# Content Domain 1: Design Secure Architectures
<a name="solutions-architect-associate-03-domain1"></a>

**Topics**
+ [Task 1.1: Design secure access to AWS resources](#solutions-architect-associate-03-domain1-task1)
+ [Task 1.2: Design secure workloads and applications](#solutions-architect-associate-03-domain1-task2)
+ [Task 1.3: Determine appropriate data security controls](#solutions-architect-associate-03-domain1-task3)

## Task 1.1: Design secure access to AWS resources
<a name="solutions-architect-associate-03-domain1-task1"></a>

Knowledge of:
+ Access controls and management across multiple accounts
+ AWS federated access and identity services (for example, IAM, AWS IAM Identity Center)
+ AWS global infrastructure (for example, Availability Zones, AWS Regions)
+ AWS security best practices (for example, the principle of least privilege)
+ The AWS shared responsibility model

Skills in:
+ Applying AWS security best practices to IAM users and root users (for example, multi-factor authentication [MFA])
+ Designing a flexible authorization model that includes IAM users, groups, roles, and policies
+ Designing a role-based access control strategy (for example, AWS STS, role switching, cross-account access)
+ Designing a security strategy for multiple AWS accounts (for example, AWS Control Tower, service control policies [SCPs])
+ Determining the appropriate use of resource policies for AWS services
+ Determining when to federate a directory service with IAM roles

## Task 1.2: Design secure workloads and applications
<a name="solutions-architect-associate-03-domain1-task2"></a>

Knowledge of:
+ Application configuration and credentials security
+ AWS service endpoints
+ Control ports, protocols, and network traffic on AWS
+ Secure application access
+ Security services with appropriate use cases (for example, AWS Cognito, AWS GuardDuty, AWS Macie)
+ Threat vectors external to AWS (for example, DDoS, SQL injection)

Skills in:
+ Designing VPC architectures with security components (for example, security groups, route tables, network ACLs, NAT gateways)
+ Determining network segmentation strategies (for example, using public subnets and private subnets)
+ Integrating AWS services to secure applications (for example, AWS Shield, AWS WAF, IAM Identity Center, AWS Secrets Manager)
+ Securing external network connections to and from the AWS Cloud (for example, VPN, AWS Direct Connect)

## Task 1.3: Determine appropriate data security controls
<a name="solutions-architect-associate-03-domain1-task3"></a>

Knowledge of:
+ Data access and governance
+ Data recovery
+ Data retention and classification
+ Encryption and appropriate key management

Skills in:
+ Aligning AWS technologies to meet compliance requirements
+ Encrypting data at rest (for example, AWS KMS)
+ Encrypting data in transit (for example, AWS Certificate Manager [ACM] using TLS)
+ Implementing access policies for encryption keys
+ Implementing data backups and replications
+ Implementing policies for data access, lifecycle, and protection
+ Rotating encryption keys and renewing certificates