The AWS Certified Security – Specialty (SCS-C03) is Amazon's advanced cloud security certification for professionals who design, implement, and troubleshoot security solutions on AWS. It validates expertise across threat detection, identity management, infrastructure security, data protection, logging, and governance — including generative AI security, added in the December 2025 SCS-C03 update.
TroyTec's SCS-C03 practice questions are built against the official exam guide — including the new GenAI domain content most platforms haven't yet added. Use our PDF question bank, test engine, and free AI Tutor to pass on your first attempt.
Exam Code: SCS-C03
Certification Level: Specialty
Total Questions: 65 (50 scored, 15 unscored)
Duration: 170 minutes
Passing Score: 750 / 1000 (scaled)
Exam Fee: $300 USD
Validity: 3 years
Retake Wait: 14 days
Delivery: Pearson VUE — online or in-person
Languages: English, Japanese, Korean, Portuguese (BR), Simplified Chinese, Spanish (LATAM)
Version Released: December 2, 2025
The AWS Certified Security – Specialty proves you can secure cloud environments at a specialist level — not just follow checklists, but architect security solutions, respond to incidents, and make risk tradeoffs that align security with business requirements.
The exam validates a candidate's ability to:
Apply specialized data classifications and AWS data protection mechanisms
Implement data-encryption methods and AWS encryption mechanisms
Implement AWS mechanisms to follow secure internet protocols
Use AWS security services and features to ensure secure production environments
Make decisions that account for tradeoffs between cost, security, and deployment complexity
Target experience: 3–5 years of IT security experience with at least 2 years of hands-on AWS workload security. This is not an entry-level certification.
Domain 1: Threat Detection & Incident Response - 14% Weight
Domain 2: Security Logging & Monitoring - 18% Weight
Domain 3: Infrastructure Security - 20% Weight
Domain 4: Identity & Access Management - 20% Weight
Domain 5: Data Protection - 14% Weight
Domain 6: Security Foundations & Governance - 14% Weight
Identity and Access Management and Infrastructure Security are jointly the heaviest domains at 20% each. IAM increased from 16% in SCS-C02 — identity is now the most tested topic on the exam, reflecting the reality that misconfigured IAM policies and overly permissive roles cause more breaches than network misconfigurations.
The SCS-C03 exam launched December 2, 2025 and replaced SCS-C02. Here is what changed:
IAM Domain Weight — Increased from 16% (SCS-C02) to 20% (SCS-C03), making Identity and Access Management one of the two heaviest domains on the exam, alongside Infrastructure Security.
Generative AI Security — Not covered in SCS-C02. SCS-C03 adds it under Domain 3, Skill 3.2.7, covering Amazon Bedrock guardrails, prompt injection protections, and SageMaker AI network isolation.
Question Formats — SCS-C02 used only multiple choice and multiple response. SCS-C03 adds Ordering questions (arrange steps in correct sequence) and Matching questions (pair all prompts to correct responses).
AI/ML Services in Scope — None in SCS-C02. SCS-C03 adds Amazon Bedrock, SageMaker AI, and Amazon Q to the in-scope services list.
Domain Structure — SCS-C02 used broader categories. SCS-C03 restructured into tighter, purpose-built domains with clearer task and skill breakdowns.
Release Date — SCS-C02: June 2023. SCS-C03: December 2, 2025.
If you hold SCS-C02, your certification remains valid until its 3-year expiry. You are not required to retake the exam early.
GuardDuty finding types: EC2, IAM, S3, Kubernetes, and RDS finding categories
Amazon Macie for sensitive data discovery in S3
Automated incident response with EventBridge rules and Lambda
CloudTrail organization trails and log file integrity validation
VPC Flow Logs, DNS query logs, and Load Balancer access logs
CloudWatch Logs agent configuration and metric filters
AWS WAF rules, rate limiting, and managed rule groups
AWS Shield Standard vs Shield Advanced
Amazon Inspector network reachability findings
NEW: Generative AI security — Amazon Bedrock guardrails, content filtering, prompt injection protections, SageMaker AI network isolation
IAM Roles Anywhere for hybrid environments
ABAC vs RBAC strategy design and implementation
Cross-account access patterns and confused-deputy prevention
Amazon Verified Permissions for application authorization
KMS customer managed keys, key policies, and grants
AWS Private Certificate Authority
Ransomware protection with AWS Backup and Amazon Data Lifecycle Manager
Encryption in transit: ACM, ELB TLS policies, MACsec
AWS Organizations: SCPs, RCPs, AI service opt-out policies, declarative policies
AWS Control Tower: landing zones, optional and custom controls
AWS Config conformance packs for continuous compliance
Delegated security service administration
The AWS Certified Security – Specialty is one of the highest-paying AWS certifications available. Holders earn an average of $158,594 annually, with experienced practitioners in financial services, healthcare, and government reaching $170,000–$204,000.
The SCS-C03 update — which added generative AI security coverage — has increased the credential's value further. Organizations running AI workloads on AWS are actively hiring professionals who understand how to secure Amazon Bedrock pipelines, and the talent pool is thin.
At $300 for the exam, the ROI is immediate for any professional already operating in an AWS security role.
Top hiring roles: Cloud Security Engineer, Cloud Security Architect, Security Operations Lead.
AWS does not mandate prerequisites to register. Attempting SCS-C03 without the following knowledge is a costly mistake:
Knowledge equivalent to AWS Certified Solutions Architect – Associate (understand VPCs, subnets, routing, and IAM fundamentals before you try to secure them)
2+ years of hands-on experience specifically securing AWS workloads
Familiarity with the AWS Shared Responsibility Model in production environments
Recommended path: AWS Certified Cloud Practitioner (CLF-C02) → AWS Solutions Architect – Associate (SAA-C03) → AWS Certified Security – Specialty (SCS-C03).
Study GuardDuty finding categories, Security Hub, and IAM trust policy patterns. Use TroyTec's AI Tutor for scenario questions: 'What GuardDuty finding type indicates compromised EC2 instance credentials?' Get instant explanations without searching documentation.
Cover CloudTrail organization trails, VPC Flow Logs, and log correlation with Athena and OpenSearch. Run TroyTec practice questions on logging architecture scenarios. Review every wrong answer explanation before moving on.
Study WAF, Network Firewall, VPC segmentation, and the new Bedrock and SageMaker AI security skills. SCS-C03 tests these — most prep resources skip GenAI security content entirely. TroyTec questions include it.
KMS key management, imported key material, Secrets Manager rotation strategies, certificate management with ACM and Private CA, and ransomware protection design patterns. Use the PDF question bank for focused, printable revision.
IAM Roles Anywhere, ABAC/RBAC design, Amazon Verified Permissions, cross-account patterns, and STS credential flows. This domain is 20% of your score — give it a full day.
Security Foundations: Organizations, SCPs, RCPs, AI opt-out policies, Control Tower. Then take a full-length timed mock on TroyTec's test engine. Score below 750? Flag every missed question for Day 7 review.
Drill flagged questions only. Re-read explanations on wrong answers. Confirm your Pearson VUE appointment, system requirements if testing online, and government-issued ID. Non-native English speakers: verify your 30-minute accommodation is approved before this point.
TroyTec questions are built against the official SCS-C03 exam guide domains — including the generative AI security content (Skill 3.2.7) that most platforms have not yet added. Questions are scenario-based, matching the format and difficulty of the real exam.
PDF Question Bank — download and study offline; annotate by domain; print for paper-based review
Test Engine — timed, section-based, and randomized modes with score tracking across attempts
AI Tutor — ask any SCS-C03 concept, get a clear explanation instantly; free to use with no account required
The AWS Certified Security – Specialty (SCS-C03) is an advanced AWS certification that validates expertise in securing AWS workloads. It covers threat detection, incident response, identity and access management, infrastructure security, data protection, logging, monitoring, and security governance. The SCS-C03 version, released December 2, 2025, is the current active exam and adds generative AI security coverage not present in earlier versions.
The SCS-C03 passing score is 750 on a scaled score of 100–1,000. The exam uses a compensatory scoring model — you do not need to pass each domain individually, only the overall exam. Scaled scoring accounts for slight difficulty variations across different exam pools.
The SCS-C03 exam has 65 total questions. 50 questions are scored and count toward your result. The remaining 15 are unscored pilot questions used by AWS to evaluate future exam content. You will not know which questions are unscored, so treat every question as if it counts.
The SCS-C03 exam costs $300 USD. AWS certification holders who pass certain qualifying exams earn a 50% discount voucher for their next exam, reducing the cost to $150. Schedule through Pearson VUE — online proctored or in-person at a test center.
SCS-C03 is one of AWS's most challenging certifications. It requires the ability to architect solutions, troubleshoot real-world scenarios, and evaluate security tradeoffs — not just recall service names. The new ordering and matching question formats increase difficulty beyond multiple-choice recall. Expect it to be significantly harder than any AWS associate-level exam. Most candidates with real AWS security experience recommend 4–8 weeks of dedicated preparation.
SCS-C03 (released December 2, 2025) restructured domains, increased IAM weighting from 16% to 20%, added generative AI security content covering Amazon Bedrock and SageMaker AI, and introduced new question formats — ordering and matching — in addition to traditional multiple choice. If you hold SCS-C02, it remains valid until its 3-year expiration; you are not required to retake the exam early.
The most common roles are Cloud Security Engineer, Cloud Security Architect, and Security Operations Lead. Financial services, healthcare, and government are the top industries hiring for this credential. Median salary for SCS-C03 holders reaches approximately $158,600 nationally, with experienced practitioners in high-compliance sectors reaching $170,000–$204,000.
No. Exam dumps are memorized question lists that frequently contain inaccurate answers, go stale after each AWS exam pool refresh, and violate AWS's certification agreement. AWS audits exam results and revokes credentials when dump usage is detected. Scenario-based practice questions — which test reasoning, not memorization — prepare you for how the real SCS-C03 is actually written and make the knowledge applicable to real cloud security work.
The AWS Certified Security – Specialty consistently ranks among the most in-demand AWS specialty certifications. With cloud security skills gaps widening, AI workloads increasing attack surfaces, and regulatory compliance requirements tightening across industries, demand for SCS-C03 holders is growing faster than the supply of qualified candidates.
Updated June 13, 2026