Domain 4 of 4

Data Security and Governance

Domain · 18% of the DEA-C01 exam

One question runs through the whole domain: for this data, can you say who touched it, what they were allowed to do, and prove it later?

Every task here is a stage in the life of one request against your data, and reading them as a single line keeps the services straight. A pipeline component first proves who it is (authentication), the request is then checked against what that identity may do (authorization), the bytes themselves are protected so a leaked copy is useless (encryption and masking), every call is written to an evidence trail (audit logging), and the whole estate is held to a standard of where data may live and who may discover it (data privacy and governance). The classic exam trap is treating any one of these as the whole answer: an open security group does not matter if IAM denies the call, and a flawless IAM policy does not satisfy an auditor who also needs the data encrypted with a key you control and a CloudTrail record proving access. Read each scenario as 'which stage of that line is the question really testing,' and the right service usually falls out.

The domain unfolds in five steps, one per subtopic, in the order a request flows

Authentication comes first: a compute component assumes an IAM role and proves identity with temporary credentials rather than a stored key, with Secrets Manager holding any genuine database password and security groups and VPC endpoints gating connectivity before IAM is even consulted. Authorization is next: once the caller is known, AWS resolves what it may do through one evaluation model (deny by default, an explicit Deny wins) using IAM policies, Lake Formation grants over the data lake, and SQL GRANT inside Redshift, scoped by RBAC or ABAC, with permission boundaries and SCPs capping what any grant can deliver. Encryption and masking then protect the data itself, almost always through envelope encryption with a KMS key, and choose masking when an authorized viewer should see less than the stored value. Audit logging records who did what with CloudTrail, kept either in the free 90-day event history or a durable trail, and queried later from S3, CloudWatch Logs, or CloudTrail Lake. Data privacy and governance closes the loop across the estate: Macie discovers the PII (personally identifiable information), datashares and Lake Formation share live data without copies, the same SCP (service control policy), used here for residency, keeps data in approved Regions, and AWS Config proves the configuration stayed compliant.

When two answers both work, the exam rewards the managed, identity-first, least-privilege option

AWS keeps steering toward the same defaults, so prefer them when a question leaves room: an assumed IAM role over any long-lived access key, a managed secret store over a credential in code, a customer managed KMS key when control or auditing matters, a preventive guardrail (an SCP, a Config rule) over a manual runbook, and the narrowest grant that still lets the work finish. The instinct that ties the domain together is least privilege backed by evidence: grant the minimum, let the platform issue and rotate the credentials, and make sure every action lands in an immutable log you can query. When a choice promises less to remember (managed rotation, a Lake Formation grant instead of hand-written bucket and IAM policies, a conformance pack instead of one-off checks), it is usually the intended answer.

The five stages of a request, and which subtopic owns each

Stage in the requestQuestion it answersLead AWS servicesDrill into
Prove identityWho is connecting, and may they reach the endpoint?IAM roles, STS, Secrets Manager, security groups, VPC endpoints (PrivateLink)Authentication
Decide permissionsWhat may this identity do, on which resources?IAM policies, Lake Formation grants, Redshift GRANT, permission boundaries, SCPsAuthorization
Protect the dataIf a copy leaks, is it still unreadable?KMS envelope encryption, TLS in transit, Redshift dynamic data masking, Glue PII transformsEncryption and Masking
Prove accessWho did what, when, and can you defend the record?CloudTrail, CloudTrail Lake, CloudWatch Logs, AthenaAudit Logging
Govern the estateWhere may data live, who can discover it, did it stay compliant?Macie, Redshift datashares, residency SCPs, AWS Config, SageMaker CatalogData Privacy and Governance

Subtopics in this domain