Content Domain 4: Network Security, Compliance, and Governance - AWS Certification

Content Domain 4: Network Security, Compliance, and Governance

Task 4.1: Implement and maintain network features to meet security and compliance needs and requirements

Knowledge of:

  • Different threat models based on application architecture

  • Common security threats

  • Mechanisms to secure different application flows

  • AWS network architecture that meets security and compliance requirements

Skills in:

  • Securing inbound traffic flows into AWS (for example, AWS WAF, AWS Shield, Network Firewall)

  • Securing outbound traffic flows from AWS (for example, Network Firewall, proxies, Gateway Load Balancers)

  • Securing inter-VPC traffic within an account or across multiple accounts (for example, security groups, network ACLs, VPC endpoint policies)

  • Implementing an AWS network architecture to meet security and compliance requirements (for example, untrusted network, perimeter VPC, three-tier architecture)

  • Developing a threat model and identifying appropriate mitigation strategies for a given network architecture

  • Testing compliance with the initial requirements (for example, failover test, resiliency)

  • Automating security incident reporting and alerting using AWS

Task 4.2: Validate and audit security by using network monitoring and logging services

Knowledge of:

  • Network monitoring and logging services that are available in AWS (for example, CloudWatch, AWS CloudTrail, VPC Traffic Mirroring, VPC Flow Logs, Transit Gateway Network Manager)

  • Alert mechanisms (for example, CloudWatch alarms)

  • Log creation in different AWS services (for example, VPC flow logs, load balancer access logs, CloudFront access logs)

  • Log delivery mechanisms (for example, Amazon Kinesis, Route 53, CloudWatch)

  • Mechanisms to audit network security configurations (for example, security groups, AWS Firewall Manager, AWS Trusted Advisor)
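The audit mechanisms listed above (security groups, Firewall Manager, Trusted Advisor) all boil down to the same check: which ingress rules grant access from the whole internet, and on which ports. The following is an added example, not code from the exam guide or from AWS; it runs a security-group audit over a constructed `SecurityGroups` list shaped like the output of the EC2 `DescribeSecurityGroups` API (boto3 `ec2.describe_security_groups()`), so the same `audit()` can be pointed at live data. The allow-list of public ports and the set of sensitive ports are assumptions for illustration, not AWS defaults.

```python
"""Audit EC2 security-group ingress rules for internet-wide exposure.

Added example, not the exam guide's code. SECURITY_GROUPS is constructed to
mimic the 'SecurityGroups' element returned by DescribeSecurityGroups
(boto3: ec2.describe_security_groups()['SecurityGroups']). The port policy
below is a hypothetical organisational policy, not an AWS default.
"""
import ipaddress

# 0.0.0.0/0 and ::/0 are the only ranges treated as "the internet" here,
# the same criterion Trusted Advisor's unrestricted-access checks use.
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}          # hypothetical policy: only web ports may be public
SENSITIVE = {22, 3389, 3306, 5432, 1433, 6379}   # admin and database ports

# Constructed sample data; group and account IDs are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa00001", "GroupName": "web-alb", "OwnerId": "111111111111",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0aaa00002", "GroupName": "bastion", "OwnerId": "111111111111",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0aaa00003", "GroupName": "db", "OwnerId": "111111111111",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa00004", "UserId": "111111111111"},
                               {"GroupId": "sg-0bbb00009", "UserId": "222222222222"}]}]},
    {"GroupId": "sg-0aaa00004", "GroupName": "app", "OwnerId": "111111111111",
     "IpPermissions": [
         {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0aaa00005", "GroupName": "legacy", "OwnerId": "111111111111",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def cidrs(rule):
    """Yield every CIDR (IPv4 and IPv6) a rule grants access from."""
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"], strict=False)
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"], strict=False)


def classify(rule):
    """(severity, reason) for a world-open rule, or None if the policy allows it."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        return "HIGH", "all protocols and ports open to 0.0.0.0/0 or ::/0"
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    if lo == hi and (proto, lo) in PUBLIC_OK:
        return None
    if any(lo <= p <= hi for p in SENSITIVE):
        return "HIGH", f"{proto} {lo}-{hi} exposes an admin/database port to the internet"
    return "MEDIUM", f"{proto} {lo}-{hi} open to the internet but not on the public allow-list"


def audit(groups):
    """Return (group_id, severity, reason) findings for every ingress rule that breaks policy."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if any(net in WORLD for net in cidrs(rule)):
                hit = classify(rule)
                if hit:
                    findings.append((sg["GroupId"], hit[0], hit[1]))
            # Group references from another account are legal but worth a second look.
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("UserId") and pair["UserId"] != sg["OwnerId"]:
                    findings.append((sg["GroupId"], "LOW",
                                     f"ingress from {pair['GroupId']} in account {pair['UserId']}; confirm it is intended"))
    return findings


if __name__ == "__main__":
    for gid, sev, why in audit(SECURITY_GROUPS):
        print(f"{sev:6} {gid}: {why}")
```

Only the bastion, legacy, app and db groups produce findings; the web group is clean because its world-open rules are exactly the two allow-listed ports. Note that an ICMP rule carries type and code in `FromPort`/`ToPort`, so the port comparison does not apply to it and such a rule is reported as MEDIUM for a human to review.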

Skills in:

  • Creating and analyzing a VPC flow log (including base and extended fields of flow logs)

  • Creating and analyzing network traffic mirroring (for example, using VPC Traffic Mirroring)

  • Implementing automated alarms by using CloudWatch

  • Implementing customized metrics by using CloudWatch

  • Correlating and analyzing information across single or multiple AWS log sources

  • Implementing log delivery solutions

  • Implementing a network audit strategy across single or multiple AWS network services and accounts (for example, Firewall Manager, security groups, network ACLs)
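Creating and analyzing a flow log "including base and extended fields" means being able to parse both the default (version 2) record layout and a custom `--log-format` that adds version 3 and 5 fields such as `pkt-srcaddr`, `flow-direction` and `traffic-path`, and then draw a security conclusion from the records. The code below is an added example, not part of the exam guide or of any AWS tool: a parser driven by the same `${field}` format string AWS accepts when the flow log is created, followed by two analyses that a practitioner would actually run, a rejected-inbound port-scan heuristic and a NAT-path check that only the extended fields make possible. All log lines, ENI, VPC and instance IDs, and the 10.0.0.0/16 VPC CIDR are constructed; real records come from the CloudWatch Logs or S3 destination of the flow log.

```python
"""Parse and analyze VPC flow log records in the default and a custom format.

Added example, not the exam guide's code. Log lines below are constructed
(10.0.0.0/16 VPC, TEST-NET addresses for the outside world) in the shapes
the two format strings produce.
"""
import ipaddress
from collections import defaultdict

# Default format: the version 2 base fields, in the order AWS emits them.
DEFAULT_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
                  "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
                  "${action} ${log-status}")
# Custom format adding extended fields (version 3 and 5 fields), as passed to --log-format.
EXTENDED_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} "
                   "${protocol} ${action} ${log-status} ${vpc-id} ${instance-id} ${tcp-flags} "
                   "${pkt-srcaddr} ${pkt-dstaddr} ${flow-direction} ${traffic-path}")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "tcp-flags", "traffic-path"}
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumption: the VPC being monitored

# Constructed sample records. The NODATA record is the shape AWS writes when
# an interface saw no traffic in the aggregation window.
BASE_LINES = """\
2 111111111111 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 44123 22 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 44124 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 44125 3306 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.20 51000 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 203.0.113.9 443 51000 6 10 9200 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
2 111111111111 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.20 51001 8080 6 1 40 1700000000 1700000060 REJECT OK
""".splitlines()
# Instance ENI egress via the NAT gateway, the NAT gateway ENI forwarding the same
# packet (srcaddr is the NAT's private IP, pkt-srcaddr the instance), and an inbound reject.
EXTENDED_LINES = """\
5 eni-0b2c3d4e5f6a7b8c9 10.0.2.15 198.51.100.44 51234 443 6 ACCEPT OK vpc-0f1e2d3c4b5a69788 i-0123456789abcdef0 2 10.0.2.15 198.51.100.44 egress 1
5 eni-0d4e5f6a7b8c9d0e1 10.0.0.200 198.51.100.44 12000 443 6 ACCEPT OK vpc-0f1e2d3c4b5a69788 - 2 10.0.2.15 198.51.100.44 egress 8
5 eni-0b2c3d4e5f6a7b8c9 192.0.2.66 10.0.2.15 40000 22 6 REJECT OK vpc-0f1e2d3c4b5a69788 i-0123456789abcdef0 2 192.0.2.66 10.0.2.15 ingress -
""".splitlines()


def fields_of(fmt):
    """'${a} ${b}' -> ['a', 'b']."""
    return [tok[2:-1] for tok in fmt.split()]


def parse(lines, fmt):
    """Yield one dict per record. '-' (field not applicable) becomes None; records
    whose log-status is NODATA or SKIPDATA carry no traffic and are dropped."""
    names = fields_of(fmt)
    for line in lines:
        vals = line.split()
        if len(vals) != len(names):
            raise ValueError(f"record has {len(vals)} fields, format has {len(names)}")
        rec = {n: (None if v == "-" else int(v) if n in INT_FIELDS else v)
               for n, v in zip(names, vals)}
        if rec.get("log-status") == "OK":
            yield rec


def rejected_inbound(records):
    """Map external source address -> set of destination ports it was REJECTed on.
    With base fields only, 'inbound' is inferred from the VPC CIDR; when the
    extended flow-direction field is present it is authoritative."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] != "REJECT":
            continue
        if r.get("flow-direction"):
            inbound = r["flow-direction"] == "ingress"
        else:
            inbound = (ipaddress.ip_address(r["dstaddr"]) in VPC_CIDR
                       and ipaddress.ip_address(r["srcaddr"]) not in VPC_CIDR)
        if inbound:
            ports[r["srcaddr"]].add(r["dstport"])
    return ports


def scanners(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports: a simple port-scan heuristic."""
    return sorted(src for src, p in rejected_inbound(records).items() if len(p) >= min_ports)


def nat_flows(records):
    """Extended fields only: records where the packet source differs from the ENI
    source, i.e. the flow was translated by a NAT gateway or similar intermediate."""
    return [r for r in records if r.get("pkt-srcaddr") and r["pkt-srcaddr"] != r["srcaddr"]]


if __name__ == "__main__":
    base = list(parse(BASE_LINES, DEFAULT_FORMAT))
    print("suspected scanners:", scanners(base))
    ext = list(parse(EXTENDED_LINES, EXTENDED_FORMAT))
    for r in nat_flows(ext):
        print(f"{r['interface-id']}: {r['pkt-srcaddr']} translated to {r['srcaddr']} (traffic-path {r['traffic-path']})")
```

Two points this shows that the field list alone does not: with base fields the direction of a flow has to be inferred from addressing, which breaks for peered or on-premises ranges, whereas the version 5 `flow-direction` field removes the guesswork; and only `pkt-srcaddr`/`pkt-dstaddr` let you tie a record on the NAT gateway's interface back to the instance that originated it. Whatever the format, the parser has to tolerate `-` values and `NODATA`/`SKIPDATA` records before any detection logic runs.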

Task 4.3: Implement and maintain confidentiality of data and communications of the network

Knowledge of:

  • Network encryption options that are available on AWS

  • VPN connectivity over Direct Connect

  • Encryption methods for data in transit (for example, IPsec)

  • Network encryption under the AWS shared responsibility model

  • Security methods for DNS communications (for example, DNSSEC)

Skills in:

  • Implementing network encryption methods to meet application compliance requirements (for example, IPsec, TLS)

  • Implementing encryption solutions to secure data in transit (for example, CloudFront, Application Load Balancers and Network Load Balancers, VPN over Direct Connect, AWS managed databases, Amazon S3, custom solutions on Amazon EC2, Transit Gateway)

  • Implementing a certificate management solution by using a certificate authority (for example, ACM, AWS Private Certificate Authority [ACM PCA])

  • Implementing secure DNS communications