The new AWS Certified Security – Specialty (SCS-C03): What to expect

At a high level, here's everything you need to know about the SCS-C03: How hard it is, the structure of the exam, how to study for it, key pointers, and more.

Apr 16, 2026 • 10 Minute Read

The AWS Certified Security – Specialty exam got a significant overhaul on December 2, 2025. If you're studying for the Security Specialty certification right now, you're taking the SCS-C03, which is a restructured exam that:

  • Elevates identity management to the top priority

  • Introduces generative AI security

  • Adds entirely new question formats (Bye-bye plain old multiple choice questions, hello ordering and matching questions!)

Whether you passed SCS-C02 and are curious what changed, or you're starting fresh with SCS-C03, this guide breaks down every meaningful difference between the two versions and gives you a clear path to passing the new exam.

The Security Specialty remains one of AWS's most challenging certifications, typically recommended for professionals with 3–5 years of experience securing cloud solutions. The core mechanics haven't changed; there are 65 questions, you are given 170 minutes, and you need a score of 750 out of 1,000 to pass. Oh yeah, did we mention that it comes with a $300 USD price tag? There’s that as well.

But what AWS tests you on and how it tests you? That's where SCS-C03 gets interesting.

The SCS-C02 vs SCS-C03: What's the difference?

The domain restructuring tells a story about where cloud security is heading. Both SCS-C02 and SCS-C03 contain six scored domains, the same number but with very different organization. AWS didn't just rename a few headings: it restructured the first two domains entirely and shifted weight toward identity management, signaling where modern cloud security battles are actually won and lost.

Here's the side-by-side comparison of the previous exam and the current offering:

| SCS-C02 Domain | Weight | SCS-C03 Domain | Weight | Shift |
|---|---|---|---|---|
| Threat Detection and Incident Response | 14% | Detection | 16% | +2% |
| Security Logging and Monitoring | 18% | Incident Response | 14% | −4% |
| Infrastructure Security | 20% | Infrastructure Security | 18% | −2% |
| Identity and Access Management | 16% | Identity and Access Management | 20% | +4% |
| Data Protection | 18% | Data Protection | 18% | |
| Management and Security Governance | 14% | Security Foundations and Governance | 14% | |

The biggest story here is IAM jumping from 16% to 20%, making it the single heaviest domain on the exam. This isn't surprising if you've been working in AWS security because identity is the new perimeter. Misconfigured IAM policies, overly permissive roles, and confused-deputy vulnerabilities cause more breaches than network misconfigurations do.

The second major restructuring split SCS-C02's first two domains into cleaner categories. The old "Threat Detection and Incident Response" and "Security Logging and Monitoring" domains had overlapping concerns. SCS-C03 reorganizes these into two parts:

  • Detection: Monitoring, logging, alerting, log analysis
  • Incident Response: Response plans, forensics, automated remediation

This mirrors how modern Security Operations Centers actually work. Detection teams and incident response teams really are distinct roles with distinct skill sets.

Domain 6 got a subtle but meaningful rename from "Management and Security Governance" to "Security Foundations and Governance," reflecting expanded coverage of organizational controls like Resource Control Policies (RCPs), AI service opt-out policies, and declarative policies, most of which are governance tools that didn't exist when SCS-C02 originally launched.

New exam content: Generative AI security (But don't panic!)

The headline addition in SCS-C03 is that generative AI security content has entered the exam. But here's a critical detail that several third-party study guides get wrong: there is no separate "Domain 7" for AI/ML security. The official AWS exam guide defines exactly six domains. GenAI security content lives inside Domain 3 (Infrastructure Security) as Skill 3.2.7: "Implement protections and guardrails for generative AI applications."

That said, AI/ML touches the exam more broadly than one skill listing suggests. AWS added an entirely new Machine Learning category to the in-scope services list, covering five services that weren't on SCS-C02 at all:

  • Amazon Bedrock — foundation model security, access controls, guardrails, content filtering, and CloudTrail logging of API calls

  • Amazon SageMaker AI — network isolation, encryption, IAM roles for training jobs, inter-node encryption

  • Amazon Q Business — permission scoping and data source access controls

  • Amazon Q Developer — security scanning in development workflows, pipeline vulnerability remediation

  • Amazon CodeGuru Security — code security scanning within CI/CD pipelines

Real-world exam takers, including me, report that AI questions tend to focus on practical IAM controls (who can invoke which models, what resource-based policies govern access) rather than deep ML theory.

The takeaway: Study AI security concepts, but don't let GenAI panic distract you from mastering IAM and KMS, which still dominate the exam!

New question types: Ordering and matching questions

SCS-C02 used only two question formats: multiple choice (pick one from four) and multiple response (pick two or more from five or more). SCS-C03 introduces two additional formats: ordering questions and matching questions.

Ordering questions

These questions ask you to select 3–5 responses and arrange them in the correct sequence. Think: "Place these incident response steps in the correct order." This tests procedural knowledge rather than just recognition. What this means is that you need to understand workflows, not just individual services.

Matching questions

These present 3–7 prompts that you match to corresponding responses. Think: "Match each security service to its primary function." This format tests breadth of knowledge across related services and forces you to distinguish between similar tools like GuardDuty, Inspector, Security Hub, Detective, and Macie.

These new formats mean pure memorization is less effective

With ordering and matching questions, you need to understand how services relate to each other and what order operations happen in, not just what each service does in isolation.

Now, with all that being said, I have to be honest and say that, when I took this exam, I didn't run into any of the new question formats. Zero. None. Zilch. Of course, that doesn't mean you shouldn't be prepared to run into them yourself, but I just wanted to share my personal experience.

The full list of new AWS services to know to pass the SCS-C03

Beyond the five ML services, SCS-C03 added roughly 15 additional services to the in-scope list. Here are the most important new additions, in my opinion, grouped by what they do:

  • Detection and monitoring: Amazon Security Lake (centralized security data lake using OCSF format), AWS CloudTrail Lake (advanced log querying), Amazon Managed Grafana (security monitoring dashboards and log visualization), and AWS User Notifications (centralized notification management).
  • Incident response and resilience: Automated Forensics Orchestrator for Amazon EC2 (automated forensic collection), AWS Fault Injection Service (chaos engineering to test incident response plans), AWS Resilience Hub (validating response effectiveness), and Amazon Application Recovery Controller (automated recovery orchestration).
  • Identity and authorization: Amazon Verified Permissions (fine-grained authorization using the Cedar policy language) and AWS Verified Access (zero-trust network access that can replace traditional VPN for some scenarios).
  • Data protection and storage: AWS DataSync (secure data replication) and Amazon FSx for Lustre (storage backup policies).
  • Governance concepts: Resource Control Policies (RCPs), AI service opt-out policies, and declarative policies. Declarative policies, if you are unsure what they are, are newer organizational policy types that complement the well-established Service Control Policies (SCPs).

The addition of the Open Cybersecurity Schema Framework (OCSF) is also notable. SCS-C03 expects candidates to understand how to normalize and correlate security data across sources using OCSF, reflecting the real-world push toward interoperable security tooling. Amazon Security Lake is the primary service for this.

What topics AWS has removed from the SCS-C03 exam

SCS-C03 didn't just add content. It also removed several topics that appeared on SCS-C02, suggesting AWS expects candidates to already have foundational knowledge in these areas rather than testing them explicitly.

Here are the concepts AWS now considers table stakes, that is, you are expected to know them by default:

  • Host-based security fundamentals (firewalls, hardening)
  • Basic TLS concepts
  • Components of IAM policies (Principal, Action, Resource, Condition)
  • Cross-Region networking using private and public VIFs
  • S3 static website hosting configuration
  • VPC Reachability Analyzer
  • Security gap identification through cost analysis.

I cannot stress enough the concept of knowing advanced IAM policy notation and syntax! If you cannot read and understand complex policies, then you need to spend some time learning this.

This streamlining makes room for the new GenAI and advanced encryption content, while raising the assumed baseline.

How to pass the SCS-C03: A battle-tested study strategy

The exam rewards connected thinking. A misconfigured IAM policy simultaneously affects data protection, detection, and incident response, and the scenario-based questions (easily 60% of the exam) test your ability to synthesize across domains.

Here's what works, based on guidance from AWS, exam prep providers, and people who've already passed (including me :D).

1. Weight your study time by domain percentage

IAM (20%) + Data Protection (18%) + Infrastructure Security (18%) = 56% of your score. Master these three domains first. Detection (16%) + Incident Response (14%) + Governance (14%) fill the remaining 44%.

2. Master IAM and KMS before anything else

These two services appear across every single domain. IAM policy evaluation logic, like understanding how identity-based policies, resource-based policies, SCPs, RCPs, and permissions boundaries interact, is the single most common area where candidates struggle. KMS key policies, grants, key rotation, and the differences between customer-managed keys, AWS-managed keys, imported key material, and external key stores are heavily tested. Learn to love both of these services.
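To make that interaction concrete, here is a small Python model of the same-account evaluation flow (an added example, not AWS code or the author's): an explicit Deny anywhere wins, then the SCPs, RCPs and permissions boundary act as guardrails that must each allow, and finally an identity-based policy must grant the action. Condition elements, NotAction/NotResource, resource-based and session policies, and the management account's exemption from SCPs are deliberately left out, and the bucket name and policy documents are constructed.

```python
"""Toy model of IAM policy evaluation for a same-account request (added example, not
AWS code). Omitted: Condition, NotAction/NotResource, resource-based and session policies."""
from fnmatch import fnmatchcase

def _as_list(value):  # Statement, Action and Resource may be a single item or a list
    return [value] if isinstance(value, (str, dict)) else list(value)

def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are matched case-sensitively.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def policy_verdict(policy, action, resource):
    """'Deny' if a matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    verdict = None
    for stmt in _as_list(policy.get("Statement", [])):
        if _statement_applies(stmt, action, resource):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def evaluate(action, resource, identity_policies, scps=(), rcps=(), boundary=None):
    """Explicit Deny anywhere wins; every SCP/RCP level given and the boundary (if set)
    must each allow; identity policies are a union, so one Allow among them suffices."""
    layers = [("identity-based policy", list(identity_policies), any)] + [
        (n, d, all) for n, d in (("SCP", list(scps)), ("RCP", list(rcps)),
                                 ("permissions boundary", [boundary] if boundary else [])) if d]
    verdicts = [(name, [policy_verdict(p, action, resource) for p in docs], combine)
                for name, docs, combine in layers]
    for name, results, _ in verdicts:
        if "Deny" in results:
            return "Deny", f"explicit deny in {name}"
    for name, results, combine in verdicts:
        if not combine(r == "Allow" for r in results):
            return "Deny", f"implicit deny: {name} grants nothing for {action}"
    return "Allow", "every applicable layer allows"

# Constructed sample: broad identity policy, read-only boundary, SCP blocking bucket deletion.
IDENTITY = [{"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}]
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": "arn:aws:s3:::constructed-bucket*"}]}
SCP = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                      {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteBucket"):
        print(act, evaluate(act, "arn:aws:s3:::constructed-bucket/report.csv", IDENTITY, scps=SCP, boundary=BOUNDARY))
```

Running it shows the three outcomes the exam expects you to tell apart: an allow that passes every layer, an implicit deny caused by a boundary that never mentions the action, and an explicit deny from an SCP that overrides a permissive identity policy.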

3. Read these AWS whitepapers (they're free!)

The Security Pillar whitepaper in particular maps almost directly to the exam's domain structure.

4. Build hands-on experience with at least these core services

  • IAM (write and debug policies, implement SCPs and RCPs, set up cross-account roles)
  • KMS (create customer-managed keys, write key policies, practice key rotation)
  • GuardDuty (enable, analyze findings, set up automated responses via EventBridge)
  • Security Hub (enable security standards, correlate findings)
  • CloudTrail (configure organization trails, query with CloudTrail Lake)
  • Amazon Bedrock (understand guardrails, model access controls, invocation logging).

5. Aim for 80–85% consistently on practice exams before scheduling your real exam date

Typical preparation takes 8–16 weeks at 1–2 hours per day, though experienced AWS security professionals can compress this to 4–6 weeks.

A caveat: The best approach is the one that fits you

Of course, you need to find the study methodology that works best for you and take that approach. These are just recommended strategies based on experienced individuals and AWS guidance, and are not meant to be overly prescriptive.


Want to build hands-on experience in AWS with expert-level guidance and without the risk of setting up your own testing environment? Check out Pluralsight's hands-on labs and cloud sandboxes, which can help you get the experience you need to pass the SCS-C03.


An eight-week study plan for the SCS-C03 (following domain weights)

| Week | Focus Area | Exam Weight |
|---|---|---|
| 1–2 | IAM deep dive: policies, SCPs, RCPs, Identity Center, cross-account access, Verified Permissions, IAM Access Analyzer | 20% |
| 3–4 | Data Protection + Infrastructure Security: KMS, Secrets Manager, ACM, Macie, VPC security, WAF, Shield, Network Firewall | 36% combined |
| 5–6 | Detection + Incident Response: GuardDuty, Security Hub, Detective, CloudTrail, CloudWatch, Config, automated response workflows | 30% combined |
| 7 | Governance + AI/ML Security: Control Tower, Audit Manager, Organizations policies, Bedrock security, SageMaker security | 14% + GenAI |
| 8 | Practice exams, review weak areas, re-read whitepapers, final review | Full exam simulation |

For a prioritized "crunch time" approach, if you're short on time:

  1. Complete the Pluralsight exam prep plan
  2. Read IAM and KMS documentation thoroughly
  3. Review GuardDuty and Security Hub documentation
  4. Take as many practice exams as possible.

The last point is especially important. The more practice you get the better, because it takes repetitions to truly master something.

Advice for those who were preparing for the SCS-C02

The core security knowledge that made SCS-C02 challenging is still the backbone of the new exam. If you were preparing for SCS-C02 when it retired, you're already 85–90% prepared for SCS-C03. Focus your remaining study time on the following:

  • IAM's expanded weight
  • Amazon Bedrock and AI guardrails
  • Resource Control Policies
  • Amazon Security Lake and OCSF
  • The new ordering and matching question formats
  • Inter-resource encryption concepts

Advice for people who are new to SCS-C03 prep

For everyone who's just started their exam prep, the expanded IAM coverage and GenAI security additions make this exam more relevant to real-world cloud security than any previous version. Identity and data protection dominate modern breach patterns, and SCS-C03 reflects that reality. The new question types also push the exam away from memorization and toward genuine operational understanding, which, frankly, makes the certification more valuable once you earn it.

Conclusion: SCS-C03 isn't a revolution, it's a modernization

The Security Specialty remains one of the most respected credentials in cloud security. AWS announced it alongside updates to its broader AI certification portfolio in late 2025, signaling that security expertise is only becoming more critical as organizations adopt generative AI workloads.

Whether you're defending against prompt injection attacks on Bedrock models, locking down cross-account IAM roles, or preparing for battle against the future onslaught of AI-powered robots, this certification proves you can do all the above.

Andru Estes

Andru is an experienced architect and engineer who has had many years of hands-on experience with numerous cloud and virtualization technologies. Learning the newest technologies is what really drives him, and it is icing on the cake that he has the ability to teach others how to use what he has learned. Teaching the skill sets he has acquired can have lasting impacts on students, and that to him is amazing.