The AWS Certified Cloud Practitioner (CLF-C02) exam validates a candidate’s foundational understanding of the AWS Cloud, services, and terminology. Among its various domains, Domain 2: Security and Compliance is critical, accounting for 30% of the scored content. This domain ensures that candidates grasp the core concepts of security and compliance within the AWS environment, a fundamental aspect for any AWS practitioner.

Overview of Domain 2: Security and Compliance

Domain 2 covers the following key areas:

1. AWS Shared Responsibility Model
2. AWS Cloud Security, Governance, and Compliance Concepts
3. AWS Access Management Capabilities
4. Security Components and Resources

Each of these areas is essential for ensuring the security and compliance of workloads and data on the AWS platform.

Task Statement 2.1: Understand the AWS Shared Responsibility Model

Knowledge and Skills Required:

• AWS Shared Responsibility Model:
  • Recognizing the components of the model.
  • Understanding the division of responsibilities between AWS and the customer.
• Customer Responsibilities on AWS:
  • Managing data, securing applications, and controlling user access.
  • Configuring identity and access management (IAM) policies.
  • Implementing data encryption and backup solutions.
• AWS Responsibilities:
  • Ensuring the security of the cloud infrastructure, including hardware, software, networking, and facilities.
  • Providing tools and services to enhance security, such as AWS Shield, AWS WAF, and AWS Key Management Service (KMS).

Key Points:

• Shared Responsibility:
  • Customer: Responsible for securing data, managing user permissions, and configuring security settings.
  • AWS: Responsible for securing the infrastructure and providing secure services.
• Service Dependency:
  • Responsibilities can shift depending on the service used. For instance, managing the underlying infrastructure is AWS’s responsibility in Amazon RDS, while securing the database’s data is the customer’s responsibility.

Task Statement 2.2: Understand AWS Cloud Security, Governance, and Compliance Concepts

Knowledge and Skills Required:

• AWS Compliance and Governance Concepts:
  • Understanding AWS compliance programs and certifications (e.g., GDPR, HIPAA).
  • Familiarity with AWS compliance tools like AWS Artifact.
• Cloud Security Benefits:
  • Implementing encryption for data at rest and in transit.
  • Using monitoring and logging services to enhance security visibility (e.g., Amazon CloudWatch, AWS CloudTrail).
• Security Resources:
  • Identifying and locating security logs.
  • Utilizing AWS services like Amazon Inspector, AWS Security Hub, and Amazon GuardDuty for resource security.

Key Points:

• Compliance Information:
  • Available through AWS Artifact, which provides access to AWS compliance reports and agreements.
• Security Tools:
  • Amazon Inspector: Automates security assessments to improve the security and compliance of applications.
  • AWS Security Hub: Provides a comprehensive view of security alerts and compliance status.
  • Amazon GuardDuty: Offers threat detection and continuous monitoring for malicious activities.
• Encryption Options:
  • Encryption in Transit: Protects data as it moves between services.
  • Encryption at Rest: Secures data stored on AWS services using AWS KMS or customer-managed keys.

Task Statement 2.3: Identify AWS Access Management Capabilities

Knowledge and Skills Required:

• Identity and Access Management (IAM):
  • Creating and managing IAM users, groups, and roles.
  • Applying the principle of least privilege to restrict permissions.
• Protecting the Root User Account:
  • Implementing multi-factor authentication (MFA) and minimizing the use of root credentials.
• Access Management Tools:
  • Using AWS IAM Identity Center (AWS Single Sign-On) for centralized access management.
  • Managing secrets and credentials with AWS Secrets Manager and AWS Systems Manager.

Key Points:

• Authentication Methods:
  • MFA: Enhances security by requiring additional authentication factors.
  • Cross-Account IAM Roles: Allow secure and controlled access between AWS accounts.
• Access Keys and Password Policies:
  • Enforcing strong password policies and securely storing access keys using AWS Secrets Manager.

Task Statement 2.4: Identify Components and Resources for Security

Knowledge and Skills Required:

• AWS Security Features and Services:
  • Utilizing security groups and network ACLs to control inbound and outbound traffic.
  • Implementing AWS WAF to protect web applications from common web exploits.
• Security Documentation and Resources:
  • Accessing AWS security information through the AWS Knowledge Center, AWS Security Center, and AWS Security Blog.

Key Points:

• Third-Party Security Products:
  • Available through AWS Marketplace, providing additional security solutions.
• AWS Trusted Advisor:
  • Offers real-time guidance to help provision resources following AWS best practices for security.

AWS CLF-C02 Sample Questions for Domain 2: Security and Compliance

1. Which task is a customer’s responsibility, according to the AWS shared responsibility model?
A. Management of the guest operating systems
B. Maintenance of the configuration of infrastructure devices
C. Management of the host operating systems and virtualization
D. Maintenance of the software that powers Availability Zones
A company has refined its workload to use specific AWS services to improve efficiency and reduce cost.
Answer: A
Explanation:
Management of the guest operating systems is a customer’s responsibility, according to the AWS shared responsibility model. The AWS shared responsibility model defines the different security and compliance responsibilities of AWS and the customer. AWS is responsible for the security of the cloud, which includes the physical infrastructure, hardware, software, and facilities that run the AWS Cloud. The customer is responsible for security in the cloud, which includes the configuration and management of the guest operating systems, applications, data, and network traffic protection

2. According to the AWS shared responsibility model, which of the following are AWS responsibilities? (Select TWO.)
A. Network infrastructure and virtualization of infrastructure
B. Security of application data
C. Guest operating systems
D. Physical security of hardware
E. Credentials and policies
Answer: A, D
Explanation:
The correct answers are A and D because network infrastructure and virtualization of infrastructure and physical security of hardware are AWS responsibilities according to the AWS shared responsibility model. The AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the global infrastructure, such as the regions, availability zones, and edge locations; the hardware, software, networking, and facilities that run the AWS services; and the virtualization layer that separates the customer instances and storage. The customer is responsible for the security in the cloud, which includes the customer data, the guest operating systems, the applications, the identity and access management, the firewall configuration, and the encryption. The other options are incorrect because they are not AWS responsibilities according to the AWS shared responsibility model. Security of application data, guest operating systems, and credentials and policies are customer responsibilities according to the AWS shared responsibility model.

3. Which options does AWS make available for customers who want to learn about security in the cloud in an instructor-led setting? (Select TWO.)
A. AWS Trusted Advisor
B. AWS Online Tech Talks
C. AWS Blog
D. AWS Forums
E. AWS Classroom Training
Answer: B, E
Explanation:
The correct answers are B and E because AWS Online Tech Talks and AWS Classroom Training are options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led setting. AWS Online Tech Talks are live, online presentations that cover a broad range of topics at varying technical levels. AWS Online Tech Talks are delivered by AWS experts and feature live Q&A sessions with the audience. AWS Classroom Training are in-person or virtual courses that are led by accredited AWS instructors. AWS Classroom Training offer hands-on labs, exercises, and best practices to help customers gain confidence and skills on AWS. The other options are incorrect because they are not options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led setting. AWS Trusted Advisor is an AWS service that provides real-time guidance to help customers follow AWS best practices for security, performance, cost optimization, and fault tolerance. AWS Blog is an AWS resource that provides news, announcements, and insights from AWS experts and customers. AWS Forums are AWS resources that enable customers to interact with other AWS users and get feedback and support.

4. A company is configuring its AWS Cloud environment. The company’s administrators need to group users together and apply permissions to the group.
Which AWS service or feature can the company use to meet these requirements?
A. AWS Organizations
B. Resource groups
C. Resource tagging
D. AWS Identity and Access Management (IAM)
Answer: D
Explanation:
The AWS service or feature that the company can use to group users together and apply permissions to the group is AWS Identity and Access Management (IAM). AWS IAM is a service that enables users to create and manage users, groups, roles, and permissions for AWS services and resources. Users can use IAM groups to organize multiple users that have similar access requirements, and attach policies to the groups that define the permissions for the users in the group. This simplifies the management and administration of user access

5. A company is developing an application that uses multiple AWS services. The application needs to use temporary, limited-privilege credentials for authentication with other AWS APIs.
Which AWS service or feature should the company use to meet these authentication requirements?
A. Amazon API Gateway
B. IAM users
C. AWS Security Token Service (AWS STS)
D. IAM instance profiles
Answer: C
Explanation:
AWS Security Token Service (AWS STS) is a service that enables applications to request temporary, limited-privilege credentials for authentication with other AWS APIs. AWS STS can be used to grant access to AWS resources to users who are federated (using IAM roles), switched (using IAM users), or cross-account (using IAM roles). AWS STS can also be used to assume a role within the same account or a different account. The credentials issued by AWS STS are short-term and have a limited scope, which can enhance the security and compliance of the application.

6. A company has a compliance requirement to record and evaluate configuration changes, as well as perform remediation actions on AWS resources.
Which AWS service should the company use?
A. AWS Config
B. AWS Secrets Manager
C. AWS CloudTrail
D. AWS Trusted Advisor
Answer: A
Explanation:
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This can help you simplify compliance auditing, security analysis, change management, and operational troubleshooting1.

Conclusion

Understanding Domain 2: Security and Compliance is crucial for passing the AWS Certified Cloud Practitioner (CLF-C02) exam. This domain not only tests knowledge of security practices and compliance requirements but also emphasizes the practical skills needed to implement these practices effectively. Mastery of this domain ensures that candidates can confidently secure and manage their AWS environments, meeting both organizational and regulatory standards.