How I passed the AWS Security Specialty and how you can too
Geovane Oliveira · 2026-06-01 · via DEV Community

Introduction to AWS certifications

First things first, let's understand what the AWS Security Specialty certification is and where it fits in the AWS certification ecosystem.

AWS certifications are divided into levels, each one targeting a different stage of your journey:

  • Practitioner
  • Associate
  • Professional
  • Specialty

The practitioner level is where most people start.
It focuses on foundational cloud concepts and basic AWS knowledge.

As of today, there are two certifications at this level:

  • AWS Cloud Practitioner
  • AWS AI Practitioner

The Cloud Practitioner covers core concepts like IAM, security, availability, pricing, and general cloud architecture.

The AI Practitioner follows a similar structure, but focused on AI concepts and AWS AI services.


The associate level is where things start to get more practical.

At this level, you are expected to understand how to design and build solutions using AWS services.
Some well-known certifications here are:

  • Solutions Architect Associate
  • Developer Associate
  • CloudOps Engineer Associate (formerly SysOps Administrator)
  • Data Engineer Associate
  • Machine Learning Engineer Associate

The professional level goes much deeper.

Here, you are expected to design complex architectures, handle trade-offs, and make decisions based on real-world constraints.

The main certifications are:

  • Solutions Architect Professional
  • DevOps Engineer Professional
  • Generative AI Developer Professional

Finally, we have the specialty certifications.

These are focused on specific domains and require deep knowledge in a particular area.

Examples include:

  • Security Specialty
  • Machine Learning Specialty (Retired)
  • Advanced Networking Specialty

And this is exactly where things start to get serious.

At this level, AWS is no longer testing whether you understand the services.
It's testing whether you can actually apply them in complex, real-world scenarios.


What it is and who this certification is for

The AWS Security Specialty is one of the most difficult certifications in your AWS journey.

This exam expects that you already know the basics and are comfortable with complex and long detailed scenarios that you often come across when designing and securing AWS workloads.

So the exam will not ask you what GuardDuty is or what WAF is.
Instead, it will present you with a detailed scenario, and you, as a security engineer, will have to find the solution that best fits the situation.

Just like in the real world, a single service will not solve your need.
It's a combination of services and configurations tailored to your scenario.

Because of that, you need a solutions architect mindset with an additional layer of SysOps knowledge and, of course, deep security expertise.

Without this knowledge, you won't be able to come up with a solution.

It's highly recommended that you have already passed the Solutions Architect certification before attempting the Security Specialty.
Although this is not a hard prerequisite, it is strongly recommended.

The AWS Security Specialty is intended for experienced security professionals who work mainly on securing AWS environments.

AWS recommends that you have at least 3 to 5 years of hands-on experience with AWS security, plus strong knowledge of vendor-neutral security principles that can be applied to any cloud provider or application. That's where certifications like CompTIA Security+ and CCSP come in, giving you solid, vendor-agnostic knowledge.

This is a Specialty level certification, which means you are expected to have deep knowledge of security and securing AWS workloads at an enterprise level.

The questions are scenario-based and usually long, with long and very similar answer options. Only one answer fully satisfies the scenario, which may result in you flagging a lot of questions to review later on.

Be prepared for a mental endurance test that will challenge not only your technical knowledge, but also your ability to maintain focus for up to 3 hours of long, scenario-based questions (or 3h30 if you are not a native English speaker and apply for the ESL extra time).


How to prepare for the exam

Before you attempt the Security Specialty, you need both foundational and advanced security knowledge, and both foundational and advanced AWS knowledge.

For security knowledge, there are many ways you can achieve it.

I highly recommend that you study for CompTIA Security+, which will give you very solid, vendor neutral security knowledge that you can apply in any environment or application.

You will learn concepts like:

  • least privilege
  • cryptography
  • authentication and authorization
  • defense in depth
  • threat vectors

There are also many foundational, intermediate, and advanced courses available on AWS Skill Builder.

Some of them are paid, but most are free, and you can also earn badges to show on your LinkedIn profile.

But remember, this does not replace the necessary hands on experience.

Many courses offer guided labs, but the best way to learn is by actually building something, applying the security concepts, breaking things, fixing things, and testing different approaches.

You should also build your portfolio, which will help you gain experience, increase your confidence, and improve your attractiveness for job opportunities.

Here's a list of courses and materials I do recommend for your security journey:

- AWS Security Fundamentals
- Ultimate AWS Certified Security Specialty SCS-C03 by Stephane Maarek (this is a must-have course)
- AWS Skill Builder Exam Prep Plan Security - Specialty (SCS-C03)

Extras:
- Foundations of Cybersecurity by Google
- CompTIA SY0-701 Security+ Free Training Course - Professor Messer


My journey to AWS Security Specialty

As a cloud security engineer, I already have extensive knowledge about cybersecurity and solutions architecture, which helped me a lot in my journey to the Security Specialty. But that doesn't mean it was easy.

It does help, but the exam explores many AWS services that you might not have much familiarity with in your daily work. That's why you really need to practice in the AWS console and also take as many practice exams as you can.

My first attempt was back in August 2024, after studying for more than six months. I almost passed on my first try. I scored 718 points, which is very close to the passing score.

[Image: AWS Security Specialty First Try]

I became really frustrated because I missed it by just a few questions, and I knew how much effort and time I had put into my preparation. I knew I had the necessary knowledge, but it wasn't enough.

After the exam, I tried to remember some of the questions I was unsure about and started researching the AWS documentation to check if my understanding was correct.

Then I outlined what wasn't clear yet so I could better prepare for a second attempt.

I identified some services and details that weren't clear in my head, like S3 retention modes and some tricky details about SCP in AWS Organizations.

And one important lesson:

Do not underestimate any service. Even the ones you think might not appear in your exam will show up. You need to understand the details of everything outlined in the exam guide.


My second attempt

My second attempt was almost two years later, in February 2026, after studying for about a month and a half.

During this time, I:

  • Reviewed Stephane Maarek's course
  • Completed Tutorials Dojo practice exams
  • Reviewed my previous notes
  • Added new notes for topics that were still unclear

Once I started consistently scoring above 800 in practice exams, I knew I was ready. At that point, I realized that waiting longer would only make me more anxious.

During the exam, I felt that it was slightly less complicated than my first attempt. In many questions, I felt very confident about my answers, but I stayed calm and focused.

I finished the exam with about 20 minutes left (with ESL extra time). I reviewed the questions I wasn't so sure about, but I kept my original answers.

In my first attempt, I realized that I probably lost points because I changed answers that were already correct when I was reviewing, so watch out for that.

So this time, I trusted my reasoning. I finished the exam knowing that I had done my best.

The final result arrived one day later.

I passed with a score of 804.
[Image: AWS Security Specialty Second Try]

How I studied for the Security Specialty and how the exam felt

When preparing for an AWS exam, I always start with Stephane Maarek's courses. They are my go-to recommendation for anyone studying for AWS certifications.

Neal Davis's courses are also a great option, but I see them more as a complement to gain deeper understanding.

Another must have resource is Tutorials Dojo. Their practice exams are very well crafted, with detailed explanations that help you identify and close knowledge gaps.

Once you consistently score above the passing score, you know you are ready to take the exam.

AWS Skill Builder is also a good complementary resource. It provides practice exams created by AWS, which are closer to the real exam experience.

One thing that helped me a lot was creating mental acronyms and references to remember concepts and details. Because even if you are an experienced security professional, it's almost impossible to remember every detail of every AWS service in depth. And for this exam, you need depth.

Not only in security services, but also in services like:

  • CloudWatch
  • Lambda
  • S3
  • EC2
  • KMS
  • Organizations

This level of depth is what separates a passing score from a failing score.

Mental models and tricks I used during the exam

Before anything, one important clarification:

During the exam, you are not allowed to consult anything.
No notes, no documentation, no external resources.
**Everything you need must already be inside your head.**

These mental models and shortcuts are not something you will create during the exam. They are something you need to study, practice and internalize beforehand. If you rely on memorizing during the exam, you’re already too late.

These are some of my personal notes and mental shortcuts that helped me recall concepts quickly during the exam. You should create your own and use these as a starting point for what to expect. And remember: if you only take notes but don't understand what they mean and how every service and configuration works in AWS, then you are studying the wrong way, and that is a recipe for failing any exam you take.


Security Group vs NACL

Security Group = "Security with memory" (stateful)

Imagine a security guard at a private party:

  • Entry: You show your invitation and get in
  • Exit: The guard remembers you and lets you leave

If inbound is allowed, outbound response is automatically allowed.


NACL = "Security with amnesia" (stateless)

Imagine a guard that forgets everything:

  • Entry works normally
  • Exit requires a new check

You must explicitly allow outbound traffic.

NACL works at subnet level.
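A small simulation of the two guards, added here as an illustration and not taken from the original post: the security group lets the reply out because it remembers the inbound flow, while the NACL re-checks the reply and needs an explicit outbound rule for the client's ephemeral port range. The addresses, ports and rule sets are constructed.

```python
"""Toy model of stateful (security group) vs stateless (NACL) evaluation.

Constructed example, not AWS code. The same HTTPS request and its reply are
checked against a security group and two NACLs: the SG remembers the flow, the
NACL re-checks the reply, so the client's ephemeral ports need an outbound rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" or "out", relative to the instance / subnet


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str          # toy matcher: "0.0.0.0/0" or a single "/32" address
    port_from: int
    port_to: int
    allow: bool = True  # NACL rules can deny; security group rules are allow-only


def _rule_match(rule: Rule, pkt: Packet) -> bool:
    peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    cidr_ok = rule.cidr == "0.0.0.0/0" or rule.cidr.split("/")[0] == peer
    return cidr_ok and rule.port_from <= pkt.dst_port <= rule.port_to


class SecurityGroup:
    """Stateful: allow-only rules plus a connection table for return traffic."""
    def __init__(self, rules):
        self.rules = [r for r in rules if r.allow]
        self.connections = set()
    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            ok = any(_rule_match(r, pkt) for r in self.rules if r.direction == "in")
            if ok:  # remember the flow so the reply passes without an outbound rule
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return ok
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return True
        return any(_rule_match(r, pkt) for r in self.rules if r.direction == "out")


class NetworkAcl:
    """Stateless: rules evaluated in number order, first match wins, nothing remembered."""
    def __init__(self, rules):
        self.rules = list(rules)  # already sorted by rule number
    def allows(self, pkt: Packet) -> bool:
        for r in self.rules:
            if r.direction == pkt.direction and _rule_match(r, pkt):
                return r.allow
        return False  # the implicit deny-all at the end of every NACL


def return_traffic_demo() -> dict:
    request = Packet("203.0.113.5", 51234, "10.0.1.10", 443, "in")
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 51234, "out")
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443)])  # deliberately no outbound rule
    nacl_no_out = NetworkAcl([Rule("in", "0.0.0.0/0", 443, 443)])
    nacl_fixed = NetworkAcl([Rule("in", "0.0.0.0/0", 443, 443),
                             Rule("out", "0.0.0.0/0", 1024, 65535)])  # ephemeral ports
    return {
        "sg": (sg.allows(request), sg.allows(reply)),
        "nacl_missing_outbound": (nacl_no_out.allows(request), nacl_no_out.allows(reply)),
        "nacl_with_ephemeral": (nacl_fixed.allows(request), nacl_fixed.allows(reply)),
    }
```

A real security group starts with an allow-all outbound rule; the model leaves it out on purpose to show that the reply is allowed by connection tracking, not by a rule.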


Inspector vs Detective vs Audit Manager

Inspector = Find vulnerabilities before attackers
Detective = Understand what happened after an event
Audit Manager = Build compliance reports continuously


Endpoint types

Gateway Endpoint = S3 and DynamoDB
Interface Endpoint = almost everything else


Audit tools comparison

Audit Manager = compliance evidence
Config = configuration tracking
Inspector = vulnerabilities
Detective = investigation


KMS

  • Cannot delete immediately
  • Minimum 7 days
  • Default 30 days
  • Keys are regional

Remediation patterns

Config → EventBridge → Lambda
Trusted Advisor → EventBridge → Lambda
GuardDuty → EventBridge → Step Functions
Security Hub → EventBridge → Step Functions
Config → SSM Document
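The first pattern above (Config → EventBridge → Lambda) as a runnable handler, added here as an example and not part of the original post. EventBridge forwards "Config Rules Compliance Change" events to the function; the rule-to-action table, the sample event values and the `apply` hook are assumptions made for illustration.

```python
"""Constructed example of the Config -> EventBridge -> Lambda remediation pattern.

Not the post's code. EventBridge matches "Config Rules Compliance Change" events
from aws.config and invokes this handler, which decides what to remediate. The
rule-to-action table is an assumption for illustration, and the real AWS call is
injected through `apply` so the decision logic can be exercised offline.
"""
import json
from typing import Callable, Optional

# Assumed mapping of managed Config rule names to remediation actions.
REMEDIATIONS = {
    "s3-bucket-public-read-prohibited": "put_public_access_block",
    "restricted-ssh": "revoke_ssh_from_anywhere",
}


def plan_remediation(event: dict) -> Optional[dict]:
    """Return a remediation plan for a NON_COMPLIANT change, or None to ignore the event."""
    if event.get("source") != "aws.config":
        return None
    if event.get("detail-type") != "Config Rules Compliance Change":
        return None
    detail = event["detail"]
    if detail["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT":
        return None  # COMPLIANT / NOT_APPLICABLE transitions need no action
    action = REMEDIATIONS.get(detail["configRuleName"])
    if action is None:
        return None  # unmapped rule: leave it for a human, no auto-remediation
    return {
        "action": action,
        "rule": detail["configRuleName"],
        "resource_type": detail["resourceType"],
        "resource_id": detail["resourceId"],
        "region": detail["awsRegion"],
        "account": detail["awsAccountId"],
    }


def lambda_handler(event: dict, context=None, apply: Optional[Callable] = None) -> dict:
    """Lambda entry point; `apply(plan)` would make the boto3 call in production."""
    plan = plan_remediation(event)
    if plan is None:
        return {"status": "ignored"}
    if apply is not None:
        apply(plan)
    return {"status": "remediated", **plan}


# Constructed sample event in the documented compliance-change shape (trimmed).
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "resourceId": "example-logs-bucket",
        "resourceType": "AWS::S3::Bucket",
        "awsRegion": "us-east-1",
        "awsAccountId": "111122223333",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, apply=print), indent=2))
```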


S3 retention

Governance = flexible
Compliance = cannot be disabled
Legal Hold = independent

Versioning must be enabled
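The three retention rules above as a small model, added here as an example and not from the original post: it encodes who can delete or shorten retention on a locked object version in Governance mode, in Compliance mode, and under a legal hold. The object keys, dates and permission flags are constructed.

```python
"""Toy model of the S3 Object Lock rules in the cheat sheet above.

Constructed example, not AWS code. An object version carries a retention mode,
a retain-until date and a legal hold flag; the functions answer "can this
principal delete or shorten it now?" the way Object Lock does: GOVERNANCE can
be bypassed with s3:BypassGovernanceRetention, COMPLIANCE cannot be overridden
by anyone until it expires, and a legal hold blocks deletion on its own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class LockedVersion:
    key: str
    version_id: str
    mode: Optional[str] = None             # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


def retention_active(v: LockedVersion, now: datetime) -> bool:
    return v.mode is not None and v.retain_until is not None and now < v.retain_until


def can_delete_version(v: LockedVersion, now: datetime, *,
                       can_bypass_governance: bool = False,
                       bypass_requested: bool = False) -> Tuple[bool, str]:
    """Permanent delete of one version (a delete without a version id only adds a delete marker)."""
    if v.legal_hold:
        return False, "legal hold is on; it must be removed first (s3:PutObjectLegalHold)"
    if not retention_active(v, now):
        return True, "no active retention"
    if v.mode == "COMPLIANCE":
        return False, "COMPLIANCE retention cannot be overridden by any user, root included"
    if can_bypass_governance and bypass_requested:
        return True, "GOVERNANCE retention bypassed (permission + x-amz-bypass-governance-retention)"
    return False, "GOVERNANCE retention active; bypass permission and header both required"


def shorten_retention(v: LockedVersion, new_until: datetime, now: datetime, *,
                      can_bypass_governance: bool = False) -> bool:
    """Extending retention is always allowed; shortening follows the mode rules."""
    shortening = retention_active(v, now) and new_until < v.retain_until
    if shortening and v.mode == "COMPLIANCE":
        return False
    if shortening and v.mode == "GOVERNANCE" and not can_bypass_governance:
        return False
    v.retain_until = new_until
    return True


def demo() -> dict:
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    later = datetime(2026, 12, 31, tzinfo=timezone.utc)
    gov = LockedVersion("audit.log", "v1", "GOVERNANCE", later)
    comp = LockedVersion("audit.log", "v2", "COMPLIANCE", later)
    held = LockedVersion("audit.log", "v3", legal_hold=True)
    return {
        "gov_plain": can_delete_version(gov, now)[0],
        "gov_bypass": can_delete_version(gov, now, can_bypass_governance=True, bypass_requested=True)[0],
        "comp_bypass": can_delete_version(comp, now, can_bypass_governance=True, bypass_requested=True)[0],
        "legal_hold": can_delete_version(held, now)[0],
        "comp_shorten": shorten_retention(comp, now, now, can_bypass_governance=True),
        "gov_shorten": shorten_retention(gov, now, now, can_bypass_governance=True),
    }
```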


SCP

Management Account is not restricted

Management Account = SCP immune


Secrets

Parameter Store = simple
Secrets Manager = advanced
ACM = certificates


Security Hub

Needs AWS Config
Organizations only for multi account


Networking

NAT Gateway = outbound only
Internet Gateway = inbound and outbound


IAM Access Analyzer

  • Finds external access
  • Works on resource policies
  • Regional

Load balancers

ALB = Layer 7
NLB = Layer 4
GWLB = inspection


Endpoints summary

Gateway Endpoint

  • S3 and DynamoDB
  • Free

Interface Endpoint

  • Most services
  • Paid

Final thoughts

This certification was one of the most challenging steps in my AWS journey. Not only because of the difficulty, but because it forced me to think differently.

It's not about memorizing services. It's about understanding how to combine them to solve real problems.

And more importantly, it's about making decisions under pressure, with incomplete information, just like in real world scenarios.

Failing my first attempt was frustrating, but it was also necessary. It showed me that knowing is not the same as being ready.

The second attempt was different. Not because the exam was easier, but because my mindset was.

If you are preparing for this exam, focus on:

  • understanding the "why" behind each service
  • practicing real scenarios
  • identifying your weak points early
  • building confidence through repetition
  • and practicing hands-on in AWS, not just theory

And one important thing:

You won't pass this exam by luck. And you definitely won't pass it by just watching courses.

You need real hands on practice.

  • Build things in AWS.
  • Break them.
  • Fix them.
  • Test different approaches.

That's where the concepts actually become clear.
You pass when your reasoning becomes natural.

When you stop thinking "which service is this" and start thinking "what problem am I solving". That's when everything clicks.