AWS Cloud Practitionersecurity-identity-and-compliance-services

Security, Identity, and Compliance Services

The AWS services that protect accounts, data, and workloads.

The CLF-C02 exam rarely asks you to configure security — it asks you to match a stated problem to the one AWS service that solves it. Success here is a vocabulary game: know the single core purpose of each service so that a keyword in the question ("DDoS," "leaked passwords in code," "sensitive data in S3," "SQL injection") snaps instantly to the right answer. The services below cover multi-account governance, encryption, network protection, threat detection, and compliance evidence.

Core Idea

  • Each service has one job. The exam tests whether you can map a scenario to that job, not how to build it.
  • Encryption keys are managed by AWS KMS; the encrypting is applied to data at rest (stored) and in transit (moving over the network).
  • Detection services (GuardDuty, Inspector, Macie) find problems; protection services (Shield, WAF, Secrets Manager) block or contain them.

Governance: Organizations and SCPs

  • AWS Organizations lets you centrally manage and consolidate billing across many AWS accounts grouped into organizational units (OUs).
  • Service Control Policies (SCPs) set the maximum permissions available to accounts or OUs — they are guardrails, not grants. An SCP can deny a whole account access to a region or service even if IAM allows it.
  • Consolidated billing under Organizations also earns volume discounts by combining usage across accounts.

Encryption Key Management: KMS and CloudHSM

  • AWS KMS (Key Management Service) creates and controls the encryption keys used across AWS services (S3, EBS, RDS, and more). It is the default, fully managed choice.
  • AWS CloudHSM provides a dedicated, single-tenant hardware security module for customers who must manage keys themselves, often for strict regulatory or FIPS 140-2 Level 3 requirements.
  • Encryption at rest protects stored data (disks, snapshots, buckets); encryption in transit uses TLS/SSL to protect data as it moves. Both commonly rely on KMS keys.

Network and Application Protection: Shield and WAF

  • AWS Shield defends against DDoS (Distributed Denial of Service) attacks. Shield Standard is free and automatic; Shield Advanced is paid and adds enhanced protection plus cost protection.
  • AWS WAF (Web Application Firewall) filters HTTP/HTTPS web traffic at the application layer, blocking common exploits like SQL injection and cross-site scripting (XSS) using rules.
  • Remember the layer: Shield stops floods of traffic; WAF inspects the content of web requests.

Threat Detection and Data Discovery

  • Amazon GuardDuty is an intelligent threat detection service that continuously analyzes logs (CloudTrail, VPC Flow, DNS) to spot malicious or unusual activity.
  • Amazon Inspector performs automated vulnerability assessments of EC2 instances, container images, and Lambda functions, checking for software flaws and unintended network exposure.
  • Amazon Macie uses machine learning to discover and protect sensitive data (like PII) specifically in Amazon S3.

Secrets, Identity, and Compliance Evidence

  • AWS Secrets Manager securely stores and automatically rotates secrets such as database credentials and API keys, so passwords never live in code.
  • Amazon Cognito manages identity for your applications' end users — sign-up, sign-in, and access control for web and mobile apps (this is app users, not your internal AWS staff).
  • AWS Artifact is a self-service portal to download AWS compliance reports and audit documents (SOC, PCI, ISO) on demand.

High-Yield Exam Patterns

  • "Sensitive data / PII in S3" → Macie. "DDoS" → Shield. "SQL injection / web exploits" → WAF.
  • "Threat detection / suspicious activity from logs" → GuardDuty, versus "scan for software vulnerabilities / CVEs" → Inspector.
  • "Rotate database passwords / stop hardcoding secrets" → Secrets Manager.
  • "Restrict what member accounts can do" → Service Control Policies within AWS Organizations.
  • "Add login for app users" → Cognito; "download an audit / compliance report" → Artifact.
  • "Manage encryption keys" → KMS by default; "dedicated hardware / single-tenant HSM" → CloudHSM.

Common Traps to Avoid

  • Confusing Cognito (external app users) with IAM (your AWS account users and roles).
  • Confusing Inspector (vulnerability scanning) with GuardDuty (active threat detection).
  • Thinking SCPs grant permissions — they only set a permission ceiling; you still need IAM policies to allow actions.
  • Choosing WAF for a network flood — WAF filters web request content, while Shield handles DDoS volume.
  • Assuming CloudHSM is the default; KMS is the standard managed key service unless dedicated hardware is required.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.