Content Domain 4: Data Security and Governance
Tasks
Task 4.1: Apply authentication mechanisms
Skill 4.1.1: Update VPC security groups.
Skill 4.1.2: Create and update AWS Identity and Access Management (IAM) groups, roles, endpoints, and services.
Skill 4.1.3: Create and rotate credentials for password management (for example, AWS Secrets Manager).
Skill 4.1.4: Set up IAM roles for access (for example, AWS Lambda, Amazon API Gateway, AWS CLI, AWS CloudFormation).
Skill 4.1.5: Apply IAM policies to roles, endpoints, and services (for example, S3 Access Points, AWS PrivateLink).
Skill 4.1.6: Describe the differences between managed services and unmanaged services.
Skill 4.1.7: Use domain, domain units, and projects for SageMaker Unified Studio.
Task 4.2: Apply authorization mechanisms
Skill 4.2.1: Create custom IAM policies when a managed policy does not meet the needs.
Skill 4.2.2: Store application and database credentials (for example, Secrets Manager, AWS Systems Manager Parameter Store).
Skill 4.2.3: Provide database users, groups, and roles access and authority in a database (for example, for Amazon Redshift).
Skill 4.2.4: Manage permissions through AWS Lake Formation (for Amazon Redshift, Amazon EMR, Amazon Athena, and Amazon S3).
Skill 4.2.5: Apply authorization methods that address business needs (role-based, tag-based, and attribute-based).
Skill 4.2.6: Construct custom policies that meet the principle of least privilege.
Task 4.3: Ensure data encryption and masking
Skill 4.3.1: Apply data masking and anonymization according to compliance laws or company policies.
Skill 4.3.2: Use encryption keys to encrypt or decrypt data (for example, AWS Key Management Service [AWS KMS]).
Skill 4.3.3: Configure encryption across AWS account boundaries.
Skill 4.3.4: Enable encryption in transit or before transit for data.
Task 4.4: Prepare logs for audit
Skill 4.4.1: Use AWS CloudTrail to track API calls.
Skill 4.4.2: Use Amazon CloudWatch Logs to store application logs.
Skill 4.4.3: Use AWS CloudTrail Lake for centralized logging queries.
Skill 4.4.4: Analyze logs by using AWS services (for example, Athena, CloudWatch Logs Insights, Amazon OpenSearch Service).
Skill 4.4.5: Integrate various AWS services to perform logging (for example, Amazon EMR in cases of large volumes of log data).
Task 4.5: Understand data privacy and governance
Skill 4.5.1: Grant permissions for data sharing (for example, data sharing for Amazon Redshift).
Skill 4.5.2: Implement PII identification (for example, Amazon Macie with Lake Formation).
Skill 4.5.3: Implement data privacy strategies to prevent backups or replications of data to disallowed AWS Regions.
Skill 4.5.4: View configuration changes that have occurred in an account (for example, AWS Config).
Skill 4.5.5: Maintain data sovereignty.
Skill 4.5.6: Manage data access through Amazon SageMaker Catalog projects.
Skill 4.5.7: Describe data governance frameworks and data sharing patterns.