, mock exams, glossary, and domain guides — is completely free.

Who should take the SCS-C03?+

The Security - Specialty is aimed at people with a security-focused role on AWS — cloud security engineers, security architects, and infrastructure engineers responsible for securing AWS workloads.

AWS recommends the equivalent of three to five years of experience securing cloud solutions, along with a strong grasp of the shared responsibility model, identity at scale, and data-encryption methods.

What jobs and salaries can the SCS-C03 lead to?+

SCS-C03 is relevant to roles such as cloud security engineer, security architect, and DevSecOps engineer, where securing AWS environments is core to the job. It is a well-regarded specialty credential.

How much any certification moves compensation depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. SCS-C03 is best viewed as validation of AWS security depth rather than a guaranteed raise on its own.

How long does it take to study for the SCS-C03?+

Candidates with AWS security experience often need six to ten weeks; those newer to the breadth of AWS security should plan longer. The most efficient path is to study each domain while practising in a test account, then drill scenario questions that force control-selection decisions.

Spend the majority of your time on full-length timed mocks in the final stretch, reviewing every explanation — including for questions you answered correctly — because SCS-C03 distractors are usually valid controls that do not best fit the stated risk. Use the per-domain results here to find your weakest area.

How should you prepare for the SCS-C03?+

Study the six domains above, giving the most time to identity and access management, infrastructure security, and data protection, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for security scenarios where the wrong option looks safe.

When you can answer scenarios comfortably, move to full-length timed mocks to rehearse pacing, ideally alongside hands-on practice with IAM, KMS, and GuardDuty. Use the glossary to keep the services straight, and aim to score consistently above the pass mark before you book.

Can you take the SCS-C03 exam online?+

Yes. AWS delivers SCS-C03 through Pearson VUE, both at test centers and online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.

If you do not pass, AWS applies a 14-day waiting period before you can retake the exam, and each attempt needs its own registration and fee. There is no limit on lifetime attempts, but the waiting period applies between each.

What certification should you take after the SCS-C03?+

SCS-C03 pairs well with the Solutions Architect and Advanced Networking tracks for a broader AWS profile, and with vendor-neutral security credentials for defense-in-depth.

For many, the real next step is owning security for larger AWS environments. Pairing SCS-C03 with hands-on security experience is what turns the certificate into a career.