AWS SCS-C03 glossary of detection, incident response, encryption terms, traps, and decision cues.

Use this glossary when AWS Certified Security - Specialty (SCS-C03) terms start to blur together. The goal is practical recognition, not encyclopedia coverage.

| Term | Exam meaning |
|---|---|
| SCP | Service control policy that sets account-level permission guardrails in AWS Organizations. |
| Permission boundary | IAM policy that caps the maximum permissions an IAM user or role can receive, regardless of its identity-based policies. |
| KMS key policy | Resource policy controlling who can administer or use a KMS key. |
| GuardDuty | Threat detection service that continuously analyzes AWS telemetry against threat intelligence and reports suspicious activity as findings. |
| Security Hub | Service for aggregating and prioritizing security findings. |
| VPC endpoint | Private path from a VPC to supported AWS services without public internet routing. |

| Pair | How to separate them |
|---|---|
| Identity and access vs Logging and detection | Ask which layer the scenario is testing, then match the answer to that layer only. |
| Control vs evidence | A control changes behavior; evidence proves behavior or supports investigation. |
| Managed service vs custom build | Managed services win for lower operational effort unless the requirement needs unsupported customization. |
| Prevention vs detection | Prevention blocks or reduces a bad event; detection finds or reports that it happened. |

Do not memorize terms in isolation. For each term, write one scenario where it is the best answer, one scenario where it is a distractor, and one signal that proves it worked.