Content Domain 6: Security and Compliance - AWS Certification

Task Statement 6.1: Implement techniques for identity and access management at scale.

Knowledge of:

  • Appropriate usage of different IAM entities for human and machine access (for example, users, groups, roles, identity providers, identity-based policies, resource-based policies, session policies)

  • Identity federation techniques (for example, using IAM identity providers and AWS IAM Identity Center)

  • Permission management delegation by using IAM permissions boundaries

  • Organizational SCPs

Skills in:

  • Designing policies to enforce least privilege access

  • Implementing role-based and attribute-based access control patterns

  • Automating credential rotation for machine identities (for example, AWS Secrets Manager)

  • Managing permissions to control access to human and machine identities (for example, enabling multi-factor authentication [MFA], AWS Security Token Service [AWS STS], IAM profiles)

Task Statement 6.2: Apply automation for security controls and data protection.

Knowledge of:

  • Network security components (for example, security groups, network ACLs, routing, AWS Network Firewall, AWS WAF, AWS Shield)

  • Certificates and public key infrastructure (PKI)

  • Data management (for example, data classification, encryption, key management, access controls)

Skills in:

  • Automating the application of security controls in multi-account and multi-Region environments (for example, AWS Security Hub, AWS Organizations, AWS Control Tower, AWS Systems Manager)

  • Combining security controls to apply defense in depth (for example, AWS Certificate Manager [ACM], AWS WAF, AWS Config, AWS Config rules, Security Hub, Amazon GuardDuty, security groups, network ACLs, Amazon Detective, Network Firewall)

  • Automating the discovery of sensitive data at scale (for example, Amazon Macie)

  • Encrypting data in transit and data at rest (for example, AWS Key Management Service [AWS KMS], AWS CloudHSM, ACM)

Task Statement 6.3: Implement security monitoring and auditing solutions.

Knowledge of:

  • Security auditing services and features (for example, AWS CloudTrail, AWS Config, VPC Flow Logs, AWS CloudFormation drift detection)

  • AWS services for identifying security vulnerabilities and events (for example, GuardDuty, Amazon Inspector, IAM Access Analyzer, AWS Config)

  • Common cloud security threats (for example, insecure web traffic, exposed AWS access keys, S3 buckets with public access enabled or encryption disabled)

Skills in:

  • Implementing robust security auditing

  • Configuring alerting based on unexpected or anomalous security events

  • Configuring service and application logging (for example, CloudTrail, Amazon CloudWatch Logs)

  • Analyzing logs, metrics, and security findings