🛡️Exam Guide: Cloud Practitioner
Domain 2: Security & Compliance
📘Task Statement 2.4
🎯What Is This Task Testing?
You need to recognize:
- Core AWS security capabilities (network controls, threat detection, DDoS protection, web protection)
- Where to find AWS security documentation and guidance
- That third-party security tools exist via AWS Marketplace
- Which AWS services can help identify security issues (for example, Trusted Advisor)
1) 🔐 AWS Security Features and Services to Know
“Which service/control should you use?” Know the purpose of each.
Security Groups (SGs)
- A virtual firewall attached to a resource's network interface, for example an Amazon EC2 instance.
- Control inbound and outbound traffic with allow rules only: there are no deny rules, and anything not explicitly allowed is dropped.
- Stateful: return traffic for an allowed connection is permitted automatically, whatever the rules in the other direction say.
Use SGs When: you need instance/resource-level traffic control (ports, protocols, source/destination).
Network ACLs (NACLs)
- A firewall at the subnet level in a VPC; it applies to every resource in the subnets it is associated with.
- Inbound and outbound rules are numbered and evaluated in ascending order; the first matching rule wins, and both allow and deny rules are supported (anything unmatched hits the implicit final deny).
- Stateless: return traffic must be explicitly allowed, typically with an outbound rule for the ephemeral port range.
Use NACLs When: you need subnet-wide allow/deny rules, including explicit denies (for example, blocking a known-bad source IP range in front of an allow rule).
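To make the stateful/stateless and allow-only/allow-or-deny distinctions concrete, here is a small Python model of how each device decides on a packet. It is an added example written for this guide, not AWS code: the rule dictionaries, the packet shape, the sample rules and the flow-tracking are constructed for illustration and simplify what the EC2 networking layer actually does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving at the instance) or "out" (leaving it)
    protocol: str    # "tcp" or "udp"
    remote_ip: str   # address of the other endpoint
    src_port: int
    dst_port: int

    def flow_key(self):
        # Identical for a request and its reply, so a stateful device can
        # recognise the reply: (protocol, peer address, peer port, local port).
        if self.direction == "in":
            return (self.protocol, self.remote_ip, self.src_port, self.dst_port)
        return (self.protocol, self.remote_ip, self.dst_port, self.src_port)


def rule_matches(rule, packet):
    # Rule fields (constructed format): direction, protocol ("tcp"/"udp"/"all"),
    # cidr, and an inclusive port_from..port_to range checked against the
    # packet's destination port, as AWS rules are.
    return (rule["direction"] == packet.direction
            and rule["protocol"] in ("all", packet.protocol)
            and rule["port_from"] <= packet.dst_port <= rule["port_to"]
            and ip_address(packet.remote_ip) in ip_network(rule["cidr"]))


class SecurityGroup:
    """Stateful and allow-only: there are no deny rules, any matching rule
    permits the packet, and the reply to a permitted packet is permitted
    automatically because the flow is remembered."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def allows(self, packet):
        if packet.flow_key() in self.flows:
            return True                      # return traffic of a known flow
        if any(rule_matches(r, packet) for r in self.rules):
            self.flows.add(packet.flow_key())
            return True
        return False                         # implicit deny


class NetworkAcl:
    """Stateless: every packet, replies included, is judged on its own.
    Rules are evaluated in ascending rule-number order, the first match
    wins (so an explicit deny can sit in front of an allow), and anything
    unmatched hits the implicit final deny ('*')."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["number"])

    def allows(self, packet):
        for rule in self.rules:
            if rule_matches(rule, packet):
                return rule["action"] == "allow"
        return False


# Constructed sample rules for a public HTTPS server.
SG_RULES = [
    {"direction": "in", "protocol": "tcp", "cidr": "0.0.0.0/0",
     "port_from": 443, "port_to": 443},
]
NACL_RULES = [
    {"number": 90, "direction": "in", "action": "deny", "protocol": "all",
     "cidr": "198.51.100.0/24", "port_from": 0, "port_to": 65535},
    {"number": 100, "direction": "in", "action": "allow", "protocol": "tcp",
     "cidr": "0.0.0.0/0", "port_from": 443, "port_to": 443},
    {"number": 100, "direction": "out", "action": "allow", "protocol": "tcp",
     "cidr": "0.0.0.0/0", "port_from": 1024, "port_to": 65535},   # replies use ephemeral ports
]


def demo():
    sg, nacl = SecurityGroup(SG_RULES), NetworkAcl(NACL_RULES)
    nacl_no_egress = NetworkAcl([r for r in NACL_RULES if r["direction"] == "in"])
    request = Packet("in", "tcp", "203.0.113.5", src_port=51000, dst_port=443)
    reply = Packet("out", "tcp", "203.0.113.5", src_port=443, dst_port=51000)
    blocked = Packet("in", "tcp", "198.51.100.7", src_port=51001, dst_port=443)
    return {
        "sg_request": sg.allows(request),            # True: matches the inbound 443 rule
        "sg_reply": sg.allows(reply),                # True: stateful, no outbound rule needed
        "sg_bad_source": sg.allows(blocked),         # True: a security group cannot express a deny
        "nacl_request": nacl.allows(request),        # True: inbound rule 100
        "nacl_reply": nacl.allows(reply),            # True: only thanks to the ephemeral-port outbound rule
        "nacl_reply_no_egress": nacl_no_egress.allows(reply),  # False: stateless, reply dropped
        "nacl_bad_source": nacl.allows(blocked),     # False: deny rule 90 is checked before allow rule 100
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {'ALLOW' if verdict else 'DENY'}")
```

The two verdicts worth remembering for the exam are `sg_bad_source` (a security group has no way to deny one source while allowing the world, so that job belongs to a NACL) and `nacl_reply_no_egress` (a NACL with only inbound rules silently drops every reply).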
AWS Web Application Firewall (WAF)
- A web application firewall that helps protect web apps from common exploits at the HTTP layer.
- Inspects HTTP(S) requests against the rules in a web ACL and can block, allow, count, or rate-limit them (for example, SQL injection and cross-site scripting patterns, requests from listed IP ranges, or too many requests from one source).
Use WAF When: you want to block malicious web requests or enforce web rules in front of CloudFront, an Application Load Balancer, or API Gateway.
AWS Firewall Manager
- A central management service for security rules and policies.
- Helps you configure and manage protections (for example, WAF rules, Shield Advanced protections, and security group rules) across multiple accounts and resources; it requires AWS Organizations and applies policies to new resources and accounts as they appear.
Use Firewall Manager When: you need consistent security policy enforcement at scale across many accounts.
AWS Shield
- Helps protect against DDoS attacks on internet-facing resources.
- Shield Standard is enabled automatically for all AWS customers at no extra cost and mitigates common network- and transport-layer floods; Shield Advanced is a paid tier that adds more detection and mitigation, cost protection against usage spikes caused by an attack, and 24/7 access to the AWS Shield Response Team.
Use Shield when: the scenario mentions DDoS attacks, volumetric attacks, or keeping public endpoints available during attacks (pick Shield Advanced when it asks for response-team support or cost protection).
Amazon GuardDuty
- A threat detection service that continuously monitors for suspicious activity and unauthorized behavior.
- Analyzes AWS CloudTrail events, VPC Flow Logs, and DNS logs (plus optional sources such as S3 data events and EKS audit logs) using threat intelligence and anomaly detection, and produces findings with a severity level.
- It detects and reports; it does not block. Automated response is built by sending findings to Amazon EventBridge and acting on them.
Use GuardDuty when: you need continuous threat detection and alerts for potentially compromised resources, credentials, or accounts.
2) 🧩 Third-Party Security Products
AWS Marketplace
AWS also supports third-party security tooling for needs like:
- SIEM/log analytics
- endpoint protection
- vulnerability scanning
- network security appliances
AWS Marketplace is where you can find and deploy third-party security products that integrate with AWS.
“Where can you obtain third-party security solutions for AWS?” → AWS Marketplace.
3) 📚 Where to Find AWS Security Information
Know where AWS publishes official guidance, updates, and troubleshooting:
- AWS Security Center: centralized security guidance and best practices.
- AWS Security Blog: announcements and deep dives on AWS security topics.
- AWS Knowledge Center: how-to articles and troubleshooting steps.
“official guidance/best practices” → Security Center
“latest updates and detailed posts” → Security Blog
“how do I fix/configure X?” → Knowledge Center
4) 🔎 Using AWS Services to Identify Security Issues
AWS Trusted Advisor
Trusted Advisor inspects your account configuration and usage and provides best-practice recommendations across multiple categories, including Security (alongside cost optimization, performance, fault tolerance, and service limits).
A core set of checks, including security checks such as security groups with unrestricted ports, MFA on the root account, IAM use, and publicly accessible S3 buckets or EBS/RDS snapshots, is available to every account; the full set of checks requires a Business, Enterprise On-Ramp, or Enterprise Support plan.
Use Trusted Advisor When: you want recommendations that flag common security risks and misconfigurations (along with other best-practice areas).
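To show what "identifying a security issue from configuration" looks like in practice, here is an added Python example for this guide, not Trusted Advisor's code (its exact checks, port lists and thresholds are its own): a simplified check in the spirit of the unrestricted-ports security check, run over a constructed sample of security groups in the shape `boto3`'s `ec2.describe_security_groups()` returns. The `SENSITIVE_PORTS` list is an assumption made for the example.

```python
SENSITIVE_PORTS = {               # assumed list of ports that should never be world-open
    22: "SSH", 23: "Telnet", 1433: "MSSQL", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 27017: "MongoDB",
}
WORLD = {"0.0.0.0/0", "::/0"}     # "anyone on the internet", IPv4 and IPv6


def world_sources(permission):
    """CIDR sources of one IpPermissions entry that mean 'everyone'."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD)


def exposed_sensitive_ports(permission):
    """Sensitive ports covered by one entry. IpProtocol "-1" means all
    traffic (the entry then has no FromPort/ToPort); UDP and ICMP entries
    are ignored here because the watched services are TCP."""
    proto = permission.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto != "tcp":
        return []
    lo, hi = permission["FromPort"], permission["ToPort"]
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def find_unrestricted_ports(security_groups):
    """Return one finding per (group, sensitive port) reachable from the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):     # inbound rules only
            sources = world_sources(perm)
            if not sources:
                continue
            for port in exposed_sensitive_ports(perm):
                findings.append({
                    "group": sg["GroupId"],
                    "port": port,
                    "service": SENSITIVE_PORTS[port],
                    "sources": sources,
                })
    return findings


# Constructed sample, mimicking describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def report(security_groups=SAMPLE_GROUPS):
    """Group findings by security group id, like a check's per-resource rows."""
    rows = {}
    for f in find_unrestricted_ports(security_groups):
        rows.setdefault(f["group"], []).append(f"{f['port']}/{f['service']}")
    return rows


if __name__ == "__main__":
    for group, ports in report().items():
        print(f"{group}: {', '.join(ports)}")
```

Two details matter when reading real data this way: an `IpProtocol` of `"-1"` (all traffic) has no port fields at all, so a check that blindly reads `FromPort` crashes on exactly the most dangerous rule, and a wide port range (`3000-4000` above) exposes database and RDP ports without ever naming them. To run it against an account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`.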
✅ Quick Exam-Style Summary
- Security groups: instance/network-interface-level firewall (stateful, allow rules only).
- NACLs: subnet-level firewall (stateless, numbered allow and deny rules, first match wins).
- AWS WAF: web request filtering/protection.
- AWS Firewall Manager: centralized policy management across accounts/resources.
- AWS Shield: DDoS protection.
- Amazon GuardDuty: threat detection findings.
- AWS Marketplace: third-party security products.
- Security info sources: AWS Security Center, AWS Security Blog, AWS Knowledge Center.
- AWS Trusted Advisor: identifies security issues via best-practice checks.