Security and Compliance is the domain of the AWS Certified Cloud Practitioner (CLF-C02) exam that focuses on how AWS helps you protect your data, systems, and applications in the cloud. Think of it as the set of tools, best practices, and shared responsibilities that ensure your cloud environment is secure and meets legal or industry standards. In plain English, this domain covers everything from who is responsible for what (you vs. AWS) to how you encrypt data, manage access, monitor for threats, and comply with regulations like GDPR or HIPAA.
Why is this important in real-world IT? Because security is the number one concern for organizations moving to the cloud. A single misconfiguration—like leaving an S3 bucket public—can expose millions of customer records. Compliance failures can lead to massive fines and loss of trust. Understanding AWS security services (like IAM, KMS, Shield, and Inspector) and the Shared Responsibility Model is essential for anyone working with AWS, whether you're a developer, sysadmin, or manager. You need to know how to design secure architectures and respond to incidents.
On the exam, this domain tests your knowledge of core security concepts and AWS services. You'll be asked about the Shared Responsibility Model: which parts AWS secures (the cloud infrastructure) and which parts you secure (your data, OS, network configurations). You'll need to know IAM for managing users, groups, roles, and policies; encryption options like SSE-S3, SSE-KMS, and client-side encryption; and compliance programs like SOC, PCI DSS, and FedRAMP. Expect questions on DDoS protection (AWS Shield), web application firewalls (WAF), and monitoring tools like CloudTrail, Config, and GuardDuty. The exam also covers security best practices like least privilege, multi-factor authentication (MFA), and the principle of defense in depth.
To study this domain effectively, start by mastering the Shared Responsibility Model—it's the foundation. Then, get hands-on with IAM: create users, groups, and policies, and understand how roles work. Use the AWS Free Tier to explore S3 bucket policies, enable CloudTrail, and set up a basic CloudWatch alarm. Read the AWS Security Best Practices whitepaper and review the compliance programs on the AWS website. Practice with sample questions that test your ability to identify which service or practice applies to a given scenario. Focus on understanding the purpose of each security service rather than memorizing details. Finally, remember that the exam emphasizes concepts over deep technical implementation—know what each service does and when to use it.
Security and Compliance covers the AWS Shared Responsibility Model, identity and access management (IAM), data encryption, monitoring and logging, and compliance programs—essentially how AWS helps you secure your cloud resources and meet regulatory requirements.
Shared Responsibility Model: distinguishing between AWS responsibilities (physical security, hardware) and customer responsibilities (data, OS, network config)
IAM: managing users, groups, roles, policies, and applying least privilege
Data encryption: SSE-S3, SSE-KMS, client-side encryption, and encryption in transit (TLS)
Monitoring and logging: CloudTrail for API activity, CloudWatch for metrics, and Config for resource compliance
DDoS protection: AWS Shield Standard (free) vs. Shield Advanced (paid) for Layer 3/4 attacks
Compliance programs: SOC 1/2/3, PCI DSS Level 1, HIPAA BAA, and FedRAMP for regulated workloads
Common exam traps
Where candidates lose marks on Security and Compliance
⚠Assuming AWS is responsible for everything (forgetting the customer side of the Shared Responsibility Model)
⚠Confusing AWS Shield with AWS WAF (Shield is DDoS protection, WAF is a web application firewall for HTTP requests)
⚠Thinking that enabling CloudTrail automatically logs all data events (it logs management events by default; data events must be enabled separately)
⚠Believing that encryption at rest is always enabled by default (it's not; you must enable it on services like S3 and EBS)
CLF-C02 Security and Compliance — Practice Questions
A company is preparing for an annual compliance audit. The auditor requests a copy of the AWS SOC 2 Type II report to review AWS's controls. Which AWS service or tool can the company use to obtain this report?
A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?
A company uses an IAM role to allow an application running on Amazon EC2 to decrypt data stored in Amazon S3. The security team wants to enforce that the application can only use the decryption permission when the IAM role has a specific tag (e.g., 'Environment=Production'). Which approach should the security team implement to meet this requirement?
A company needs to maintain a secure audit trail of all API calls made against its AWS resources. The audit trail must record the identity of the caller, the time of the call, the source IP address, and the request details. The records must be stored securely with integrity guarantees for a minimum of five years to meet compliance requirements. Which AWS service should the company use to capture and store this information?
A financial services company requires all data stored in Amazon S3 to be encrypted at rest. The company has a compliance policy that states encryption keys must be managed entirely by the customer and must never be stored or managed by the cloud provider. Which encryption option should the company use for Amazon S3?
A company runs a web application on Amazon EC2 that connects to an Amazon RDS database. The database credentials are currently hardcoded in the application configuration file. The security team requires that the credentials be automatically rotated every 90 days and that the application retrieves them securely from a managed service without storing them in the application code. Which AWS service should the company use to meet these requirements?
A company stores sensitive customer data in multiple Amazon S3 buckets. The security team wants to proactively identify any buckets that have been configured to allow unintended access from external AWS accounts or from the public internet. The team needs a service that continuously analyzes the resource-based policies attached to these buckets and generates findings when such unintended access is detected. Which AWS service should the security team use to meet this requirement?
A company has a compliance policy requiring that all Amazon EC2 instances in its production environment must have the tag "Environment=Production" and must be associated with a security group named "Prod-SG". The company wants to continuously monitor its AWS account and automatically detect any EC2 instances that do not meet these requirements. The IT team needs a service that can evaluate the configuration of resources against these rules and send notifications when a non-compliant resource is detected. Which AWS service should the company use?
A company runs a public-facing e-commerce website on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team has discovered that attackers are attempting SQL injection attacks through the website's search feature. The company wants to use a managed AWS service to inspect incoming HTTP requests and block these malicious payloads before they reach the application. Which AWS service should the company use?
A company is using AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that users in the development accounts cannot disable AWS CloudTrail logging or delete CloudTrail trails, even if those users have full administrator permissions within their own accounts. The team needs a central mechanism that is enforced across all development accounts regardless of individual IAM policies. Which AWS feature should the security team use to meet this requirement?
A company's security policy requires that all IAM user access keys be rotated every 90 days. The security team wants to automatically identify any IAM user in the company's AWS account whose access keys are older than 90 days and trigger a notification to the security team. They need a managed AWS service that continuously evaluates the access key age against this requirement and generates findings. Which AWS service should the security team use?
A financial services company is preparing for an annual audit. The auditors have requested a copy of the AWS SOC 2 Type II report to verify the security controls of the AWS infrastructure that the company uses. The company's compliance officer needs to directly download this report from a trusted AWS source. Which AWS service should the compliance officer use to obtain the report?
A financial services company must comply with PCI DSS requirements that mandate the use of a dedicated hardware security module (HSM) to store encryption keys used to protect cardholder data. The company plans to use server-side encryption in Amazon S3 and needs to ensure that the encryption keys are stored in a dedicated HSM under the company's sole control. Which AWS service should the company use to meet this requirement?
A company runs a web application that connects to an Amazon RDS for MySQL database. The security policy requires that the database password be rotated every 30 days. The development team wants a fully managed solution that automatically rotates the password, handles the update in RDS, and provides the application with the latest credentials without any code changes. The application should also continue to work during the rotation process. Which AWS service should the company use to meet these requirements?
A company hosts a multi-tier web application on AWS. The web tier runs on Amazon EC2 instances in a public subnet, and the database tier runs on Amazon EC2 instances in a private subnet. The security team needs to configure security groups to allow only the web tier instances to communicate with the database tier on port 3306 (MySQL). The web tier must be accessible from the internet on port 443. Which security group configuration meets these requirements?
A company hosts a web application behind an Application Load Balancer (ALB) in AWS. The application must comply with a security policy requiring TLS encryption for all traffic between users and the ALB. The company wants to automate the renewal of TLS certificates and avoid manual certificate management. Which AWS service should the company use to provision and automatically renew the certificates?
A company runs multiple workloads on AWS and must ensure that all Amazon S3 buckets have server-side encryption enabled. The compliance team wants to automatically detect any S3 bucket that is created without encryption and receive an alert. They also want to continuously monitor existing buckets for compliance. Which AWS service should they use?
A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires that no IAM users can be created in any member account. All access must use federated identities from the company's existing identity provider. The security team needs a single, centralized mechanism to enforce this restriction across all existing and future member accounts. Which AWS feature should the security team use to meet this requirement?
A company stores sensitive documents in Amazon S3. The security team wants a preventive control that ensures no S3 bucket in the AWS account can ever be configured with a bucket policy that grants public read or write access. This control must apply automatically to all newly created buckets and to existing buckets, without requiring changes to individual bucket policies. Which AWS feature should the security team use?
A company uses AWS Organizations to manage multiple AWS accounts. The security team must ensure that all API activity across all accounts, including any new accounts added in the future, is recorded and delivered to a centralized S3 bucket for auditing. The solution should require minimal ongoing manual effort. Which AWS feature should the security team use?
A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to enforce a policy that prevents any employee from deploying resources in AWS Regions outside of the United States. The company’s legal department requires a preventive control that automatically blocks all resource creation in non-approved Regions for every account, including any new accounts added in the future. The team wants a solution that requires minimal ongoing administration. Which AWS feature should the security team use?
A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a policy that restricts SSH access (port 22) from the internet (0.0.0.0/0) in all VPCs across all accounts. The team wants to centrally define the allowed rules and automatically apply them to newly created VPCs and security groups, while also automatically remediating any existing non-compliant security groups. Which AWS service should the team use?
A company stores sensitive customer data in Amazon S3 buckets. The company's security policy requires that all objects in these buckets be encrypted at rest using an encryption key that the company can rotate annually and audit for usage. The company also needs to control which IAM users and roles can use, create, and manage these keys. The security team wants to use an AWS managed service to handle the key management lifecycle. Which AWS service should the company use to meet these requirements?
A company manages multiple AWS accounts using AWS Organizations and maintains hundreds of Amazon S3 buckets across these accounts. The security team wants a service that automatically scans all S3 bucket policies and identifies any bucket that grants access to an external AWS account (an account outside the organization). The team needs to receive findings when such policies are detected and wants to review the findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?
A company manages multiple AWS accounts using AWS Organizations. The company wants employees to sign in using their existing corporate credentials from an on-premises Microsoft Active Directory. The company also needs a single sign-on (SSO) experience so that each employee can access the AWS Management Console for any authorized account without needing separate passwords. Additionally, the company wants to centrally manage permissions across all accounts. Which AWS service should the company use to meet these requirements?
A company is preparing for a PCI DSS compliance audit. The security team needs to ensure that all AWS API calls are logged and that the logs are continuously analyzed for suspicious or unauthorized activity. The team wants a managed security service that uses machine learning to identify threats, generates findings for review, and can trigger automated remediation through AWS Lambda. Which AWS service should the team use?
A company's security team discovers that database credentials are stored in plaintext in application configuration files. The team wants to implement a secure way to store, manage, and automatically rotate these credentials every 90 days. The solution must provide fine-grained IAM policies to control which users and applications can access the secrets and must integrate with AWS services like Amazon RDS for automatic rotation. Which AWS service should the company use to meet these requirements?
A company runs a web application on Amazon CloudFront and an Application Load Balancer (ALB). The security team wants to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS). Additionally, the company needs to block requests from specific countries due to compliance requirements. The security team prefers a managed service that provides pre-configured rule sets and integrates directly with CloudFront and ALB without requiring additional infrastructure. Which AWS service should the security team use?
A company is preparing for a SOC 2 Type II audit and needs to provide its auditor with evidence of AWS's operational security controls. The security team has been asked to download the latest SOC 2 Type II report published by AWS. The team must access the report through a self-service portal without needing to contact AWS Support. Which AWS service should the security team use to meet this requirement?
A financial services company uses AWS CloudTrail to log all API calls in its AWS account. The company must demonstrate to auditors that the CloudTrail log files have not been tampered with after they were delivered to the Amazon S3 bucket. The company wants to use a feature that automatically creates digest files containing a hash of each log file, allowing the auditor to mathematically verify the integrity of the logs. Which AWS feature should the company enable to meet this requirement?
More Security and Compliance questions available in the full practice test.