Cybersecurity cert-prep add-on

AWS Certified Security - Specialty Exam Prep Add-On

Convert Cloud Security Fundamentals into an AWS Security Specialty ramp in 60 hours.

$147 add-on60h additional studyTarget exam: AWS Security SpecialtyExam fee: $300

What the add-on ships

++Six domain reviews mapped to the official AWS Certified Security - Specialty exam guide
++Three full-length 65-question mock exams scored against the AWS scaled-score model
++Hands-on labs runnable on the AWS free tier covering IAM, KMS, GuardDuty, Security Hub, and CloudTrail patterns
++Exam-day checklist covering time-per-question pacing and the AWS scenario-question format
++Direct link to the official AWS exam guide as the canonical reference

Built on the parent course

++Cloud Security Fundamentals eight-module curriculum aligned to NIST SP 800-204, CSA Cloud Controls Matrix
++AWS shared-responsibility model, IAM, network segmentation, data protection, and posture management practice from the parent course

Parent course: cloud security fundamentals

Best for

++Cloud Security Engineers consolidating two years of AWS security experience into a senior credential
++Architects with a security-heavy customer portfolio targeting AWS specialty recognition
++Practitioners moving from a generalist DevOps role into AWS-focused security engineering

Practice surface

++Three 65-question mock exams with AWS-style scenarios
++Hands-on lab environments runnable on the AWS free tier
++Targeted weak-area question drilling per AWS domain weighting

Buy the add-on

$147 on top of the cloud security fundamentals parent course. Lifetime access to the practice materials, mock exams, and exam-day worksheets.

See the parent course

Exam summary

AWS Certified Security - Specialty (SCS-C02) is AWS's senior-tier security credential. Covers identity and access, infrastructure security, data protection, incident response, threat detection and logging, and management and security governance. 170 minutes, 65 questions, scaled passing score approximately 750/1000.

Domain reviews

Threat Detection and Incident Response

14%

Detecting, investigating, and responding to security events in AWS.

++Amazon GuardDuty (threat detection across VPC Flow Logs, DNS, CloudTrail)
++AWS Security Hub (centralized findings + compliance posture)
++Amazon Detective (investigation graphs)
++AWS Config rules for compliance + remediation actions
++Incident response: SSM, EC2 Instance Connect, snapshot-based forensics, EventBridge automation

Primary sources:

Security Logging and Monitoring

18%

Logging architecture for security telemetry: CloudTrail, VPC Flow Logs, CloudWatch.

++CloudTrail event categories: management, data, insight, network activity
++CloudTrail Lake for SQL-queryable trails
++VPC Flow Logs at the VPC, subnet, and ENI level
++CloudWatch Logs, metric filters, Logs Insights
++Encryption of logs (KMS), log integrity validation (CloudTrail digest files)

Primary sources:

AWS CloudTrail user guide

Infrastructure Security

20%

Network controls and edge protection in AWS.

++VPC design: subnets, route tables, NACLs, security groups, NAT, VPC endpoints
++AWS Network Firewall, WAF, Shield (Standard and Advanced)
++VPC Lattice and PrivateLink for private service-to-service
++Edge protection: CloudFront, Route 53, Global Accelerator with security policies
++Hybrid: Direct Connect, Site-to-Site VPN, Transit Gateway

Primary sources:

AWS Network Firewall docs

Identity and Access Management

16%

IAM in depth, plus AWS SSO, Cognito, federation.

++IAM principals, policies, permission boundaries, SCPs (Service Control Policies in Organizations)
++AWS IAM Identity Center (formerly SSO), permission sets
++Federation: SAML, OIDC, AWS STS, role chaining
++Cognito user pools and identity pools
++Least-privilege design with Access Analyzer and IAM Access Advisor

Primary sources:

AWS IAM user guide

Data Protection

18%

Encrypting, classifying, and protecting data in AWS.

++AWS KMS: customer managed keys, AWS managed keys, key policies, grants, multi-region keys
++Encryption: at rest (S3 SSE-S3, SSE-KMS, SSE-C), in transit (TLS), client-side
++Macie for sensitive-data discovery
++Secrets Manager and Systems Manager Parameter Store
++Data classification, S3 bucket policies, S3 Block Public Access, S3 Object Lock

Primary sources:

Management and Security Governance

14%

Multi-account governance, organization-wide security, audit.

++AWS Organizations: SCPs, delegated administration
++AWS Control Tower and account factory
++Conformance packs in AWS Config
++Tag policies and resource sharing (RAM)
++Audit: AWS Audit Manager, prebuilt frameworks

Primary sources:

Practice scenarios (6)

Practice scenarios are scenario-based learning, not exam-question mimicry. Each scenario maps to a specific exam domain and includes a worked explanation plus a primary-source citation. Reproducing actual exam items would violate the cert body's NDA; the format here exercises the same underlying concepts under different surface phrasing.

Preview scenario 1 of 6 · Threat Detection and Incident Responsefree preview

A security engineer needs continuous threat detection across CloudTrail, VPC Flow Logs, DNS logs, and EKS audit logs in a multi-account AWS Organization, with findings centralized in a security account. Which combination is the canonical AWS-native fit?

A. Manually parse logs in Athena and write custom detection rules
B. Enable Amazon GuardDuty across the Organization with the security account designated as the delegated administrator; aggregate findings in Security Hub
C. Subscribe to a third-party SIEM and disable GuardDuty
D. Install antivirus on every EC2 instance

Answer: B

GuardDuty with delegated-administrator across the Organization plus Security Hub for centralized findings is the AWS-native pattern for organization-wide threat detection. Manual Athena parsing is not the canonical answer; third-party SIEMs can layer on but do not replace GuardDuty in the AWS-canonical answer; antivirus is unrelated to threat detection across AWS event sources.

Reference: GuardDuty multi-account architecture

Unlock the rest

5 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $147 one-time, lifetime access.

Exam-day strategy

++Identify which exam domain the question targets (Identity, Infrastructure, Data, Logging, Threat Detection, Governance). The right answer often resolves by domain.
++Watch for distractors that propose custom code where an AWS managed service exists for the use case.
++On IAM questions, look for the specific policy construct (identity policy, resource policy, trust policy, permission boundary, SCP). The exam tests the distinction.
++On KMS questions, identify whether the scenario calls for AWS managed keys, customer managed keys, or grants. Cross-account scenarios usually require customer managed keys.
++Pace at roughly 2 minutes 30 seconds per question. 170 minutes for 65 questions is moderate.

Additional resources

Sources

Official AWS Security Specialty exam page (certifying body)

Exam fee and blueprint last verified 2026-05-22. Confirm current values with the certifying body before scheduling the exam.

What the add-on ships

++Six domain reviews mapped to the official AWS Certified Security - Specialty exam guide

++Three full-length 65-question mock exams scored against the AWS scaled-score model

++Hands-on labs runnable on the AWS free tier covering IAM, KMS, GuardDuty, Security Hub, and CloudTrail patterns

++Exam-day checklist covering time-per-question pacing and the AWS scenario-question format

++Direct link to the official AWS exam guide as the canonical reference

Exam summary

Domain reviews

Threat Detection and Incident Response

14%

Detecting, investigating, and responding to security events in AWS.

++Amazon GuardDuty (threat detection across VPC Flow Logs, DNS, CloudTrail)
++AWS Security Hub (centralized findings + compliance posture)
++Amazon Detective (investigation graphs)
++AWS Config rules for compliance + remediation actions
++Incident response: SSM, EC2 Instance Connect, snapshot-based forensics, EventBridge automation

Primary sources:

Security Logging and Monitoring

18%

Logging architecture for security telemetry: CloudTrail, VPC Flow Logs, CloudWatch.

++CloudTrail event categories: management, data, insight, network activity
++CloudTrail Lake for SQL-queryable trails
++VPC Flow Logs at the VPC, subnet, and ENI level
++CloudWatch Logs, metric filters, Logs Insights
++Encryption of logs (KMS), log integrity validation (CloudTrail digest files)

Primary sources:

AWS CloudTrail user guide

Infrastructure Security

20%

Network controls and edge protection in AWS.

++VPC design: subnets, route tables, NACLs, security groups, NAT, VPC endpoints
++AWS Network Firewall, WAF, Shield (Standard and Advanced)
++VPC Lattice and PrivateLink for private service-to-service
++Edge protection: CloudFront, Route 53, Global Accelerator with security policies
++Hybrid: Direct Connect, Site-to-Site VPN, Transit Gateway

Primary sources:

AWS Network Firewall docs

Identity and Access Management

16%

IAM in depth, plus AWS SSO, Cognito, federation.

++IAM principals, policies, permission boundaries, SCPs (Service Control Policies in Organizations)
++AWS IAM Identity Center (formerly SSO), permission sets
++Federation: SAML, OIDC, AWS STS, role chaining
++Cognito user pools and identity pools
++Least-privilege design with Access Analyzer and IAM Access Advisor

Primary sources:

AWS IAM user guide

Data Protection

18%

Encrypting, classifying, and protecting data in AWS.

++AWS KMS: customer managed keys, AWS managed keys, key policies, grants, multi-region keys
++Encryption: at rest (S3 SSE-S3, SSE-KMS, SSE-C), in transit (TLS), client-side
++Macie for sensitive-data discovery
++Secrets Manager and Systems Manager Parameter Store
++Data classification, S3 bucket policies, S3 Block Public Access, S3 Object Lock

Primary sources:

Management and Security Governance

14%

Multi-account governance, organization-wide security, audit.

++AWS Organizations: SCPs, delegated administration
++AWS Control Tower and account factory
++Conformance packs in AWS Config
++Tag policies and resource sharing (RAM)
++Audit: AWS Audit Manager, prebuilt frameworks

Primary sources:

Practice scenarios (6)

Preview scenario 1 of 6 · Threat Detection and Incident Responsefree preview

A. Manually parse logs in Athena and write custom detection rules
B. Enable Amazon GuardDuty across the Organization with the security account designated as the delegated administrator; aggregate findings in Security Hub
C. Subscribe to a third-party SIEM and disable GuardDuty
D. Install antivirus on every EC2 instance

Answer: B

Reference: GuardDuty multi-account architecture

Unlock the rest

5 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $147 one-time, lifetime access.

Exam-day strategy

++Identify which exam domain the question targets (Identity, Infrastructure, Data, Logging, Threat Detection, Governance). The right answer often resolves by domain.

++Watch for distractors that propose custom code where an AWS managed service exists for the use case.

++On IAM questions, look for the specific policy construct (identity policy, resource policy, trust policy, permission boundary, SCP). The exam tests the distinction.

++On KMS questions, identify whether the scenario calls for AWS managed keys, customer managed keys, or grants. Cross-account scenarios usually require customer managed keys.

++Pace at roughly 2 minutes 30 seconds per question. 170 minutes for 65 questions is moderate.