AWS CERTIFICATION

SCS C02 Security Specialty Practice Exam

Exam Number: 1212 | Last updated April 24, 2026 | 1050+ questions across 6 vendor-aligned objectives

The AWS SCS C02 Security Specialty targets security engineers, architects, and operations specialists responsible for protecting AWS workloads end to end. Candidates typically have three to five years of security experience, including two years of AWS-specific security work, and are comfortable with data protection, encryption key management, identity federation, threat detection, and incident response. The exam emphasizes scenario-based decisions across the AWS security service portfolio.

Identity and Access Management and Threat Detection and Incident Response carry the highest weights. Identity and Access Management (16%) covers AWS Identity and Access Management policies including resource-, session-, and condition-based policies, AWS IAM Identity Center, identity federation with SAML 2.0 and OpenID Connect, and Service Control Policies through AWS Organizations. Threat Detection and Incident Response (14%) covers Amazon GuardDuty, AWS Security Hub, Amazon Detective, AWS Config, AWS CloudTrail, and AWS Systems Manager Incident Manager.

The remaining domains cover the full security lifecycle. Security Logging and Monitoring (18%) covers Amazon CloudWatch Logs, Amazon Macie, AWS CloudTrail Lake, and centralized log aggregation patterns. Infrastructure Security (20%) covers Amazon VPC controls, AWS Web Application Firewall, AWS Shield Advanced, AWS Network Firewall, and edge protection. Data Protection (18%) covers AWS Key Management Service, AWS CloudHSM, AWS Certificate Manager, AWS Private Certificate Authority, and Amazon S3 encryption strategies. Management and Security Governance (14%) covers AWS Control Tower, AWS Organizations, AWS Audit Manager, and AWS Trusted Advisor security checks.

Practice reading and writing AWS Identity and Access Management policy JSON until denials and condition keys feel obvious — at least four exam questions hand you partial policies. Memorize the difference between AWS Key Management Service customer-managed keys, AWS-managed keys, and AWS-owned keys, including which support key rotation and grants. For incident response questions, default to evidence-preservation patterns (snapshots, isolation security groups) before remediation steps.

Every answer links to the source. Each explanation below includes a hyperlink to the exact AWS documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

264 practice exam users · 92.8% satisfied users · 89.2% passed the exam · 4/5 quality rating

Test your SCS C02 Security Specialty knowledge

10 of 1050+ questions

Question #1 - Threat Detection and Incident Response

A security team needs continuous, ML-based threat detection across CloudTrail, VPC Flow Logs, and DNS logs without deploying agents.

Which service fits?

A) Amazon GuardDuty
B) Amazon Inspector
C) AWS Trusted Advisor
D) AWS WAF

Correct answers: A – Explanation:
GuardDuty analyzes those exact data sources with managed ML threat models, no agents required. Inspector scans hosts/containers/Lambda for CVEs; Trusted Advisor offers best-practice checks; WAF is L7 web protection. Source: [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html)

A compliance officer requires immutable, organization-wide audit logs of all API calls with cross-account aggregation.

Which configuration provides this?

A) Per-account CloudTrail trails with no S3 lock
B) An organization trail with logs sent to a central S3 bucket using S3 Object Lock
C) VPC Flow Logs only
D) CloudWatch Metrics dashboards

Correct answers: B – Explanation:
An Organizations-level trail captures every account’s events; sending to a central bucket with Object Lock (compliance mode) satisfies the immutability requirement. Per-account un-locked trails can be modified or deleted; Flow Logs are network-only; Metrics aren’t audit logs. Source: [Organization trails and Object Lock](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
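An immutable organization trail is only worth the storage if something reads it. As an added example that is not part of the practice exam page and is not AWS code, the Python below scans constructed CloudTrail records (the account IDs, trail ARNs, IPs and timestamps are placeholders written in the shape CloudTrail emits) and flags calls that alter logging itself. StopLogging is the API call the page names; DeleteTrail, UpdateTrail and PutEventSelectors are real CloudTrail actions added here. A record carrying an errorCode is a refused attempt (for example one blocked by an SCP); a record with no errorCode means the trail was actually changed.

```python
"""Scan CloudTrail records for changes to logging itself.

Added example (not from the practice exam page and not AWS code): the records
below are constructed in the shape CloudTrail writes so the scan runs offline.
A record carrying errorCode "AccessDenied" is an attempt that was refused
(for example by an SCP); a record with no errorCode means the call succeeded
and the audit trail really was changed.
"""
import json

# CloudTrail API calls that stop or alter what gets logged. StopLogging is the
# one the page names; the others are real CloudTrail actions added here.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample records (account IDs, ARNs and IPs are placeholders).
SAMPLE_RECORDS = json.dumps({"Records": [
    {   # blocked attempt: an admin in a member account hits an SCP deny
        "eventTime": "2026-04-24T10:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/admin"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"},
        "errorCode": "AccessDenied",
    },
    {   # successful tampering: no SCP in front of this account
        "eventTime": "2026-04-24T10:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.11",
        "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                         "arn": "arn:aws:iam::222222222222:user/ops"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:222222222222:trail/local-trail"},
    },
    {   # benign read-only CloudTrail call
        "eventTime": "2026-04-24T10:06:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.12",
        "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                         "arn": "arn:aws:iam::222222222222:user/auditor"},
    },
    {   # unrelated service call
        "eventTime": "2026-04-24T10:07:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.13",
        "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                         "arn": "arn:aws:sts::222222222222:assumed-role/app/i-0abc"},
    },
]})


def scan_records(raw_json: str) -> list[dict]:
    """Return one finding per logging-tampering call, whether denied or not."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in TAMPER_EVENTS:
            continue
        denied = "errorCode" in rec
        findings.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            "account": rec["userIdentity"].get("accountId"),
            "actor": rec["userIdentity"].get("arn"),
            "trail": rec.get("requestParameters", {}).get("name"),
            "outcome": "denied" if denied else "succeeded",
            # a refused attempt is still worth a ticket; a successful one is an incident
            "severity": "medium" if denied else "high",
        })
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['severity'].upper():6} {f['time']} {f['event']} by {f['actor']} -> {f['outcome']}")
```

In a real pipeline the same function would run over the gzipped JSON objects the organization trail writes to the central bucket, and the Object Lock retention is what guarantees the record of a successful DeleteTrail cannot itself be removed afterwards.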

A platform engineer must enforce that no IAM principal in the organization can disable CloudTrail logging, even an account admin.

Where should the control go?

A) IAM role policy in each account
B) AWS Config rule alone
C) Bucket policy on the CloudTrail bucket
D) A Service Control Policy (SCP) at the OU/root in AWS Organizations

Correct answers: D – Explanation:
SCPs cap the maximum permissions for accounts and override account-level admin grants. IAM policies can be modified by account admins; bucket policies don’t stop StopLogging API calls; Config rules detect, not prevent. Source: [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
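The study tip above asks for fluency in reading policy JSON, and this explanation rests on the evaluation order between SCPs and identity policies. As an added example (not code from the practice exam page or from AWS), the Python below embeds an SCP with an explicit Deny on the CloudTrail tampering calls, an AdministratorAccess-shaped identity policy, and a deliberately minimal evaluator that applies the documented rule for one account: every SCP in the chain must allow the action and none may deny it, and only then does the IAM policy decide. Resource policies, permissions boundaries and session policies are left out; the action names are real CloudTrail actions, and the trail ARN and account ID are constructed.

```python
"""Minimal policy evaluator showing why an SCP deny wins over an account admin.

Added example, not code from the practice exam page or from AWS. It models the
documented combination for one account: every SCP in the chain must allow the
action and none may deny it, and only then does the principal's IAM policy
decide. Resource policies, permissions boundaries and session policies are
left out. Action names are real CloudTrail actions; the trail ARN is constructed.
"""
import fnmatch
import json

# SCP attached at the OU or root: keeps the default FullAWSAccess allow and adds
# an explicit Deny for the calls that would switch CloudTrail off or alter it.
DENY_CLOUDTRAIL_TAMPERING_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyCloudTrailTampering",
     "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
     "Resource": "*"}
  ]
}""")

# Identity policy of an account administrator (AdministratorAccess shape).
ADMIN_IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(candidate: str, patterns, fold_case: bool = False) -> bool:
    """IAM-style wildcard match ('*' and '?'); actions compare case-insensitively."""
    patterns = _as_list(patterns)
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate_policy(policy: dict, action: str, resource: str) -> tuple[bool, bool]:
    """Return (has_allow, has_deny) for one policy document."""
    has_allow = has_deny = False
    for stmt in _as_list(policy["Statement"]):
        if not _glob(action, stmt.get("Action", []), fold_case=True):
            continue
        if not _glob(resource, stmt.get("Resource", [])):
            continue
        if stmt["Effect"] == "Deny":
            has_deny = True
        elif stmt["Effect"] == "Allow":
            has_allow = True
    return has_allow, has_deny


def is_allowed(action: str, resource: str, iam_policy: dict, scps: list) -> bool:
    """Combine the SCP chain (organization guardrail) with the principal's IAM policy."""
    for scp in scps:  # root -> OU -> account: each level must allow, none may deny
        scp_allow, scp_deny = evaluate_policy(scp, action, resource)
        if scp_deny or not scp_allow:
            return False
    iam_allow, iam_deny = evaluate_policy(iam_policy, action, resource)
    return iam_allow and not iam_deny


if __name__ == "__main__":
    for act in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails"):
        with_scp = is_allowed(act, TRAIL_ARN, ADMIN_IAM_POLICY, [DENY_CLOUDTRAIL_TAMPERING_SCP])
        no_scp = is_allowed(act, TRAIL_ARN, ADMIN_IAM_POLICY, [])
        print(f"{act}: with SCP -> {with_scp}, without SCP -> {no_scp}")
```

The point the evaluator makes concrete: the admin's `Allow *` is untouched, yet StopLogging is refused because the SCP deny is checked before the identity policy is ever consulted, which is exactly why a per-account IAM policy (option A) cannot give the same guarantee.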

An ALB-fronted application is being targeted by SQL-injection attempts and known malicious IPs.

Which combination of controls is most appropriate?

A) AWS WAF managed rules (SQLi) plus IP-set rules and AWS Shield Standard
B) Security groups only
C) Disable HTTPS
D) S3 Block Public Access

Correct answers: A – Explanation:
WAF inspects HTTP(S) requests and blocks SQLi via managed rules; IP sets block known-bad IPs; Shield Standard handles common DDoS at no extra cost. Security groups are L3/L4; disabling HTTPS is harmful; Block Public Access is for S3, not ALB. Source: [AWS WAF managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html)

Sensitive data is stored in S3 and must be encrypted with customer-managed keys, with full key-rotation control and per-key access auditing.

Which key type meets the requirements?

A) S3-managed keys (SSE-S3)
B) AWS-managed KMS key (aws/s3)
C) Customer-managed KMS keys (CMK)
D) No encryption with strict bucket policy

Correct answers: C – Explanation:
Customer-managed KMS keys give you control over key policies, automatic or on-demand rotation, and CloudTrail-audited per-key usage. SSE-S3 and aws/s3 are AWS-controlled; no encryption violates the requirement. Source: [SSE-KMS with customer-managed keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html)

An EC2 instance is suspected of being compromised. The team must preserve forensic evidence and isolate it from the network.

Which steps are appropriate? (Choose two.)

A) Take an EBS snapshot of all volumes for forensic analysis
B) Replace its security groups with one that denies all ingress and egress (or move it to a quarantine SG)
C) Immediately terminate the instance
D) Disable CloudTrail logging on the account

Correct answers: AB – Explanation:
Snapshotting volumes preserves disk evidence; isolating with a deny-all/quarantine SG stops further damage while preserving the running instance for memory/process forensics. Terminating destroys volatile evidence; disabling CloudTrail destroys audit trails — both are anti-patterns. Source: [Incident response in AWS](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html)

A federated workforce uses a corporate IdP to access AWS. The security team wants short-lived credentials and centralized permission sets across many accounts.

Which service is purpose-built?

A) IAM users with long-lived access keys
B) Per-account root credentials
C) AWS IAM Identity Center (formerly AWS SSO)
D) Direct EC2 instance keypairs

Correct answers: C – Explanation:
IAM Identity Center federates with the corporate IdP and assigns permission sets across Organization accounts, issuing short-lived credentials. IAM users with long keys are the opposite; root credentials must never be used; EC2 keypairs are for SSH, not console/AWS access. Source: [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)

Outbound traffic from EC2 instances must be filtered by destination domain (e.g., allow only specific external SaaS hostnames).

Which service provides domain-name-aware egress filtering?

A) AWS Network Firewall with stateful domain rules
B) Network ACLs
C) Security groups
D) Internet Gateway flags

Correct answers: A – Explanation:
Network Firewall supports stateful rule groups including domain-list filtering for HTTP(S) egress. Security groups and NACLs filter on IP/port, not hostnames; IGW has no filtering knobs. Source: [Network Firewall stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html)

An application stores a database password and an API key for a third-party service. The security team requires automatic rotation.

Which service should they use?

A) AWS Systems Manager Parameter Store standard tier without rotation
B) AWS Secrets Manager with rotation Lambdas
C) Plaintext entries in environment variables
D) Embedded constants in source code

Correct answers: B – Explanation:
Secrets Manager natively supports scheduled rotation via Lambda functions, including built-in rotation for RDS engines. Standard Parameter Store doesn’t rotate; env vars and source-code constants are insecure. Source: [Rotating AWS Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html)

A centralized security tooling team wants near-real-time, normalized findings from GuardDuty, Inspector, Macie, and IAM Access Analyzer in one place.

Which service aggregates these?

A) AWS CloudTrail Lake only
B) Amazon QuickSight
C) AWS X-Ray
D) AWS Security Hub

Correct answers: D – Explanation:
Security Hub aggregates and normalizes findings from native AWS security services and partner products in the AWS Security Finding Format (ASFF). QuickSight is BI; X-Ray is tracing; CloudTrail Lake is for queryable audit logs only. Source: [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)

Get 1050+ more questions with source-linked explanations

Every answer traces to the exact AWS documentation page — so you learn from the source, not just memorize answers.

Exam mode & learn mode · Score by objective · Updated April 24, 2026


What the AWS Security Specialty exam measures

  • Threat Detection and Incident Response (14%) — Detect threats with Amazon GuardDuty and AWS Security Hub, investigate with Amazon Detective, and respond with AWS Systems Manager Incident Manager.
  • Security Logging and Monitoring (18%) — Centralize logs in Amazon CloudWatch Logs and AWS CloudTrail Lake, classify sensitive data with Amazon Macie, and design enterprise log aggregation.
  • Infrastructure Security (20%) — Protect Amazon VPC environments with security groups and network ACLs, deploy AWS Network Firewall and AWS WAF, and mitigate volumetric attacks with AWS Shield Advanced.
  • Identity and Access Management (16%) — Author least-privilege AWS Identity and Access Management policies, federate identity with AWS IAM Identity Center, and govern multi-account access with Service Control Policies.
  • Data Protection (18%) — Manage encryption keys with AWS Key Management Service and AWS CloudHSM, issue certificates with AWS Certificate Manager and AWS Private CA, and protect Amazon S3 with bucket policies and encryption.
  • Management and Security Governance (14%) — Standardize landing zones with AWS Control Tower, organize accounts with AWS Organizations, audit with AWS Audit Manager, and review with AWS Trusted Advisor.

  • Review the official AWS exam guide and confirm the latest domain weights and content scope before scheduling.
  • Complete the matching learning plan on AWS Skill Builder, including the digital courses and exam prep modules.
  • Build hands-on muscle memory in an AWS Free Tier account by deploying the services that appear in the Infrastructure Security domain.
  • Apply your skills to a real-world project — workplace assignments, volunteer work, or open-source contributions where AWS services solve a concrete problem.
  • Master one objective at a time, beginning with the highest-weighted domain so the score impact of each study session is maximized.
  • Run PowerKram in Learn mode to read the explanations and follow every sourced documentation link until you can predict the right answer before reading the choices.
  • Switch to PowerKram Exam mode across all objectives once your accuracy in Learn mode passes 85%, simulating the timed exam experience.

The Security Specialty credential is one of the most consistently in-demand AWS certifications:
