AWS Certified Security Specialty (SCS-C02)

Complete study library — 17 guides covering the full exam domain map. Each guide follows the same structure: Overview → Core Services → Exam Logic → Integrations → Costs & Limits → Best Practices & Traps → Flashcards → Quiz.

18 Study Guides · ~296 Flashcards · ~159 Scenario Questions · 42 Services Covered

Legend: Contains 2025–2026 fresh material · Standalone service · Bundled cluster

Detection-to-Remediation Orchestration

Cross-cutting — read this before/alongside the rest
EventBridge · SNS/SQS · Lambda · SSM Automation · Config Remediation · Step Functions · Security Hub Custom Actions vs Automation Rules 16 cards · 9 Q

The direct answer to "does a finding auto-execute, or does it need wiring?" No detective service fixes anything by default — this guide is the orchestration layer connecting every finding-generating service in this library to an actual remediation action. Built around a Preventive → Detective → Responsive → Remediation framework.

Start here · Security Hub Automation Rules vs Custom Actions, rule-overlap trap
1. Detection & Response

Threat Detection & Incident Response
Amazon GuardDuty 20 cards · 10 Q

ML threat detection across CloudTrail/VPC Flow Logs/DNS/runtime. Extended Threat Detection attack sequences, protection plans, Critical severity.

Standalone · ETD, EC2 Runtime Monitoring
Amazon Inspector 16 cards · 10 Q

Vulnerability management — hybrid agent/agentless EC2 scanning, ECR image scanning, Code Security (SAST/SCA/IaC), risk scoring beyond raw CVSS.

Standalone · VM Scanner, Windows KB findings
Amazon Macie 16 cards · 10 Q

Sensitive data discovery in S3 — automated vs targeted discovery, bucket posture evaluation, managed/custom identifiers, S3-only scope.

Standalone
Amazon Detective 14 cards · 10 Q

Investigation/forensics layer — behavior graph, finding groups, GenAI summaries. Investigates findings; never generates new ones itself.

Standalone · GenAI finding group summaries
AWS Security Hub 16 cards · 10 Q

Security Hub CSPM (compliance standards) vs the new enhanced Security Hub (cross-service exposure findings correlating GuardDuty + Inspector + Macie + CSPM).

Standalone · CSPM rebrand, exposure findings
2. Logging & Auditing

Security Logging & Monitoring
AWS CloudTrail (incl. Insights) 16 cards · 10 Q

Management/data/network activity events, Insights' statistical anomaly detection vs GuardDuty's ML, CloudTrail Lake's new-customer cutoff.

Standalone · Network Activity Events, Lake closing to new customers
AWS Config 16 cards · 9 Q

Detective vs proactive evaluation mode, conformance packs, remediation actions. Proactive mode is the one path where Config genuinely blocks deployment.

Standalone · 75 new managed rules (Mar 2026)
3. VPC Security Bundle

Infrastructure Security
SGs/NACLs · Flow Logs · Peering · PrivateLink · Transit Gateway · Traffic Mirroring · Network Firewall · Verified Access · RAM 24 cards · 12 Q

9 services in one file. Layered network defense — basic filtering through deep packet inspection through zero-trust app access through cross-account sharing.

Bundle · Network Firewall + TGW native attach, Verified Access non-HTTP(S)
4. Identity Clusters

Identity & Access Management
SAML · OIDC · Cognito · IAM Identity Center · Trusted Identity Propagation 17 cards · 8 Q

Match the population to the protocol — workforce vs customer-facing vs machine/CI-CD. Trusted Token Issuer now accepts any OIDC-compliant source.

Bundle · Trusted Token Issuer broadened 2026
IAM · Access Analyzer · Organizations · SCPs · RCPs · Control Tower 19 cards · 9 Q

SCPs cap identities; RCPs cap resources. Centralized Root Access Management, Control Tower's Controls Dedicated experience.

Bundle · RCPs (2024+), Centralized Root Access (Nov 2025)
Cross-Account Patterns · IMDSv2 · Session Manager · STS Mechanics 18 cards · 9 Q

The boundary layer — confused deputy/ExternalId, SSRF-to-credential-theft chains, role chaining caps, source identity tracking.

Bundle · Org Declarative Policies for IMDSv2
5. Encryption & Key Management Bundle

Data Protection
KMS · Multi-Region Keys · CloudHSM · Secrets Manager · Certificate Manager 18 cards · 9 Q

Managed multi-tenant vs dedicated single-tenant hardware. Post-quantum cryptography (ML-KEM/ML-DSA) rolling out across KMS, ACM, Secrets Manager.

Bundle · Post-quantum TLS, ACM 198-day certs (Mar 2026)
6. Compute & Container Security Bundle

Infrastructure Security
Lambda Security · EKS Security · Container Security (ECR/ECS/Fargate) 16 cards · 9 Q

SnapStart's two hazards (stale secrets, repeated uniqueness). Pod Identity vs IRSA — the central EKS workload-identity distinction.

Bundle · Pod Identity cross-account chaining (Jun 2025)
7. Resilience Bundle

Data Protection / Incident Response
AWS Backup · Vault Lock · Logically Air-Gapped Vaults · Multi-Party Approval · AWS DRS 16 cards · 9 Q

Does your backup survive the same incident that took down production? Cross-account isolation as the real ransomware-resilience answer.

Bundle · LAG vault CMK support, single-step DB copy (2026)
8. WAF & Shield Bundle

Infrastructure Security
AWS WAF · Bot Control · Fraud Control (ATP/ACFP) · Shield Standard/Advanced · Network Security Director 16 cards · 9 Q

WAF filters request content (L7); Shield absorbs volumetric floods (L3/4 + L7). Shield Advanced's auto-mitigation actually deploys WAF rules.

Bundle · Anti-DDoS AMR default (Mar 2026), network security director
9. Detective Tooling Bundle

Security Logging & Monitoring
Amazon CloudWatch · AWS Trusted Advisor 15 cards · 8 Q

The generic substrate underneath every other detective service. CloudWatch Logs anomaly detection, Trusted Advisor's support-plan-gated checks.

Bundle · Infrequent Access full Insights support (2026)

Note: IAM Access Analyzer lives in the IAM & Governance Bundle, not here.

10. Service Hardening Depth Bundle

Data Protection
S3 Security Depth · RDS/Aurora Specifics · KMS Grants 18 cards · 9 Q

Mechanism-level detail beneath the service name: Object Lock modes, IAM DB auth precedence, Database Activity Streams, grant eventual consistency.

Bundle · SSE-C disabled by default (Apr 2026)

How to use this library