SCS-C03 exam domains
The SCS-C03 exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Detection | 16% | Practice this topic |
| Incident Response | 14% | Practice this topic |
| Infrastructure Security | 18% | Practice this topic |
| Identity and Access Management | 20% | Practice this topic |
| Data Protection | 18% | Practice this topic |
| Security Foundations and Governance | 14% | Practice this topic |
Sample SCS-C03 questions
A sample of the SCS-C03 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A company runs an internal microservices platform on EC2 behind an internal Application Load Balancer. Security requires all service-to-service traffi…View question
- A company operates 45 AWS accounts managed under AWS Organizations. The security team wants a centralized way to view and prioritize GuardDuty threat…View question
- A security engineer is performing root cause analysis for an incident that spanned three AWS accounts and two Regions. CloudTrail logs are delivered t…View question
- A healthcare company must ensure that its RDS, EFS, and DynamoDB backups cannot be deleted or shortened in retention by anyone—including the AWS accou…View question
- A media company serves static video assets from an S3 bucket through a CloudFront distribution. The security team discovers that users can bypass Clou…View question
- A security team operates a public web application served through Amazon CloudFront with an Application Load Balancer origin. A recent penetration test…View question
- A retail company serves its web application through Amazon CloudFront with an Application Load Balancer (ALB) origin. AWS WAF is associated with the C…View question
- During an incident investigation, a security engineer suspects that an attacker with administrative credentials may have altered or deleted CloudTrail…View question
- A financial services company runs a critical application on EC2 that writes structured application logs to Amazon CloudWatch Logs. The incident respon…View question
- A financial services company builds internal Lambda functions and shared libraries used across dozens of AWS accounts. Recent industry incidents invol…View question
Key SCS-C03 terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SCS-C03 exam.
SCS-C03 frequently asked questions
What is the SCS-C03 certification?+
AWS positions the Security - Specialty as validating the ability to secure AWS products and services — data classification and protection, encryption, secure network design, identity at scale, detection, and incident response.
SCS-C03 restructures the previous exam into six domains, separating Detection and Incident Response and renaming the governance domain to Security Foundations and Governance. It expects deep, judgment-based knowledge rather than recall.
What topics are on the SCS-C03 exam?+
The SCS-C03 exam is organised into six weighted domains. The percentages below are AWS’s official weightings for scored content. Identity and access management carries the most weight, with infrastructure security and data protection close behind.
Detection (16%)
Covers designing detection strategies across accounts using Amazon GuardDuty, AWS Security Hub, Amazon Detective, and Amazon Inspector — aggregating and prioritizing findings and detecting threats and misconfigurations.
Incident Response (14%)
Covers designing and executing incident-response plans on AWS, automating response with EventBridge, Lambda, and Systems Manager Automation, and handling containment, eradication, recovery, forensics, and root cause analysis.
Infrastructure Security (18%)
Covers edge security (CloudFront, AWS WAF, AWS Shield), network security (security groups, NACLs, AWS Network Firewall), VPC design and PrivateLink, securing hybrid connectivity, and layer 3–7 firewall rules at scale.
Identity and Access Management (20%)
The heaviest domain. It covers IAM policies, roles, permission boundaries, and policy evaluation logic, federation and IAM Identity Center, cross-account access and AWS STS, and managing least privilege at scale.
Data Protection (18%)
Covers encryption at rest and in transit, AWS KMS key policies, grants, and rotation, certificate management with ACM, AWS Secrets Manager, S3 data protection, and backup and disaster-recovery controls.
Security Foundations and Governance (14%)
Covers AWS Organizations, service control policies, and Control Tower, AWS Config rules and conformance packs, Security Hub standards, multi-account governance, software supply chain risk, and managing security at scale.
Is the SCS-C03 hard?+
SCS-C03 is a specialty-level exam and one of AWS’s more demanding certifications. It expects both breadth across AWS security services and the judgment to combine them correctly, because a plausible-looking control can still leave a gap.
The difficulty comes from precise distinctions — IAM policy evaluation, KMS key policies versus grants, when to use Network Firewall versus security groups — and from scenarios that hinge on least privilege and blast-radius reduction. Practising scenarios until the right control is obvious is the key.
How many questions are on the SCS-C03 exam and how long is it?+
The live SCS-C03 exam contains 65 questions to be answered in 170 minutes — 50 scored plus 15 unscored questions AWS uses to trial future content — using a mix of question types: multiple choice, multiple response, ordering, and matching. Our full-length practice mock mirrors the length and timing with a 65-question, 170-minute timer.
Expect detailed scenario stems that describe an environment and a security goal, then ask for the best AWS-native way to detect, prevent, or respond.
What score do you need to pass the SCS-C03?+
AWS scores SCS-C03 on a scaled range of 100 to 1,000, and you need 750 to pass. The score is scaled rather than a simple percentage, and there are no per-domain pass marks — you need an overall 750. Our practice mock flags a pass at 75% to give you a comparable target.
How much does the SCS-C03 exam cost?+
The SCS-C03 exam costs 300 USD (prices vary by region), and the certification is valid for three years. Everything on this hub — questions, mock exams, glossary, and domain guides — is completely free.
Who should take the SCS-C03?+
The Security - Specialty is aimed at people with a security-focused role on AWS — cloud security engineers, security architects, and infrastructure engineers responsible for securing AWS workloads.
AWS recommends the equivalent of three to five years of experience securing cloud solutions, along with a strong grasp of the shared responsibility model, identity at scale, and data-encryption methods.
What jobs and salaries can the SCS-C03 lead to?+
SCS-C03 is relevant to roles such as cloud security engineer, security architect, and DevSecOps engineer, where securing AWS environments is core to the job. It is a well-regarded specialty credential.
How much any certification moves compensation depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. SCS-C03 is best viewed as validation of AWS security depth rather than a guaranteed raise on its own.
How long does it take to study for the SCS-C03?+
Candidates with AWS security experience often need six to ten weeks; those newer to the breadth of AWS security should plan longer. The most efficient path is to study each domain while practising in a test account, then drill scenario questions that force control-selection decisions.
Spend the majority of your time on full-length timed mocks in the final stretch, reviewing every explanation — including for questions you answered correctly — because SCS-C03 distractors are usually valid controls that do not best fit the stated risk. Use the per-domain results here to find your weakest area.
How should you prepare for the SCS-C03?+
Study the six domains above, giving the most time to identity and access management, infrastructure security, and data protection, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for security scenarios where the wrong option looks safe.
When you can answer scenarios comfortably, move to full-length timed mocks to rehearse pacing, ideally alongside hands-on practice with IAM, KMS, and GuardDuty. Use the glossary to keep the services straight, and aim to score consistently above the pass mark before you book.
Can you take the SCS-C03 exam online?+
Yes. AWS delivers SCS-C03 through Pearson VUE, both at test centers and online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.
If you do not pass, AWS applies a 14-day waiting period before you can retake the exam, and each attempt needs its own registration and fee. There is no limit on lifetime attempts, but the waiting period applies between each.
What certification should you take after the SCS-C03?+
SCS-C03 pairs well with the Solutions Architect and Advanced Networking tracks for a broader AWS profile, and with vendor-neutral security credentials for defense-in-depth.
For many, the real next step is owning security for larger AWS environments. Pairing SCS-C03 with hands-on security experience is what turns the certificate into a career.