# Content Domain 2: Security and Compliance
<a name="cloud-practitioner-02-domain2"></a>

Domain 2 covers Security and Compliance and represents 30% of the scored content on the exam.

**Topics**
+ [Task Statement 2.1: Understand the AWS shared responsibility model.](#cloud-practitioner-02-task2.1)
+ [Task Statement 2.2: Understand AWS Cloud security, governance, and compliance concepts.](#cloud-practitioner-02-task2.2)
+ [Task Statement 2.3: Identify AWS access management capabilities.](#cloud-practitioner-02-task2.3)
+ [Task Statement 2.4: Identify components and resources for security.](#cloud-practitioner-02-task2.4)

## Task Statement 2.1: Understand the AWS shared responsibility model.
<a name="cloud-practitioner-02-task2.1"></a>

Knowledge of:
+ AWS shared responsibility model

Skills in:
+ Recognizing the components of the AWS shared responsibility model
+ Describing the customer's responsibilities on AWS
+ Describing AWS responsibilities
+ Describing responsibilities that the customer and AWS share
+ Describing how AWS responsibilities and customer responsibilities can shift, depending on the service used (for example, Amazon RDS, AWS Lambda, Amazon EC2)

## Task Statement 2.2: Understand AWS Cloud security, governance, and compliance concepts.
<a name="cloud-practitioner-02-task2.2"></a>

Knowledge of:
+ AWS compliance and governance concepts
+ Benefits of cloud security (for example, encryption)
+ Where to capture and locate logs that are associated with cloud security

Skills in:
+ Identifying where to find AWS compliance information (for example, AWS Artifact)
+ Understanding compliance needs among geographic locations or industries (for example, AWS compliance)
+ Describing how customers secure resources on AWS (for example, Amazon Inspector, AWS Security Hub, Amazon GuardDuty, AWS Shield)
+ Identifying encryption options (for example, encryption in transit, encryption at rest)
+ Recognizing services that aid in governance and compliance (for example, monitoring with Amazon CloudWatch; auditing with AWS CloudTrail, AWS Audit Manager, and AWS Config; reporting with access reports)
+ Recognizing compliance requirements that vary among AWS services

## Task Statement 2.3: Identify AWS access management capabilities.
<a name="cloud-practitioner-02-task2.3"></a>

Knowledge of:
+ Identity and access management (for example, AWS Identity and Access Management [IAM])
+ Importance of protecting the AWS root user account
+ Principle of least privilege
+ AWS IAM Identity Center (AWS Single Sign-On)

Skills in:
+ Understanding access keys, password policies, and credential storage (for example, AWS Secrets Manager, AWS Systems Manager Parameter Store)
+ Identifying authentication methods in AWS (for example, multi-factor authentication [MFA], IAM Identity Center, cross-account IAM roles)
+ Defining groups, users, custom policies, and managed policies in compliance with the principle of least privilege
+ Identifying tasks that only the account root user can perform
+ Understanding which methods can achieve root user protection
+ Understanding the types of identity management (for example, federated)
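
The least-privilege skill above is easiest to see by comparing an over-broad identity policy with a scoped one and checking both mechanically. The following Python block is an added illustration, not part of the exam guide and not an AWS tool: it embeds two constructed policy documents (the bucket name `example-reports-bucket` is made up) and a small linter that flags the patterns a reviewer would reject in an Allow statement: `Action: "*"`, service-wide wildcards such as `s3:*`, `Resource: "*"`, and `NotAction`/`NotResource`, which grant everything not listed. The scoped policy also carries an `aws:MultiFactorAuthPresent` condition, tying the grant to the MFA authentication method listed above.

```python
import json
from typing import List

# Constructed sample policies for illustration; not taken from any AWS page.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# Scoped to two actions on one (hypothetical) bucket, and only with MFA present.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsBucketOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/*",
            ],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
})


def _as_list(value) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_json: str) -> List[str]:
    """Return findings for Allow statements that violate least privilege.

    Flags: Action "*", service-wide wildcards (e.g. s3:*), Resource "*",
    and NotAction / NotResource, which allow everything not listed.
    Deny statements are skipped: a broad Deny narrows access, it does not widen it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings: List[str] = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action not listed")
        if "NotResource" in stmt:
            findings.append(f"{sid}: NotResource allows every resource not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call in every service")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants every API call in that service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' applies the grant to every resource")
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when the linter raises no findings."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for name, doc in [("overly broad", OVERLY_BROAD_POLICY),
                      ("least privilege", LEAST_PRIVILEGE_POLICY)]:
        print(f"{name}: {lint_policy(doc) or ['no findings']}")
```

The checker is deliberately syntactic: it catches the wildcard patterns that defeat least privilege, but it cannot tell whether `s3:GetObject` on a given bucket is actually needed by the workload. That judgement, and the review of managed policies attached through groups and roles, remains a human step.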

## Task Statement 2.4: Identify components and resources for security.
<a name="cloud-practitioner-02-task2.4"></a>

Knowledge of:
+ Security capabilities that AWS provides
+ Security-related documentation that AWS provides

Skills in:
+ Describing AWS security features and services (for example, AWS WAF, AWS Firewall Manager, AWS Shield, Amazon GuardDuty)
+ Understanding that third-party security products are available from AWS Marketplace
+ Identifying where AWS security information is available (for example, AWS Knowledge Center, AWS Security Center, AWS Security Blog)
+ Understanding the use of AWS services for identifying security issues (for example, AWS Trusted Advisor)