AWS Certified Security - Specialty (SCS-C03) Domain 6
Security Foundations and Governance
Official Exam Guide: Domain 6: Security Foundations and Governance
Skill Builder: AWS Certified Security - Specialty Exam Prep
Domain Overview
Domain 6 (14%) focuses on centralized account management, secure deployment strategies, and compliance evaluation.
Task 6.1: Develop strategy for centralized account deployment and management
Key Skills:
- Deploy and configure AWS Organizations
- Implement and manage AWS Control Tower
- Implement organization policies (SCPs, RCPs, AI opt-out)
- Centrally manage security services
- Manage root user credentials
Essential Documentation:
- AWS Organizations User Guide
- AWS Control Tower User Guide
- Service Control Policies (SCPs)
- Resource Control Policies (RCPs)
Task 6.2: Implement secure and consistent deployment strategy
Key Skills:
- Use IaC to deploy resources securely
- Use tags to organize AWS resources
- Deploy and enforce policies from central source
- Securely share resources across accounts
Essential Documentation:
- AWS CloudFormation User Guide
- CloudFormation StackSets
- CloudFormation Guard
- AWS Firewall Manager
- AWS Service Catalog
- AWS Resource Access Manager
Task 6.3: Evaluate compliance of AWS resources
Key Skills:
- Create rules to detect and remediate non-compliant resources
- Use audit services to collect evidence
- Evaluate architecture for compliance
Essential Documentation:
- AWS Config Developer Guide
- AWS Config Conformance Packs
- AWS Security Hub User Guide
- AWS Audit Manager User Guide
- AWS Artifact User Guide
- AWS Well-Architected Tool
- AWS Service FAQs
Study Tips
- Master multi-account strategy - Organizations OUs, SCPs for guardrails, delegated administrators, consolidated billing, RCPs for resources.
- Learn Control Tower - Landing zones, Account Factory, guardrails (preventive/detective), baseline controls, customizations.
- Understand compliance automation - Config rules and conformance packs, Security Hub standards (CIS, PCI-DSS, NIST), Audit Manager frameworks.
- Practice IaC security - CloudFormation Guard for policy-as-code, StackSets for multi-account deployment, cfn-lint for validation.
- Study centralized security - Security Hub as aggregator, GuardDuty delegated administrator, Firewall Manager for WAF/Shield policies.
Complete Exam Summary
Exam Format:
- 65 questions (50 scored + 15 unscored)
- Question types: multiple choice, multiple response, ordering, matching
- Passing score: 750/1000
- 170 minutes
Domain Weightings:
- Domain 1: Detection (16%)
- Domain 2: Incident Response (14%)
- Domain 3: Infrastructure Security (18%)
- Domain 4: Identity and Access Management (20%)
- Domain 5: Data Protection (18%)
- Domain 6: Security Foundations and Governance (14%)
Target Candidate:
- 3-5 years experience securing cloud solutions
- Knowledge of AWS shared responsibility model
- Multi-account governance experience
- Incident response and forensics knowledge
Key AWS Security Services:
- Detection: GuardDuty, Security Hub, Macie, Inspector, Detective
- IAM: IAM, IAM Identity Center, Cognito, STS, Directory Service
- Network: WAF, Shield, Network Firewall, VPC, PrivateLink
- Encryption: KMS, CloudHSM, ACM, Secrets Manager
- Logging: CloudTrail, CloudWatch, VPC Flow Logs, Security Lake
- Compliance: Config, Control Tower, Organizations, Audit Manager
- Compute Security: Systems Manager, EC2 Image Builder
- Governance: Organizations, SCPs, RCPs, Firewall Manager
Key Security Concepts:
- Defense in depth (multiple security layers)
- Least privilege access (IAM policies, SCPs, permissions boundaries)
- Encryption (at rest and in transit)
- Threat detection and response
- Compliance and governance
- Network segmentation
- Identity federation
- Secrets management
- Patch management
- Incident response lifecycle
Study Resources:
- Security Pillar - Well-Architected Framework
- AWS Security & Compliance Architecture
- AWS Security Whitepapers
Good luck with your AWS Certified Security - Specialty certification!
Note: This is Domain 6 of 6, representing 14% of exam content.