SCS-C03 cheat sheet

A one-page reference for the AWS Certified Security - Specialty exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
AWS
Level
Specialty
Questions
65
Time
170 min
Mock pass mark
75%
Domains
6
Practice Qs
157
Code
SCS-C03

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

Amazon GuardDuty
Amazon GuardDuty is a threat-detection service that continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs for malicious activity. SCS-C03 covers it as a primary source in the Detection domain.
AWS Security Hub
AWS Security Hub is a service that aggregates and prioritizes security findings across accounts and checks them against standards such as CIS and AWS FSBP. SCS-C03 covers it for detection and security governance.
Amazon Detective
Amazon Detective is a service that helps analyze and investigate the root cause of security findings by building linked data from logs. SCS-C03 covers it as an investigation tool in the Detection and Incident Response domains.
AWS CloudTrail
AWS CloudTrail is a service that records API activity across an AWS account for auditing and investigation. SCS-C03 covers it as the foundational audit log for detection and incident response.
Amazon Inspector
Amazon Inspector is an automated vulnerability-management service that scans workloads such as EC2 instances and container images for software vulnerabilities. SCS-C03 covers it in the Detection domain.
VPC Flow Logs
VPC Flow Logs capture information about IP traffic to and from network interfaces in a VPC. SCS-C03 covers them for detecting anomalies and diagnosing whether traffic was accepted or rejected.
AWS Network Firewall
AWS Network Firewall is a managed, stateful network firewall and intrusion-prevention service for VPCs. SCS-C03 covers it alongside security groups, NACLs, WAF, and Shield in the Infrastructure Security domain.
AWS WAF
AWS WAF is a web application firewall that filters HTTP(S) traffic to protect applications from common exploits such as SQL injection and cross-site scripting. SCS-C03 covers it with Shield and CloudFront for edge security.
AWS KMS
AWS Key Management Service (KMS) is a managed service that creates and controls the cryptographic keys used to encrypt data, with key policies, grants, and rotation. SCS-C03 covers it as the core of the Data Protection domain.
AWS Secrets Manager
AWS Secrets Manager is a service that stores, retrieves, and automatically rotates secrets such as database credentials and API keys. SCS-C03 covers it for protecting sensitive data and removing hard-coded secrets.
AWS Certificate Manager
AWS Certificate Manager (ACM) is a service that provisions, manages, and renews TLS certificates for AWS services. SCS-C03 covers it for encryption in transit within the Data Protection domain.
IAM Policy
An IAM policy is a JSON document that defines permissions and is evaluated (with explicit denies overriding allows) to authorize requests. SCS-C03 requires understanding IAM policy evaluation logic, boundaries, and least privilege.
Service Control Policy
A service control policy (SCP) is an AWS Organizations guardrail that limits the maximum permissions for member accounts. SCS-C03 covers SCPs in the Security Foundations and Governance domain.
AWS Config
AWS Config is a service that records resource configurations and evaluates them against rules and conformance packs for compliance. SCS-C03 covers it for continuous compliance auditing and governance.