The cloud is where the money is. It’s also where most of the misconfiguration lives, the IAM sprawl runs unchecked, and the attack surface has grown faster than most organizations can track. If you’re doing offensive or defensive cloud security work in 2026, the AWS Certified Security Specialty (SCS-C02) is one of the few certifications that actually reflects what the job looks like.
This is a full honest review — what the exam covers, how hard it is, what it costs, and whether it belongs in your cert stack.
What Is the AWS Certified Security Specialty?
The AWS Certified Security Specialty, currently on exam version SCS-C02, is Amazon’s advanced-level security certification. It’s positioned above Solutions Architect Associate/Professional in the security track and targets practitioners who design, implement, and troubleshoot security controls in AWS environments.
This isn’t a “check the compliance box” cert. The SCS-C02 expects you to understand threat detection, incident response in AWS, IAM policy mechanics, encryption key management, and how to architect secure AWS environments under real constraints.
For cloud pentesters and red teamers who’ve worked through AWS attack techniques — IAM privilege escalation, S3 misconfigs, metadata service abuse, cross-account trust exploitation — the SCS-C02 forces you to understand the other side of the table. That’s where it gets interesting.
Who Should Take It
SCS-C02 is right for you if:
- You’re a cloud security engineer or architect responsible for AWS environments
- You’re a red teamer or cloud pentester who wants the defensive context to complement attack skills
- You’re targeting Cloud Security Engineer, Cloud Architect, or CISO-track roles at AWS-heavy organizations
- You already have AWS Solutions Architect Associate or equivalent experience
- You’ve done cloud pentesting work and want a recognized credential that validates cloud security depth
SCS-C02 is not right for you if:
- You’re new to AWS — this is a specialty cert, not an entry point
- You’ve never worked with IAM policies, VPC security groups, or CloudTrail in a real environment
- You’re looking for a cert that will teach you cloud attack techniques (the cert is defensive-framed)
Minimum realistic baseline: AWS Solutions Architect Associate and at least 1-2 years working hands-on with AWS in a security or DevOps capacity. AWS recommends 5 years of IT security experience and 2 years securing AWS workloads — that’s aspirational language, but the exam does assume you’ve seen real environments.
Exam Domain Breakdown (SCS-C02)
The SCS-C02 is organized around five domains:
| Domain | Weight |
|---|---|
| Threat Detection and Incident Response | 14% |
| Security Logging and Monitoring | 18% |
| Infrastructure Security | 20% |
| Identity and Access Management | 16% |
| Data Protection | 18% |
| Management and Security Governance | 14% |
A few things worth noting about these weights:
Security Logging and Monitoring (18%) is the heaviest single domain and covers CloudTrail, CloudWatch, GuardDuty, Security Hub, AWS Config, and Detective. If you understand how defenders use these services to detect attacks, this maps directly to red team operational security awareness — knowing what you’re generating in logs is half of real OPSEC.
Infrastructure Security (20%) is the broadest domain. VPC design, security groups, NACLs, WAF, Shield, Firewall Manager, Systems Manager, EC2 instance hardening. This is where defenders build the controls that pentesters look for gaps in.
IAM (16%) might be underweighted relative to its real-world importance, but the questions are dense. Permission boundaries, SCP design, resource-based vs identity-based policies, cross-account role assumption, federation — this is where cloud security gets complex and where most real-world breaches originate.
Data Protection (18%) covers KMS, CloudHSM, Certificate Manager, encryption at rest and in transit, S3 encryption options, and secrets management with Secrets Manager and Parameter Store.
Threat Detection and Incident Response (14%) is the most practical domain for practitioners — GuardDuty findings, automated remediation with Lambda, incident playbooks, forensic data collection in AWS, compromised instance response.
Exam Format and Logistics
- Questions: 65 (combination of multiple choice and multiple response)
- Duration: 170 minutes
- Passing score: 750/1000
- Format: Pearson VUE or PSI, online or in-person testing center
- Price: $300 USD
- Validity: 3 years (recertified through retake or continuing education)
- Prerequisite: None formal — but realistically, you need AWS experience
The multiple-response questions (select two or three correct answers) are where most candidates drop points. The distractors are often partially correct, which forces you to understand the reasoning behind each option rather than pattern-matching to a single right answer.
One thing AWS does well: the scenario questions are grounded in realistic architectural decisions. You’re not memorizing isolated facts — you’re picking between options like “GuardDuty vs Macie vs Inspector for this specific detection scenario.” That requires understanding what each service actually does.
Difficulty
Honest calibration: harder than Solutions Architect Professional for anyone who hasn’t specifically worked in cloud security operations. Easier than people expect if you have hands-on AWS security experience.
The exam trips up candidates who’ve studied conceptually but haven’t actually configured KMS key policies, written SCPs, or debugged IAM permission denials in a live environment. The questions are specific. “KMS key policy doesn’t allow cross-account access even with correct IAM policy — why?” If you’ve hit that exact scenario in the real world, you answer it in 30 seconds. If you’ve only read about it, you’re guessing.
Where candidates fail:
- IAM mechanics — the interaction between resource-based policies, identity-based policies, SCPs, and permission boundaries trips up even experienced AWS users
- Service selection — GuardDuty vs Security Hub vs Macie vs Inspector is a frequent source of wrong answers; they overlap and the exam tests precise scope
- Incident response procedures — the specific steps for forensic isolation, evidence collection, and automated remediation in AWS follow a logical pattern that needs to be internalized
What’s actually manageable: the encryption domains (KMS, CloudHSM, ACM) are well-documented and consistent. If you’ve used these services, this section is predictable. Same with VPC security design — the concepts are layered but not ambiguous.
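The IAM interactions listed above are easier to internalize as an evaluation order than as prose. The following is an added Python model (not from this page and not an AWS library) of that order: explicit deny first, SCPs and permissions boundaries as guardrails that can only block, then identity-based versus resource-based grants, with the cross-account KMS key-policy scenario from the exam question quoted earlier. Account IDs and ARNs are constructed.

```python
"""Toy model of IAM policy evaluation: explicit deny wins; SCP and permissions boundary
must allow but never grant; KMS key policies must grant or delegate to IAM via account root."""
from fnmatch import fnmatchcase

_acct = lambda arn: arn.split(":")[4]  # account ID field of an ARN

def _match(stmt, principal):
    """'direct' if the statement names the caller (or '*'), 'delegated' if it names the
    caller's account root (which only hands the decision to IAM policies), else None."""
    p = stmt.get("Principal", "*")   # identity/SCP/boundary statements carry no Principal
    if p in ("*", principal):
        return "direct"
    return "delegated" if p.endswith(":root") and _acct(p) == _acct(principal) else None

def _decide(stmts, action, principal):
    """Return (Deny|Allow|None, how) over the statements matching this action and caller."""
    hits = [(s["Effect"], _match(s, principal)) for s in stmts
            if fnmatchcase(action, s["Action"]) and _match(s, principal)]
    if any(e == "Deny" for e, _ in hits):
        return "Deny", None
    if not hits:
        return None, None
    return "Allow", "direct" if any(m == "direct" for _, m in hits) else "delegated"

def evaluate(principal, resource_account, action, identity=(), resource=(), scp=None, boundary=None):
    """identity: caller's identity-based statements; resource: resource-based statements
    (e.g. a KMS key policy); scp/boundary: None means none applies to the caller."""
    ident, _ = _decide(identity, action, principal)
    res, how = _decide(resource, action, principal)
    guards = {"SCP": scp, "permissions boundary": boundary}
    # 1. An explicit Deny in any applicable policy beats every Allow
    if "Deny" in (ident, res) or any(p and _decide(p, action, principal)[0] == "Deny" for p in guards.values()):
        return "DENY: explicit deny"
    # 2. SCP and boundary must allow when present, but they never grant on their own
    for name, p in guards.items():
        if p is not None and _decide(p, action, principal)[0] != "Allow":
            return f"DENY: {name} does not allow {action}"
    same = _acct(principal) == resource_account
    if same and res == "Allow" and how == "direct":
        return "ALLOW: resource policy grants the caller directly"
    # Cross-account always needs both sides; KMS needs the key policy even in-account
    needs_res = (not same) or action.startswith("kms:")
    if ident == "Allow" and (res == "Allow" or not needs_res):
        return "ALLOW: identity policy grants" + (" and resource policy trusts the caller" if needs_res else "")
    if ident == "Allow":
        return "DENY: resource/key policy does not trust the caller; an IAM policy alone is not enough"
    return "DENY: caller's identity policy does not allow this action"

# The exam's classic case (constructed IDs): the caller's IAM policy is correct, but the key
# policy in the owning account only delegates to its own account root, not to the caller's.
KEY_POLICY = [{"Effect": "Allow", "Principal": "arn:aws:iam::111111111111:root", "Action": "kms:*"}]
CALLER = "arn:aws:iam::222222222222:role/App"
IAM_ALLOW = [{"Effect": "Allow", "Action": "kms:Decrypt"}]
TRUST_222 = {"Effect": "Allow", "Principal": "arn:aws:iam::222222222222:root", "Action": "kms:Decrypt"}
```

Calling `evaluate(CALLER, "111111111111", "kms:Decrypt", IAM_ALLOW, KEY_POLICY)` denies, and the same call with `KEY_POLICY + [TRUST_222]` allows; swapping in a permissions boundary that only covers `s3:*` denies before any grant is considered.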
Cost and Renewal
- Exam fee: $300 USD
- Practice exam (AWS official): $40 USD — worth it
- Study materials: variable (see below)
- Renewal: Every 3 years by retake or AWS continuing education credits
If you hold other current AWS certifications, you can get a 50% discount voucher on the practice exam. Check your AWS Certification account for available benefits.
The 3-year validity window is reasonable. AWS services evolve quickly but the security fundamentals — IAM design patterns, encryption models, logging strategy — are stable enough that knowledge doesn’t expire as fast as you’d expect.
Preparation Strategy
AWS Documentation First
The official AWS documentation is genuinely good. The IAM User Guide, KMS Developer Guide, and Security Hub documentation are dense but authoritative. If you’re going to prep seriously, read the docs for each service that appears in the domain breakdown — don’t just watch courses.
Hands-On Labs
You cannot pass this exam on theory alone. Set up a personal AWS account and work through:
- KMS key creation, key policies, and cross-account access
- IAM permission boundaries (set them up, watch them block things)
- GuardDuty with simulated findings
- CloudTrail + CloudWatch Logs + metric filter alerts
- S3 bucket policies across multiple accounts
- VPC security group and NACL interactions
If you’ve done cloud pentesting work — IAM privilege escalation, S3 enumeration, metadata service abuse — replicate those attacks against your own environment and then implement the detections and remediations the exam expects.
Recommended Study Resources
AWS Certified Security Specialty Exam Guide by Tracy Pierce
The most comprehensive dedicated study guide for SCS-C02. Covers all five domains with practice questions at the end of each chapter. Pierce’s background in AWS security operations shows in how she explains IAM mechanics and incident response procedures — less hand-wavy than generic AWS overview books.
Hacking the Cloud: AWS Red Team Techniques (eBook)
If you’re coming at SCS-C02 from an offensive background, this is the right complement. Understanding how IAM escalation attacks work is the fastest path to understanding why defensive IAM controls are designed the way they are. The exam doesn’t ask you about attacks directly — but the understanding transfers to security architecture questions.
AWS Security Best Practices Whitepaper
Free. The AWS Security Incident Response Guide is exam-relevant and worth a full read. The incident response domain questions align closely with the frameworks and procedures described here.
Practice Exams
Take the official AWS practice exam ($40) after you’ve studied. It’s the most accurate signal of exam readiness you’ll get. Third-party question banks (Tutorials Dojo / Jon Bonso is the community favorite) are useful for volume practice but skew toward memorization — use them to identify gaps, not as your primary prep.
SCS-C02 vs Other Cloud Security Certs
| Cert | Focus | Price | Difficulty | Validity |
|---|---|---|---|---|
| AWS Security Specialty | AWS-specific, broad | $300 | High | 3 years |
| CCSP (ISC²) | Multi-cloud, governance | $599 | High | 3 years |
| AZ-500 | Azure-specific | $165 | Medium-High | 1 year |
| GCP Professional Cloud Security | GCP-specific | $200 | Medium-High | 2 years |
| PNPT | Cloud-adjacent pentesting | $499 | Medium | None |
SCS-C02 vs CCSP: CCSP is vendor-neutral and governance-heavy. It validates understanding of cloud security architecture across providers and is the correct cert for consultants and CISOs who need to speak to cloud risk in broad terms. SCS-C02 is operationally deeper on AWS. If you work in an AWS environment day-to-day, SCS-C02 is more directly useful. If you’re targeting enterprise CISO or advisory roles, CCSP carries more weight in compliance-oriented conversations.
SCS-C02 vs AZ-500: These are platform-specific equivalents. Pick based on where you actually work. If your organization is multi-cloud, holding both is not unreasonable — AZ-500 is cheaper and has a faster renewal cycle.
SCS-C02 for red teamers: The cert is defensively framed, but that’s exactly why it’s valuable for offensive practitioners. The exam forces you to understand detection, logging, and response in a way that informs better OPSEC and more complete security assessments. You’ll write better reports and design better attack scenarios if you understand what GuardDuty flags, how CloudTrail captures API calls, and what a defender sees when you hit the metadata service.
Is SCS-C02 Worth It in 2026?
Yes — if AWS is your primary environment.
Cloud security roles at AWS-heavy organizations increasingly list it as preferred or required. The exam is rigorous enough that it signals genuine cloud security depth — not just familiarity. And at $300 with a 3-year window, it’s reasonably priced for the market recognition it provides.
The realistic take: SCS-C02 won’t make you a cloud pentester. It won’t teach you to attack cloud infrastructure. What it does is validate that you understand how AWS security is designed to work — the IAM mechanics, the detection services, the encryption models, the networking controls. For practitioners who already have offensive skills, that understanding rounds out the picture significantly.
For career trajectory: If you’re targeting cloud security engineering, cloud architect, or CISO-track roles at organizations running significant AWS workloads, SCS-C02 is worth having. If you’re a pure red teamer who works AWS environments, it’s a useful complement to hands-on attack skill sets — and it signals to blue team clients that you understand their environment.
If you’ve been working through the cloud series on this site — AWS pentesting, IAM privilege escalation, S3 misconfigs, GCP attacks — SCS-C02 is a logical next step. You already understand the attack surface. The certification validates you understand the defense as well.
Next steps:
- AWS Certified Security Specialty – Official exam page
- Already done cloud attacks? Start here: AWS IAM Privilege Escalation Guide
- Broader cloud context: AWS Pentesting Guide 2026
- Considering multi-cloud? AZ-500 review coming next week
Recommended Books
All affiliate links — we may earn a small commission at no extra cost to you.
AWS Certified Security Specialty Exam Guide by Tracy Pierce
The most focused SCS-C02 study guide available. Covers all domains with exam-aligned practice questions.
Hacking the Cloud: AWS Red Team Techniques
Attack-side AWS book that complements the defensive cert prep — useful for understanding why the controls exist.
AWS Security Cookbook by Heartin Kanikathottu
Practical recipes for AWS security implementations — IAM, KMS, VPC, logging, and compliance. Good hands-on companion for lab work.
Written by a certified security professional (CISSP, OSCP) with 14+ years in offensive security and security leadership.
Need Cybersecurity Content Written by Practitioners?
RedTeamGuide is powered by CipherWrite — a cybersecurity content service run by OSCP and CISSP-certified practitioners with 14+ years in offensive security and security leadership.
If your company needs blog articles, whitepapers, or LinkedIn content written by someone who’s actually done the work — not a generalist writer with an SEO checklist — check out CipherWrite on Fiverr.
