AWS Security Specialty C03 vs C02: What Actually Changed

AWS Security Specialty C02 to C03 migration

By the time you are reading this, the C02 version of the AWS Security Specialty exam is no longer available. It has been replaced by the SCS-C03. Here is what changed and what you need to know before you take the new exam.

Here’s a visual cheat sheet for reference:

New response types in C03

AWS added two response formats that were not included in C02:

  • Ordering: You are given a list of 3 to 5 actions and must select the correct ones and put them in the correct order.
  • Matching: You are given a list of prompts and a list of possible responses. You must match all pairs correctly to get credit.

This means the exam is no longer entirely multiple choice. You will see a mix of multiple choice, ordering, and matching questions. AWS does not publish what percentage of the test uses each format. The total number of scored questions remains 50, plus 15 unscored pilot questions.

Changes to the exam domains

The domains stayed mostly the same, but AWS shifted the weighting. Threat detection, incident response, and infrastructure security have slightly less weight (-2% each). Identity and Access Management gained +4 percent.

Before (C02):

  • Domain 1: Threat Detection and Incident Response (14% of scored content)
  • Domain 2: Security Logging and Monitoring (18% of scored content)
  • Domain 3: Infrastructure Security (20% of scored content)
  • Domain 4: Identity and Access Management (16% of scored content)
  • Domain 5: Data Protection (18% of scored content)
  • Domain 6: Management and Security Governance (14% of scored content)

After (C03):

  • Content Domain 1: Detection (16% of scored content)
  • Content Domain 2: Incident Response (14% of scored content)
  • Content Domain 3: Infrastructure Security (18% of scored content)
  • Content Domain 4: Identity and Access Management (20% of scored content)
  • Content Domain 5: Data Protection (18% of scored content)
  • Content Domain 6: Security Foundations and Governance (14% of scored content)

These percentages are helpful for a high level picture, but the domains alone do not tell the full story. The real changes are inside the task and skill statements.

Change in format of the expected skills

While similar, they slightly changed the format of their exam guide. You can get the official exam guide here to see what I mean.

Example from C03:

  • Content Domain 1: Detection
    • Task 1.1: Design and implement monitoring and alerting solutions for an AWS account or organization.
      • Skill 1.1.1: Analyze workloads to determine monitoring requirements.
      • Skill 1.1.2: Design and implement workload monitoring strategies (for example, by configuring resource health checks).
      • Skill 1.1.3: Aggregate security and monitoring events.
      • Skill 1.1.4: Create metrics, alerts, and dashboards to detect anomalous data and events (for example, Amazon GuardDuty, Amazon Security Lake, AWS Security Hub, Amazon Macie).
      • Skill 1.1.5: Create and manage automations to perform regular assessments and investigations (for example, by deploying AWS Config conformance packs, Security Hub, AWS Systems Manager State Manager).

Versus the prior C02 format:

  • Domain 1: Threat Detection and Incident Response
    • Task Statement 1.1: Design and implement an incident response plan.
      • Knowledge of:
        • AWS best practices for incident response
        • Cloud incidents
        • Roles and responsibilities in the incident response plan
        • AWS Security Finding Format (ASFF)
      • Skills in:
        • Implementing credential invalidation and rotation strategies in response to compromises (for example, by using AWS Identity and Access Management [IAM] and AWS Secrets Manager)
        • Isolating AWS resources
        • Designing and implementing playbooks and runbooks for responses to security incidents
        • Deploying security services (for example, AWS Security Hub, Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Detective, AWS Identity and Access Management Access Analyzer)
        • Configuring integrations with native AWS services and third-party services (for example, by using Amazon EventBridge and the ASFF)

To me, the new format breaks responsibilities into smaller skills, which makes it easier to understand what you need to study.

New AI security skill requirement

For the first time, the exam includes a GenAI security skill:

Skill 3.2.7: Implement protections and guardrails for generative AI applications (for example, by applying GenAI OWASP Top 10 for LLM Applications protections).

I don’t expect this to be a large focus since it’s only one skill, but make sure you review the GenAI OWASP Top 10 for LLM Applications list and understand how it applies in AWS.

How much did the content actually change?

The short answer: not much. Most differences are reorganizations or small additions. If you have been preparing for C02, you are already very close to being prepared for C03.

Topics removed

AWS removed a few items:

  • Identify security gaps through architectural reviews and cost analysis
  • AWS Security Finding Format (ASFF)
  • AWS Security Incident Response Guide
  • Log format and components (for example, CloudTrail logs)
  • Host-based security (for example, firewalls, hardening)
  • Activating host-based security mechanisms (for example, host-based firewalls)
  • How to analyze reachability (for example, by using VPC Reachability Analyzer and Amazon Inspector)
  • Fundamental TCP/IP networking concepts (for example, UDP compared with TCP, ports, Open Systems Interconnection [OSI] model, network operating system utilities)
  • Identifying, interpreting, and prioritizing problems in network connectivity (for example, by using Amazon Inspector Network Reachability)
  • Components and impact of a policy (for example, Principal, Action, Resource, Condition)
  • TLS concepts
  • Designing cross-Region networking by using private VIFs and public VIFs
  • Configure S3 static website hosting

Topics added

They added the following:

  • 2.2.3 Validate findings from AWS security services to assess the scope and impact of an event
  • 3.1.4 Configure integrations with AWS edge services and third-party services (for example, by ingesting data in Open Cybersecurity Schema Framework [OCSF] format, by using third-party WAF rules).
  • 3.2.7 Implement protections and guardrails for generative AI applications (for example, by applying GenAI OWASP Top 10 for LLM Applications protections).
  • 5.1.3 Design and configure inter-resource encryption in-transit (for example, inter-node encryption configurations for Amazon EMR, Amazon Elastic Kubernetes Service [Amazon EKS], SageMaker AI, Nitro encryption).
  • 5.3.3 Describe the differences between imported key material and AWS generated key material.
  • 5.3.4 Mask sensitive data (for example, CloudWatch Logs data protection policies, Amazon Simple Notification Service [Amazon SNS] message data protection).
  • 5.3.5 Create and manage encryption keys and certificates across a single AWS Region or multiple Regions (for example, AWS KMS customer managed AWS KMS keys, AWS Private Certificate Authority).

As you can see, these are all relatively small additions. None of them fundamentally change the exam.

Final thoughts

If you have been studying for C02, you are in great shape for C03. The new exam includes a few small additions, a clearer structure, and a bit more weight on IAM. You do not need to overhaul your study plan.

If you want help preparing, you can get started with our free, high quality AWS Security Specialty course.

Get ready to pass the AWS Security Specialty Certification exam with our FREE, high quality course

Related Articles

Responses

Your email address will not be published. Required fields are marked *

  1. I am scheduled for a test on the end of December. aws skill builder (official and only ) exam does not include any ML/AI material. I also did not see “Verfied access” service questions, nor “declarative policies” which is already in GA.
    Do you think some material will be added till then? you will be the only course actually saying C02->C03 and publishing some content, unlike other courses which titled “C03” without any reference to the new domain structure, needless to say actual related content 🙁

    1. Yes, we’re working on adding more to our course to keep up with all the changes, but also keep in mind that you don’t have to know absolutely everything to pass this exam. If you are worried about not knowing enough regarding verified access, declarative policies, or genAI security, spend a few days reading through the docs and using the feature/service in the AWS console. That will be plenty. I would not expect to get very many questions regarding those topics on your exam.

  2. Thank you for your response.
    Exam date approaches 🙁 I agree that not much will change in the exam , comparing to what I am seeing in the official aws builder exam.
    Question.
    Since your course scs-c0x is conceptually very new (comparing to udemy greatest hits and adrain cantrill’s material), I was wondering.
    1. Content wise, there isn’t any difference between premium to free scs-c0x?
    The differences are in the extras?
    2. Are you planning to non security aws content? (I am interested about ai, and of course, ai security)
    3. Can you point out major differences between cybr aws labs to aws builder security labs?
    Thank you very much for being attentive.
    Uri.

    1. Uri, the free version of our course is designed to give you the content you need to pass the exam, while the premium version includes more labs, scenarios, and quizzes to help with additional practice and to provide more practical experience you can then directly apply on the job. If you see similar labs/quizzes/scenarios listed in both syllabuses, it’s just that way because the free version links to the paid for those lessons to make it easier to go back and forth between both versions (for those with a premium memberships). The content itself is not duplicated. Hope that makes sense. In terms of major differences between our labs and theirs, I would encourage you to look at our library of labs (either just for this cert course in our premium course syllabus or more broadly speaking here: cybr.com/labs) so you can see what we have to offer!

    2. For your second question – we have started to add AI security content and are planning on continuing to do so! As of now our primary focus is security, but if there’s enough demand we could consider expanding into non-security content as well