Content Domain 1: Design Secure Architectures - AWS Certification

Task 1.1: Design secure access to AWS resources

Knowledge of:

  • Access controls and management across multiple accounts

  • AWS federated access and identity services (for example, AWS Identity and Access Management [IAM], AWS IAM Identity Center [AWS Single Sign-On])

  • AWS global infrastructure (for example, Availability Zones, AWS Regions)

  • AWS security best practices (for example, the principle of least privilege)

  • The AWS shared responsibility model

Skills in:

  • Applying AWS security best practices to IAM users and root users (for example, multi-factor authentication [MFA])

  • Designing a flexible authorization model that includes IAM users, groups, roles, and policies

  • Designing a role-based access control strategy (for example, AWS Security Token Service [AWS STS], role switching, cross-account access)

  • Designing a security strategy for multiple AWS accounts (for example, AWS Control Tower, service control policies [SCPs])

  • Determining the appropriate use of resource policies for AWS services

  • Determining when to federate a directory service with IAM roles

Task 1.2: Design secure workloads and applications

Knowledge of:

  • Application configuration and credentials security

  • AWS service endpoints

  • Control ports, protocols, and network traffic on AWS

  • Secure application access

  • Security services with appropriate use cases (for example, AWS Cognito, AWS GuardDuty, AWS Macie)

  • Threat vectors external to AWS (for example, DDoS, SQL injection)

Skills in:

  • Designing VPC architectures with security components (for example, security groups, route tables, network ACLs, NAT gateways)

  • Determining network segmentation strategies (for example, using public subnets and private subnets)

  • Integrating AWS services to secure applications (for example, AWS Shield, AWS WAF, IAM Identity Center, AWS Secrets Manager)

  • Securing external network connections to and from the AWS Cloud (for example, VPN, AWS Direct Connect)

Task 1.3: Determine appropriate data security controls

Knowledge of:

  • Data access and governance

  • Data recovery

  • Data retention and classification

  • Encryption and appropriate key management

Skills in:

  • Aligning AWS technologies to meet compliance requirements

  • Encrypting data at rest (for example, AWS Key Management Service [AWS KMS])

  • Encrypting data in transit (for example, AWS Certificate Manager [ACM] using TLS)

  • Implementing access policies for encryption keys

  • Implementing data backups and replications

  • Implementing policies for data access, lifecycle, and protection

  • Rotating encryption keys and renewing certificates