AWS SCS-C03 cheat sheet for detection, incident response, encryption, traps, and final review.
Use this cheat sheet for AWS Certified Security - Specialty (SCS-C03) after you know the basics but before you start a timed practice block. The goal is not to memorize a vendor catalog; the goal is to classify the scenario and reject attractive wrong answers quickly.
Use this when the question mixes identity, encryption, logging, and incident response.

```mermaid
flowchart TD
D["Security scenario"] --> I["Identity and access"]
I --> K["KMS / encryption / key policy"]
K --> L["Logging / detection / evidence"]
L --> R["Contain, isolate, and remediate"]
```

The same lane order with an explicit verification step at the end; use it when the stem also asks how to prove the response worked and keep the audit trail intact.

```mermaid
flowchart TD
S["Scenario"] --> I["Identity and authorization"]
I --> K["Encryption and key policy"]
K --> L["Logs, findings, and evidence"]
L --> R["Contain and remediate"]
R --> V["Verify recovery and preserve audit trail"]
```


| Lane | Decision rule | Reject when |
|---|---|---|
| Identity and access | Resolve IAM policy, resource policy, SCP, permission boundary, session policy, and federation behavior. | Stopping at an Allow statement while an explicit deny, SCP, boundary, or key policy still blocks access. |
| Logging and detection | Use CloudTrail, CloudWatch, GuardDuty, Security Hub, Config, VPC Flow Logs, and alert routing. | Turning on logs without retention, analysis, notification, or response. |
| Data protection | Apply KMS, encryption, secrets, S3 controls, backup, retention, and classification requirements. | Forgetting the KMS key policy or cross-account decrypt permissions. |
| Network and infrastructure security | Secure VPC paths, endpoints, security groups, NACLs, WAF, Shield, and private connectivity. | Using public paths when a private endpoint or scoped network access is required. |
| Incident response and governance | Contain compromised credentials, isolate resources, preserve evidence, and automate remediation. | Destroying evidence or rotating the wrong credential first. |

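Worked example for the identity and data protection lanes, covering the same evaluation order the "Reject when" column warns about (explicit deny anywhere, then SCP, resource policy, permissions boundary, session policy, identity policy, and the cross-account rule that both sides must grant). This is an added example, not part of the original cheat sheet and not an AWS tool: the account IDs, role, key ARN, and policies are constructed, and the model covers only Effect, Action, Resource, and Principal (no Condition keys, NotAction, or NotResource). It treats a KMS key policy as the resource policy that must either name the caller or delegate to the caller's account root before any IAM policy can help, which is the "encryption without key access" case.

```python
"""Simplified AWS policy evaluation order for one request.
Added example with constructed identifiers; models Effect, Action, Resource
and Principal only (no Condition, NotAction or NotResource)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Stmt:
    effect: str                                        # "Allow" or "Deny"
    actions: list
    resources: list = field(default_factory=lambda: ["*"])
    principals: list = field(default_factory=list)     # resource policies only

@dataclass
class Req:
    principal_arn: str
    action: str
    resource_arn: str
    resource_account: str
    kms: bool = False   # KMS: the key policy must grant or delegate; IAM alone is not enough

def account_of(arn):
    return arn.split(":")[4]

def _applies(s, r):
    a = r.action.lower()   # action names are case-insensitive; ARNs are not
    return (any(fnmatchcase(a, p.lower()) for p in s.actions)
            and any(fnmatchcase(r.resource_arn, p) for p in s.resources))

def principal_policy_result(policy, r):
    """Identity, SCP, boundary or session policy: 'Deny', 'Allow' or None."""
    out = None
    for s in policy or []:
        if _applies(s, r):
            if s.effect == "Deny":
                return "Deny"
            out = "Allow"
    return out

def resource_policy_result(policy, r):
    """Resource or key policy: 'Deny', 'direct' (caller named), 'delegated'
    (caller's account root named, so IAM policies in that account decide) or None."""
    acct = account_of(r.principal_arn)
    out = None
    for s in policy or []:
        if not _applies(s, r):
            continue
        direct = any(p in ("*", r.principal_arn) for p in s.principals)
        delegated = any(p in (acct, f"arn:aws:iam::{acct}:root") for p in s.principals)
        if not (direct or delegated):
            continue
        if s.effect == "Deny":
            return "Deny"
        out = "direct" if direct else (out or "delegated")
    return out

def evaluate(r, identity=None, resource=None, scp=None, boundary=None, session=None):
    """Return (decision, reason) in the order AWS applies the policy types."""
    res = resource_policy_result(resource, r)
    lanes = {k: principal_policy_result(p, r) for k, p in
             [("identity", identity), ("scp", scp), ("boundary", boundary), ("session", session)]}
    for name, d in [("resource", res), *lanes.items()]:         # 1. explicit deny wins
        if d == "Deny":
            return "Deny", f"explicit deny in {name} policy"
    if scp is not None and lanes["scp"] != "Allow":              # 2. SCP must allow when present
        return "Deny", "implicit deny: no SCP Allow"
    same_account = account_of(r.principal_arn) == r.resource_account
    if same_account and res == "direct":                        # 3. same-account resource grant suffices
        return "Allow", "resource policy grants the principal directly"
    if r.kms and res is None:                                    # 4. key policy gates IAM for KMS
        return "Deny", "implicit deny: key policy neither grants the caller nor delegates to IAM"
    if boundary is not None and lanes["boundary"] != "Allow":    # 5. boundary, then session policy
        return "Deny", "implicit deny: permissions boundary"
    if session is not None and lanes["session"] != "Allow":
        return "Deny", "implicit deny: session policy"
    if lanes["identity"] != "Allow":                             # 6. identity policy
        return "Deny", "implicit deny: no identity policy Allow"
    if not same_account and res is None:                         # 7. cross-account needs both sides
        return "Deny", "implicit deny: resource policy does not grant the cross-account caller"
    return "Allow", "identity policy allows" + ("" if same_account else " and resource policy grants the caller")

# Constructed scenario: a role in account 111... decrypts with a key owned by account 222...
ROLE = "arn:aws:iam::111111111111:role/App"
KEY = "arn:aws:kms:us-east-1:222222222222:key/constructed-key-id"
DECRYPT = Req(ROLE, "kms:Decrypt", KEY, "222222222222", kms=True)
IDENTITY_ALLOW = [Stmt("Allow", ["kms:Decrypt"], [KEY])]
KEY_POLICY_DEFAULT = [Stmt("Allow", ["kms:*"], principals=["arn:aws:iam::222222222222:root"])]
KEY_POLICY_CROSS = KEY_POLICY_DEFAULT + [Stmt("Allow", ["kms:Decrypt"], principals=["arn:aws:iam::111111111111:root"])]
SCP_DENY_DECRYPT = [Stmt("Allow", ["*"]), Stmt("Deny", ["kms:Decrypt"])]
BOUNDARY_S3_ONLY = [Stmt("Allow", ["s3:*"])]

def scenarios():
    return {
        "identity allows, key policy never mentions account 111": evaluate(DECRYPT, IDENTITY_ALLOW, KEY_POLICY_DEFAULT),
        "identity allows, key policy delegates to 111 root": evaluate(DECRYPT, IDENTITY_ALLOW, KEY_POLICY_CROSS),
        "same, but an SCP explicitly denies": evaluate(DECRYPT, IDENTITY_ALLOW, KEY_POLICY_CROSS, scp=SCP_DENY_DECRYPT),
        "same, but the boundary lacks kms": evaluate(DECRYPT, IDENTITY_ALLOW, KEY_POLICY_CROSS, boundary=BOUNDARY_S3_ONLY),
        "key policy names the role, no identity policy": evaluate(
            DECRYPT, None, KEY_POLICY_CROSS + [Stmt("Allow", ["kms:Decrypt"], principals=[ROLE])]),
    }

if __name__ == "__main__":
    for name, (decision, why) in scenarios().items():
        print(f"{decision:5} {name}: {why}")
```

The first scenario is the trap in the table: the identity policy says Allow, the data is encrypted, and the request still fails because the key policy in the owning account never grants or delegates to the caller. Real requests also pass through Condition keys (for example `kms:ViaService` or `aws:PrincipalOrgID`), which this model leaves out.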

| Trap | Better instinct |
|---|---|
| IAM answer without full policy evaluation | Check explicit deny, SCP, boundary, session policy, resource policy, and KMS key policy. |
| Encryption without key access | Encryption is not enough if principals cannot use the key, or if the key policy is so broad that anyone can. |
| Detection with no response | Prefer answers that route findings to owners or automation. |
| Public network by default | Prefer private endpoints, scoped security groups, and the least exposed data path that still meets the requirement. |

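Worked example for the logging lane and the "detection with no response" and "rotating the wrong credential first" traps: detection rules run over CloudTrail records, with every finding tied to the evidence to preserve and the credential actually observed. This is an added example, not part of the original cheat sheet and not a GuardDuty or Security Hub rule; the log records are constructed, while the event names (StopLogging, DeleteTrail, ScheduleKeyDeletion, DeleteFlowLogs, DeleteDetector and so on) and the ASIA/AKIA access key prefixes are real conventions. The burst threshold and window are assumptions.

```python
"""Detection over CloudTrail records: control-plane tampering and AccessDenied
bursts, each tied to the credential that must be contained. Added example;
the records below are constructed, the API names are real."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Calls that weaken logging, detection or encryption, keyed by eventSource.
TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "guardduty.amazonaws.com": {"DeleteDetector"},
}
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}

def load_records(text):
    """CloudTrail log files are JSON with a top-level 'Records' list."""
    return json.loads(text)["Records"]

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _who(rec):
    ui = rec.get("userIdentity", {})
    return ui.get("arn", "unknown"), ui.get("accessKeyId", "")

def detect(records, burst=5, window=timedelta(minutes=5)):
    """Return findings; each carries the eventIDs (evidence) and the access key seen."""
    findings, denied = [], defaultdict(list)
    for rec in records:
        arn, key = _who(rec)
        if rec.get("eventName") in TAMPER.get(rec.get("eventSource"), ()):
            findings.append({"type": "LoggingOrKeyTampering", "severity": "HIGH",
                             "principal": arn, "accessKeyId": key, "eventName": rec["eventName"],
                             "succeeded": "errorCode" not in rec, "eventIDs": [rec["eventID"]]})
        if rec.get("errorCode") in DENIED:
            denied[(arn, key)].append(rec)
    for (arn, key), recs in denied.items():
        recs.sort(key=_ts)
        for i in range(len(recs)):             # sliding window over one credential's denials
            j = i
            while j < len(recs) and _ts(recs[j]) - _ts(recs[i]) <= window:
                j += 1
            if j - i >= burst:
                findings.append({"type": "AccessDeniedBurst", "severity": "MEDIUM",
                                 "principal": arn, "accessKeyId": key, "count": j - i,
                                 "eventIDs": [x["eventID"] for x in recs[i:j]]})
                break                          # one finding per credential
    return findings

def response_plan(finding):
    """Evidence first, then contain the credential that was actually observed."""
    key, steps = finding["accessKeyId"], []
    steps.append(f"preserve: export events {finding['eventIDs']} for {finding['principal']}")
    if key.startswith("ASIA"):      # temporary credentials: rotating a user's key does nothing
        steps.append(f"contain: revoke sessions of the role behind {key} "
                     "(deny policy with an aws:TokenIssueTime condition), then find the source host")
    elif key.startswith("AKIA"):    # long-term IAM user key
        steps.append(f"contain: deactivate {key}, then rotate it")
    else:
        steps.append("contain: identify the credential type before rotating anything")
    if finding["type"] == "LoggingOrKeyTampering" and finding["succeeded"]:
        steps.append(f"recover: reverse {finding['eventName']} and verify logging and key state")
    return steps

def _rec(i, t, src, name, key, err=None):
    """Build one constructed CloudTrail record with the fields the rules read."""
    arn = ("arn:aws:sts::111111111111:assumed-role/App/i-0abc" if key.startswith("ASIA")
           else "arn:aws:iam::111111111111:user/alice")
    r = {"eventID": f"constructed-{i:03d}", "eventTime": t, "eventSource": src,
         "eventName": name, "userIdentity": {"arn": arn, "accessKeyId": key}}
    if err:
        r["errorCode"] = err
    return r

# Constructed log: a role session enumerates IAM (denied 6 times) and then stops the
# trail; an IAM user has two unrelated denials and must not be the one rotated.
SAMPLE_LOG = json.dumps({"Records":
    [_rec(1, "2024-05-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "ASIAEXAMPLE111")]
    + [_rec(2 + k, f"2024-05-01T10:01:{10 * k:02d}Z", "iam.amazonaws.com", "ListUsers",
            "ASIAEXAMPLE111", "AccessDenied") for k in range(6)]
    + [_rec(8, "2024-05-01T10:04:00Z", "cloudtrail.amazonaws.com", "StopLogging", "ASIAEXAMPLE111")]
    + [_rec(9 + k, f"2024-05-01T11:00:{10 * k:02d}Z", "s3.amazonaws.com", "ListBuckets",
            "AKIAEXAMPLE222", "AccessDenied") for k in range(2)]})

if __name__ == "__main__":
    for f in detect(load_records(SAMPLE_LOG)):
        print(f["type"], f["severity"], f["accessKeyId"], f.get("count", ""))
        for step in response_plan(f):
            print("  -", step)
```

The point of `response_plan` is the ordering: evidence is exported before anything is revoked, and the containment step targets the temporary credential of the role session that actually made the calls rather than the nearest IAM user key. In a real deployment the same rules would run from an EventBridge rule or a Security Hub custom action rather than over a file.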

| If the stem says | Start with |
|---|---|
| least privilege, private access, compliance, or audit | identity scope, data boundary, policy enforcement, logging, and ownership |
| least operational effort | managed service, native integration, simple workflow, and fewer moving parts |
| high availability, recovery, or outage | failure domain, recovery objective, health check, rollback, and validation |
| performance, scale, or cost | bottleneck evidence, traffic pattern, sizing, caching, batching, and quotas |
| troubleshoot, diagnose, or investigate | symptom, recent change, logs, metrics, status, dependency, and smallest safe test |

Use IT Mastery for the exact product route, practice status, spaced review when available, and close-answer explanation practice as coverage expands.
Open the exact IT Mastery route here: SCS-C03 on MasteryExamPrep.
Security Specialty answers usually combine identity evaluation, data protection, telemetry, containment, and proof.