The AWS Specialty certification exams are intended for people who handle more specific responsibilities in AWS Cloud. Since these responsibilities demand a more advanced skill set with prior experience from a person, these AWS specialty exams are built so that they could reinforce and validate a person’s eligibility for that role. There are no associate and professional levels in a specialty learning path, so the exams serve as the whole package already. And since they are made that way, expect no less from the specialty certification exams, as they will be as tough as the professional exams.

The name of the certificate immediately points out what to focus on — AWS Security. Although we mentioned earlier that specialty exams tackle more specific roles, security in AWS is very broad and extensive. There are a lot of topics involved when we speak about AWS security, whether it be native AWS services or other third-party tools. If you need a comprehensive review material for learning these topics then this study guide is for you.

SCS-C02 Study Materials

Having prior knowledge and experience in handling (cloud) security will allow you to understand the concepts and strategies that appear in AWS reference materials. You will also find it easier to comprehend scenario type questions in your exam. To know more about the AWS Security specialty exam, check out the official AWS Exam Blueprint here.

AWS documentations and whitepapers will be your best friends here. They are your primary source of information. We recommend reading the following papers:

1. Introduction to AWS Security
2. AWS Security Documentation
3. AWS Well-Architected Framework
4. Security Pillar – AWS Well-Architected Framework
5. AWS Security Best Practices
6. AWS Key Management Service Best Practices
7. AWS Key Management Service Cryptographic Details
8. Encrypting File Data with Amazon Elastic File System
9. Secure Content Delivery with Amazon CloudFront
10. Guidelines for Implementing AWS WAF
11. AWS Best Practices for DDoS Resiliency
12. Security at Scale: Logging in AWS
13. AWS Security Incident Response Guide
14. Implementing Security Controls on AWS

Add-On Compliance whitepapers:

1. Security by Design
2. AWS Risk & Compliance
3. Architecting for HIPAA Security and Compliance on AWS

4. Navigating GDPR Compliance on AWS
5. Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 on AWS
6. FedRAMP Compliance

Optional whitepaper for configuring Windows ADFS + EC2

• Single Sign-on to Amazon EC2-Based .NET Applications from an OnPremises Windows Domain

After you have studied the sources above, it would be wise to expose yourself with different scenarios and strategies in enforcing security in AWS. Re:Invent videos, AWS blogs, virtual classes, and even some AWS forums provide sample scenarios and strategies for you. The links below will redirect you to some of the references:

• AWS Security Fundamentals (Second Edition)
• AWS Security Essentials virtual classroom
• Architecting on AWS virtual classroom
• Security Engineering on AWS virtual classroom
• AWS Security Governance at Scale virtual classroom
• AWS Security blogs
• AWS Re:Invent 2022 security sessions

AWS Services to Focus On For the SCS-C02 exam

When we talk about security as a discipline, especially in the context of cloud, we are tackling it as a combination of different domains. AWS enumerates its catalog of services and features under different domains based on their purposes. In this section, we will try to do the same and group AWS services according to their domains.

Identity and Access Control

• AWS Identity and Access Management – You must learn every detail of AWS IAM since this is AWS’ primary user management and access control service. Practice writing your own IAM policies.
• Resource-Based Policies – Although resource-based policies fall under AWS IAM, they tend to be ignored compared to user-based policies. Take note of which services support this type of policy and how they are different from user-based policies.
• S3 Presigned URLs – Know what is the purpose of S3 presigned URLs and how they differ from CloudFront signed URLs.
• CloudFront Signed URLs – Know what is the purpose of CloudFront signed URLs and how they differ from S3 presigned URLs or CloudFront signed cookies.
• Amazon Cognito – Read through the benefits of AWS Cognito and how to integrate it with web and mobile applications. Differentiate user pools from identity pools.
• AWS IAM Identity Center – Learn how you can use AWS IAM Identity Center together with other authentication protocols to securely authenticate users in your environment. 
• AWS Security Token Service – Know the purpose and use cases of Amazon STS. Try building a program that utilizes temporary tokens as credentials.
• AWS Directory Service – Know the different options you have for AWS Directory Service. Each option solves a different requirement and it is up to you to figure out how you can get your directory to gain access to your users and other information.
• AWS Organizations – AWS Organizations is a very helpful service when dealing with large scale enterprises with multiple AWS accounts. Know the benefits of using this service (like consolidated billing feature) and how to build an organization hierarchy with Organization Units and Service Control Policies.
• AWS Resource Access Manager – AWS RAM allows you to securely share resources with other AWS accounts. Experiment with this service to know how to share your resources and what restrictions are involved.

Application and Infrastructure Security

• EC2 key pairs – This goes without saying, but EC2 key pairs play a very important role in protecting your EC2 instances.
• AWS Systems Manager – AWS SSM secures your applications through services like Patch Baselines, Run Command, Session Manager, and more. By utilizing automation and code, you run less risk in human error and unwanted/untracked changes to your application.
• AWS WAF – AWS WAF is essential in protecting your applications from common exploits like SQL injection or XSS attacks. Differentiate WAF from Shield and Firewall Manager.
• AWS Shield – AWS Shield complements AWS WAF since this service offers DDoS protection. Read what features are different between Shield Basic and Shield Advanced.
• AWS Firewall Manager – This service simplifies administration overhead when setting up AWS WAF, AWS Shield and VPC security groups. Best to do a hands-on on the service.

Data Security

• AWS KMS – Study the different types of KMS keys available and how you should manage them. Determine which AWS services support using AWS KMS for encryption.
• Amazon CloudHSM – Know when to use AWS KMS vs CloudHSM for your encryption needs.
• AWS SSM Parameter Store – It is important to know how AWS SSM Parameter Store can protect your referenceable information through SecureString. 
• Amazon Secrets Manager – Secrets Manager is similar to Parameter Store wherein you can store and retrieve sensitive strings in AWS securely.
• SSE-S3 Encryption – Read when it is better to use SSE-S3 keys or KMS keys for server-side encryption. Also read how your encrypted buckets and objects are handled during operations such as replication, deletion, etc.
• S3 Glacier Vault Lock – Know the purpose of a Glacier Vault Lock and try implementing a policy yourself.
• Amazon Macie – Read how Macie automatically classifies and protects your data. This is one of those services that you will just understand better if you try it out.
• AWS Certificate Manager – Know which services integrate with your certificates stored in Certificate Manager. Try creating your own private CA and issue some custom certificates.

Network Security

• Amazon VPC – Know everything on VPCs since they are basic building blocks for a protected AWS environment. Differentiate security groups vs network ACLs. Study VPC endpoints too.
• Amazon CloudFront – Study how CloudFront protects your endpoints from being publicly accessible. Read on setting up Origin Access Identity with S3 buckets. Know which services integrate with CloudFront, such as API Gateway and WAF. CloudFront has a feature that allows content access to only selected locations.
• AWS ELB – Study how ELB protects your web traffic and endpoints from malicious attacks. Understand how SSL certificates are being handled by ELB.
• Amazon API Gateway – Similar to ELB, API Gateway also protects your endpoints from being exposed to the public internet. Commonly used in serverless applications, study how APIs can secure Lambda functions. Also know what services it integrates with, such as WAF.
• AWS VPN – Although AWS VPN is fairly new, you should have an overview of what this service is and how to set it up in your AWS environment.
• AWS Direct Connect – Read how a dedicated line from your network to AWS can protect your inbound and outbound traffic. A common way to secure your traffic in Direct Connect is by using an AWS Site to Site VPN.

Logging and Monitoring

• Amazon CloudWatch – Know everything about Cloudwatch (Logs, Alarms, Events, Metrics)
• Amazon CloudTrail – Know everything about CloudTrail, like how to store and encrypt your log files, how to monitor different regions and capture different types of data.
• Service Logs (VPC, ELB, API Gateway, S3, CloudFront) – Multiple AWS services support logging which they forward to an S3 bucket. It would be good to have an idea of which services support logging. Logs are crucial when conducting incident response and analysis.
• Amazon Route 53 – Study how Route 53 can quickly handle network issues by performing DNS and endpoint health checks. Route 53 also helps in making your environment more resilient by performing automatic failovers.

Threat Detection, Prevention, Response and Remediation

• Amazon GuardDuty – Have an understanding of the use cases of Amazon GuardDuty.
• Amazon Inspector – Have an understanding of the use cases of Amazon Inspector.
• Amazon Detective – Know which services integrate with Amazon Detective. Also, have an understanding of the use cases of Amazon Detective.
• AWS Security Hub – Have an understanding of the use cases of AWS Security Hub.

Risk and Compliance Management

• AWS Artifact – Know the purpose of AWS Artifact and what kinds of reports it provides for you.
• AWS Config – AWS Config is an important compliance monitoring tool that you should learn about. Study the concepts and how they work. Practice writing a Config rule of your own to have a better understanding of the service.

Lastly, as we have repeatedly talked about, specialty exams are intended for experienced individuals. Therefore, you should go try out the services above in your own AWS account. Also, do not limit yourself to the Management Console. Some implementations can only be done via AWS CLI or AWS SDK. Be comfortable with them all. 

Common Exam Scenarios for SCS-C02

Validate Your Knowledge for the SCS-C02 AWS Security Specialty Exam

The virtual classrooms we listed in the Study Materials section often include short quizzes at the end of each video. They will serve as guides on how to look for key terminologies in your exam questions, as well as how to break down your options to determine the most suitable answer for the question. Another virtual lecture we recommend you attending after you finished reviewing for the exam is the Exam Readiness: AWS Certified Security – Specialty Course. They provide sample questions that you can follow along and answer.

AWS also provides a sample exam on the AWS Certified Security Specialty page, which you can find here. Although this sample exam is not on the same level of difficulty one might expect on the real exam, it is still a helpful resource for your reviews. Lastly, Tutorials Dojo also has a set of high-quality practice exams and study guide eBook for the AWS Security Specialty certification. The practice exams and study guide eBook will help boost your preparedness for the real exam, and it will also help you determine which areas you are weak in, so you can focus your efforts on studying those areas.

Sample Exam Questions for the SCS-C02 Exam:

Question 1

A leading hospital has a web application hosted in AWS that will store sensitive Personally Identifiable Information (PII) of its patients in an Amazon S3 bucket. Both the master keys and the unencrypted data should never be sent to AWS to comply with the strict compliance and regulatory requirements of the company.

Which S3 encryption technique should the Security Engineer implement?

1. Implement an Amazon S3 client-side encryption with a KMS key.
2. Implement an Amazon S3 client-side encryption with a client-side master key.
3. Implement an Amazon S3 server-side encryption with a KMS-managed key.
4. Implement an Amazon S3 server-side encryption with a customer-provided key.

Question 2

1. Use Amazon S3 Glacier to store the audit logs and apply a Vault Lock policy.
2. Use Amazon EBS Volumes to store the audit logs and take automated EBS snapshots every month using Amazon Data Lifecycle Manager.
3. Use Amazon S3 to store the audit logs and enable Multi-Factor Authentication Delete (MFA Delete) for additional protection.
4. Use Amazon EFS to store the audit logs and enable Network File System version 4 (NFSv4) file-locking mechanism.

Click here for more AWS Certified Security Specialty practice exam questions.

Check out our other AWS practice test courses here:

With the growing number of security attacks each day, companies are now focusing their efforts in strengthening their digital security. This responsibility requires a team effort from both AWS engineers and industry professionals, which is why we have a shared responsibility model. Professionals will have to be equipped with the right tools and knowledge to protect what is valuable to them and to their company.

We hope that our guide has helped you achieve that goal, and we would love to hear back from you after your exam. Get some well-deserved rest, and we wish you the best of results.