AWS Security Specialty Certification Updated for GenAI Era (SCS-C03)
The AWS Certified Security – Specialty exam has been refreshed to address 2025’s security landscape. The new SCS-C03 version includes generative AI security, machine learning security, and modern threat protection. Here’s what changed.
Key Changes in SCS-C03
| Topic | SCS-C02 | SCS-C03 |
|---|---|---|
| GenAI Security | Not covered | New domain |
| ML Model Security | Minimal | Expanded |
| Bedrock Guardrails | Not covered | Included |
| Container Security | Basic | Deeper coverage |
New Exam Domains
1. Threat Detection and Incident Response (30%)
- GuardDuty, Security Hub, Detective
- Automated remediation with EventBridge
- Forensics and incident investigation
2. Security Logging and Monitoring (20%)
- CloudTrail, VPC Flow Logs
- Centralized logging architectures
- SIEM integration
3. Infrastructure Security (20%)
- VPC security, NACLs, Security Groups
- WAF, Shield, Firewall Manager
- Container and serverless security
4. Identity and Access Management (15%)
- IAM policies, SCPs, permission boundaries
- Identity Center, Federation
- Cross-account access patterns
5. Data Protection (15%)
- KMS, encryption at rest/transit
- Secrets Manager, Parameter Store
- NEW: AI/ML data protection
GenAI Security Topics
Bedrock Guardrails configuration:

```json
{
  "contentPolicyConfig": {
    "filtersConfig": [{
      "type": "HATE",
      "inputStrength": "HIGH",
      "outputStrength": "HIGH"
    }]
  },
  "topicPolicyConfig": {
    "topicsConfig": [{
      "name": "Financial Advice",
      "type": "DENY"
    }]
  }
}
```
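An added example, not part of the original article: an offline check over the configuration above that flags content filter categories left unconfigured, strengths below a chosen floor, and denied topics missing the `definition` field that the CreateGuardrail API requires. The function name `audit_guardrail` and the HIGH floor are assumptions made for illustration.

```python
import json

# Filter categories and strength values accepted by Bedrock CreateGuardrail.
FILTER_TYPES = {"SEXUAL", "VIOLENCE", "HATE", "INSULTS", "MISCONDUCT", "PROMPT_ATTACK"}
STRENGTHS = ["NONE", "LOW", "MEDIUM", "HIGH"]

# The configuration from this page, embedded so the check runs offline.
PAGE_CONFIG = json.loads("""
{"contentPolicyConfig": {"filtersConfig": [
   {"type": "HATE", "inputStrength": "HIGH", "outputStrength": "HIGH"}]},
 "topicPolicyConfig": {"topicsConfig": [
   {"name": "Financial Advice", "type": "DENY"}]}}
""")


def audit_guardrail(cfg, minimum="HIGH"):
    """Return a sorted list of findings for a guardrail configuration dict."""
    findings, seen = [], set()
    floor = STRENGTHS.index(minimum)  # assumed policy floor, not an AWS default
    for f in cfg.get("contentPolicyConfig", {}).get("filtersConfig", []):
        ftype = f.get("type")
        seen.add(ftype)
        if ftype not in FILTER_TYPES:
            findings.append(f"unknown filter type: {ftype}")
            continue
        # PROMPT_ATTACK screens input only; its outputStrength must be NONE.
        sides = ["inputStrength"] if ftype == "PROMPT_ATTACK" else [
            "inputStrength", "outputStrength"]
        for side in sides:
            value = f.get(side, "NONE")
            if value not in STRENGTHS or STRENGTHS.index(value) < floor:
                findings.append(f"{ftype}.{side} is {value}, expected at least {minimum}")
    for missing in FILTER_TYPES - seen:
        findings.append(f"no filter configured for {missing}")
    for t in cfg.get("topicPolicyConfig", {}).get("topicsConfig", []):
        name = t.get("name", "<unnamed>")
        if not t.get("definition"):
            findings.append(f"topic '{name}' has no definition")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_guardrail(PAGE_CONFIG):
        print(line)
```

Run against the page's sample, it reports the five categories with no filter (including `PROMPT_ATTACK`) and the topic without a definition.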
Study Recommendation
Focus on hands-on experience with Bedrock Guardrails, SageMaker security, and automated security response. These are the most significant additions from SCS-C02.