Four AWS security services changed in a single week. Here is what SAA-C03 and SCS-C03 candidates need to know.

By ReadRoost Team, July 5, 2026
If you sat SAA-C03 in March or earlier, four of the AWS security services the exam tests you on now behave differently than your practice tests say they do. None of these are quiet back-end changes. They are visible new features that landed between 25 June and 02 July 2026, and a question writer building the next refresh has every reason to use one. I went through the AWS What's New feed and pulled the four launches that actually matter for SAA-C03 and SCS-C03 candidates, with the official links so you can verify them yourself. The short version: GuardDuty got three new findings with MITRE mapping, Security Hub CSPM picked up a 31-control AI Security standard, AWS Artifact shipped an AI assistant for compliance questionnaires, and Network Firewall added managed rules from a third-party threat-intel vendor.

GuardDuty Runtime Monitoring now catches three new file-modification findings

Announced 01 July 2026. GuardDuty Runtime Monitoring picked up three new threat-detection findings that fire when an attacker modifies critical files on an EC2 instance or on a workload running in EKS or ECS. The new finding names are Persistence:Runtime/SensitiveFileModified, PrivilegeEscalation:Runtime/SensitiveFileModified, and DefenseEvasion:Runtime/SensitiveFileModified. Each maps to a MITRE ATT&CK tactic and comes with a remediation recommendation.

What you actually need to remember for the exam: the findings are correlation-based (not raw command-line matches), they cover five file operations (open-for-write, rename, symlink, link and unlink), and they only appear once GuardDuty Runtime Monitoring is enabled on the relevant compute. A 30-day free trial is available if you have not turned it on yet.

If your study notes describe GuardDuty as a network- and account-anomaly service, that is now underselling it. For SCS-C03 specifically, expect a question that asks you to choose between GuardDuty, Security Hub and Detective for post-compromise file-modification detection. The right answer is GuardDuty Runtime Monitoring, and it has just got sharper.
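To make the three finding types concrete, here is an added example (not from the article or from AWS): an EventBridge event pattern that selects them, evaluated in Python against constructed sample events. The `matches` helper is a simplified stand-in for EventBridge's own matching, and the sample finding IDs and resource types are made up for illustration.

```python
# The three finding types named in the article.
NEW_TYPES = [
    "Persistence:Runtime/SensitiveFileModified",
    "PrivilegeEscalation:Runtime/SensitiveFileModified",
    "DefenseEvasion:Runtime/SensitiveFileModified",
]

# EventBridge pattern; source and detail-type are the values GuardDuty
# uses for finding events.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": NEW_TYPES},
}

def matches(pattern, event):
    """Simplified matcher: exact-value lists and nested objects only."""
    for key, want in pattern.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif have not in want:
            return False
    return True

def triage(events):
    """Return (tactic, resource type, finding id) per matching event."""
    hits = []
    for ev in events:
        if matches(EVENT_PATTERN, ev):
            d = ev["detail"]
            tactic = d["type"].split(":", 1)[0]  # ThreatPurpose prefix
            hits.append((tactic, d.get("resource", {}).get("resourceType"), d.get("id")))
    return hits

def _ev(ftype, rtype, fid, source="aws.guardduty"):
    return {"source": source, "detail-type": "GuardDuty Finding",
            "detail": {"id": fid, "type": ftype, "resource": {"resourceType": rtype}}}

# Constructed sample events (IDs and resources are made up).
SAMPLE_EVENTS = [
    _ev("Persistence:Runtime/SensitiveFileModified", "Instance", "sample-1"),
    _ev("Recon:EC2/PortProbeUnprotectedPort", "Instance", "sample-2"),
    _ev("DefenseEvasion:Runtime/SensitiveFileModified", "EKSCluster", "sample-3"),
    _ev("PrivilegeEscalation:Runtime/SensitiveFileModified", "Instance", "sample-4", source="custom.app"),
]
```

Only the two events that come from `aws.guardduty` and carry one of the three new types pass the pattern; the port-probe finding and the look-alike event from another source are dropped.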

Security Hub CSPM shipped an AI Security Best Practices standard

Announced 30 June 2026. Security Hub CSPM (the cloud security posture management side of Security Hub, not the aggregation side) now ships a new control standard called AI Security Best Practices, with 31 controls covering AI workloads. It is generally available in every AWS Region where Security Hub CSPM runs, including GovCloud and China, and the standard identifier is standards/ai-security-best-practices/v/1.0.0.

If you are sitting SAA-C03, the framing matters more than the controls. The exam blueprint now lists generative AI as a tested domain. A question like "which AWS service gives you continuous configuration checks against AI workload best practices" lands on Security Hub CSPM with this standard enabled. Before 30 June, the closest answer would have been Config rules. After 30 June, it is Security Hub.

SCS-C03 is where this lands hardest. The Security Specialty blueprint has been quietly tilting toward AI workload security for two exam refreshes. A specific AI Security standard with a documented control set is exactly the kind of thing an SCS-C03 question setter can build a scenario around. Read the standard page in the AWS docs the night before the exam, not on the morning of, and you will pick up the three or four control families (data access, model access, inference logging, training data isolation) that tend to show up.

AWS Artifact gained an AI assistant for compliance questionnaires

Announced 01 July 2026. AWS Artifact now includes Assurance Assistant, an AI-powered capability that answers security and compliance questions about AWS services with citations back to AWS compliance documentation. It supports single-question mode for on-screen answers and questionnaire-upload mode that processes XLSX files including CAIQ, SIG and custom DDQs.

For SAA-C03 the headline is the model: it is the same Bedrock-backed pattern you have seen in Q, Amazon Q for Business and the AWS DevOps Agent. If a question asks about a service that helps third-party risk teams complete vendor assessments faster, Artifact with Assurance Assistant is now a defensible answer alongside Audit Manager.

For SCS-C03, two new IAM managed policies land with the launch: AWSArtifactComplianceInquiriesReadOnlyAccess and AWSArtifactComplianceInquiriesFullAccess. If you get a least-privilege question that mentions compliance questionnaires, those policies are the specific lever to name.

Network Firewall added a third managed-rules vendor (VisionHeight)

Announced 25 June 2026. AWS Network Firewall now supports managed rule groups from VisionHeight, sold through AWS Marketplace. The two new groups are Zero-Day Threat Protection and Noisy Scanners and Tor Protection. VisionHeight joins an existing list that already includes Check Point, Fortinet, Infoblox, Lumen, Rapid7, ThreatSTOP and Trend Micro.

SAA-C03 question setters love "which AWS service supports managed rule groups from third-party vendors" questions. The right answer has been AWS Network Firewall for a while, and the vendor list keeps growing. Memorise the pattern, not the vendor list. The exam tests the architecture, not the specific vendors.

There was also a separate Network Firewall change on 22 June worth knowing about: the default stateful action for newly created firewall policies changed from "Application drop established (bidirectional)" to "Application drop established (server-directed only)". The old default could silently drop legitimate server-to-client TCP packets like window updates and keep-alives, which caused connection failures that were horrible to debug. If you are asked why a new Network Firewall policy behaves better than a six-month-old one, the default-action change is the answer.

What to do this week if you are sitting in the next 8 weeks

Run through your current notes for SAA-C03 Domain 3 (Security) and Domain 4 (Resilient Architectures), and for SCS-C03 Domain 2 (Security Logging and Monitoring) and Domain 5 (Data Protection). Anywhere the notes say "GuardDuty detects X" or "Security Hub standard Y exists", cross-check the AWS documentation page for that service. The four changes above are the only structural shifts in this period, but they sit on top of smaller updates that have shipped since the start of the year.

If you have a ReadRoost practice attempt booked this week, do it before you read this article. Then do another one after. The point of the second pass is to feel the difference between "I had to guess" and "I knew that one" on the AI Security Best Practices standard and the three new GuardDuty findings. That gap is the score lift you are chasing.

For SCS-C03 candidates who parked study last quarter: the SCS-C03 blueprint has been quietly refreshed twice this year. Pull the current exam guide PDF, compare it to the one you used to study from, and update anything tied to GuardDuty, Security Hub or Artifact first. Those three services moved. The rest of the blueprint is stable.

What to do if you are not sitting soon

If you are more than three months out from the exam, do not chase every AWS What's New post. Add a single monthly check to your study plan: open the AWS What's New feed, filter to Security, Identity and Compliance, and read the items published since your last check. Most of them will not affect your exam. The ones that do will surface quickly because they name a specific finding, standard or rule group, and that is what questions are built from.

AWS publishes a lot. Most of it is not your problem yet. The four changes above are your problem if you are sitting before September.

Frequently Asked Questions

Did the SAA-C03 blueprint change on 01 July 2026?

No. The SAA-C03 blueprint itself was not refreshed on this date. AWS added new features to existing services that the blueprint already references (GuardDuty, Security Hub, Artifact, Network Firewall), which is why these matter for candidates studying now. The blueprint typically refreshes once or twice a year.

Should I re-buy a study guide if my book is from 2025?

Not necessarily. The four changes above are all recent and most 2025 study guides will not cover them, but you can read the AWS documentation for each service and add notes. The exam blueprint itself has been stable enough through 2026 that older study material remains useful as long as you patch in current AWS feature news. ReadRoost updates its question bank when a feature shift like GuardDuty SensitiveFileModified or the AI Security Best Practices standard lands.

Is Security Hub CSPM the same service as AWS Security Hub?

Yes, mostly. AWS Security Hub is the umbrella service. CSPM (Cloud Security Posture Management) is the part that runs continuous configuration checks against standards. The new AI Security Best Practices standard is a CSPM standard. If a question asks about continuous compliance checks against best-practice controls, the answer is Security Hub CSPM.

What is the difference between GuardDuty Runtime Monitoring and the original GuardDuty?

Original GuardDuty watches AWS CloudTrail, VPC flow logs and DNS logs for account- and network-level anomalies. Runtime Monitoring is an opt-in add-on that watches system-level activity on EC2 instances and on containers running in EKS or ECS. The new file-modification findings are Runtime Monitoring findings. SAA-C03 typically asks about GuardDuty as a single service; SCS-C03 asks you to choose between Runtime Monitoring and account-level GuardDuty for specific scenarios.

Do I need to know the specific VisionHeight rule groups for the exam?

No. You need to know that Network Firewall supports managed rule groups from third-party vendors and that you can subscribe to them through AWS Marketplace. Vendor names appear in questions as "a vendor such as X" rather than "specifically this vendor". Memorise the architecture, not the catalogue.
