AWS Certified SysOps Administrator - Associate (SOA-C03) Domain 4

Security and Compliance

Official Exam Guide: Domain 4: Security and Compliance
Skill Builder: AWS Certified SysOps Administrator - Associate (SOA-C03) Exam Prep

Note: Some Skill Builder labs require a subscription.

---

How to Study This Domain Effectively

Study Tips

1. Master IAM policy evaluation logic - Understanding how AWS evaluates IAM policies is critical for troubleshooting access issues and is heavily tested. Learn the policy evaluation order: explicit deny always wins, then explicit allow, then implicit deny. Understand how identity-based policies, resource-based policies, service control policies (SCPs), and permission boundaries interact. Practice creating IAM policies with conditions (IpAddress, StringLike, DateGreaterThan) and test them using the IAM policy simulator. The exam frequently presents scenarios with access denied errors requiring you to identify the policy blocking access.

2. Understand encryption comprehensively - Encryption at rest and in transit are fundamental security controls tested extensively. For KMS, understand customer managed keys versus AWS managed keys, key policies versus IAM policies, key rotation, and cross-account key access. Know when to use AWS KMS versus customer-provided keys (SSE-C) versus CloudHSM. For encryption in transit, understand how ACM manages SSL/TLS certificates, certificate renewal, and integration with services (ELB, CloudFront, API Gateway). Practice implementing encryption for S3, EBS, RDS, and understand the performance and cost implications.

3. Learn AWS Organizations security features - Multi-account strategies are increasingly tested as organizations adopt landing zones and control tower architectures. Understand Service Control Policies (SCPs) for permission guardrails, how SCPs affect all principals in an account including the root user, organizational units (OUs) for grouping accounts, and consolidated billing. Know when to use SCPs versus IAM policies versus resource policies. Practice implementing security controls at the organization level that cannot be overridden by individual accounts, such as preventing disabling CloudTrail or enforcing encryption.

4. Practice with AWS security services - Hands-on experience with Security Hub (centralized security view), GuardDuty (threat detection), Config (resource compliance), and Inspector (vulnerability scanning) is essential. Understand what each service detects, how findings are prioritized, and remediation workflows. Create Config rules to enforce compliance (encrypted volumes, public S3 buckets), enable GuardDuty to detect threats, and aggregate Security Hub findings across accounts. The exam tests your ability to select the appropriate service for specific security scenarios and interpret findings.

5. Understand compliance frameworks and audit requirements - Know how AWS helps meet compliance requirements (HIPAA, PCI DSS, SOC 2) through shared responsibility model, AWS Artifact for compliance reports, and AWS Audit Manager for continuous audit readiness. Understand CloudTrail for audit logging (who did what, when, where), how to configure organization trails, log file integrity validation, and integration with CloudWatch Logs for real-time analysis. Practice implementing detective controls that prove compliance and enable forensic investigation of security incidents.

Recommended Approach

1. Start with IAM fundamentals and best practices - Study the IAM User Guide thoroughly, focusing on users, groups, roles, policies, and the principle of least privilege. Understand when to use IAM users (individual people) versus roles (services, cross-account access, federated users). Learn IAM policy structure (Effect, Action, Resource, Condition) and practice writing policies. Master MFA implementation for privileged accounts and understand federated access using Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC). IAM is foundational to all AWS security and appears throughout the exam.

2. Deep dive into access troubleshooting tools - Practice using CloudTrail to investigate API calls, IAM Access Analyzer to identify resources shared with external entities, and IAM policy simulator to test policy effects before deployment. Create scenarios where access is denied and use these tools to diagnose the issue. Understand CloudTrail event history, how to query logs with CloudWatch Logs Insights, and how to detect unusual API activity. These troubleshooting skills are tested through scenario-based questions requiring you to identify why access failed.

3. Master encryption implementation across AWS services - Study KMS comprehensively: key creation, key policies, grants, encryption context, and key rotation. Practice encrypting S3 buckets (SSE-KMS, SSE-S3, SSE-C), EBS volumes (encryption by default, encrypted snapshots), RDS databases (encryption at creation, encrypted read replicas), and understand that encryption settings cannot be changed after resource creation for many services. For ACM, practice requesting certificates, validating domain ownership (DNS, email), and integrating with load balancers and CloudFront distributions.

4. Implement security monitoring and remediation - Enable Security Hub as a central security dashboard, turn on GuardDuty for threat detection, configure Config rules for compliance checking, and run Inspector for vulnerability assessments. Practice creating EventBridge rules that trigger Lambda functions for automated remediation (e.g., remove public access from S3 bucket when detected). Understand the types of findings each service generates and how to prioritize remediation based on severity. This hands-on experience prepares you for exam questions about automated security response.

5. Study multi-account security patterns - Learn AWS Organizations structure (management account, member accounts, OUs), how to create and manage SCPs, and best practices for multi-account security (isolated security account, centralized logging account, delegated administrator accounts). Understand AWS Control Tower for automated account provisioning and guardrails. Practice implementing organization-wide security controls like enforcing MFA, preventing public S3 buckets, and requiring encryption. Multi-account security is a growing exam topic as organizations scale their AWS presence.

---

Task 4.1: Implement and manage security and compliance tools and policies

Skills & Corresponding Documentation

Skill 4.1.1: Implement AWS Identity and Access Management (IAM) features (for example, password policies, multi-factor authentication [MFA], roles, federated identity, resource policies, policy conditions)

Why: IAM is the foundation of AWS security and is the most heavily tested topic in Domain 4. You must understand all IAM components: users and groups for long-term credentials, roles for temporary credentials and service access, identity-based policies (attached to users/groups/roles) versus resource-based policies (attached to resources like S3 buckets), and policy conditions for context-based access control. The exam tests password policy configuration (complexity, rotation, reuse prevention), MFA implementation (virtual, hardware, U2F), role assumption (cross-account, service roles, instance profiles), and federated access using SAML 2.0 or OIDC for enterprise single sign-on. Understanding IAM policy evaluation logic (explicit deny, explicit allow, implicit deny) is critical for troubleshooting access issues that dominate SysOps scenarios.

AWS Documentation:

• AWS Identity and Access Management User Guide
• What Is IAM?
• IAM Identities (Users, Groups, and Roles)
• IAM Policies and Permissions
• Policy Evaluation Logic
• IAM JSON Policy Elements Reference
• IAM Policy Conditions
• Setting an Account Password Policy
• Using Multi-Factor Authentication (MFA) in AWS
• Enabling MFA Devices
• IAM Roles
• Using IAM Roles
• IAM Roles for Amazon EC2
• Identity Providers and Federation
• Enabling SAML 2.0 Federated Users
• About Web Identity Federation
• Resource-Based Policies
• IAM Best Practices

Skill 4.1.2: Troubleshoot and audit access issues by using AWS tools (for example, AWS CloudTrail, IAM Access Analyzer, IAM policy simulator)

Why: Troubleshooting access issues is a core SysOps responsibility and is tested through scenarios requiring you to diagnose why API calls fail. CloudTrail provides detailed logs of all API calls (who made the call, when, from where, what was the result), essential for auditing and forensic investigation. IAM Access Analyzer identifies resources shared with external entities (S3 buckets, IAM roles, KMS keys) to detect unintended access. The IAM policy simulator tests policy effects before deployment, helping you validate that policies grant intended access without over-permissioning. The exam presents access denied errors with CloudTrail logs and requires you to identify the root cause (missing IAM permission, SCP blocking, resource policy denying, MFA not satisfied, IP condition not met).

AWS Documentation:

• AWS CloudTrail User Guide
• How CloudTrail Works
• Creating a Trail
• Viewing Events with CloudTrail Event History
• CloudTrail Log File Examples
• Validating CloudTrail Log File Integrity
• Using AWS IAM Access Analyzer
• Getting Started with IAM Access Analyzer
• IAM Access Analyzer Findings
• Testing IAM Policies with the IAM Policy Simulator
• Using the IAM Policy Simulator (Console)
• Troubleshooting IAM
• Troubleshooting Access Denied Error Messages
• Understanding How IAM Works
• Refining Permissions Using Service Last Accessed Data

Skill 4.1.3: Implement multi-account strategies securely

Why: Multi-account architectures are AWS best practice for isolating workloads, enforcing security boundaries, and managing costs, making this increasingly tested. AWS Organizations enables centralized management of multiple accounts with Service Control Policies (SCPs) that act as permission guardrails for all principals in member accounts. You must understand SCP inheritance (policies apply to OUs and all child accounts), how SCPs interact with IAM policies (SCPs don’t grant permissions, only limit maximum permissions), and common SCP patterns (deny regions, require encryption, prevent disabling security services). The exam tests cross-account access using roles (preferred over sharing credentials), resource sharing using AWS Resource Access Manager (RAM), and centralized logging/security services (GuardDuty delegated administrator, Security Hub aggregation across accounts).

AWS Documentation:

• AWS Organizations User Guide
• What Is AWS Organizations?
• AWS Organizations Terminology and Concepts
• Managing Organizational Units (OUs)
• Service Control Policies (SCPs)
• SCP Syntax
• Example Service Control Policies
• How SCPs Work
• AWS Control Tower User Guide
• What Is AWS Control Tower?
• Guardrails in AWS Control Tower
• Cross-Account Access with IAM Roles
• Providing Access to an IAM User in Another AWS Account
• Best Practices for AWS Organizations
• Organizing Your AWS Environment

Skill 4.1.4: Implement remediation based on the results of AWS Trusted Advisor security checks

Why: AWS Trusted Advisor provides automated best practice checks across cost optimization, performance, security, fault tolerance, and service limits. Security checks identify common vulnerabilities: unrestricted security group rules (0.0.0.0/0 on sensitive ports), exposed access keys, S3 buckets with public access, MFA not enabled on root account, and IAM password policy weaknesses. The exam tests your ability to interpret Trusted Advisor findings, prioritize remediation (red alerts first), and implement fixes (restrict security groups, rotate exposed keys, enable MFA, configure password policies). Understanding Trusted Advisor requires Business or Enterprise Support, and the exam tests knowledge of which checks are available in different support tiers and how to automate remediation using CloudWatch Events triggering Lambda functions.

AWS Documentation:

• AWS Trusted Advisor
• AWS Trusted Advisor Check Reference
• AWS Trusted Advisor Best Practice Checks
• Security Checks
• Getting Started with AWS Trusted Advisor
• Accessing AWS Trusted Advisor
• AWS Trusted Advisor Recommendations
• Automating Responses to Trusted Advisor Checks
• Monitoring Trusted Advisor Checks
• AWS Support Plans

Skill 4.1.5: Enforce compliance requirements (for example, AWS Region and service selections)

Why: Compliance requirements often mandate data residency (data must stay in specific regions), approved services only, and encryption requirements. Service Control Policies (SCPs) enforce these requirements at the organization level, preventing non-compliant actions even by administrators. The exam tests your ability to implement region restrictions (deny all actions except in approved regions), service restrictions (deny specific services like Amazon Macie if not approved), and encryption requirements (deny S3 uploads without encryption). Understanding how to use AWS Config rules to detect compliance violations (unencrypted volumes, resources in wrong regions), implement preventive controls with SCPs, and generate compliance reports is critical for regulated industries (healthcare, finance, government).

AWS Documentation:

• Service Control Policies (SCPs)
• Example Service Control Policies
• Restricting AWS Regions
• Require Encryption
• AWS Config Rules
• AWS Config Managed Rules
• Using AWS Config to Monitor Compliance
• AWS Artifact
• Downloading Reports in AWS Artifact
• AWS Compliance Programs
• AWS Audit Manager
• Continuous Compliance with AWS Audit Manager
• AWS Security Hub Compliance Standards
• Compliance Validation for AWS Services

---

Task 4.2: Implement strategies to protect data and infrastructure

Skills & Corresponding Documentation

Skill 4.2.1: Implement and enforce a data classification scheme

Why: Data classification (public, internal, confidential, restricted) determines appropriate protection controls and is foundational to compliance. The exam tests your ability to implement classification using resource tags, enforce classification with IAM policies that require specific tags, and use services like Amazon Macie to automatically discover and classify sensitive data (Personally Identifiable Information (PII), financial data, credentials). Understanding how to use tagging policies in AWS Organizations to mandate consistent tagging, implement tag-based access control with IAM condition keys (StringEquals on tags), and automate classification detection helps organizations protect sensitive data appropriately while enabling self-service access to less sensitive data.

AWS Documentation:

• Tagging AWS Resources
• Tag Policies
• Controlling Access Using Tags
• Attribute-Based Access Control (ABAC)
• Amazon Macie User Guide
• What Is Amazon Macie?
• Discovering Sensitive Data with Macie
• Macie Findings
• Custom Data Identifiers in Macie
• S3 Object Tagging
• Cost Allocation Tags
• Tag Editor

Skill 4.2.2: Implement, configure, and troubleshoot encryption at rest (for example, AWS Key Management Service [AWS KMS])

Why: Encryption at rest protects data stored on disk and is mandatory for many compliance frameworks. AWS KMS is the central service for encryption key management, and understanding KMS is critical for the exam. You must know customer managed keys (you control, can rotate, can share) versus AWS managed keys (AWS controls, automatic rotation), key policies versus IAM policies for access control, grants for temporary permissions, encryption context for additional security, and cross-account key access. The exam tests encryption implementation for S3 (SSE-KMS, SSE-S3, SSE-C), EBS (encryption by default, encrypted snapshots), RDS (must enable at creation), and troubleshooting scenarios (KMS key not accessible, permission denied encrypting data). Understanding that encryption settings are immutable for most services is critical.

AWS Documentation:

• AWS Key Management Service Developer Guide
• What Is AWS Key Management Service?
• AWS KMS Concepts
• Customer Managed Keys
• AWS Managed Keys
• Key Policies in AWS KMS
• Using Grants
• Rotating AWS KMS Keys
• Allowing Users in Other Accounts to Use a KMS Key
• Encryption Context
• Amazon S3 Encryption
• Using Server-Side Encryption with AWS KMS
• Amazon EBS Encryption
• Encrypting Amazon RDS Resources
• AWS CloudHSM User Guide
• Troubleshooting AWS KMS

Skill 4.2.3: Implement, configure, and troubleshoot encryption in transit (for example, AWS Certificate Manager [ACM])

Why: Encryption in transit protects data as it moves over networks using Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocols. AWS Certificate Manager simplifies SSL/TLS certificate provisioning, management, and renewal for AWS services. The exam tests your knowledge of ACM certificate request process (public certificates validated via DNS or email, private certificates from AWS Private CA), automatic certificate renewal (ACM handles DNS validation automatically), and integration with services (Application Load Balancer, CloudFront, API Gateway, Elastic Beanstalk). Understanding when to use ACM versus third-party certificates (ACM certificates can’t be exported, only used with integrated services), how to troubleshoot certificate validation failures, and how to implement end-to-end encryption (client to load balancer via HTTPS, load balancer to backend via HTTPS) is essential for secure architectures.

AWS Documentation:

• AWS Certificate Manager User Guide
• What Is AWS Certificate Manager?
• Requesting a Public Certificate
• DNS Validation
• Email Validation
• Managed Renewal for ACM Certificates
• Using ACM Certificates with AWS Services
• ACM Certificate Characteristics
• AWS Private Certificate Authority
• Creating HTTPS Listeners for Your Application Load Balancer
• Using HTTPS with CloudFront
• Configuring SSL/TLS Certificates for API Gateway
• Troubleshooting Certificate Validation
• VPN Encryption

Skill 4.2.4: Securely store secrets by using AWS services

Why: Hardcoding credentials in code or configuration files is a security risk, and the exam tests your knowledge of secure secret storage and retrieval. AWS Secrets Manager automatically rotates secrets (database passwords, API keys) and provides fine-grained access control via IAM policies. Systems Manager Parameter Store stores configuration data and secrets with or without encryption, integrates with CloudFormation, and is free for standard parameters. The exam tests when to use Secrets Manager (automatic rotation required, auditing, complex secrets) versus Parameter Store (simple configuration, cost-sensitive, hierarchical parameters). Understanding how to retrieve secrets programmatically, implement automatic rotation for RDS/Redshift/DocumentDB credentials, and use resource-based policies for cross-account secret access is critical for secure application architectures.

AWS Documentation:

• AWS Secrets Manager User Guide
• What Is AWS Secrets Manager?
• Creating and Managing Secrets
• Rotating Your AWS Secrets Manager Secrets
• Rotation Functions for Secrets Manager
• Retrieving Secrets
• AWS Systems Manager Parameter Store
• Creating Systems Manager Parameters
• Parameter Store vs. Secrets Manager
• Using Parameter Hierarchies
• Restricting Access to Systems Manager Parameters
• Referencing AWS Secrets Manager Secrets from Parameter Store

Skill 4.2.5: Configure reports and remediate findings from AWS services (for example, AWS Security Hub, Amazon GuardDuty, AWS Config, Amazon Inspector)

Why: AWS provides multiple security services that detect threats, misconfigurations, and compliance violations, and the exam extensively tests your knowledge of what each service does and how to respond to findings. Security Hub aggregates findings from multiple services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager) and third-party tools into a single dashboard with compliance standards (CIS, PCI DSS). GuardDuty uses machine learning to detect threats (compromised instances, reconnaissance, cryptocurrency mining). Config evaluates resource configurations against rules (encrypted volumes, approved AMIs). Inspector scans EC2 instances and container images for vulnerabilities. The exam tests your ability to interpret findings, prioritize remediation by severity, implement automated remediation using EventBridge and Lambda, and understand the shared responsibility model for each service.

AWS Documentation:

• AWS Security Hub User Guide
• What Is AWS Security Hub?
• Security Hub Findings
• Security Standards in Security Hub
• Integrations with Security Hub
• Amazon GuardDuty User Guide
• What Is Amazon GuardDuty?
• GuardDuty Finding Types
• Remediating GuardDuty Findings
• AWS Config User Guide
• What Is AWS Config?
• Managing AWS Config Rules
• AWS Config Managed Rules
• Remediating Noncompliant Resources
• Amazon Inspector User Guide
• What Is Amazon Inspector?
• Inspector Findings
• Automated Response and Remediation
• Using EventBridge for Automated Remediation

---

AWS Service FAQs

• AWS IAM FAQs
• AWS CloudTrail FAQs
• AWS Organizations FAQs
• AWS Control Tower FAQs
• AWS Trusted Advisor FAQs
• AWS Config FAQs
• Amazon Macie FAQs
• AWS KMS FAQs
• AWS Certificate Manager FAQs
• AWS Secrets Manager FAQs
• AWS Systems Manager FAQs
• AWS Security Hub FAQs
• Amazon GuardDuty FAQs
• Amazon Inspector FAQs
• AWS Artifact FAQs
• AWS CloudHSM FAQs

---

AWS Whitepapers

• Security Pillar - AWS Well-Architected Framework
• AWS Security Best Practices
• Introduction to AWS Security
• AWS Security Incident Response Guide
• Organizing Your AWS Environment Using Multiple Accounts
• AWS Key Management Service Best Practices
• AWS Compliance Programs
• HIPAA Compliance
• PCI DSS Compliance

---

Final Thoughts

Domain 4 represents the security foundation of AWS operations and is heavily weighted in real-world SysOps roles. IAM proficiency is absolutely critical - invest significant time mastering policy evaluation logic, troubleshooting access issues with CloudTrail and policy simulator, and implementing least privilege access. Encryption knowledge across KMS, ACM, and service-specific implementations is essential for protecting data in regulated environments. Multi-account security strategies using Organizations and SCPs are increasingly important as organizations scale. Practice enabling and interpreting findings from Security Hub, GuardDuty, Config, and Inspector, then implement automated remediation workflows. The security skills tested in this domain are foundational to earning trust as a SysOps administrator and directly translate to high-value operational security responsibilities in production AWS environments.