Content Domain 2: Security and Compliance - AWS Certification
Task Statement 2.1: Understand the AWS shared responsibility model.Task Statement 2.2: Understand AWS Cloud security, governance, and compliance concepts.Task Statement 2.3: Identify AWS access management capabilities.Task Statement 2.4: Identify components and resources for security.

Content Domain 2: Security and Compliance

Domain 2 covers Security and Compliance and represents 30% of the scored content on the exam.

Task Statement 2.1: Understand the AWS shared responsibility model.

Knowledge of:

  • AWS shared responsibility model

Skills in:

  • Recognizing the components of the AWS shared responsibility model

  • Describing the customer's responsibilities on AWS

  • Describing AWS responsibilities

  • Describing responsibilities that the customer and AWS share

  • Describing how AWS responsibilities and customer responsibilities can shift, depending on the service used (for example, Amazon RDS, AWS Lambda, Amazon EC2)

Task Statement 2.2: Understand AWS Cloud security, governance, and compliance concepts.

Knowledge of:

  • AWS compliance and governance concepts

  • Benefits of cloud security (for example, encryption)

  • Where to capture and locate logs that are associated with cloud security

Skills in:

  • Identifying where to find AWS compliance information (for example, AWS Artifact)

  • Understanding compliance needs among geographic locations or industries (for example, AWS compliance)

  • Describing how customers secure resources on AWS (for example, Amazon Inspector, AWS Security Hub, Amazon GuardDuty, AWS Shield)

  • Identifying encryption options (for example, encryption in transit, encryption at rest)

  • Recognizing services that aid in governance and compliance (for example, monitoring with Amazon CloudWatch; auditing with AWS CloudTrail, AWS Audit Manager, and AWS Config; reporting with access reports)

  • Recognizing compliance requirements that vary among AWS services

Task Statement 2.3: Identify AWS access management capabilities.

Knowledge of:

  • Identity and access management (for example, AWS Identity and Access Management [IAM])

  • Importance of protecting the AWS root user account

  • Principle of least privilege

  • AWS IAM Identity Center (AWS Single Sign-On)

Skills in:

  • Understanding access keys, password policies, and credential storage (for example, AWS Secrets Manager, AWS Systems Manager)

  • Identifying authentication methods in AWS (for example, multi-factor authentication [MFA], IAM Identity Center, cross-account IAM roles)

  • Defining groups, users, custom policies, and managed policies in compliance with the principle of least privilege

  • Identifying tasks that only the account root user can perform

  • Understanding which methods can achieve root user protection

  • Understanding the types of identity management (for example, federated)

Task Statement 2.4: Identify components and resources for security.

Knowledge of:

  • Security capabilities that AWS provides

  • Security-related documentation that AWS provides

Skills in:

  • Describing AWS security features and services (for example, AWS WAF, AWS Firewall Manager, AWS Shield, Amazon GuardDuty)

  • Understanding that third-party security products are available from AWS Marketplace

  • Identifying where AWS security information is available (for example, AWS Knowledge Center, AWS Security Center, AWS Security Blog)

  • Understanding the use of AWS services for identifying security issues (for example, AWS Trusted Advisor)