- [Blaine] Welcome back. There are six domains, each with a different focus, that together make up the AWS Certified SysOps Administrator exam. Let's take a look at the Security and Compliance domain, which accounts for 16 percent of the total score. Remember, you can design the most resilient architecture, but if you don't protect it from all enemies, both foreign and domestic, then we haven't finished our job. And security is not a single subject or single-solution conversation. AWS recommends a security-in-depth, best-practice approach, which means this exam is following that pattern. So everything from user management, network controls, data classification methodologies, encryption, encryption at rest and in transit. And speaking of encryption, how do you manage your encryption keys and securely store other secrets? There are two subdomains within Security and Compliance. Implement and manage security and compliance policies. Implement data and infrastructure protection strategies. All right, let's break them down. First, implement and manage security and compliance policies starts with IAM, Identity and Access Management. And there's a lot of details to think about in those three letters. What password policies are the best for certain scenarios? What about requiring MFA? Know the differences between users, groups, roles and the associated policy documents. And speaking to policy documents, consider resource policies to be absolutely in play here, along with finer details about those policies, such as conditions. Now, you should be able to look at the JSON of an IAM policy and be able to interpret what it is actually allowing, or perhaps denying. This subdomain also explores validating policies and permissions. Also, troubleshooting and auditing access issues, which would include services like CloudTrail, obviously, but also loops in objects like the IAM Access Analyzer and the IAM Policy Simulator.
You should understand how Trusted Advisor works, and which security controls it observes. Multi-account strategies are in play, which means you should be comfortable with AWS Control Tower, and absolutely know the moving parts with AWS Organizations. Finally, multi-Region strategies might be a concern for compliance. So the exam will see if you can validate your Region and service selection. No, the exam will not ask you to be an expert in a particular compliance structure, like GDPR or PCI, but you may be presented with an unnamed compliance requirement, such as, for compliance reasons, your user data is required to be encrypted at rest and reside inside German borders, how do you achieve compliance? Now, that you'd need to be able to answer. The second domain is implement data and infrastructure protection strategies. As we dive into data protection, we start by being able to implement a data classification scheme. How do we identify which data needs to be locked down, and what data is publicly available? Once you can identify what needs to be locked down, well, then, lock it down. (chuckles) Encryption. Managing encryption keys with native options available in S3, and other services. Also, understand how KMS and CloudHSM work to enable encryption-at-rest strategies. For encryption in transit, understand your encryption termination options, how to leverage VPN and AWS Certificate Manager. Other secrets may need to be managed by the appropriately named AWS Secrets Manager. And people say our names are weird. Also, in that category, don't forget to review the Systems Manager Parameter Store. Finally, protection schemes that are not reviewed, observed, and reported are just wish lists. So, be familiar with the full range of security-assisting services like AWS Config, GuardDuty, Security Hub, Inspector, Amazon Macie. Know where each one contributes to a comprehensive view of your current posture. Those are the subjects in play for Security and Compliance.
Keep it secret, keep it safe.
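The transcript asks you to read an IAM policy's JSON and work out what it allows or denies, conditions included. The following is an added worked example, not part of the course or AWS's own evaluation engine: a constructed policy (bucket name, prefix and MFA condition are all made up) and a small evaluator that applies the core IAM rule, explicit Deny beats Allow, which beats the implicit deny.

```python
"""Minimal IAM policy evaluator (constructed teaching example, not AWS's
evaluation engine): explicit Deny wins, then any matching Allow, else implicit deny."""
import fnmatch
import json

# Constructed identity policy: broad S3 read, an explicit Deny on a
# confidential prefix, and DeleteObject allowed only when MFA is present.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/confidential/*"},
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards '*' and '?'; action names are case-insensitive, ARNs are not
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, context):
    # Supports only the Bool and StringEquals operators; anything else fails closed
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # a missing key never satisfies the condition
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            else:
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    context = context or {}
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # a matching Deny overrides every Allow
        decision = "allow"
    return decision
```

Statement order never matters in IAM, and the evaluator preserves that: a Deny anywhere in the document wins as soon as it matches, while Allow only sets the result if no Deny matched.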