The AWS Certified Security - Specialty (SCS-C02) exam is intended for individuals who perform a security role. The exam validates a candidate’s ability to effectively demonstrate knowledge about securing AWS products and services.
The exam also validates whether a candidate has the following:
- An understanding of specialized data classifications and AWS data protection mechanisms
- An understanding of data-encryption methods and AWS mechanisms to implement them
- An understanding of secure internet protocols and AWS mechanisms to implement them
- A working knowledge of AWS security services and features of services to provide a secure production environment
- Competency from 2 or more years of production deployment experience in using AWS security services and features
- The ability to make tradeoff decisions regarding cost, security, and deployment complexity to meet a set of application requirements
- An understanding of security operations and risks
AWS Certified Security – Specialty is intended for individuals who perform a security role and have at least two years of hands-on experience securing AWS workloads. Before you take this exam, we recommend you have:
- Five years of IT security experience in designing and implementing security solutions and at least two years of hands-on experience in securing AWS workloads
- Working knowledge of AWS security services and features of services to provide a secure production environment and an understanding of security operations and risks
- Knowledge of the AWS shared responsibility model and its application; security controls for workloads on AWS; logging and monitoring strategies; cloud security threat models; patch management and security automation; ways to enhance AWS security services with third-party tools and services; and disaster recovery controls, including BCP and backups, encryption, access control, and data retention
- Understanding of specialized data classifications and AWS data protection mechanisms, data-encryption methods and AWS mechanisms to implement them, and secure internet protocols and AWS mechanisms to implement them
- Ability to make tradeoff decisions with regard to cost, security, and deployment complexity to meet a set of application requirements
Target candidate
The target candidate should have the equivalent of 3–5 years of experience in designing and implementing security solutions. Additionally, the target candidate should have a minimum of 2 years of hands-on experience in securing AWS workloads.
Recommended AWS knowledge
The target candidate should have the following knowledge:
- The AWS shared responsibility model and its application
- General knowledge of AWS services and deploying cloud solutions
- Security controls for AWS environments and workloads
- Logging and monitoring strategies
- Vulnerability management and security automation
- Ways to integrate AWS security services with third-party tools
- Disaster recovery controls, including backup strategies
- Cryptography and key management
- Identity access management
- Data retention and lifecycle management
- How to troubleshoot security issues
- Multi-account governance and organizational compliance
- Threat detection and incident response strategies
Domains & Competencies
Domain 1: Threat Detection and Incident Response
Domain 2: Security Logging and Monitoring
Domain 3: Infrastructure Security
Domain 4: Identity and Access Management
Domain 5: Data Protection
Domain 6: Management and Security Governance
Detailed domain descriptions, a list of specific tools and technologies that might be covered on the exam, and lists of in-scope AWS services are available in the exam guide: https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide.pdf
Exam overview
Level: Specialty
Length: 170 minutes to complete the exam
Cost: 300 USD (*when purchasing directly from AWS)
Visit Exam pricing for additional cost information.
Format: 65 questions; either multiple choice or multiple response.
Delivery method: Pearson VUE testing center or online proctored exam.