AWS Certified Cloud Practitioner (CLF-C02) Domain 2
Security and Compliance
Official Exam Guide: Domain 2: Security and Compliance
Skill Builder: AWS Cloud Practitioner Foundational (CLF-C02) Exam Prep
Note: Some Skill Builder labs require a subscription.
How to Study This Domain Effectively
Study Tips
- Understand the Shared Responsibility Model thoroughly - This is the most important concept in Domain 2. Create a visual diagram showing what AWS manages (security OF the cloud) vs what you manage (security IN the cloud). Exam questions frequently present scenarios and ask you to identify who is responsible for a specific security task.
- Learn IAM inside and out - IAM is tested heavily across all domains. Understand users, groups, roles, and policies. Practice creating IAM policies and understand the principle of least privilege. Many exam questions present scenarios about granting permissions and ask you to identify the correct IAM approach.
- Memorize compliance programs - Know major compliance programs (HIPAA, PCI DSS, SOC, GDPR, FedRAMP) and what they mean for AWS customers. Create flashcards linking compliance programs to industries (healthcare → HIPAA, payment cards → PCI DSS). Exam questions ask you to identify which compliance program applies to specific business scenarios.
- Understand encryption concepts - Know the difference between encryption at rest and encryption in transit. Understand AWS Key Management Service (KMS) and when to use it. Exam questions test your ability to identify appropriate encryption solutions for different data protection scenarios.
- Study security services by use case - Group security services by what they protect: network (Security Groups, NACLs, WAF), data (KMS, CloudHSM), identity (IAM, Cognito), monitoring (CloudTrail, GuardDuty, Inspector). This organization helps you quickly identify the right service for exam scenarios.
Recommended Approach
- Master the Shared Responsibility Model first - Everything in Domain 2 builds on this foundation. Understand it thoroughly before moving to other topics. This model appears in questions across all domains, not just security.
- Deep dive into IAM - Study IAM users, groups, roles, and policies in detail. Understand best practices like MFA, password policies, and least privilege. Practice in the AWS Console to see how IAM works hands-on.
- Learn network security - Study Security Groups and Network ACLs, understanding their differences (stateful vs stateless, allow-only vs allow and deny rules, rule evaluation order). Learn AWS WAF for protecting web applications and AWS Shield for DDoS protection.
- Study data protection - Understand encryption at rest and in transit. Learn KMS, CloudHSM, AWS Certificate Manager, and Secrets Manager. Know when to use each service.
- Master monitoring and compliance - Study CloudTrail, Config, GuardDuty, and Inspector. Understand AWS Artifact for compliance documentation. Review major compliance programs and what they mean.
Task 2.1: Understand the AWS shared responsibility model
Knowledge Areas & AWS Documentation Reading List
1. AWS responsibility (security OF the cloud)
Why: Understanding what AWS manages is critical for the exam. AWS is responsible for protecting the infrastructure (physical security, hardware, networking, hypervisor). Exam questions test whether you know AWS handles tasks like data center security, hardware patching, and network infrastructure. This prevents you from incorrectly assuming you need to manage these aspects.
AWS Documentation:
- AWS Shared Responsibility Model
- Security of the AWS Cloud
- AWS Global Infrastructure Security
- Physical and Environmental Security
2. Customer responsibility (security IN the cloud)
Why: Customers are responsible for securing their data, applications, IAM, operating systems, and network configuration. Exam questions frequently test whether you understand customer responsibilities like configuring Security Groups, encrypting data, and managing IAM users. Knowing the customer’s security responsibilities helps you answer questions about what actions YOU must take to secure workloads.
AWS Documentation:
- Customer Responsibility
- Security Best Practices
- AWS Security Best Practices
- Shared Responsibility Model Examples
3. Shared controls (for example, patch management, configuration management, awareness and training)
Why: Some security controls are shared between AWS and customers. AWS patches the infrastructure (hypervisor, physical systems), but customers patch operating systems and applications. Understanding shared controls helps you answer questions about who patches what, who manages configuration, and security training responsibilities.
AWS Documentation:
Task 2.2: Understand AWS Cloud security, governance, and compliance concepts
Knowledge Areas & AWS Documentation Reading List
1. AWS compliance and governance concepts (for example, AWS Artifact, AWS Compliance Program)
Why: Organizations need compliance documentation for audits and certifications. AWS Artifact provides access to compliance reports (SOC, PCI, ISO). Exam questions test whether you know where to find compliance documentation and which compliance programs apply to specific industries. Understanding AWS compliance programs helps you answer questions about meeting regulatory requirements.
AWS Documentation:
- AWS Compliance
- AWS Artifact
- AWS Compliance Programs
- HIPAA Compliance
- PCI DSS Compliance
- SOC Compliance
- GDPR
- FedRAMP
- ISO Certifications
2. Identification and access management (for example, AWS Identity and Access Management [IAM], AWS IAM Identity Center [AWS Single Sign-On])
Why: IAM is the most critical security service and appears throughout the exam. You must understand IAM users, groups, roles, and policies. Exam questions test your ability to identify correct IAM solutions for granting permissions, implementing least privilege, and managing access. IAM Identity Center (SSO) helps manage access across multiple AWS accounts.
AWS Documentation:
- AWS IAM
- IAM User Guide
- IAM Best Practices
- IAM Policies
- IAM Roles
- IAM Users and Groups
- Multi-Factor Authentication (MFA)
- AWS IAM Identity Center
- Principle of Least Privilege
3. Security best practices (for example, least privilege, separation of duties)
Why: Security best practices like least privilege and separation of duties are fundamental principles tested throughout Domain 2. Exam questions present scenarios and ask you to identify which best practice applies or recommend secure solutions. Understanding these principles helps you evaluate whether a proposed solution follows AWS security recommendations.
AWS Documentation:
- Security Best Practices in IAM
- Least Privilege
- Separation of Duties
- Defense in Depth
- Security Pillar - Design Principles
4. AWS security services (for example, AWS CloudTrail, Amazon GuardDuty, AWS Security Hub, Amazon Inspector, AWS Config)
Why: AWS provides multiple security services for different purposes. CloudTrail records API calls, GuardDuty detects threats from logs such as CloudTrail, VPC Flow Logs and DNS logs, Security Hub aggregates findings into a central view, Inspector scans workloads for software vulnerabilities and unintended network exposure, and Config records configuration changes and evaluates resources against rules. Exam questions test your ability to identify which service solves specific security monitoring and compliance needs.
AWS Documentation:
- AWS CloudTrail
- Amazon GuardDuty
- AWS Security Hub
- Amazon Inspector
- AWS Config
- Amazon CloudWatch
- Amazon Macie
- AWS Audit Manager
Task 2.3: Identify AWS access management capabilities
Knowledge Areas & AWS Documentation Reading List
1. IAM users, groups, and roles
Why: Understanding the difference between users (individual identities with long-term credentials), groups (collections of users that share policies) and roles (identities with no long-term credentials that are assumed, by AWS services, federated users or other accounts, to obtain temporary credentials) is fundamental. Exam questions frequently ask you to identify the correct IAM construct for specific scenarios (e.g., use a role for an EC2 instance that accesses S3, never access keys stored on the instance).
AWS Documentation:
2. IAM policies (for example, AWS managed policies, customer managed policies, inline policies)
Why: IAM policies define permissions and are tested extensively. You must understand the difference between AWS managed policies (created and maintained by AWS, reusable across accounts), customer managed policies (you create and maintain them, reusable across identities in your account), and inline policies (embedded directly in a single user, group or role and deleted with it). Exam questions ask you to identify appropriate policy types and evaluate policy permissions, including the evaluation order: an explicit Deny always wins, an explicit Allow is otherwise required, and anything else is implicitly denied.
AWS Documentation:
- IAM Policies
- Managed Policies vs Inline Policies
- AWS Managed Policies
- Customer Managed Policies
- Policy Evaluation Logic
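The following is an added example, not code from the page or from AWS: a simplified, runnable model of the policy evaluation order described above (explicit Deny wins, then explicit Allow, otherwise implicit deny), applied to a broad policy, a least-privilege policy and a Deny guardrail. The policy documents, the bucket name app-logs and the object keys are constructed for the example; Conditions, NotAction/NotResource, resource-based policies, permission boundaries and SCPs are deliberately left out.

```python
"""Simplified IAM policy evaluation (added example, not AWS's own engine).

Implements the documented same-account evaluation order:
  1. an explicit Deny in any applicable statement wins,
  2. otherwise an explicit Allow is required,
  3. otherwise the request is implicitly denied.
Action and Resource support the '*' and '?' wildcards as IAM does.
The policies and ARNs below are constructed for the example; the bucket
name "app-logs" is an assumption.
"""
import fnmatch
import json


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    """Wildcard match. Action names are case-insensitive in IAM; resource ARNs
    are compared as written (S3 object keys are case-sensitive)."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Return "ALLOW" or "DENY" for one (action, resource) pair against all policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                raise ValueError("NotAction/NotResource are not supported in this example")
            action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
            resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"      # explicit deny: stop, nothing can override it
            allowed = True         # remember the allow, but keep scanning for denies
    return "ALLOW" if allowed else "DENY"   # implicit deny when nothing allowed it


# Overly broad: full control of every S3 resource (works, but not least privilege).
BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

# Least privilege: read objects from one bucket only.
LEAST_PRIVILEGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]
  }]
}""")

# A guardrail that denies deletes; attached next to BROAD it still wins.
DENY_DELETE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]
}""")

LOG_OBJECT = "arn:aws:s3:::app-logs/2024/app.log"
OTHER_OBJECT = "arn:aws:s3:::customer-data/export.csv"


def compare():
    """Evaluate the same requests under each policy set; returns {label: decision}."""
    return {
        "broad: delete log": evaluate([BROAD], "s3:DeleteObject", LOG_OBJECT),
        "broad+deny: delete log": evaluate([BROAD, DENY_DELETE], "s3:DeleteObject", LOG_OBJECT),
        "least: get log": evaluate([LEAST_PRIVILEGE], "s3:GetObject", LOG_OBJECT),
        "least: put log": evaluate([LEAST_PRIVILEGE], "s3:PutObject", LOG_OBJECT),
        "least: get other bucket": evaluate([LEAST_PRIVILEGE], "s3:GetObject", OTHER_OBJECT),
    }


if __name__ == "__main__":
    for label, decision in compare().items():
        print(f"{label:26s} {decision}")
```

Two things worth noticing when you run it: the Deny guardrail blocks the delete even though the broad policy explicitly allows s3:*, and the least-privilege policy denies s3:PutObject and access to the other bucket without any Deny statement at all, purely through implicit deny. That second behaviour is why least privilege is usually achieved by writing narrow Allow statements rather than by stacking Deny rules.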
3. Multi-factor authentication (MFA)
Why: MFA adds an extra layer of security beyond passwords. Exam questions test whether you understand when to require MFA (root account, privileged users, sensitive operations). MFA is a critical security best practice and frequently appears in security-focused scenarios.
AWS Documentation:
- Multi-Factor Authentication
- Using MFA in AWS
- MFA for Root Account
- Virtual MFA Devices
- Hardware MFA Devices
4. Temporary security credentials (for example, AWS Security Token Service [AWS STS], AWS IAM Identity Center)
Why: Temporary credentials are more secure than long-term access keys because they expire automatically and do not need to be stored or rotated. AWS STS issues temporary credentials when a role is assumed (by an EC2 instance, a Lambda function, a federated user or a principal in another account); IAM Identity Center builds on this to give workforce users short-lived access across multiple accounts from a single sign-in. Exam questions test whether you understand when to use temporary credentials instead of permanent access keys.
AWS Documentation:
- AWS Security Token Service (STS)
- Temporary Security Credentials
- Requesting Temporary Security Credentials
- AWS IAM Identity Center
- Federation
Task 2.4: Identify components and resources for security
Knowledge Areas & AWS Documentation Reading List
1. Network security (for example, AWS Network Firewall, security groups, network ACLs, AWS WAF)
Why: Network security controls protect your AWS resources from unauthorized access. Security Groups are stateful virtual firewalls attached to instances (network interfaces) with allow rules only, NACLs are stateless subnet-level filters with numbered allow and deny rules, WAF filters HTTP(S) requests to web applications, and Network Firewall provides stateful inspection at the VPC level. Exam questions test your ability to identify the correct network security tool for different scenarios.
AWS Documentation:
- Amazon VPC Security
- Security Groups
- Network ACLs
- AWS WAF
- AWS Network Firewall
- AWS Shield
- Comparison: Security Groups vs NACLs
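The stateful vs stateless distinction is the part of this comparison candidates most often get wrong, so here is an added simulation of the rule semantics (example code, not AWS's implementation and not AWS API calls). It models a security group as allow-only rules plus a connection-tracking table, and a network ACL as numbered allow/deny rules evaluated lowest number first with an implicit deny at the end. The client addresses, ports and rule numbers are constructed for the example.

```python
"""Stateful (security group) vs stateless (network ACL) packet filtering.

Added simulation of the rule semantics, not AWS API calls. It models the two
points the exam tests most: a security group tracks connections, so the reply
to an allowed inbound request leaves regardless of the outbound rules; a
network ACL judges every packet on its own against numbered rules (lowest
number first, first match wins, implicit deny at the end), so the reply on an
ephemeral port needs its own outbound rule. Security groups support allow
rules only; NACLs can also deny. Addresses are from the documentation ranges
and are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"  # "deny" is only meaningful for network ACLs
    number: int = 100      # NACL evaluation order; ignored by security groups

    def matches(self, proto, port, ip):
        return (self.proto in ("-1", proto)
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful filter: allow-only rules plus a connection-tracking table."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()  # (peer_ip, peer_port, local_port) of permitted flows

    def permits(self, direction, proto, peer_ip, peer_port, local_port):
        flow = (peer_ip, peer_port, local_port)
        if flow in self.flows:
            return True  # reply traffic of a tracked flow: no rule needed
        # inbound rules are written against the local port, outbound against the peer port
        port = local_port if direction == "in" else peer_port
        if any(r.matches(proto, port, peer_ip) for r in self.rules[direction]):
            self.flows.add(flow)
            return True
        return False  # no deny rules exist; unmatched traffic is simply dropped


class NetworkAcl:
    """Stateless filter: each packet is judged alone, rules in numeric order."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def permits(self, direction, proto, peer_ip, peer_port, local_port):
        port = local_port if direction == "in" else peer_port
        for rule in self.rules[direction]:
            if rule.matches(proto, port, peer_ip):
                return rule.action == "allow"  # first match wins
        return False  # the implicit "*" deny rule at the end of every NACL


def https_exchange(fw, client_ip="203.0.113.10", client_port=51515):
    """Client -> server:443 request, then the server's reply. Returns (request_ok, reply_ok)."""
    request = fw.permits("in", "tcp", client_ip, client_port, 443)
    reply = fw.permits("out", "tcp", client_ip, client_port, 443)
    return request, reply


ALLOW_HTTPS = Rule("tcp", 443, 443, "0.0.0.0/0", number=100)
ALLOW_EPHEMERAL_OUT = Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)
DENY_BAD_NET = Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=50)


def compare():
    """Run the same HTTPS exchange through each filter; returns {label: (request, reply)}."""
    # A real default security group carries an allow-all outbound rule; it is
    # left empty here to show that the reply does not depend on it.
    sg = SecurityGroup(inbound=[ALLOW_HTTPS], outbound=[])
    nacl_no_reply_rule = NetworkAcl(inbound=[ALLOW_HTTPS], outbound=[])
    nacl_fixed = NetworkAcl(inbound=[ALLOW_HTTPS], outbound=[ALLOW_EPHEMERAL_OUT])
    # Rule 50 is evaluated before rule 100, so the blocked network never reaches the allow.
    nacl_blocklist = NetworkAcl(inbound=[ALLOW_HTTPS, DENY_BAD_NET], outbound=[ALLOW_EPHEMERAL_OUT])
    return {
        "security group, no outbound rule": https_exchange(sg),
        "nacl, no outbound rule": https_exchange(nacl_no_reply_rule),
        "nacl, ephemeral outbound rule": https_exchange(nacl_fixed),
        "nacl, blocklisted client": https_exchange(nacl_blocklist, client_ip="198.51.100.7"),
        "nacl, other client": https_exchange(nacl_blocklist),
    }


if __name__ == "__main__":
    for label, (req, rep) in compare().items():
        print(f"{label:34s} request={'ok' if req else 'drop'} reply={'ok' if rep else 'drop'}")
```

The security group with an empty outbound rule set still lets the HTTPS reply out, because the inbound request created a tracked flow; the NACL with the same rules drops the reply until an outbound rule for the ephemeral port range 1024-65535 is added. The blocklist case shows why NACLs are the tool for blocking a source range (security groups have no deny rule) and why rule numbering matters: the deny at 50 is reached before the allow at 100. Note that the stateless NACL still passes the outbound reply packet for the blocklisted client, since it has no memory of the dropped request.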
2. Encryption (for example, AWS Key Management Service [AWS KMS], AWS Certificate Manager [ACM], AWS Secrets Manager)
Why: Encryption protects data at rest and in transit. KMS manages encryption keys, ACM manages SSL/TLS certificates, and Secrets Manager stores sensitive information like database passwords. Exam questions test your knowledge of which service to use for different encryption scenarios and when encryption is required.
AWS Documentation:
- AWS Key Management Service (KMS)
- KMS Developer Guide
- AWS Certificate Manager
- AWS Secrets Manager
- Encryption at Rest
- Encryption in Transit
- AWS CloudHSM
3. DDoS protection (for example, AWS Shield)
Why: DDoS attacks can make applications unavailable. AWS Shield provides DDoS protection: Shield Standard is enabled automatically for all AWS customers at no additional charge and defends against common network and transport layer attacks, while Shield Advanced is a paid subscription that adds protection for larger and more sophisticated attacks, attack visibility, cost protection and access to the AWS Shield Response Team. Exam questions test whether you know Shield protects against DDoS attacks and when to use Shield Advanced for mission-critical applications.
AWS Documentation:
4. Data classification (for example, Amazon Macie)
Why: Amazon Macie uses machine learning and pattern matching to discover and classify sensitive data stored in Amazon S3, such as PII (Personally Identifiable Information), credentials and financial data. Exam questions test whether you know Macie helps with data discovery, classification and protection for compliance requirements.
AWS Documentation:
AWS Service FAQs (Recommended Reading)
- IAM FAQs
- KMS FAQs
- CloudTrail FAQs
- GuardDuty FAQs
- Shield FAQs
- WAF FAQs
- Security Hub FAQs
- Inspector FAQs
- Config FAQs
- Artifact FAQs
AWS Whitepapers (Essential Reading)
- AWS Security Pillar - Security best practices and design principles
- Introduction to AWS Security - Comprehensive security overview
- AWS Security Best Practices - Security implementation guidance
- Shared Responsibility Model - Understanding security responsibilities
- AWS Compliance - Compliance programs and certifications
- DDoS Resiliency Best Practices - DDoS protection strategies
Final Thoughts on Domain 2
Domain 2 (Security and Compliance) represents 30% of the exam, second only to Domain 3 (Cloud Technology and Services, 34%). Security is AWS's #1 priority and understanding security concepts is critical for passing the exam.
Key Takeaways:
- Master the Shared Responsibility Model - Know what AWS secures vs what you secure
- IAM is everywhere - Users, groups, roles, and policies appear in every domain
- Know your security services - CloudTrail (logging), GuardDuty (threat detection), Config (compliance)
- Understand encryption - At rest (KMS-managed keys), in transit (TLS with certificates from ACM), secrets (Secrets Manager)
- Network security matters - Security Groups (stateful), NACLs (stateless), WAF (application protection)
- Compliance is critical - Know AWS Artifact and major compliance programs (HIPAA, PCI DSS, SOC)
Study Strategy:
- Spend 30-35% of your study time on this domain (matches exam weight)
- Create a Shared Responsibility Model diagram and memorize it
- Practice creating IAM policies in the AWS Console
- Understand the difference between Security Groups and NACLs (frequently tested)
- Learn which compliance program applies to which industry
- Know when to use each security service (CloudTrail vs GuardDuty vs Inspector)
Common Exam Question Patterns:
- Scenario: Who is responsible for patching? → Answer: AWS patches infrastructure, you patch OS/apps
- Scenario: Grant EC2 access to S3 → Answer: Use IAM role, not access keys
- Scenario: Detect suspicious activity → Answer: Amazon GuardDuty
- Scenario: Track API calls → Answer: AWS CloudTrail
- Scenario: Healthcare data compliance → Answer: HIPAA; use HIPAA-eligible services and obtain the compliance reports and Business Associate Addendum (BAA) from AWS Artifact
- Scenario: Protect web application → Answer: AWS WAF + Shield
Security is the foundation of everything in AWS. Master Domain 2 thoroughly!