In April 2023, AWS made an announcement regarding the upcoming changes to the AWS Certified Security – Specialty exam (SCS-C01). They introduced a new version, SCS-C02, which would be available for candidates to take starting from July 11, 2023. AWS frequently updates their exams to ensure that they remain relevant and assess the knowledge of candidates in line with the evolving AWS service offerings. With hundreds of updates being implemented on the AWS platform each month, it was only fitting that the current (SCS-C01) version of the exam, which has been in place since 2019, received an update. This blog post aims to provide an overview of the modifications made between the current (SCS-C01) and updated AWS Certified Security – Specialty (SCS-C02) exam versions.
About the new AWS Certified Security – Specialty (SCS-C02) exam
The AWS Certified Security – Specialty (SCS-C02) exam targets individuals in security roles and assesses their proficiency in safeguarding the AWS platform. This examination evaluates candidates based on their capacity to demonstrate knowledge in the following areas:
- Specialized data classifications and the corresponding AWS data protection mechanisms
- Data encryption techniques and their implementation through AWS mechanisms
- Secure internet protocols and how AWS implements them
- Utilization of AWS security services and features to establish a secure production environment
- Practical experience with AWS security services and features gained from at least two years of production deployment
- The ability to make informed decisions that balance cost, security, and deployment complexity to meet application requirements
- Familiarity with security operations and an understanding of associated risks
Who should take the exam?
To be eligible, candidates should possess the expertise necessary to design and implement security solutions, with an experience equivalent to 3–5 years. Moreover, they should have a minimum of 2 years of practical experience in securing AWS workloads.
The preferred AWS knowledge for the target candidate includes the following:
- Understanding and application of the AWS shared responsibility model
- Familiarity with AWS services and proficiency in deploying cloud solutions
- Implementation of security controls for AWS environments and workloads
- Strategies for logging and monitoring in AWS
- Knowledge of vulnerability management and proficiency in security automation
- Integration of AWS security services with third-party tools
- Mastery of disaster recovery controls, including backup strategies
- Understanding of cryptography and key management
- Proficiency in AWS Identity and Access Management (IAM)
- Knowledge of data retention and lifecycle management
- Troubleshooting skills for security issues
- Expertise in multi-account governance and organizational compliance
- Strategies for threat detection and incident response
Now let us move to the main point where we will compare both the exams.
SCS-C01 vs the new SCS-C02
Here’s a table comparing the content domains and their respective percentages for the current SCS-C01 exam and the updated AWS Certified Security – Specialty (SCS-C02) exam –
| Domain | SCS-C01 Exam (%) | SCS-C02 Exam (%) |
|---|---|---|
| Domain 1: Incident Response | 12% | 14% |
| Domain 2: Logging and Monitoring | 20% | 18% |
| Domain 3: Infrastructure Security | 26% | 20% |
| Domain 4: Identity and Access Management | 20% | 16% |
| Domain 5: Data Protection | 22% | 18% |
| Domain 6: Management and Security Governance | N/A | 14% |
| Total | 100% | 100% |
Please note that Domain 6: Management and Security Governance is a new addition in the updated SCS-C02 exam, hence it is not applicable for the SCS-C01 exam.
Comparing the content between the SCS-C01 and updated SCS-C02 exam guides reveals a straightforward mapping of the domains. The SCS-C02 exam introduces a new domain, Management and Security Governance, which evaluates knowledge of effective management and governance practices, including multi-account strategies and cross-account roles within an AWS Organization. Upon closer examination of task statements and lists of services and features in the SCS-C01 guide, it becomes evident that most of the SCS-C01 content remains relevant and can still be assessed in the SCS-C02 exam. The only additional service included in the SCS-C02 exam is the Network Access Analyzer. Notably, the updated exam guide removes Network analysis tools, SSH/RDP, Signature Version 4, and TLS from the list of key tools, technologies, and concepts, replacing them with Secure Remote Access.
AWS has made slight modifications to the “target candidate description” in the exam guide. While the SCS-C01 guide requires “5 years of IT security experience in designing and implementing security solutions” and “2 or more years of hands-on experience in securing AWS workloads,” the SCS-C02 guide now specifies the equivalent of “3-5 years of experience in designing and implementing security solutions” while maintaining the requirement of “a minimum of 2 years of hands-on experience in securing AWS workloads.”
Naturally, an AWS Security specialty exam extensively evaluates knowledge of AWS security services, such as AWS Identity and Access Management (IAM), GuardDuty, Macie, AWS Certificate Manager (ACM), the AWS Key Management Service (KMS), and CloudHSM. Let’s now quickly review some other concepts and services that may be covered within each of the six domains in the SCS-C02 exam.
Domain 1: Threat Detection and Incident Response (14%)
This domain constitutes 14% of the exam and encompasses approximately 9 questions focused on threat detection and incident response. It includes a range of topics, such as implementing AWS best practices for responding to security incidents like compromised access credentials, compromised EC2 instances, or findings within the AWS Security Hub. Additionally, it covers the configuration of automation using managed AWS services like EventBridge and Lambda to effectively respond to and mitigate security findings. This domain also addresses the principles of root cause analysis and the utilization of data capture mechanisms for gathering forensic data during security investigations.
Domain 2: Security Logging and Monitoring (18%)
Accounting for 18% of the exam, this domain encompasses approximately 12 questions related to security logging and monitoring. Your expertise will be tested in designing, implementing, and resolving issues with logging and log analysis solutions, utilizing DNS logs, VPC flow logs, CloudTrail, and CloudWatch Logs. Familiarity with AWS managed services, including CloudWatch Logs Insights, CloudTrail Insights, and Security Hub insights, is essential for this domain.
Domain 3: Infrastructure Security (20%)
Comprising 20% of the exam, this domain includes around 13 questions focusing on infrastructure security. It evaluates your knowledge of security features within services like AWS WAF, Shield, and Route 53. Understanding secure connectivity implementation in elastic load balanced environments and utilizing features like VPC endpoints, security groups, and network ACLs to secure traffic within a VPC is vital. Additionally, you should possess the ability to troubleshoot network connectivity issues using tools such as the VPC Reachability Analyzer.
Domain 4: Identity and Access Management (16%)
Constituting 16% of the exam, this domain includes approximately 10 questions focused on identity and access management (IAM). Your proficiency in designing, implementing, and troubleshooting authentication and authorization for AWS workloads will be evaluated. This entails leveraging services like the AWS IAM Identity Center, Amazon Cognito user and identity pools, and the AWS Security Token Service (STS). Demonstrating knowledge of best practices in creating and managing identities and access credentials, as well as the ability to define, read, and interpret various IAM policy snippets, is crucial for this domain.
Domain 5: Data Protection (18%)
Covering 18% of the exam, this domain involves around 12 questions related to data protection. You will be required to design solutions for maintaining data integrity through the use of encryption in transit and at rest to secure data stored in services such as S3 and DynamoDB. Understanding the design and implementation of secure connectivity between on-premises networks and the AWS cloud using Direct Connect and site-to-site VPNs is important. Moreover, you should possess knowledge of securely connecting services within and between AWS accounts and regions.
Domain 6: Management and Security Governance (14%)
Introducing a new domain, this section accounts for 14% of the exam and consists of approximately 9 questions focusing on management and security governance. It evaluates your knowledge of deployment and management strategies for AWS accounts utilizing Organizations and Control Tower, along with resources like CloudFormation templates. Understanding the utilization of services such as AWS Audit Manager, Amazon Macie, and AWS Config is essential for identifying, assessing, and resolving sensitive data or noncompliant resources within an AWS environment.
AWS Certified Security Specialty (SCS-C01) Online Course
Structural Changes
Similar to the SCS-C01 exam, the SCS-C02 exam will comprise a total of 65 multiple-choice and multiple-response questions. Most questions will present 4 answer options, requiring selection of one correct answer, while a few may offer 5 or 6 options, with a requirement to choose two or three correct answers. Out of these 65 questions, only 50 will contribute to your final score. The remaining 15 questions serve as evaluation items for AWS and have no impact on your score. It is not possible to distinguish between scored and unscored questions, but there is no penalty for guessing. Therefore, it is advisable to answer every question, even if you are making an educated guess. As with the previous exam, the SCS-C02 is scored on a scale of 100 to 1,000, with a minimum passing score of 750.
What type of questions to expect?
As this is a Specialty exam, it is important to note that the questions are generally more extensive and present complex scenarios compared to Associate-level certification exams. They closely resemble the level of difficulty typically encountered in Professional-level certification exams. The questions often involve detailed scenarios spanning several sentences or even paragraphs, while the answer choices are also lengthy. It is crucial to allocate sufficient time to read these longer questions carefully and ensure that you comprehend every word and detail presented.
Pay close attention to any sentences that are repeated across the answer choices, with only slight variations of a word or two. These subtle differences can significantly impact the correctness of an answer choice and help distinguish between the correct answer and potential distractors. Your strategy should involve promptly eliminating these distractors to narrow down your focus on the plausible answer choices. By doing so, you can dedicate more attention to identifying the best possible answer or answers for each question.
Out of Scope Topics
The following list outlines several job tasks that are considered out of scope for the exam and are not expected to be performed by the target candidate. Please note that this is not an exhaustive list:
- Implementing DevOps and SysOps practices
- Demonstrating programming skills in specific languages, such as Python or Java
- Handling regulatory compliance matters
- Managing the software development lifecycle
- Ensuring privacy control of data
- Designing network topologies
- Addressing data residency concerns, such as GDPR compliance
- Architecting the overall cloud deployment
Expert Corner
Here are some technical tips to help you prepare for the AWS Certified Security – Specialty (SCS-C02) exam:
- Understand the Exam Domains: Familiarize yourself with the exam domains and their respective weightage. Make sure you have a solid understanding of the topics covered in each domain to effectively allocate your study time.
- Review AWS Shared Responsibility Model: Understand the AWS Shared Responsibility Model and how it applies to different AWS services. This model outlines the security responsibilities shared between AWS and the customer, which is crucial knowledge for the exam.
- Gain Hands-on Experience: Obtain hands-on experience in securing AWS workloads. The exam expects you to have at least two years of practical experience, so make sure to gain real-world exposure by working on security-related projects in AWS.
- Study AWS Security Services: Develop a comprehensive understanding of various AWS security services such as AWS Identity and Access Management (IAM), AWS CloudTrail, AWS WAF, Amazon GuardDuty, AWS KMS, etc. Learn how to configure and utilize these services effectively.
- Master Logging and Monitoring: Study different logging and monitoring strategies in AWS. Understand how to configure CloudTrail for auditing and how to leverage services like Amazon CloudWatch and AWS Config for monitoring and alerting purposes.
- Focus on Data Protection: Data protection is a significant aspect of the exam. Dive deep into topics such as encryption, key management, secure storage options (Amazon S3, EBS, etc.), and data lifecycle management in AWS.
- Practice Incident Response: Gain knowledge of incident response procedures in AWS. Familiarize yourself with AWS services that aid in incident detection and response, such as AWS CloudFormation, AWS Lambda, and AWS Systems Manager.
- Understand Infrastructure Security: Study techniques to secure AWS infrastructure components like VPCs, subnets, security groups, and network ACLs. Learn about AWS Config rules, AWS Inspector, and AWS Shield for maintaining a secure infrastructure.
- Review Security Best Practices: Stay updated with AWS security best practices, including security compliance frameworks like HIPAA, PCI DSS, and GDPR. Understand the recommended security controls and configurations for different AWS services.
- Practice Sample Questions: Utilize practice exams and sample questions to assess your knowledge and familiarize yourself with the exam format. This will help you identify any knowledge gaps and improve your time management skills during the actual exam.
Remember to refer to official AWS documentation, whitepapers, and online training resources to supplement your preparation. Dedicate enough time for studying, hands-on practice, and revision to ensure a successful outcome on the SCS-C02 exam. Good luck!
