Domain 5: Data Protection (18% of the exam content)
Topics
Task 5.1: Design and implement controls that provide confidentiality and integrity for data in transit
Knowledge of:
TLS concepts
VPN concepts (for example, IPsec)
Secure remote access methods (for example, SSH, RDP over Systems Manager Session Manager)
Systems Manager Session Manager concepts
How TLS certificates work with various network services and resources (for example, CloudFront, load balancers)
Skills in:
Designing secure connectivity between AWS and on-premises networks (for example, by using Direct Connect and VPN gateways)
Designing mechanisms to require encryption when connecting to resources (for example, Amazon RDS, Amazon Redshift, CloudFront, Amazon S3, Amazon DynamoDB, load balancers, Amazon Elastic File System [Amazon EFS], Amazon API Gateway)
Requiring TLS for API calls (for example, with Amazon S3)
Designing mechanisms to forward traffic over secure connections (for example, by using Systems Manager and EC2 Instance Connect)
Designing cross-Region networking by using private VIFs and public VIFs
Task 5.2: Design and implement controls that provide confidentiality and integrity for data at rest
Knowledge of:
Encryption technique selection (for example, client-side, server-side, symmetric, asymmetric)
Integrity-checking techniques (for example, hashing algorithms, digital signatures)
Resource policies (for example, for DynamoDB, Amazon S3, and Key Management Service [KMS])
IAM roles and policies
Skills in:
Designing resource policies to restrict access to authorized users (for example, S3 bucket policies, DynamoDB policies)
Designing mechanisms to prevent unauthorized public access (for example, S3 Block Public Access, prevention of public snapshots and public AMIs)
Configuring services to activate encryption of data at rest (for example, Amazon S3, Amazon RDS, DynamoDB, Amazon Simple Queue Service [Amazon SQS], Amazon EBS, Amazon EFS)
Designing mechanisms to protect data integrity by preventing modifications (for example, by using S3 Object Lock, KMS key policies, S3 Glacier Vault Lock, and Backup Vault Lock)
Designing encryption at rest by using CloudHSM for relational databases (for example, Amazon RDS, RDS Custom, databases on EC2 instances)
Choosing encryption techniques based on business requirements
Task 5.3: Design and implement controls to manage the lifecycle of data at rest
Knowledge of:
Lifecycle policies
Data retention standards
Skills in:
Designing S3 Lifecycle mechanisms to retain data for required retention periods (for example, S3 Object Lock, S3 Glacier Vault Lock, S3 Lifecycle policy)
Designing automatic lifecycle management for services and resources (for example, Amazon S3, EBS volume snapshots, RDS volume snapshots, AMIs, container images, CloudWatch log groups, Amazon Data Lifecycle Manager)
Establishing schedules and retention for AWS Backup across services
Task 5.4: Design and implement controls to protect credentials, secrets, and cryptographic key materials
Knowledge of:
Secrets Manager
Systems Manager Parameter Store
Usage and management of symmetric keys and asymmetric keys (for example, KMS)
Skills in:
Designing management and rotation of secrets for workloads (for example, database access credentials, API keys, IAM access keys, KMS customer managed keys)
Designing KMS key policies to limit key usage to authorized users
Establishing mechanisms to import and remove customer-provided key material
Implementing secure storage and retrieval of secrets
Implementing automatic rotation of secrets