Security, Identity, and Compliance Services
The AWS services that protect accounts, data, and workloads.
The CLF-C02 exam rarely asks you to configure security — it asks you to match a stated problem to the one AWS service that solves it. Success here is a vocabulary game: know the single core purpose of each service so that a keyword in the question ("DDoS," "leaked passwords in code," "sensitive data in S3," "SQL injection") snaps instantly to the right answer. The services below cover multi-account governance, encryption, network protection, threat detection, and compliance evidence.
Core Idea
- Each service has one job. The exam tests whether you can map a scenario to that job, not how to build it.
- Encryption keys are managed by AWS KMS; the encrypting is applied to data at rest (stored) and in transit (moving over the network).
- Detection services (GuardDuty, Inspector, Macie) find problems; protection services (Shield, WAF, Secrets Manager) block or contain them.
Governance: Organizations and SCPs
- AWS Organizations lets you centrally manage and consolidate billing across many AWS accounts grouped into organizational units (OUs).
- Service Control Policies (SCPs) set the maximum permissions available to accounts or OUs — they are guardrails, not grants. An SCP can deny a whole account access to a region or service even if IAM allows it.
- Consolidated billing under Organizations also earns volume discounts by combining usage across accounts.
Encryption Key Management: KMS and CloudHSM
- AWS KMS (Key Management Service) creates and controls the encryption keys used across AWS services (S3, EBS, RDS, and more). It is the default, fully managed choice.
- AWS CloudHSM provides a dedicated, single-tenant hardware security module for customers who must manage keys themselves, often for strict regulatory or FIPS 140-2 Level 3 requirements.
- Encryption at rest protects stored data (disks, snapshots, buckets); encryption in transit uses TLS/SSL to protect data as it moves. Both commonly rely on KMS keys.
Network and Application Protection: Shield and WAF
- AWS Shield defends against DDoS (Distributed Denial of Service) attacks. Shield Standard is free and automatic; Shield Advanced is paid and adds enhanced protection plus cost protection.
- AWS WAF (Web Application Firewall) filters HTTP/HTTPS web traffic at the application layer, blocking common exploits like SQL injection and cross-site scripting (XSS) using rules.
- Remember the layer: Shield stops floods of traffic; WAF inspects the content of web requests.
Threat Detection and Data Discovery
- Amazon GuardDuty is an intelligent threat detection service that continuously analyzes logs (CloudTrail, VPC Flow, DNS) to spot malicious or unusual activity.
- Amazon Inspector performs automated vulnerability assessments of EC2 instances, container images, and Lambda functions, checking for software flaws and unintended network exposure.
- Amazon Macie uses machine learning to discover and protect sensitive data (like PII) specifically in Amazon S3.
Secrets, Identity, and Compliance Evidence
- AWS Secrets Manager securely stores and automatically rotates secrets such as database credentials and API keys, so passwords never live in code.
- Amazon Cognito manages identity for your applications' end users — sign-up, sign-in, and access control for web and mobile apps (this is app users, not your internal AWS staff).
- AWS Artifact is a self-service portal to download AWS compliance reports and audit documents (SOC, PCI, ISO) on demand.
High-Yield Exam Patterns
- "Sensitive data / PII in S3" → Macie. "DDoS" → Shield. "SQL injection / web exploits" → WAF.
- "Threat detection / suspicious activity from logs" → GuardDuty, versus "scan for software vulnerabilities / CVEs" → Inspector.
- "Rotate database passwords / stop hardcoding secrets" → Secrets Manager.
- "Restrict what member accounts can do" → Service Control Policies within AWS Organizations.
- "Add login for app users" → Cognito; "download an audit / compliance report" → Artifact.
- "Manage encryption keys" → KMS by default; "dedicated hardware / single-tenant HSM" → CloudHSM.
Common Traps to Avoid
- Confusing Cognito (external app users) with IAM (your AWS account users and roles).
- Confusing Inspector (vulnerability scanning) with GuardDuty (active threat detection).
- Thinking SCPs grant permissions — they only set a permission ceiling; you still need IAM policies to allow actions.
- Choosing WAF for a network flood — WAF filters web request content, while Shield handles DDoS volume.
- Assuming CloudHSM is the default; KMS is the standard managed key service unless dedicated hardware is required.
Flashcards
Card 1 of 14
Question
What does AWS Organizations let you do?
Click or press Space to reveal answer
Answer
Centrally manage multiple AWS accounts and consolidate their billing, grouping accounts into organizational units.
Keyboard: Space/Enter to flip • Arrow keys to navigate
Ready to Test Your Knowledge?
This quiz has 8 questions and each one has 4 options.
Quiz Details
8 Questions
Multiple choice with instant self-check
Final Review
See correct answers and explanations at the end
Build your own lesson in minutes.
Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.