AWS Shared Responsibility Model
Defines how AWS and customers share security responsibilities across the cloud environment.
AWS Responsibilities (Security OF the Cloud)
Physical data centers, hardware, virtualization layer, network infrastructure, and global availability.
Customer Responsibilities (Security IN the Cloud)
Data encryption, IAM management, OS patching, network configuration, and application security.
Shared Controls
Patch management, configuration management, and awareness training are shared between AWS and the customer.
Service-Specific Variations
EC2: Customer manages OS and data. RDS: AWS manages OS and database. Lambda: AWS manages most, customer manages code and data.
Identity and Access Management Services
AWS IAM, IAM Identity Center (SSO), MFA, and cross-account roles.
AWS IAM
Manages users, groups, roles, and policies using the least privilege principle.
AWS IAM Identity Center (SSO)
Centralized single sign-on for multiple AWS accounts.
Multi-Factor Authentication (MFA)
Adds an extra authentication layer to user logins.
Cross-account roles
Enable secure access between accounts without sharing credentials.
Threat Detection and Response Services
Amazon GuardDuty, Inspector, Security Hub, and Detective.
Amazon GuardDuty
Uses machine learning for intelligent threat detection.
Amazon Inspector
Performs automated security assessments on AWS resources.
AWS Security Hub
Centralized dashboard that aggregates findings from multiple AWS security services.
Amazon Detective
Helps investigate and analyze security incidents.
Data Protection Services
AWS KMS, Secrets Manager, Certificate Manager, and CloudHSM.
AWS KMS (Key Management Service)
Manages encryption keys for data at rest and in transit.
AWS Secrets Manager
Securely stores and rotates credentials and secrets automatically.
AWS Certificate Manager
Provisions and manages SSL/TLS certificates for encrypted communication.
AWS CloudHSM
Provides hardware security modules (HSMs) for cryptographic operations.
Network Security Services
Security Groups, Network ACLs, AWS WAF, AWS Shield, and AWS Network Firewall.
Security Groups
Stateful firewalls controlling inbound and outbound traffic for EC2.
Network ACLs
Stateless firewalls that operate at the subnet level.
AWS WAF (Web Application Firewall)
Protects against web exploits and attacks over HTTP/HTTPS.
AWS Shield
Provides DDoS protection (Standard is free, Advanced is paid).
AWS Network Firewall
Managed VPC-level firewall to protect cloud networks.
Compliance and Governance Services
AWS Artifact, SOC reports, PCI DSS, ISO, HIPAA BAA.
AWS Artifact
On-demand access to compliance reports and agreements.
SOC Reports
Service Organization Control audit reports showing internal control effectiveness.
PCI DSS
Ensures compliance for handling payment card data.
ISO Certifications
Show compliance with international security standards.
HIPAA BAA
Business Associate Agreement for handling healthcare data.
Monitoring and Auditing Tools
AWS CloudTrail, AWS Config, Audit Manager, Access Reports.
AWS CloudTrail
Logs API calls and provides an audit trail for governance.
AWS Config
Tracks resource configurations and checks compliance.
AWS Audit Manager
Automates evidence collection for compliance audits.
IAM Access Analyzer
Finds unused or overly broad permissions to improve security posture.
Geographic and Industry Compliance
Includes data residency, industry-specific, and regional laws.
Data Residency
Control where data is stored and processed geographically.
Industry-Specific Compliance
Covers HIPAA, SOX, PCI DSS, and FedRAMP standards.
Regional Compliance
Complies with GDPR (Europe) and data sovereignty requirements.
Security Best Practices – Access Management
Implement least privilege, use IAM roles, enable MFA, rotate keys, and prefer temporary credentials.
Security Best Practices – Data Protection
Encrypt data at rest and in transit, classify data, store secrets in Secrets Manager, enable S3 versioning and MFA delete.
Security Best Practices – Network Security
Use security groups, defense in depth, VPC endpoints, VPC Flow Logs, and regular audits.
Security Best Practices – Monitoring & Incident Response
Enable CloudTrail, use CloudWatch alarms, GuardDuty, and automated incident response with Lambda/SNS.
Security Best Practices – Root User Protection
Enable MFA, use strong passwords, avoid using root daily, store credentials securely, and monitor activity.
Root User Capabilities (Only Root Can Do)
Change account settings, close account, change support plan, register as seller, configure MFA delete, create CloudFront key pairs.
Root User Security Best Practices
Enable MFA, use a unique password, avoid daily use, store credentials safely, and create IAM admins for routine tasks.