Study guide
Security and Compliance is the second-largest domain on the CLF-C02 exam, worth about 30% of scored content, because AWS wants every cloud practitioner to understand where AWS's responsibility ends and the customer's begins. This chapter walks through the shared responsibility model, the identity tools that control who can do what, and the security and compliance services that monitor and enforce good practice across an account.
The Shared Responsibility Model
The AWS shared responsibility model divides security duties between AWS and the customer. AWS is responsible for security of the cloud, meaning the physical facilities, the hardware, the networking infrastructure, and the software that runs the underlying services. The customer is responsible for security in the cloud, meaning how they configure and use the services AWS provides, including data, identity and access management, operating system patching where applicable, and network traffic protection. Where exactly the line falls shifts depending on the service. For Amazon EC2, an infrastructure-as-a-service offering, AWS secures the physical hosts and hypervisor, but the customer manages the guest operating system, applied patches, firewall configuration through security groups, and any data placed on the instance. For Amazon RDS, a managed database service, AWS takes on more: it manages the underlying operating system and database engine patching, while the customer is still responsible for managing database-level access controls, data encryption choices, and network configuration such as which subnets the database sits in. For AWS Lambda, a serverless compute service, AWS manages the operating system, runtime, and scaling infrastructure entirely, leaving the customer responsible only for their application code, the permissions granted to the function through IAM, and the data the function processes. A useful rule of thumb: the more managed a service is, the more of the stack AWS takes on, but the customer never fully hands off responsibility for data, identity, and access configuration.
Compliance, Governance, and Monitoring Tools
AWS Artifact is a self-service portal that gives customers on-demand access to AWS compliance reports, such as ISO certifications and PCI DSS attestations, along with the ability to review and accept certain AWS agreements online. This matters because customers in regulated industries frequently need to prove to auditors that their cloud provider meets specific standards, and Artifact provides that documentation directly. Encryption protects data in two states: encryption at rest protects data while stored, for example an encrypted Amazon S3 bucket or EBS volume, and encryption in transit protects data while it moves across a network, typically using TLS. Several services give visibility into what is happening inside an account. Amazon CloudWatch collects metrics and logs and can trigger alarms, for example alerting an operations team when CPU utilization on a fleet of instances stays above a threshold for too long. AWS CloudTrail records a history of API calls made within an account, capturing who did what, from where, and when, which is essential for security investigations and compliance audits. AWS Config continuously assesses, audits, and evaluates the configurations of AWS resources against rules a customer defines, flagging drift such as a storage bucket that becomes publicly accessible when it should not be. AWS Audit Manager helps continuously audit AWS usage to simplify how a customer assesses risk and compliance with regulations and industry standards, automating evidence collection that would otherwise be manual. Together these tools answer the exam's common framing: which service tells you who did something (CloudTrail), which tracks a metric over time and can alarm (CloudWatch), and which checks whether a resource's configuration complies with a rule (Config).
IAM Fundamentals: Users, Roles, and Federation
AWS Identity and Access Management (IAM) controls authentication (verifying who someone is) and authorization (determining what they can do) within an AWS account. The root user is created automatically when an account is opened and has unrestricted access to every resource and billing setting; AWS strongly recommends locking the root user's credentials away, enabling multi-factor authentication (MFA) on it immediately, and never using it for daily work. Instead, administrators create individual IAM users or, more commonly today, use IAM roles, temporary identities with their own permissions that a person, application, or AWS service can assume without needing a long-lived password or access key. The principle of least privilege means granting only the minimum permissions required to perform a task, and nothing more, which limits the damage if credentials are ever compromised. Multi-factor authentication adds a second verification step, such as a code from an authenticator app, beyond a password alone, and should be required for any account with meaningful privileges. AWS IAM Identity Center (the successor to AWS Single Sign-On) provides a central place to manage workforce access across multiple AWS accounts and business applications, letting a company like Farview Retail let employees sign in once and reach every AWS account they are authorized for without separate credentials per account. Federated identity extends this further, allowing users to authenticate through an external identity provider, such as a corporate directory or a social identity provider, and receive temporary AWS credentials without ever creating a separate IAM user, which is the pattern used when a mobile app lets customers sign in with an existing account rather than registering a new password.
Security Services for Detection and Protection
Inside a Virtual Private Cloud (VPC), a security group is a stateful, instance-level virtual firewall that only supports allow rules, meaning any traffic you explicitly allow gets its automatic return traffic permitted. A network access control list (NACL) is a stateless, subnet-level firewall that supports both allow and deny rules evaluated in numbered order, useful for blocking a specific range of traffic at the subnet boundary rather than resource by resource. AWS WAF (Web Application Firewall) inspects web requests and blocks ones matching rules a customer defines, such as those containing SQL injection patterns. AWS Shield defends against distributed denial-of-service (DDoS) attacks; Shield Standard is included automatically for all customers at no extra charge, while Shield Advanced is a paid tier that adds detailed attack visibility, cost protection, and access to a specialized response team. Amazon GuardDuty is a threat-detection service that continuously analyzes account activity, network logs, and DNS query patterns using threat intelligence to flag suspicious behavior, such as an EC2 instance suddenly communicating with a known malicious IP address. Amazon Inspector automatically scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure. AWS Security Hub aggregates findings from GuardDuty, Inspector, and other tools into one dashboard and checks resources against security standards. AWS Trusted Advisor reviews an account against best practices across cost, performance, security, fault tolerance, and service limits, flagging things like an S3 bucket with open permissions or an idle load balancer. On the exam, match the symptom to the tool: ongoing threat detection points to GuardDuty, vulnerability scanning points to Inspector, and a consolidated best-practices dashboard points to Trusted Advisor or Security Hub depending on scope.
Key terms
- Shared Responsibility Model
- — The division of security duties where AWS secures the cloud infrastructure and the customer secures what they configure and store within it.
- AWS Artifact
- — A self-service portal providing on-demand access to AWS compliance reports and agreements.
- AWS CloudTrail
- — A service that logs a history of API calls and account activity for auditing and security investigation.
- Amazon CloudWatch
- — A monitoring service that collects metrics and logs and can trigger alarms based on defined thresholds.
- AWS Config
- — A service that continuously evaluates AWS resource configurations against defined rules and flags configuration drift.
- Root user
- — The initial, all-powerful identity created with an AWS account; best practice is to secure it with MFA and avoid routine use.
- Principle of least privilege
- — Granting an identity only the minimum permissions necessary to perform its required tasks.
- IAM Identity Center
- — A service for centrally managing workforce access across multiple AWS accounts and applications with single sign-on.
- Federated identity
- — A method allowing users to authenticate through an external identity provider and receive temporary AWS credentials without a dedicated IAM user.
- Amazon GuardDuty
- — A threat-detection service that analyzes account and network activity for signs of malicious or unauthorized behavior.
- AWS Shield
- — A service protecting against DDoS attacks; Standard is included free, Advanced is a paid tier with additional protections.
- AWS Trusted Advisor
- — A tool that reviews an account against best practices in cost, performance, security, fault tolerance, and service limits.
Exam tips
- Memorize how the shared responsibility line shifts across EC2 (customer manages the OS), RDS (AWS manages the OS and engine), and Lambda (AWS manages nearly everything but code and IAM permissions).
- Separate the monitoring trio clearly: CloudTrail answers 'who did what,' CloudWatch answers 'what is a metric doing and should it alarm,' and Config answers 'is this resource's configuration compliant.'
- Root user tasks should be rare; if an answer choice suggests using the root user for daily operations, it is almost always wrong.
- GuardDuty detects threats using logs and intelligence; Inspector scans for vulnerabilities in resources; keep these two apart in scenario questions.
- Security groups are stateful and instance-level with only allow rules; NACLs are stateless and subnet-level with allow and deny rules — a favorite exam contrast.