AWS Certified Developer Associate (DVA-C02) Domain 2

Security

Official Exam Guide: Domain 2: Security
Skill Builder: AWS Developer Associate (DVA-C02) Exam Prep

Note: Some Skill Builder labs require a subscription.

---

How to Study This Domain Effectively

Study Tips

1. Practice IAM policy creation hands-on - Security is best learned by doing. Create IAM users, roles, and policies in your AWS account. Experiment with different policy structures, test least privilege access, practice assuming roles programmatically, and observe what happens when permissions are insufficient. Understanding IAM through trial and error builds intuition that’s difficult to gain from reading alone, and policy evaluation is heavily tested on the exam.

2. Implement authentication flows in sample applications - Build small applications that use Cognito User Pools for user authentication, implement JWT token validation, configure federated identity providers, and practice programmatic access with temporary credentials. Hands-on experience with authentication flows helps you understand the exam scenarios that describe user login requirements, token management, and federated access patterns.

3. Work with AWS KMS encryption in code - Write code that encrypts and decrypts data using KMS, configure encryption at rest for S3 and DynamoDB, practice using envelope encryption, and understand how to grant cross-account KMS access. The exam tests your ability to implement encryption programmatically, not just understand it conceptually, so writing actual encryption code is essential for mastering this domain.

4. Master AWS Secrets Manager and Parameter Store - Create secrets in Secrets Manager, store parameters in Systems Manager Parameter Store, practice retrieving secrets in Lambda functions and EC2 applications, implement automatic rotation for RDS credentials, and understand cost differences between the two services. Exam questions frequently test when to use each service and how to securely retrieve secrets in application code.

5. Create a security decision matrix - Build a reference table that maps common security scenarios to AWS services: user authentication (Cognito), service-to-service auth (IAM roles), API authorization (API Gateway authorizers), encryption at rest (KMS), encryption in transit (TLS/SSL certificates), secret management (Secrets Manager vs Parameter Store), and temporary credentials (STS). This matrix helps you quickly identify the right security approach during exam questions.

Recommended Approach

1. Start with IAM fundamentals - Begin by deeply understanding IAM users, groups, roles, and policies. Learn policy structure (Effect, Action, Resource, Condition), policy evaluation logic, the difference between identity-based and resource-based policies, and how to implement least privilege. IAM is the foundation for all AWS security, and mastering it is critical for this domain and the entire exam.

2. Master authentication patterns with Cognito - Study Cognito User Pools for user directory and authentication, Cognito Identity Pools for temporary AWS credentials, integration with social identity providers, JWT token structure and validation, and how Cognito integrates with API Gateway and Application Load Balancer. Understanding Cognito authentication flows is essential for answering user authentication scenarios.

3. Deep dive into encryption services - Study AWS KMS thoroughly: customer managed keys vs AWS managed keys, key policies, grants, envelope encryption, and cross-account access. Then learn encryption at rest for S3, EBS, RDS, and DynamoDB. Finally, understand encryption in transit with TLS/SSL certificates and AWS Certificate Manager. Encryption appears throughout the exam in various contexts.

4. Learn secret management best practices - Study AWS Secrets Manager for automatic rotation and database credentials, Systems Manager Parameter Store for configuration data, how to retrieve secrets in Lambda and EC2, encryption of secrets with KMS, and when to use each service. Practice writing code that retrieves secrets securely rather than hardcoding credentials.

5. Practice security scenarios end-to-end - Build complete applications that implement authentication (Cognito), authorization (IAM policies), encryption (KMS), and secret management (Secrets Manager). Understanding how these services work together in real applications prepares you for complex exam scenarios. Complete with practice exams focused on Domain 2 to identify security knowledge gaps.

---

Task 1: Implement authentication and/or authorization for applications and AWS services

Skills & Corresponding Documentation

Skill 2.1.1: Use an identity provider to implement federated access (for example, Amazon Cognito, IAM)

Why: Federated access is extensively tested because modern applications often integrate with external identity providers like Google, Facebook, Active Directory, or SAML providers. You must understand how Cognito User Pools authenticate users, how Cognito Identity Pools provide temporary AWS credentials, how IAM identity providers enable SAML and OIDC federation, and when to use each approach. Exam questions present authentication requirements involving external identity sources and expect you to configure the appropriate federation mechanism.

AWS Documentation:

• Amazon Cognito User Pools
• Amazon Cognito Identity Pools (Federated Identities)
• Amazon Cognito Developer Guide
• Integrating User Pools with Identity Pools
• Adding Social Identity Providers to User Pools
• IAM Identity Providers and Federation
• SAML 2.0 Federation
• OpenID Connect (OIDC) Federation
• Web Identity Federation
• Cognito User Pool Authentication Flow

Skill 2.1.2: Secure applications by using bearer tokens

Why: Bearer token authentication is fundamental for securing APIs and is tested through scenarios involving JWT tokens, OAuth 2.0 flows, and token validation. You must understand how Cognito issues JWT tokens (ID, access, refresh), how to validate tokens in API Gateway or Lambda, token expiration and refresh mechanisms, and how to extract claims from tokens. Exam questions present API security requirements and expect you to implement token-based authentication correctly.

AWS Documentation:

• Using Tokens with User Pools
• JSON Web Tokens (JWT)
• Verifying a JSON Web Token
• Using ID Tokens and Access Tokens
• Token Refresh
• API Gateway Lambda Authorizers
• API Gateway Cognito User Pool Authorizers
• OAuth 2.0 Grants in Cognito

Skill 2.1.3: Configure programmatic access to AWS

Why: Programmatic access is tested because applications must authenticate to AWS services via SDKs and CLI. You need to understand AWS access keys vs temporary credentials, IAM roles for EC2 instances and Lambda functions, credential provider chains, credential precedence, and security best practices (never hardcode credentials). Exam questions present scenarios where applications need AWS access and expect you to configure secure programmatic authentication.

AWS Documentation:

• AWS Security Credentials
• Managing Access Keys for IAM Users
• IAM Roles for Amazon EC2
• AWS Lambda Execution Role
• Configuring the AWS CLI
• AWS SDK Credential Provider Chain
• Best Practices for Managing AWS Access Keys
• Temporary Security Credentials
• Using Instance Profiles

Skill 2.1.4: Make authenticated calls to AWS services

Why: This skill is fundamental for developers because all AWS SDK interactions require proper authentication. You must understand how to configure SDK credentials, use SigV4 signing for API requests, implement retry logic for throttling, handle credential expiration, and work with temporary credentials from assumed roles. Exam questions present code scenarios and expect you to identify correct authentication patterns or troubleshoot authentication failures.

AWS Documentation:

• Signing AWS API Requests
• Signature Version 4 Signing Process
• Making Requests Using AWS SDKs
• AWS SDK Authentication and Access
• Boto3 Credentials Configuration
• Error Handling for AWS SDKs
• Request Signing for Custom Requests

Skill 2.1.5: Assume an IAM role

Why: Role assumption is heavily tested because it’s the secure way to grant temporary permissions and enable cross-account access. You must understand AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML API calls, how to configure trust policies, session duration settings, external ID for third-party access, and how to use temporary credentials in code. Exam questions present scenarios requiring role switching or cross-account access and expect you to implement role assumption correctly.

AWS Documentation:

• Using IAM Roles
• AWS STS AssumeRole
• Switching to an IAM Role (AWS CLI)
• AssumeRole in AWS SDKs
• Trust Policies for IAM Roles
• Cross-Account Access with IAM Roles
• Using External IDs for Third-Party Access
• Temporary Security Credentials
• Session Tags in AssumeRole

Skill 2.1.6: Define permissions for IAM principals

Why: IAM policy creation is one of the most critical skills because permissions control all AWS access. You must understand policy structure (Version, Statement, Effect, Action, Resource, Condition), identity-based vs resource-based policies, inline vs managed policies, policy variables, NotAction and NotResource, and least privilege principles. Exam questions frequently present access requirements and expect you to write or identify correct IAM policies that grant appropriate permissions.

AWS Documentation:

• IAM Policies and Permissions
• IAM JSON Policy Reference
• Creating IAM Policies
• IAM Policy Elements Reference
• Identity-Based vs Resource-Based Policies
• IAM Policy Evaluation Logic
• Managed Policies vs Inline Policies
• IAM Policy Conditions
• Policy Variables
• Testing IAM Policies with the IAM Policy Simulator
• Granting Least Privilege

Skill 2.1.7: Implement application-level authorization for fine-grained access control

Why: Application-level authorization is tested through scenarios requiring more granular access control than IAM provides. You must understand how to implement custom authorization logic in Lambda authorizers, use Cognito groups for role-based access, implement attribute-based access control (ABAC) with IAM tags and policy variables, and enforce row-level or column-level security in applications. Exam questions present multi-tenant or hierarchical access scenarios and expect you to implement appropriate authorization patterns.

AWS Documentation:

• Fine-Grained Access Control
• API Gateway Lambda Authorizers
• Cognito User Pool Groups
• Attribute-Based Access Control (ABAC)
• Using Tags to Control Access
• DynamoDB Fine-Grained Access Control
• S3 Bucket Policies for Fine-Grained Access
• Controlling Access with VPC Endpoints

Skill 2.1.8: Handle cross-service authentication in microservice architectures

Why: Microservices authentication is tested because modern distributed applications require secure service-to-service communication. You must understand how to use IAM roles for service authentication, implement service mesh patterns, use VPC endpoints for private connectivity, secure API Gateway integrations, and handle authentication context propagation across services. Exam questions present microservices scenarios and expect you to implement secure inter-service authentication.

AWS Documentation:

• Service-to-Service Authentication
• IAM Roles for Services
• VPC Endpoints for Private Connectivity
• API Gateway Resource Policies
• Service-to-Service Authentication in Microservices
• AWS App Mesh for Service Mesh
• Cross-Service Confused Deputy Prevention
• Lambda Function URLs with IAM Authentication

AWS Service FAQs:

• Amazon Cognito FAQ
• AWS IAM FAQ
• AWS STS FAQ
• AWS API Gateway FAQ

AWS Whitepapers:

• Security Pillar - AWS Well-Architected Framework
• AWS Security Best Practices
• Identity and Access Management for AWS
• Microservices on AWS - Security

---

Task 2: Implement encryption by using AWS services

Skills & Corresponding Documentation

Skill 2.2.1: Define encryption at rest and in transit

Why: Understanding encryption types is fundamental for securing data throughout its lifecycle. You must know that encryption at rest protects stored data (S3, EBS, RDS, DynamoDB) using KMS or service-managed keys, while encryption in transit protects data during transmission using TLS/SSL. Exam questions test your ability to identify when each type is needed, understand how they work together for defense in depth, and select appropriate encryption services for different scenarios.

AWS Documentation:

• Encryption at Rest
• Encryption in Transit
• Data Protection in AWS
• S3 Encryption
• EBS Encryption
• RDS Encryption
• DynamoDB Encryption at Rest
• TLS/SSL Certificates
• Encrypting Data in Transit

Skill 2.2.2: Describe certificate management (for example, AWS Private CA)

Why: Certificate management is tested because TLS/SSL certificates are essential for secure communication. You must understand AWS Certificate Manager for public certificates, AWS Private Certificate Authority for private PKI, certificate validation methods (DNS, email), certificate renewal, how to attach certificates to load balancers and CloudFront distributions, and when to use public vs private certificates. Exam questions present HTTPS requirements and expect you to configure certificate management correctly.

AWS Documentation:

• AWS Certificate Manager (ACM)
• Issuing and Managing Certificates
• AWS Private Certificate Authority
• Certificate Validation
• Using ACM Certificates with AWS Services
• Managed Certificate Renewal
• Importing Certificates into ACM
• Private Certificates and Internal Resources

Skill 2.2.3: Describe differences between client-side encryption and server-side encryption

Why: Understanding encryption ownership and responsibility is critical for compliance and security design. You must know that server-side encryption (SSE) is managed by AWS services (SSE-S3, SSE-KMS, SSE-C), while client-side encryption requires applications to encrypt data before sending to AWS. Exam questions test your understanding of when each approach is appropriate, compliance implications, performance considerations, and how to implement each encryption type correctly.

AWS Documentation:

• Protecting Data Using Encryption
• Server-Side Encryption
• Client-Side Encryption
• S3 Server-Side Encryption with Amazon S3 Managed Keys (SSE-S3)
• S3 Server-Side Encryption with AWS KMS (SSE-KMS)
• S3 Server-Side Encryption with Customer-Provided Keys (SSE-C)
• AWS Encryption SDK
• Client-Side Encryption with AWS SDKs

Skill 2.2.4: Use encryption keys to encrypt or decrypt data

Why: Working with KMS keys programmatically is essential for implementing encryption in applications. You must understand how to call KMS Encrypt and Decrypt APIs, work with customer managed keys (CMKs), use envelope encryption for large data, implement grant-based access, and handle encryption context for additional security. Exam questions present encryption requirements and expect you to write or identify code that correctly encrypts and decrypts data using KMS.

AWS Documentation:

• AWS Key Management Service (KMS)
• Encrypting and Decrypting Data
• KMS Encrypt API
• KMS Decrypt API
• Using Customer Managed Keys
• Envelope Encryption
• Encryption Context
• KMS GenerateDataKey
• Using KMS Keys in AWS SDKs
• Data Key Caching

Skill 2.2.5: Generate certificates and SSH keys for development purposes

Why: Certificate and key generation is tested through scenarios involving development environments, EC2 instance access, and secure communication setup. You must understand how to generate SSH key pairs for EC2 access, create self-signed certificates for development, use OpenSSL for certificate generation, and understand key pair management. Exam questions may ask about securing development environments or configuring secure access to instances.

AWS Documentation:

• Amazon EC2 Key Pairs
• Creating Key Pairs
• Connecting to Your Linux Instance Using SSH
• Self-Signed Certificates for Development
• AWS Systems Manager Session Manager
• EC2 Instance Connect

Skill 2.2.6: Use encryption across account boundaries

Why: Cross-account encryption is tested because enterprises often need to share encrypted data between AWS accounts. You must understand how to configure KMS key policies for cross-account access, use grants for temporary permissions, share encrypted S3 objects across accounts, and implement encryption in cross-account scenarios. Exam questions present multi-account requirements and expect you to configure encryption access correctly across account boundaries.

AWS Documentation:

• Allowing Users in Other Accounts to Use a KMS Key
• Cross-Account Access to KMS Keys
• Sharing Encrypted S3 Objects Across Accounts
• Using Grants in AWS KMS
• Cross-Account KMS Key Usage
• Encrypting Data Keys with Cross-Account Access

Skill 2.2.7: Enable and disable key rotation

Why: Key rotation is a security best practice that’s tested through scenarios about maintaining encryption security over time. You must understand automatic key rotation for customer managed keys (yearly rotation), how rotation affects existing data (it doesn’t - old versions decrypt existing data), manual rotation requirements for imported keys, and the difference between AWS managed key rotation (every year) and customer managed key rotation. Exam questions test your understanding of rotation mechanics and best practices.

AWS Documentation:

• Rotating AWS KMS Keys
• Automatic Key Rotation
• How Automatic Key Rotation Works
• Manual Key Rotation
• Key Rotation Best Practices
• Rotating Customer Managed Keys

AWS Service FAQs:

• AWS KMS FAQ
• AWS Certificate Manager FAQ
• AWS Private Certificate Authority FAQ
• Amazon S3 FAQ - Encryption

AWS Whitepapers:

• AWS Key Management Service Best Practices
• Encrypting Data at Rest
• AWS Security Best Practices - Encryption

---

Task 3: Manage sensitive data in application code

Skills & Corresponding Documentation

Skill 2.3.1: Describe data classification (for example, personally identifiable information [PII], protected health information [PHI])

Why: Data classification is tested because different data types require different protection levels and compliance controls. You must understand what constitutes PII (names, SSNs, email addresses), PHI (health records under HIPAA), financial data (PCI DSS), and other sensitive data types. You should know regulatory requirements, how to identify sensitive data in applications, and AWS services that help classify data. Exam questions present data handling scenarios and expect you to identify appropriate protection measures based on data classification.

AWS Documentation:

• Data Classification
• AWS Data Privacy
• Identifying and Protecting Sensitive Data
• Amazon Macie for Data Discovery
• HIPAA Compliance
• PCI DSS Compliance
• GDPR Compliance
• Data Protection in AWS

Skill 2.3.2: Encrypt environment variables that contain sensitive data

Why: Environment variable encryption is tested because configuration often contains sensitive values like API keys, database passwords, and tokens. You must understand how to encrypt Lambda environment variables with KMS, store encrypted values in ECS task definitions, use encryption in Elastic Beanstalk environments, and decrypt variables programmatically in application code. Exam questions present scenarios with sensitive configuration data and expect you to implement secure storage and retrieval patterns.

AWS Documentation:

• Lambda Environment Variables
• Securing Lambda Environment Variables
• Encrypting Lambda Environment Variables
• ECS Task Definition Environment Variables
• ECS Secrets Management
• Elastic Beanstalk Environment Properties
• Using KMS to Encrypt Environment Variables

Skill 2.3.3: Use secret management services to secure sensitive data

Why: Secret management is heavily tested because hardcoded credentials are a major security vulnerability. You must understand AWS Secrets Manager for automatic rotation and database credentials, Systems Manager Parameter Store for configuration data and secrets, when to use each service (rotation needs, cost, integration), how to retrieve secrets in Lambda and EC2, and how to grant access to secrets via IAM. Exam questions present credential management scenarios and expect you to implement secure secret retrieval patterns.

AWS Documentation:

• AWS Secrets Manager
• What is AWS Secrets Manager
• Creating and Managing Secrets
• Rotating Secrets
• Retrieving Secrets in Code
• AWS Systems Manager Parameter Store
• Parameter Store vs Secrets Manager
• Using Parameter Store with Lambda
• SecureString Parameters
• Secrets Manager Lambda Extension

Skill 2.3.4: Sanitize sensitive data

Why: Data sanitization is tested through scenarios involving logging, error messages, debugging output, and data transmission. You must understand how to remove or mask sensitive data from logs, prevent credentials from appearing in error messages, sanitize data before sending to third parties, and implement secure logging practices. Exam questions present situations where sensitive data might leak and expect you to implement appropriate sanitization measures.

AWS Documentation:

• Logging Best Practices
• CloudWatch Logs Data Protection
• Redacting Sensitive Data
• AWS Lambda Logging Best Practices
• Data Masking in Applications
• Preventing Sensitive Data Exposure

Skill 2.3.5: Implement application-level data masking and sanitization

Why: Application-level masking is tested because applications often need to display partial sensitive data (last 4 digits of SSN) or different data views based on user roles. You must understand how to implement masking logic in application code, use Lambda@Edge for response transformation, implement field-level encryption in CloudFront, and design APIs that return appropriately masked data. Exam questions present requirements for partial data visibility and expect you to implement masking strategies correctly.

AWS Documentation:

• Data Masking Techniques
• Field-Level Encryption in CloudFront
• Lambda@Edge for Response Transformation
• API Gateway Response Transformation
• DynamoDB Attribute Projection
• Application-Level Access Control

Skill 2.3.6: Implement data access patterns for multi-tenant applications

Why: Multi-tenant data isolation is tested through scenarios involving SaaS applications that serve multiple customers. You must understand tenant isolation strategies (database per tenant, schema per tenant, shared database with tenant ID), how to implement row-level security with IAM policy variables, use Cognito identity pools with fine-grained access control, and ensure data cannot leak between tenants. Exam questions present multi-tenant requirements and expect you to implement secure isolation patterns.

AWS Documentation:

• SaaS Tenant Isolation Strategies
• Multi-Tenant Architecture on AWS
• DynamoDB Multi-Tenant Data Access
• Row-Level Security with IAM
• Cognito Identity Pools for Multi-Tenant Access
• Using Policy Variables for Multi-Tenancy
• S3 Multi-Tenant Access Patterns
• RDS Multi-Tenant Patterns

AWS Service FAQs:

• AWS Secrets Manager FAQ
• AWS Systems Manager FAQ
• Amazon Macie FAQ
• AWS Lambda FAQ

AWS Whitepapers:

• Data Classification
• SaaS Tenant Isolation Strategies
• Security Best Practices - Data Protection
• AWS Security Best Practices

---

Final Thoughts

Domain 2: Security is fundamental to AWS development and requires both theoretical knowledge and practical implementation skills. Focus heavily on IAM (policies, roles, trust relationships, policy evaluation), Cognito (authentication flows, JWT tokens, federated identities), and KMS (encryption at rest, envelope encryption, key policies). Practice writing IAM policies and implementing authentication in real applications—security is best learned through hands-on experimentation. Master secret management with Secrets Manager and Parameter Store, understand when to use each, and practice retrieving secrets in Lambda functions. Security principles from this domain appear throughout the exam and in real-world AWS development, making it essential to deeply understand authentication, authorization, encryption, and secret management patterns. The time invested in mastering these security fundamentals will pay dividends across all other exam domains and in your AWS development career.