CLF-C02 domain - 30% of the exam

Security and Compliance

Security and Compliance is 30% of the AWS Certified Cloud Practitioner (CLF-C02) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Understand the AWS shared responsibility model and how responsibility for security shifts between the customer and AWS depending on the service used, such as Amazon EC2, Amazon RDS and AWS Lambda.
Section 2.1medium
Identify AWS governance and compliance concepts, including where to find compliance reports with AWS Artifact and how compliance needs vary by geography and industry.
Section 2.2medium
Identify AWS encryption options for protecting data, distinguishing encryption in transit from encryption at rest and the role of AWS Key Management Service.
Section 2.3medium
Recognise AWS services that aid governance, monitoring and threat detection, including Amazon CloudWatch, AWS CloudTrail, AWS Config, Amazon GuardDuty, Amazon Inspector and AWS Security Hub.
Section 2.4medium
Identify AWS Identity and Access Management capabilities, defining users, groups, roles and managed and custom policies in line with the principle of least privilege.
Section 2.5medium
Understand how to protect the root user and apply authentication methods such as multi-factor authentication, AWS IAM Identity Center and federation, and where to store credentials securely.
Section 2.6medium
Describe AWS network security features and services, including security groups, network access control lists, AWS WAF and AWS Shield.
Section 2.7medium
Identify components and resources for security, including AWS Trusted Advisor checks, third-party products in AWS Marketplace and where to find AWS security documentation.
Section 2.8easy

Sample question from this domain

Free sampleSecurity and Compliancemedium

A company runs its application on Amazon EC2 instances. Under the AWS shared responsibility model, which task is the responsibility of the customer rather than AWS?

AMaintaining the physical security of the data centres that host the instances
BInstalling operating system patches on the guest operating system of the instances Correct
CPatching the firmware of the underlying host servers that run the hypervisor
DReplacing failed physical disks in the storage racks that back the volumes

On Amazon EC2 the customer is responsible for patching and maintaining the guest operating system they run. Amazon EC2 is an infrastructure service where the responsibility boundary sits at the guest OS, so the customer patches and hardens the OS while AWS secures the hardware, hypervisor and facilities below it.

Why A is wrong: Physical security of the facilities is security OF the cloud, which AWS owns; the customer never sees the hardware, so this cannot be a customer task.

Why B is correct: On Amazon EC2 the customer controls the guest operating system, so patching, updating and hardening that OS is squarely a customer responsibility.

Why C is wrong: Host firmware and the hypervisor sit below the guest OS boundary, so AWS maintains them; a candidate may confuse host patching with guest patching.

Why D is wrong: Hardware replacement is part of the global infrastructure AWS operates; customers have no physical access, so this is never their duty.

Other domains in this exam

Cloud Concepts24% of the exam
Cloud Technology and Services34% of the exam
Billing, Pricing, and Support12% of the exam

See also the CLF-C02 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by Amazon Web Services. Original, blueprint-aligned practice material only.