SCS-C03 — AWS Certified Security – Specialty Exam Blueprint

Last revised: June 29, 2026

Practical exam blueprint for AWS Certified Security – Specialty (SCS-C03) readiness across IAM, logging, data protection, infrastructure security, governance, and incident response.

How to Use This Exam Blueprint

Use this checklist as a practical study map for the AWS Certified Security – Specialty (SCS-C03) exam from AWS. It is designed to help you confirm whether you can apply AWS security concepts in realistic scenarios, not just recognize service names.

For each topic area:

Read the “ready means” column.
Check whether you can explain the decision path without notes.
Practice with scenarios where more than one AWS service looks plausible.
Revisit weak areas until you can justify the secure, least-privilege, operationally realistic choice.

This is an independent exam blueprint for SCS-C03 preparation. It does not claim affiliation with AWS and does not state official exam weights.

SCS-C03 readiness map

Readiness area	Ready means you can…	AWS services, controls, or artifacts to know	Practice prompts
Identity and access management	Design least-privilege access across users, roles, workloads, accounts, and federated identities	IAM, IAM roles, IAM policies, resource policies, permission boundaries, IAM Identity Center, STS, Organizations SCPs, session policies, MFA	Can you explain why an allowed IAM policy still fails because of an SCP, boundary, resource policy, or explicit deny?
Detection, logging, and monitoring	Choose the correct log source, detection service, alerting path, and investigation workflow	CloudTrail, CloudWatch Logs, CloudWatch metrics and alarms, EventBridge, AWS Config, Security Hub, GuardDuty, Detective, Inspector, Macie, VPC Flow Logs	Can you identify which service detects suspicious API use versus vulnerable software versus sensitive data exposure?
Infrastructure and network security	Secure VPCs, edge entry points, hybrid connectivity, endpoints, compute, containers, and serverless workloads	VPC security groups, network ACLs, route tables, VPC endpoints, PrivateLink, Network Firewall, WAF, Shield, Route 53 Resolver DNS Firewall, ELB, EC2, Lambda, ECS, EKS	Can you select the right control for north-south traffic, east-west traffic, DNS filtering, or application-layer inspection?
Data protection and cryptography	Protect data at rest and in transit, select key management patterns, and troubleshoot encryption access	KMS, KMS key policies, grants, aliases, encryption context, CloudHSM, ACM, Secrets Manager, S3 encryption, EBS, EFS, RDS, DynamoDB, backup and retention features	Can you diagnose why a principal can access an encrypted object but cannot decrypt it?
Multi-account governance	Apply preventive, detective, and responsive controls across accounts and organizational units	AWS Organizations, SCPs, delegated administration, Control Tower concepts, Config rules, conformance packs, Firewall Manager, Security Hub, IAM Access Analyzer	Can you decide what belongs in an SCP versus an IAM policy versus AWS Config remediation?
Incident response	Contain, investigate, preserve evidence, eradicate, recover, and improve controls after an event	CloudTrail, GuardDuty, Security Hub, Detective, Systems Manager, snapshots, isolation security groups, key rotation, credential deactivation, EventBridge automation	Can you outline safe first actions for a compromised access key, suspicious EC2 instance, or exposed S3 bucket?
Application and workload security	Secure deployment pipelines, runtime permissions, secrets, images, and workload identities	IAM roles for service workloads, Lambda execution roles, ECS task roles, EKS IAM integration concepts, Secrets Manager, Systems Manager, Inspector, ECR scanning concepts	Can you distinguish build-time scanning, runtime detection, and least-privilege execution roles?
Resilience and recovery security	Protect backups, logs, keys, and critical security tooling from tampering or deletion	Backup plans, vault access policies, S3 Object Lock concepts, CloudTrail log file validation, KMS key deletion safeguards, cross-account logging patterns	Can you design logging and backup controls that still work if a workload account is compromised?

Identity and access management checklist

Core IAM readiness

You should be able to reason through access decisions across multiple policy types.

Explain the difference between an IAM user, group, role, and federated identity.
Choose IAM roles over long-term access keys for workloads whenever possible.
Explain how STS temporary credentials are issued and used.
Compare identity-based policies and resource-based policies.
Identify when a trust policy is required and what it controls.
Distinguish a role trust policy from a role permissions policy.
Explain explicit deny precedence.
Explain how permission boundaries limit maximum permissions.
Explain how Organizations SCPs limit maximum permissions for accounts or organizational units.
Explain why SCPs do not grant permissions by themselves.
Use IAM policy conditions for source IP, VPC endpoint, principal ARN, organization ID, MFA, tags, or requested Region when appropriate.
Recognize when session policies or session tags affect access.
Identify when a resource policy is needed for cross-account access.
Troubleshoot “access denied” using all relevant policy layers, not just the visible IAM policy.

Policy evaluation decision path

    flowchart TD
	    A[Request made to AWS service] --> B{Any explicit deny?}
	    B -->|Yes| Z[Deny]
	    B -->|No| C{Allowed by identity or resource policy?}
	    C -->|No| Z
	    C -->|Yes| D{Within permission boundary if present?}
	    D -->|No| Z
	    D -->|Yes| E{Allowed by SCP or account guardrail?}
	    E -->|No| Z
	    E -->|Yes| F{Service-specific conditions satisfied?}
	    F -->|No| Z
	    F -->|Yes| G[Allow]

IAM decision checks

Scenario	Strong exam-ready reasoning
Developer needs access to one S3 prefix	Use least-privilege IAM and/or bucket policy conditions; scope actions, resources, and conditions tightly.
Application in EC2 needs DynamoDB access	Attach an IAM role to the instance profile; avoid embedded long-term credentials.
Third-party vendor needs cross-account access	Use a role with a trust policy, scoped permissions, and confused-deputy protections such as an external ID where appropriate.
Admins must sign in centrally	Understand IAM Identity Center and federation patterns rather than creating many standalone IAM users.
Workload needs access only from a private network path	Consider VPC endpoint policies, resource policy conditions, and network controls together.
Security team must audit many accounts	Use cross-account roles, delegated administration patterns, and centralized logging or findings aggregation.
Team has broad IAM allow but must never delete KMS keys	Use explicit deny, permission boundaries, SCPs, or service control guardrails depending on scope and ownership.

IAM artifacts you should be able to read

You do not need to memorize every condition key, but you should be comfortable interpreting common policy structure.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Can you identify:

The effect is an explicit deny.
The policy applies to both the bucket and objects.
The condition denies requests not using secure transport.
The statement does not grant access; it only blocks a risky path.

Logging, detection, and monitoring checklist

Logging source readiness

Need	Likely log or service	Be ready to explain
API activity investigation	CloudTrail	Management events, data events where enabled, event history, trails, log destinations, integrity concepts
Suspicious account or workload behavior	GuardDuty	Findings based on threat intelligence, CloudTrail, DNS, VPC Flow Logs, and other supported sources
Central log retention and search	CloudWatch Logs, S3, OpenSearch patterns	Collection, retention, metric filters, access controls, and query paths
Network metadata	VPC Flow Logs	Accepted/rejected traffic metadata, not full packet capture
Configuration drift	AWS Config	Resource configuration history, rules, aggregators, remediation concepts
Vulnerability findings	Inspector	Software vulnerability and exposure findings for supported workloads
Sensitive data discovery	Macie	S3 data discovery, classification, and findings
Security posture aggregation	Security Hub	Findings aggregation, standards, integrations, delegated administration concepts
Investigation context	Detective	Graph-based investigation and relationships among entities
Event-driven response	EventBridge	Match findings or state changes and trigger response workflows

Detection and monitoring tasks

Choose CloudTrail when the question asks “who called which AWS API, from where, and when.”
Distinguish CloudTrail management events from data events.
Know when S3 object-level activity or Lambda invocation activity may require data event logging.
Recognize that CloudTrail must be protected from tampering using restrictive access, encryption, validation, and ideally separate log archive patterns.
Use CloudWatch metric filters and alarms for near-real-time alerting from logs.
Use EventBridge rules to route findings or API events to automated response.
Use GuardDuty for managed threat detection, not as a firewall.
Use Inspector for vulnerability and exposure management, not for sensitive data classification.
Use Macie for sensitive data discovery in S3.
Use Security Hub to aggregate and prioritize findings across services and accounts.
Use AWS Config for compliance with configuration rules and historical state review.
Know when centralized logging should be cross-account to reduce risk from a compromised workload account.

“Can you investigate this?” prompts

Prompt	What you should check first	Follow-up decisions
Access key is calling APIs from an unusual location	CloudTrail, GuardDuty finding, IAM credential report or access information	Disable or rotate key, identify principal, review permissions, check persistence, add detection
S3 bucket became public	CloudTrail, S3 Block Public Access settings, bucket policy, ACL/object ownership posture, Access Analyzer	Block exposure, identify actor, assess data access, tighten guardrails
EC2 instance is communicating with suspicious IPs	GuardDuty, VPC Flow Logs, security groups, route paths, instance role activity	Isolate instance, preserve evidence, rotate credentials, rebuild from trusted image
Security group opened inbound access broadly	CloudTrail, AWS Config history, change management records	Revert change, alert owner, enforce Config rule or SCP/automation if needed
Sensitive files found in S3	Macie finding, bucket policy, object access logs or CloudTrail data events if available	Restrict access, classify impact, encrypt, apply lifecycle/retention controls

Infrastructure and network security checklist

VPC and network controls

Control	What it does	Exam-ready distinction
Security group	Stateful instance or ENI-level filtering	Commonly used for workload allow rules; return traffic is tracked.
Network ACL	Stateless subnet-level filtering	Requires inbound and outbound rule awareness; useful as an additional subnet guardrail.
Route table	Determines network path	Security controls fail if routing sends traffic around them.
VPC endpoint	Private access to supported AWS services	Endpoint policies can add another authorization layer.
Gateway endpoint	Private route-based access for supported services	Know common use with S3 and DynamoDB patterns.
Interface endpoint	ENI-based private service access	Often used with PrivateLink and many AWS service endpoints.
AWS PrivateLink	Private connectivity to services without public internet exposure	Useful for producer-consumer service access across VPCs/accounts.
NAT gateway / egress pattern	Outbound internet access for private subnets	Does not itself inspect application traffic.
Network Firewall	Managed network firewall for VPC traffic paths	Useful for traffic inspection and filtering when routing is designed correctly.
Route 53 Resolver DNS Firewall	DNS query filtering	Use when the control point is domain resolution.
WAF	Layer 7 web request filtering	Protects web applications from HTTP/S request patterns.
Shield	DDoS protection	Know where it fits relative to WAF and architecture resilience.
Firewall Manager	Central policy management	Useful across accounts for WAF, Shield, security groups, and firewall policies depending on use case.

Network scenario checks

Design private subnets that access AWS services without traversing the public internet when appropriate.
Explain when to use an S3 bucket policy condition to require access through a specific VPC endpoint.
Troubleshoot why a private workload cannot reach an AWS API: route table, DNS, endpoint policy, IAM policy, security group, NACL.
Choose WAF for HTTP request filtering and Network Firewall for VPC traffic inspection.
Choose Route 53 Resolver DNS Firewall for domain-based DNS filtering.
Explain that security groups are stateful and network ACLs are stateless.
Recognize that VPC Flow Logs show metadata, not packet payloads.
Secure load balancer front ends using TLS policies, certificates, WAF association, security groups, and logging where relevant.
Identify when hybrid connectivity requires coordinated controls across AWS and on-premises networks.
Protect administrative access using Systems Manager Session Manager patterns instead of broad inbound SSH/RDP exposure when appropriate.

Compute and workload security

Workload	Checklist
EC2	Use instance roles, restrict security groups, prefer IMDSv2, patch with Systems Manager, collect logs, protect AMIs and snapshots, avoid static credentials.
Lambda	Scope execution roles, protect environment variables and secrets, monitor invocations and errors, control resource-based permissions, review event source access.
ECS	Distinguish task roles from execution roles, protect images, secrets, network mode, logging, and service-to-service permissions.
EKS	Understand IAM integration concepts, pod/workload identity patterns, network policies, image security, secrets protection, and audit logging concepts.
Containers and images	Know the difference between image scanning, runtime detection, registry permissions, and deployment guardrails.
Databases	Enforce encryption, network isolation, IAM/database authentication where relevant, secrets rotation, backups, logging, and least-privilege access.

Data protection and cryptography checklist

KMS readiness

KMS is a frequent decision point because access depends on both identity permissions and key permissions.

Explain the role of a KMS key policy.
Recognize that IAM permission alone may not be enough if the key policy does not allow the access path.
Distinguish AWS managed keys, customer managed keys, and service-managed encryption patterns conceptually.
Know when to use customer managed keys for more control over policy, rotation settings, auditability, and separation of duties.
Explain KMS grants and why services may use them for delegated cryptographic operations.
Use aliases for operational reference, not as the security boundary.
Understand encryption context as additional authenticated context used in cryptographic operations.
Troubleshoot encrypted resource access failures involving the principal, resource policy, key policy, grants, and service integration.
Know when CloudHSM is a better fit for dedicated HSM control requirements.
Know when ACM is used for TLS certificates and where certificates are attached.

Data protection by service

Service or data store	Be ready to review
S3	Bucket policies, Block Public Access, object ownership/ACL posture, default encryption, SSE-S3, SSE-KMS, client-side encryption concepts, access points, Object Lock concepts, lifecycle, replication security, logging.
EBS	Volume and snapshot encryption, KMS key access, snapshot sharing controls, AMI implications.
EFS	Encryption at rest, encryption in transit, access points, file system policies, network controls.
RDS and Aurora	Encryption at rest, KMS key implications, snapshots, backups, parameter/security settings, network isolation, secrets rotation.
DynamoDB	Encryption at rest, IAM access control, point-in-time recovery concepts, VPC endpoint access patterns.
Redshift and analytics services	Encryption, audit logging, network access, IAM integration, data sharing boundaries.
Secrets Manager	Secret storage, rotation, resource policies, KMS encryption, cross-account access considerations.
Systems Manager Parameter Store	Secure parameters, KMS use, IAM access, operational configuration boundaries.
Backups	Backup access policies, vault controls, copy strategy, restore testing, protection from deletion or tampering.

Encryption troubleshooting prompts

Symptom	Likely causes to test
User can list an S3 object but cannot download it	Missing `s3:GetObject`, explicit deny, bucket policy condition, KMS decrypt permission missing, key policy does not allow principal, object ownership issue.
Cross-account role cannot decrypt data	Trust policy may allow role assumption, but KMS key policy or grant may not allow decrypt; resource policy may also be needed.
Service cannot write encrypted logs	Destination policy, service principal permissions, KMS key policy, encryption context conditions, or account/Region mismatch assumptions.
Snapshot sharing fails securely	Snapshot permissions, KMS key sharing constraints, destination account permissions, re-encryption requirements.
Secret rotation fails	Rotation Lambda role, secret resource policy, database/network access, KMS permissions, rotation configuration.

Governance, compliance, and multi-account security checklist

Preventive, detective, and responsive controls

Control type	Examples	Ready means
Preventive	SCPs, IAM policies, permission boundaries, resource policies, VPC endpoint policies, S3 Block Public Access	You can stop risky actions before they occur and understand scope.
Detective	CloudTrail, AWS Config, GuardDuty, Security Hub, Macie, Inspector, Access Analyzer	You can detect policy drift, suspicious activity, exposure, or vulnerabilities.
Responsive	EventBridge automation, Systems Manager Automation, Lambda remediation, incident playbooks	You can contain and remediate while preserving evidence.
Corrective	Config remediation, policy updates, key rotation, network rule rollback	You can reduce recurrence after an incident.

Multi-account readiness

Explain why security teams often centralize logging in a dedicated account.
Explain why workload accounts should not be able to alter central security logs.
Use AWS Organizations and organizational units conceptually to apply guardrails.
Know that SCPs limit maximum permissions but do not grant permissions.
Use delegated administrator patterns conceptually for services such as Security Hub, GuardDuty, Config, Macie, Inspector, or Firewall Manager where appropriate.
Understand how IAM Access Analyzer helps identify unintended external or cross-account access.
Use AWS Config aggregators or organization-level views to assess compliance across accounts.
Recognize when Control Tower concepts may be relevant to account governance and guardrails.
Choose resource policies carefully for cross-account access to S3, KMS, Secrets Manager, SNS, SQS, Lambda, or other resources.
Avoid solving every governance problem with IAM; use SCPs, Config, Security Hub, and service-specific controls where they fit better.

Incident response checklist

Response phases you should be able to apply

Phase	Candidate-ready actions
Prepare	Enable logs, centralize findings, define roles, prebuild isolation controls, document contacts, test automation, protect evidence stores.
Detect and analyze	Triage GuardDuty/Security Hub findings, review CloudTrail, inspect VPC Flow Logs, identify affected principals and resources.
Contain	Disable or rotate credentials, isolate instances, block public access, restrict policies, quarantine workloads, preserve snapshots.
Eradicate	Remove malicious artifacts, revoke persistence mechanisms, patch vulnerabilities, rebuild from trusted sources.
Recover	Restore services securely, validate permissions, monitor for recurrence, rotate secrets and keys as needed.
Improve	Add guardrails, detections, playbooks, tests, and ownership to prevent repeat incidents.

Incident scenario cues

Scenario	First safe moves	Avoid this trap
Compromised IAM access key	Disable key, identify CloudTrail activity, review created resources, rotate related secrets, check persistence.	Do not only delete the key and ignore resources created while it was active.
Suspicious EC2 instance	Isolate with security group or network controls, preserve snapshots/logs, inspect role activity, replace from known-good image.	Do not immediately terminate if evidence is needed.
Public S3 data exposure	Block public access, capture current policy/configuration, review access logs or CloudTrail data events if available, assess data sensitivity.	Do not assume encryption prevents unauthorized reads if the principal had decrypt access.
Root account activity	Verify legitimacy, check CloudTrail, ensure MFA, review account contacts and credentials, investigate new users/roles/keys.	Do not treat root activity as routine without validation.
Unauthorized KMS key policy change	Review CloudTrail, restore safe policy, check grants, review affected encrypted resources.	Do not focus only on IAM policies; KMS key policy may be the controlling artifact.
Malware or cryptomining alert	Review GuardDuty, isolate compute, inspect network flows and credentials, patch or rebuild, review image/source pipeline.	Do not leave the instance role active if credentials may be abused.

Service selection quick checks

If the question asks for…	Think first about…	Not primarily…
“Who made this API call?”	CloudTrail	VPC Flow Logs
“Which instance communicated with this IP?”	VPC Flow Logs, GuardDuty context	IAM credential report
“Which S3 buckets may expose sensitive data?”	Macie, S3 access analysis, bucket policies	Inspector
“Which EC2 instances have vulnerable packages?”	Inspector	Macie
“How do we aggregate security findings?”	Security Hub	CloudWatch metrics alone
“How do we detect suspicious behavior?”	GuardDuty	AWS Config alone
“How do we enforce configuration compliance?”	AWS Config rules and remediation	GuardDuty
“How do we restrict actions across accounts?”	SCPs, permission boundaries, IAM policies	CloudTrail
“How do we filter web attacks?”	WAF	Network ACLs alone
“How do we protect against DDoS?”	Shield, resilient architecture, WAF where applicable	KMS
“How do we centrally manage firewall policies?”	Firewall Manager	IAM Access Analyzer
“How do we find unintended external access?”	IAM Access Analyzer	Inspector

Configuration and artifact checks

IAM policy reading checklist

When reviewing a policy snippet, ask:

What is the principal?
Is this an identity policy, resource policy, trust policy, key policy, or SCP?
Is the statement allow or deny?
What actions are included?
What resources are included?
Are wildcards present, and are they justified?
Which conditions must match?
Are there organization, account, tag, MFA, source IP, VPC endpoint, or encryption-related conditions?
Is another policy layer likely to override or restrict this one?

CloudTrail investigation fields

Be able to interpret common fields conceptually:

Field or concept	Why it matters
Event name	Identifies the API action.
Event source	Identifies the AWS service.
User identity	Shows the principal type, assumed role, access key, or service principal context.
Source IP address	Helps identify origin, proxy, service, or suspicious location.
User agent	Can indicate console, CLI, SDK, automation, or unusual tooling.
Request parameters	Shows resource names, policy changes, or configuration values.
Error code	Helps distinguish denied attempts from successful changes.
Recipient account	Useful in cross-account scenarios.

Example CloudWatch Logs Insights-style investigation pattern

Use concise queries to narrow events. Exact fields depend on log format and destination.

fields @timestamp, eventSource, eventName, userIdentity.type, sourceIPAddress, errorCode
| filter eventSource = "iam.amazonaws.com"
| sort @timestamp desc
| limit 50

Can you explain what this query is trying to find and what you would do next?

Common weak areas and traps

Weak area	What to fix before exam day
Treating IAM allow as final	Always evaluate explicit deny, SCPs, permission boundaries, session policies, resource policies, and service-specific policies.
Confusing role trust and role permissions	Trust policy controls who can assume the role; permissions policy controls what the role can do.
Thinking SCPs grant permissions	SCPs set maximum permission boundaries for accounts/OUs; IAM or resource policies still grant access.
Ignoring KMS key policies	Encrypted data access often fails because the KMS key policy or grant is missing, even when data-resource permissions look correct.
Mixing up security services	GuardDuty detects threats; Inspector finds vulnerabilities; Macie finds sensitive data; Security Hub aggregates findings; Config evaluates configuration.
Overusing network ACLs	Security groups are often the primary workload firewall; NACLs are stateless subnet controls.
Assuming VPC Flow Logs are packet captures	They provide flow metadata, not full payload inspection.
Solving application-layer attacks with subnet rules	Use WAF for HTTP/S request filtering where applicable.
Forgetting endpoint policies	Private connectivity to AWS services does not automatically mean least privilege.
Not protecting logs	Centralized, immutable or tamper-resistant logging patterns are core security architecture concepts.
Rotating one credential only	Incidents may require rotating access keys, secrets, tokens, instance roles, database credentials, and reviewing persistence.
Deleting evidence too early	Incident response often requires preserving logs, snapshots, and configuration state before destructive remediation.
Missing cross-account implications	S3, KMS, IAM roles, SNS, SQS, Lambda, Secrets Manager, and logs often require permissions on both sides.
Confusing encryption in transit and at rest	TLS, ACM, service encryption, KMS, and client-side encryption solve different problems.
Ignoring operational ownership	Secure designs also need monitoring, remediation, alert routing, and maintainable permissions.

Final-week checklist

Knowledge review

Rebuild your own one-page matrix of AWS security services and their primary purpose.
Review IAM policy evaluation until you can troubleshoot access denied scenarios quickly.
Review KMS access paths, especially cross-account and service-integrated encryption.
Review CloudTrail, CloudWatch, Config, GuardDuty, Security Hub, Inspector, Macie, and Detective differences.
Review VPC security groups, NACLs, endpoints, WAF, Shield, Network Firewall, DNS Firewall, and Firewall Manager.
Review S3 security controls: Block Public Access, bucket policies, access points, object ownership, encryption, replication, and logging.
Review incident response playbooks for compromised keys, public buckets, suspicious compute, and unauthorized policy changes.
Review multi-account governance: Organizations, SCPs, delegated administration, central logging, and Config/Security Hub aggregation.

Scenario practice

For each missed practice question, write the reason in this format:

Prompt	Your note
What was the security objective?	Example: prevent public access, detect threat, encrypt data, preserve evidence.
Which service was the best fit?	Example: Macie for sensitive data discovery, not Inspector.
What made the distractor wrong?	Example: CloudTrail records API calls but does not classify sensitive data.
What policy layer mattered?	Example: SCP, key policy, resource policy, endpoint policy, permission boundary.
What would you verify operationally?	Example: alert routing, log retention, remediation owner, rollback path.

Exam-readiness self-test

You are close to ready when you can confidently answer “yes” to most of these:

Can I explain an AWS access decision from request to final allow or deny?
Can I choose the right AWS detection service from a short incident description?
Can I troubleshoot encrypted access involving S3 and KMS?
Can I design a secure cross-account access pattern?
Can I protect CloudTrail logs from tampering?
Can I decide between WAF, Shield, Network Firewall, DNS Firewall, and security groups?
Can I explain how to isolate a compromised EC2 instance without losing evidence?
Can I identify when a service needs a resource policy, key policy, or trust policy?
Can I explain why a private VPC endpoint still needs IAM and endpoint policy controls?
Can I map Security Hub, GuardDuty, Inspector, Macie, Config, and Detective to different operational needs?
Can I reason through least privilege without relying on broad wildcards?
Can I distinguish prevention, detection, response, and governance controls?

Practical next step

Use this checklist to drive a timed mixed-practice session for AWS Certified Security – Specialty (SCS-C03). After each question, do not only mark right or wrong: identify the AWS security objective, the controlling policy layer, the best-fit service, and the reason each close distractor fails. This is the fastest way to turn topic familiarity into exam-ready judgment.

Study Plan

Scenario Guide