AWS SCS-C03 Study Guide

ℹ️ EXAM INFO Exam Overview & Strategy ▼

Detail	Info
Exam Code	SCS-C03 (current — C02 retired Dec 1 2025)
Questions	65 total (50 scored + 15 unscored)
Duration	170 minutes
Passing Score	750 / 1000 (scaled)
Question Types	Multiple choice, multiple select, scenario-based
Experience	3–5 years designing AWS security solutions

Priority order: IAM (20%) + Infrastructure (18%) + Data Protection (18%) = 56% of the exam. Master these three first.

Domain	Weight	~Questions
1. Detection	16%	~8
2. Incident Response	14%	~7
3. Infrastructure Security	18%	~9
4. Identity & Access Management	20%	~10
5. Data Protection	18%	~9
6. Security Foundations & Governance	14%	~7

D1 Detection 16% ▼

Core Services

GuardDuty · CloudTrail · CloudWatch · Security Hub · Detective · VPC Flow Logs

CloudTrail

Management events: ON by default. Data events (S3 object-level, Lambda invoke): opt-in only
Enable multi-region trail + log file validation + deliver to S3 + CloudWatch Logs
CloudTrail Insights: detects unusual API call rates (anomaly detection)
CloudTrail Lake: SQL-queryable, long-term investigation store
Protect logs: S3 MFA delete + restrictive bucket policy + log file validation

GuardDuty

Analyzes CloudTrail, VPC Flow Logs, DNS logs automatically — no agents
EKS audit log protection: must be explicitly enabled
Member accounts: enable via Organizations for all accounts/regions at once
Finding categories: Recon, Backdoor, CryptoCurrency, UnauthorizedAccess, Trojan
Suppression rules: filter noise from known-safe activity

Security Hub

Aggregates findings in ASFF (Amazon Security Finding Format)
Standards: CIS AWS Foundations, AWS FSBP, PCI-DSS, NIST
Delegated admin account receives findings from all member accounts
Custom insights: filter/group findings by criteria

Amazon Detective

Used for post-incident investigation, NOT alerting
Builds behavior graph from GuardDuty, CloudTrail, VPC Flow Logs
Use when: "investigate WHY a GuardDuty finding fired"

CloudWatch Alarms

Metric filter on CloudTrail log group → alarm → SNS
Key alerts: root login, console failures, SG changes, CloudTrail stopped

Exam traps: CloudTrail does NOT log data events by default. GuardDuty does NOT analyze EKS by default. VPC Flow Logs capture metadata only — no packet content.

Common Question Patterns

"Detect unauthorized API calls" → CloudTrail + CloudWatch metric filter + alarm
"Centralize findings across 50 accounts" → Security Hub + delegated admin
"Investigate network flows after GuardDuty alert" → Amazon Detective
"Prevent CloudTrail log deletion" → S3 MFA delete + bucket policy + log file validation

D2 Incident Response 14% ▼

Core Services

Systems Manager · EventBridge · Lambda · Step Functions · EC2

Compromised EC2 — Memorize This Flow

1. Capture instance metadata + memory snapshot
2. Isolate: swap security group → quarantine SG (no inbound/outbound)
3. EBS snapshot(s) for forensic copy
4. Create forensic AMI if needed
5. Mount EBS snapshot read-only in isolated forensic instance
❌ Never "clean" and return to production

Compromised IAM Credentials — Memorize This Flow

1. Disable the access key immediately
2. Attach explicit deny policy with aws:TokenIssueTime condition (revokes active sessions)
3. Rotate all other credentials
4. Review CloudTrail for actions taken with that key
5. Check for new IAM users, roles, access keys created

Automated IR Pattern

GuardDuty finding → EventBridge rule → Lambda → (modify SG, disable key, notify SNS)
Complex workflows → Step Functions (retry logic, parallel actions)
Standardized runbooks → SSM Automation documents
Ticket tracking → OpsCenter

Forensics Best Practices

Cross-account snapshot sharing → forensic account
Preserve chain of custody: hash EBS snapshots (SHA-256)
Mount as read-only: never write to forensic volume
CloudTrail Lake for SQL-based historical investigation

Exam traps: "First step when key is exposed in GitHub" → disable the key (NOT rotate — rotation creates a new key but the old one still works until disabled)

D3 Infrastructure Security 18% ▼

Security Groups vs. NACLs

Feature	Security Groups	NACLs
Level	ENI (instance)	Subnet
State	Stateful	Stateless
Rules	Allow only	Allow AND Deny
Evaluation	All rules evaluated	Lowest number first
Default	Deny all inbound	Allow all

VPC Endpoints

Type	Services	Cost	Mechanism
Gateway	S3 + DynamoDB only	Free	Route table entry
Interface (PrivateLink)	All other AWS services	$/hr + data	ENI in subnet

Force private S3 access: endpoint policy + bucket policy with aws:SourceVpce condition

WAF Attachment Points

Application Load Balancer (ALB)
CloudFront distribution
API Gateway (REST + HTTP)
AppSync GraphQL API
Cognito User Pool

Shield Standard vs. Advanced

Feature	Standard	Advanced
Cost	Free	$3,000/month
Protection	L3/L4 auto	L3/L4/L7 + SRT
DDoS cost protection	No	Yes
WAF included	No	Yes (for L7)

Session Manager (No SSH!)

No open ports. No key pairs. IAM-controlled. Full audit trail to S3/CloudWatch. Works through NAT/private subnets. Always choose over bastion host.

IMDSv2 vs. IMDSv1

IMDSv2 requires PUT request for session token before GET — mitigates SSRF attacks
Enforce via instance metadata options: HttpTokens=required
Exam: "prevent SSRF from accessing instance metadata" → enforce IMDSv2

Common Question Patterns

"Block SQL injection, minimal management" → WAF + AWS managed SQLi rule group
"Private S3 access, no internet" → Gateway VPC endpoint + bucket policy with SourceVpce
"SSH with full audit, no open ports" → Systems Manager Session Manager
"Centrally manage WAF rules across org" → AWS Firewall Manager
"Deep packet inspection in VPC" → AWS Network Firewall (Suricata rules)

D4 Identity & Access Management 20% ⭐ ▼

Policy Evaluation Logic — MEMORIZE THIS

1. Explicit DENY anywhere → DENY (always wins)
2. SCP doesn't allow → DENY
3. Resource-based policy grants (same account) → ALLOW
4. Identity-based policy grants → ALLOW
5. Permission Boundary denies → DENY
6. Session Policy denies → DENY
7. Default → DENY

Cross-account: BOTH must allow: role trust policy in target account AND IAM policy in source account (or resource-based policy alone for S3/KMS)

Policy Types Reference

Type	Attached To	Can Grant	Can Deny
Identity policy	User/Group/Role	Yes	Yes
Resource policy	S3, KMS, SQS…	Yes	Yes
SCP	OU/Account	No	Yes
Permission Boundary	User/Role	No	Yes
Session Policy	STS Session	No	Yes

ABAC vs. RBAC

RBAC: roles map to job functions — scales poorly with many teams
ABAC: tags as attributes — aws:ResourceTag/Project == aws:PrincipalTag/Project
ABAC scales better for large orgs; requires consistent tagging discipline

Cognito

Pool Type	Purpose	Returns
User Pool	Authentication (sign in)	JWT tokens
Identity Pool	Authorization	AWS credentials (via STS)

Flow: User → IdP → Cognito User Pool (JWT) → Identity Pool → STS → AWS credentials

IAM Access Analyzer

Finds resources shared outside zone of trust (account or org)
Analyzes: S3, IAM roles, KMS keys, Lambda, SQS, Secrets Manager
Policy validation: checks policies for errors before deploy
Unused access: identifies over-privileged roles (rightsizing)
No finding = resource IS private (not a problem)

IAM Identity Center (SSO)

Workforce access to multiple AWS accounts from one place
Connects to: Active Directory, Okta, Azure AD via SAML/OIDC
Permission sets = IAM policies applied to account assignments
SCIM: automatic user provisioning from IdP

Common Question Patterns

"Users can only access resources with their team's tag" → ABAC with tag conditions
"SCP allows Admin but IAM user can't access" → check permission boundary or session policy
"Never disable CloudTrail in any member account" → SCP Deny cloudtrail:StopLogging at OU root
"Mobile app users access DynamoDB with their own permissions" → Cognito Identity Pool → IAM roles
"Permission boundary on role with AdministratorAccess" → boundary is the effective limit

D5 Data Protection 18% ▼

Envelope Encryption — MEMORIZE THIS

1. AWS generates data key (plaintext + encrypted copy)
2. App uses plaintext data key to encrypt data locally
3. App stores encrypted data key alongside ciphertext
4. Delete plaintext data key from memory
5. To decrypt: call KMS to decrypt encrypted data key → decrypt data

KMS Key Types

Type	Cost	Rotation	Control
AWS-managed	Free	Auto (1yr)	None
Customer-managed CMK	$1/month	Manual or auto	Full
AWS-owned	Free	AWS manages	Not visible

Key policy MUST include root account to prevent lockout
Cross-account: add external principal to key policy + IAM policy in target account (both)
kms:ViaService: restrict key use to specific AWS services only
KMS deletion: 7–30 day waiting period — cancellable

KMS vs. CloudHSM

Feature	KMS	CloudHSM
FIPS level	140-2 Level 2	140-2 Level 3
Tenancy	Multi-tenant	Single-tenant dedicated
Management	AWS	You
Use case	Most workloads	Strict compliance, custom crypto

S3 Encryption Options

Type	Key Managed By	CloudTrail	Extra Cost
SSE-S3	AWS (AES-256)	No	No
SSE-KMS	KMS CMK	Yes	KMS API calls
SSE-C	Customer (per request)	No	No
CSE	Customer (client-side)	No	No

Reject unencrypted S3 uploads: bucket policy Deny if s3:x-amz-server-side-encryption header is absent
Reduce KMS costs: enable S3 Bucket Keys

Secrets Manager vs. Parameter Store

Feature	Secrets Manager	Parameter Store
Cost	~$0.40/secret/mo	Free (standard)
Auto-rotation	Yes, native	No (custom only)
Use case	DB passwords, API keys	Config + basic secrets

ACM Certificates

Public certs: free, auto-renew, cannot be exported
Deploy to: CloudFront, ALB, API Gateway, Elastic Beanstalk only
NOT deployable directly to EC2 — use ACM Private CA + export, or self-managed cert
Private CA: for internal PKI, mTLS, custom certificate issuance

Common Question Patterns

"Lambda decrypts 10k/sec, KMS costs high" → envelope encryption + cache data key
"RDS password rotation without app downtime" → Secrets Manager auto-rotation
"FIPS 140-2 Level 3 required" → CloudHSM
"Find PII in S3 buckets across accounts" → Amazon Macie
"ACM cert on EC2" → Not supported — use Private CA or import own cert

D6 Security Foundations & Governance 14% ▼

SCP Rules — MEMORIZE

• SCPs RESTRICT — they NEVER grant permissions
• SCPs do NOT apply to the management account
• SCPs do NOT affect service-linked roles
• Effective permission = intersection of all SCPs in parent OUs
• FullAWSAccess must be explicitly attached — not default

Control Tower Guardrail Types

Type	Implementation	Effect
Preventive	SCP	Blocks the action
Detective	Config rule	Alerts on violation
Proactive	CloudFormation hooks	Checks before creation

Multi-Account Architecture

Management account: Org root only — no workloads ever
Security Tooling account: GuardDuty admin, Security Hub admin, delegated services
Log Archive account: immutable CloudTrail + Config logs (restrict delete)
Network account: Transit Gateway, shared VPC services

Compliance Services

Service	Use Case
AWS Config	Continuous config drift detection, remediation
Audit Manager	Auto-collect evidence for compliance frameworks (HIPAA, SOC2, PCI)
AWS Artifact	Download AWS compliance reports (SOC, ISO, PCI) for auditors
Security Hub	Aggregate findings + run CIS/PCI-DSS/NIST compliance checks
Macie	S3 sensitive data classification (PII detection) — NOT threat detection

NEW: GenAI Security (SCS-C03 Only)

Bedrock guardrails: content filters, denied topics, PII redaction, word filters
IAM conditions to restrict which foundation models users can invoke
Bedrock does NOT use customer data to train base models by default
Model invocation logging: log to S3/CloudWatch for audit trail
SageMaker: VPC isolation, encryption at rest/transit, IAM roles for endpoints
Prompt injection: validate + sanitize inputs before sending to foundation models

Common Question Patterns

"Prevent disabling GuardDuty in all member accounts" → SCP Deny guardduty:DeleteDetector
"Config data across 100 accounts in one place" → Config aggregator + delegated admin
"Auditor needs SOC 2 report" → AWS Artifact
"Auto PCI-DSS evidence collection" → AWS Audit Manager with PCI-DSS framework
"New account auto-gets security baseline" → Control Tower Account Factory + mandatory guardrails

⚠️ TRAPS Common Trick Questions ▼

The Trap	The Real Answer
MFA on root account	Hardware MFA — virtual MFA not enough for exam scenarios
SCP allows Admin but user blocked	Check permission boundary or session policy
KMS key deleted, data gone?	7–30 day deletion window — cancel if within window
CloudTrail not logging S3 object access	Data events must be explicitly enabled
New account, GuardDuty not detecting	Must be enabled per region OR use Organizations auto-enable
Access Analyzer shows no findings	Resource IS private — only shows external access
Shield Advanced SRT can help	Only if pre-authorized AND subscribed to Advanced
ACM cert on EC2 directly	Not supported — ACM public certs for integrated services only
Deny in SCP for management account	SCPs do NOT apply to management account
AdministratorAccess + permission boundary	Boundary is the effective limit — Admin is capped
First step when key exposed in GitHub	DISABLE the key (not rotate — old key still works until disabled)
Revoke active IAM role sessions	Attach deny policy with aws:TokenIssueTime condition

🔍 GuardDuty Finding Types

🔑 KMS Key Policy Rules

🏛️ SCP Rules

🌐 WAF Attachment Points

🔐 S3 Encryption

👤 Cognito

🛡️ Shield

📋 Compliance Quick Picks

🔄 IR Automation Pattern

🔗 VPC Endpoints

🔓 ACM Certs

⚙️ Control Tower

⚔️ SECURITY ARENA