Domain 1 of 4 · Chapter 2 of 5

Organization-wide security controls

The two-layer model: preventive ceilings + detective coverage

A guardrail nobody monitors drifts silently, and a finding you can never prevent recurs forever, which is why org-wide security at the professional level is always two cooperating layers and never one. Preventive controls stop a disallowed action before it happens; detective controls find what slipped through. Almost every SAP-C02 security scenario is really asking which layer (and which service in it) the requirement maps to, and an answer that leans on only one layer is a recurring distractor.

Preventive: the ceiling is a filter, never a grant

The preventive primitives in AWS Organizations are service control policies (SCPs)[1], which cap what principals in member accounts may do, and resource control policies (RCPs)[2], which cap what may be done to resources in member accounts. The single most-tested fact about both: they only filter the maximum permissions; neither one ever grants anything. Effective access is the logical intersection[4] of every policy type that applies: the SCP AND the RCP AND the identity-based policy AND (where present) the resource-based policy AND the permissions boundary must all allow the action, and an explicit Deny at any one layer is terminal. Remove the IAM Allow and no SCP can resurrect access.

Both SCPs and RCPs skip the management account and service-linked roles, so they cannot constrain root in the management account, which is exactly why workloads and day-to-day administration belong in member accounts. RCPs additionally require all-features mode[2] and apply only to a subset of services[2]: the supported list includes Amazon S3, AWS STS, AWS KMS, Amazon SQS, AWS Secrets Manager, Amazon Cognito, CloudWatch Logs, and Amazon DynamoDB, among others. RCPs do not affect AWS managed KMS keys.

A third instrument: the permissions boundary

When the requirement is to cap one IAM identity rather than a whole OU (a delegated-admin user, a CI role, a developer who must be allowed to create roles but not escalate) the right tool is a permissions boundary[4], the IAM-level ceiling attached to a single user or role. Like an SCP it only filters: the boundary, any SCP in scope, and the identity-based policy must all allow the action. Reaching for an org-wide SCP to constrain a single principal, or a permissions boundary to govern an entire OU, is the classic wrong-instrument trap.

Detective: aggregate signal into dedicated accounts

The detective layer is Amazon GuardDuty[5] (threat detection from logs and telemetry), AWS Security Hub[11] (posture aggregation and standards scoring), Amazon Macie (sensitive-data discovery in S3), AWS Config[8] (configuration compliance and change history), IAM Access Analyzer[9] (external and unused access), and Amazon Detective[12] (investigation and root-cause analysis). The architectural rule is to centralize: aggregate every account's findings, logs, and compliance state into purpose-built Security/Audit and Log Archive accounts so an analyst reasons over the whole organization in one place. The account-vending and OU structure that hosts those accounts is governance plumbing covered by multi-account-environment; this subtopic prescribes the controls layered on top.

Effective access = the logical intersection: ALL layers must allowSCPRCPIdentity-basedpolicyResource-basedpolicy (where present)PermissionsboundaryEvery layer allows the action?explicit Deny at any layer is terminalAll allowAny layer denies / no AllowAction allowedAction deniedSCP/RCP/boundary only filter; never grant
AWS policy evaluation is an intersection: an action is allowed only when SCP, RCP, identity policy, resource policy, and permissions boundary all allow it; an explicit Deny at any layer is terminal.

Run security services from a delegated administrator

Every org-integrated security service supports registering a delegated administrator: a dedicated member account (commonly a Security or Audit account) from which you operate the service instead of the management account. This is not merely tidy; it is a least-privilege control. Because SCPs and RCPs skip the management account[1] but do apply to member accounts, a delegated-admin account is itself constrained by your guardrails, whereas administration done from the management account would be exempt. The management-account best practice[13] is to keep as few humans in it as possible. The diagram captures that hierarchy: the management account sits above the guardrails, the delegated Security or Audit account runs the services in the middle, and the member accounts it governs sit beneath.

GuardDuty: Regional, with NEW vs ALL auto-enable

GuardDuty is a Regional service. You must designate the same member account as delegated administrator in every Region[5] you want governed; there is no single global switch. From that account you set organization auto-enable to NEW (new accounts only) or ALL (new and existing); choose ALL so every current and future member gets continuous threat detection. A single GuardDuty delegated administrator can manage a maximum of 50,000 member accounts per Region[5]; an organization can hold more than 50,000 accounts, but one delegated admin still cannot exceed that ceiling in a single Region (you receive a CloudWatch, Health Dashboard, and email notification when you approach it).

Security Hub: central configuration

Security Hub aggregates findings in the AWS Security Finding Format (ASFF) from GuardDuty, Amazon Inspector, Macie, and IAM Access Analyzer, giving one pane of glass, and scores accounts against standards including AWS Foundational Security Best Practices (FSBP), the CIS AWS Foundations Benchmark, NIST SP 800-53 Rev 5, NIST SP 800-171, and PCI DSS. Its central configuration[11] lets the delegated admin define configuration policies (enable or disable Security Hub, standards, and individual controls) that apply to OUs, accounts, and the root as centrally managed, while designated targets stay self-managed. Central configuration takes effect in the home Region plus linked Regions and covers new and existing accounts, eliminating per-account, per-Region drift.

Macie, Config, and Access Analyzer org-wide

Amazon Macie[10] runs automated sensitive-data discovery across Amazon S3 (classifying PII, credentials, and financial data, and reporting bucket-level public-access and encryption posture) and is enabled org-wide from a delegated admin. AWS Config[8] records configuration and change history; an organization aggregator plus organization Config rules and conformance packs give org-wide compliance evaluation, but the Config recorder must be on in each account, and Config flags non-compliant resources rather than blocking them. IAM Access Analyzer[9] set with the AWS Organization as its zone of trust flags resources shared outside the org. Its pricing split is a frequent exam detail: external-access analysis is free[14] while a separate unused-access analyzer (dormant roles, permissions, and credentials) is billed per IAM role or user analyzed per month.

Detective: investigate, do not detect

Amazon Detective[12] is the investigation layer, not another detector. It automatically extracts time-based events from AWS CloudTrail and Amazon VPC Flow Logs and ingests GuardDuty findings, then uses machine learning and graph theory to build a behavior graph for root-cause analysis across up to a year of history. It is integrated with AWS Organizations: the management account designates a Detective administrator account that enables members into the organization behavior graph, and you pivot directly from a GuardDuty or Security Hub finding into Detective. Choosing Detective when a scenario asks to detect (rather than investigate) a threat is a trap; that is GuardDuty's job.

IAM Identity Center delegation is narrower

Workforce access via IAM Identity Center[15] also supports a delegated administrator, but with an important asymmetry: the Identity Center instance must always reside in the management account, and a delegated admin cannot modify permission sets that grant access to the management account. Delegating Identity Center reduces who needs management-account access without surrendering control of management-account access itself.

Operate security services from a delegated administrator, not the management accountManagement accountSCPs and RCPs skip itDelegated admin: Security / Audit account (SCPs and RCPs apply)GuardDutySecurity HubMacieConfigIAM Access AnalyzerDetectiveEach service governs every member account org-wideMember accounts (workloads, governed by the controls above)
Operate org security services from a delegated Security/Audit account; SCPs and RCPs constrain that admin but skip the management account.

Centralized logging, KMS, and cross-account access

Once the guardrails and detective services are in place, the remaining controls protect the data those layers generate and consume: centralizing the audit trail, governing the encryption keys, and gating cross-account access. This section walks those three in order.

Organization CloudTrail to one log-archive account

A single organization trail[7] in AWS CloudTrail captures every member account's management events (and, optionally, data events) into one S3 log-archive bucket in a dedicated account. Created from the management account or a CloudTrail delegated administrator, it applies to all members, including accounts that join later, and members cannot remove or alter it, giving tamper-resistant central audit logs that pair with Security Hub and Config. The bucket policy must allow each member account's delivery, which the organization-trail flow configures for you.

KMS: key policy, IAM, and grants

Every customer-managed KMS key has a key policy (a resource policy on the key itself) that is the root of trust for that key. For cross-account use, the key policy in the owner account AND an IAM policy in the external account must both allow the operation; neither alone is sufficient[16]. The key policy decides who can be given access; the IAM policy decides who does. The diagram renders this two-key requirement as a single gate: only when both the owner-account key policy and the external-account IAM policy allow does the cross-account operation succeed. AWS managed KMS keys cannot be shared cross-account this way.

A grant[17] is the third KMS access instrument and the one purpose-built for temporary, programmatic, granular delegation, exactly how AWS services that integrate with KMS encrypt your data at rest. Grant facts the exam leans on:

Scheduling deletion of a customer-managed key enforces a mandatory 7-to-30-day waiting period (default 30 days)[18]; deletion is never immediate and is cancellable until the window ends.

Secrets, certificates, and the perimeter

For credential hygiene, AWS Secrets Manager managed rotation[19] (no Lambda required) covers Aurora, RDS, DocumentDB, and Redshift; custom secrets still need a rotation Lambda implementing the four-step contract. For data in transit, AWS Certificate Manager[20] issues and auto-renews free public certificates whose private key never leaves AWS, but note the Region rule: an ALB certificate must be in the same Region as the load balancer, while a CloudFront certificate must be in us-east-1 regardless of where the distribution serves. To enforce an organization data perimeter at the resource edge, an RCP[2] using aws:PrincipalOrgID (with a carve-out for aws:PrincipalIsAWSService) denies any principal outside the org from reaching supported resources such as S3 buckets and KMS keys.

Cross-account KMS access needs BOTH approvals; neither alone is enoughKey policy (owner account)allows the operationIAM policy (external account)allows the operationBoth policies allow?key policy AND IAM, not oneBoth allowEither missingCross-account operationsucceedsDenied
Cross-account KMS use needs two approvals: the owner account's key policy AND the external account's IAM policy must both allow; neither alone is sufficient.

Exam-pattern recognition: stems, correct picks, and traps

SAP-C02 security questions almost always describe a multi-account organization and ask for the one control that satisfies a precise requirement at the lowest operational overhead. Match the stem's verb and object to the layer first, then to the service.

Pattern 1: "prevent ... across all accounts"

Stem: "A company must ensure no member account can launch resources outside two approved Regions, including accounts added later." Correct: an SCP[1] with a Deny on aws:RequestedRegion (carving out global services like IAM, STS, CloudFront, Route 53, Support via NotAction), attached at the root or a parent OU so inheritance covers future accounts. Why distractors fail: an IAM policy in each account does not stop a future account and is per-account toil; an SCP that grants the two Regions is wrong by construction (SCPs never grant); AWS Config can report out-of-Region resources but cannot prevent them.

Pattern 2: "block anyone outside the organization from reaching our resources"

Stem: "Prevent any principal not in the organization from accessing our S3 buckets and KMS keys, org-wide." Correct: an RCP[2] denying access when aws:PrincipalOrgID does not match, with an aws:PrincipalIsAWSService carve-out, attached high in the OU tree. Why distractors fail: an SCP constrains your principals, not external ones touching your resources; bucket policies on every bucket are per-resource sprawl that misses new buckets; RCPs additionally require all-features mode, so a billing-only org is a setup trap.

Pattern 3: "cap one privileged identity"

Stem: "The DevOps team has admin in their account and must be allowed to create IAM roles, but must not be able to grant those roles permissions beyond an approved set." Correct: a permissions boundary[4] attached to the team's roles, plus a condition requiring the boundary on any role they create. Why distractors fail: an org-wide SCP would constrain the whole account, not just that team; the SCP-only answer cannot express 'roles you create must also carry this boundary'.

Pattern 4: "detect / one pane of glass / investigate"

Stem A ("continuously detect crypto-mining and credential exfiltration across every account and Region") → Amazon GuardDuty[5] from a delegated admin with auto-enable ALL, per Region. Stem B ("a single place to triage all findings and benchmark accounts against CIS and PCI DSS") → AWS Security Hub[11] with central configuration. Stem C ("after a GuardDuty alert, determine the root cause and full blast radius from CloudTrail and VPC flow history") → Amazon Detective[12]. Why distractors fail: Security Hub aggregates but does not itself detect threats; Detective investigates but does not generate the original findings; Config tracks configuration drift, not threat telemetry.

Pattern 5: "least privilege / unused access / external sharing"

Stem: "Identify IAM roles, users, and credentials that have not been used so the team can prune them, AND flag any resource shared outside the org." Correct: IAM Access Analyzer[9] at the organization zone of trust. External-access findings (free[14]) plus a separate unused-access analyzer (paid per role/user). Why distractors fail: Macie finds sensitive data in S3, not unused IAM permissions; GuardDuty finds active threats, not dormant entitlements; reading CloudTrail by hand is the brute-force non-answer.

Pattern 6: "mandate WAF / firewall rules on every account"

Stem: "Ensure AWS WAF is attached to every ALB across 200 accounts and auto-remediate new ones." Correct: AWS Firewall Manager[3] policies (WAF, Shield Advanced, security-group, Network Firewall, Route 53 Resolver DNS Firewall) from a Firewall Manager admin account. Trap: Firewall Manager has a hard prerequisite. AWS Config must be enabled[21] in every account and Region a policy scopes, plus an Organization with all features; an option that skips enabling Config is wrong.

Pattern 7: "share central infrastructure, encrypt cross-account"

Stem: "Workload accounts must use a central KMS key / a central VPC's subnets without each rebuilding them." Correct: for KMS, a key policy in the owner account plus IAM in the consumer account (or a grant[17] for temporary service-driven use); for networking, share subnets via AWS Resource Access Manager. Why distractors fail: an IAM policy alone cannot reach a cross-account key without the key policy allowing it[16]; copying the key into each account defeats centralized key management and rotation.

Org-wide security services: role, layer, and delegated-admin model

ServiceAmazon GuardDutyAWS Security HubAWS ConfigAmazon MacieAWS Firewall Manager
Primary jobThreat detection from logs/telemetryPosture aggregation + standards scoringConfig compliance + change historySensitive-data discovery in S3Push WAF/Shield/SG/NFW/DNS policies
Control layerDetectiveDetective (aggregator)DetectiveDetective (data)Preventive (network)
Org delegated adminYesYesYesYesYes
Auto-enable new accountsYes (NEW or ALL)Yes (central configuration)Yes (org rules / packs)YesYes (policy scope)
Hard dependencyNoneConsumes GuardDuty/Inspector/Macie via ASFFConfig recorder onS3 onlyAWS Config must be enabled
Typical scenario answerDetect crypto-mining / recon org-wideOne pane for all findings + benchmarksDetect/flag non-compliant resourcesFind unencrypted PII in S3Mandate WAF on every ALB org-wide

Decision tree

Block the action (preventive)or find it (detective)?Prevent / blockDetect / findCap principals/resources, orpush network firewall rules?PrincipalsResourcesWAF/SG/NFWWhat do you need to surface?threats, posture, config, data, accessThreatsOne paneConfig driftPII / accessSCPprincipal ceilingper OU/accountRCPresource ceiling;blocks external (all-features)AWS Firewall Managerorg-wide WAF/Shield/SG/NFW/DNS (needs AWS Config)Amazon GuardDutythreat detection;auto-enable ALLAWS Security Hubaggregates findings (ASFF);FSBP/CIS/NIST/PCI scoringAWS Configcompliance + changehistory; org rules/packsSensitive data in S3, orunused / external access?PII in S3AccessAmazon MacieS3 sensitive-data discoveryIAM Access Analyzerexternal-access (free) +unused-access (paid) findingsAlways: run from a delegated admin (Security/Audit account),never the management account — SCPs/RCPs/FMS skip it, and a memberadmin is itself constrained. Guardrails filter only; never grant.

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Pair preventive guardrails with detective services org-wide

A complete org security posture needs two layers: preventive controls that block bad actions before they happen (SCPs, RCPs, AWS Firewall Manager) and detective services that surface what gets through (Amazon GuardDuty, AWS Security Hub, Amazon Macie, AWS Config, IAM Access Analyzer). A guardrail nobody monitors drifts unnoticed; a finding you cannot prevent recurs: SAP-C02 scenarios that name only one layer are usually incomplete.

Trap Treating GuardDuty or Security Hub as preventive controls that stop the offending action; detective services only surface findings, while SCPs, RCPs, or Firewall Manager are what actually block.

Cap one IAM identity with a permissions boundary, not an SCP

A permissions boundary is the IAM-level ceiling on a single user or role, the right tool to cap one delegated-admin or CI principal, where an org-wide SCP would over-reach. It only filters, never grants: the effective permissions are the intersection of the boundary and the identity-based policy, so the action must be allowed by the boundary, any SCP, and the identity policy together.

Trap Reaching for an SCP to restrict a single principal: an SCP filters every identity in the account, not one user or role.

1 question tests this
Register a delegated admin so security runs outside the management account

GuardDuty, Security Hub, Macie, IAM Access Analyzer, AWS Config, and Firewall Manager each support registering a delegated administrator account. Run them from a dedicated Security or Audit member account so day-to-day administration happens outside the management account, in line with least privilege, and so the security tooling itself stays subject to the org's SCPs and RCPs.

Trap Operating org security services directly from the management account: it violates least privilege and the management account is exempt from SCPs and RCPs.

1 question tests this
Designate GuardDuty's delegated admin per Region and auto-enable ALL

GuardDuty is a Regional service, so the same member account must be designated as delegated administrator in every Region you use it. Organization auto-enable is NEW (new member accounts only) or ALL (new and existing); choose ALL so every current and future member gets continuous threat detection without manual onboarding.

Trap Leaving auto-enable on NEW and assuming existing accounts are covered: NEW onboards only future members, so accounts already in the org stay unprotected.

One GuardDuty delegated admin manages up to 50,000 members per Region

A single GuardDuty delegated administrator can manage a maximum of 50,000 member accounts per Region; cross that and you receive a notification via CloudWatch, the Health Dashboard, and email. An organization can hold more than 50,000 accounts, but one delegated admin cannot cover them all in a single Region: the cap is the testable ceiling.

Security Hub scores controls against FSBP, CIS, NIST, and PCI DSS

Security Hub runs control checks and produces a per-standard security score against standards including AWS Foundational Security Best Practices (FSBP), CIS AWS Foundations Benchmark, NIST SP 800-53 Rev 5, and PCI DSS. Enabling a standard automatically enables all of its controls; you can then disable individual controls as needed.

Trap Assuming you opt into each control one by one; enabling a standard turns on all of its controls at once, and you disable the unwanted ones afterward.

1 question tests this
Push Security Hub config org-wide with central configuration policies

Security Hub central configuration lets the delegated administrator write configuration policies that target OUs and accounts from one home Region, enabling Security Hub, standards, and controls across new and existing accounts while leaving chosen accounts self-managed. It replaces per-account, per-Region setup, which is the source of configuration drift in large orgs.

Trap Relying on local configuration to cover the whole org: local config only auto-enables new accounts in the current Region, never existing accounts or other Regions.

4 questions test this
Mandate WAF, Shield, SGs, NFW, and DNS Firewall with Firewall Manager

AWS Firewall Manager centrally enforces AWS WAF, AWS Shield Advanced, security-group, AWS Network Firewall, and Route 53 Resolver DNS Firewall policies across every account in the org, automatically applying protection to newly created and non-compliant resources. Use it for org-wide mandates such as 'AWS WAF on every ALB' that must hold as new accounts and resources appear.

Trap Assuming Firewall Manager only protects resources created after the policy; it also detects and remediates existing non-compliant resources across the org.

1 question tests this
Firewall Manager needs AWS Config enabled in every in-scope account

Firewall Manager evaluates and remediates resources through AWS Config, so AWS Config must be enabled in every account and Region a Firewall Manager policy scopes. Without it, Firewall Manager has no resource inventory to assess in that account and silently cannot enforce or remediate there: enabling Config is a documented prerequisite.

Trap Expecting a Firewall Manager policy to protect an account where AWS Config is off: it cannot evaluate resources there, so coverage gaps go unnoticed.

Access Analyzer external-access findings are free; unused-access is paid

An IAM Access Analyzer with the AWS Organization as its zone of trust flags resources shared with principals outside the org (external-access findings) at no charge. A separate unused-access analyzer continuously reviews dormant roles, access keys, and passwords and is billed per IAM role or user analyzed per analyzer per month, so 'find unintended external sharing' is the free use, while 'clean up unused access' carries a cost.

Trap Assuming every IAM Access Analyzer analyzer is free: only external-access analysis is free; unused-access (and internal-access) analyzers are billed.

13 questions test this
Use Macie to discover sensitive data in S3 across the org

Amazon Macie runs automated sensitive-data discovery across Amazon S3, using machine learning and pattern matching to find PII, credentials, and financial data, and it reports each bucket's public-access and encryption posture. For 'locate unencrypted PII in S3 org-wide' scenarios, Macie is the answer: GuardDuty watches for threats and Config tracks configuration, but neither classifies object contents.

Trap Choosing GuardDuty or AWS Config to find sensitive data inside S3 objects: only Macie inspects and classifies object contents.

Evaluate org-wide compliance with a Config aggregator and org rules

AWS Config records resource configuration and change history, and an organization Config aggregator plus organization Config rules and conformance packs give a single read-only, org-wide compliance view. Config requires its recorder enabled in each account, and it flags non-compliant resources rather than blocking them: pair it with an SCP or Firewall Manager when you actually need to prevent the drift.

Trap Expecting AWS Config to block non-compliant resources: Config detects and reports drift but never prevents the action.

3 questions test this
Centralize audit logs with an organization CloudTrail to one bucket

An organization trail in AWS CloudTrail captures management (and optionally data) event API activity from the management account and every member account into a single S3 log-archive bucket, typically in a dedicated logging account. Member accounts can see the trail but cannot stop or alter it, giving tamper-resistant central audit logs that feed Security Hub and Config for org-wide detection.

Trap Stitching together a separate per-account trail in every member account: an organization trail logs all accounts into one bucket and members cannot disable it.

6 questions test this
Network Firewall TLS inspection needs a CA certificate in ACM for egress

To inspect encrypted HTTPS payloads, AWS Network Firewall uses a TLS inspection configuration that decrypts traffic, runs it through the stateful rules, then re-encrypts it before forwarding. Outbound (egress) inspection requires importing a CA certificate into AWS Certificate Manager (Network Firewall uses it to generate the server certificate) while inbound uses a server certificate in ACM; scope settings control which flows are decrypted. Without TLS inspection you can only match unencrypted content or the TLS SNI.

7 questions test this
Network Firewall runs Suricata; use strict order for default-deny

Network Firewall's stateful engine is Suricata, so you can import Suricata-compatible IPS rulesets (e.g. Emerging Threats) directly for signature-based detection. Strict rule order evaluates rule groups by priority and rules in the exact sequence you define; pairing it with a 'Drop established' default action builds a default-deny posture where only explicitly allowed traffic passes.

Trap Assuming default (action) rule order honors your priorities literally: only strict order evaluates rules in your exact sequence; default order applies pass before drop before reject first.

9 questions test this
Gate IAM policies in CI/CD with Access Analyzer custom policy checks

IAM Access Analyzer custom policy checks use automated reasoning to validate policies before they ship in a pipeline: CheckNoPublicAccess flags resource policies that could grant public access, CheckAccessNotGranted fails when a policy permits a specified list of sensitive actions, and CheckNoNewAccess fails when an updated policy grants more access than a reference policy. Each call to check for new access is billed.

Trap Mixing up the checks and using CheckAccessNotGranted to compare a policy against a prior version; comparing new access to a reference policy is the job of CheckNoNewAccess.

4 questions test this
Back a KMS custom key store with CloudHSM for customer-controlled keys

When regulations require key material in FIPS 140 Level 3 validated hardware under your direct control (often with PKCS#11 support), back an AWS KMS custom key store with a CloudHSM cluster: keys are managed through the familiar KMS interface but generated and stored in HSMs you own and audit. A CloudHSM-backed key store supports only symmetric encryption KMS keys, not asymmetric keys, HMAC keys, imported key material, or automatic rotation.

Trap Planning to create asymmetric or HMAC KMS keys in a CloudHSM custom key store: it supports only symmetric (AES) encryption keys.

3 questions test this
Aggregate Security Hub findings cross-Region into one home Region

Security Hub cross-Region aggregation replicates findings, finding updates, insights, control statuses, and security scores from linked Regions into a single home (aggregation) Region, so the delegated administrator's home-Region console, EventBridge feed, and downstream integrations see every Region's findings at once instead of Region by Region. Updates flow both ways and the replication adds no cost.

Trap Reaching for central configuration to pull every Region's findings into one console; central configuration deploys settings org-wide, while cross-Region aggregation is what consolidates the findings themselves.

3 questions test this

Also tested in

References

  1. Service control policies (SCPs)
  2. Resource control policies (RCPs)
  3. AWS Firewall Manager policies
  4. IAM JSON policy evaluation logic
  5. Managing GuardDuty accounts with AWS Organizations
  6. Managing administrator and member accounts in Security Hub CSPM
  7. Creating a trail for an organization
  8. Managing AWS Config rules across all accounts in your organization
  9. Getting started with IAM Access Analyzer
  10. Amazon Macie and AWS Organizations
  11. Understanding central configuration in Security Hub CSPM
  12. What is Amazon Detective?
  13. Best practices for the management account
  14. IAM Access Analyzer pricing
  15. Delegated administration for IAM Identity Center
  16. Allowing users in other accounts to use a KMS key
  17. Grants in AWS KMS
  18. Deleting AWS KMS keys
  19. Managed rotation for AWS Secrets Manager secrets
  20. Certificate Manager supported Regions and quotas
  21. AWS Firewall Manager prerequisites