Mastering Security Controls: AWS SAP-C02 Study Guide

This guide covers the critical task of prescribing and determining security controls within complex AWS environments, focusing on automation, governance, and centralized management as required for the AWS Certified Solutions Architect - Professional (SAP-C02) exam.

Learning Objectives

After studying this guide, you should be able to:

Design secure workloads that scale across multi-account organizations.
Select appropriate AWS security services (GuardDuty, Security Hub, WAF) based on business requirements.
Implement centralized logging and auditing strategies using AWS Control Tower and S3.
Develop automated remediation strategies for common security misconfigurations.
Differentiate between detective and preventative security controls.

Key Terms & Glossary

Least Privilege: The practice of limiting access rights for users to the bare minimum permissions they need to perform their work.
Remediation: The act of reversing or fixing a security vulnerability or policy violation (e.g., closing an open S3 bucket).
Account Factory: A component of AWS Control Tower that automates the provisioning of new, standardized AWS accounts.
Detective Control: A security control designed to identify and alert on threats after they occur (e.g., AWS CloudTrail).
Preventative Control: A control that active prevents an unauthorized action from occurring (e.g., Service Control Policies or SCPs).
Drift: When the actual configuration of a resource deviates from its intended or

Mastering Security Controls: AWS SAP-C02 Study Guide

Learning Objectives

After studying this guide, you should be able to:

Design secure workloads that scale across multi-account organizations.
Select appropriate AWS security services (GuardDuty, Security Hub, WAF) based on business requirements.
Implement centralized logging and auditing strategies using AWS Control Tower and S3.
Develop automated remediation strategies for common security misconfigurations.
Differentiate between detective and preventative security controls.

Key Terms & Glossary

Least Privilege: The practice of limiting access rights for users to the bare minimum permissions they need to perform their work.
Remediation: The act of reversing or fixing a security vulnerability or policy violation (e.g., closing an open S3 bucket).
Account Factory: A component of AWS Control Tower that automates the provisioning of new, standardized AWS accounts.
Detective Control: A security control designed to identify and alert on threats after they occur (e.g., AWS CloudTrail).
Preventative Control: A control that active prevents an unauthorized action from occurring (e.g., Service Control Policies or SCPs).
Drift: When the actual configuration of a resource deviates from its intended or