Domain 2 of 4

Security and Compliance

Domain · 30% of the CLF-C02 exam

The Shared Responsibility Model is the frame that decides every other security question

Before choosing any service, place the task on the AWS Shared Responsibility Model: AWS owns "security OF the cloud" (data centers, hardware, hypervisor, managed network) and the customer owns "security IN the cloud" (data, identity, configuration). That dividing line rises as the service becomes more managed (AWS absorbs more of the stack), so the customer's share shrinks across EC2 → RDS → Lambda: EC2 leaves the guest OS, patching, and firewall to the customer, RDS hands engine patching to AWS, and Lambda removes the OS entirely. What never shifts up the stack is data classification, IAM permissions, and client-side encryption: always the customer's. On the exam, the first move for any "who is responsible?" stem is to ask which side of this line the task falls on, then which abstraction tier the named service occupies.

Compliance is inherited from AWS, but proving and checking your own posture stays with you

Running on AWS lets you inherit the certifications AWS already holds for its infrastructure (SOC, ISO 27001, PCI DSS, FedRAMP, and more) instead of auditing data centers yourself, and you pull the audit evidence on demand from AWS Artifact at no additional cost. Inheritance is not blanket: which programs apply depends on geography, industry, and the specific service, so you must check the published "Services in Scope" rather than assume coverage. Artifact hands you AWS's reports. It does not assess whether your own buckets, security groups, or IAM policies are configured compliantly; that is your job, performed with services like AWS Config.

Detection and governance services partition by the question they answer. Match the input, not the keyword 'security'

AWS exposes one service per audit question rather than one tool that does everything, so the exam tests whether you can pick by input. AWS CloudTrail records account activity (who made which API call, when, from where) while AWS Config records resource configuration over time and evaluates it against rules. Among detection services, Amazon GuardDuty analyzes logs for malicious activity, Amazon Inspector scans workloads for software vulnerabilities, Amazon Macie finds sensitive data in S3, and AWS Security Hub aggregates all of their findings; none of these detection services block traffic. They alert, and a separate enforcement layer (AWS WAF, security groups) does the blocking.

Identity is the real perimeter: least privilege, temporary credentials, and a guarded root user

IAM (free and global) authenticates principals and authorizes their API actions, and because every cloud action flows through it, getting identity right matters more than any single network control. The exam-correct posture is least privilege (grant only what a task needs), IAM roles delivering short-lived auto-rotated credentials instead of long-lived access keys, IAM Identity Center for workforce sign-on across many accounts, and secrets kept in Secrets Manager or Parameter Store rather than in code. The account root user sits above IAM with unrestricted access, so it must be protected with MFA, stripped of access keys, and never used for daily work.

Protective services layer by attack surface. Pick the service that operates at the layer under attack

Once identity and detection are in place, the protective services map onto the layer they defend: AWS WAF inspects layer-7 HTTP/HTTPS requests and blocks web exploits such as SQL injection and cross-site scripting, while AWS Shield absorbs network/transport-layer (layer 3/4) DDoS floods, Shield Standard automatically and free for everyone. Encryption is its own pair of layers: KMS-backed encryption at rest protects stored data (S3 even applies SSE-S3 to every new bucket by default), and TLS protects data in transit on the wire. When breadth across many accounts is needed, Firewall Manager enforces WAF and Shield Advanced policies organization-wide, and Trusted Advisor and AWS Marketplace round out best-practice checks and third-party tooling.

Security job → AWS service category (Cloud Practitioner mental map)

Security jobService / categoryWhat it doesWhat it is NOT
Decide who is responsibleShared Responsibility ModelSplits OF-the-cloud (AWS) from IN-the-cloud (customer); line moves with abstractionNot a service you deploy. A model you apply
Prove inherited complianceAWS ArtifactOn-demand download of AWS audit reports and agreements at no costDoes not assess YOUR resource configuration
Audit account activityAWS CloudTrailRecords who made which API call, when, and from whereNot a configuration or vulnerability tool
Audit resource configurationAWS ConfigRecords config over time and evaluates against rulesNot an activity log
Detect malicious activityAmazon GuardDutyAnalyzes CloudTrail / VPC Flow / DNS logs for threats; alertsDoes not block traffic
Find sensitive data / scan for CVEsAmazon Macie / Amazon InspectorMacie finds PII in S3; Inspector scans workloads for vulnerabilitiesNeither blocks or remediates on its own
Govern who can do whatAWS IAM (+ Identity Center)Authn/authz of principals; least privilege; temporary credentials; workforce SSONot a network firewall
Store application secretsSecrets Manager / Parameter StoreEncrypted secret storage, optional rotationNot IAM. Governs values, not API permissions
Block web exploits (L7)AWS WAFFilters HTTP/HTTPS requests; SQLi/XSS managed rules; rate limitingDoes not stop L3/4 volumetric floods
Absorb DDoS floods (L3/4)AWS ShieldStandard is automatic and free; Advanced adds L7 + SRT (paid)Not a web-request content filter
Encrypt dataAWS KMS (at rest) / TLS (in transit)KMS manages keys for stored data; TLS protects data on the wireAt-rest and in-transit are independent controls

Subtopics in this domain