Updates to the AWS Certified Security – Specialty (SCS-C02) Exam

AWS Certified Security Specialty

In April 2023, AWS announced that the current version of the AWS Certified Security – Specialty exam (SCS-C01) would be changing and that a new version, SCS-C02, will be available to sit beginning July 11, 2023. AWS frequently updates its exams to ensure they continue to validate your knowledge of current AWS service offerings, which are constantly evolving as AWS implements hundreds of updates across its platform every month.

Given that the current (SCS-C01) version of the exam has been around since 2019, this particular certification was certainly due for an update! In this blog post, I will review what has changed between the current (SCS-C01) and updated (SCS-C02) exam blueprints and offer some advice to anyone who may be studying to take this exam over the next several months.

The current SCS-C01 exam assesses your knowledge across 5 content domains, broken down as follows:

Domain% of Exam
Domain 1: Incident Response12%
Domain 2: Logging and Monitoring20%
Domain 3: Infrastructure Security26%
Domain 4: Identity and Access Management20%
Domain 5: Data Protection22%

The updated SCS-C02 exam guide now references the following 6 domains:

Domain% of Exam
Domain 1: Threat Detection and Incident Response14%
Domain 2: Security Logging and Monitoring18%
Domain 3: Infrastructure Security20%
Domain 4: Identity and Access Management16%
Domain 5: Data Protection18%
Domain 6: Management and Security Governance14%

It is fairly straightforward to map the content from each of the 5 domains in the SCS-C01 exam guide to the updated SCS-C02 exam guide. The updated exam also adds a new sixth domain, Management and Security Governance, which promises to test your knowledge of appropriate management and governance for everything from multi-account strategies to cross-account roles within an AWS Organization. A closer examination of the various task statements and lists of services and features in the current SCS-C01 exam guide reveals that the vast majority of content from the SCS-C01 exam is still fair game to be assessed on the SCS-C02 exam as well.

In fact, the only service that has been added to the list of in-scope services for the SCS-C02 exam that was not listed for the SCS-C01 exam is the Network Access Analyzer. Within the list of key tools, technologies, and concepts that might be covered on the SCS-C02 exam, the updated exam guide removes Network analysis tools (packet capture and flow captures), SSH/RDP, Signature Version 4, and TLS, and replaces them with Secure Remote Access.

AWS has also slightly tweaked the “target candidate description” included in the exam guide. The SCS-C01 exam guide states that target candidates “should have 5 years of IT security experience in designing and implementing security solutions” and “2 or more years of hands-on experience in securing AWS workloads.” The SCS-C02 exam guide states that target candidates “should have the equivalent of 3-5 years of experience in designing and implementing security solutions,” but continues to require “a minimum of 2 years of hands-on experience in securing AWS workloads.”

It goes without saying that an AWS Security specialty exam is going to thoroughly test your knowledge of AWS security services such as AWS Identity and Access Management (IAM), GuardDuty, Macie, AWS Certificate Manager (ACM), the AWS Key Management Service (KMS), and CloudHSM. But let’s quickly run through some of the other concepts and services you might be expected to know within each of the SCS-C02 exam’s 6 domains.

Domain 1: Threat Detection and Incident Response (14%)

This domain covers 14% of the exam content, so you can expect about 9 questions involving threat detection and incident response. This covers everything from understanding AWS best practices when responding to security incidents such as the discovery of compromised access credentials, a compromised EC2 instance, or a finding within the AWS Security Hub to configuring automation with managed AWS services such as EventBridge and Lambda to respond to and remediate security findings. This domain also covers the concepts of root cause analysis and data capture mechanisms to obtain forensic data when conducting security investigations.

Domain 2: Security Logging and Monitoring (18%)

This domain covers 18% of the exam content, so you can expect about 12 questions involving security logging and monitoring. This will require you to design, implement, and troubleshoot solutions involving logging and log analysis that leverage DNS logs, VPC flow logs, as well as CloudTrail and CloudWatch Logs. You should also know about the various insights offered within AWS managed services including CloudWatch Logs Insights, CloudTrail Insights, and Security Hub insights.

Domain 3: Infrastructure Security (20%)

This domain covers 20% of the exam content, so you can expect about 13 questions involving infrastructure security, including security features within services such as AWS WAF, Shield, and Route 53. You should also understand how to enable secure connectivity within an elastic load balanced environment, as well as how to use features and services such as VPC endpoints, security groups, and network ACLs to secure traffic within a VPC. You’ll also need to understand how to troubleshoot network connectivity issues using tools such as the VPC Reachability Analyzer.

Domain 4: Identity and Access Management (16%)

This domain covers 16% of the exam content, so you can expect about 10 questions involving identity and access management, or IAM. This includes designing, implementing, and troubleshooting both authentication and authorization for your AWS workloads leveraging services such as the AWS IAM Identity Center, Amazon Cognito user and identity pools, and the AWS Security Token Service, or STS. You’ll need to demonstrate your knowledge of best practices for creating and managing identities and access credentials, as well as know how to define, read, and interpret various IAM policy snippets.

Domain 5: Data Protection (18%)

This domain covers 18% of the exam content, so you can expect about 12 questions involving data protection. This will require you to design solutions for preserving data integrity by leveraging encryption in transit and at rest to secure data stored in services such as S3 and DynamoDB. You should also understand how to design and implement secure connectivity between on-premises networks and the AWS cloud using Direct Connect and site-to-site VPNs, as well as how to securely connect services within and between AWS accounts and regions.

Domain 6: Management and Security Governance (14%)

Finally, this brand new domain covers 14% of the exam content, so you can expect about 9 questions centered around the topics of management and security governance, including deployment and management strategies for AWS accounts using Organizations and Control Tower, as well as resources such as CloudFormation templates. You should also understand how to leverage services such as the AWS Audit Manager, Amazon Macie, and AWS Config to identify, evaluate, and remediate the presence of sensitive data or noncompliant resources within an AWS environment.

Are there any changes to the structure or passing score for the updated AWS Certified Security – Specialty certification exam?

Like the SCS-C01 exam, the SCS-C02 exam will consist of 65 multiple choice and multiple response questions. Most questions will have 4 possible answer options where you must select one correct answer, while others may have 5 or 6 answer options from which you must select two or three correct answers. Of these 65 questions, only 50 questions will count towards your overall score. The other 15 questions are used by AWS for evaluation purposes and do not affect your score in any way. There is no way to tell which questions are scored or unscored but there is also no penalty for guessing, so always be sure to answer every question, even if it’s just an educated guess! Just like its predecessor, the SCS-C02 exam will be scored on a scale from 100 to 1,000, with a minimum passing score of 750.

Advice to anyone studying for the AWS Certified Advanced Security – Specialty certification

We’ve seen AWS update a number of its certification exams over the past several months, including the Developer – Associate and DevOps Engineer – Professional exams, as well as the Solutions Architect – Professional and Solutions Architect – Associate exams. In all of these cases, the exam updates have been very incremental in nature, including some newly in-scope services but remaining otherwise largely unchanged in terms of structure, difficulty, and coverage.

Registration for the updated SCS-C02 exam does not open until June 13, 2023, so if you are currently registered or already planning to take the current SCS-C01 exam before its last day on July 10, 2023, you should still absolutely do so. Your certification will remain valid for three years from the date you pass the exam no matter which version of the exam you take, and I’ve yet to encounter an employer who has insisted that a candidate take a specific version of an AWS certification exam. However, if your timeline for obtaining this certification extends beyond July 10, 2023 for any reason, you should feel confident knowing that your efforts right now are still preparing you to take the updated SCS-C02 exam as well.

What will the questions be like on the exam?

I sat the current version (SCS-C01) of this exam last week, back on April 3, 2023. Since there is no beta exam available for the SCS-C02 update, I am left to speculate based on my recent experience sitting SCS-C01 along with the SCS-C02 exam guide that this exam update will also be similarly incremental to the other recent AWS certification exam updates we’ve seen over the past year and will not represent a complete overhaul of the exam content, structure, or difficulty.

Given that this is a Specialty exam, the questions tend to be longer and present more complicated scenarios than what you might expect from an Associate-level certification exam (and are much closer to what you might expect to see on a Professional-level certification exam instead). Most questions involve lengthy scenarios that are usually several sentences to a couple of paragraphs in length, and most answer choices will be several sentences long as well. Take your time as you’re reading through these longer questions and be sure to process every word and detail that you read. Be on the lookout for repeated sentences across all of the possible answers with just a word or two changed. Those one or two words can make all the difference when it comes to determining which answer is correct and which answer might be a distractor. Always do your best to eliminate these distractors as early as possible to allow you to focus more on the plausible answers and select the best possible answer (or answers) to each question.

Updates coming to the Cloud Academy AWS Advanced Security – Specialty Certification Preparation Learning Path

As soon as the AWS Certified Security – Specialty exam update was announced, we began assessing the content within our current Security – Specialty Certification Preparation for AWS learning path to ensure that we have fully covered all aspects spelled out within the updated SCS-C02 exam guide. Over the coming weeks and months, we will be refreshing this learning path to include new courses, hands-on labs, and assessments covering topics that are emphasized in the updated SCS-C02 exam such as management and security governance. We’ll have our updated learning path published on or before the GA date for the SCS-C02 exam, which is July 11, 2023!

To find out the latest information about this exam, as well as to learn more about updates to other AWS certification exams, you can visit the coming soon to AWS Certification page.

For training preparation covering all 12 AWS certifications, I encourage you read our coverage of all 12 AWS certifications.

If you have any questions, please feel free to reach out to me and I’ll be happy to help. Best of luck on your certification journey!


Cloud Academy