How to Pass the AWS Certified Security Specialty (SCS-C03) Exam in 2026: An 8-Week Study Plan

A week-by-week study plan for the new AWS Certified Security Specialty SCS-C03 exam, updated for the December 2025 refresh. Covers the six domains, the new generative AI security content, exam-day facts and the fastest route to a pass.

CertCrush Team

30 June 2026

The AWS Certified Security Specialty SCS-C03 exam is the toughest cloud security certification Amazon offers, and as of December 2025 it has a brand new blueprint. If you are searching for an AWS Security Specialty SCS-C03 study plan that reflects the current exam rather than the retired SCS-C02 version, this guide gives you a realistic 8-week schedule, the exact domain weightings, and the new generative AI security content that most older guides still miss.

The short answer to "how do I pass SCS-C03?" is this: give it eight focused weeks, study identity and access management first because it is now the heaviest domain, and back every concept with hands-on practice in a real AWS account. The rest of this post turns that into a day-by-day plan.

What Changed With SCS-C03 (And Why It Matters)

The last day to sit the old SCS-C02 exam was 1 December 2025. The new SCS-C03 version went live on 2 December 2025. If you started studying before that date with second-hand notes, some of your material is now out of date.

The headline changes are:

  • Six domains instead of five. Detection and incident response are now separate domains, which mirrors how real security teams split monitoring from response.
  • Identity and access management is now the single heaviest domain at 20 percent, up from 16 percent on SCS-C02.
  • Generative AI and machine learning security is now examinable. You are expected to secure Amazon Bedrock workloads, apply guardrails to generative AI applications, protect model training data, and understand how Amazon GuardDuty detects suspicious AI and ML activity.
  • New question formats. Alongside multiple choice and multiple response, SCS-C03 introduces ordering and matching questions, so you cannot rely on pure recognition.

Exam Tip: There is no separate "Domain 7" for AI security. The generative AI content lives inside Domain 3 (Infrastructure Security) as skill 3.2.7, "Implement protections and guardrails for generative AI applications." Do not skip Domain 3 thinking AI is a small bonus topic.

SCS-C03 Exam Facts at a Glance

Before you build a schedule, anchor yourself to the format you are training for. These are the current, exam-day facts for SCS-C03.

| Detail | SCS-C03 value |
| --- | --- |
| Number of questions | 65 (about 50 scored, the rest unscored) |
| Exam duration | 170 minutes |
| Passing score | 750 out of 1000 |
| Cost | 300 USD |
| Question formats | Multiple choice, multiple response, ordering, matching |
| Certification validity | 3 years |
| Recommended experience | 3 to 5 years of security experience, plus 2 years securing AWS workloads |
| Launched | 2 December 2025 |

The 750 out of 1000 pass mark is scaled, so you cannot translate it directly into "I need 75 percent right." Treat anything above 80 percent on quality practice exams as your green light to book.

The Six SCS-C03 Domains and Their Weightings

Your study time should follow the marks. Here is how the scored content breaks down on SCS-C03.

| Domain | Focus | Weight |
| --- | --- | --- |
| 1. Detection | Continuous monitoring, telemetry, log analysis, visibility | 16% |
| 2. Incident Response | Investigate, contain and remediate security events | 14% |
| 3. Infrastructure Security | Network and compute security, including generative AI guardrails | 18% |
| 4. Identity and Access Management | IAM, federation, Entra and IAM Identity Center, permission boundaries | 20% |
| 5. Data Protection | Encryption, KMS, secrets, data lifecycle | 18% |
| 6. Security Foundations and Governance | Multi-account strategy, governance, compliance | 14% |

Where most people lose marks

Identity and access management at 20 percent is where the exam is won or lost. AWS loves layered permission questions: an IAM policy, a resource policy, an AWS Organizations service control policy, and a permission boundary all interacting at once. If you cannot work out the net effective permission in your head, you will haemorrhage marks across the whole paper, because IAM logic bleeds into every other domain.

Data protection and infrastructure security together add another 36 percent. Between those two and IAM, three domains decide 58 percent of your result.

The 8-Week SCS-C03 Study Plan

This plan assumes 8 to 12 hours of study per week. If you already hold the AWS Solutions Architect Associate (SAA-C03), you have a real head start on networking and IAM and can compress the early weeks. If you are coming in cold, treat eight weeks as the minimum and consider stretching to ten.

Week 1: Foundations and IAM core

Start with identity because everything in AWS security routes back to it. Cover IAM users, groups, roles, and the anatomy of a policy. Learn the evaluation logic: explicit deny beats everything, then explicit allow, then implicit deny. Spin up a fresh account and write three policies by hand.

Week 2: Advanced IAM and federation

Move to IAM Identity Center, cross-account roles, permission boundaries, and service control policies in AWS Organizations. Practise tracing effective permissions through a multi-account setup. This is the highest-value week on the whole plan.
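
To practise the tracing described in Weeks 1 and 2 and in the layered-permission questions above, here is an added example (not from AWS or from this post's authors) that models the evaluation order for one request. It assumes a deliberately simplified model: identity policy, service control policy and permission boundary only, with no resource-based policies, session policies or Condition keys; the policy documents and the bucket name app-logs are constructed, and fnmatch stands in for IAM wildcard matching.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (hypothetical bucket name app-logs).
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-logs/*"}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def effects(policy, action, resource):
    """Return the set of Effects of statements matching the request."""
    found = set()
    for stmt in policy["Statement"]:
        # IAM action names are case-insensitive; ARNs are not.
        act = any(fnmatchcase(action.lower(), a.lower())
                  for a in as_list(stmt["Action"]))
        res = any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
        if act and res:
            found.add(stmt["Effect"])
    return found

def evaluate(action, resource, identity, scp=None, boundary=None):
    """Simplified model: identity policy, SCP and boundary only."""
    layers = {"identity policy": identity, "SCP": scp,
              "permission boundary": boundary}
    present = {n: p for n, p in layers.items() if p is not None}
    # 1. An explicit deny in any layer ends the evaluation.
    for name, policy in present.items():
        if "Deny" in effects(policy, action, resource):
            return ("Deny", f"explicit deny in {name}")
    # 2. Every layer present must allow; a missing allow is an implicit deny.
    for name, policy in present.items():
        if "Allow" not in effects(policy, action, resource):
            return ("Deny", f"implicit deny: no allow in {name}")
    return ("Allow", "allowed by every layer")

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-logs/a.txt"),
                     ("s3:DeleteBucket", "arn:aws:s3:::app-logs"),
                     ("s3:GetObject", "arn:aws:s3:::other/x")]:
        print(act, res, evaluate(act, res, IDENTITY, SCP, BOUNDARY))
```

The third request is the one to study: the identity policy grants s3:* everywhere, yet the boundary narrows the effective permission to one bucket prefix.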

Week 3: Infrastructure security

Cover VPC security, security groups versus network ACLs, AWS Network Firewall, AWS WAF, and AWS Shield. Then tackle the new content head-on: Amazon Bedrock security, guardrails for generative AI applications, and protecting model training data. Build a small Bedrock guardrail so the concept is concrete, not theoretical.

Week 4: Data protection

Focus on AWS Key Management Service (KMS), the difference between AWS managed and customer managed keys, envelope encryption, AWS Secrets Manager, AWS Certificate Manager, and S3 encryption options. Encrypt something, rotate a key, and read the resulting CloudTrail events.

Week 5: Detection

Now build your monitoring layer. Master Amazon GuardDuty (including its AI and ML threat detection), AWS Security Hub, Amazon Inspector, AWS Config, and Amazon Detective. Understand which service answers which question, because the exam tests service selection constantly.

Week 6: Incident response

Learn the response workflow: isolate a compromised instance, rotate exposed credentials, contain a leaked access key, and use automation with Amazon EventBridge and AWS Lambda. Walk through the AWS incident response runbooks so the steps are second nature.

Week 7: Governance and full review

Cover multi-account governance with AWS Control Tower, AWS Organizations, tagging strategy, and compliance reporting. Then loop back over weeks 1 to 6 and patch every weak spot you noted along the way.

Week 8: Practice exams and exam readiness

Sit at least three full-length, timed practice exams under real conditions. Review every wrong answer until you understand why the right option wins and the others fail. Book your real exam once you are consistently scoring above 80 percent.

Exam Tip: Watch for "NOT," "EXCEPT," and "LEAST" in the question stem and for "most cost-effective" or "least operational overhead" in the answer options. On a specialty exam, two answers are often technically correct and only one fits the constraint in the question.

Should You Take SCS-C03 Before You Sit the Associates?

AWS recommends real security experience for this exam, and that advice is sound. The Security Specialty assumes you already understand core AWS services. Most people who pass first time hold the Solutions Architect Associate already and have spent time in a live AWS environment.

If you are still early in your AWS journey, build the base first. Our 8-week AWS Solutions Architect Associate (SAA-C03) study plan is the natural prerequisite, and you can browse every AWS track on the CertCrush courses page.

Common SCS-C03 Mistakes to Avoid

  • Studying SCS-C02 material. Domain weights and the AI content have changed. Confirm any guide or practice set is labelled SCS-C03.
  • Treating AI security as optional. Generative AI guardrails are now in scope. Skipping Domain 3 to save time is a false economy.
  • Reading instead of building. This exam rewards hands-on muscle memory. Every service you study should be a service you have actually clicked through.
  • Ignoring the new question formats. Ordering and matching questions punish shallow recognition. Practise the workflow, not just the definition.
  • Booking too early. A 750 scaled pass mark is unforgiving. Wait until your practice scores are steady above 80 percent.

How Long Does It Really Take to Pass SCS-C03?

Most candidates with associate-level AWS knowledge need six to twelve weeks of calendar time, which is why eight weeks at 8 to 12 hours per week is a sensible target. If you are securing AWS workloads in your day job already, you can move faster. If AWS security is new to you, give yourself the full ten weeks and do not rush the IAM and detection weeks.

The single biggest predictor of a first-time pass is hands-on time. People who only read books consistently underperform people who built, broke, and fixed things in a real account.

Ready to Start Practising?

The fastest way to find your weak domains is to test yourself under exam conditions, early and often. CertCrush gives you realistic SCS-C03 style practice questions with full explanations, so you learn why each answer is right or wrong rather than just memorising it.

Create your free CertCrush account and start practising for the AWS Certified Security Specialty today. Pair your practice with the SAA-C03 study plan if you still need the foundation, and explore the full range of AWS and cloud security tracks on the courses page.

Eight focused weeks, identity first, and constant hands-on practice. That is how you pass SCS-C03 in 2026.
