AWS Certified Cloud Practitioner · CLF-C02

Security and Compliance

Domain 2 — Comprehensive Study Guide
Task Statements 2.1 · 2.2 · 2.3 · 2.4

30% of Exam Score — Highest Weighted Domain

Domain 2 Overview

Task 2.1 — Shared Responsibility Model

  • AWS responsibilities vs. customer responsibilities
  • How the split shifts by service type
  • "Security OF the cloud" vs. "IN the cloud"

Task 2.2 — Security, Governance & Compliance

  • AWS Artifact & compliance programs
  • Encryption in transit / at rest
  • Monitoring, auditing & reporting services

Task 2.3 — Access Management

  • IAM users, groups, roles & policies
  • Root user protection
  • MFA, IAM Identity Center, federation

Task 2.4 — Security Components & Resources

  • AWS WAF, Shield, GuardDuty, Firewall Manager
  • AWS Marketplace security products
  • Where to find AWS security documentation
2.1Task Statement 2.1

The AWS Shared Responsibility Model

Security OF the Cloud · Security IN the Cloud

2.1

Security OF vs. IN the Cloud

AWS Responsibility — "OF the Cloud"

  • Physical data center security
  • Hardware, networking infrastructure
  • Host operating system & virtualization layer
  • Global infrastructure (Regions, AZs, edge locations)

Customer Responsibility — "IN the Cloud"

  • Guest OS, updates & patches
  • Data encryption & protection
  • IAM configuration — users, groups, policies
  • Network & firewall configuration (security groups, NACLs)
  • Application-level security
Exam trigger: "Who patches the underlying hypervisor?" → AWS. "Who configures security group rules?" → Customer. Any question about data, IAM, or application config → Customer.
2.1

How Responsibility Shifts by Service

Service TypeExampleCustomer ManagesAWS Manages
Infrastructure (IaaS)Amazon EC2Guest OS, patches, apps, data, firewall configPhysical host, hypervisor, network, facilities
Managed ServiceAmazon RDSData, access control, database settingsOS patching, DB engine installation, backups infrastructure
Serverless (Abstracted)AWS LambdaFunction code, IAM permissions, dataOS, runtime, server provisioning & scaling
Exam trigger: the more "managed" or "serverless" a service is, the more AWS takes on — and the less the customer has to patch or provision.
2.2Task Statement 2.2

Security, Governance & Compliance

Compliance Programs · Encryption · Monitoring · Auditing

2.2

Compliance Programs & AWS Artifact

AWS Artifact

Self-service portal for on-demand access to AWS compliance reports (SOC, PCI, ISO) and to review and accept AWS agreements. The primary source of AWS compliance documentation for auditors.

Compliance Varies by Geography & Industry

Different regions and industries carry different regulatory requirements — GDPR in the EU, HIPAA for U.S. healthcare data, FedRAMP for U.S. government workloads. Customers remain responsible for meeting requirements that apply to their own workload.

Shared Compliance Responsibility

AWS provides compliant infrastructure and certifications; the customer is responsible for configuring their own workload to actually meet the compliance requirements that apply to them.

2.2

Encryption Options

TypeProtectsExample
Encryption at RestData stored on disk (in a database, S3 bucket, or EBS volume)Amazon S3 server-side encryption, AWS KMS-managed keys
Encryption in TransitData moving across a network between systemsTLS/SSL for API calls and web traffic
Exam trigger: "Protect data stored in S3" → encryption at rest. "Protect data moving between the client and the server" → encryption in transit.
2.2

Governance: Monitoring, Auditing & Reporting

ServiceCategoryPurpose
Amazon CloudWatchMonitoringCollects metrics and logs; triggers alarms on thresholds
AWS CloudTrailAuditingLogs every API call made in an account — "who did what, when"
AWS ConfigAuditingTracks resource configuration changes over time for compliance
AWS Audit ManagerAuditingContinuously collects evidence to simplify compliance audits
Amazon InspectorSecurity AssessmentAutomated vulnerability scanning for EC2 and container workloads
AWS Security HubSecurity AssessmentCentralized view of security findings across AWS accounts and services
Amazon GuardDutyThreat DetectionContinuous, intelligent threat detection using ML and threat intel
2.3Task Statement 2.3

AWS Access Management

IAM · Root User Protection · Least Privilege · MFA

2.3

IAM Building Blocks

User

An identity representing a single person or application, with its own credentials.

Group

A collection of users; policies attached to the group apply to every member.

Role

A set of permissions assumed temporarily — by a user, service, or federated identity — without long-term credentials.

Policy

A JSON document defining permissions. Managed policies are reusable and AWS- or customer-created; inline policies are embedded directly in a single user, group, or role.

Principle of Least Privilege: grant only the permissions required to perform a task — nothing more. This is the guiding rule behind every IAM policy design decision on the exam.
2.3

Root User Protection & Authentication

Protecting the Root User

The root user is created with the AWS account and has unrestricted access. Best practice: enable MFA immediately, avoid daily use, and create an IAM administrator user for routine tasks instead.

Tasks Only the Root User Can Perform

Changing the account's support plan, closing the AWS account, changing the account root user email/password, and a small number of other account-level actions.

Multi-Factor Authentication (MFA)

Requires a second verification factor beyond a password (e.g., a hardware token or authenticator app). Strongly recommended for the root user and privileged IAM users.

IAM Identity Center & Federation

IAM Identity Center (formerly AWS SSO) provides centralized workforce access across multiple AWS accounts and applications. Federated identities let users authenticate with an existing external identity provider instead of creating a separate AWS-only credential.

2.3

Credential & Secrets Management

ToolPurpose
AWS Secrets ManagerStores, rotates, and retrieves secrets like database credentials and API keys
AWS Systems Manager Parameter StoreStores configuration data and secrets as hierarchical key-value pairs
IAM Password PolicyEnforces password complexity, rotation, and reuse rules for IAM users
Access KeysLong-term credentials (access key ID + secret key) for programmatic API/CLI access — should be rotated regularly and never hard-coded
Exam trigger: "Automatically rotate a database password" → Secrets Manager. "Store a simple config value or parameter" → Systems Manager Parameter Store.
2.4Task Statement 2.4

Security Components & Resources

Protective Services · AWS Marketplace · Where to Find Security Guidance

2.4

AWS Protective Security Services

AWS WAF

Web application firewall that filters malicious HTTP/HTTPS traffic (e.g., SQL injection, cross-site scripting) before it reaches an application.

AWS Shield

Protects against DDoS attacks. Standard tier is automatic and free; Shield Advanced adds enhanced detection and response for a fee.

AWS Firewall Manager

Centrally configures and manages WAF rules, Shield protections, and security groups across multiple accounts in an organization.

Amazon GuardDuty

Continuous, ML-driven threat detection that monitors for malicious or unauthorized account and network activity.

Exam trigger: "Block SQL injection at the application layer" → WAF. "Protect against a DDoS attack" → Shield. "Manage firewall rules across many accounts centrally" → Firewall Manager.
2.4

Finding Security Resources & Support

ResourceWhat It Provides
AWS Trusted AdvisorAutomated checks across cost, performance, security, and fault tolerance, with actionable recommendations
AWS Knowledge CenterOfficial Q&A-style articles answering common AWS support questions
AWS Security Bulletins / Security BlogAnnouncements on vulnerabilities, patches, and evolving security best practices
AWS MarketplaceCurated third-party software, including security tools, that deploy directly into a customer's AWS environment
Exam trigger: "Get automated recommendations to improve our security posture" → Trusted Advisor. "Find a third-party firewall or antivirus product for AWS" → AWS Marketplace.

Quick Review — Domain 2 Checklist

Can you answer these?

Task 2.1 — Shared Responsibility

  • Explain "security of" vs. "security in" the cloud
  • Say how the split shifts across EC2, RDS, and Lambda

Task 2.2 — Security & Compliance

  • Know AWS Artifact is where compliance reports live
  • Distinguish encryption at rest vs. in transit
  • Match CloudWatch, CloudTrail, Config & GuardDuty to their jobs

Task 2.3 — Access Management

  • Define users, groups, roles & policies
  • List root-user-only tasks
  • Secrets Manager vs. Parameter Store

Task 2.4 — Security Components

  • WAF vs. Shield vs. Firewall Manager
  • Know Trusted Advisor gives automated recommendations
  • Know AWS Marketplace hosts third-party security tools

Quick Reference — Concept Map

Shared Responsibility

  • AWS → of the cloud
  • Customer → in the cloud
  • Shifts with service type

Compliance & Monitoring

  • Artifact → compliance reports
  • CloudTrail → who did what
  • CloudWatch → performance/alarms
  • Config → what changed

Access Management

  • Users/Groups/Roles/Policies
  • Least privilege always
  • Root user → MFA + minimal use
  • Secrets Manager → auto-rotation

Security Components

  • WAF → app layer filtering
  • Shield → DDoS protection
  • GuardDuty → threat detection
  • Trusted Advisor → recommendations
Domain 2 Complete

You're Ready for Domain 2

30% of CLF-C02 · Security and Compliance
The highest-weighted domain — review it twice.