AWS Certified Security SCS‑C03: The Ultimate 2026 Guide

If you’re aiming to become the go-to cloud security expert on your team, the AWS Certified Security – Specialty (SCS‑C03) is a powerful way to prove it. This exam validates that you can protect data, design guardrails across many AWS accounts, detect and respond to threats, and guide governance at scale. SCS‑C03 launched in December 2025 with updated domains and topics that reflect today’s security realities—from OCSF-aligned logging to guardrails for generative AI. Let’s break down how to prepare confidently, what’s changed, and the smartest way to practice so you walk into test day ready to win. [0†source] [1†source]

What Is the AWS Certified Security – Specialty (SCS‑C03)?

The AWS Certified Security – Specialty (SCS‑C03) is an advanced certification that demonstrates your ability to secure workloads and architectures on AWS. It proves you can design least‑privilege access, protect data at scale, centralize detection, respond to incidents, and align teams with governance best practices. Candidates typically have several years of security experience and meaningful hands‑on time with AWS, but there are no formal prerequisites to take the exam. [0†source] [2†source]

Actionable takeaway:

  • Decide your “why.” Write one sentence about what this certification will help you do in the next 12 months (e.g., land a Cloud Security Engineer role, lead incident response, or level up to a security architect). Keep this visible on your study tracker.

SCS‑C02 vs SCS‑C03: What Changed and Why It Matters

On December 2, 2025, AWS released SCS‑C03; the older SCS‑C02 was available through December 1, 2025. The new version reorganizes domains and includes modern topics you’ll face in the field today. Here are the highlights: [1†source]

  • A clearer split between Detection and Incident Response (previously blended), emphasizing triage/verification, signal quality, and response orchestration. [1†source]

  • Expanded focus on integrations with third‑party tools and OCSF (Open Cybersecurity Schema Framework) for normalized security data, a big deal when scaling analytics across many sources. [1†source]

  • Generative AI guardrails aligned with the OWASP Top 10 for LLMs—because real teams now protect AI apps and data flows. [1†source]

  • Deeper coverage of inter‑resource encryption in transit (e.g., for EKS/EMR/Nitro), imported vs. AWS‑generated KMS keys, certificate/key management across Regions, and data masking in logs and messaging. [1†source]

  • The Governance domain is renamed Security Foundations and Governance to reflect broader, practical guardrailing across accounts. [1†source]

Actionable takeaway:

  • Use the SCS‑C03 appendix as your “delta guide.” If you studied for C02 or hold it already, review what’s new and create a gap list (e.g., OCSF, AI guardrails, inter‑resource TLS). [1†source]

Exam Basics: Format, Scoring, Languages, and Cost

Before building your study plan, lock down the logistics:

  • Questions and time: 65 total questions in 170 minutes; 50 scored and 15 unscored. Items include multiple‑choice, multiple‑response, plus newer types like ordering and matching. [2†source]

  • Scoring: Scaled 100–1000 with a minimum passing score of 750. AWS uses a compensatory scoring model—strong performance in some areas can balance others. [0†source]

  • Delivery: Pearson VUE testing centers or online proctoring. [2†source]

  • Languages: English, Japanese, Korean, Portuguese (Brazil), Simplified Chinese, Spanish (Latin America). [2†source]

  • Price: USD 300; reschedule or cancel up to 24 hours before your appointment. [2†source]

Actionable takeaway:

  • Set a target date 6–10 weeks from now. Backward plan using the 8‑week study plan later in this guide, leaving buffer days for a final practice set.

Who Should Take SCS‑C03 (and What You Should Already Know)

There’s no required prerequisite certification. Many successful candidates have 3–5 years of experience securing cloud solutions, with at least a couple of years focused on AWS workloads. If you can design multi‑account guardrails, automate incident response, and reason about encryption trade‑offs, you’re on the right track. [0†source] [2†source]

Actionable takeaway:

  • If you’re newer to AWS security, pair this guide with a foundational path (e.g., AWS Certified Cloud Practitioner or Solutions Architect Associate) while you build hands‑on labs. It’s not required—but it can reduce ramp‑up time.

The Official Blueprint: SCS‑C03 Domains and Weights

Knowing the domains (and their weight) helps you prioritize time:

  • Detection – 16%

  • Incident Response – 14%

  • Infrastructure Security – 18%

  • Identity and Access Management – 20%

  • Data Protection – 18%

  • Security Foundations and Governance – 14% [0†source]

Here’s how to think about each domain:

  • Detection: You’ll centralize logs, normalize security events (OCSF awareness helps), validate findings, and tune signal quality so you catch what matters without drowning in noise. [0†source]

  • Incident Response: Know the response phases (preparation; detection and analysis; containment, eradication, and recovery; post‑incident activity), automate containment (EventBridge + Lambda + SSM is a common pattern), and document playbooks that respect least privilege and blast‑radius controls. [4†source]

  • Infrastructure Security: VPC segmentation, security groups (stateful, allow rules only) vs. NACLs (stateless, ordered allow and deny rules), edge protections (WAF, Shield, Network Firewall), DNS‑layer controls (Route 53 Resolver DNS Firewall), and service‑to‑service encryption. [0†source]

  • Identity and Access Management: Cross‑account access, permission boundaries, session policies, SCPs, role assumption with explicit trust conditions (for example sts:ExternalId for third parties and aws:PrincipalOrgID inside your organization), and workforce access through IAM Identity Center. [0†source]

  • Data Protection: Encryption by default patterns, KMS key policy design, grants, imported vs. AWS‑generated keys, envelope encryption, certificate and secret life cycles, masking sensitive data. [1†source]

  • Security Foundations and Governance: Multi‑account setup (Organizations/Control Tower), conformance packs, centralized guardrails, evidence capture for compliance, and risk‑based prioritization. [0†source]
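To make the IAM and Data Protection bullets concrete, here is an added worked example (illustrative code written for this guide, not from the exam guide or any AWS tool): a small static audit that flags the patterns exam scenarios keep hinging on, namely a cross‑account AssumeRole trust with no sts:ExternalId or aws:PrincipalOrgID condition, a wildcard principal with nothing scoping it, and a foreign account holding kms:*. The account IDs, external ID, organization ID and policy documents are constructed, the finding codes are this example's own, and the checks are heuristics rather than a full IAM policy evaluator.

```python
"""Static audit for IAM role trust policies and KMS key policies.
Illustrative example; account IDs, external ID, org ID and policies are made up."""

# Condition keys that narrow a wildcard / account-wide principal to something
# smaller than "anyone". Compared case-insensitively.
SCOPING_KEYS = {"aws:principalorgid", "aws:principalarn", "aws:principalaccount",
                "aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    """Policy JSON allows a bare string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal into a list of ARNs, '*' or service names."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    flat = []
    for _kind, entries in principal.items():  # AWS, Service, Federated
        flat.extend(_as_list(entries))
    return flat


def _condition_keys(statement):
    keys = set()
    for _operator, pairs in statement.get("Condition", {}).items():
        keys.update(key.lower() for key in pairs)
    return keys


def _account_of(principal):
    """arn:partition:service:region:account:resource -> account ('*' stays '*')."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) >= 6 else None


def audit_policy(policy, own_account):
    """Return sorted finding codes for a role trust policy or KMS key policy.
    Heuristics for the common over-broad shapes, not a full IAM evaluator."""
    findings = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        keys = _condition_keys(stmt)
        grants_assume = bool(actions & {"sts:assumerole", "sts:*", "*"})
        for principal in _principals(stmt):
            account = _account_of(principal)
            if principal == "*" or account == "*":
                # Anyone may use this statement unless a condition scopes it.
                if not keys & SCOPING_KEYS:
                    findings.add("PUBLIC_PRINCIPAL")
            elif account and account != own_account:
                if grants_assume and not keys & {"sts:externalid", "aws:principalorgid"}:
                    # Cross-account AssumeRole with nothing pinning the caller:
                    # the confused-deputy gap an ExternalId is meant to close.
                    findings.add(f"CROSS_ACCOUNT_ASSUMEROLE_UNSCOPED:{account}")
                if actions & {"kms:*", "*"}:
                    findings.add(f"FOREIGN_FULL_ACCESS:{account}")
    return sorted(findings)


OWN_ACCOUNT = "111111111111"  # constructed

# Constructed: a trust policy any principal in account 2222... can assume.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}

# Same trust with an ExternalId the partner must present on every AssumeRole.
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-7f3a9c"}}}]}

# Constructed key policy: normal admin for the key's own account, but a
# second statement that lets anyone on the internet decrypt.
WEAK_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Principal": {"AWS": "*"}}]}

# Same key policy with the wildcard pinned to your organization.
HARDENED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    WEAK_KEY_POLICY["Statement"][0],
    {**WEAK_KEY_POLICY["Statement"][1],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}}]}

if __name__ == "__main__":
    for name, doc in [("weak trust", WEAK_TRUST), ("hardened trust", HARDENED_TRUST),
                      ("weak key policy", WEAK_KEY_POLICY),
                      ("hardened key policy", HARDENED_KEY_POLICY)]:
        print(f"{name}: {audit_policy(doc, OWN_ACCOUNT) or 'no findings'}")
```

Run it as a script to see the weak and hardened versions side by side. In practice the same function sits in CI against the policy JSON in your infrastructure‑as‑code, which is how the unscoped trust gets stopped before it reaches an account.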

Actionable takeaway:

  • Weight your study time by percentage. For example, IAM (20%) + Data Protection (18%) + Infrastructure (18%) equals 56% of the exam. Master these early.

The Services to Master (and Why)

You won’t pass SCS‑C03 by studying services in isolation. Think in end‑to‑end designs. The exam guide lists in‑scope/out‑of‑scope services—use it to focus. Priorities include: [0†source]

  • Identity and access: IAM, STS, Organizations, SCPs, IAM Identity Center patterns.

  • Detection and analytics: CloudTrail, Config, Security Hub, GuardDuty, Detective, Security Lake (and OCSF awareness).

  • Network and edge: VPC, Security Groups, NACLs, AWS WAF, AWS Shield, AWS Network Firewall, Route 53 Resolver DNS Firewall, edge integrations for third‑party tools.

  • Data protection: KMS (key policies, grants, rotation), Secrets Manager, ACM/ACM PCA, inter‑resource encryption in transit.

  • Discovery and vulnerability: Amazon Macie (sensitive data discovery), Amazon Inspector (vulnerability management).

  • Governance at scale: Control Tower and Organizations for account vending, baselines, and centralized guardrails.

Actionable takeaway:

  • Build one “security platform” lab that ties these together: multi‑account with central logging, Security Hub standards enabled, GuardDuty/Detective triage, KMS‑based encryption patterns, and at least one WAF/Network Firewall scenario.

Official Prep Resources That Actually Help

Cut the noise. Start with AWS’s official resources:

  • Exam Guide: Read end‑to‑end for domains, item types, and in‑scope services. It’s your study contract. [0†source]

  • Certification Page: Quick access to scheduling, languages, cost, official practice question set, and the new Official Pretest. [2†source]

  • Security Engineering on AWS (classroom): A 3‑day course that maps directly to the exam’s services and real architectures. [6†source]

  • Well‑Architected Security Pillar: Opinionated best practices for building secure workloads at scale; use it as your design checklist. [3†source]

  • AWS Security Incident Response Guide: Structure your IR playbooks and automation with guidance aligned to AWS services. [4†source]

Actionable takeaway:

  • Put the Well‑Architected Security design principles into flashcards: implement a strong identity foundation, maintain traceability, apply security at all layers, automate security best practices, protect data in transit and at rest, keep people away from data, and prepare for security events. If a question describes a trade‑off, quickly recall which principle applies. [3†source]

Hands‑On: Low‑Cost Labs That Map to the Exam

Build muscle memory without breaking the bank:

  • Threat detection and validation

    • Turn on GuardDuty (30‑day trial) and centralize to a security account. Practice filtering by threat type and validating with Detective and CloudTrail. [7†source]

    • Connect Security Hub, enable relevant standards (e.g., CIS, Foundational Security Best Practices), and tune to reduce noise.

  • Vulnerability and data discovery

    • Run Amazon Inspector (15‑day trial) on EC2/ECR/Lambda, fix issues, and verify remediation. [9†source]

    • Use Amazon Macie (30‑day trial) to discover sensitive data in S3; set up findings‑based remediation workflows. [8†source]

  • Data protection and encryption

    • Create KMS keys with explicit key policies and grants. Compare imported key material to AWS‑generated keys. Implement envelope encryption for S3 objects and application secrets. [1†source]

    • Build a private CA with ACM PCA; issue and rotate certs; enforce TLS for inter‑service traffic. [1†source]

  • Governance and guardrails

    • Use Control Tower to establish a landing zone, set guardrails, and vend a sandbox account. Attach SCPs that enforce preventive controls at the OU level.

Actionable takeaway:

  • Track every lab in a “security notebook”: objective, steps, screenshots/CLI commands, results, and a one‑line lesson learned. This will be your pre‑exam revision pack.

8‑Week Study Plan (Battle‑Tested)

Here’s a practical, student‑friendly approach you can adapt:

  • Weeks 1–2: Orientation and detection

    • Read the exam guide cover‑to‑cover; extract every domain objective into a checklist. [0†source]

    • Stand up your multi‑account lab or a single sandbox with clear tagging and budgets.

    • Enable GuardDuty, Security Hub, Detective, central logging; explore findings end‑to‑end. [7†source]

  • Weeks 3–4: IAM and incident response

    • Deep dive IAM: cross‑account roles, permission boundaries, session policies, and SCPs.

    • Build response automation: EventBridge → Lambda → SSM runbooks to isolate EC2, quarantine IAM access, or block IPs at the edge.

    • Skim the AWS Security Incident Response Guide and implement one full playbook. [4†source]

  • Weeks 5–6: Data protection and infrastructure security

    • KMS keys, grants, imported material, envelope encryption, secrets and cert lifecycle (ACM/ACM PCA). [1†source]

    • Macie for S3 discovery (trial) and Amazon Inspector (trial) for vulnerabilities; integrate those findings into Security Hub. [8†source] [9†source]

    • Network controls: WAF vs. Shield vs. Network Firewall vs. DNS Firewall—practice when and why to use each.

  • Week 7: Governance and Well‑Architected

    • Control Tower/Organizations guardrails; Config conformance packs; Security Lake for analytics.

    • Revisit Well‑Architected Security Pillar; align labs to its design principles. [3†source]

  • Week 8: Final prep

    • Take the Official Practice Question Set and at least one full mock exam; analyze errors and re‑lab weak areas. [2†source]

    • Taper the last 48 hours (light review only). Sleep well before test day.
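As an added example of the Weeks 3–4 response‑automation step (EventBridge → Lambda → containment), this is illustrative code written for this guide, not an AWS sample or a playbook from the Incident Response Guide. It handles two GuardDuty finding shapes: an EC2 instance is isolated by replacing its security groups with an empty quarantine group, and a compromised IAM user is frozen with an inline Deny‑all policy; assumed‑role sessions and low‑severity findings are deliberately routed elsewhere. The instance ID, user names, finding IDs and the quarantine security group ID are made up, and the Fake* clients stand in for boto3 clients so the module runs offline.

```python
"""EventBridge -> Lambda containment for GuardDuty findings.
Illustrative example; IDs, names and the quarantine SG are constructed, and the
Fake* classes stand in for boto3 clients so this runs without AWS access."""
import json
from dataclasses import dataclass, field

SEVERITY_THRESHOLD = 4.0                 # GuardDuty Medium starts at 4.0; skip Low
QUARANTINE_SG = "sg-0a1b2c3d4e5f67890"  # assumption: SG with no inbound/outbound rules
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


@dataclass
class FakeEc2:
    """Records the calls a boto3 EC2 client would receive."""
    calls: list = field(default_factory=list)

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


@dataclass
class FakeIam:
    """Records the calls a boto3 IAM client would receive."""
    calls: list = field(default_factory=list)

    def put_user_policy(self, **kw):
        self.calls.append(("put_user_policy", kw))
        return {}


def contain(event, ec2, iam):
    """Pick and run one containment action for an EventBridge event.
    Returns a summary dict instead of raising, so a malformed event does not
    stall the rule; shapes without a playbook go to manual review."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignored", "reason": "not a GuardDuty event"}
    finding = event.get("detail", {})
    severity = float(finding.get("severity", 0))
    if severity < SEVERITY_THRESHOLD:
        return {"action": "ignored", "reason": f"severity {severity} below threshold"}
    resource = finding.get("resource", {})
    kind = resource.get("resourceType")
    tag = [{"Key": "SecurityQuarantine", "Value": finding.get("id", "unknown")}]

    if kind == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        # Swapping every SG for the empty quarantine SG cuts all traffic but
        # keeps the instance, its volumes and its memory for forensics.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        ec2.create_tags(Resources=[instance_id], Tags=tag)
        return {"action": "isolated_instance", "target": instance_id}

    if kind == "AccessKey":
        details = resource.get("accessKeyDetails", {})
        user, user_type = details.get("userName"), details.get("userType")
        if user_type != "IAMUser":
            # Root or an assumed-role session: put_user_policy cannot touch
            # those, and blindly editing a role can take down production.
            return {"action": "manual_review", "target": user,
                    "reason": f"userType {user_type} needs a human"}
        # Inline Deny * freezes the user without deleting keys that are
        # evidence; the playbook rotates or deletes them after scoping.
        iam.put_user_policy(UserName=user, PolicyName="GuardDutyQuarantineDenyAll",
                            PolicyDocument=json.dumps(DENY_ALL))
        return {"action": "quarantined_user", "target": user}

    return {"action": "manual_review", "reason": f"no playbook for {kind}"}


def lambda_handler(event, context=None):
    """Real entry point: same logic with live boto3 clients."""
    import boto3  # imported lazily so the module stays runnable offline
    return contain(event, boto3.client("ec2"), boto3.client("iam"))


# Constructed sample events in the shape EventBridge delivers GuardDuty findings.
INSTANCE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "f0example1", "severity": 7,
               "type": "Backdoor:EC2/C&CActivity.B!DNS",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
ROLE_KEY_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "f0example2", "severity": 5,
               "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"userName": "deploy-session",
                                                 "userType": "AssumedRole"}}},
}

if __name__ == "__main__":
    ec2, iam = FakeEc2(), FakeIam()
    for evt in (INSTANCE_EVENT, ROLE_KEY_EVENT):
        print(contain(evt, ec2, iam))
    print(ec2.calls)
```

The client methods used (modify_instance_attribute, create_tags, put_user_policy) are real boto3 calls. The SSM‑runbook variant from the study plan swaps the EC2 branch for ssm.start_automation_execution against your isolation document, keeping the same severity gate and the same refusal to touch roles automatically; the Lambda's own execution role should be allowed exactly those calls and nothing else.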

Actionable takeaway:

  • Use “domain days.” Dedicate one day per domain in Weeks 2, 4, and 6 to re‑test everything you built. This repetition hardens recall for scenario questions.

Exam‑Day Strategy You Can Trust

  • Pace yourself: ~2.6 minutes per question. First pass: answer what you know, flag long scenarios. Second pass: return to flagged items.

  • Eliminate aggressively: If the requirement is “block Layer 7 attacks,” prefer WAF over Network Firewall; for DDoS, think Shield; for egress filtering, consider Network Firewall or VPC controls.

  • Choose the minimal‑privilege design: Between two workable options, the one with tighter blast radius and clearer governance is usually right.

  • Don’t leave blanks: There’s no penalty for guessing. [0†source]

Actionable takeaway:

  • Pre‑write two heuristics you’ll apply under time pressure (e.g., “Prefer managed, centralized security services for scale” and “Choose least‑privilege cross‑account access with explicit trust conditions”). Tape them near your monitor for test‑day focus.

Policies You Should Know (Retakes, Results, Validity)

  • Results and timing: Scores post to your AWS Certification Account within five business days. [5†source]

  • Retake policy: If you don’t pass, wait 14 days to retake; unlimited attempts; you pay each time. [5†source]

  • Validity and discount: Certifications are valid for three years. If you hold any active AWS Certification, you receive a 50% voucher toward a future exam. [10†source]

  • Scheduling and languages: Book through Pearson VUE; online or in‑person; exam offered in English, Japanese, Korean, Portuguese (BR), Simplified Chinese, and Spanish (LatAm). [2†source]

  • Accommodations: You can request exam accommodations (including extended time for ESL in certain cases) before scheduling your exam. [11†source]

Actionable takeaway:

  • Put a calendar reminder 30 months from your pass date to begin recert prep. That gives you a six‑month runway before expiration. [10†source]

Career Value: Why This Cert Has Real Impact

SCS‑C03 signals that you can secure real AWS environments, not just recite theory. AWS highlights that job listings referencing this certification increased 73% year‑over‑year in an earlier analysis, and independent salary research frequently ranks it among the top‑paying IT certifications in the U.S. (use all salary numbers directionally since methods and samples vary). [2†source] [12†source] [13†source]

Roles this certification can accelerate:

  • Cloud Security Engineer or Architect

  • DevSecOps Engineer

  • Detection and Response Lead

  • Governance, Risk, and Compliance specialist for AWS environments

Actionable takeaway:

  • Convert your study labs into portfolio assets: Publish short write‑ups (e.g., “Automating EC2 Isolation with EventBridge + SSM”) with sanitized screenshots. Share on LinkedIn or GitHub to show practical skill.

Real‑World Scenarios (Practice Like the Exam)

  • Multi‑account governance at scale
    Scenario: A regulated company needs strong separation between dev, test, and prod in dozens of accounts.
    Approach: Use Control Tower for account vending and guardrails; manage SCPs for preventive controls; centralize Security Hub/GuardDuty/Detective in a security account; stream to Security Lake; use cross‑account IAM roles with permission boundaries. [6†source]

  • Incident response under pressure
    Scenario: A suspicious IAM activity triggers an alert at 2 a.m.
    Approach: Validate the finding, scope with Detective and CloudTrail, contain via SSM automation, rotate affected credentials, update IAM trust conditions, and document lessons learned per the AWS Incident Response Guide. [4†source]

  • Data protection with KMS and masking
    Scenario: You must protect PII in logs and S3 while enabling analytics.
    Approach: Encrypt with KMS (choose between imported and AWS‑generated key material), scope access with key policies and grants, mask PII in structured logs before they leave the application, and use Macie to discover sensitive data in S3 and flag buckets that become public or unencrypted. [1†source]
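The "structured logging with masking" step in the data‑protection scenario, as an added worked example (illustrative code written for this guide, not AWS's or any library's): a recursive masker that redacts credential‑like and PII‑like strings before a record is written to CloudWatch Logs or handed to a message queue. The sample record, field names and masking markers are constructed; the AWS access key ID pattern (AKIA/ASIA plus 16 characters) is the documented format, and the Luhn check is there so that a 16‑digit order number is not silently masked as a card.

```python
"""Mask PII and credentials in structured log records before they are emitted.
Illustrative example; the sample record and masking markers are constructed."""
import json
import re

# Regexes tried on every string value, in this order (credentials first).
PATTERNS = [
    ("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("card", re.compile(r"\b(?:\d[ -]?){13,19}\b")),
]
# Field names whose whole value is secret whatever it looks like
# (compared lower-case with underscores removed: session_token -> sessiontoken).
SENSITIVE_KEYS = {"password", "secret", "sessiontoken", "authorization", "ssn"}


def luhn_ok(digits):
    """Luhn checksum; keeps order numbers and timestamps from being masked as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit counted from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _replacement(kind, match):
    raw = match.group(0)
    if kind == "card":
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw               # digit run that is not a card: leave it
        return f"[card:****{digits[-4:]}]"
    if kind == "aws_access_key":
        # Keep prefix and last four so an investigator can still correlate.
        return f"[{kind}:{raw[:4]}****{raw[-4:]}]"
    return f"[{kind}:redacted]"


def mask_text(text):
    """Apply every pattern to one string value."""
    for kind, pattern in PATTERNS:
        text = pattern.sub(lambda m, k=kind: _replacement(k, m), text)
    return text


def mask_record(record):
    """Recursively mask dicts, lists and strings; other scalars pass through."""
    if isinstance(record, dict):
        return {
            key: "[redacted]" if key.lower().replace("_", "") in SENSITIVE_KEYS
            else mask_record(value)
            for key, value in record.items()
        }
    if isinstance(record, list):
        return [mask_record(item) for item in record]
    if isinstance(record, str):
        return mask_text(record)
    return record


# Constructed sample record of the kind an app might ship to CloudWatch Logs.
SAMPLE = {
    "event": "checkout",
    "user": {"email": "jane.doe@example.com", "password": "hunter2"},
    "card": "4111 1111 1111 1111",            # passes Luhn: masked
    "order_id": "1234567890123456",           # 16 digits, fails Luhn: kept
    "note": "debug creds AKIAIOSFODNN7EXAMPLE leaked in message",
}

if __name__ == "__main__":
    print(json.dumps(mask_record(SAMPLE), indent=2))
```

Wire mask_record in as the last step of your logging formatter so nothing bypasses it; a CloudWatch Logs data‑protection policy is the second, account‑level net, but the exam and real incidents both favour masking at the source.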

Actionable takeaway:

  • Write a one‑page decision tree for “Which edge control do I choose?” and another for “Which encryption pattern fits this workload?” These are your fast‑thinking tools on exam day.

Common Pitfalls (And How to Avoid Them)

  • Treating each service as a silo: The exam favors integrated designs. Practice end‑to‑end workflows from detection through response and governance.

  • Weak IAM fundamentals: Permission boundaries, session policies, and SCPs frequently separate correct from almost‑correct answers.

  • Underestimating governance: Account baselines and centralized controls are often the “best” solution at scale, even if ad‑hoc per‑account settings also work.

  • Memorizing over doing: Scenario questions reward hands‑on experience—build labs until you can implement from memory.

Actionable takeaway:

  • For every concept, write “How would I prove it works?” If you can’t demo it in the console or CLI, schedule a lab to close the gap.


FAQs

Q1: How many questions are on SCS‑C03, and how much time do I get?

A1: 65 total questions (50 scored + 15 unscored) and 170 minutes. [2†source]

Q2: What’s the passing score and scoring model?

A2: Exams are scaled from 100 to 1000; you need 750 to pass. AWS uses a compensatory model—your overall score matters more than any single domain. [0†source]

Q3: How is SCS‑C03 different from SCS‑C02?

A3: The domains are reorganized; Detection and Incident Response are split, and Security Foundations and Governance is the new name for Domain 6. New content includes OCSF‑aligned integrations, generative‑AI guardrails (OWASP LLM Top 10), inter‑resource encryption in transit, and key material nuances. [1†source]

Q4: How much does the exam cost, and what languages are available?

A4: USD 300. Languages include English, Japanese, Korean, Portuguese (Brazil), Simplified Chinese, and Spanish (LatAm). Test with Pearson VUE online or at a center. [2†source]

Q5: What if I fail—when can I retake, and how long are results/validity?

A5: Results typically appear within five business days. If you fail, you can retake after 14 days; certifications are valid for three years. If you already hold any AWS Certification, you also receive a 50% voucher for a future exam. [5†source] [10†source]


Conclusion

You don’t need to be a unicorn to pass SCS‑C03—you need a plan, practice, and the discipline to turn concepts into working controls. Focus on IAM, data protection, and infrastructure security, then layer in detection/response and governance at scale. Build a real lab, rehearse incident playbooks, and keep the Well‑Architected Security principles close at hand. If you stay consistent for 6–10 weeks and practice hands‑on, you’ll not only pass—you’ll become the person your team calls when security matters most.
