2.0 Security and Compliance:
2.1 Understand the AWS shared responsibility model.
2.2 Understand AWS Cloud security, governance, and compliance concepts.
2.3 Identify AWS access management capabilities.
2.4 Identify components and resources for security.
The AWS Certified Cloud Practitioner (CCP) exam validates a fundamental understanding of the AWS Cloud, including its core services, security, and compliance features. The Security and Compliance domain makes up 30% of the scored content on the current (CLF-C02) version of the exam and covers key security concepts, access management, governance, and compliance. Let's explore its four task statements in more detail:
2.1 Understand the AWS Shared Responsibility Model
The AWS Shared Responsibility Model defines the division of security tasks between AWS and the customer. It breaks down into two main responsibilities:
- AWS’s Responsibility (“Security of the Cloud”):
- AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This includes physical security, network security, and the underlying infrastructure’s hardware and software.
- Security components covered by AWS include:
- The AWS Global Infrastructure: Regions, Availability Zones, and Edge Locations
- The compute, storage, database, and networking software layers that host the services
- The physical data centers and the hardware in them (physical access, environmental controls, hardware disposal)
- Patching and maintenance of the underlying hosts for managed services such as Amazon RDS and Amazon S3
- Customer’s Responsibility (“Security in the Cloud”):
- The customer is responsible for securing the applications, data, and resources that they deploy on AWS.
- How far the customer's responsibility reaches depends on the service. For infrastructure services such as Amazon EC2 the customer owns everything from the guest operating system upward; for managed services such as Amazon RDS, AWS patches the OS and database engine while the customer still owns the data, access controls, and encryption settings; for abstracted services such as Amazon S3, the customer's job is mostly correct configuration (bucket policies, encryption, public-access settings) and data classification.
- Customer responsibilities include:
- Securing operating systems, patches, and application layers (for services like EC2)
- Configuring access controls, such as Identity and Access Management (IAM)
- Data encryption and protection of sensitive information (both in transit and at rest)
- Managing network configurations, like security groups and network ACLs
2.2 Understand AWS Cloud Security, Governance, and Compliance Concepts
AWS provides a comprehensive set of security, governance, and compliance services and tools to ensure that workloads and data in the cloud are secure. This section involves understanding key concepts:
Security
- Identity and Access Management (IAM): AWS IAM allows you to create users, groups, and roles and assign permissions to them. Policies define what actions users can take on AWS resources.
- Data Encryption:
- Encryption at Rest: Services such as Amazon S3, Amazon EBS, and Amazon RDS can encrypt stored data with keys held in AWS Key Management Service (KMS), either AWS managed keys or customer managed keys whose policy and rotation the customer controls; Amazon S3 additionally encrypts new objects by default (SSE-S3) and supports customer-provided keys (SSE-C).
- Encryption in Transit: Data encryption while in transit (e.g., TLS/SSL encryption for HTTPS connections).
- Network Security:
- Security Groups: Stateful virtual firewalls attached to resources such as EC2 instances (at the network interface). They contain only allow rules, all rules are evaluated together, and return traffic for a permitted connection is allowed automatically.
- Network Access Control Lists (NACLs): Stateless firewalls applied at the subnet level. They contain both allow and deny rules, evaluated in ascending rule-number order with the first match deciding; because they do not track connections, return traffic (for example to the client's ephemeral port) must be allowed explicitly in the other direction.
- AWS Shield and AWS WAF (Web Application Firewall): Shield protects against Distributed Denial of Service (DDoS) attacks (Shield Standard is on by default at no extra cost; Shield Advanced adds expanded protections, visibility, and response support). WAF filters HTTP(S) requests to CloudFront distributions, Application Load Balancers, API Gateway APIs, and other supported resources using rules against common web exploits such as SQL injection and cross-site scripting.
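The stateful/stateless distinction above is where most "my instance is reachable but nothing comes back" tickets come from. The following simplified model is an added example written for this page, not AWS code: it evaluates one TCP exchange against a network ACL (ordered allow/deny rules, no connection tracking) and against a security group (allow rules only, return traffic tracked). CIDR matching is reduced to an exact-string or 0.0.0.0/0 comparison, and the rule numbers, ports, and 203.0.113.0/24 client network are constructed values.

```python
"""Simplified model of how a network ACL (stateless) and a security group
(stateful) evaluate a TCP exchange. Educational model, not the VPC data plane."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny" (security groups only ever use "allow")
    protocol: str         # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str             # simplified: "0.0.0.0/0" or an exact CIDR string
    rule_number: int = 0  # ordering key; meaningful for NACLs only


def _matches(rule, protocol, port, cidr):
    return ((rule.protocol == "all" or rule.protocol == protocol)
            and rule.port_from <= port <= rule.port_to
            and (rule.cidr == "0.0.0.0/0" or rule.cidr == cidr))


class NetworkAcl:
    """Stateless: each packet, in each direction, is checked against the rules in
    ascending rule-number order. The first matching rule decides; if nothing
    matches, the implicit '*' rule denies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.rule_number)
        self.outbound = sorted(outbound, key=lambda r: r.rule_number)

    def permits(self, direction, protocol, port, cidr):
        for rule in (self.inbound if direction == "in" else self.outbound):
            if _matches(rule, protocol, port, cidr):
                return rule.action == "allow"
        return False

    def permits_reply(self, protocol, port, cidr):
        # No connection tracking: the reply is just another outbound packet
        return self.permits("out", protocol, port, cidr)


class SecurityGroup:
    """Stateful: only allow rules exist and order is irrelevant. A packet is
    permitted if any rule matches, and return traffic for an admitted connection
    is permitted automatically, whatever the rules in the other direction say."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)

    def permits(self, direction, protocol, port, cidr):
        rules = self.inbound if direction == "in" else self.outbound
        return any(_matches(r, protocol, port, cidr) for r in rules)

    def permits_reply(self, protocol, port, cidr):
        return True  # connection tracking lets the response through


def tcp_exchange(fw, client_cidr, client_port, server_port):
    """A client in client_cidr connects from ephemeral client_port to server_port.
    Returns (request_permitted, reply_permitted)."""
    if not fw.permits("in", "tcp", server_port, client_cidr):
        return (False, False)
    return (True, fw.permits_reply("tcp", client_port, client_cidr))


def run_scenarios():
    # Constructed rules: HTTPS in from anywhere, ephemeral ports out, one blocked network
    https_in = Rule("allow", "tcp", 443, 443, "0.0.0.0/0", rule_number=100)
    ephemeral_out = Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", rule_number=100)
    deny_first = Rule("deny", "tcp", 443, 443, "203.0.113.0/24", rule_number=90)
    deny_later = Rule("deny", "tcp", 443, 443, "203.0.113.0/24", rule_number=110)
    client, client_port, server_port = "203.0.113.0/24", 51515, 443
    return {
        # NACL with only an inbound rule: the request gets in, the reply is dropped
        "nacl_no_outbound": tcp_exchange(
            NetworkAcl([https_in], []), client, client_port, server_port),
        # Adding the outbound ephemeral-port rule completes the exchange
        "nacl_with_ephemeral": tcp_exchange(
            NetworkAcl([https_in], [ephemeral_out]), client, client_port, server_port),
        # Deny at rule 90 is evaluated before allow at rule 100, so the client is blocked
        "nacl_deny_first": tcp_exchange(
            NetworkAcl([deny_first, https_in], [ephemeral_out]), client, client_port, server_port),
        # Same deny numbered 110: the allow at 100 matches first and the deny never runs
        "nacl_deny_after_allow": tcp_exchange(
            NetworkAcl([deny_later, https_in], [ephemeral_out]), client, client_port, server_port),
        # Security group with no outbound rules at all: the reply is still permitted
        "sg_no_outbound": tcp_exchange(
            SecurityGroup([https_in], []), client, client_port, server_port),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} request={result[0]} reply={result[1]}")
```

The two NACL deny scenarios are the exam-style trap: the same rule set produces opposite results depending only on rule numbers, because a NACL stops at the first match rather than collecting all matches the way a security group does.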
Governance
- AWS Organizations: Central governance for multiple AWS accounts. Accounts are grouped into organizational units (OUs) under a single management account, with consolidated billing and organization-wide policies applied from the top down.
- Service Control Policies (SCPs): Policies attached to the organization root, an OU, or an individual account that set the maximum permissions available to identities in the member accounts they cover. SCPs are guardrails, not grants: an identity still needs an IAM policy that allows the action, and a deny in any SCP along the path from the root to the account wins. SCPs do not apply to the management account.
- AWS Config: Enables you to assess, audit, and evaluate the configurations of AWS resources.
Compliance
- AWS Artifact: A self-service portal for on-demand access to AWS compliance reports and select online agreements.
- AWS Compliance Programs: AWS undergoes third-party audits and attestations (for example SOC 1, 2 and 3 reports and PCI DSS) and supports regulatory requirements such as HIPAA and GDPR. These attestations cover the infrastructure AWS operates; under the shared responsibility model the customer remains responsible for configuring and operating their own workloads in a compliant way, so a compliant platform does not by itself make a customer's application compliant.
2.3 Identify AWS Access Management Capabilities
AWS provides a range of access management tools to control who can access AWS resources and what they can do with those resources. Understanding these tools is key for the exam:
- IAM (Identity and Access Management):
- Users: Identities with long-term credentials (a console password, access keys, or both) for a person or, less ideally, an application that needs to call AWS directly.
- Groups: Collections of users to which you can assign permissions.
- Roles: Identities with permissions but no long-term credentials. Whoever assumes a role (an EC2 instance, a Lambda function, a federated user, or a principal in another account) receives short-lived credentials from AWS STS, which is why roles are preferred over distributing access keys.
- IAM Policies: Documents (written in JSON) that define permissions for users, groups, or roles. Evaluation always applies an explicit deny over any allow, and anything not explicitly allowed is denied.
- Multi-Factor Authentication (MFA): Adds a second factor to the password, such as a virtual authenticator app, a FIDO security key or passkey, or a hardware TOTP token. Enabling MFA on the root user is the first hardening step in any new account.
- AWS IAM Identity Center (the successor to AWS Single Sign-On, and still called AWS SSO in some exam material): Workforce users sign in once, through Identity Center's own directory or an external identity provider, and receive role-based access to multiple AWS accounts and third-party applications.
- AWS Key Management Service (KMS):
- Creates and manages the cryptographic keys used to encrypt data across AWS services. Key material stays inside KMS (backed by hardware security modules), and every use of a key is an API call recorded by AWS CloudTrail.
- Integrates with Amazon S3, Amazon EBS, Amazon RDS, and many other services through envelope encryption: the service encrypts the data with a data key, and KMS encrypts that data key with the KMS key.
- AWS Secrets Manager and AWS Systems Manager Parameter Store:
- Services that securely store and retrieve secrets such as database credentials, API keys, or other sensitive information. Secrets Manager adds automatic rotation (for example for Amazon RDS credentials) and is billed per secret; Parameter Store has a free standard tier and encrypts SecureString parameters with KMS.
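The interaction between the SCP guardrails described under Governance and the IAM policies described here is easier to see in code than in prose. The following evaluator is an added example written for this page, not AWS's authorization engine: it models Action and Resource wildcards, the Bool condition operator (enough to express an aws:MultiFactorAuthPresent requirement), the explicit deny > allow > implicit deny rule, and the requirement that every SCP on the path from the organization root to the account must allow the action before the identity policy is even consulted. Resource-based policies, permissions boundaries, NotAction, and the other condition operators are left out. The policy documents, bucket name, and OU names are constructed.

```python
"""Simplified IAM decision logic: an SCP guardrail chain plus identity policies,
with explicit Deny > Allow > implicit deny. Educational model, not AWS's engine."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, context):
    """Does this statement's Action/Resource/Condition match the request?"""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = _as_list(stmt.get("Resource", "*"))
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":  # only Bool is modelled here (enough for MFA checks)
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if key not in context:  # a missing key never satisfies Bool
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny short-circuits everything else
            decision = "Allow"
    return decision


def is_authorized(scp_chain, identity_policies, action, resource, context=None):
    """SCPs never grant anything: the request must be allowed by every SCP on the
    path root -> OU -> account AND by an identity policy. Any explicit Deny wins."""
    context = context or {}
    if any(evaluate_policy(scp, action, resource, context) != "Allow" for scp in scp_chain):
        return False
    results = [evaluate_policy(p, action, resource, context) for p in identity_policies]
    return "Deny" not in results and "Allow" in results


# Constructed policy documents (bucket name and OU are illustrative)
ROOT_SCP = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# OU-level guardrail: nobody in the production OU may switch CloudTrail off
PROD_OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}

# Identity policy for an analyst group: full S3 on one bucket except deletes,
# and CloudTrail administration only from an MFA-authenticated session
ANALYST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}


def run_scenarios():
    scps, policies = [ROOT_SCP, PROD_OU_SCP], [ANALYST_POLICY]
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    report = "arn:aws:s3:::reports-bucket/q1.csv"
    return {
        "read_report": is_authorized(scps, policies, "s3:GetObject", report),
        "read_other_bucket": is_authorized(scps, policies, "s3:GetObject", "arn:aws:s3:::other/x"),
        "delete_report": is_authorized(scps, policies, "s3:DeleteObject", report),
        "describe_trails_no_mfa": is_authorized(scps, policies, "cloudtrail:DescribeTrails", "*"),
        "describe_trails_mfa": is_authorized(scps, policies, "cloudtrail:DescribeTrails", "*", mfa),
        "stop_logging_mfa": is_authorized(scps, policies, "cloudtrail:StopLogging", "*", mfa),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The last scenario is the one to remember for the exam: the analyst has MFA and an identity policy that allows cloudtrail:*, yet cloudtrail:StopLogging is denied, because the OU's SCP caps what any identity in the account can do.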
2.4 Identify Components and Resources for Security
AWS offers various security components and resources that help manage, monitor, and improve the security of your AWS environment:
- Amazon GuardDuty: A managed threat detection service that continuously analyzes AWS CloudTrail management events, VPC Flow Logs, and DNS query logs (plus optional sources such as S3 data events and EKS audit logs) for malicious or unauthorized behavior, for example credential use from an unusual location or traffic to known command-and-control hosts.
- AWS Security Hub: Aggregates findings from GuardDuty, Inspector, Macie, and partner products into one view across accounts, and runs automated configuration checks against standards such as the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark.
- Amazon Inspector: An automated vulnerability management service that scans Amazon EC2 instances, container images in Amazon ECR, and AWS Lambda functions for software vulnerabilities (known CVEs) and unintended network exposure.
- AWS CloudTrail:
- Records AWS API calls for your account. It provides audit logs of who did what, when, and from where.
- Can be used for compliance auditing and operational troubleshooting.
- Amazon CloudWatch: Metrics, logs, and alarms for AWS resources and the applications you run on AWS. CloudTrail can deliver events to CloudWatch Logs so that metric filters and alarms fire on security-relevant activity (root sign-in, IAM policy changes), and alarms can trigger automated responses.
- Amazon Macie: A fully managed data security and data privacy service that uses machine learning and pattern matching to discover, classify, and report sensitive data (such as personal or financial information) stored in Amazon S3.
- AWS Trusted Advisor: Runs checks against your account and reports gaps against AWS best practices in security, cost optimization, performance, fault tolerance, service limits, and operational excellence. Security checks include exposed access keys, MFA not enabled on the root user, and security groups open to the world. A core set of checks is available on every support plan; the full set requires Business, Enterprise On-Ramp, or Enterprise Support.
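CloudTrail is only useful for the audit and troubleshooting described above if someone actually reads the records, and the questions worth asking are always the same: who used the root account, who signed in without MFA, who touched the trail itself, who minted new long-term keys, and who is probing for permissions they do not have. The following triage script is an added example written for this page, not an AWS tool: it runs those checks over a constructed CloudTrail log that uses the real record field names (eventName, userIdentity, additionalEventData.MFAUsed, errorCode). The account ID 111122223333, the user names, the trail name org-trail, the IP addresses, and the three-failure threshold are all constructed values.

```python
"""Triage a batch of CloudTrail records for the classic high-value signals.
Educational example; the log below is constructed, not captured."""
import json
from collections import Counter

# Same shape as a CloudTrail log file: a JSON object with a "Records" array.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-05-01T08:00:01Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2024-05-01T08:05:12Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2024-05-01T08:07:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "sourceIPAddress": "203.0.113.20", "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2024-05-01T08:09:03Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "198.51.100.9", "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2024-05-01T08:10:15Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "198.51.100.9", "requestParameters": {"userName": "svc-deploy"}},
 {"eventTime": "2024-05-01T08:11:01Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
  "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
 {"eventTime": "2024-05-01T08:11:02Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
  "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
 {"eventTime": "2024-05-01T08:11:04Z", "eventSource": "iam.amazonaws.com", "eventName": "GetAccountAuthorizationDetails",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
  "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"}
]}"""

# Calls that blind the audit trail; a success on any of them deserves a page
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 3  # constructed threshold for the enumeration check


def _actor(record):
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def triage(records):
    """Return (severity, rule, actor, detail) tuples for a list of CloudTrail records."""
    findings, denied = [], Counter()
    for rec in records:
        actor, name = _actor(rec), rec.get("eventName", "")
        succeeded = "errorCode" not in rec
        params = rec.get("requestParameters") or {}
        if (rec.get("userIdentity") or {}).get("type") == "Root":
            findings.append(("high", "root-account-activity", actor, name))
        if (name == "ConsoleLogin" and succeeded
                and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                and (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
            findings.append(("medium", "console-login-without-mfa", actor, rec.get("sourceIPAddress")))
        if name in TRAIL_TAMPERING and succeeded:
            findings.append(("high", "cloudtrail-logging-tampered", actor, params.get("name")))
        if name == "CreateAccessKey" and succeeded:
            findings.append(("medium", "access-key-created", actor, params.get("userName")))
        if rec.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
            denied[actor] += 1
    # Repeated AccessDenied from one principal usually means permission enumeration
    for actor, count in denied.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            findings.append(("medium", "repeated-access-denied", actor, count))
    return findings


def triage_log(text):
    return triage(json.loads(text)["Records"])


if __name__ == "__main__":
    for severity, rule, actor, detail in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {actor} ({detail})")
```

Alice's MFA-backed login produces nothing; the root sign-in produces two findings (root use and no MFA), which is the intended behavior, since both facts matter independently. In production these same checks would be expressed as CloudWatch Logs metric filters or EventBridge rules over the CloudTrail feed rather than as a script over downloaded files, but the logic is identical.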
Summary
In the AWS CCP exam’s Security and Compliance domain, you’ll need to grasp:
- Shared Responsibility Model (AWS vs. Customer responsibilities)
- Security concepts like encryption, IAM, network security, DDoS protection, and service-specific controls.
- Access management through IAM users, groups, roles, and policies, MFA, and tools like IAM Identity Center (formerly AWS SSO), KMS, and Secrets Manager.
- Security resources and tools including GuardDuty, Security Hub, CloudTrail, and Trusted Advisor.
Each of these concepts is critical to ensuring the secure use of AWS resources and managing compliance with organizational or regulatory standards. Understanding these areas thoroughly will help prepare you for this section of the AWS CCP exam.