TL;DR: AWS replaced SCS-C02 with SCS-C03 on December 2, 2025. The core security knowledge is ~85% the same, but SCS-C03 restructures domains, increases IAM weight to 20%, adds a new Governance domain (14%), introduces AI/ML security coverage, and includes new question types (ordering and matching). If you studied for C02, you're mostly ready for C03 with some targeted additions.
If you've been studying for the AWS Certified Security Specialty or are deciding when to take the exam, the version change from SCS-C02 to SCS-C03 is critical to understand. SCS-C02 retired on December 1, 2025, and SCS-C03 is now the only available version. Here's exactly what changed and what it means for your preparation.
Timeline
- SCS-C02 retired: December 1, 2025
- SCS-C03 launched: December 2, 2025
- Current version: SCS-C03 (the only version available for registration)
If you previously failed SCS-C02, you must now take SCS-C03. Your study material is still ~85% relevant.
Domain Structure: Side-by-Side Comparison
The most visible change is the domain restructuring. SCS-C02 had 5 domains; SCS-C03 has 6 domains with redistributed weights.
Domain Weight Comparison: SCS-C02 vs SCS-C03
| Domain Area | SCS-C02 | SCS-C03 | Change |
|---|---|---|---|
| Threat Detection & Incident Response | 14% | 16% | +2% |
| Security Logging & Monitoring | 22% | 18% | -4% |
| Infrastructure Security | 26% | 18% | -8% |
| Identity & Access Management | 16% | 20% | +4% |
| Data Protection | 22% | 18% | -4% |
| Management & Security Governance | N/A (new) | 14% | +14% |
Biggest Impact
Infrastructure Security dropped 8 percentage points (26% to 18%), while IAM jumped 4 points (16% to 20%) and a brand-new Governance domain appeared at 14%. This means you should reallocate study time significantly: spend less time on network minutiae and more on IAM policy evaluation, Organizations, SCPs/RCPs, and governance frameworks.
What's New in SCS-C03
These topics were not on SCS-C02 and are now testable on SCS-C03:
1. Resource Control Policies (RCPs)
RCPs are a newer AWS Organizations policy type that complements Service Control Policies. While SCPs restrict what principals can do, RCPs restrict which principals can access resources—regardless of their identity-based policies.
SCP vs RCP
SCPs set maximum permissions for IAM principals in member accounts. They restrict what actions can be performed.
RCPs set maximum permissions for resources in member accounts. They restrict which principals can access resources.
Permission boundaries limit what an identity-based policy can grant to a single IAM entity.
Session policies further restrict a role session beyond what identity and resource policies allow.
Know all four and how they interact for the exam.
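The SCP/RCP split described above, as an added example that is not part of the original article: a simplified model showing that an SCP follows the calling principal while an RCP follows the target resource. The organization IDs, the two guardrail rules and the sample requests are constructed; permission boundaries, session policies and the management-account exemption are left out.

```python
from dataclasses import dataclass
from typing import Optional

OUR_ORG = "o-example1234"  # constructed organization ID (placeholder)

@dataclass(frozen=True)
class Request:
    principal_org: Optional[str]  # org that owns the caller's account (None = no org)
    resource_org: Optional[str]   # org that owns the target resource's account
    action: str
    granted: bool                 # identity/resource policies already allow it?

# Constructed SCP: member-account principals may never delete buckets.
SCP_DENIED_ACTIONS = {"s3:DeleteBucket"}

def rcp_denies(req: Request) -> bool:
    # Constructed RCP: S3 resources in our org reject callers from outside it.
    return req.action.startswith("s3:") and req.principal_org != OUR_ORG

def evaluate(req: Request) -> str:
    # Guardrails never grant access; without a grant the result is an implicit deny.
    if not req.granted:
        return "implicit deny"
    # The SCP follows the principal: it applies only to callers in our member accounts.
    if req.principal_org == OUR_ORG and req.action in SCP_DENIED_ACTIONS:
        return "denied by SCP"
    # The RCP follows the resource: it applies only to resources in our member accounts.
    if req.resource_org == OUR_ORG and rcp_denies(req):
        return "denied by RCP"
    return "allow"

# Constructed requests covering each side of the org boundary.
CASES = {
    "member reads member bucket": Request(OUR_ORG, OUR_ORG, "s3:GetObject", True),
    "member deletes member bucket": Request(OUR_ORG, OUR_ORG, "s3:DeleteBucket", True),
    "outsider reads member bucket": Request("o-other", OUR_ORG, "s3:GetObject", True),
    "member reads outside bucket": Request(OUR_ORG, "o-other", "s3:GetObject", True),
    "member deletes outside bucket": Request(OUR_ORG, "o-other", "s3:DeleteBucket", True),
    "member with no grant": Request(OUR_ORG, OUR_ORG, "s3:GetObject", False),
}

def run_cases() -> dict:
    return {name: evaluate(req) for name, req in CASES.items()}

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name:32} -> {outcome}")
```

The "outsider reads member bucket" case is the one an SCP cannot cover: the caller is not in the organization, so only the RCP on the resource side stops it.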
2. AWS Security Lake & OCSF
Security Lake is a purpose-built data lake that centralizes security data from AWS services, SaaS providers, and third-party sources into the Open Cybersecurity Schema Framework (OCSF) format. This replaces the fragmented logging approach tested in SCS-C02.
Key concepts to know:
- Security Lake automatically normalizes logs into OCSF format
- Sources include CloudTrail, VPC Flow Logs, Route 53 DNS logs, Security Hub findings, and third-party data
- Subscribers can query data using Athena, OpenSearch, or third-party SIEM tools
- Supports cross-account and cross-Region aggregation
3. Generative AI & Machine Learning Security
SCS-C03 adds coverage of securing AI/ML workloads, particularly Amazon Bedrock:
Topics tested:
- Amazon Bedrock guardrails for content filtering and topic avoidance
- Model access controls and permissions
- Protecting model training data
- GuardDuty detection for AI/ML activities
- GenAI OWASP Top 10 for LLM Applications (prompt injection, data poisoning, etc.)
Don't Over-Study AI/ML
While AI/ML security is new and exciting, it's estimated to represent only 3-5% of exam questions. Focus on the fundamentals: what Bedrock guardrails do, how to control model access with IAM, and the GenAI OWASP Top 10 concepts. Don't spend weeks on SageMaker internals.
4. New Question Types
SCS-C03 introduces two new question formats beyond traditional multiple choice:
Ordering Questions: Arrange security steps in the correct sequence. For example, ordering the steps to set up Security Hub cross-account aggregation or the correct incident response procedure.
Matching Questions: Pair AWS services or concepts to their descriptions. For example, matching policy types (SCP, RCP, permission boundary, session policy) to their correct purposes.
5. Enhanced Governance Coverage
Governance was scattered across other domains in SCS-C02. In SCS-C03, it's a standalone domain covering:
- AWS Control Tower and landing zone configuration
- Tag policies and resource compliance
- AWS Audit Manager for SOC 2, PCI DSS, HIPAA readiness
- Service Catalog for approved resource provisioning
- Multi-account strategy and organizational design
What Was Removed or De-emphasized
Not everything got bigger. Some SCS-C02 topics were reduced:
Topics Reduced in SCS-C03
| Topic | SCS-C02 Coverage | SCS-C03 Coverage |
|---|---|---|
| Network ACL deep configuration | Heavy (part of 26% infra) | Moderate (part of 18% infra) |
| Custom VPN configuration details | Tested frequently | Reduced emphasis |
| Manual log parsing techniques | Tested frequently | Replaced by Security Lake/OCSF focus |
| Individual service-level security (per-service minutiae) | Broad coverage | Consolidated into domain-level concepts |
| On-premises to cloud security migration | Moderate coverage | Minimal coverage |
Good News If You Studied for C02
If you already studied for SCS-C02, the vast majority of your knowledge transfers directly. The core services (GuardDuty, Security Hub, KMS, IAM, CloudTrail, Config, WAF, etc.) are all still heavily tested. You mainly need to add RCPs, Security Lake, AI/ML security, and governance concepts to your preparation.
Exam Format Comparison
Exam Format: SCS-C02 vs SCS-C03
| Aspect | SCS-C02 | SCS-C03 |
|---|---|---|
| Question Count | 65 (50 scored + 15 unscored) | 65 (50 scored + 15 unscored) |
| Duration | 170 minutes | 170 minutes |
| Passing Score | 750/1000 | 750/1000 |
| Cost | $300 USD | $300 USD |
| Question Types | Multiple choice, Multiple response | Multiple choice, Multiple response, Ordering, Matching |
| Languages | EN, JA, KO, ZH-CN | EN, JA, KO, PT-BR, ZH-CN, ES-LATAM |
| Validity | 3 years | 3 years |
| Delivery | Pearson VUE / Online | Pearson VUE / Online |
The format is nearly identical except for two changes: new question types (ordering and matching) and additional language options (Portuguese and Spanish added).
How to Update Your Study Plan
If you were preparing for SCS-C02, here's what to add to your preparation:
Estimated Additional Study Time
If you were already prepared for SCS-C02, plan 2-3 additional weeks to cover the new SCS-C03 content. Focus on:
- Week 1: RCPs, Security Lake, OCSF, governance domain
- Week 2: AI/ML security, Bedrock guardrails, GenAI OWASP Top 10
- Week 3: Practice exams with ordering and matching question types
New Services to Know for SCS-C03
Here are AWS services that are new or significantly more prominent in SCS-C03:
| Service | What It Does | Why It's on SCS-C03 |
|---|---|---|
| AWS Security Lake | Centralizes security data in OCSF format | Replaces fragmented logging approaches |
| Resource Control Policies | Restrict which principals can access resources | New policy type alongside SCPs |
| Amazon Bedrock Guardrails | Content filtering for generative AI | AI/ML security is a new topic area |
| AWS Audit Manager | Automated evidence collection for audits | Governance domain formalization |
| AWS Control Tower | Multi-account landing zone setup | Governance domain formalization |
| IAM Access Analyzer | Identifies unintended resource access | Enhanced IAM coverage |
| Amazon Detective | Investigates security findings with ML | Stronger detection emphasis |
Study Resources for SCS-C03
If You Studied for C02
2-3 Weeks
- Review RCPs and how they interact with SCPs and permission boundaries
- Study Security Lake, OCSF, and centralized logging architecture
- Learn Bedrock guardrails and GenAI OWASP Top 10
- Review Control Tower, Audit Manager, and governance concepts
- Complete 3-4 practice exams with ordering and matching questions
If Starting Fresh
10-12 Weeks
- Follow the complete SCS-C03 study guide (linked below)
- Prioritize IAM (20%) and Infrastructure Security (18%)
- Build hands-on labs for GuardDuty, Security Hub, KMS, and Organizations
- Study all six domains with emphasis on weightings
- Complete all 7 Preporato practice exams including new question types
Recommended Resources:
- Preporato SCS-C03 Practice Exams — 7 full-length exams with 455+ questions including ordering and matching types, detailed explanations, and domain analytics
- AWS Skill Builder — Official exam prep course (free with AWS account)
- AWS Security Blog — Stay current on new security features and best practices
- AWS re:Inforce recordings — Annual security conference sessions available on YouTube
- AWS Well-Architected Security Pillar — Official whitepaper covering security best practices
Bottom Line
Key Takeaway
SCS-C03 is an evolution, not a revolution. If you have SCS-C02 study material, 85% of it still applies. Add RCPs, Security Lake, AI security, and governance to your preparation, practice the new question types, and you'll be well-positioned to pass. If you're starting fresh, the restructured domains and clearer organization of SCS-C03 actually make it a more logical exam to study for than its predecessor.
