AWS Certified Security Specialty (SCS-C02) — My Experience & Preparation Guide

Context

One day I got a project which heavily utilizes AWS as an infrastructure backbone. My role was to design, implement, deliver, and support the application as well as optimize the cost of infrastructure associated with it. I was aware of AWS and had very basic knowledge at the time of project start, but at the very most I was able to deploy a bunch of EC2s into a VPC, not more than that.

It was crucial for me to gain extensive knowledge about AWS to provide professional service to the customer I was working with. At that time, I decided to start with the AWS Solutions Architect Associate Certification and eventually I got it.

However, I wanted to continue my journey into AWS, obtain more knowledge, and showcase that skill on my resume to simplify future job interviews. At that time, I was debating between an AI-related certification (which was hyped in those days) and a Security one. Simultaneously, I started to be given multiple security-related tasks on my project. I considered that security will be a must-have skill forever for every developer, and that with the growing AI toolset the number of threats will grow, so the need for Security engineers as well as Solutions Architects and developers with security knowledge will grow as well. That helped me to set out on a path towards a Security-related certification.

Preparation Plan

At the beginning, I started with very mild efforts by only watching the materials while doing sports exercises. It appeared to be a really efficient and non-exhausting way to exercise both brain and body. I was watching videos while doing indoor cycling, rowing, and elliptical, though I prefer jogging outdoors, so that didn’t work out. It became a habit to keep this rhythm for a couple of months and this way I was able to fully watch “Ultimate AWS Certified Security Specialty SCS-C02” by Stephane Maarek one time. I was spending not more than 1.5 hours per week on it.

Later, I needed to switch projects and had a month mostly free of work. That allowed me to focus on the certification preparation. But I felt that the lectures from Stephane were not enough for successful preparation, and then I found “AWS Certified Security – Specialty” by Adrian Cantrill. That was exactly what I was looking for, with deep refreshing materials about networks, DNS, etc. Additionally, my company can cover certification expenses, but for that you need to provide preparation completion artifacts from AWS Skill Builder. So, I had to go through it as well.

All of that took me a month more and then I felt ready to proceed to the next preparation phase.

Tests Drill

As a part of my preparation, I left drilling into test questions closer to the exam. As Adrian mentioned in his preparation videos, you are ready for the exam when you pass 90% of the tests. So, I started looking into different resources and was lucky to find these resources with a lot of exam questions for free:

Exam Scheduling

There was nothing special — exactly the same as mentioned in some preparation videos and guides.

Due to my active AWS Solutions Architect Associate Certificate, I got a 50% discount, so instead of 300 USD I had to pay only 150 USD. After currency conversion and other fees and taxes, I paid 247 CAD.

The Exam Day

I had the exam scheduled at 4pm, so I had the whole day to drill into the test questions. Eventually, I was pleasantly surprised that I got several questions which I studied during preparation and I remembered the solution for them.

The Exam Sign In

I started connecting at 3:30pm. Passed most of the checks and then had a call with a technician to show my ID and my space. I cleared my table beforehand, just left some wires sticking out between the table and a wall and left my orange 3D printed laptop holder/stand. Funny enough, the technician didn’t ask about the wires, but asked to show and explain what’s that orange thingy. But she was quickly satisfied with a quick explanation of what that is.

I don’t remember exactly when, but right before jumping into questions and locking yourself out in front of the camera, I decided to visit the washroom for the last time. I had a backup plan and put some jar under the desk on my desktop PC in case of emergency 🙂 And thanks to me visiting the washroom right before the exam, the backup plan wasn’t needed, but it was a close call. So, I think that still was a good idea.

The Exam

Then I started the exam. As recommended, I was answering all the questions I knew for sure and which didn’t require too much time, and leaving the confusing questions alone. I was also marking the questions where I wasn’t really sure for a double check and leaving comments about my thoughts on all of them. I was able to go through all of the questions and had a couple of hours left for the unanswered and to-be-reviewed ones.

For those, I used a strategy to strike through the answers which wouldn’t work for sure and then choose the most probable ones. I think that was the deal breaker to get a better result than I had for AWS Solutions Architect Associate Certification before. Also, I decided for myself that if something that I’m not aware of is in the answer, it’s likely invalid and too good to be true. And as always, I checked that all the conditions in the question are fulfilled by the answer. For the multiselect options, where you need to choose 3 out of 6 and the answers are in pairs, it was a good approach first to choose inside of pairs and then verify that the three chosen options can work together and fulfill the whole question.

As I felt the need and was very exhausted like a squeezed lemon, I did not review all the answers once again, plus I felt sure about the initial answers. I submitted the test about 40 minutes before time.

The Results

I got my result the next day at 11:20 AM, so it was quicker than the promised 24h. I got a score of 862, which is higher than the required 750 and higher than the 793 I got for the SA one.

Specialty

  • AWS Certified Security – Specialty (SCS)
    • Active Date: 2025-04-11
    • Expiration Date: 2028-04-11
    • Candidate Score: 862
    • The AWS Certified Security – Specialty (SCS-C02) has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 750.

Associate

  • AWS Certified Solutions Architect – Associate (SAA)
    • Active Date: 2023-12-17
    • Expiration Date: 2026-12-17
    • Candidate Score: 793
    • The AWS Certified Solutions Architect – Associate (SAA-C03) has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 720.

Would I Do It Again?

Short answer — most likely yes. The preparation provided a very structured way to cover all the key security aspects developers need throughout their careers. By preparing for this AWS Security Specialty, I learned not only about securing infrastructure in AWS, but also about core security concepts and architectures that apply to any project. Since AWS is a leader in IT solutions, this certification gave me direct access to industry best practices, saving me years of trial and error.

If I could give advice to myself at the start, I would recommend not spreading the preparation over several months. Instead, dedicate one or two months to focused study, as a longer preparation period leads to forgetting earlier material.

What’s Next?

Recently, I changed projects at work, and my new customer uses Azure Cloud instead of AWS. With the current focus on AI, I believe every developer should be familiar with AI tools and their capabilities. So, I have started preparing for the following Azure certifications:

  • Microsoft Azure Fundamentals (AZ-900)
  • Microsoft Azure AI Fundamentals (AI-900)
  • Microsoft Azure AI Engineer Associate (AI-102)

A Comprehensive List of Services and References

Below is a list of AWS services and related documentation I used during my exam preparation. The sheer size of this list reflects the exam’s complexity and the breadth of knowledge required to pass.

The most important services for me were SecurityHub, GuardDuty, Inspector, CloudFormation, and EventBridge. However, the exam covers all topics broadly, so it’s best not to prioritize one over another.

  • Organizations
  • Control Tower, GuardRails, Service Catalog, Portfolio
  • Account Factory, Marketplace
    • https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-CFN.html
    • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html
    • https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
    • https://aws.amazon.com/blogs/security/visualizing-amazon-guardduty-findings/
    • https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/building-landing-zones.html
    • https://www.youtube.com/watch?v=wocz0drq8-8&list=PLhr1KZpdzukdxMfo6QBkWOqBlHWhP7bG6
  • AWS GuardDuty
  • AWS Inspector, Network Reachability
    • https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html
    • https://docs.aws.amazon.com/inspector/latest/user/securityhub-integration.html
    • https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
  • Detective
  • Athena
  • Macie
    • https://docs.aws.amazon.com/macie/latest/user/allow-lists.html
  • Security Lake
  • AWS Systems Manager Patch Manager, Inventory, Session Manager vs Instance connect, Incidents Manager
    • https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html
    • https://aws.amazon.com/about-aws/whats-new/2023/06/amazon-ec2-instance-connect-ssh-rdp-public-ip-address/
    • https://aws.amazon.com/blogs/compute/secure-connectivity-from-public-to-private-introducing-ec2-instance-connect-endpoint-june-13-2023/
    • https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html
    • https://docs.aws.amazon.com/incident-manager/latest/userguide/what-is-incident-manager.html
    • https://docs.aws.amazon.com/incident-manager/latest/userguide/runbooks.html
    • https://aws.amazon.com/blogs/aws/new-session-manager/
    • https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-patch-now-on-demand.html
  • Config
    • https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html
  • Security Hub
    • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html
    • https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
    • https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html
    • https://aws.amazon.com/blogs/architecture/visualize-aws-security-hub-findings-using-analytics-and-business-intelligence-tools/
  • AWS Trusted Advisor
  • AWS Firewall Manager
  • AWS Network Firewall
  • AWS WAF
    • https://docs.aws.amazon.com/waf/latest/developerguide/waf-captcha-and-challenge.html
    • https://docs.aws.amazon.com/waf/latest/developerguide/working-with-policies.html
  • AWS Shield
  • Certificates Manager (ACM)
    • https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
  • Private CA
    • https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html
  • AWS CloudFormation
    • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
    • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
    • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-guide.html
    • https://docs.aws.amazon.com/cfn-guard/latest/ug/setting-up.html
  • CloudTrail
  • Basic vs advanced event selectors for trails
  • Lake
    • https://aws.amazon.com/blogs/security/using-cloudtrail-to-identify-unexpected-behaviors-in-individual-workloads/
    • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix
    • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
    • https://aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/
    • https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html
  • CloudWatch, Synthetics Canaries, ServiceLens
    • https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html
    • https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Anomaly_Detection.html
    • https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html
  • ELB, ALB, NLB, Logs
  • VPC FlowLogs, Reachability Analyzer, Traffic Mirroring
    • https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
    • https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html
    • https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html
    • https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html
    • https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
    • https://aws.amazon.com/blogs/aws/elastic-load-balancing-perfect-forward-secrecy-and-other-security-enhancements/
  • PrivateLink
  • Site-to-Site VPN
  • Direct Connect
    • https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html
    • https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-site-to-site-vpn.html
    • https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/hybrid-connectivity.html
    • https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/direct-connect.html
  • Transit Gateway
    • https://docs.aws.amazon.com/network-manager/latest/tgwnm/what-are-global-networks.html
    • https://aws.amazon.com/blogs/networking-and-content-delivery/building-a-global-network-using-aws-transit-gateway-inter-region-peering/
    • https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/
  • EBS
    • https://docs.aws.amazon.com/ebs/latest/userguide/what-is-ebs.html
    • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  • Resource Access Manager (RAM) — helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs)
  • Audit Manager
    • https://docs.aws.amazon.com/audit-manager/latest/userguide/evidence-finder.html#understanding-evidence-finder
  • Cost Explorer
  • Network Access Analyzer
  • CloudFront
    • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html#forward-custom-headers-restrict-access
    • https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html
  • Global Accelerator
  • Route 53 Flow logs
  • XRay
  • EventBridge
  • OpenSearch
    • https://aws.amazon.com/solutions/implementations/centralized-logging-with-opensearch/
  • Secrets Manager
  • KMS
    • https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
    • https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
    • https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
    • https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars-encryption.html
    • https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-replicate.html
    • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
    • https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html#reimport-key-material
    • https://aws.amazon.com/kms/features/
  • CloudHSM
  • Parameter Store
  • IoT Core
  • IoT Device Defender
  • Directory Service
  • Managed Microsoft AD
  • AD Connector
  • STS
  • Cognito IdPs, user vs identity pool, enhanced vs basic flow
  • IAM Access Analyzer, Policy Simulator, Identity Center
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_rename.html
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
    • https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html
    • https://aws.amazon.com/iam/access-analyzer/
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
    • https://repost.aws/knowledge-center/config-credential-report
    • https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
    • https://docs.aws.amazon.com/singlesignon/latest/userguide/rotatesamlcert.html
    • https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
    • https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html#user-pool-waf-setting-up
  • AWS Well-Architected Framework
    • https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/security-perspective.html
    • https://docs.aws.amazon.com/wellarchitected/latest/framework/security.html
    • https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
    • https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/governance.html
    • https://explore.skillbuilder.aws/learn/courses/108/aws-well-architected-foundations/lessons
    • https://aws.amazon.com/solutions/guidance/baseline-security-assessment-on-aws/#:~:text=Use%20the%20provided%20AWS%20CloudFormation,how%20to%20resolve%20the%20issues.
  • DDoS
    • https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/aws-best-practices-ddos-resiliency.html
    • https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/mitigation-techniques.html
    • https://d0.awsstatic.com/aws-answers/AWS_DDoS_Attack_Mitigation.pdf
    • https://aws.amazon.com/blogs/security/how-to-protect-dynamic-web-applications-against-ddos-attacks-by-using-amazon-cloudfront-and-amazon-route-53/
  • Incident Response Plan (IRP)
    • https://docs.aws.amazon.com/security-ir/latest/userguide/introduction.html
    • https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/playbooks-1.html
    • https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.concept.runbook.en.html
  • Encryption
    • https://docs.aws.amazon.com/whitepapers/latest/logical-separation/encrypting-data-at-rest-and--in-transit.html
    • https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/encryption-best-practices/encryption-best-practices.pdf
  • S3, Lifecycle, Replication, Object Locking
    • https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
    • https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html#object-lock-overview
    • https://docs.aws.amazon.com/aws-backup/latest/devguide/about-backup-plans.html
    • https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-replication
  • EC2 Enclave
    • https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html
    • https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
    • https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-cross-account-access

Exam Questions

Below is a list of sources where I found example exam question sets:


Tutorials Dojo and Whizlabs are also good resources for practice questions.

Conclusion

Preparing for the AWS Certified Security Specialty was a challenging but rewarding journey. The process not only deepened my understanding of AWS security services but also strengthened my grasp of fundamental security principles applicable to any cloud or on-premises environment. If you are considering this certification, focus your preparation, leverage the best resources, and remember that the breadth of knowledge you gain will benefit your career far beyond the exam itself.

Good luck to everyone on their certification path!
