Domain 4: Security and Governance (16% of the exam content) - AWS Certification

This domain accounts for 16% of the exam content.

Task 4.1: Apply authentication mechanisms

Knowledge of:

  • VPC security networking concepts

  • Differences between managed services and unmanaged services

  • Authentication methods (password-based, certificate-based, and role-based)

  • Differences between managed policies and customer managed policies

Skills in:

  • Updating VPC security groups

  • Creating and updating IAM groups, roles, endpoints, and services

  • Creating and rotating credentials for password management (for example, Secrets Manager)

  • Setting up IAM roles for access (for example, Lambda, Amazon API Gateway, CLI, CloudFormation)

  • Applying IAM policies to roles, endpoints, and services (for example, S3 Access Points, PrivateLink)

Task 4.2: Apply authorization mechanisms

Knowledge of:

  • Authorization methods (role-based, policy-based, tag-based, and attribute-based)

  • Principle of least privilege as it applies to security

  • Role-based access control and expected access patterns

  • Methods to protect data from unauthorized access across services

Skills in:

  • Creating custom IAM policies when a managed policy does not meet the needs

  • Storing application and database credentials (for example, Secrets Manager, Systems Manager Parameter Store)

  • Providing database users, groups, and roles access and authority in a database (for example, for Amazon Redshift)

  • Managing permissions through Lake Formation (for Amazon Redshift, Amazon EMR, Athena, and Amazon S3)

Task 4.3: Ensure data encryption and masking

Knowledge of:

  • Data encryption options available in analytics services (for example, Amazon Redshift, Amazon EMR, Glue)

  • Differences between client-side encryption and server-side encryption

  • Protection of sensitive data

  • Data anonymization, masking, and key salting

Skills in:

  • Applying data masking and anonymization according to compliance laws or company policies

  • Using encryption keys to encrypt or decrypt data (for example, Key Management Service [KMS])

  • Configuring encryption across account boundaries

  • Enabling encryption in transit for data

Task 4.4: Prepare logs for audit

Knowledge of:

  • How to log application data

  • How to log access to services

  • Centralized logs

Skills in:

  • Using CloudTrail to track API calls

  • Using CloudWatch Logs to store application logs

  • Using CloudTrail Lake for centralized logging queries

  • Analyzing logs by using services (for example, Athena, CloudWatch Logs Insights, Amazon OpenSearch Service)

  • Integrating various services to perform logging (for example, Amazon EMR in cases of large volumes of log data)

Task 4.5: Understand data privacy and governance

Knowledge of:

  • How to protect personally identifiable information (PII)

  • Data sovereignty

Skills in:

  • Granting permissions for data sharing (for example, data sharing for Amazon Redshift)

  • Implementing PII identification (for example, Macie with Lake Formation)

  • Implementing data privacy strategies to prevent backups or replications of data to disallowed Regions

  • Managing configuration changes that have occurred in an account (for example, Config)