AWS Certified Security Specialty Practice Exams

AWS Security Specialty Exam Facts

  • 50 scored questions plus 15 unscored questions
  • Question types are multiple choice and multiple response
  • Scaled scoring 100–1000 with a passing score of 750
  • Target candidate: 3–5 years security design/implementation, 2+ years securing AWS workloads
  • Compensatory model — only overall exam score must pass

SCS-C02 Content Domains & Weighting

  • Domain 1: Threat Detection & Incident Response – 14%
  • Domain 2: Security Logging & Monitoring – 18%
  • Domain 3: Infrastructure Security – 20%
  • Domain 4: Identity & Access Management – 16%
  • Domain 5: Data Protection – 18%
  • Domain 6: Management & Security Governance – 14%

AWS Certified Security Specialty Exam Topics

Exam Basics

  • Format: 50 scored questions and 15 unscored questions
  • Question types: multiple choice and multiple response
  • Scoring: scaled 100–1000; passing score 750
  • Model: compensatory — section scores don’t need to pass individually
  • Target candidate: 3–5 years security experience; ≥2 years hands-on with AWS security services

Domain 1: Threat Detection & Incident Response (14%)

  • Design IR plans, roles, and playbooks using AWS best practices and ASFF
  • Deploy and integrate GuardDuty, Security Hub, Macie, Inspector, Detective, Config, IAM Access Analyzer
  • Automate remediation with Lambda, Step Functions, EventBridge, Systems Manager runbooks
  • Isolate resources (e.g., EC2), capture forensics (EBS snapshots, memory), preserve artifacts with S3 Object Lock

Domain 2: Security Logging & Monitoring (18%)

  • Design monitoring & alerting with CloudWatch, EventBridge, SNS; define metrics/thresholds
  • Centralize findings and build dashboards/insights; troubleshoot missing visibility and misconfigs
  • Implement logging (VPC Flow Logs, DNS logs, CloudTrail, CloudWatch Logs) with retention/lifecycle
  • Analyze logs with Logs Insights, CloudTrail Insights, Athena; normalize/correlate to detect anomalies

Domain 3: Infrastructure Security (20%)

  • Protect the edge with CloudFront, WAF, Shield, Route 53, and load balancers; address OWASP Top 10 & DDoS
  • Design network controls with SGs/NACLs/Network Firewall; keep traffic private via VPC endpoints/Transit Gateway
  • Plan on-prem connectivity and redundancy with VPN, Direct Connect (incl. MACsec)
  • Harden compute: AMIs, instance/service roles, patching, Inspector scans, host-based firewalls, secrets handling
  • Troubleshoot reachability using Reachability Analyzer/Inspector; analyze VPC Flow/WAF/Route 53 logs

Domain 4: Identity & Access Management (16%)

  • Implement authentication with federation, IdPs, IAM Identity Center (SSO), Cognito; MFA & STS
  • Authorize with identity-/resource-/inline/session policies; apply least privilege, SoD, ABAC & RBAC
  • Troubleshoot authN/Z using CloudTrail, Access Advisor, and the IAM policy simulator

Domain 5: Data Protection (18%)

  • Secure data in transit: TLS, VPN/IPsec, secure remote access (Session Manager), certs on CF/LBs/APIs
  • Secure data at rest: SSE/CSE, KMS, hashing/signatures, resource policies; block public access & public snapshots/AMIs
  • Integrity & retention: S3 Object Lock, Glacier Vault Lock, Backup Vault Lock; lifecycle & backup schedules
  • Secrets & keys: Secrets Manager, Parameter Store; CMKs, key policies, rotation, import/delete key material

Domain 6: Management & Security Governance (14%)

  • Operate multi-account at scale: Organizations, Control Tower, delegated admin, cross-account roles
  • Enforce guardrails with SCPs and Firewall Manager; protect root user
  • Deploy securely with IaC: CloudFormation hardening, drift detection, tagging, Service Catalog, RAM
  • Evaluate compliance with Config rules, Security Hub, Audit Manager; identify gaps with Well-Architected
  • Use cost/usage insights (e.g., Cost Explorer, Trusted Advisor) to spot anomalies and reduce attack surface

Out of Scope for the Exam

  • Developing software in a specific language (e.g., Python, Java)
  • Confirming regulatory compliance
  • Managing full SDLC processes
  • Designing network topologies or overall cloud architectures
  • Configuring storage for data residency (e.g., GDPR specifics)

How to Prepare

  • Study the official exam guide and domain task statements
  • Get hands-on with GuardDuty, Security Hub, Macie, Inspector, Detective, Config, IAM, KMS
  • Practice logging/monitoring setups (CloudTrail, VPC Flow Logs, DNS logs, CloudWatch Logs & Insights)
  • Drill incident response playbooks, automation with EventBridge/Lambda/SSM, and forensics workflows
  • Design network & edge protections (WAF, Shield, CloudFront, SGs/NACLs/Network Firewall) and IAM least-privilege