AWS Certified Security Specialty Quick Facts (2025)

Exam Domain Breakdown

Domain 1: Threat Detection and Incident Response (14% of the exam)

Task Statement 1.1: Design and implement an incident response plan.

• AWS best practices for incident response
• Cloud incidents
• Roles and responsibilities in the incident response plan
• AWS Security Finding Format (ASFF)
• Implementing credential invalidation and rotation strategies in response to compromises (for example, by using AWS Identity and Access Management [IAM] and AWS Secrets Manager)
• Isolating AWS resources
• Designing and implementing playbooks and runbooks for responses to security incidents
• Deploying security services (for example, AWS Security Hub, Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Detective, AWS IAM Access Analyzer)
• Configuring integrations with native AWS services and third-party services (for example, by using Amazon EventBridge and the ASFF)

1.1 summary: Creating a strong incident response plan in AWS requires both preparation and automation. This section focuses on designing response strategies that assign clear roles and responsibilities while enabling rapid credential management, resource isolation, and log collection. You will explore how AWS services such as Security Hub, GuardDuty, and Detective integrate into workflows, along with the value of formats like the AWS Security Finding Format (ASFF) for consistent, actionable security event data.

The emphasis is on turning proactive planning into practical, operational playbooks and runbooks that simplify complex responses. By learning how to automate these patterns with Lambda, EventBridge, and other tools, you’ll be ready to not only contain threats quickly but also reduce recovery times while maintaining compliance and organizational confidence in your incident strategy.

Task Statement 1.2: Detect security threats and anomalies by using AWS services.

• AWS managed security services that detect threats
• Anomaly and correlation techniques to join data across services
• Visualizations to identify anomalies
• Strategies to centralize security findings
• Evaluating findings from security services (for example, GuardDuty, Security Hub, Macie, AWS Config, IAM Access Analyzer)
• Searching and correlating security threats across AWS services (for example, by using Detective)
• Performing queries to validate security events (for example, by using Amazon Athena)
• Creating metric filters and dashboards to detect anomalous activity (for example, by using Amazon CloudWatch)

1.2 summary: AWS offers a range of services that generate, centralize, and help analyze security findings. This section explores how tools like GuardDuty, Macie, and Config create actionable insights while Detective and Athena provide advanced query and investigation capabilities. You’ll also study the importance of visualizations and dashboards for identifying anomalies and trends.

A key takeaway is learning how to correlate data across multiple services to uncover hidden or complex attack patterns. By applying anomaly detection, filtering, and alerting strategies, you will improve visibility into cloud workloads and achieve a more comprehensive detection posture that is ready for enterprise operations.

Task Statement 1.3: Respond to compromised resources and workloads.

• AWS Security Incident Response Guide
• Resource isolation mechanisms
• Techniques for root cause analysis
• Data capture mechanisms
• Log analysis for event validation
• Automating remediation by using AWS services (for example, AWS Lambda, AWS Step Functions, EventBridge, AWS Systems Manager runbooks, Security Hub, AWS Config)
• Responding to compromised resources (for example, by isolating Amazon EC2 instances)
• Investigating and analyzing to conduct root cause analysis (for example, by using Detective)
• Capturing relevant forensics data from a compromised resource (for example, Amazon EBS volume snapshots, memory dump)
• Querying logs in Amazon S3 for contextual information related to security events (for example, by using Athena)
• Protecting and preserving forensic artifacts (for example, by using S3 Object Lock, isolated forensic accounts, S3 Lifecycle, and S3 replication)
• Preparing services for incidents and recovering services after incidents

1.3 summary: Responding to compromised AWS resources requires fast action combined with careful evidence collection for root cause analysis. This section teaches isolation techniques for services like EC2 and emphasizes structured investigation methods using Detective, log queries with Athena, and forensics data capture such as snapshots or memory dumps.

Just as important, you’ll explore how to ensure the preservation of forensic artifacts for compliance or analysis, with lifecycle policies and replication in S3. You’ll also learn how to automate remediation while preparing services for continued availability. The ultimate goal is designing workflows that contain threats quickly while maintaining forensic integrity and restoring operations smoothly.

Domain 2: Security Logging and Monitoring (18% of the exam)

Task Statement 2.1: Design and implement monitoring and alerting to address security events.

• AWS services that monitor events and provide alarms (for example, CloudWatch, EventBridge)
• AWS services that automate alerting (for example, Lambda, Amazon SNS, Security Hub)
• Tools that monitor metrics and baselines (for example, GuardDuty, Systems Manager)
• Analyzing architectures to identify monitoring requirements and sources of data for security monitoring
• Analyzing environments and workloads to determine monitoring requirements
• Designing environment monitoring and workload monitoring based on business and security requirements
• Setting up automated tools and scripts to perform regular audits (for example, by creating custom insights in Security Hub)
• Defining the metrics and thresholds that generate alerts

2.1 summary: Effective monitoring in AWS focuses on aligning alarms and metrics with both business security needs and technical architectures. This section introduces critical services such as CloudWatch, EventBridge, and Security Hub that deliver alerting and event visibility. You will learn to analyze workloads for monitoring requirements and identify the most relevant sources of data.

Beyond setup, emphasis is placed on automation, including creating insights and dashboards that reduce the need for manual oversight. By designing proactive thresholds and using scalable automation mechanisms like Lambda and SNS, security teams can stay ahead of issues while receiving timely, actionable alerts.

Task Statement 2.2: Troubleshoot security monitoring and alerting.

• Configuration of monitoring services (for example, Security Hub)
• Relevant data that indicates security events
• Analyzing the service functionality, permissions, and configuration of resources after an event that did not provide visibility or alerting
• Analyzing and remediating the configuration of a custom application that is not reporting its statistics
• Evaluating logging and monitoring services for alignment with security requirements

2.2 summary: Sometimes alerts do not appear as expected, and this section addresses how to troubleshoot monitoring systems for accuracy and reliability. Focus areas include properly configuring Security Hub and verifying that permissions and service roles allow logs and alerts to flow correctly. You’ll learn to identify gaps in visibility after an event and take steps to correct them.

The remediation process extends beyond AWS-managed services to include custom applications that may not be reporting statistics properly. By evaluating alignment with security requirements, you will ensure that monitoring coverage is comprehensive, reliable, and capable of scaling with workload requirements.

Task Statement 2.3: Design and implement a logging solution.

• AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, AWS CloudTrail, Amazon CloudWatch Logs)
• Attributes of logging capabilities (for example, log levels, type, verbosity)
• Log destinations and lifecycle management (for example, retention period)
• Configuring logging for services and applications
• Identifying logging requirements and sources for log ingestion
• Implementing log storage and lifecycle management according to AWS best practices and organizational requirements

2.3 summary: Logs form the foundation of strong security monitoring, and this section helps you design a solution tailored to workload and compliance requirements. You’ll learn to configure sources like VPC Flow Logs, DNS Logs, and CloudTrail, while managing log verbosity, frequency, and retention. From there, you’ll set destinations for reliable collection and analysis.

A second focus is lifecycle management. Implementing cost-effective and compliant retention strategies ensures the right logs are available when needed. By determining ingestion requirements and applying AWS best practices for log storage, organizations can maximize both visibility and operational efficiency while controlling costs.

Task Statement 2.4: Troubleshoot logging solutions.

• Capabilities and use cases of AWS services that provide data sources (for example, log level, type, verbosity, cadence, timeliness, immutability)
• AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, CloudTrail, CloudWatch Logs)
• Access permissions that are necessary for logging
• Identifying misconfiguration and determining remediation steps for absent access permissions that are necessary for logging (for example, by managing read/write permissions, S3 bucket permissions, public access, and integrity)
• Determining the cause of missing logs and performing remediation steps

2.4 summary: When logs are incomplete or missing, it is vital to troubleshoot configuration, permissions, and service functionality. This section highlights how AWS logging services operate and what access permissions are required. You’ll identify common misconfigurations such as public access to S3 log buckets or inappropriate write policies and learn structured ways to resolve them.

Additionally, you’ll develop skills to trace the cause of absent or partial logging across different services. Proper analysis of logging sources and permissions ensures not only compliance but also reliable data for incident investigations and proactive threat detection.

Task Statement 2.5: Design a log analysis solution.

• Services and tools to analyze captured logs (for example, Athena, CloudWatch Logs filter)
• Log analysis features of AWS services (for example, CloudWatch Logs Insights, CloudTrail Insights, Security Hub insights)
• Log format and components (for example, CloudTrail logs)
• Identifying patterns in logs to indicate anomalies and known threats
• Normalizing, parsing, and correlating logs

2.5 summary: Log analysis transforms raw data into security insights. This section covers services like Athena and CloudWatch Logs Insights that allow teams to query, visualize, and identify meaningful patterns. You’ll examine normal traffic alongside anomalous behaviors that might reflect a threat.

The focus also includes normalization, parsing, and correlation across multi-service logs. By integrating logs from services such as Security Hub and CloudTrail, you create contextualized insights that enrich investigations and boost early threat identification.