
AWS CLF-C02 Domain 2: Security and Compliance

Posted on May 23, 2026, May 26, 2026 By Hiroko Nishimura

The second of the four domains in the AWS Certified Cloud Practitioner Exam (AWS CLF-C02) is “Security and Compliance.” This domain makes up 30% of the scored content.

If you want to follow along with my online course, “AWS Certified Cloud Practitioner (CLF-C02) Cert Prep,” you can access the course here: LinkedIn Learning.

Don’t forget to download my unofficial study guide, as well as AWS’s official study guide!

Security and Compliance

As you might imagine, security and compliance are important pillars of creating and maintaining a well-secured, safe, and functional IT infrastructure. The rules change a little bit when you have resources hosted on cloud computing platforms instead of on-site, which makes the security and compliance domain of the exam an important area to understand.

2.1: Understand the AWS Shared Responsibility Model

AWS Shared Responsibility Model

The AWS Shared Responsibility Model asserts that security and compliance on the AWS Cloud is a shared responsibility between AWS and the customer. “Who’s responsible for this part of your AWS infrastructure’s security?” is one of the common questions on the exam.

  • AWS is responsible for security OF the Cloud
  • Customer is responsible for security IN the Cloud
  • Responsibilities shift between AWS and customer depending on the services used
  • Both AWS and the customer are responsible for training and educating

2.2: Understand AWS Cloud security, governance, and compliance concepts

AWS Cloud Security, Governance, and Compliance Concepts

  • You need to encrypt data in transit (while it’s moving from one place to another) and at rest (while it’s residing in a location)
  • Governance is the process of creating and enforcing decisions within an organization
  • Compliance requirements vary depending on the AWS service being used, as well as on industries and geographic locations
    • AWS Compliance Programs

Security in the Cloud

Security in the Cloud consists of concepts in the Security Pillar of the Well-Architected Framework that we learned about in Domain 1.

  • Identity and access management
  • Detective controls
  • Infrastructure protection
  • Data protection, and
  • Incident response

Services to Secure Resources on AWS

  • Amazon Inspector
  • AWS Security Hub
  • Amazon GuardDuty
  • AWS Shield

Services for Governance and Compliance:

  • Amazon CloudWatch
  • AWS CloudTrail
  • AWS Audit Manager
  • AWS Config
  • AWS Artifact

2.3: Identify AWS access management capabilities

Identity and Access Management (IAM)

Identity and Access Management (IAM) and IAM Identity Center provide granular control over permissions for identities, generally dealing with defining WHO has access to WHAT.

  • Access keys, password policies, credential storage (AWS Secrets Manager, AWS Systems Manager)

Authentication Methods in AWS

There are multiple ways to authenticate users/resources/etc. in AWS, such as:

  • MFA (Multi-Factor Authentication)
  • IAM Identity Center (AWS Single Sign-On)
  • Cross-account IAM roles
  • Federated Users

Root User Account

When you create an AWS account, that account is a root user account. This account should not be utilized unless absolutely necessary. Make sure you secure it with MFA, and learn what specific tasks you need the root account for.

Principle of Least Privilege

The Principle of Least Privilege asserts that, for maximum security, you should give an entity only the minimum access it needs to perform its tasks. Basically, any bot, resource, or human should be able to access only what is absolutely necessary to complete their work, no more and no less.

In AWS, you can utilize groups, users, custom policies, and managed policies in compliance with the Principle of Least Privilege.

2.4: Identify components and resources for security

  • You can utilize network access control lists (NACLs) and security groups to control the traffic coming in and out of your resources (compare NACLs vs security groups)
  • There are third-party security products (provided by other companies) on the AWS Marketplace

Security-Related Documentation on AWS

You can find AWS’s security-related information and documentation at:

  • AWS Knowledge Center
  • AWS Security Center
  • AWS Security Blog

Security Services

AWS has many security services to help you protect your infrastructure on the AWS Cloud.

  • AWS WAF
  • Amazon Inspector
  • AWS Shield
  • Amazon GuardDuty
  • AWS Firewall Manager
  • AWS Trusted Advisor

You can get started on learning about the security and compliance services on the AWS Security and Compliance Services page!

Next Domain: Cloud Technology and Services
Go back to AWS CLF-C02 Exam Guide
