DOP-C02 domain - 17% of the exam

Security and Compliance

Security and Compliance is 17% of the AWS Certified DevOps Engineer - Professional (DOP-C02) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample | Security and Compliance | Difficulty: hard

A company manages around 300 accounts in AWS Organizations grouped into organisational units by environment. Security needs a hard guarantee that no principal in any production account, including account administrators with broad IAM policies, can disable AWS CloudTrail or delete its trails. A previous attempt that relied on attaching an IAM deny policy in each account was bypassed when a team detached the policy. The team wants the most durable control that cannot be removed by account-level administrators. Which approach should they implement?

  • A. Attach a permission boundary to every IAM role in the production accounts that omits the CloudTrail stop and delete actions, so the boundary caps what those roles can do regardless of their attached policies.
  • B. Distribute an AWS Config rule to the production accounts that detects when a trail is stopped or deleted and triggers a remediation that recreates it, treating detection and repair as the enforcement mechanism for the requirement.
  • C. Move all production accounts under a dedicated organisational unit and apply an IAM identity-based deny policy through AWS IAM Identity Center permission sets so every assigned user inherits the CloudTrail restriction centrally.
  • D. Attach a service control policy to the production organisational unit that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail, so the guardrail applies to every principal in those accounts and cannot be overridden locally. (Correct)
Use a service control policy on an organisational unit to set a preventive permission ceiling that even account administrators cannot override. Service control policies define the maximum permissions available to principals in the member accounts they target and are administered only from the AWS Organizations management account; denying cloudtrail:StopLogging and cloudtrail:DeleteTrail at the organisational unit means no principal in those accounts, including an account administrator, can perform those actions, which is a preventive guarantee that local IAM policies, permission boundaries, or detective controls cannot match.

Why A is wrong: A permission boundary caps a principal's effective permissions, but it is set within the account, and an account administrator can change or remove it, so unlike an organisation-level guardrail it does not survive a local administrator acting against the control.

Why B is wrong: Config with remediation detects and repairs after the fact rather than preventing the action, so there is a window where logging is off, and an account admin can disable the rule, which falls short of a hard preventive guarantee.

Why C is wrong: Identity Center permission sets only constrain principals that sign in through Identity Center, so roles, account root, and locally created users are unaffected, which leaves the very administrators the requirement targets able to stop or delete the trails.

Why D is correct: A service control policy sets the maximum available permissions for every principal in the targeted accounts including account administrators, and it is managed only from the organisation management account, so denying the CloudTrail stop and delete actions there is a preventive guardrail that local admins cannot remove.
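As an added illustration (not part of the original page), the SCP described in the explanation written out, together with a simplified Python model of how its explicit Deny combines with an account administrator's allow-everything identity policy. The FullAWSAccess SCP and the administrator policy are constructed sample inputs, and the evaluator assumes Resource "*" with no Conditions.

```python
import fnmatch

# SCP to attach to the production OU. The explicit Deny applies to every
# principal in the member accounts, including account administrators.
PRODUCTION_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectCloudTrail",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
}

# AWS-managed FullAWSAccess SCP, attached by default; a deny-list SCP relies on
# it for the Allow that SCP evaluation requires. (Constructed copy.)
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: the broad identity policy of an account administrator.
ACCOUNT_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCPS_IN_EFFECT = [FULL_AWS_ACCESS_SCP, PRODUCTION_OU_SCP]


def effects_for(policy, action):
    """Effects of the statements whose Action pattern matches `action`."""
    found = []
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            found.append(stmt["Effect"])
    return found


def is_allowed(action, identity_policy, scps):
    """Simplified evaluation (assumption: Resource '*', no Conditions, per-level SCP
    rule collapsed into one pass): SCPs must allow and not deny, then identity must allow."""
    scp_effects = [e for scp in scps for e in effects_for(scp, action)]
    if "Deny" in scp_effects or "Allow" not in scp_effects:
        return False
    identity_effects = effects_for(identity_policy, action)
    return "Deny" not in identity_effects and "Allow" in identity_effects
```

Even though the administrator's own policy allows everything, the two CloudTrail actions evaluate to Deny once the OU SCP is in effect, while unrelated actions such as cloudtrail:DescribeTrails remain allowed.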

Examworthy is not affiliated with or endorsed by Amazon Web Services. Original, blueprint-aligned practice material only.