aws-security-specialty
Install: claude install-skill toddkasper/expert-skills
# AWS Certified Security – Specialty (SCS-C03) — Skills Reference
## Overview
Operational playbook for AWS security work. Each section states the rule to apply: decision criteria, concrete limits, anti-patterns, and verification steps. **Verify against the live account** — effective permissions result from combining multiple policy types, and a single missing allow or extra deny changes the outcome. Benchmarked against AWS Security – Specialty (SCS-C03, December 2025).
> **Load this skill when…** designing or reviewing IAM policies, permission boundaries, SCPs, or RCPs; configuring threat detection (GuardDuty, Security Hub CSPM, Detective, Security Lake); implementing KMS encryption strategy or Secrets Manager rotation; auditing network defenses (WAF, Shield, PrivateLink, NACLs) or building IR/containment automation.
> **Not this skill:** pipeline/IaC delivery → see `aws-devops-engineer-professional`; enterprise architecture trade-offs → see `aws-solutions-architect-professional`.
> **Study resources, SCS-C02→SCS-C03 changes, and credential logistics:** [references/study-resources.md](references/study-resources.md).
> **Verify steps** — use your project's MCP/automation, the AWS CLI (`aws`) or CloudShell, or the Console, in that order.
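
The Overview's point that effective permissions come from combining policy types, sketched as an added example (not part of this skill or of any AWS tooling): a simplified evaluator for a same-account request with no resource-based or session policy. The `evaluate` function, the sample policies and the bucket name are constructed for illustration, and `Condition`, `Principal` and `NotAction` are ignored.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action, resource):
    # fnmatch stands in for IAM's * and ? wildcards (assumption of this sketch).
    # IAM action names are case-insensitive; resource ARNs are matched as written.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _has(policy, effect, action, resource):
    return any(s["Effect"] == effect and _covers(s, action, resource)
               for s in policy["Statement"])

def evaluate(action, resource, identity, boundary=None, scp=None, rcp=None):
    """Return (decision, reason) for one request under the simplified model:
    same account, identity-based access only, layers passed as None are not attached."""
    layers = [("SCP", scp), ("RCP", rcp),
              ("permissions boundary", boundary), ("identity policy", identity)]
    attached = [(name, pol) for name, pol in layers if pol is not None]
    # 1. An explicit deny in any attached policy ends evaluation.
    for name, pol in attached:
        if _has(pol, "Deny", action, resource):
            return "DENY", f"explicit deny in {name}"
    # 2. Otherwise every attached layer must contain a matching allow.
    for name, pol in attached:
        if not _has(pol, "Allow", action, resource):
            return "DENY", f"implicit deny: no allow in {name}"
    return "ALLOW", "allowed by every attached layer"

# Constructed sample policies (not taken from any real account).
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                           "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"  # constructed ARN
    for act, res in [("s3:GetObject", bucket + "/report.csv"),
                     ("s3:PutObject", bucket + "/report.csv"),
                     ("s3:DeleteBucket", bucket)]:
        print(act, evaluate(act, res, IDENTITY, BOUNDARY, SCP))
```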
---
## Uncertainty & Escalation
- **Always re-verify live — volatile facts:** Shield Advanced pricing `[volatile — verify live]`, GuardDuty finding type catalog (new finding families added quarterly) `[volatile — verify live]`, IAM Acce