Domain 4: Network Security, Compliance, and Governance (24% of the exam content) - AWS Certification

This domain accounts for 24% of the exam content.

Task 4.1: Implement and maintain network features to meet security and compliance needs and requirements

Knowledge of:

  • Different threat models based on application architecture

  • Common security threats

  • Mechanisms to secure different application flows

  • AWS network architecture that meets security and compliance requirements

Skills in:

  • Securing inbound traffic flows into AWS (for example, WAF, Shield, Network Firewall)

  • Securing outbound traffic flows from AWS (for example, Network Firewall, proxies, Gateway Load Balancers)

  • Securing inter-VPC traffic within an account or across multiple accounts (for example, security groups, network ACLs, VPC endpoint policies)

  • Implementing an AWS network architecture to meet security and compliance requirements (for example, untrusted network, perimeter VPC, three-tier architecture)

  • Developing a threat model and identifying appropriate mitigation strategies for a given network architecture

  • Testing compliance with the initial requirements (for example, failover test, resiliency)

  • Automating security incident reporting and alerting using

Task 4.2: Validate and audit security by using network monitoring and logging services

Knowledge of:

  • Network monitoring and logging services that are available in AWS (for example, CloudWatch, CloudTrail, VPC Traffic Mirroring, VPC Flow Logs, Transit Gateway Network Manager)

  • Alert mechanisms (for example, CloudWatch alarms)

  • Log creation in different services (for example, VPC flow logs, load balancer access logs, CloudFront access logs)

  • Log delivery mechanisms (for example, Amazon Kinesis, Route 53, CloudWatch)

  • Mechanisms to audit network security configurations (for example, security groups, Firewall Manager, Trusted Advisor)

Skills in:

  • Creating and analyzing a VPC flow log (including base and extended fields of flow logs)

  • Creating and analyzing network traffic mirroring (for example, using VPC Traffic Mirroring)

  • Implementing automated alarms by using CloudWatch

  • Implementing customized metrics by using CloudWatch

  • Correlating and analyzing information across single or multiple log sources

  • Implementing log delivery solutions

  • Implementing a network audit strategy across single or multiple network services and accounts (for example, Firewall Manager, security groups, network ACLs)

Task 4.3: Implement and maintain confidentiality of data and communications of the network

Knowledge of:

  • Network encryption options that are available on AWS

  • VPN connectivity over Direct Connect

  • Encryption methods for data in transit (for example, IPsec)

  • Network encryption under the shared responsibility model

  • Security methods for DNS communications (for example, DNSSEC)

Skills in:

  • Implementing network encryption methods to meet application compliance requirements (for example, IPsec, TLS)

  • Implementing encryption solutions to secure data in transit (for example, CloudFront, Application Load Balancers and Network Load Balancers, VPN over Direct Connect, managed databases, Amazon S3, custom solutions on Amazon EC2, Transit Gateway)

  • Implementing a certificate management solution by using a certificate authority (for example, ACM, Private Certificate Authority [ACM PCA])

  • Implementing secure DNS communications