# Content Domain 6: Security and Compliance
<a name="devops-engineer-professional-02-domain6"></a>

## Task Statement 6.1: Implement techniques for identity and access management at scale.
<a name="dop-02-task-6-1"></a>

### Knowledge of:
<a name="dop-02-task-6-1-knowledge"></a>
+ Appropriate usage of different IAM entities for human and machine access (for example, users, groups, roles, identity providers, identity-based policies, resource-based policies, session policies)
+ Identity federation techniques (for example, using IAM identity providers and AWS IAM Identity Center)
+ Permission management delegation by using IAM permissions boundaries
+ Organizational SCPs

### Skills in:
<a name="dop-02-task-6-1-skills"></a>
+ Designing policies to enforce least privilege access
+ Implementing role-based and attribute-based access control patterns
+ Automating credential rotation for machine identities (for example, AWS Secrets Manager)
+ Managing permissions to control access to human and machine identities (for example, enabling multi-factor authentication [MFA], AWS Security Token Service [AWS STS], IAM profiles)

## Task Statement 6.2: Apply automation for security controls and data protection.
<a name="dop-02-task-6-2"></a>

### Knowledge of:
<a name="dop-02-task-6-2-knowledge"></a>
+ Network security components (for example, security groups, network ACLs, routing, AWS Network Firewall, AWS WAF, AWS Shield)
+ Certificates and public key infrastructure (PKI)
+ Data management (for example, data classification, encryption, key management, access controls)

### Skills in:
<a name="dop-02-task-6-2-skills"></a>
+ Automating the application of security controls in multi-account and multi-Region environments (for example, AWS Security Hub, AWS Organizations, AWS Control Tower, AWS Systems Manager)
+ Combining security controls to apply defense in depth (for example, AWS Certificate Manager [ACM], AWS WAF, AWS Config, AWS Config rules, Security Hub, Amazon GuardDuty, security groups, network ACLs, Amazon Detective, Network Firewall)
+ Automating the discovery of sensitive data at scale (for example, Amazon Macie)
+ Encrypting data in transit and data at rest (for example, AWS Key Management Service [AWS KMS], AWS CloudHSM, ACM)

## Task Statement 6.3: Implement security monitoring and auditing solutions.
<a name="dop-02-task-6-3"></a>

### Knowledge of:
<a name="dop-02-task-6-3-knowledge"></a>
+ Security auditing services and features (for example, AWS CloudTrail, AWS Config, VPC Flow Logs, AWS CloudFormation drift detection)
+ AWS services for identifying security vulnerabilities and events (for example, GuardDuty, Amazon Inspector, IAM Access Analyzer, AWS Config)
+ Common cloud security threats (for example, insecure web traffic, exposed AWS access keys, S3 buckets with public access enabled or encryption disabled)

### Skills in:
<a name="dop-02-task-6-3-skills"></a>
+ Implementing robust security auditing
+ Configuring alerting based on unexpected or anomalous security events
+ Configuring service and application logging (for example, CloudTrail, Amazon CloudWatch Logs)
+ Analyzing logs, metrics, and security findings