AWS Security – Specialty Roadmap

The six AWS Certified Security – Specialty (SCS-C02) exam domains: threat detection & incident response, security logging & monitoring, infrastructure security, identity & access management, data protection, and management & security governance.

Not started In progress Completed

0%0/30

concepts mastered

Threat Detection & IR

0% · 0/5

Detecting threats with GuardDuty, Security Hub, Detective and Inspector, then responding with automated remediation, forensics and isolation (Domain 1 · 14%)

Logging & Monitoring

0% · 0/5

Capturing, centralising, validating and analysing logs - CloudTrail, CloudWatch Logs, VPC Flow Logs, Config and Athena (Domain 2 · 18%)

Infrastructure Security

0% · 0/5

Securing the network and edge - security groups, NACLs, Network Firewall, WAF, Shield, plus hardening, bastion-free access and patching (Domain 3 · 20%)

Identity & Access Management

0% · 0/4

Advanced IAM - policy evaluation logic, permission boundaries, SCPs, resource and cross-account policies, federation, Identity Center and ABAC (Domain 4 · 16%)

Data Protection

0% · 0/6

Protecting data with KMS key policies and grants, envelope encryption, rotation, CloudHSM, ACM, S3 encryption, Secrets Manager and Macie (Domain 5 · 18%)

Governance

0% · 0/5

Governing many accounts at scale - Organizations and SCPs, Control Tower, Config conformance packs, Audit Manager, Artifact and the economics of security (Domain 6 · 14%)

🏁

Finish line

AWS Security – Specialty Roadmap

Threat Detection & IR

Threat detection services

Incident response & automated remediation

Logging & Monitoring

AWS CloudTrail

CloudWatch Logs & VPC Flow Logs

AWS Config & log analysis

Infrastructure Security

VPC network security

Edge protection

Host security & patching

Identity & Access Management

Policy evaluation logic

Roles, federation & cross-account

Data Protection

AWS KMS deep dive

Data encryption in services

Governance

Multi-account governance

Compliance & audit

Cost & operational governance