AWS Certified Cloud Practitioner · CLF-C02

Domain 2
Security & Compliance

Shared Responsibility · Governance · IAM · Security Services
Task Statements 2.1 · 2.2 · 2.3 · 2.4
30% of Exam Score · ~15 of the 50 scored questions

Domain 2 Overview

What You Need to Know

Task 2.1

Shared Responsibility Model

  • AWS vs customer responsibilities
  • How responsibility shifts by service
  • EC2 vs RDS vs Lambda
Task 2.2

Governance & Compliance

  • AWS Artifact
  • Encryption options
  • Logging & audit tools
  • Compliance frameworks
Task 2.3

Access Management

  • IAM users, groups, roles, policies
  • Root user protection
  • MFA, SSO, federation
  • Least privilege
Task 2.4

Security Resources

  • Network security (VPC, SGs, NACLs, WAF)
  • AWS Shield & GuardDuty
  • Inspector & Security Hub
  • Trusted Advisor
📋 Exam Weight: Domain 2 is 30% of the score, second only to Cloud Technology & Services (34%). The Shared Responsibility Model alone can account for 3 to 4 questions. Know which layer AWS owns and which layer you own, and how that boundary moves for EC2, RDS, and Lambda.
2.1
Task Statement

Shared Responsibility
Model

AWS Responsibilities · Customer Responsibilities · Shifts by Service Type

Task 2.1 — Shared Responsibility

Who Owns What

AWS Owns
  • Physical data centers
  • Hardware (servers, networking, storage)
  • Global infrastructure (Regions, AZs, Edge locations)
  • Hypervisor / virtualization layer
  • Managed service software (e.g., RDS engine patching)
  • Facility security & power
Customer Owns
  • Data classification & encryption
  • IAM users, roles & policies
  • Network config (VPC, SGs, NACLs)
  • Operating system patches (on EC2)
  • Application code & security
  • Client-side data protection
  • MFA & account security
⚡ Exam Note — How it shifts by service:
EC2 (IaaS): Customer patches the guest OS, manages the runtime and application, and sets firewall rules (security groups, NACLs, any host firewall).
RDS (PaaS): AWS patches the OS and database engine; customer manages the data, schema, encryption settings, and who can access the database.
Lambda (Serverless): AWS manages everything below the code (OS, runtime, scaling); customer owns the function code, its configuration, and the IAM role it runs with.
2.2
Task Statement

Security, Governance
& Compliance

AWS Artifact · Encryption · Logging · Compliance Frameworks

Task 2.2 — Compliance Tools

AWS Governance & Compliance Services

AWS Artifact
Self-service portal to download AWS's own compliance reports (SOC 2, ISO 27001, PCI DSS attestation) and to accept AWS agreements such as the HIPAA Business Associate Addendum (BAA).
AWS Audit Manager
Continuously collects evidence from your own AWS environment (via CloudTrail, Config, Security Hub) and maps it to frameworks such as SOC 2 or PCI DSS, automating audit preparation.
AWS CloudTrail
Records the API calls made in your account (management events by default; data events such as S3 object-level calls are opt-in): who did what, when, and from where. Your primary audit log.
Amazon CloudWatch
Monitors resources and applications: collects metrics, logs, and events, and raises alarms on thresholds (e.g., CPU > 90%).
AWS Config
Tracks resource configuration changes over time and evaluates them against rules (e.g., "no security group may allow SSH from 0.0.0.0/0"). Answers "what changed and when?"
AWS Security Hub
Aggregates security findings from GuardDuty, Inspector, Macie, and Config into a unified compliance dashboard.
⚡ Exam Note: AWS Artifact = download AWS's own compliance reports. AWS Audit Manager = collect evidence about your own environment. CloudTrail = API audit log. Config = configuration change history.
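The "who did what, when, from where" claim above is easiest to see on an actual record. The following is an added example, not AWS code or anything from the original page: it triages a small batch of CloudTrail records for three signals this domain cares about (any root-user activity, console logins without MFA, and calls that tamper with logging or hand out IAM access). The records are constructed for the example but follow the real CloudTrail layout (a `{"Records": [...]}` envelope; each record carries `userIdentity`, `eventName`, `eventTime`, `sourceIPAddress`, and for `ConsoleLogin` an `additionalEventData.MFAUsed` field). The rule names and the `SENSITIVE_EVENTS` list are the example's own choices.

```python
"""Added example: triage CloudTrail records for root activity, console logins
without MFA, and API calls that weaken logging or escalate IAM privileges.
The sample records are constructed for this example; the field layout matches
real CloudTrail log files (a {"Records": [...]} envelope)."""
import json

# Calls that weaken the audit trail or hand out new access. Flag them whoever makes them.
# (Assumed watch list for this example; extend it for your own environment.)
SENSITIVE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",              # CloudTrail tampering
    "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",   # IAM privilege changes
}

# Constructed sample log: a root console login without MFA, a root call that stops
# a trail, then a normal MFA-backed IAM user session that should not be flagged.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T09:20:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})


def triage(records) -> list:
    """Return one finding per (record, rule) match; each answers who/what/when/where."""
    findings = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        base = {"when": rec["eventTime"], "who": identity.get("arn", "<unknown>"),
                "what": rec["eventName"], "from": rec.get("sourceIPAddress")}
        # Rule 1: the root user should not be doing anything day to day.
        if identity.get("type") == "Root":
            findings.append({**base, "rule": "root-user-activity"})
        # Rule 2: a successful console login where MFAUsed is anything but "Yes".
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append({**base, "rule": "console-login-without-mfa"})
        # Rule 3: calls on the watch list, regardless of who made them.
        if rec["eventName"] in SENSITIVE_EVENTS:
            findings.append({**base, "rule": "sensitive-api-call"})
    return findings


def triage_log(raw_json: str) -> list:
    """Entry point for a raw CloudTrail log file body (the {"Records": [...]} envelope)."""
    return triage(json.loads(raw_json)["Records"])


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['when']}  {f['rule']:<26}  {f['who']}  {f['what']}  from {f['from']}")
```

Running it produces four findings, all against the root session, and nothing for alice's MFA-backed login. In practice the input is the gzipped log files CloudTrail delivers to S3 (or CloudWatch Logs), and GuardDuty and Security Hub run far richer versions of these rules for you; the point here is that every question the exam note asks is a field in the record.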

Task 2.2 — Encryption

Encryption in AWS

Encryption at Rest

Data is encrypted when stored on disk. Prevents unauthorized access to physical storage media.

  • S3 server-side encryption (SSE-S3 applied by default to every new object, SSE-KMS, SSE-C)
  • EBS volume encryption via KMS
  • RDS encryption for database files
  • DynamoDB encryption at rest
Encryption in Transit

Data is encrypted while moving between systems. Prevents interception during transmission.

  • TLS/HTTPS for all AWS API calls and console access
  • TLS certificates issued and renewed via AWS Certificate Manager (ACM)
  • VPN tunnels (AWS Site-to-Site VPN, Client VPN) for network connectivity
AWS Key Management Service (KMS)

Managed service to create and control encryption keys. Integrates with S3, EBS, RDS, and most AWS services. Key material never leaves KMS in plaintext: services send data (or data keys) to KMS to be encrypted or decrypted, and every such request is an API call, so CloudTrail records who used which key and when.

AWS Secrets Manager

Stores, rotates, and retrieves secrets (database passwords, API keys) securely. Applications call the API instead of hardcoding credentials.

2.3
Task Statement

AWS Access
Management

IAM · Root User · Least Privilege · MFA · SSO · Federation

Task 2.3 — IAM

IAM Core Concepts

IAM User
A person or application with a long-term identity in AWS. Has a username + password (console) and/or access keys (programmatic). Best practice: one user per person, never shared.
IAM Group
A collection of IAM users. Assign policies to the group; all users inherit them. Simplifies permission management. Cannot be nested (no groups within groups).
IAM Role
An identity that can be assumed by services, applications, or users. Provides temporary credentials. Use for EC2 instances, Lambda, cross-account access — never embed access keys.
IAM Policy
A JSON document defining allowed/denied actions on resources. Attached to users, groups, or roles. AWS provides managed policies; you can write custom ones.
Root User
The account owner; has unrestricted access to everything. Use only for tasks that require root (close the account, change the Support plan, change account contact details). Enable MFA immediately. Never use it for daily tasks.
Access Keys
Access Key ID + Secret Access Key for programmatic (CLI/SDK) access. Rotate them regularly, never commit them to code, and store any an application genuinely needs in AWS Secrets Manager or Systems Manager Parameter Store. Prefer an IAM role, which needs no long-term keys at all.
⚡ Exam Note: Principle of Least Privilege — grant only the minimum permissions required. This is the most important IAM principle on the exam.
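An added example (not the page's own code, and a deliberate simplification of how AWS evaluates policies) to make "allow/deny" and least privilege concrete. It implements the evaluation order IAM actually uses: an explicit Deny in any applicable policy wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. Only Effect, Action, and Resource are modelled; NotAction, NotResource, and Condition are left out. The two policies, the deny guardrail, the bucket names, and the `overly_broad_statements` lint are constructed for the example.

```python
"""Added example: a tiny IAM policy evaluator (explicit Deny > Allow > implicit deny)
plus a least-privilege lint. Simplified: no NotAction/NotResource/Condition.
Policies and ARNs below are constructed for this example."""
import re


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action, and Resource."""
    return value if isinstance(value, list) else [value]


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return "Allow" or "Deny" for one request across all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_wildcard_match(a, action, ignore_case=True)   # action names are case-insensitive
                       for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_wildcard_match(r, resource)                   # ARNs are case-sensitive
                       for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # explicit deny: nothing can override it
            allowed = True
    return "Allow" if allowed else "Deny"   # no matching statement at all is an implicit deny


def overly_broad_statements(policy: dict) -> list:
    """Least-privilege lint: Allow statements that grant '*' or a whole service ('svc:*')
    on every resource. Constructed heuristic for this example, not an AWS check."""
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            flagged.append(stmt)
    return flagged


# Over-permissive: any S3 action on any bucket in the account.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Least privilege for a reporting job that only needs to read one bucket.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-reports", "arn:aws:s3:::app-reports/*"]}]}

# A guardrail that can sit alongside either policy (or in an Organizations SCP).
DENY_BUCKET_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-reports/2024/q1.csv"
    bucket = "arn:aws:s3:::app-reports"
    print("least-privilege read:     ", evaluate([LEAST_PRIVILEGE_POLICY], "s3:GetObject", obj))
    print("least-privilege delete:   ", evaluate([LEAST_PRIVILEGE_POLICY], "s3:DeleteBucket", bucket))
    print("broad delete:             ", evaluate([BROAD_POLICY], "s3:DeleteBucket", bucket))
    print("broad delete + guardrail: ", evaluate([BROAD_POLICY, DENY_BUCKET_DELETE], "s3:DeleteBucket", bucket))
    print("broad statements flagged: ", len(overly_broad_statements(BROAD_POLICY)))
```

The interesting outputs are the last two: the broad policy happily allows `s3:DeleteBucket`, but adding the Deny guardrail flips that to Deny even though the Allow is still attached, which is the "explicit deny always wins" rule the exam tests. The least-privilege policy never needed the guardrail, because anything it does not list is already an implicit deny.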

Task 2.3 — Authentication Methods

MFA, IAM Identity Center & Federation

Multi-Factor Authentication (MFA)

Adds a second verification step beyond the password. Mandatory for the root user (AWS now enforces it); strongly recommended for every user with privileges.

  • Virtual MFA (Google Authenticator, Authy)
  • Hardware MFA token (TOTP device)
  • FIDO security key (YubiKey)
AWS IAM Identity Center (SSO)

Centrally manage access to multiple AWS accounts and business applications with a single sign-on. Replaces creating IAM users in every account.

  • Integrates with corporate identity providers (Active Directory, or any SAML 2.0 IdP such as Okta or Microsoft Entra ID)
  • Users log in once, access all authorized accounts
  • Built-in support for AWS Organizations
Identity Federation

Allow users to authenticate with an external identity provider (corporate AD, Google, Facebook) and assume an IAM role — no separate IAM user needed.

  • SAML 2.0 federation for enterprise IdPs
  • Amazon Cognito for web/mobile app users
  • Cross-account IAM roles for multi-account access
⚡ Exam Note: "A company has 5,000 employees who need AWS access" → IAM Identity Center (not 5,000 IAM users). "A web app needs to let users log in with Google" → Amazon Cognito / federation.
2.4
Task Statement

Security Services
& Resources

Network Security · Threat Detection · Vulnerability Assessment · WAF · Shield

Task 2.4 — Network Security

VPC Network Security Controls

Security Groups

Virtual firewall at the instance level. Controls inbound and outbound traffic for the network interfaces it is attached to (EC2 instances, RDS instances, load balancers, Lambda functions in a VPC). Stateful: return traffic for an allowed connection is automatically allowed.

Default for a new group: allow all outbound, deny all inbound (the VPC's default security group additionally allows inbound traffic from other members of the same group). You add ALLOW rules only; there is no explicit DENY, so anything not allowed is dropped.

Network ACLs (NACLs)

Firewall at the subnet level. Controls traffic entering and leaving subnets. Stateless: inbound AND outbound rules must be defined explicitly, including an outbound allow for the ephemeral port range (1024-65535) so that replies can leave. Rules are evaluated in ascending rule-number order and the first match wins.

Default NACL allows all traffic. Custom NACLs deny all by default.

AWS WAF (Web Application Firewall)

Protects web applications from common exploits (SQL injection, cross-site scripting) using managed and custom rule sets. Operates at Layer 7 (HTTP). Deployed on CloudFront, ALB, API Gateway, and AppSync, among others.

AWS Shield

Standard: Free, always-on DDoS protection for all AWS customers.
Advanced: Paid, enhanced protection with 24/7 DDoS response team and cost protection.

⚡ Exam Note: Security Groups = instance-level, stateful. NACLs = subnet-level, stateless. WAF = web app attacks (SQL injection, XSS). Shield = DDoS protection.
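"Stateful" versus "stateless" is the part of this slide people get wrong in practice, so here is an added example (not the page's own code, and a simulation, not the VPC data plane) that models both filters on one HTTPS connection. The addresses, ports, and rule sets are constructed for the example. It shows that a security group with no outbound rule at all still lets the server's reply out, that a NACL with the same inbound rule drops the reply until an outbound rule for the ephemeral ports is added, and that a lower-numbered NACL deny beats a later allow.

```python
"""Added example: stateful security groups vs stateless network ACLs as a small
packet-filter simulation. Addresses, ports and rules are constructed."""
from dataclasses import dataclass
import ipaddress

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The server's response travels the opposite way, ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; security groups only ever hold "allow"
    proto: str       # "tcp", "udp", or "-1" for all protocols
    ports: tuple     # inclusive (low, high) port range
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    number: int = 0  # NACL rule number (lower evaluates first); unused by security groups


def _matches(rule: Rule, remote_ip: str, port: int, proto: str) -> bool:
    if rule.proto != "-1" and rule.proto != proto:
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def _remote(pkt: Packet, direction: str):
    """Inbound rules key on the packet's source; outbound rules on its destination."""
    return (pkt.src_ip, pkt.dst_port) if direction == "in" else (pkt.dst_ip, pkt.dst_port)


class SecurityGroup:
    """Instance-level, stateful: allow rules only, and the return traffic of an
    accepted flow passes regardless of the rules in the other direction."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()   # 5-tuples of flows already accepted (connection tracking)

    def permits(self, pkt: Packet, direction: str) -> bool:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.tracked:     # reply to an accepted flow: stateful pass
            return True
        ip, port = _remote(pkt, direction)
        if any(_matches(r, ip, port, pkt.proto) for r in self.rules[direction]):
            self.tracked.add(flow)
            return True
        return False                    # no explicit deny exists; absence of allow is the deny


class NetworkAcl:
    """Subnet-level, stateless: rules evaluated in ascending number order, first match
    wins, implicit deny at the end, and no memory of earlier packets."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def permits(self, pkt: Packet, direction: str) -> bool:
        ip, port = _remote(pkt, direction)
        for rule in self.rules[direction]:
            if _matches(rule, ip, port, pkt.proto):
                return rule.action == "allow"
        return False


def demo() -> dict:
    request = Packet("203.0.113.5", 51000, "10.0.1.10", 443)   # client -> web server, HTTPS
    https_in = Rule("allow", "tcp", (443, 443), "0.0.0.0/0", 100)

    sg = SecurityGroup(inbound=[https_in], outbound=[])        # deliberately no outbound rule
    sg_in = sg.permits(request, "in")
    sg_reply = sg.permits(request.reply(), "out")              # passes anyway: stateful

    broken = NetworkAcl(inbound=[https_in],                    # forgot the ephemeral ports
                        outbound=[Rule("allow", "tcp", (443, 443), "0.0.0.0/0", 100)])
    fixed = NetworkAcl(inbound=[https_in],
                       outbound=[Rule("allow", "tcp", (1024, 65535), "0.0.0.0/0", 100)])
    ordered = NetworkAcl(inbound=[Rule("deny", "tcp", ALL_PORTS, "203.0.113.0/24", 90), https_in],
                         outbound=[])
    return {
        "sg_inbound_allowed": sg_in,
        "sg_reply_allowed_with_no_outbound_rule": sg_reply,
        "nacl_inbound_allowed": broken.permits(request, "in"),
        "nacl_reply_blocked_without_ephemeral_rule": not broken.permits(request.reply(), "out"),
        "nacl_reply_allowed_with_ephemeral_rule": fixed.permits(request.reply(), "out"),
        "nacl_lower_numbered_deny_wins": not ordered.permits(request, "in"),
        "nacl_other_source_still_allowed": ordered.permits(
            Packet("198.51.100.2", 40000, "10.0.1.10", 443), "in"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:45} {ok}")
```

Every entry in `demo()` comes back True, each one being a statement from the slide: the security group tracked the inbound flow and waved the reply through with an empty outbound rule set, while the "broken" NACL, which has the identical inbound rule, dropped the same reply because its destination port 51000 matched nothing in the outbound list. That ephemeral-port outbound rule is the thing to remember when a NACL question says "the instance receives requests but clients never get a response".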

Task 2.4 — Security Services

AWS Security Services Quick Map

Amazon GuardDuty
Threat detection service: continuously analyzes CloudTrail events, VPC Flow Logs, and DNS query logs (plus optional sources such as S3 data events and EKS audit logs) for malicious or unauthorized activity, using threat intelligence feeds and machine learning.
Amazon Inspector
Automated vulnerability assessment for EC2 instances, container images in ECR, and Lambda functions. Finds software vulnerabilities (known CVEs) and unintended network exposure.
Amazon Macie
Discovers and protects sensitive data (PII, credentials) stored in Amazon S3 using machine learning and pattern matching.
AWS Security Hub
Aggregates and prioritizes findings from GuardDuty, Inspector, Macie, Firewall Manager, and partner tools into a single dashboard, and runs automated checks against standards such as the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices.
AWS Trusted Advisor
Provides recommendations across six categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits, and Operational Excellence (older material lists only the first five). Security checks flag public S3 buckets, security groups open to 0.0.0.0/0, and a root user without MFA, among others.
Amazon Detective
Analyzes and visualizes security data (CloudTrail, VPC Flow Logs, GuardDuty findings) to investigate potential security incidents and determine their root cause.
AWS Certificate Manager (ACM)
Provisions, manages, and renews SSL/TLS certificates for use with AWS services such as ALB, CloudFront, and API Gateway. Public certificates are free.

Quick Review

Domain 2 Exam Checklist

Tasks 2.1 & 2.2
  • AWS = security "OF" the cloud (physical, hardware, global infra)
  • Customer = security "IN" the cloud (data, IAM, OS patching on EC2)
  • EC2 (IaaS): customer patches OS. RDS (PaaS): AWS patches DB engine. Lambda: AWS manages everything except code.
  • AWS Artifact = download AWS compliance reports
  • CloudTrail = API audit log (who did what)
  • Config = configuration change history
  • CloudWatch = monitoring (metrics, alarms, logs)
  • Encryption at rest (KMS, SSE) vs in transit (TLS/HTTPS)
  • Secrets Manager = store & rotate credentials
Tasks 2.3 & 2.4
  • IAM User = person. Group = collection of users. Role = for services. Policy = permissions document.
  • Root user = emergency only; enable MFA immediately
  • Least privilege = minimum necessary permissions
  • Roles for EC2/Lambda — never embed access keys in code
  • IAM Identity Center = SSO for many AWS accounts + workforce users
  • Security Groups = instance-level, stateful (ALLOW only)
  • NACLs = subnet-level, stateless (ALLOW + DENY)
  • WAF = web app attacks (SQL injection, XSS)
  • Shield = DDoS (Standard free, Advanced paid)
  • GuardDuty = threat detection. Inspector = vulnerability scanning. Macie = PII in S3.
Domain 2 Complete

You're ready for
Domain 2

30% of CLF-C02 · Security & Compliance
Good luck on the exam!
