SCS-C02 Learning Path Introduction


Course Introduction
SCS-C02 Learning Path Introduction

This course introduces the SCS-C02 learning path, which has been designed to help you prepare for and pass the AWS Certified Security - Specialty certification exam. The certification itself is broken down into six distinct domains, which are covered through the learning path:

  1. Threat Detection and Incident Response (14%)
  2. Security Logging and Monitoring (18%)
  3. Infrastructure Security (20%)
  4. Identity and Access Management (16%)
  5. Data Protection (18%)
  6. Management and Security Governance (14%)

Hello, and welcome to this learning path that has been designed to help you prepare for and pass the AWS Certified Security - Specialty certification exam.

My name is Danny Jessee, and I am one of the trainers here at Cloud Academy, specializing in AWS–Amazon Web Services–and AWS certifications. Feel free to connect with me to ask any questions using the details shown on the screen. Alternatively, you can always get in touch with us here at Cloud Academy by sending an email to, where one of our cloud experts will reply to your question.

The AWS Certified Security - Specialty certification is one of six specialty-level AWS certifications and has been designed for anyone who performs a security role with AWS services. AWS recommends that candidates for this exam have at least 2 years of hands-on experience using AWS security services and features to protect and encrypt data in production environments. There are no prerequisites for taking this certification exam, but you may find it helpful to have already passed an associate-level AWS certification. This learning path will provide you with the knowledge you need when preparing to take the latest version of the AWS Certified Security - Specialty certification exam, SCS-C02, which was released in July 2023.

The certification itself is broken down into six distinct domains:

  1. Threat Detection and Incident Response (14%),

  2. Security Logging and Monitoring (18%),

  3. Infrastructure Security (20%),

  4. Identity and Access Management (16%),

  5. Data Protection (18%), and

  6. Management and Security Governance (14%).

Each of these domains carry a specific percentage weighting within the exam. Each domain also contains a series of task statements that call out specific required knowledge and skills. These are outlined in the official AWS exam guide, which is linked in the Course Material section for this course and can be found here []. Let’s start by taking a look at each of these domains in more detail to give you a better understanding of the topics that will be covered on the exam.

We’ll begin with Domain 1: Threat Detection and Incident Response. This domain accounts for 14% of the exam content and focuses on 3 key areas:

  • Design and implement an incident response plan,

  • Detect security threats and anomalies by using AWS services, and

  • Respond to compromised resources and workloads.

This domain is all about detecting and responding to security incidents. And these incidents could involve anything from an EC2 instance being compromised, to the discovery of sensitive data within your account, or even access keys and security credentials getting into the wrong hands. It’s important that you establish a comprehensive response plan before a security incident ever occurs, and be able to put that plan into action when necessary. To support this, you should understand how to use services like AWS Security Hub, Amazon GuardDuty, and AWS Config within your environment to do things like automate security best practice checks, continuously monitor your workloads for malicious activity, and track any changes to the configuration of your AWS resources. You should also understand how different AWS services detect security threats and centralize their findings. And when security incidents do occur, you should know how a service like Amazon Detective can be used to support a thorough investigation and root cause analysis to help you ensure a similar incident doesn’t happen again.

Next, we have Domain 2: Security Logging and Monitoring. This domain accounts for 18% of the exam content and focuses on 5 areas of interest:

  • Design and implement monitoring and alerting to address security events,

  • Troubleshoot security monitoring and alerting, 

  • Design and implement a logging solution, 

  • Troubleshoot logging solutions, and

  • Design a log analysis solution.

Building on the objectives from Domain 1, you should always have comprehensive logging and monitoring solutions in place for your applications and infrastructure. Logs are useful when security events occur because they enable you to query for information related to the event, as well as gain insight into what may have happened before and after the event. In addition to logs, you should always have proactive monitoring in place as well, leveraging services like AWS Systems Manager and Amazon GuardDuty to monitor and track metrics for your production baselines. And when it comes to logging, you should have a deep understanding of the logging capabilities provided by services such as Amazon CloudWatch and AWS CloudTrail. This includes knowing how to configure log sources and manage access permissions for log files, along with log storage and retention.

Moving on, we have Domain 3: Infrastructure Security. This domain accounts for 20% of the exam content and focuses on the following 4 items:

  • Design and implement security controls for edge services,

  • Design and implement network security controls,

  • Design and implement security controls for compute workloads, and

  • Troubleshoot network security.

This domain contains the largest overall percentage of the exam content, so you can expect to see a lot of questions that deal with infrastructure security. You should understand how to leverage services such as the AWS Web Application Firewall, or WAF, and AWS Shield to protect web applications and APIs from malicious attacks involving bots or other common exploits like SQL injection attacks. You should also be able to use AWS Network Firewall and AWS Firewall Manager to secure your VPC, allowing and denying traffic on specific ports and protocols based on your requirements and managing your network configurations over time. And when it comes to securing compute workloads, you should know how to keep your instances patched, how to configure host-based security, and how to scan your instances for known vulnerabilities.

After that, we have Domain 4: Identity and Access Management. This domain accounts for 16% of the exam content and will assess you in these 2 areas:

  • Design, implement, and troubleshoot authentication for AWS resources, and

  • Design, implement, and troubleshoot authorization for AWS resources.

As you can see, this domain boils down to two concepts: authentication and authorization in AWS. And given the name of this domain, it goes without saying that you’ll need to know the AWS Identity and Access Management, or IAM service, inside and out. This includes the new AWS IAM Identity Center, which allows you to create and manage what are known as workforce identities that represent the users who’ll be accessing AWS via single sign-on. You’ll also want to understand Amazon Cognito and its various use cases for web and mobile applications using Cognito user pools for authentication and identity pools for authorization.

Following that is Domain 5: Data Protection. This domain accounts for 18% of the exam content and focuses on 4 key areas:

  • Design and implement controls that provide confidentiality and integrity for data in transit,

  • Design and implement controls that provide confidentiality and integrity for data at rest,

  • Design and implement controls to manage the lifecycle of data at rest, and 

  • Design and implement controls to protect credentials, secrets, and cryptographic key materials.

This domain will test your knowledge of AWS services that are used to protect data, both in transit and at rest. This includes configuring encrypted connections between clients and web applications using Amazon CloudFront, as well as setting up secure, dedicated connections between on-premises environments and AWS using Direct Connect. And speaking of encryption, you’ll want to have a thorough understanding of the AWS Key Management Service, or KMS, and understand how it’s used to manage symmetric and asymmetric keys. You should also know how to use CloudHSM for scenarios that require dedicated hardware security modules in the cloud.

And finally, we have Domain 6: Management and Security Governance. While the other 5 domains we’ve discussed had already existed in some form in the previous SCS-C01 version of this exam, this domain is brand new for SCS-C02. It accounts for 14% of the exam content and will assess you in these 4 areas:

  • Develop a strategy to centrally deploy and manage AWS accounts,

  • Implement a secure and consistent deployment strategy for cloud resources,

  • Evaluate the compliance of AWS resources, and

  • Identify security gaps through architectural reviews and cost analysis.

This final domain will ensure you know how to thoughtfully structure the deployment of both your AWS accounts and your AWS resources across a large enterprise. In terms of multi-account deployments, you’ll want to know how to configure AWS Organizations, as well as when and how you should deploy AWS Control Tower to govern your multi-account environments. You might also see some questions that test your ability to securely share resources across accounts using the AWS Resource Access Manager. And when it comes to evaluating compliance, you should know how a service like Amazon Macie can be used to discover and identify potentially sensitive data, such as AWS access keys or credit card numbers.

Throughout this learning path, you’ll be guided through a series of courses, hands-on labs, hands-on lab challenges, and assessments that cover every element within the domains I just discussed. This will ensure that you have the required knowledge and sufficient hands-on experience to help you pass this certification exam.

Feedback on our learning paths here at Cloud Academy is valuable to both us as trainers and any students looking to take the same learning path in the future. If you have any feedback, positive or negative, or if you notice anything that needs to be updated or corrected for the next release cycle, it would be greatly appreciated if you could email

That brings me to the end of this introduction, now let’s dive in! Best of luck on your certification journey!

About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.

Covered Topics