DEV Community

ExamCert.App
ExamCert.App

Posted on

5 SCS-C02 Traps That Catch Almost Everyone (I Failed on Two of Them)

AWS Certified Security - Specialty

5 SCS-C02 Traps That Catch Almost Everyone (I Failed on Two of Them)

I passed the AWS Certified Security - Specialty exam on my second attempt. First attempt, I walked out knowing I'd blown it before the results even loaded — not because I didn't know AWS security, but because the exam is built to punish people who know AWS security in general but haven't sat down and mapped out exactly where each service's responsibility ends and the next one begins.

SCS-C02 has six domains: Threat Detection and Incident Response (~14%), Security Logging and Monitoring (~18%), Infrastructure Security (~20%), Identity and Access Management (~16%), Data Protection (~18%), and Management and Security Governance (~14%). Sixty-five questions, 170 minutes, passing score is 750 out of 1000, and it costs $300 to sit. Nothing about that format tells you where the pain actually is. The pain is in five specific traps that show up over and over in different costumes. Before I get into them, if you want to see how these traps actually look in question form, run through the free SCS-C02 practice test on ExamCert — it's the fastest way to feel the difference between "I know this service" and "I can pick the right service under exam pressure."

Trap 1: GuardDuty vs. Security Hub vs. Detective vs. Macie

This is the single most common source of wrong answers I've seen people report, and I got bit by it too. All four sound like "the security dashboard thing" if you're going in soft.

  • GuardDuty is a threat detection engine. It analyzes VPC Flow Logs, DNS logs, and CloudTrail events, then generates findings — compromised credentials, crypto-mining, unusual API calls.
  • Security Hub is an aggregator and compliance checker. It pulls findings from GuardDuty, Macie, Inspector, and third-party tools into one place, and runs automated checks against standards like CIS AWS Foundations Benchmark or PCI DSS.
  • Detective is for investigation after a finding exists. It builds a graph of API calls, resource interactions, and behavior over time so you can figure out how an incident unfolded.
  • Macie is scoped narrowly to S3 — it uses machine learning to find sensitive data (PII, credentials, financial data) sitting in your buckets.

The exam question pattern: "A finding indicates unusual behavior. What service should you use to determine the full scope of the incident?" If you answer GuardDuty (the thing that made the finding), you're wrong. That's Detective's job.

Trap 2: KMS Key Policies vs. IAM Policies vs. Grants

Encryption questions on this exam aren't really about encryption — they're about permissions layering, and KMS has three ways to grant access that behave differently.

A KMS key's key policy is the root document of trust — without an explicit statement (or a policy that delegates to IAM), nothing can use that key, period, even if an IAM policy says otherwise. IAM policies only work if the key policy allows IAM to govern access (usually via the "Enable IAM User Permissions" statement most keys get by default). Grants are for temporary, programmatic delegation — think an application that needs another principal to use a key for one operation, revocable without touching the key policy.

The trap: a question describes a cross-account scenario where Account B can't decrypt an object encrypted with Account A's KMS key, even though Account B's IAM role has kms:Decrypt in its policy. The fix almost always requires editing the key policy in Account A to add a statement allowing the specific principal from Account B — IAM policies alone can never grant cross-account KMS access. I missed this exact pattern on my first attempt.

Trap 3: Security Groups vs. NACLs (Stateful vs. Stateless)

Everyone "knows" security groups are stateful and NACLs are stateless. The trap is applying that knowledge under time pressure when a question describes asymmetric traffic behavior — inbound works, outbound response doesn't, or vice versa.

Remember: security groups automatically allow return traffic for anything you explicitly allowed in. NACLs do not — you need explicit inbound and outbound rules, including high ephemeral port ranges (1024-65535) for anything initiating a connection from outside the subnet. When a scenario says "clients can connect but never receive a response, and security groups look correct," the answer is almost always a missing NACL ephemeral port rule. This shows up in Infrastructure Security domain questions constantly.

Trap 4: SCPs vs. Permission Boundaries vs. Identity Policies

This is the "effective permissions" trap, and it's brutal because all three mechanisms look similar on paper but operate at completely different scopes.

  • Service Control Policies (SCPs) live in AWS Organizations and set the maximum available permissions for every principal in an account or OU — they never grant anything, only restrict.
  • Permission boundaries are attached to a specific IAM user or role and cap what that identity can do, regardless of what its identity policy says.
  • Identity policies (and resource policies) are the actual grant.

Effective permissions are the intersection of all three. A question will show an IAM policy that clearly allows an action, then ask why the action still fails — the answer is buried in an SCP or a permission boundary the question mentions almost in passing. Read every word of these scenarios; the exam hides the SCP reference in one throwaway sentence.

Trap 5: Incident Response Order of Operations

The Threat Detection and Incident Response domain loves scenarios where a compromised EC2 instance needs handling, and the wrong-but-tempting answer is always "terminate the instance immediately." Don't. The correct sequence, in almost every AWS-flavored incident response question:

  1. Isolate — move the instance to a quarantine security group with no inbound/outbound rules (or a highly restrictive one), preserving network isolation without killing the instance.
  2. Preserve evidence — snapshot the EBS volume and, if needed, capture memory before anything else touches the box.
  3. Investigate — use CloudTrail, VPC Flow Logs, and Detective to reconstruct what happened.
  4. Remediate and rotate — revoke credentials, rotate keys, patch the root cause.
  5. Terminate — only after evidence is preserved.

Terminating first destroys forensic evidence you may need for root-cause analysis or a compliance investigation. The exam rewards the answer that isolates and preserves before anything else.

Where This Actually Gets You

None of these traps require more AWS knowledge than you probably already have. They require slowing down and mapping scope — which service, which policy layer, which order — instead of pattern-matching to the first plausible answer. That's genuinely the hardest adjustment coming from associate-level exams, where the "obviously correct" answer usually is correct.

If you want to pressure-test yourself against scenarios built around exactly these five traps, ExamCert has a full SCS-C02 question bank that's worth running through before you book the real thing. Better to get burned by a practice question than by the $300 real one.

Top comments (0)