AWS Certified DevOps Engineer - Professional (DOP-C02) Domain 6

Security and Compliance

Official Exam Guide: Domain 6: Security and Compliance

Skill Builder: AWS Certified DevOps Engineer - Professional Exam Prep

---

Domain Overview

Domain 6 (17%) focuses on identity and access management at scale, automating security controls and data protection, and implementing security monitoring and auditing.

---

Task 6.1: Implement techniques for identity and access management at scale

Essential Documentation:

• AWS IAM User Guide
• AWS IAM Identity Center
• IAM Permissions Boundaries
• Service Control Policies
• AWS Secrets Manager
• AWS STS API Reference

---

Task 6.2: Apply automation for security controls and data protection

Essential Documentation:

• AWS Security Hub User Guide
• AWS WAF Developer Guide
• Amazon GuardDuty User Guide
• AWS KMS Developer Guide
• AWS CloudHSM User Guide
• AWS Certificate Manager User Guide
• Amazon Macie User Guide
• AWS Network Firewall Developer Guide

---

Task 6.3: Implement security monitoring and auditing solutions

Essential Documentation:

• AWS CloudTrail User Guide
• AWS Config Developer Guide
• VPC Flow Logs
• CloudFormation Drift Detection
• Amazon Inspector User Guide
• IAM Access Analyzer
• Amazon Detective Administration Guide

---

AWS Service FAQs

• AWS IAM FAQs
• Amazon GuardDuty FAQs
• AWS Security Hub FAQs
• AWS KMS FAQs

---

Study Tips

1. Master IAM at scale - Roles vs users, permissions boundaries, SCPs for Organizations, IAM Identity Center for SSO.

2. Learn automated security - Security Hub for centralized findings, Config rules with remediation, GuardDuty for threat detection.

3. Understand encryption - KMS for key management, CloudHSM for hardware security modules, ACM for certificates, encryption at rest/in transit.

4. Practice security auditing - CloudTrail for API logging, Config for resource configuration history, VPC Flow Logs for network traffic.

5. Study defense in depth - Security groups, NACLs, WAF, Network Firewall, Shield for DDoS protection, layered security controls.

---

Complete Exam Summary

Exam Format:

• 75 questions (65 scored + 10 unscored)
• Multiple choice and multiple response
• Passing score: 750/1000
• 180 minutes

Domain Weightings:

• Domain 1: SDLC Automation (22%)
• Domain 2: Configuration Management and IaC (17%)
• Domain 3: Resilient Cloud Solutions (15%)
• Domain 4: Monitoring and Logging (15%)
• Domain 5: Incident and Event Response (14%)
• Domain 6: Security and Compliance (17%)

Target Candidate:

• 2+ years provisioning, operating, managing AWS environments
• Experience with SDLC and programming/scripting
• Experience in building highly automated infrastructure

Key AWS Services to Master:

• CI/CD: CodePipeline, CodeBuild, CodeDeploy, CodeCommit, CodeArtifact
• IaC: CloudFormation, CDK, SAM, Service Catalog
• Configuration: Systems Manager, Config, OpsWorks
• Monitoring: CloudWatch, X-Ray, CloudTrail
• Automation: Lambda, Step Functions, EventBridge
• Security: IAM, Secrets Manager, KMS, Security Hub, GuardDuty
• Containers: ECS, EKS, ECR, Fargate
• Networking: VPC, Load Balancers, Route 53
• Multi-Account: Organizations, Control Tower

Core DevOps Concepts:

• Infrastructure as Code (IaC)
• Continuous Integration/Continuous Deployment (CI/CD)
• Configuration management
• Monitoring and logging
• Incident response
• Security automation
• High availability and disaster recovery
• Auto scaling and performance optimization

Study Resources:

• AWS Well-Architected Framework
• AWS DevOps
• AWS Whitepapers

Good luck with your AWS Certified DevOps Engineer - Professional certification!

---

Note: This is Domain 6 of 6, representing 17% of exam content.