
AWS Certified Security – Specialty Exam Guide Study Path SCS-c01

The AWS Specialty certification exams are intended for people who handle more specific responsibilities in the AWS Cloud. Since these responsibilities demand a more advanced skill set and prior experience, the specialty exams are built to reinforce and validate a candidate's eligibility for that role. There are no associate and professional levels in a specialty learning path, so a single exam serves as the whole package. Because they are made that way, expect no less from the specialty certification exams: they are as tough as the professional exams.

The name of the certificate immediately points out what to focus on — AWS Security. Although we mentioned earlier that specialty exams tackle more specific roles, security in AWS is very broad and extensive. There are a lot of topics involved when we speak about AWS security, whether native AWS services or third-party tools. If you need comprehensive review material for learning these topics, then this study guide is for you.

SCS-C01 Study Materials

Having prior knowledge and experience in handling (cloud) security will allow you to understand the concepts and strategies that appear in AWS reference materials. You will also find it easier to comprehend scenario-type questions in your exam. To know more about the AWS Security Specialty exam, check out the official AWS Exam Blueprint here.

AWS documentation and whitepapers will be your best friends here. They are your primary source of information. We recommend reading the following papers:

  1. Introduction to AWS Security
  2. AWS: Overview of Security Processes
  3. AWS Well-Architected Framework
  4. Security Pillar – AWS Well-Architected Framework
  5. AWS Security Best Practices
  6. AWS Key Management Service Best Practices
  7. AWS Key Management Service Cryptographic Details
  8. Encrypting File Data with Amazon Elastic File System
  9. Secure Content Delivery with Amazon CloudFront
  10. Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities
  11. AWS Best Practices for DDoS Resiliency
  12. Security at Scale: Logging in AWS
  13. AWS Security Incident Response Guide
  14. Security at Scale: Governance in AWS

Add-On Compliance whitepapers:

  1. Security by Design
  2. AWS Risk & Compliance
  3. Architecting for HIPAA Security and Compliance on AWS
  4. Navigating GDPR Compliance on AWS
  5. Architecting for PCI DSS Scoping and Segmentation on AWS
  6. https://aws.amazon.com/compliance/fedramp/

Optional whitepaper for configuring AWS SSO + LDAP + Shibboleth

After you have studied the sources above, it would be wise to expose yourself to different scenarios and strategies for enforcing security in AWS. re:Invent videos, AWS blogs, virtual classes, and even some AWS forums provide sample scenarios and strategies for you. The links below will redirect you to some of the references:

AWS Services to Focus On for the SCS-C01 Exam

When we talk about security as a discipline, especially in the context of cloud, we are tackling it as a combination of different domains. AWS enumerates its catalog of services and features under different domains based on their purposes. In this section, we will try to do the same and group AWS services according to their domains.

Identity and Access Control

  • AWS Identity and Access Management – You must learn every detail of AWS IAM since this is AWS’ primary user management and access control service. Practice writing your own IAM policies.
  • Resource-Based Policies – Although resource-based policies fall under AWS IAM, they tend to be ignored compared to user-based policies. Take note of which services support this type of policy and how they are different from user-based policies.
  • S3 Presigned URLs – Know the purpose of S3 presigned URLs and how they differ from CloudFront signed URLs.
  • CloudFront Signed URLs – Know the purpose of CloudFront signed URLs and how they differ from S3 presigned URLs and CloudFront signed cookies.
  • Amazon Cognito – Read through the benefits of AWS Cognito and how to integrate it with web and mobile applications. Differentiate user pools from identity pools.
  • AWS Single Sign-On – Learn how you can use AWS SSO together with other authentication protocols to securely authenticate users in your environment. AWS SSO is commonly integrated with LDAP.
  • AWS Security Token Service – Know the purpose and use cases of Amazon STS. Try building a program that utilizes temporary tokens as credentials.
  • AWS Directory Service – Know the different options you have for AWS Directory Service. Each option solves a different requirement, and it is up to you to figure out which one gives your directory access to your users and their information.
  • AWS Organizations – AWS Organizations is a very helpful service when dealing with large-scale enterprises with multiple AWS accounts. Know the benefits of using this service (like the consolidated billing feature) and how to build an organization hierarchy with Organizational Units and Service Control Policies.
  • AWS Resource Access Manager – AWS RAM allows you to securely share resources with other AWS accounts. Experiment with this service to know how to share your resources and what restrictions are involved.

Application and Infrastructure Security

  • EC2 key pairs – This goes without saying, but EC2 key pairs play a very important role in protecting your EC2 instances.
  • AWS Systems Manager – AWS SSM secures your applications through services like Patch Baselines, Run Command, Session Manager, and more. By utilizing automation and code, you run less risk in human error and unwanted/untracked changes to your application.
  • AWS WAF – AWS WAF is essential in protecting your applications from common exploits like SQL injection or XSS attacks. Differentiate WAF from Shield and Firewall Manager.
  • AWS Shield – AWS Shield complements AWS WAF since this service offers DDoS protection. Read what features are different between Shield Basic and Shield Advanced.
  • AWS Firewall Manager – This service reduces the administration overhead of setting up AWS WAF, AWS Shield, and VPC security groups across accounts. It is best to get hands-on experience with the service.

Data Security

  • AWS KMS – Study the different types of KMS keys available and how you should manage them. Determine which AWS services support using AWS KMS for encryption.
  • Amazon CloudHSM – Know when to use AWS KMS vs CloudHSM for your encryption needs.
  • AWS SSM Parameter Store – It is important to know how AWS SSM Parameter Store can protect your referenceable information through the SecureString parameter type.
  • Amazon Secrets Manager – Secrets Manager is similar to Parameter Store wherein you can store and retrieve sensitive strings in AWS securely.
  • SSE-S3 Encryption – Read when it is better to use SSE-S3 keys or KMS keys for server-side encryption. Also read how your encrypted buckets and objects are handled during operations such as replication, deletion, etc.
  • S3 Glacier Vault Lock – Know the purpose of a Glacier Vault Lock and try implementing a policy yourself.
  • Amazon Macie – Read how Macie automatically classifies and protects your data. This is one of those services that you will just understand better if you try it out.
  • AWS Certificate Manager – Know which services integrate with your certificates stored in Certificate Manager. Try creating your own private CA and issue some custom certificates.

Network Security

  • Amazon VPC – Know everything on VPCs since they are basic building blocks for a protected AWS environment. Differentiate security groups vs network ACLs. Study VPC endpoints too.
  • Amazon CloudFront – Study how CloudFront protects your origins from being publicly accessible. Read on setting up an Origin Access Identity with S3 buckets. Know which services integrate with CloudFront, such as API Gateway and WAF. CloudFront also has a feature that restricts content access to selected geographic locations.
  • AWS ELB – Study how ELB protects your web traffic and endpoints from malicious attacks. Understand how SSL certificates are handled by ELB.
  • Amazon API Gateway – Similar to ELB, API Gateway also protects your endpoints from being exposed to the public internet. Commonly used in serverless applications, study how APIs can secure Lambda functions. Also know what services it integrates with, such as WAF.
  • AWS VPN – Although AWS VPN is fairly new, you should have an overview of what this service is and how to set it up in your AWS environment.
  • AWS Direct Connect – Read how a dedicated line from your network to AWS can protect your inbound and outbound traffic. A common way to secure your traffic over Direct Connect is by using an AWS Site-to-Site VPN.

Logging and Monitoring

  • Amazon CloudWatch – Know everything about CloudWatch (Logs, Alarms, Events, Metrics).
  • Amazon CloudTrail – Know everything about CloudTrail, like how to store and encrypt your log files, how to monitor different regions and capture different types of data.
  • Service Logs (VPC, ELB, API Gateway, S3, CloudFront) – Multiple AWS services support logging which they forward to an S3 bucket. It would be good to have an idea of which services support logging. Logs are crucial when conducting incident response and analysis.
  • Amazon Route 53 – Study how Route 53 can quickly handle network issues by performing DNS and endpoint health checks. Route 53 also helps in making your environment more resilient by performing automatic failovers.

Threat Detection, Prevention, Response and Remediation

  • Amazon GuardDuty – Have an understanding of the use cases of Amazon GuardDuty.
  • Amazon Inspector – Have an understanding of the use cases of Amazon Inspector.
  • Amazon Detective – Know which services integrate with Amazon Detective. Also, have an understanding of the use cases of Amazon Detective.
  • AWS Security Hub – Have an understanding of the use cases of AWS Security Hub.

Risk and Compliance Management

  • AWS Artifact – Know the purpose of AWS Artifact and what kinds of reports it provides for you.
  • AWS Config – AWS Config is an important compliance monitoring tool that you should learn about. Study the concepts and how they work. Practice writing a Config rule of your own to have a better understanding of the service.

Lastly, as we have repeatedly talked about, specialty exams are intended for experienced individuals. Therefore, you should go try out the services above in your own AWS account. Also, do not limit yourself to the Management Console. Some implementations can only be done via AWS CLI or AWS SDK. Be comfortable with them all. 

Common Exam Scenarios for SCS-C01



AWS Config

A company requires a solution that will automatically detect and enable disabled VPC Flow Logs.

Create an AWS Config rule that will detect disabled VPC Flow Logs. Create a CloudWatch event based on that Config Rule to trigger a Lambda Function for enabling VPC Flow Logs.

Verify if EC2 instances are using approved AMI. Create a notification if non-compliant instances are detected.

Utilize the approved-amis-by-id managed rule in AWS Config to check if running instances are using an approved AMI. Use CloudWatch Alarms for notification.

A Security Analyst needs to remediate the risks of having security groups that allow inbound traffic for the CIDR range (Anywhere). The security group must only allow inbound traffic for the company’s firewall IP address.

Create an AWS Config rule that will automatically detect security groups that allow inbound traffic from the CIDR range. Associate a Lambda function in the Config rule to update the security group’s inbound rule with the company’s firewall IP address.
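The Config-plus-Lambda remediation described in this scenario, as an added example that is not part of the original page: the evaluation and remediation logic is pure Python over the EC2 DescribeSecurityGroups response shape, the compliance-change event shape and the FakeEC2 stand-in are assumptions, and the three client method names are the real boto3 EC2 calls, so the handler also works with boto3.client("ec2").

```python
"""Detect security groups open to the world (0.0.0.0/0 or ::/0) and remediate them the
way a Lambda function triggered by an AWS Config compliance-change event would. The
event shape and FakeEC2 are assumptions; the client method names are real boto3 calls."""
import copy
import ipaddress

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def open_ingress_rules(ip_permissions):
    """One finding per (permission, CIDR) pair that admits traffic from anywhere."""
    findings = []
    for perm in ip_permissions:
        base = {k: perm.get(k) for k in ("IpProtocol", "FromPort", "ToPort")}
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") in OPEN_CIDRS:
                findings.append({**base, "CidrIp": r["CidrIp"]})
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") in OPEN_CIDRS:
                findings.append({**base, "CidrIpv6": r["CidrIpv6"]})
    return findings

def evaluate_compliance(security_group):
    return "NON_COMPLIANT" if open_ingress_rules(security_group["IpPermissions"]) else "COMPLIANT"

def remediation_plan(security_group, firewall_ip):
    """Revoke every open CIDR and re-allow the same protocol/ports from the firewall only."""
    fw_cidr = str(ipaddress.ip_network(firewall_ip, strict=False))  # "203.0.113.10" -> ".../32"
    revoke, authorize = [], []
    for f in open_ingress_rules(security_group["IpPermissions"]):
        base = {"IpProtocol": f["IpProtocol"]}
        if f["FromPort"] is not None:  # ports are absent for protocol "-1" (all traffic)
            base.update(FromPort=f["FromPort"], ToPort=f["ToPort"])
        if "CidrIp" in f:
            revoke.append({**base, "IpRanges": [{"CidrIp": f["CidrIp"]}]})
        else:
            revoke.append({**base, "Ipv6Ranges": [{"CidrIpv6": f["CidrIpv6"]}]})
        allow = {**base, "IpRanges": [{"CidrIp": fw_cidr, "Description": "company firewall"}]}
        if allow not in authorize:  # IPv4 and IPv6 findings on one port collapse into one rule
            authorize.append(allow)
    return revoke, authorize

def remediate_from_event(event, firewall_ip, ec2):
    """Lambda-style handler for a Config 'Compliance Change' event (shape assumed);
    only a NON_COMPLIANT verdict results in EC2 API calls."""
    detail = event["detail"]
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    group_id = detail["resourceId"]
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoke, authorize = remediation_plan(sg, firewall_ip)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
    return {"GroupId": group_id, "revoked": len(revoke), "authorized": len(authorize)}

class FakeEC2:
    """In-memory stand-in for the boto3 EC2 client so the handler runs offline (constructed)."""
    def __init__(self, groups):
        self.groups = {g["GroupId"]: copy.deepcopy(g) for g in groups}
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [copy.deepcopy(self.groups[g]) for g in GroupIds]}
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        gone = {(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), r.get("CidrIp") or r.get("CidrIpv6"))
                for p in IpPermissions for r in p.get("IpRanges", []) + p.get("Ipv6Ranges", [])}
        kept = []
        for perm in self.groups[GroupId]["IpPermissions"]:
            key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
            perm["IpRanges"] = [r for r in perm.get("IpRanges", []) if key + (r["CidrIp"],) not in gone]
            perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if key + (r["CidrIpv6"],) not in gone]
            if perm["IpRanges"] or perm["Ipv6Ranges"]:
                kept.append(perm)
        self.groups[GroupId]["IpPermissions"] = kept
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.groups[GroupId]["IpPermissions"].extend(copy.deepcopy(IpPermissions))

# Constructed sample: SSH open to the world over IPv4 and IPv6, HTTPS limited to the VPC.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}
SAMPLE_EVENT = {"detail": {"resourceId": "sg-0123456789abcdef0",
                           "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}
```

Running remediate_from_event(SAMPLE_EVENT, "203.0.113.10", FakeEC2([SAMPLE_SG])) revokes both world-open SSH entries and adds a single rule for 203.0.113.10/32, after which evaluate_compliance reports COMPLIANT and a second run is a no-op.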

You need to build a solution that will allow the Security team to review the IAM policy assigned to an IAM user before and after a security incident has occurred.

Use AWS Config

Automatically detect and remediate an incident where API logging is disabled

Create an AWS Config rule to detect disabled CloudTrail settings. Configure the rule to use an AWS Systems Manager Automation document to automatically re-enable CloudTrail logs.

Detect if someone is using the AWS account’s root access in creating new API keys without proper approval.

Set up an AWS Config rule to track the usage of the create-api-key command by the root IAM user.


AWS KMS

A company requires a CMK that automatically rotates every year.

Create a CMK with AWS generated key material.

A company needs to rotate a CMK with imported key material

Create a new CMK with the new imported key material and point the existing alias to the new CMK.

A company has to manage the access control for hundreds of CMKs without having to edit key policies

Use grants in AWS KMS.

A Security Specialist must use additional authenticated data (AAD) to prevent tampering against the ciphertext.

Add the kms:EncryptionContext condition when defining the key policy for the CMK.

A company needs to migrate AWS resources encrypted with KMS into another region.

Use a new CMK in the target region.


AWS WAF and AWS Shield

An application hosted on an EC2 instance needs protection from common web exploits. Also, the outgoing traffic from the instance should be restricted only to trusted URLs.

Use AWS WAF for common web exploits protection and use a third-party solution to whitelist URLs for outbound traffic.

A Security Specialist needs to block high-volume requests that carry a specific User-Agent HTTP header.

Use AWS WAF rate-based rule to limit the number of requests.

Which AWS services have direct integration with AWS WAF?

Amazon CloudFront & Application Load Balancer

A company is serving static content using Amazon CloudFront, Amazon S3, and Amazon Route 53. They must respond to DDoS attacks at L7, L4, and L3.

Use AWS Shield Advanced

AWS CloudTrail

Protect CloudTrail logs from tampering and unauthorized access.

Enable the CloudTrail log file validation

Some AWS accounts can’t send CloudTrail logs in a centralized logging account. What are the steps to troubleshoot the issue?

  1. Check if the AWS Account IDs are included within the Central account’s S3 bucket policy.

  2. Check if the AWS Accounts are using the correct S3 bucket name for centralized logging.

  3. Check if all trails are active.

A Security Specialist has updated the log file prefix for a trail but encountered a “There is a problem with the bucket policy.” error

First, update the new log file prefix in the S3 bucket policy, then specify the updated log file prefix in the CloudTrail Console.

A Security Engineer needs to review user activities from a specific access key within the past 3 months.

Review the user activities through the CloudTrail Console

Amazon CloudWatch

Some EC2 instances stop sending CloudWatch logs after a security incident. What are the steps to troubleshoot this issue?

  1. Check if CloudWatch Logs agent is active and running in the EC2 instances.

  2. Check if the EC2 instances have Internet access.

  3. Check the validity of the OS Log rotation rules.

After an update to IAM policy, an application stops sending custom metrics to AWS CloudWatch.

Add the cloudwatch:PutMetricData permission to the IAM policy.

A Security Engineer must build a near real-time logging solution to collect logs from different AWS Accounts.

Use the Amazon CloudWatch cross-account log data sharing with subscriptions. Use Amazon Kinesis Data Firehose to deliver the logs.

A company has set up a notification system using CloudWatch and CloudTrail that will alert a Security Team when new access keys are created. The team is not receiving notifications.

Make sure that the value of consecutive periods alarm threshold is equal to or greater than 1.

Amazon GuardDuty

A company needs a threat detection system for monitoring malicious activities in an AWS account.

Use Amazon GuardDuty

A company is using an Active Directory server to resolve DNS for EC2 instances in a VPC. A security engineer noticed that one of the instances is being used for command-and-control (C2C) operations but GuardDuty has failed to recognize it.

GuardDuty does not recognize DNS requests coming from third-party DNS servers.

A company wants to perform a network port scan against EC2 instances in a VPC but does not want to get alerts for specific instances.

Add the EIP of the specific instances to the trusted IP lists in Amazon GuardDuty.

Infrastructure Security

A company has complex connectivity rules for Amazon EC2 instances. How should they manage these connection rules with no additional cost?

Implement the rules using a built-in host-based firewall such as iptables.

A Security Engineer needs to inspect packet data.

  1. Use a proxy software hosted on an EC2 instance.

  2. Use a host-based agent on an EC2 instance. Note that you can only perform packet data analysis with third-party solutions.

A Security Engineer has a virtual security appliance. The Engineer is using a security group and NACL to comply with security requirements. How can he allow traffic through the virtual security appliance?

Disable the Source/Destination check of the Elastic Network Interface (ENI) associated with the virtual security appliance.

A Security Engineer needs to remediate the risk of users exploiting the instance metadata service to access AWS resources in other accounts.

Restrict the access to the instance metadata service using iptables.


Validate Your Knowledge for the SCS-C01

The virtual classrooms we listed in the Study Materials section often include short quizzes at the end of each video. They will serve as guides on how to look for key terminology in your exam questions, as well as how to break down your options to determine the most suitable answer for the question. Another virtual lecture we recommend attending after you have finished reviewing for the exam is the Exam Readiness: AWS Certified Security – Specialty course. It provides sample questions that you can follow along with and answer.

AWS also provides a sample exam on the AWS Certified Security Specialty page, which you can find here. Although this sample exam is not on the same level of difficulty one might expect on the real exam, it is still a helpful resource for your reviews. Lastly, Tutorials Dojo also has a set of high-quality practice exams and study guide eBook for the AWS Security Specialty certification. The practice exams and study guide eBook will help boost your preparedness for the real exam, and it will also help you determine which areas you are weak in, so you can focus your efforts on studying those areas.


Sample Practice Test Questions for the SCS-C01 Exam:

Question 1

An organization is implementing a security policy in which their cloud-based users must be contained in a separate authentication domain and prevented from accessing on-premises systems. Their IT Operations team is launching and maintaining a number of Amazon RDS for SQL Server databases and EC2 instances. The organization also has an on-premises Active Directory service that contains the administrator accounts that must have access to the databases and EC2 instances.

How would the Security Engineer manage the AWS resources of the organization in the MOST secure manner? (Select TWO.)

  1. Using AWS Directory Service, set up an AWS Managed Microsoft AD to manage the RDS databases and EC2 instances.
  2. Set up and configure AWS Service Catalog to manage the RDS databases and EC2 instances.
  3. Set up a one-way incoming trust in the existing on-premises Active Directory and a one-way outgoing trust in the new Active Directory in AWS.
  4. Set up a one-way incoming trust relationship in the new Active Directory in AWS and a one-way outgoing trust in the existing on-premises Active Directory.
  5. Set up a two-way trust relationship between the new Active Directory in AWS and the existing Active Directory service in the on-premises data center.

Correct Answer: 1,3

In Active Directory, trust relationships enable access to various resources that can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B can’t access resources in Domain A. Some one-way trusts can be either non-transitive or transitive depending on the type of trust being created.

You can configure one and two-way external and forest trust relationships between your AWS Directory Service for Microsoft Active Directory and on-premises directories, as well as between multiple AWS Managed Microsoft AD directories in the AWS cloud. AWS Managed Microsoft AD supports all three trust relationship directions: Incoming, Outgoing and Two-way (Bi-directional). When setting up trust relationships, you must ensure that your on-premises directory is and remains compatible with AWS Directory Services.

If you already have an AD infrastructure and want to use it when migrating AD-aware workloads to the AWS Cloud, AWS Managed Microsoft AD can help. You can use AD trusts to connect AWS Managed Microsoft AD to your existing AD. This means your users can access AD-aware and AWS applications with their on-premises AD credentials, without needing you to synchronize users, groups, or passwords.

For example, your users can sign in to the AWS Management Console and Amazon WorkSpaces by using their existing AD user names and passwords. Also, when you use AD-aware applications such as SharePoint with AWS Managed Microsoft AD, your logged-in Windows users can access these applications without needing to enter credentials again.

There are three trust relationship directions:

  1. One-way:incoming – Users in the specified realm will not be able to access any resources in this domain.
  2. One-way:outgoing – Users in this domain will not be able to access any resources in the specified realm.
  3. Two-way (Bi-directional) – Users in this domain and users in the specified realm will be able to access resources in either domain or realm.

Both sides of the trust relationship must be created before authentication traffic can begin flowing through the trust. For instance, if you create a one-way incoming trust in Domain A, then a one-way outgoing trust should also be created in Domain B.

Hence, the correct answers are:

  • Using AWS Directory Service, set up an AWS Managed Microsoft AD to manage the RDS databases and EC2 instances.
  • Set up a one-way incoming trust in the existing on-premises Active Directory and a one-way outgoing trust in the new Active Directory in AWS.

The option that says: Set up and configure AWS Service Catalog to manage the RDS databases and EC2 instances is incorrect because AWS Service Catalog simply allows organizations to create and manage catalogs of IT services that are approved for use on AWS. You have to use AWS Directory Service instead.

The option that says: Set up a one-way incoming trust relationship in the new Active Directory in AWS and a one-way outgoing trust in the existing on-premises Active Directory is incorrect because it should be the other way around. The direction of access is the opposite of the direction of trust. Since we need users from the on-premises AD to access resources in AWS via Active Directory, the direction of access is from the on-premises AD to the AWS AD.

The option that says: Set up a two-way trust relationship between the new Active Directory in AWS and the existing Active Directory service in the on-premises data center is incorrect because it was explicitly stated in the scenario that the cloud-based users must be prevented from accessing on-premises systems. Hence, you have to use a one-way trust relationship only.



Question 2

A company is planning to migrate its on-premises application to AWS. The application will be hosted in Elastic Beanstalk, which uses an external RDS database and an S3 bucket configured to use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C). In this configuration, Amazon S3 does not store the encryption key you provide but instead, stores a randomly salted hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests. The Security Engineer was assigned to implement the required security measures for the application.

Which of the following is a valid consideration that the Engineer should keep in mind when implementing this architecture?

  1. The salted HMAC value can be used to derive the value of the encryption key.
  2. You will lose access to the S3 object if you lose the encryption key.
  3. The salted HMAC value can be used to decrypt the contents of the encrypted object.
  4. The salted HMAC value can be used to decrypt the S3 object in the event that you lose the encryption key.

Correct Answer: 2

Server-side encryption is about protecting data at rest. Using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects. Therefore, you don’t need to maintain any code to perform data encryption and decryption. The only thing you do is manage the encryption keys you provide.

When you upload an object, Amazon S3 uses the encryption key you provide to apply AES-256 encryption to your data and then removes the encryption key from memory. It is important to note that Amazon S3 does not store the encryption key you provide. Instead, it stores a randomly salted HMAC value of the encryption key in order to validate future requests. The salted HMAC value cannot be used to derive the value of the encryption key or to decrypt the contents of the encrypted object. That means that if you lose the encryption key, you lose the object.

When you retrieve an object, you must provide the same encryption key as part of your request. Amazon S3 first verifies that the encryption key you provided matches, and then decrypts the object before returning the object data to you.

Hence, the valid consideration that the Engineer should keep in mind when implementing this architecture is: You will lose access to the S3 object if you lose the encryption key.

The option that says: The salted HMAC value can be used to derive the value of the encryption key is incorrect because the salted HMAC is just used to validate future encryption requests. It cannot be used to derive the value of the encryption key or to decrypt the contents of the encrypted object.

The option that says: The salted HMAC value can be used to decrypt the contents of the encrypted object is incorrect because just as mentioned above, the HMAC cannot be used to derive the value of the encryption key or to decrypt the contents of the encrypted object.

The option that says: The salted HMAC value can be used to decrypt the S3 object in the event that you lose the encryption key is incorrect because if you lose the encryption key, you will also lose access to that object. You cannot use the salted HMAC value to decrypt the object.
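The key-validation mechanism the explanation above describes, as an added illustration that is neither AWS's implementation nor code from the original page: the simulated bucket keeps only a randomly salted HMAC of the customer key, uses it to reject a wrong key with a constant-time comparison, and retains nothing from which the key could be recovered. The request header names are the real SSE-C headers; the HMAC-SHA256 counter-mode keystream is a stand-in for the AES-256 that S3 actually uses, chosen so the script runs with the standard library only.

```python
"""Model of how SSE-C validates a customer-provided key without storing it. Added
example, not S3's code: S3 uses AES-256, while the keystream here is an HMAC-SHA256
counter-mode stand-in so the script runs with the standard library only."""
import base64
import hashlib
import hmac
import secrets

ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"

def ssec_headers(customer_key):
    """The three request headers a real SSE-C PUT or GET carries (sent over TLS only)."""
    return {
        ALG_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(customer_key).decode(),
        MD5_HEADER: base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
    }

def _keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks; the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

class SseCBucket:
    """Keeps, per object, only the ciphertext plus a randomly salted HMAC of the key."""
    def __init__(self):
        self.objects = {}

    @staticmethod
    def _key_from_headers(headers):
        if headers.get(ALG_HEADER) != "AES256":
            raise ValueError("SSE-C requires the AES256 algorithm header")
        key = base64.b64decode(headers[KEY_HEADER])
        md5 = base64.b64decode(headers[MD5_HEADER])
        if len(key) != 32 or not hmac.compare_digest(hashlib.md5(key).digest(), md5):
            raise ValueError("key is not 256 bits or was corrupted in transit")
        return key

    def put_object(self, name, body, headers):
        key = self._key_from_headers(headers)
        salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        self.objects[name] = {
            "salt": salt,
            "key_hmac": hmac.new(salt, key, hashlib.sha256).digest(),  # only trace of the key kept
            "nonce": nonce,
            "ciphertext": _keystream_xor(key, nonce, body),
        }  # `key` is dropped here; the salted HMAC cannot be inverted to recover it

    def get_object(self, name, headers):
        key = self._key_from_headers(headers)
        obj = self.objects[name]
        check = hmac.new(obj["salt"], key, hashlib.sha256).digest()
        if not hmac.compare_digest(check, obj["key_hmac"]):  # constant-time comparison
            raise PermissionError("provided key does not match the key this object was encrypted with")
        return _keystream_xor(key, obj["nonce"], obj["ciphertext"])

    def stored_fields(self, name):
        """What the service actually retains for an object."""
        return sorted(self.objects[name])

def demo():
    """Upload with one key, then exercise the outcomes the exam question turns on."""
    bucket = SseCBucket()
    key = secrets.token_bytes(32)  # constructed customer key
    bucket.put_object("report.csv", b"account,balance\n42,100\n", ssec_headers(key))
    results = {"stored": bucket.stored_fields("report.csv"),
               "right_key": bucket.get_object("report.csv", ssec_headers(key))}
    try:  # a different key (e.g. a guess after the real one was lost) is rejected
        bucket.get_object("report.csv", ssec_headers(secrets.token_bytes(32)))
    except PermissionError:
        results["wrong_key_rejected"] = True
    tampered = ssec_headers(key)
    tampered[MD5_HEADER] = ssec_headers(bytes(32))[MD5_HEADER]
    try:  # a key/MD5 mismatch is caught before any decryption attempt
        bucket.get_object("report.csv", tampered)
    except ValueError:
        results["transit_corruption_detected"] = True
    return results
```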




With the growing number of security attacks each day, companies are now focusing their efforts in strengthening their digital security. This responsibility requires a team effort from both AWS engineers and industry professionals, which is why we have a shared responsibility model. Professionals will have to be equipped with the right tools and knowledge to protect what is valuable to them and to their company.

We hope that our guide has helped you achieve that goal, and we would love to hear back from you after your exam. Get some well-deserved rest, and we wish you the best of results.
