AWS Certified Security Specialty: Exam Guide (SCS-C03)
What the AWS Certified Security Specialty (SCS-C03) covers: exam format, the six domains, cost, who it's for, and whether the cert is worth it.

The AWS Certified Security Specialty (exam code SCS-C03) is AWS's deep-dive security certification, aimed at people who already work in the cloud and want to prove they can secure it. It's a Specialty-level exam, which means it sits above the Associate certs and assumes you already know your way around AWS. AWS recommends 3 to 5 years of experience securing cloud workloads before you sit it.
The exam has 65 questions, runs 170 minutes, costs $300, and you pass with a scaled score of 750 out of 1000. It covers detection, incident response, infrastructure security, identity, data protection, and governance. If you do security work on AWS day to day and want a credential that backs it up, it's one of the strongest you can hold.
Want to see where you stand? Practice with realistic SCS-C03 questions and find out how ready you are.
What is the AWS Certified Security Specialty?
It's a single-topic certification focused entirely on securing AWS. Where the Solutions Architect exams ask you to design systems that happen to be secure, this one drills into security as the whole job: how you detect threats, lock down identity, protect data, respond to incidents, and govern an account at scale.
There are no mandatory prerequisites, so you can register without holding any other AWS cert. That said, AWS recommends 3 to 5 years of experience securing cloud solutions, and the exam reads like it. This is not a first certification. If you're newer to AWS, the Solutions Architect Associate is a better starting point, and the security domain you study there is good preparation for this exam later.
SCS-C03 exam details
| Metric | Details |
|---|---|
| Official name | AWS Certified Security - Specialty (SCS-C03) |
| Cost | $300 USD |
| Duration | 170 minutes |
| Questions | 65 (50 scored, 15 unscored) |
| Question types | Multiple choice, multiple response, ordering, matching |
| Passing score | 750/1000 |
| Certificate validity | 3 years |
| Delivery | Pearson VUE testing center or online proctored |
| Languages | English, Japanese, Korean, Portuguese (Brazil), Simplified Chinese, Spanish (Latin America) |
| Prerequisites | None required; 3 to 5 years securing cloud solutions recommended |
Three of those rows need unpacking.
Start with the question count: 15 of the 65 questions are unscored. AWS uses them to trial new content, and you won't know which ones they are, so treat every question as if it counts. The 50 scored questions are what determine your result.
The question types have shifted too. Older AWS exams were mostly multiple choice and multiple response; SCS-C03 also includes ordering and matching questions, where you arrange steps in sequence or pair items correctly. They test whether you understand a process end to end, not just whether you can recognize a service name.
Then there's scoring. AWS uses scaled scoring, so 750/1000 is not the same as answering 75% correctly. Each question carries different weight, and your raw score is converted onto a scaled score out of 1,000. There's no published per-domain pass mark either; you need 750 overall. As a working target, scoring consistently in the low 80s on solid practice questions puts you in a good position.
The six exam domains
The exam splits into six domains. The weightings tell you where the points are, so plan your study time around them.
| Domain | Weight |
|---|---|
| Identity and Access Management | 20% |
| Infrastructure Security | 18% |
| Data Protection | 18% |
| Detection | 16% |
| Incident Response | 14% |
| Security Foundations and Governance | 14% |
Identity and Access Management, at 20%, is the single largest domain: IAM policies, roles, permission boundaries, federation, cross-account access, and the difference between identity-based and resource-based policies. If you can't read a policy document and say exactly what it allows and denies, start here.
Infrastructure Security, at 18%, is network controls: security groups, network ACLs, VPC design, and edge protection. Think about how traffic moves and where you can stop it.
Data Protection, also 18%, covers encryption at rest and in transit, key management, and how you handle secrets. KMS sits at the center of this, so understand key policies and the difference between AWS-managed and customer-managed keys.
Detection, at 16%, is the monitoring and logging side: how you collect signals, spot something wrong, and get alerted before it spreads.
Incident Response, at 14%, is what you do once something has gone wrong: containment, investigation, and recovery, plus how you prepare so a real incident isn't the first time you practice the steps.
Security Foundations and Governance, the final 14%, is the account-level and multi-account view: guardrails, organization-wide controls, and keeping a large environment compliant and consistent.
Identity, infrastructure, and data protection together make up more than half the exam. If your time is tight, that's where it goes.
Who is the SCS-C03 for?
This cert fits people who are already doing the work and want it recognized. The clearest match is a cloud security engineer, but the same skills sit behind several titles: security architect, DevSecOps engineer, AWS security consultant, and security operations roles.
It's a poor fit as your first AWS exam. The questions assume you've felt the pain of a misconfigured IAM policy or a noisy logging setup, not just read about them. If that's not you yet, build the base first and come back to this one.
Is the AWS Security Specialty worth it?
Two things make the case: pay and demand.
On pay, the figures vary a lot by source, which is normal, so treat these as cited reference points rather than a single number. Payscale lists an average salary of about $136,485 per year for a cloud security engineer in the United States as of June 2026. Coursera cites a US range of roughly $96,974 to $152,773. Where you land depends on location, experience, and the rest of your skill set, not the cert alone.
On demand, security hiring has been strong. One industry source (thinkcloudly.com) reported that the AWS Certified Security Specialty saw a 73% demand surge in a single year through 2025. That's one publisher's figure, not an official AWS or government number, so read it as a signal of direction rather than a precise stat. The broader picture lines up with it: cloud security keeps showing up as one of the most-cited skills gaps on security teams.
A certification is a multiplier, not a magic ticket. If you already do security work on AWS, this cert makes that credible to people who haven't seen you work. If you're hoping it substitutes for experience, it won't, and the exam is hard enough that it's tough to pass without the experience anyway. For a wider take, see are cloud certifications worth it.
How to prepare
Lead with practice, not reading. Documentation tells you what a service does. Practice questions teach you how AWS frames a security decision and which option it considers best when several are technically valid. That gap is where most people lose points.
A few things that help on this exam specifically:
- Live in IAM. It's the biggest domain and the one most likely to appear inside other questions, so read policies until you can predict the outcome without guessing.
- Know KMS cold. Key policies, grants, and customer-managed versus AWS-managed keys come up across the data protection domain.
- Think in processes, not facts. The ordering and matching questions reward understanding a workflow end to end, like the steps of an incident response, so study the sequence, not just the service.
- Review wrong and right answers. For every practice question, ask why the correct option beats the others. The wrong options show you exactly what the exam tries to trip you on.
- Track weak domains. If detection or governance keeps catching you out, that's where the next study session goes.
When you book, you register through Pearson VUE (scheduled via aws.training) and can take it at a testing center or online with a proctor. If you go online, test your room and webcam setup ahead of time so logistics aren't a surprise on exam day.
Start practicing
The fastest way to find out whether you're ready is to answer exam-style questions and see where you fall short. Practice realistic SCS-C03 questions with full explanations of why each option is right or wrong, or browse every exam we cover if you're still deciding which certification to chase.
Ready to start practicing?
Drill realistic, exam-style questions with a written explanation for every option, so you walk in knowing the format and exactly where your weak spots are.
Practice SCS-C03 questions →Keep reading
AWS
7 min read
AWS Certified Developer Associate Study Guide (DVA-C02)
A real study plan for the AWS Certified Developer Associate (DVA-C02): exam domains, how long to prepare, what to focus on, and how to practice.
Jun 20, 2026
AWS
7 min read
AWS SysOps Certification Guide (Now CloudOps, SOA-C03)
The AWS SysOps certification is now the CloudOps Engineer exam (SOA-C03). What's on it, how it differs from SAA, and whether it's worth taking.
Jun 13, 2026