Domain 2: Security (26% of the exam content)
This domain accounts for 26% of the exam content.
Topics
Task 1: Implement authentication and/or authorization for applications and services
Knowledge of:
Identity federation (for example, Security Assertion Markup Language [SAML], OpenID Connect [OIDC], Amazon Cognito)
Bearer tokens (for example, JSON Web Token [JWT], OAuth, Security Token Service [STS])
The comparison of user pools and identity pools in Amazon Cognito
Resource-based policies, service policies, and principal policies
Role-based access control (RBAC)
Application authorization that uses ACLs
The principle of least privilege
Differences between managed policies and customer-managed policies
Identity and access management
Skills in:
Using an identity provider to implement federated access (for example, Amazon Cognito, Identity and Access Management [IAM])
Securing applications by using bearer tokens
Configuring programmatic access to
Making authenticated calls to services
Assuming an IAM role
Defining permissions for principals
Task 2: Implement encryption by using services
Knowledge of:
Encryption at rest and in transit
Certificate management (for example, Private Certificate Authority)
Key protection (for example, key rotation)
Differences between client-side encryption and server-side encryption
Differences between managed and customer-managed Key Management Service (KMS) keys
Skills in:
Using encryption keys to encrypt or decrypt data
Generating certificates and SSH keys for development purposes
Using encryption across account boundaries
Enabling and disabling key rotation
Task 3: Manage sensitive data in application code
Knowledge of:
Data classification (for example, personally identifiable information [PII], protected health information [PHI])
Environment variables
Secrets management (for example, Secrets Manager, Systems Manager Parameter Store)
Secure credential handling
Skills in:
Encrypting environment variables that contain sensitive data
Using secret management services to secure sensitive data
Sanitizing sensitive data