Self-service portal for on-demand access to AWS compliance reports (SOC, PCI, ISO) and to review and accept AWS agreements. The primary source of AWS compliance documentation for auditors.
Compliance Varies by Geography & Industry
Different regions and industries carry different regulatory requirements — GDPR in the EU, HIPAA for U.S. healthcare data, FedRAMP for U.S. government workloads. Customers remain responsible for meeting requirements that apply to their own workload.
Shared Compliance Responsibility
AWS provides compliant infrastructure and certifications; the customer is responsible for configuring their own workload to actually meet the compliance requirements that apply to them.
2.2
Encryption Options
Type
Protects
Example
Encryption at Rest
Data stored on disk (in a database, S3 bucket, or EBS volume)
Exam trigger: "Protect data stored in S3" → encryption at rest. "Protect data moving between the client and the server" → encryption in transit.
2.2
Governance: Monitoring, Auditing & Reporting
Service
Category
Purpose
Amazon CloudWatch
Monitoring
Collects metrics and logs; triggers alarms on thresholds
AWS CloudTrail
Auditing
Logs every API call made in an account — "who did what, when"
AWS Config
Auditing
Tracks resource configuration changes over time for compliance
AWS Audit Manager
Auditing
Continuously collects evidence to simplify compliance audits
Amazon Inspector
Security Assessment
Automated vulnerability scanning for EC2 and container workloads
AWS Security Hub
Security Assessment
Centralized view of security findings across AWS accounts and services
Amazon GuardDuty
Threat Detection
Continuous, intelligent threat detection using ML and threat intel
2.3Task Statement 2.3
AWS Access Management
IAM · Root User Protection · Least Privilege · MFA
2.3
IAM Building Blocks
User
An identity representing a single person or application, with its own credentials.
Group
A collection of users; policies attached to the group apply to every member.
Role
A set of permissions assumed temporarily — by a user, service, or federated identity — without long-term credentials.
Policy
A JSON document defining permissions. Managed policies are reusable and AWS- or customer-created; inline policies are embedded directly in a single user, group, or role.
Principle of Least Privilege: grant only the permissions required to perform a task — nothing more. This is the guiding rule behind every IAM policy design decision on the exam.
2.3
Root User Protection & Authentication
Protecting the Root User
The root user is created with the AWS account and has unrestricted access. Best practice: enable MFA immediately, avoid daily use, and create an IAM administrator user for routine tasks instead.
Tasks Only the Root User Can Perform
Changing the account's support plan, closing the AWS account, changing the account root user email/password, and a small number of other account-level actions.
Multi-Factor Authentication (MFA)
Requires a second verification factor beyond a password (e.g., a hardware token or authenticator app). Strongly recommended for the root user and privileged IAM users.
IAM Identity Center & Federation
IAM Identity Center (formerly AWS SSO) provides centralized workforce access across multiple AWS accounts and applications. Federated identities let users authenticate with an existing external identity provider instead of creating a separate AWS-only credential.
2.3
Credential & Secrets Management
Tool
Purpose
AWS Secrets Manager
Stores, rotates, and retrieves secrets like database credentials and API keys
AWS Systems Manager Parameter Store
Stores configuration data and secrets as hierarchical key-value pairs
IAM Password Policy
Enforces password complexity, rotation, and reuse rules for IAM users
Access Keys
Long-term credentials (access key ID + secret key) for programmatic API/CLI access — should be rotated regularly and never hard-coded
Exam trigger: "Automatically rotate a database password" → Secrets Manager. "Store a simple config value or parameter" → Systems Manager Parameter Store.
2.4Task Statement 2.4
Security Components & Resources
Protective Services · AWS Marketplace · Where to Find Security Guidance
2.4
AWS Protective Security Services
AWS WAF
Web application firewall that filters malicious HTTP/HTTPS traffic (e.g., SQL injection, cross-site scripting) before it reaches an application.
AWS Shield
Protects against DDoS attacks. Standard tier is automatic and free; Shield Advanced adds enhanced detection and response for a fee.
AWS Firewall Manager
Centrally configures and manages WAF rules, Shield protections, and security groups across multiple accounts in an organization.
Amazon GuardDuty
Continuous, ML-driven threat detection that monitors for malicious or unauthorized account and network activity.
Exam trigger: "Block SQL injection at the application layer" → WAF. "Protect against a DDoS attack" → Shield. "Manage firewall rules across many accounts centrally" → Firewall Manager.
2.4
Finding Security Resources & Support
Resource
What It Provides
AWS Trusted Advisor
Automated checks across cost, performance, security, and fault tolerance, with actionable recommendations
AWS Knowledge Center
Official Q&A-style articles answering common AWS support questions
AWS Security Bulletins / Security Blog
Announcements on vulnerabilities, patches, and evolving security best practices
AWS Marketplace
Curated third-party software, including security tools, that deploy directly into a customer's AWS environment
Exam trigger: "Get automated recommendations to improve our security posture" → Trusted Advisor. "Find a third-party firewall or antivirus product for AWS" → AWS Marketplace.
Quick Review — Domain 2 Checklist
Can you answer these?
Task 2.1 — Shared Responsibility
Explain "security of" vs. "security in" the cloud
Say how the split shifts across EC2, RDS, and Lambda
Task 2.2 — Security & Compliance
Know AWS Artifact is where compliance reports live
Distinguish encryption at rest vs. in transit
Match CloudWatch, CloudTrail, Config & GuardDuty to their jobs