AWS Certified Cloud Practitioner - 30% of exam

Security and Compliance

What you will learn

In this domain, you will learn the shared responsibility model that defines the boundary between AWS and customer responsibilities, the basics of identity and access management (IAM), and the key security services AWS provides, such as GuardDuty, WAF, Shield, and KMS. Accounting for 30% of the CLF-C02 exam, it is one of the most important domains.

Key points

  • AWS shared responsibility model - AWS is responsible for "security of the cloud" (the physical, hypervisor, and network foundations), while the customer is responsible for "security in the cloud" (the OS, applications, data, and IAM configuration)
  • Understand the differences between IAM users, groups, roles, and policies
  • The root user is the all-powerful account that exists immediately after creation. Avoid using it day to day and require MFA
  • The principle of least privilege - grant a user or role only the minimum permissions it needs
  • Data encryption with KMS (key management) and the distinction between encryption at rest and encryption in transit
  • Distinguish the roles of GuardDuty (threat detection), Shield (DDoS protection), WAF (web attack protection), and Inspector (vulnerability assessment)
  • You can obtain compliance reports such as SOC, PCI DSS, and ISO from AWS Artifact

Terms and concepts

Shared Responsibility Model

A model that divides security responsibilities between AWS and the customer. AWS protects the physical facilities, host hardware, and virtualization layer, while the customer protects the OS, applications, data, and IAM configuration. Note that the boundary of responsibility differs between EC2 and S3.

IAM (Identity and Access Management)

A service that controls who can access which AWS resources and which operations they are allowed to perform. It is made up of users (people), groups (collections of users), roles (bundles of permissions that can be temporarily assumed), and policies (permission rules written in JSON).

The Root User and Multi-Factor Authentication (MFA)

The root user is the account created when you set up an AWS account, and it holds the most powerful permissions. Except for a small number of operations such as changing billing information, use IAM users for day-to-day work, always configure MFA on the root user, and store its credentials securely.

KMS (Key Management Service)

A service for securely managing encryption keys. It integrates with many services, including S3, EBS, and RDS, and can encrypt data at rest. Using a scheme called envelope encryption, KMS manages the key (the CMK) that encrypts the data key.

Choosing Among GuardDuty, WAF, Shield, and Inspector

GuardDuty detects suspicious behavior within an AWS account, WAF defends against attacks on web applications (such as SQL injection), Shield defends against DDoS attacks, and Inspector assesses vulnerabilities in EC2 instances and containers. Each protects a different target.

Check your understanding

Check what you have learned with 5 questions