The second of the four domains in the AWS Certified Cloud Practitioner Exam (AWS CLF-C02) is “Security and Compliance.” This domain makes up 30% of the scored content.
If you want to follow along with my online course, “AWS Certified Cloud Practitioner (CLF-C02) Cert Prep,” you can access the course here: LinkedIn Learning.
Don’t forget to download my unofficial study guide, as well as AWS’s official study guide!
Security and Compliance
2.1: Understand the AWS Shared Responsibility Model
AWS Shared Responsibility Model (source):
- AWS is responsible for security OF the Cloud
- Customer is responsible for security IN the Cloud
- Responsibilities shift between AWS and customer depending on the services used
- Both AWS and the customer are responsible for training and educating
2.2: Understand AWS Cloud security, governance, and compliance concepts
- Compliance requirements change depending on industries and geographic locations, which AWS accounts for with dozens of compliance programs (source)
- You need to encrypt data in transit (while it’s moving from one place to another) and at rest (while it’s residing in a location)
- Governance is the process of creating and enforcing decisions within an organization
- Security in the Cloud is composed of identity and access management, detective controls, infrastructure protection, data protection, and incident response (Security Pillar of the Well-Architected Framework)
- There are many services to help you secure resources on AWS, like Amazon Inspector, AWS Security Hub, Amazon GuardDuty, and AWS Shield
- AWS Artifact helps you locate on-demand compliance information relevant to your IT infrastructure
- There are many services that aid in governance and compliance like Amazon CloudWatch, AWS CloudTrail, AWS Audit Manager, and AWS Config
- Compliance requirements vary depending on the AWS service being used
2.3: Identify AWS access management capabilities
- Identity and Access Management (IAM) and IAM Identity Center provide granular control over permissions for identities, generally dealing with defining WHO has access to WHAT
- Principle of Least Privilege (source): give an entity only the least amount of access it needs to perform its tasks
- Utilize groups, users, custom policies, and managed policies in compliance with the Principle of Least Privilege
- There are multiple ways of authentication in AWS such as MFA, IAM Identity Center, cross-account IAM roles, federated users
- When you create an AWS account, that account is a root user account, which should not be utilized unless absolutely necessary (make sure to secure it with MFA). Know how to secure it and which specific tasks require the root account
- Know about access keys, password policies, and credential storage (AWS Secrets Manager, AWS Systems Manager)
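The least-privilege and policy bullets above are easier to remember with a concrete picture of how IAM decides a request. The following is an added example, not code from the study guide or from AWS: a small simulation of IAM's basic policy evaluation (implicit deny by default, explicit Deny wins over any Allow, `*` wildcards in Action and Resource) plus a check that flags over-broad Allow statements. It assumes policies written as Python dicts in the IAM JSON shape and models only Effect, Action and Resource (no Conditions, NotAction, or resource-based policies); the bucket name and policies are constructed sample data.

```python
"""Added example: simulate IAM identity-based policy evaluation and
lint for statements that violate least privilege. Not the AWS engine;
only Effect / Action / Resource are modelled."""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM allows a single string or a list in Action / Resource / Statement.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM action names are case-insensitive; ARNs are compared as written.
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across all attached policies.

    Rules modelled: everything is denied unless a statement allows it, and a
    matching explicit Deny overrides every Allow, wherever it appears.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, fold_case=True):
                continue
            if not _matches(stmt.get("Resource", []), resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins
            allowed = True             # keep scanning: a later Deny may still apply
    return "Allow" if allowed else "Deny"   # implicit deny


def overly_broad_statements(policy):
    """Indices of Allow statements granting '*' or 'service:*' on Resource '*'.

    Such statements are the usual least-privilege violation: a custom policy
    should name the actions and the ARNs (or ARN prefixes) actually needed.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources:
            findings.append(index)
    return findings


# Constructed sample policies (bucket name is a placeholder, not a real bucket).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports-bucket/reports/*",
    }],
}
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}],
}

if __name__ == "__main__":
    report = "arn:aws:s3:::example-reports-bucket/reports/q1.csv"
    print(evaluate([LEAST_PRIVILEGE_POLICY], "s3:GetObject", report))      # Allow
    print(evaluate([LEAST_PRIVILEGE_POLICY], "s3:DeleteObject", report))   # Deny (implicit)
    print(evaluate([BROAD_POLICY, DENY_DELETE_POLICY], "s3:DeleteObject", report))  # Deny (explicit)
    print(overly_broad_statements(BROAD_POLICY))                            # [0]
```

Running the script shows the three outcomes the exam expects you to know: a request nobody allowed is denied, a scoped Allow only covers the named ARN prefix, and an explicit Deny attached anywhere overrides the broadest Allow.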
2.4: Identify components and resources for security
- You can utilize network access control lists (NACLs) and security groups to control the traffic coming in and out of your resources (compare NACLs vs security groups)
- There are many security services that help you protect your infrastructure, like AWS WAF, Amazon Inspector, AWS Shield, and Amazon GuardDuty
- There are third-party security products (provided by other companies) on the AWS Marketplace
- You can find AWS security-related information in AWS Knowledge Center, AWS Security Center, AWS Security Blog, etc.
- You can utilize AWS Trusted Advisor to identify security issues
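The "compare NACLs vs security groups" bullet is a frequent exam question, and the differences are clearest when you watch both filters handle the same traffic. The following is an added example, not code from the study guide or from AWS: a simulation of the two rule-evaluation models. It models a security group as stateful and allow-only (all rules are checked, and return traffic for an allowed connection passes automatically) and a network ACL as stateless with numbered allow/deny rules evaluated lowest number first, ending in an implicit deny. Rules match on direction, protocol and port only (CIDR matching is left out), and the HTTPS exchange, ports and rule numbers are constructed sample data.

```python
"""Added example: security group (stateful, allow-only) versus network ACL
(stateless, ordered allow/deny) evaluation on the same packets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    flow: str        # identifies the TCP connection this packet belongs to
    direction: str   # "inbound" (toward the instance) or "outbound" (away from it)
    protocol: str
    port: int        # destination port of this packet


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also say "deny"; security groups cannot
    number: int = 0         # NACL rule number; ignored by security groups

    def matches(self, pkt):
        return (self.direction == pkt.direction and self.protocol == pkt.protocol
                and self.port_from <= pkt.port <= self.port_to)


class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic is allowed too."""

    def __init__(self, rules):
        assert all(r.action == "allow" for r in rules), "security groups have no deny rules"
        self.rules = rules
        self._tracked_flows = set()

    def allows(self, pkt):
        if pkt.flow in self._tracked_flows:
            return True                      # connection tracking lets the reply through
        if any(r.matches(pkt) for r in self.rules):   # order does not matter
            self._tracked_flows.add(pkt.flow)
            return True
        return False                         # no allow rule: dropped


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the ordered rules."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt):
        for rule in self.rules:              # lowest-numbered matching rule decides
            if rule.matches(pkt):
                return rule.action == "allow"
        return False                         # the implicit '*' deny rule


# Constructed HTTPS exchange: a client connects to port 443 and the server replies
# to the client's ephemeral port on the same connection.
REQUEST = Packet("client1->web:443", "inbound", "tcp", 443)
RESPONSE = Packet("client1->web:443", "outbound", "tcp", 50123)
SSH_ATTEMPT = Packet("client2->web:22", "inbound", "tcp", 22)

WEB_SG = SecurityGroup([Rule("inbound", "tcp", 443, 443)])
NACL_NO_RETURN_RULE = NetworkAcl([Rule("inbound", "tcp", 443, 443, "allow", 100)])
NACL_WITH_RETURN_RULE = NetworkAcl([
    Rule("inbound", "tcp", 443, 443, "allow", 100),
    Rule("outbound", "tcp", 1024, 65535, "allow", 100),   # ephemeral ports for replies
])
NACL_ORDERED_DENY = NetworkAcl([
    Rule("inbound", "tcp", 22, 22, "deny", 50),          # matches first for port 22
    Rule("inbound", "tcp", 0, 65535, "allow", 100),
    Rule("outbound", "tcp", 1024, 65535, "allow", 100),
])


def exchange_result(filter_obj):
    """(request allowed, response allowed) for the HTTPS exchange through one filter."""
    return (filter_obj.allows(REQUEST), filter_obj.allows(RESPONSE))


if __name__ == "__main__":
    print("security group:", exchange_result(WEB_SG))                 # (True, True)
    print("NACL, no outbound rule:", exchange_result(NACL_NO_RETURN_RULE))    # (True, False)
    print("NACL, ephemeral allowed:", exchange_result(NACL_WITH_RETURN_RULE))  # (True, True)
    print("NACL deny rule 50 for port 22:", NACL_ORDERED_DENY.allows(SSH_ATTEMPT))  # False
```

The second case is the classic mistake: the request reaches the instance but the reply is dropped by the stateless NACL because no outbound rule covers the client's ephemeral port. The last case shows the other difference, that a NACL can explicitly deny and that a lower-numbered deny beats a higher-numbered allow, something a security group cannot express.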
Next Domain: Cloud Technology and Services