Courses/CLF-C02/Domain 2: Security and Compliance
Practice questions →
AWSCLF-C02

Domain 2: Security and Compliance

Topic 2 of 4 · Study notes

AWS Certified Cloud Practitioner (CLF-C02) — Domain 2: Security and Compliance

Exam Code: CLF-C02  |  Level: Foundational
Domain Weight: 30%  |  Total Domains: 4  |  Passing Score: 700 / 1000

Table of Contents

  1. The Shared Responsibility Model
  2. AWS Identity and Access Management (IAM)
  3. AWS Organizations
  4. AWS Security Services
  5. Data Protection and Encryption
  6. Network Security
  7. Logging, Monitoring, and Auditing
  8. Compliance and Governance
  9. Exam Tips and Quick Reference

1. The Shared Responsibility Model

1.1 Core Division

The Shared Responsibility Model defines what AWS secures versus what the customer secures. It is the single most tested concept in this domain.

AWS is responsible for — "Security OF the Cloud"

AWS Manages Examples
Physical data center security Biometric access, 24/7 guards, cameras, perimeter controls
Hardware Servers, storage devices, networking equipment, racks
Virtualization layer Hypervisor, host operating system
Global network infrastructure Fiber, routers, switches connecting Regions and AZs
Managed service platform OS patching for RDS, Lambda runtime, ECS control plane

Customer is responsible for — "Security IN the Cloud"

Customer Manages Examples
Data Classification, encryption settings, backup
Identity and access management IAM users, roles, policies, MFA configuration
Operating system (on EC2) OS patching, hardening, vulnerability management
Application code Dependency vulnerabilities, secure coding practices
Network configuration Security Groups, NACLs, VPC routing
Client-side and server-side encryption Enabling encryption at rest and in transit

Exam Tip: The dividing line shifts based on the service. For EC2 (IaaS) the customer manages the OS. For RDS (managed service) AWS manages the OS and DB engine patches — the customer manages the schema, data, and DB user access.

1.2 Responsibility by Service Type

Service Type AWS Example AWS Manages Customer Manages
IaaS EC2 Hardware, hypervisor OS, apps, data, Security Groups, IAM
Managed Database RDS Hardware, OS, DB engine patches Schema, data, DB user accounts
Serverless Compute Lambda Hardware, OS, runtime Function code, IAM execution role, data
Container Platform ECS / Fargate Hardware, OS, container runtime Container image, task IAM role, networking
SaaS Amazon Chime Everything infrastructure User data, user access provisioning

2. AWS Identity and Access Management (IAM)

IAM controls authentication (who you are) and authorization (what you can do) in AWS. It is a global service with no additional cost. New IAM identities have zero permissions by default.

2.1 IAM Entities

Entity Purpose Key Characteristics
Root User Created at account signup; full unrestricted access Enable MFA immediately; delete access keys; use only for account-level tasks (close account, change support plan, restore IAM permissions)
IAM User Represents a person or application Has its own credentials (console password and/or access keys); no permissions by default; one real person should have one IAM user
IAM Group Collection of IAM users Cannot be nested; a user can belong to multiple groups; policies attached to the group apply to all members
IAM Role An identity that can be assumed by trusted entities No permanent credentials; provides temporary security credentials via AWS STS; assumed by AWS services, cross-account users, or federated identities

Key Concept: Use roles instead of access keys for applications running on AWS (EC2, Lambda). Roles provide automatically rotated temporary credentials and eliminate the risk of credentials being hardcoded in application code or configuration files.

2.2 IAM Policies

An IAM policy is a JSON document that defines permissions. It specifies the Effect (Allow or Deny), the Action (what AWS API operation), and the Resource (which AWS resource, identified by ARN).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}

2.3 Policy Types

Policy Type Who Creates It Where It Attaches Use Case
AWS Managed Policy AWS Users, groups, or roles Pre-built common permissions (e.g., AdministratorAccess, ReadOnlyAccess)
Customer Managed Policy Customer Users, groups, or roles Custom permissions tailored to your organization; reusable
Inline Policy Customer Embedded in a single user, group, or role One-off permissions; not reusable; deleted when the identity is deleted
Service Control Policy (SCP) Customer (via Organizations) OUs or member accounts Organization-wide guardrails restricting what accounts can do
Resource-Based Policy Customer Attached to a resource (S3, KMS, SQS) Grant access to specific principals including cross-account access

2.4 Policy Evaluation Logic

When a request is made, IAM evaluates policies in this order:

  1. Start with an implicit Deny (default)
  2. Evaluate all applicable policies for an explicit Deny — if found, the request is denied immediately
  3. Evaluate for an explicit Allow — if found, the request is allowed
  4. If neither explicit Allow nor Deny is found, the implicit Deny applies

Exam Tip: An explicit Deny always overrides any Allow, regardless of which policy contains the Allow. This rule applies across all policy types including SCPs, IAM policies, and resource-based policies.

2.5 Multi-Factor Authentication

MFA requires something you know (password) plus something you have (MFA device) to authenticate.

MFA Type Description Security Level
Virtual MFA Authenticator app on a smartphone (Google Authenticator, Authy); generates TOTP codes Standard
Hardware MFA Physical key fob device (Gemalto); generates TOTP codes Standard
U2F / FIDO2 Security Key USB or NFC hardware key (YubiKey); phishing-resistant High

Exam Tip: Enabling MFA on the root account is consistently cited as the first security action to take after creating a new AWS account.

2.6 Identity Federation and Amazon Cognito

Identity Federation allows users with existing external identities to access AWS resources without creating IAM users for each person.

Method Identity Provider Typical Use Case
SAML 2.0 Federation Corporate directory (Microsoft Active Directory, Okta) Enterprise employees accessing AWS Console or APIs
Web Identity Federation Public identity providers (Google, Facebook) Mobile and web app users
IAM Identity Center (AWS SSO) AWS-managed or external IdP Centralized SSO access to multiple AWS accounts

Amazon Cognito provides identity management for web and mobile applications:

  • User Pools — Authentication: handles sign-up, sign-in, and user profile management
  • Identity Pools — Authorization: grants authenticated users temporary AWS credentials to access AWS services directly

2.7 IAM Security Best Practices

Practice Rationale
Lock root account; enable MFA on root Root compromise gives unrestricted access to the entire account
Enable MFA for all privileged IAM users Passwords alone are insufficient for high-privilege accounts
Never use root account for daily tasks Create individual IAM users or use roles instead
Use roles for AWS services, never access keys in code Credentials in code can be exposed through version control, logs, or debugging tools
Grant least privilege Minimize the blast radius if any credential or identity is compromised
Assign policies to groups, not individual users Easier to audit, manage, and scale as teams grow
Rotate access keys regularly Limits the time window during which a compromised key can be exploited
Use IAM Access Analyzer Identifies resources shared with external entities; flags unintended access

3. AWS Organizations

AWS Organizations allows central management of multiple AWS accounts from a single management account. It enables consolidated billing, policy enforcement, and automated account creation at scale.

3.1 Structure and Components

Root
└── Management Account (Payer Account)
    ├── OU: Production
    │   ├── Member Account: prod-app
    │   └── Member Account: prod-data
    ├── OU: Development
    │   └── Member Account: dev-team
    └── OU: Security
        └── Member Account: security-logs
Component Description
Root Top-level container; all accounts and OUs reside under root
Management Account Creates and manages the organization; receives the consolidated bill; not affected by SCPs
Member Accounts Individual AWS accounts joined to the organization
Organizational Units (OUs) Containers for grouping accounts by function, environment, or team

3.2 Service Control Policies

SCPs are permission guardrails applied to OUs or member accounts. They define the maximum permissions that any IAM identity within those accounts can have.

  • SCPs do not grant permissions — they only restrict
  • SCPs affect all principals in the account, including the account root user
  • The management account is not subject to SCPs
  • Effective permissions = intersection of SCP allowances and IAM policy allowances

Common SCP use cases:

Use Case Example SCP Effect
Enforce Region restrictions Deny all API calls outside approved Regions
Prevent disabling security services Deny cloudtrail:StopLogging, guardduty:DeleteDetector
Require encryption Deny creation of unencrypted S3 buckets or EBS volumes
Restrict instance types Deny launch of GPU or expensive instance families in dev accounts

Exam Tip: If a question asks what can restrict what the root user of a member account can do, the answer is Service Control Policies (SCPs). IAM policies cannot restrict the root user within an account, but SCPs can.

3.3 Consolidated Billing

All member accounts in an organization are billed to a single consolidated bill sent to the management account.

Benefit How It Works
Volume discounts Usage from all accounts is combined; higher aggregate usage reaches lower-price tiers (e.g., S3 tiered pricing, data transfer)
RI and Savings Plans sharing Unused Reserved Instance or Savings Plans capacity in one account automatically benefits other accounts in the organization
Simplified billing One bill, one payment method; easier for finance teams

4. AWS Security Services

4.1 Threat Detection and Investigation

Service Category What It Does Data Sources
Amazon GuardDuty Threat Detection Continuously monitors for malicious activity and unauthorized behavior using ML and threat intelligence. No agents required. CloudTrail, VPC Flow Logs, DNS logs
Amazon Detective Investigation Analyzes and visualizes the root cause of security findings; answers who, what, when, and blast radius questions. CloudTrail, VPC Flow Logs, GuardDuty findings

Key Concept: GuardDuty detects active threats. Detective investigates findings after detection. They are complementary services used together.

4.2 Vulnerability and Compliance Assessment

Service What It Scans What It Finds
Amazon Inspector EC2 instances, ECR container images, Lambda functions Known software vulnerabilities (CVEs), unintended network exposure, software version issues
AWS Trusted Advisor Your entire AWS account configuration Cost waste, security misconfigurations, performance issues, service limit risks

Key Concept: Inspector finds vulnerabilities in your workloads before they are exploited. GuardDuty detects active threats and attacks in progress. These are the two most commonly confused services on the exam.

4.3 Perimeter Protection

AWS WAF (Web Application Firewall)

Protects web applications from common exploits by filtering HTTP/HTTPS traffic based on rules defined in Web ACLs.

Protects Against Integration Points
SQL injection Amazon CloudFront
Cross-site scripting (XSS) Application Load Balancer
OWASP Top 10 vulnerabilities Amazon API Gateway
Bot traffic and scrapers AWS AppSync
Geographic-based blocking

AWS Shield — DDoS Protection

Feature Shield Standard Shield Advanced
Cost Free $3,000 / month
Availability Automatic for all AWS customers Opt-in
DDoS Protection Layer Layer 3 and 4 (network and transport) Layer 3, 4, and 7 (application)
Attack visibility No Real-time metrics and reports
DDoS Response Team (DRT) No 24/7 access
Cost protection No Credits for scaling costs during attacks
AWS WAF included No Yes

Exam Tip: Shield Standard protects against SYN floods, UDP floods, and DNS amplification. Shield Advanced adds application-layer protection (HTTP floods), requires WAF integration, and provides access to the AWS DDoS Response Team.

4.4 Security Aggregation and Automation

AWS Security Hub

Aggregates, normalizes, and prioritizes security findings from multiple AWS services and third-party tools into a single dashboard. Runs automated checks against security standards including CIS AWS Foundations Benchmark.

Sources Security Hub aggregates:

  • Amazon GuardDuty
  • Amazon Inspector
  • Amazon Macie
  • AWS IAM Access Analyzer
  • AWS Firewall Manager
  • Third-party tools from AWS Marketplace

Amazon Macie

Uses machine learning to automatically discover, classify, and report on sensitive data stored in Amazon S3 buckets — including PII, financial data, and credentials. Generates findings when sensitive data is found or when bucket permissions become overly permissive.

5. Data Protection and Encryption

5.1 Encryption Fundamentals

Type Description Protection Against
Encryption at Rest Data is encrypted when stored on disk or in a database Unauthorized physical access to storage media
Encryption in Transit Data is encrypted while moving between systems using TLS/SSL Man-in-the-middle attacks, network eavesdropping

AWS services support both types. S3, EBS, RDS, DynamoDB, and most other storage and database services support encryption at rest. All AWS service APIs use HTTPS (TLS) by default for encryption in transit.

5.2 AWS Key Management Service (KMS)

KMS is a managed service for creating and controlling cryptographic keys used to encrypt and decrypt data across AWS services.

KMS Key Types:

Key Type Who Manages It Cost Use Case
AWS Owned Keys AWS; used internally for some services Free Transparent encryption with no customer interaction required
AWS Managed Keys AWS creates and manages automatically Free Default encryption for services like S3, EBS, RDS
Customer Managed Keys Customer creates, manages, and defines key policies $1 / month per key + API call fees Fine-grained control, custom rotation policies, cross-account access

Key features:

  • All key usage is logged in AWS CloudTrail for audit purposes
  • Keys never leave KMS in unencrypted form
  • Automatic annual rotation is available for Customer Managed Keys
  • Envelope Encryption: For large data, KMS generates a Data Encryption Key (DEK); data is encrypted with the DEK; the DEK itself is encrypted with the KMS key and stored alongside the data

5.3 AWS CloudHSM

A dedicated Hardware Security Module in the AWS Cloud, providing FIPS 140-2 Level 3 validated cryptographic operations.

Feature AWS KMS AWS CloudHSM
Hardware Shared, AWS-managed Dedicated to single customer
FIPS Validation Level 2 Level 3
Key control AWS has access to key material Customer has exclusive control; AWS cannot access keys
Cost Per key + per API call Approximately $1.60 per HSM per hour
Typical use case General encryption needs Banking, financial regulatory requirements, BYOK (Bring Your Own Key)

5.4 AWS Certificate Manager

ACM provisions, manages, and deploys SSL/TLS certificates for use with AWS services. Public certificates for use with AWS services (CloudFront, ELB, API Gateway) are free. ACM handles automatic certificate renewal, eliminating manual expiration management.

5.5 AWS Secrets Manager

A service for storing, managing, and automatically rotating secrets such as database credentials, API keys, and OAuth tokens.

Feature AWS Secrets Manager AWS Systems Manager Parameter Store
Built-in auto-rotation Yes — configurable schedule No — requires custom Lambda
Cost $0.40 per secret per month Free tier for standard parameters; $0.05 per advanced parameter per month
Primary purpose Secrets (credentials, API keys) Configuration data and some secrets
Encryption KMS (required) KMS (optional for SecureString)

6. Network Security

6.1 Security Groups

A Security Group acts as a virtual firewall for EC2 instances (and other resources) at the network interface level, controlling inbound and outbound traffic.

Characteristics:

  • Stateful — if an inbound request is allowed, the response traffic is automatically allowed regardless of outbound rules
  • Rules are allow-only — you cannot explicitly deny; traffic not matching an allow rule is implicitly denied
  • Applied at the instance level (network interface)
  • Multiple Security Groups can be attached to a single instance
  • Security Groups can reference other Security Groups by ID as rule sources

Example inbound rules:

Protocol Port Source Purpose
TCP 443 0.0.0.0/0 Allow HTTPS from anywhere
TCP 80 0.0.0.0/0 Allow HTTP from anywhere
TCP 22 203.0.113.5/32 Allow SSH from a specific IP only
TCP 5432 sg-0abc123 Allow PostgreSQL from application Security Group

6.2 Network Access Control Lists (NACLs)

A NACL is an optional, stateless firewall applied at the subnet level within a VPC.

Characteristics:

  • Stateless — you must explicitly allow both inbound traffic and the corresponding outbound return traffic
  • Can have both Allow and Deny rules (unlike Security Groups)
  • Rules are evaluated in ascending numeric order; the first matching rule is applied
  • The default NACL allows all inbound and outbound traffic
  • Custom NACLs deny all traffic by default until rules are added

6.3 Security Groups vs NACLs

Feature Security Group NACL
Applied at Instance / network interface level Subnet level
State Stateful Stateless
Rule types Allow only Allow and Deny
Rule evaluation All rules evaluated together Rules evaluated in number order; first match wins
Default behavior Deny all inbound; allow all outbound Allow all inbound and outbound (default NACL)
Scope Applies to specific instances Applies to all resources in the subnet

Exam Tip: Security Groups are the first line of defense at the instance level. NACLs provide a second layer of defense at the subnet level. In most architectures, Security Groups are sufficient — NACLs are added for broad subnet-level blocking requirements such as blocking a range of IP addresses.

6.4 AWS VPN and Direct Connect

Feature AWS Site-to-Site VPN AWS Direct Connect
Connection path Over the public internet (encrypted) Dedicated private network connection
Encryption Yes — IPSec encrypted tunnel No — private but not encrypted by default
Bandwidth Up to ~1.25 Gbps 1 Gbps to 100 Gbps
Latency Variable — depends on internet conditions Consistent, predictable low latency
Setup time Minutes Weeks to months
Cost Lower Higher (dedicated circuit + port fees)
Use case Quick hybrid connectivity; cost-sensitive High-bandwidth or latency-sensitive workloads; large data transfer

7. Logging, Monitoring, and Auditing

7.1 AWS CloudTrail

CloudTrail records API calls and account activity across your AWS account. It answers: who made an API call, from where, at what time, and on which resource.

What CloudTrail logs:

Event Type Description Default
Management Events Control-plane operations: CreateBucket, RunInstances, DeleteVpc Enabled — 90-day history in console
Data Events Data-plane operations: S3 GetObject/PutObject, Lambda invocations Disabled by default; must be explicitly enabled
Insight Events Unusual API activity patterns detected by ML Disabled by default; optional

Key facts:

  • CloudTrail logs are stored in Amazon S3 for long-term retention
  • Logs can be sent to CloudWatch Logs for alerting on specific API activity
  • A single multi-region trail captures activity from all Regions in one configuration
  • CloudTrail cannot be disabled if properly configured with S3 Object Lock

7.2 Amazon CloudWatch

CloudWatch is the AWS monitoring and observability service. It collects metrics, logs, and events from AWS resources and applications to give you operational visibility.

Core capabilities:

Capability Description
Metrics Time-series data points from AWS services (CPU utilization, network I/O, DB connections) and custom application metrics
Alarms Monitor a metric and trigger an action when it crosses a threshold (SNS notification, Auto Scaling action, EC2 stop/start)
Logs Collect, store, and search log data from EC2, Lambda, CloudTrail, VPC Flow Logs, and custom applications
Dashboards Custom visualizations combining metrics and alarms from multiple services and Regions
Logs Insights Interactive SQL-like query language for analyzing log data at scale
Synthetics Configurable scripts (canaries) that monitor endpoints and APIs on a schedule

CloudWatch Alarm states:

  • OK — metric is within the defined threshold
  • ALARM — metric has breached the threshold
  • INSUFFICIENT_DATA — not enough data points to evaluate the metric

7.3 AWS Config

AWS Config records the configuration state of your AWS resources over time and evaluates them against desired configurations using Config Rules.

What Config does:

  • Records configuration changes to supported resources (EC2, S3, RDS, Security Groups, IAM, etc.)
  • Answers: "What did this resource look like at a specific point in time?" and "Has it changed?"
  • Evaluates resources against Config Rules and marks them as Compliant or Non-compliant
  • Can trigger remediation automatically via AWS Systems Manager Automation

Config Rule sources:

  • AWS Managed Rules — pre-built rules for common compliance checks (e.g., s3-bucket-public-read-prohibited, root-account-mfa-enabled, encrypted-volumes)
  • Custom Rules — written in Lambda, evaluated against your specific requirements

7.4 Service Comparison

AWS CloudTrail Amazon CloudWatch AWS Config
Primary question answered Who did what and when? How is my system performing? What does my resource look like, and has it changed?
Data captured API call records (who, what, when, where) Metrics, logs, and events from resources Resource configuration snapshots and change history
Primary use Security auditing and compliance Performance monitoring, alerting, and troubleshooting Configuration compliance and drift detection
Enabled by default Yes (management events, 90 days) Yes (AWS service metrics) No — must be enabled per Region

8. Compliance and Governance

8.1 AWS Compliance Programs

AWS maintains certifications and attestations for its global infrastructure. Customers inherit many of these controls for their portion of the shared responsibility.

Standard / Regulation Scope
SOC 1, 2, 3 Service Organization Controls for financial reporting, security, availability, and confidentiality
ISO 27001 Information security management system standard
PCI DSS Payment Card Industry Data Security Standard for processing credit card data
HIPAA Health Insurance Portability and Accountability Act for protected health information
FedRAMP Federal Risk and Authorization Management Program for US government cloud services
GDPR General Data Protection Regulation for personal data of EU individuals

Key Concept: AWS maintains compliance certifications for its infrastructure. Customers are responsible for the compliance of their applications and data. The Shared Responsibility Model applies to compliance exactly as it applies to security.

8.2 AWS Artifact

AWS Artifact is a self-service portal providing on-demand access to AWS compliance reports and agreements.

Available through Artifact:

  • Audit reports: SOC 1, SOC 2, SOC 3, ISO certifications, PCI DSS Attestation of Compliance
  • AWS Agreements: Business Associate Agreement (BAA) for HIPAA; GDPR Data Processing Addendum

Key facts:

  • Free to access
  • Reports can be downloaded and shared with auditors and regulators
  • No need to contact AWS directly — all available on-demand

Exam Tip: If a question asks "how can a customer download AWS compliance reports and certifications", the answer is AWS Artifact.

8.3 AWS Control Tower

Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment based on AWS best practices.

What Control Tower provides:

Feature Description
Landing Zone A baseline multi-account environment set up according to best practices
Guardrails Preventive (SCPs) and detective (Config Rules) controls applied across accounts
Account Factory Standardized, automated provisioning of new AWS accounts
Dashboard Centralized visibility into compliance status across all accounts
  • Preventive guardrails — SCPs that block non-compliant actions (e.g., prevent disabling CloudTrail)
  • Detective guardrails — Config Rules that detect non-compliance (e.g., detect whether MFA is enabled on root)

8.4 AWS Audit Manager

Audit Manager helps continuously audit AWS usage to simplify risk assessment and compliance with regulations and industry standards.

  • Provides pre-built frameworks: PCI DSS, HIPAA, SOC 2, GDPR, CIS Benchmarks
  • Automatically collects and organizes evidence from AWS services
  • Generates audit-ready reports mapped to specific compliance requirements

9. Exam Tips and Quick Reference

Security Service Differentiation

Service One-Line Summary Key Distinguisher
GuardDuty Active threat detection Monitors CloudTrail, VPC Flow Logs, DNS; uses ML; no agents
Inspector Vulnerability scanning Scans EC2 and containers for CVEs and network exposure
Macie Sensitive data discovery in S3 ML-based PII and credential detection in S3 buckets
Security Hub Centralized findings dashboard Aggregates from GuardDuty, Inspector, Macie, and more
Detective Root cause investigation Analyzes why and how after GuardDuty raises a finding
WAF HTTP/HTTPS traffic filtering Blocks SQL injection, XSS; attaches to CloudFront, ALB, API Gateway
Shield Standard Free DDoS protection Layer 3/4; automatic for all customers
Shield Advanced Enhanced DDoS protection Layer 3/4/7; $3,000/month; includes DRT access
Trusted Advisor Account-wide best practice checks Covers cost, performance, security, fault tolerance, and service limits

Scenario-to-Answer Mapping

Scenario Keyword or Requirement Correct Answer
"Who deleted an S3 bucket and when?" AWS CloudTrail
"Alert when CPU exceeds 80% for 5 minutes" Amazon CloudWatch Alarm
"Detect if S3 bucket became publicly accessible" AWS Config Rule
"Find active malware communication from an EC2 instance" Amazon GuardDuty
"Scan EC2 instances for unpatched software vulnerabilities" Amazon Inspector
"Find credit card numbers stored in S3" Amazon Macie
"Download AWS SOC 2 audit report" AWS Artifact
"Set up a secure multi-account environment with guardrails" AWS Control Tower
"Prevent member accounts from creating resources outside us-east-1" Service Control Policy (SCP)
"Allow EC2 instance to access S3 without hardcoded credentials" IAM Role attached to EC2
"First action to take after creating a new AWS account" Enable MFA on the root user

Common Exam Traps

  • CloudTrail vs CloudWatch: CloudTrail = API activity audit (who did what). CloudWatch = performance monitoring (how is it performing). They are frequently confused.
  • Config vs CloudTrail: Config shows what a resource looks like now and historically. CloudTrail shows which API call changed it and who made the call.
  • SCPs grant permissions: False — SCPs only restrict; they cannot grant permissions. The management account is not affected by SCPs.
  • GuardDuty vs Inspector: GuardDuty = active threats happening now. Inspector = potential vulnerabilities that could be exploited.

Key Terms — Domain 2

Term Definition
Shared Responsibility Model Framework defining what AWS secures (infrastructure) versus what the customer secures (data and configuration)
IAM AWS service for managing authentication and authorization
Least Privilege Security principle: grant only the minimum permissions required to perform a task
MFA Multi-Factor Authentication: adds a second factor beyond username and password
SCP Service Control Policy: an Organizations feature that restricts what member accounts can do
Encryption at Rest Data encrypted when stored on disk or in a database
Encryption in Transit Data encrypted while moving between systems (TLS/SSL)
KMS AWS Key Management Service: managed service for creating and controlling encryption keys
CloudHSM Dedicated Hardware Security Module with FIPS 140-2 Level 3 validation
CloudTrail AWS service that records API calls and account activity for auditing
AWS Config Service that records resource configuration changes and evaluates compliance
AWS Artifact Self-service portal for downloading AWS compliance reports and agreements

End of Domain 2. Continue to Domain 3: Cloud Technology and Services →

Previous

Domain 1: Cloud Concepts

Next

Domain 3: Cloud Technology and Services

Ready to test yourself?

Practice questions for this topic

Start Practicing →

CLF-C02 Topics

Topic 2 of 4