SCS-C03 — AWS Certified Security – Specialty Study Plan
A practical study plan for AWS Certified Security – Specialty (SCS-C03), with 7-day, 14-day, 30-day, and 60/90-day preparation paths.
Orientation
This study plan is for candidates preparing for the AWS Certified Security – Specialty (SCS-C03) exam. It is designed for practical scheduling: what to review, when to practice, when to take timed mocks, and how to use missed questions to improve.
Use the official AWS exam guide for SCS-C03 as your objective list. This page is an independent study planning resource and does not claim affiliation with AWS.
The strongest SCS-C03 preparation usually combines:
- Scenario-based practice questions
- IAM and policy evaluation review
- AWS security service selection drills
- Logging, detection, and incident response workflows
- Network and infrastructure security review
- Data protection, encryption, and key management practice
- Timed mock exams with detailed review
Which plan should you use?
| Time until exam | Best plan | Use this if | Main goal |
|---|---|---|---|
| 7 days | Final review sprint | You have already studied most topics or cannot move the date | Stabilize weak areas and avoid late overload |
| 14 days | Focused plan | You know AWS basics but need structured security review | Cover high-value SCS-C03 topics and practice daily |
| 30 days | Balanced plan | You can study most days and want a realistic full review | Build knowledge, practice, mock, and revise |
| 60 days | Full preparation path | You need deeper AWS security review | Learn, apply, test, and remediate weak areas |
| 90 days | Full preparation with spacing | You are starting early or have limited weekly time | Add repetition, labs, and multiple mock cycles |
If you have fewer than 14 days and have not worked with AWS security concepts before, focus on triage rather than attempting to learn every service in depth.
Core SCS-C03 topic rotation
Use these topic clusters throughout the plan. They are not a substitute for the AWS exam guide, but they give you a practical study structure.
| Topic cluster | What to practice |
|---|---|
| Identity and access | IAM policies, resource policies, roles, trust policies, permissions boundaries, session policies, federation, cross-account access, AWS Organizations, SCPs |
| Logging and monitoring | CloudTrail, CloudWatch, AWS Config, VPC Flow Logs, centralized logging, log integrity, alerting patterns |
| Threat detection and incident response | GuardDuty, Security Hub, Detective, Inspector, EventBridge-driven response, containment, credential compromise workflows |
| Infrastructure security | VPC design, security groups, network ACLs, route tables, VPC endpoints, PrivateLink, AWS Network Firewall, load balancer and edge protections |
| Data protection | KMS, key policies, encryption at rest and in transit, S3 security, Secrets Manager, Certificate Manager, data classification patterns |
| Governance and compliance operations | AWS Organizations, delegated administration, Config rules, conformance packs, control monitoring, multi-account security architecture |
| Scenario decision-making | Choosing the least disruptive, most secure, operationally appropriate AWS control for a described requirement |
Daily practice rhythm
Use this rhythm on most study days. Adjust the time blocks to your available schedule.
| Time block | Action | Output |
|---|---|---|
| 5 minutes | Pick one SCS-C03 objective or weak-area tag | Clear focus for the session |
| 20-30 minutes | Review notes, AWS documentation, or architecture diagrams | Short topic summary |
| 30-45 minutes | Answer scenario-based practice questions | Mark confidence before checking answers |
| 20-30 minutes | Review every missed or guessed question | Updated error log |
| 10-20 minutes | Do one hands-on or architecture review task | Diagram, command output, or decision notes |
| 5 minutes | Write tomorrow’s target topic | Reduced decision fatigue |
For weekend or long sessions, do two cycles with a break between them. Do not spend an entire session only reading; SCS-C03 readiness depends heavily on applying concepts in scenarios.
Start with a diagnostic
Before choosing what to study first, take a diagnostic practice set under light time pressure.
| Step | What to do | Why it matters |
|---|---|---|
| 1 | Take a mixed SCS-C03 practice set before heavy review | Reveals your real weak areas |
| 2 | Mark each question as confident, uncertain, or guessed | Separates knowledge from test-taking luck |
| 3 | Review missed and guessed questions together | Guessed-correct questions are still risks |
| 4 | Tag each miss by topic | Creates your study order |
| 5 | Choose the top 3 weak tags for the next 3 study days | Keeps review focused |
Use the diagnostic result as a planning tool, not as a prediction of your exam result.
Missed-question review method
A missed question is useful only if you extract the reason you missed it.
Error log fields
| Field | What to write |
|---|---|
| Topic tag | IAM, KMS, logging, GuardDuty, VPC, S3, Organizations, incident response, etc. |
| Scenario trigger | What requirement drove the answer? Least privilege, central logging, encryption, isolation, detection, audit, cost-aware operations |
| My wrong choice | The option you selected or almost selected |
| Correct choice | The best answer and the AWS service/control involved |
| Why correct | The exact reason it satisfies the scenario |
| Why wrong answers fail | Missing requirement, wrong scope, insecure, too manual, not operationally suitable |
| Rule to remember | One sentence you can reuse on future questions |
| Retest date | When you will attempt similar questions again |
Common SCS-C03 miss patterns
| Miss pattern | Fix |
|---|---|
| Confusing SCPs with IAM permissions | Remember: SCPs only cap what policies in member accounts can grant; they never grant access by themselves, and they do not apply to the management account or to service-linked roles |
| Choosing a detection service for a prevention requirement | Identify whether the question asks to prevent, detect, respond, or audit |
| Ignoring resource policy requirements | For cross-account access to a resource, both the caller's identity policy and the resource policy must allow the action (same-account access can rely on either one); for cross-account role assumption, check the trust policy on the target role and sts:AssumeRole on the caller, then look for explicit denies and SCPs on both sides |
| Overlooking explicit deny | Explicit deny overrides allows in AWS policy evaluation |
| Mixing up security groups and network ACLs | Review stateful vs stateless behavior and where each control applies |
| Treating KMS as only an encryption checkbox | Review key policies, grants, IAM permissions, rotation, and service integration |
| Picking manual response when automation is required | Look for EventBridge, Lambda, Systems Manager, Security Hub automation, or containment workflows |
| Missing the account scope | Decide whether the answer applies to one account, many accounts, an organization, or delegated admin model |
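The miss patterns above all come down to policy evaluation order. The following is an added study example, not AWS code and not part of the original plan: a deliberately simplified evaluator that models explicit deny first, SCPs and permissions boundaries as caps, and the same-account versus cross-account difference for resource policies, then runs constructed scenarios for each miss pattern. Condition keys, NotAction/NotResource and session policies are not modeled, and the ARNs, account IDs and policies are constructed sample data; the KMS scenario also assumes the key policy's default root statement is present, which is what lets an identity policy count toward key access in practice.

```python
"""Simplified AWS policy evaluation (added study example; not AWS code).
Explicit Deny anywhere wins; SCPs and permissions boundaries only cap; cross-account
access needs an allow on both sides. Conditions, NotAction and session policies are
not modeled. All ARNs, account IDs and policies are constructed sample data."""
from fnmatch import fnmatchcase


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(patterns, value, case_sensitive=True):
    # IAM wildcards (* and ?) map directly onto fnmatch; action names are case-insensitive.
    return any(fnmatchcase(value if case_sensitive else value.lower(),
                           p if case_sensitive else p.lower()) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":  # identity policies, SCPs, boundaries carry no Principal
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return any(p in ("*", principal_arn) for p in aws)


def _verdicts(policy, action, resource, principal_arn):
    """Effects of every statement in `policy` whose principal, action and resource match."""
    return [s["Effect"] for s in _as_list((policy or {}).get("Statement"))
            if _principal_matches(s, principal_arn)
            and _matches(s.get("Action"), action, case_sensitive=False)
            and _matches(s.get("Resource", "*"), resource)]


def evaluate(action, resource, principal_arn, identity_policies,
             resource_policy=None, scps=None, boundary=None, same_account=True):
    """Return (decision, reason) for one request, following the AWS evaluation order."""
    groups = {"identity": identity_policies or [], "resource": [resource_policy] if resource_policy else [],
              "scp": scps or [], "boundary": [boundary] if boundary else []}
    # 1. An explicit Deny in any applicable policy ends the evaluation.
    for kind, policies in groups.items():
        if any("Deny" in _verdicts(p, action, resource, principal_arn) for p in policies):
            return "Deny", f"explicit deny in {kind} policy"

    def allows(policies):
        return any("Allow" in _verdicts(p, action, resource, principal_arn) for p in policies)

    # 2. SCPs (member accounts only) cap permissions; they never grant them.
    if scps is not None and not allows(scps):
        return "Deny", "no SCP allows the action"
    # 3. Resource policy: a same-account allow is sufficient alone; cross-account needs both sides.
    resource_allows = allows(groups["resource"])
    if same_account and resource_allows:
        return "Allow", "same-account resource policy allows the principal"
    if not same_account and not resource_allows:
        return "Deny", "cross-account request with no resource-policy allow"
    # 4./5. Permissions boundary caps, identity policy grants, otherwise implicit deny.
    if boundary is not None and not allows([boundary]):
        return "Deny", "permissions boundary does not allow the action"
    if allows(identity_policies or []):
        return "Allow", "identity policy allows" + ("" if same_account else " and resource policy allows")
    return "Deny", "implicit deny: nothing allows the action"


# ---- constructed sample data: fake account IDs, bucket, key and policies ----
ROLE = "arn:aws:iam::111111111111:role/AppRole"
OBJECT = "arn:aws:s3:::data-bucket/report.csv"
KEY = "arn:aws:kms:us-east-1:222222222222:key/00000000-0000-0000-0000-000000000000"
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteBucket"], "Resource": "arn:aws:s3:::data-bucket*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}
IDENTITY_NO_S3 = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}
SCP_FULL_MINUS_DELETE = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # the default FullAWSAccess SCP
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SCP_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "kms:*"], "Resource": "*"}]}
BOUNDARY_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/*"}]}
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "kms:Decrypt", "Resource": "*"}]}


def can_read_encrypted_object(identity_policies, bucket_policy, key_policy, same_account):
    """An SSE-KMS object needs s3:GetObject on the object AND kms:Decrypt on its key."""
    obj = evaluate("s3:GetObject", OBJECT, ROLE, identity_policies, bucket_policy, same_account=same_account)
    key = evaluate("kms:Decrypt", KEY, ROLE, identity_policies, key_policy, same_account=same_account)
    return {"object": obj[0], "key": key[0], "readable": obj[0] == "Allow" and key[0] == "Allow"}


def run_scenarios():
    """One scenario per miss pattern; each value is (decision, reason) or the KMS result dict."""
    return {
        "scp_explicit_deny_wins": evaluate("s3:DeleteBucket", "arn:aws:s3:::data-bucket", ROLE, [IDENTITY], scps=[SCP_FULL_MINUS_DELETE]),
        "scp_caps_but_never_grants": evaluate("s3:GetObject", OBJECT, ROLE, [IDENTITY], scps=[SCP_ALLOWLIST]),
        "boundary_caps_identity_allow": evaluate("kms:Decrypt", KEY, ROLE, [IDENTITY], boundary=BOUNDARY_S3_ONLY),
        "same_account_resource_policy_alone": evaluate("s3:GetObject", OBJECT, ROLE, [IDENTITY_NO_S3], BUCKET_POLICY),
        "cross_account_resource_only": evaluate("s3:GetObject", OBJECT, ROLE, [IDENTITY_NO_S3], BUCKET_POLICY, same_account=False),
        "cross_account_both_sides": evaluate("s3:GetObject", OBJECT, ROLE, [IDENTITY], BUCKET_POLICY, same_account=False),
        "kms_key_without_grant": can_read_encrypted_object([IDENTITY], BUCKET_POLICY, {"Statement": []}, False),
        "kms_key_with_grant": can_read_encrypted_object([IDENTITY], BUCKET_POLICY, KEY_POLICY, False),
    }
```

Run `run_scenarios()` and read the reason strings: the SCP allowlist denies even though the identity policy allows, the cross-account request fails until both the bucket policy and the caller's identity policy allow, and the encrypted object stays unreadable until the key policy (the key's resource policy) also allows kms:Decrypt, which is the "access to the key and access to the data are separate concerns" point.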
7-day final review sprint
Use this if the exam is one week away. This is not a full learning plan; it is a stabilization plan.
| Day | Focus | Study actions | Practice target |
|---|---|---|---|
| 7 | Diagnostic and planning | Take a mixed timed set. Build your top 3 weak-area list. Review the SCS-C03 exam guide objectives. | Mixed diagnostic |
| 6 | IAM and policy evaluation | Review IAM policies, resource policies, trust policies, permissions boundaries, SCPs, cross-account roles, explicit deny. | Identity-focused questions |
| 5 | Logging, monitoring, and detection | Review CloudTrail, CloudWatch, AWS Config, GuardDuty, Security Hub, Detective, VPC Flow Logs, centralized logging. | Logging and detection questions |
| 4 | Infrastructure security | Review VPC controls, security groups, network ACLs, route tables, endpoints, PrivateLink, Network Firewall, WAF, Shield, CloudFront patterns. | Network and infrastructure questions |
| 3 | Data protection | Review KMS, S3 security, Secrets Manager, ACM, encryption in transit, encryption at rest, key policies, access to encrypted data. | Data protection questions |
| 2 | Full timed mock | Take one full timed mock. Spend at least the same amount of time reviewing it. | Full mock plus review |
| 1 | Final consolidation | Review only your error log, service-selection notes, and high-risk diagrams. Do not add major new material. | Light mixed set only |
Final 24 hours
Do:
- Review your error log.
- Revisit questions you missed twice.
- Memorize decision rules, not answer letters.
- Sleep and preserve exam focus.
Do not:
- Start a new course.
- Attempt multiple full mocks back to back.
- Cram obscure service details without scenario context.
- Rewrite your entire note set.
14-day focused plan
Use this if you have two weeks and can study most days. The plan assumes you already understand basic AWS services and now need security-specialty focus.
| Day | Focus | Primary work | Practice work |
|---|---|---|---|
| 1 | Baseline | Diagnostic set, objective review, build weak-area tracker | Mixed questions |
| 2 | IAM policy basics | Identity policies, resource policies, explicit deny, condition keys, least privilege | IAM questions |
| 3 | Advanced access scenarios | Cross-account roles, trust policies, permissions boundaries, SCPs, federation, temporary credentials | Policy scenario drills |
| 4 | Logging architecture | CloudTrail, CloudWatch Logs, AWS Config, VPC Flow Logs, central log accounts | Logging questions |
| 5 | Detection and response | GuardDuty, Security Hub, Detective, Inspector, EventBridge response patterns | Incident response questions |
| 6 | Data protection | KMS, key policies, grants, encryption patterns, S3 access controls, Secrets Manager | Encryption questions |
| 7 | Review checkpoint | Retest Days 2-6 weak areas. Update service-selection notes. | Timed mixed set |
| 8 | Network security | VPC routing, security groups, network ACLs, VPC endpoints, PrivateLink, Network Firewall | Network scenario questions |
| 9 | Edge and application protection | WAF, Shield, CloudFront security patterns, load balancer controls, certificate handling | Edge security questions |
| 10 | Governance | AWS Organizations, SCPs, delegated administration, Config, Security Hub, account structure | Governance questions |
| 11 | Incident runbooks | Credential compromise, exposed S3 bucket, suspicious instance, malware finding, exfiltration indicators | Response workflow drills |
| 12 | Mixed scenario day | Practice mixed questions in timed blocks. Review all guessed answers. | Timed mixed blocks |
| 13 | Full timed mock | Take one full mock. Review deeply and tag every miss. | Full mock |
| 14 | Final review | Error log, weak-area retest, decision rules, light review only | Short mixed set |
Stop adding new major topics after Day 12 unless a repeated miss shows a fundamental gap.
30-day balanced plan
Use this if you want enough time for learning, practice, and correction without cramming.
Weekly structure
| Week | Main goal | End-of-week checkpoint |
|---|---|---|
| 1 | Establish baseline and master IAM/security foundations | You can explain AWS policy evaluation and access scope |
| 2 | Build logging, monitoring, detection, and response workflows | You can choose the right AWS service for detect/respond scenarios |
| 3 | Cover infrastructure security and data protection deeply | You can reason through VPC, KMS, S3, and encryption scenarios |
| 4 | Timed practice, governance review, and weak-area sprint | You are stable on mixed timed questions |
30-day schedule
| Days | Focus | Actions |
|---|---|---|
| 1 | Diagnostic | Take a mixed diagnostic. Create your error log and weak-area tags. |
| 2-3 | IAM fundamentals | Review identity policies, resource policies, explicit deny, conditions, roles, trust policies. |
| 4-5 | Cross-account and organization access | Study SCPs, permissions boundaries, delegated access, federation, account boundaries. |
| 6 | IAM practice day | Timed identity-focused question block. Review every miss. |
| 7 | Weekly review | Rewrite your IAM decision rules from memory. |
| 8-9 | Logging and audit | Review CloudTrail, CloudWatch, AWS Config, log aggregation, audit trails. |
| 10-11 | Detection services | Review GuardDuty, Security Hub, Detective, Inspector, Macie, finding workflows. |
| 12 | Incident response | Practice containment, credential compromise, instance isolation, evidence preservation. |
| 13 | Timed mixed set | Mix IAM, logging, detection, and incident response questions. |
| 14 | Weekly review | Retest all Week 2 misses. |
| 15-16 | Network security | Review VPC security groups, network ACLs, routing, endpoints, PrivateLink, Network Firewall. |
| 17 | Edge and application security | Review WAF, Shield, CloudFront, load balancer security, certificate patterns. |
| 18-19 | Data protection | Review KMS, key policies, grants, S3 security, Secrets Manager, encryption choices. |
| 20 | Scenario diagrams | Draw network and encryption flows for common scenarios. |
| 21 | Weekly review | Timed mixed set across Weeks 1-3. |
| 22 | Governance | Review Organizations, SCP strategy, delegated admin, Config, Security Hub, central security accounts. |
| 23 | Full timed mock 1 | Take a full timed mock. Do not study during the mock. |
| 24 | Mock review | Spend the session only reviewing the mock and updating the error log. |
| 25-26 | Weak-area sprint | Study the top two weak tags from the mock. |
| 27 | Full timed mock 2 or long timed set | Use a fresh set if available. Review guessed-correct answers too. |
| 28 | Final remediation | Retest repeated misses. Consolidate decision rules. |
| 29 | Light mixed review | Short timed set, no heavy new material. |
| 30 | Final review | Error log, service-selection notes, exam logistics, rest. |
60/90-day full preparation path
Use this if you are starting earlier, changing roles, or need hands-on AWS security reinforcement.
60-day path
| Phase | Days | Focus | Deliverables |
|---|---|---|---|
| Baseline | 1-5 | Diagnostic, exam guide mapping, AWS security vocabulary | Error log, study calendar |
| IAM foundation | 6-15 | IAM policy evaluation, roles, trust, cross-account access, SCPs, boundaries | Policy decision notes |
| Governance and accounts | 16-22 | AWS Organizations, delegated administration, account structure, Config, Security Hub | Multi-account security diagram |
| Logging and monitoring | 23-31 | CloudTrail, CloudWatch, VPC Flow Logs, Config, centralized logging | Logging architecture notes |
| Detection and response | 32-39 | GuardDuty, Detective, Inspector, Macie, EventBridge workflows, containment | Incident response runbooks |
| Infrastructure security | 40-47 | VPC controls, endpoints, Network Firewall, WAF, Shield, CloudFront, load balancing | Network security diagrams |
| Data protection | 48-53 | KMS, S3, Secrets Manager, ACM, encryption choices, key policy scenarios | Encryption decision notes |
| Mock and remediation | 54-58 | Full timed mock, review, weak-area retest | Updated error log |
| Final review | 59-60 | Light review, decision rules, exam readiness check | Final checklist |
90-day path
For 90 days, keep the same topic order but add spacing and repetition.
| Extra time | How to use it |
|---|---|
| Add 1 hands-on review day per week | Build or inspect a sandbox configuration, then write what each control does |
| Add spaced repetition | Retest old missed questions 3, 7, and 14 days later |
| Add a second mock cycle | Use one mock around the two-thirds point and another near the final week |
| Add architecture practice | Draw multi-account logging, cross-account access, encrypted data flow, and incident response diagrams |
| Add service comparison drills | Compare services that appear similar but solve different security problems |
A 90-day plan should not mean 90 days of passive reading. Keep weekly practice active.
Hands-on concept review
If you have access to a safe AWS sandbox, use hands-on review to reinforce concepts. Avoid experimenting in production accounts.
| Scenario | What to inspect or build | What you should be able to explain |
|---|---|---|
| IAM policy evaluation | Compare an identity policy, resource policy, permissions boundary, and SCP in a sample access decision | Which policy grants, which policy limits, and where explicit deny applies |
| Cross-account access | Trace a role assumption from Account A to Account B | Trust policy vs permissions policy vs caller permissions |
| Centralized logging | Sketch organization-level CloudTrail and log delivery to a security account | Who owns logs, who can modify them, and how alerts are triggered |
| GuardDuty finding response | Map finding to EventBridge rule, notification, and containment action | Difference between detection, investigation, and response |
| S3 data protection | Review bucket policy, Block Public Access, encryption settings, access points, and logging | How public exposure and unauthorized access are prevented |
| KMS key use | Inspect key policy, IAM permissions, grants, and service integration | Why access to the key and access to the data are separate concerns |
| VPC endpoint security | Compare public service access with VPC endpoint access | How routing, endpoint policies, and private connectivity affect exposure |
| Edge protection | Compare CloudFront, WAF, Shield, and load balancer controls | Which layer each service protects |
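The GuardDuty row above (finding, EventBridge rule, notification, containment) is easier to reason about with the pieces in code. This is an added study example, not AWS code and not part of the original page: it implements a small subset of EventBridge event-pattern matching (exact-value lists, nested objects and the `numeric` comparison filter) and a router that maps a matched finding to the containment actions a responder would automate. The findings are constructed sample data in the EventBridge "GuardDuty Finding" shape with fields trimmed, and the AWS API calls a real Lambda would make are returned as action records rather than executed.

```python
"""GuardDuty -> EventBridge rule -> containment decision (added study example; not AWS code).
Sample findings are constructed; the actions are returned as records, not executed."""

# An EventBridge event pattern in real syntax: fire only for high-severity findings (>= 7).
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}


def _leaf_matches(filters, value):
    """A filter list matches when any entry matches: a literal value or a {"numeric": [...]} filter."""
    for f in filters:
        if isinstance(f, dict) and "numeric" in f:
            ops = f["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 5], evaluated as an AND chain
            if isinstance(value, (int, float)) and all(
                    _OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif f == value:
            return True
    return False


def pattern_matches(pattern, event):
    """True when the event satisfies every key of the pattern (keys AND together, list entries OR)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif not _leaf_matches(expected, event[key]):
            return False
    return True


def plan_containment(event):
    """Map one GuardDuty finding to first-response actions, keyed on the affected resource type."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    base = {"finding_type": detail["type"], "severity": detail["severity"], "account": detail["accountId"]}
    if resource.get("resourceType") == "Instance":
        iid = resource["instanceDetails"]["instanceId"]
        return {**base, "actions": [
            f"snapshot the EBS volumes of {iid} before changing anything (evidence first)",
            f"replace the security groups on {iid} with an isolation group that allows no traffic",
            f"tag {iid} as quarantined and notify the on-call channel"]}
    if resource.get("resourceType") == "AccessKey":
        key = resource["accessKeyDetails"]
        return {**base, "actions": [
            f"attach an explicit-deny policy to {key['userName']} and deactivate key {key['accessKeyId']}",
            "for a role, revoke sessions issued before now with an aws:TokenIssueTime deny condition",
            f"query CloudTrail for {key['accessKeyId']} to scope what the credential touched"]}
    return {**base, "actions": ["route to an analyst: no automated containment for this resource type"]}


def triage(events, rule=HIGH_SEVERITY_RULE):
    """Containment plans for the events the rule would deliver; non-matching events are skipped."""
    return [plan_containment(e) for e in events if pattern_matches(rule, e)]


# Constructed sample findings (fake account, instance ID and AWS's documented example key ID).
SSH_BRUTE_FORCE = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "accountId": "111111111111", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
DNS_EXFIL = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "accountId": "111111111111", "type": "Trojan:EC2/DNSDataExfiltration", "severity": 8,
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
CRED_EXFIL = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "accountId": "111111111111", "severity": 8,
    "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "ci-deploy", "userType": "IAMUser"}}}}

if __name__ == "__main__":
    for plan in triage([SSH_BRUTE_FORCE, DNS_EXFIL, CRED_EXFIL]):
        print(plan["finding_type"], plan["actions"], sep="\n  ")
```

The low-severity brute-force finding never reaches the router because the rule's numeric filter drops it, which is the detection versus response boundary the table asks you to explain; lowering the threshold in the pattern is a rule change, not a code change, exactly as it would be in EventBridge.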
Optional read-oriented AWS CLI checks can help you connect exam concepts to real configurations:

```bash
aws sts get-caller-identity                      # confirm the account and principal you are calling as
aws iam get-policy --policy-arn <policy-arn>     # metadata only; take DefaultVersionId from this output, then:
aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>   # the actual policy document
aws kms get-key-policy --key-id <key-id> --policy-name default   # the key's resource policy; "default" is the only name
aws s3api get-public-access-block --bucket <bucket-name>         # bucket-level Block Public Access
aws s3control get-public-access-block --account-id <account-id>  # account-level setting; both layers apply
aws cloudtrail describe-trails                   # trails visible in this account and region, organization trails included
aws guardduty list-detectors                     # GuardDuty is enabled per region; expect at most one detector here
```
Use commands only in accounts where you are authorized to inspect resources.
Service-selection drills
SCS-C03 questions often test whether you choose the right AWS control for the requirement.
| Requirement in scenario | Think first about |
|---|---|
| Prevent an account or OU from using a service | AWS Organizations SCPs |
| Grant cross-account access to a resource | Role trust, identity policy, and resource policy requirements |
| Detect suspicious activity | GuardDuty, Security Hub, CloudTrail, VPC Flow Logs, Detective |
| Preserve audit history | CloudTrail, centralized logging, log protection, Config history |
| Respond automatically to findings | EventBridge, Lambda, Systems Manager, Security Hub automation patterns |
| Encrypt application data | KMS integration, key policy, IAM permissions, data service encryption options |
| Protect secrets | Secrets Manager, rotation patterns, IAM access, audit logging |
| Reduce public network exposure | VPC endpoints, PrivateLink, security groups, route design, WAF or CloudFront where appropriate |
| Monitor configuration drift | AWS Config rules, aggregators, conformance packs |
| Govern many accounts | AWS Organizations, delegated administrator, central security tooling |
Timed mock exam strategy
Timed mocks are most useful after you have reviewed enough material to understand the explanations.
| Plan length | When to use timed mocks |
|---|---|
| 7 days | One full timed mock around Day 2 before the exam, then deep review |
| 14 days | One full timed mock on Day 13, with timed mixed sets earlier |
| 30 days | Full mocks around Days 23 and 27 if fresh questions are available |
| 60 days | One mock around the final 1-2 weeks, plus timed blocks during the plan |
| 90 days | One mid-plan mock and one final-week mock, plus weekly timed blocks |
Mock review rules
After every mock:
- Review all wrong answers.
- Review all guessed-correct answers.
- Tag each miss by topic and cause.
- Identify repeated errors.
- Spend the next study session on the top weak tag.
- Retest with fresh questions later.
Do not take multiple full mocks in a row without review. The improvement comes from analysis, not from accumulating scores.
Practice readiness checks
Practice scores are not official AWS passing standards, but they can help you decide whether your preparation is stable.
You are trending ready when you can:
- Complete timed mixed sets without rushing the final questions.
- Explain why the correct answer is best and why the distractors are weaker.
- Handle IAM policy evaluation questions consistently.
- Choose between SCPs, IAM policies, permissions boundaries, and resource policies.
- Identify the right logging source for an investigation.
- Match detection findings to response actions.
- Reason through VPC exposure and traffic flow.
- Explain KMS access requirements without guessing.
- Solve multi-account governance scenarios.
- Avoid repeating the same error-log tags.
If your misses are scattered but explanations make sense, focus on timed practice. If your misses cluster around one topic, pause mixed practice and repair that topic first.
Final-week rules
| Rule | Reason |
|---|---|
| Stop adding major new material 2-3 days before the exam | Late overload creates confusion |
| Review the error log daily | Repeated misses are the highest-value fixes |
| Use short timed sets, not marathon sessions | Keeps recall sharp without fatigue |
| Revisit IAM, KMS, logging, and incident response | These are common security-specialty decision areas |
| Practice reading the final sentence of each question first | Helps identify the actual requirement |
| Sleep before the exam | Security scenario questions require careful reasoning |
Exam-day question approach
For each scenario, use a consistent process:
- Identify the goal: prevent, detect, respond, recover, audit, encrypt, or govern.
- Identify the scope: user, role, resource, account, OU, organization, VPC, region, or workload.
- Eliminate answers that solve the wrong goal.
- Check whether the answer is operationally realistic.
- Watch for least privilege, centralized control, automation, and evidence preservation.
- If stuck, mark and move on; return after easier questions are complete.
Practical next step
Start with a mixed diagnostic practice set for AWS Certified Security – Specialty (SCS-C03). Build an error log from that result, choose the 7-day, 14-day, 30-day, or 60/90-day path above, and schedule your next three study sessions by weak area rather than by guesswork.