AWS Certified Cloud Practitioner: Security Components & Resources Curriculum Overview

Identify components and resources for security

This curriculum overview focuses on Domain 2: Security and Compliance of the AWS Certified Cloud Practitioner (CLF-C02) exam. It outlines the essential knowledge and skills required to identify security components, manage access, and utilize AWS resources to maintain a robust security posture.

Prerequisites

Before beginning this curriculum, learners should have a foundational understanding of the following:

  • Cloud Computing Basics: Understanding of on-demand delivery, pay-as-you-go pricing, and scalability.
  • The AWS Shared Responsibility Model: A fundamental grasp of the "Security of the Cloud" (AWS) vs. "Security in the Cloud" (Customer) paradigm.
  • Basic Networking: Conceptual knowledge of IP addresses, subnets, and firewalls.

Module Breakdown

| Module ID | Module Title | Focus Area | Difficulty |
|---|---|---|---|
| MOD 01 | Shared Responsibility & IAM | Identity and Access Management (IAM), root protection, least privilege | Intermediate |
| MOD 02 | Detection & Monitoring | Amazon GuardDuty, AWS CloudTrail, Amazon Inspector, AWS Config | Intermediate |
| MOD 03 | Infrastructure Protection | Security Groups, NACLs, AWS WAF, AWS Shield | Advanced |
| MOD 04 | Data Protection & Secrets | AWS KMS, AWS Secrets Manager, CloudHSM, encryption | Intermediate |
| MOD 05 | Governance & Compliance | AWS Artifact, AWS Audit Manager, AWS Security Hub | Beginner |

Module Objectives per Module

MOD 01: Identity and Access Management

  • Define IAM Components: Master the use of Users, Groups, Roles, and Policies.
  • Secure the Root User: Explain the critical importance of MFA and why the root account should not be used for daily tasks.
  • Implement Least Privilege: Understand how to grant only the minimum permissions required for a task.
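
The following is an added worked example, not AWS code and not part of the original curriculum. It models the core of IAM policy evaluation that least privilege rests on: requests are implicitly denied, an explicit Allow grants access, and an explicit Deny overrides any Allow. The policies, bucket name and ARNs are constructed for the example; the model deliberately omits conditions, permission boundaries, SCPs and resource-based policies that real IAM also evaluates.

```python
"""Simplified IAM policy evaluator: implicit deny, explicit allow, explicit deny wins.

Added illustration only (not AWS's evaluation engine). It exists to make the
difference between a broad policy and a least-privilege policy measurable:
we probe each policy with the actions a task actually needs plus actions it
never needs, and see which ones slip through.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action names are case-insensitive and support '*' wildcards."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policies, action, resource):
    """Return True only if some statement allows the request and none denies it."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_matches(a, action) for a in actions):
                continue
            if not any(fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny short-circuits everything
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed                    # implicit deny when nothing matched


# Constructed policies for the example (bucket name is hypothetical).
UPLOAD_BUCKET_ARN = "arn:aws:s3:::example-app-uploads"

BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": UPLOAD_BUCKET_ARN + "/*",
    }],
}

# A guardrail that denies bucket deletion everywhere; Deny beats the broad Allow.
GUARDRAIL_DENY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}

# What the task needs, and what it must never be able to do.
NEEDED = [("s3:GetObject", UPLOAD_BUCKET_ARN + "/photo.jpg"),
          ("s3:PutObject", UPLOAD_BUCKET_ARN + "/photo.jpg")]
UNNEEDED = [("s3:DeleteBucket", UPLOAD_BUCKET_ARN),
            ("s3:GetObject", "arn:aws:s3:::other-team-bucket/secrets.txt")]


def excess_grants(policies):
    """Return the unneeded (action, resource) pairs the policies still allow."""
    return [req for req in UNNEEDED if is_allowed(policies, *req)]


def covers_task(policies):
    """True if every needed request is allowed."""
    return all(is_allowed(policies, *req) for req in NEEDED)


if __name__ == "__main__":
    for name, pols in [("broad", [BROAD_POLICY]),
                       ("broad + guardrail", [BROAD_POLICY, GUARDRAIL_DENY]),
                       ("least privilege", [LEAST_PRIVILEGE_POLICY])]:
        print(f"{name:18} covers task: {covers_task(pols)}  excess: {excess_grants(pols)}")
```

Running it shows the broad policy covering the task but also allowing both unneeded requests, the guardrail removing only the bucket deletion, and the least-privilege policy covering the task with no excess grants. In practice the same measurement is done with IAM Access Analyzer or CloudTrail-derived "last accessed" data rather than a hand-written evaluator.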

MOD 02: Detection and Monitoring

  • Threat Detection: Distinguish between Amazon GuardDuty (intelligent threat detection) and Amazon Inspector (vulnerability scanning).
  • Auditing and Tracking: Use AWS CloudTrail for API call logging and AWS Config for resource configuration history.

MOD 03: Infrastructure Protection

  • Firewall Management: Identify the difference between Security Groups (stateful, instance-level) and Network ACLs (stateless, subnet-level).
  • DDoS Protection: Understand how AWS Shield (Standard and Advanced) protects against distributed attacks.
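
The following is an added example, not AWS code and not part of the original curriculum, that makes the stateful-versus-stateless distinction concrete. It models one HTTPS request and its reply passing through a Security Group (which tracks connections) and through a Network ACL (which evaluates every packet independently against numbered rules, first match wins, implicit final deny). The IP addresses, ports and rule numbers are constructed; the matching logic is a simplification of what the VPC actually does.

```python
"""Why a Security Group is 'stateful' and a Network ACL is 'stateless'.

Added illustration only. The point it demonstrates: with a NACL, allowing
inbound 443 is not enough; the reply to an ephemeral client port must also
be allowed outbound, whereas a Security Group lets the reply through because
it remembers the inbound connection.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int              # NACLs evaluate in ascending order; SGs ignore it
    cidr: str                # remote address range the rule applies to
    port_from: int           # destination port range
    port_to: int
    action: str = "allow"    # SG rules are allow-only; NACL rules may be deny
    proto: str = "tcp"


def _rule_matches(rule, pkt, remote_ip):
    return (rule.proto in ("all", pkt.proto)
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful: a reply to an allowed inbound flow is permitted automatically."""

    def __init__(self, inbound, outbound):
        self.inbound_rules, self.outbound_rules = inbound, outbound
        self._tracked = set()

    def inbound(self, pkt):
        if any(_rule_matches(r, pkt, pkt.src_ip) for r in self.inbound_rules):
            self._tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False

    def outbound(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._tracked:
            return True      # connection tracking: reply allowed regardless of rules
        return any(_rule_matches(r, pkt, pkt.dst_ip) for r in self.outbound_rules)


class NetworkAcl:
    """Stateless: each direction is checked on its own, lowest rule number first."""

    def __init__(self, inbound, outbound):
        self.inbound_rules = sorted(inbound, key=lambda r: r.number)
        self.outbound_rules = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, pkt, remote_ip):
        for rule in rules:
            if _rule_matches(rule, pkt, remote_ip):
                return rule.action == "allow"   # first match decides
        return False                            # implicit final '*' deny

    def inbound(self, pkt):
        return self._evaluate(self.inbound_rules, pkt, pkt.src_ip)

    def outbound(self, pkt):
        return self._evaluate(self.outbound_rules, pkt, pkt.dst_ip)


# Constructed endpoints: a client on the TEST-NET-3 range and a private web server.
CLIENT, SERVER = "203.0.113.10", "10.0.1.25"


def https_exchange(firewall):
    """Return (request_allowed, reply_allowed) for one HTTPS round trip."""
    request = Packet(CLIENT, 51515, SERVER, 443)   # ephemeral client port -> 443
    reply = Packet(SERVER, 443, CLIENT, 51515)     # 443 -> ephemeral client port
    req_ok = firewall.inbound(request)
    return req_ok, req_ok and firewall.outbound(reply)


def build_security_group():
    # Even with the default "allow all" outbound rule removed, replies still flow.
    return SecurityGroup(inbound=[Rule(0, "0.0.0.0/0", 443, 443)], outbound=[])


def build_half_configured_nacl():
    return NetworkAcl(inbound=[Rule(100, "0.0.0.0/0", 443, 443)], outbound=[])


def build_complete_nacl():
    return NetworkAcl(inbound=[Rule(100, "0.0.0.0/0", 443, 443)],
                      outbound=[Rule(100, "0.0.0.0/0", 1024, 65535)])


def build_blocking_nacl():
    # A lower-numbered deny for one client wins over the broader allow after it.
    return NetworkAcl(inbound=[Rule(50, CLIENT + "/32", 443, 443, action="deny"),
                               Rule(100, "0.0.0.0/0", 443, 443)],
                      outbound=[Rule(100, "0.0.0.0/0", 1024, 65535)])


if __name__ == "__main__":
    for name, fw in [("security group", build_security_group()),
                     ("nacl, inbound only", build_half_configured_nacl()),
                     ("nacl, both directions", build_complete_nacl()),
                     ("nacl, client denied", build_blocking_nacl())]:
        print(f"{name:22} request/reply allowed: {https_exchange(fw)}")
```

The half-configured NACL is the classic troubleshooting case: the request reaches the server but the reply is dropped, so the client sees a timeout. This is also why an exam question asking for per-subnet, explicit-deny capable filtering points to a NACL, while per-instance allow lists point to a Security Group.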

MOD 04: Data Protection

  • Encryption Options: Differentiate between Encryption at Rest (S3, EBS) and Encryption in Transit (TLS/SSL).
  • Key Management: Use AWS KMS (Key Management Service) for software-based keys and CloudHSM for hardware-based modules.

MOD 05: Compliance and Governance

  • Self-Service Audits: Utilize AWS Artifact to download AWS's third-party compliance reports (ISO, SOC, PCI).
  • Security Centralization: Use AWS Security Hub to aggregate findings from GuardDuty, Inspector, and Macie into a single dashboard.

Success Metrics

To demonstrate mastery of this curriculum, learners must be able to:

  1. Categorize Services: Correctly assign an AWS security service to one of the five NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover).
  2. Shared Responsibility Assignment: Given a scenario (e.g., patching an EC2 OS vs. patching an RDS engine), identify who is responsible.
  3. Root User Protection: List at least 3 tasks that only the root user can perform (e.g., changing account settings, closing the account).
  4. Architectural Decision Making: Choose between a Security Group and a NACL based on whether the requirement is per-instance or per-subnet.

[!IMPORTANT] Success is measured not just by knowing what a tool does, but by knowing where to find information; for example, knowing that AWS Artifact is the go-to portal for AWS compliance documentation.

Real-World Application

Understanding these components is vital for several career paths and business scenarios:

  • Security Analyst: Using Amazon Detective to conduct post-incident analysis and investigate the root cause of security findings.
  • Cloud Architect: Designing a multi-tier VPC that uses Security Groups to enforce strict traffic boundaries between web and database layers.
  • Compliance Officer: Using AWS Audit Manager to continuously collect evidence for regulatory audits (HIPAA, GDPR), reducing the manual work required for compliance.
  • DevOps Engineer: Automating secret rotation for database credentials using AWS Secrets Manager, ensuring that plain-text passwords are never stored in code.

Estimated Timeline

| Phase | Topic | Estimated Time |
|---|---|---|
| Phase 1 | Shared Responsibility & IAM | 3 hours |
| Phase 2 | Network Security (WAF/SG/NACL) | 4 hours |
| Phase 3 | Monitoring & Logging | 3 hours |
| Phase 4 | Encryption & Compliance | 2 hours |
| Review | Practice Exam Questions | 2 hours |
