Organization-wide security controls
The two-layer model: preventive ceilings + detective coverage
A guardrail nobody monitors drifts silently, and a finding you can never prevent recurs forever, which is why org-wide security at the professional level is always two cooperating layers and never one. Preventive controls stop a disallowed action before it happens; detective controls find what slipped through. Almost every SAP-C02 security scenario is really asking which layer (and which service in it) the requirement maps to, and an answer that leans on only one layer is a recurring distractor.
Preventive: the ceiling is a filter, never a grant
The preventive primitives in AWS Organizations are service control policies (SCPs)[1], which cap what principals in member accounts may do, and resource control policies (RCPs)[2], which cap what may be done to resources in member accounts. The single most-tested fact about both: they only filter the maximum permissions; neither one ever grants anything. Effective access is the logical intersection[4] of every policy type that applies: the SCP AND the RCP AND the identity-based policy AND (where present) the resource-based policy AND the permissions boundary must all allow the action, and an explicit Deny at any one layer is terminal. Remove the IAM Allow and no SCP can resurrect access.
Both SCPs and RCPs skip the management account and service-linked roles, so they cannot constrain root in the management account, which is exactly why workloads and day-to-day administration belong in member accounts. RCPs additionally require all-features mode[2] and apply only to a subset of services[2]: the supported list includes Amazon S3, AWS STS, AWS KMS, Amazon SQS, AWS Secrets Manager, Amazon Cognito, CloudWatch Logs, and Amazon DynamoDB, among others. RCPs do not affect AWS managed KMS keys.
A third instrument: the permissions boundary
When the requirement is to cap one IAM identity rather than a whole OU (a delegated-admin user, a CI role, a developer who must be allowed to create roles but not escalate) the right tool is a permissions boundary[4], the IAM-level ceiling attached to a single user or role. Like an SCP it only filters: the boundary, any SCP in scope, and the identity-based policy must all allow the action. Reaching for an org-wide SCP to constrain a single principal, or a permissions boundary to govern an entire OU, is the classic wrong-instrument trap.
Detective: aggregate signal into dedicated accounts
The detective layer is Amazon GuardDuty[5] (threat detection from logs and telemetry), AWS Security Hub[11] (posture aggregation and standards scoring), Amazon Macie (sensitive-data discovery in S3), AWS Config[8] (configuration compliance and change history), IAM Access Analyzer[9] (external and unused access), and Amazon Detective[12] (investigation and root-cause analysis). The architectural rule is to centralize: aggregate every account's findings, logs, and compliance state into purpose-built Security/Audit and Log Archive accounts so an analyst reasons over the whole organization in one place. The account-vending and OU structure that hosts those accounts is governance plumbing covered by multi-account-environment; this subtopic prescribes the controls layered on top.
Run security services from a delegated administrator
Every org-integrated security service supports registering a delegated administrator: a dedicated member account (commonly a Security or Audit account) from which you operate the service instead of the management account. This is not merely tidy; it is a least-privilege control. Because SCPs and RCPs skip the management account[1] but do apply to member accounts, a delegated-admin account is itself constrained by your guardrails, whereas administration done from the management account would be exempt. The management-account best practice[13] is to keep as few humans in it as possible. The diagram captures that hierarchy: the management account sits above the guardrails, the delegated Security or Audit account runs the services in the middle, and the member accounts it governs sit beneath.
GuardDuty: Regional, with NEW vs ALL auto-enable
GuardDuty is a Regional service. You must designate the same member account as delegated administrator in every Region[5] you want governed; there is no single global switch. From that account you set organization auto-enable to NEW (new accounts only) or ALL (new and existing); choose ALL so every current and future member gets continuous threat detection. A single GuardDuty delegated administrator can manage a maximum of 50,000 member accounts per Region[5]; an organization can hold more than 50,000 accounts, but one delegated admin still cannot exceed that ceiling in a single Region (you receive a CloudWatch, Health Dashboard, and email notification when you approach it).
Security Hub: central configuration
Security Hub aggregates findings in the AWS Security Finding Format (ASFF) from GuardDuty, Amazon Inspector, Macie, and IAM Access Analyzer, giving one pane of glass, and scores accounts against standards including AWS Foundational Security Best Practices (FSBP), the CIS AWS Foundations Benchmark, NIST SP 800-53 Rev 5, NIST SP 800-171, and PCI DSS. Its central configuration[11] lets the delegated admin define configuration policies (enable or disable Security Hub, standards, and individual controls) that apply to OUs, accounts, and the root as centrally managed, while designated targets stay self-managed. Central configuration takes effect in the home Region plus linked Regions and covers new and existing accounts, eliminating per-account, per-Region drift.
Macie, Config, and Access Analyzer org-wide
Amazon Macie[10] runs automated sensitive-data discovery across Amazon S3 (classifying PII, credentials, and financial data, and reporting bucket-level public-access and encryption posture) and is enabled org-wide from a delegated admin. AWS Config[8] records configuration and change history; an organization aggregator plus organization Config rules and conformance packs give org-wide compliance evaluation, but the Config recorder must be on in each account, and Config flags non-compliant resources rather than blocking them. IAM Access Analyzer[9] set with the AWS Organization as its zone of trust flags resources shared outside the org. Its pricing split is a frequent exam detail: external-access analysis is free[14] while a separate unused-access analyzer (dormant roles, permissions, and credentials) is billed per IAM role or user analyzed per month.
Detective: investigate, do not detect
Amazon Detective[12] is the investigation layer, not another detector. It automatically extracts time-based events from AWS CloudTrail and Amazon VPC Flow Logs and ingests GuardDuty findings, then uses machine learning and graph theory to build a behavior graph for root-cause analysis across up to a year of history. It is integrated with AWS Organizations: the management account designates a Detective administrator account that enables members into the organization behavior graph, and you pivot directly from a GuardDuty or Security Hub finding into Detective. Choosing Detective when a scenario asks to detect (rather than investigate) a threat is a trap; that is GuardDuty's job.
IAM Identity Center delegation is narrower
Workforce access via IAM Identity Center[15] also supports a delegated administrator, but with an important asymmetry: the Identity Center instance must always reside in the management account, and a delegated admin cannot modify permission sets that grant access to the management account. Delegating Identity Center reduces who needs management-account access without surrendering control of management-account access itself.
Centralized logging, KMS, and cross-account access
Once the guardrails and detective services are in place, the remaining controls protect the data those layers generate and consume: centralizing the audit trail, governing the encryption keys, and gating cross-account access. This section walks those three in order.
Organization CloudTrail to one log-archive account
A single organization trail[7] in AWS CloudTrail captures every member account's management events (and, optionally, data events) into one S3 log-archive bucket in a dedicated account. Created from the management account or a CloudTrail delegated administrator, it applies to all members, including accounts that join later, and members cannot remove or alter it, giving tamper-resistant central audit logs that pair with Security Hub and Config. The bucket policy must allow each member account's delivery, which the organization-trail flow configures for you.
KMS: key policy, IAM, and grants
Every customer-managed KMS key has a key policy (a resource policy on the key itself) that is the root of trust for that key. For cross-account use, the key policy in the owner account AND an IAM policy in the external account must both allow the operation; neither alone is sufficient[16]. The key policy decides who can be given access; the IAM policy decides who does. The diagram renders this two-key requirement as a single gate: only when both the owner-account key policy and the external-account IAM policy allow does the cross-account operation succeed. AWS managed KMS keys cannot be shared cross-account this way.
A grant[17] is the third KMS access instrument and the one purpose-built for temporary, programmatic, granular delegation, exactly how AWS services that integrate with KMS encrypt your data at rest. Grant facts the exam leans on:
- A grant can allow access to a KMS key but cannot deny[17]; it is purely additive, like an SCP/RCP is purely subtractive.
- Each grant allows access to exactly one KMS key[17], and you can create a grant for a key in a different account.
- The grantee can be an IAM identity or a service principal, but not an AWS organization or IAM group[17]; grants do not target an org the way an SCP does.
- Grant changes follow an eventual-consistency[17] model; use a grant token to exercise a new grant's permissions immediately.
- KMS limits each key to 50,000 grants[17].
Scheduling deletion of a customer-managed key enforces a mandatory 7-to-30-day waiting period (default 30 days)[18]; deletion is never immediate and is cancellable until the window ends.
Secrets, certificates, and the perimeter
For credential hygiene, AWS Secrets Manager managed rotation[19] (no Lambda required) covers Aurora, RDS, DocumentDB, and Redshift; custom secrets still need a rotation Lambda implementing the four-step contract. For data in transit, AWS Certificate Manager[20] issues and auto-renews free public certificates whose private key never leaves AWS, but note the Region rule: an ALB certificate must be in the same Region as the load balancer, while a CloudFront certificate must be in us-east-1 regardless of where the distribution serves. To enforce an organization data perimeter at the resource edge, an RCP[2] using aws:PrincipalOrgID (with a carve-out for aws:PrincipalIsAWSService) denies any principal outside the org from reaching supported resources such as S3 buckets and KMS keys.
Exam-pattern recognition: stems, correct picks, and traps
SAP-C02 security questions almost always describe a multi-account organization and ask for the one control that satisfies a precise requirement at the lowest operational overhead. Match the stem's verb and object to the layer first, then to the service.
Pattern 1: "prevent ... across all accounts"
Stem: "A company must ensure no member account can launch resources outside two approved Regions, including accounts added later." Correct: an SCP[1] with a Deny on aws:RequestedRegion (carving out global services like IAM, STS, CloudFront, Route 53, Support via NotAction), attached at the root or a parent OU so inheritance covers future accounts. Why distractors fail: an IAM policy in each account does not stop a future account and is per-account toil; an SCP that grants the two Regions is wrong by construction (SCPs never grant); AWS Config can report out-of-Region resources but cannot prevent them.
Pattern 2: "block anyone outside the organization from reaching our resources"
Stem: "Prevent any principal not in the organization from accessing our S3 buckets and KMS keys, org-wide." Correct: an RCP[2] denying access when aws:PrincipalOrgID does not match, with an aws:PrincipalIsAWSService carve-out, attached high in the OU tree. Why distractors fail: an SCP constrains your principals, not external ones touching your resources; bucket policies on every bucket are per-resource sprawl that misses new buckets; RCPs additionally require all-features mode, so a billing-only org is a setup trap.
Pattern 3: "cap one privileged identity"
Stem: "The DevOps team has admin in their account and must be allowed to create IAM roles, but must not be able to grant those roles permissions beyond an approved set." Correct: a permissions boundary[4] attached to the team's roles, plus a condition requiring the boundary on any role they create. Why distractors fail: an org-wide SCP would constrain the whole account, not just that team; the SCP-only answer cannot express 'roles you create must also carry this boundary'.
Pattern 4: "detect / one pane of glass / investigate"
Stem A ("continuously detect crypto-mining and credential exfiltration across every account and Region") → Amazon GuardDuty[5] from a delegated admin with auto-enable ALL, per Region. Stem B ("a single place to triage all findings and benchmark accounts against CIS and PCI DSS") → AWS Security Hub[11] with central configuration. Stem C ("after a GuardDuty alert, determine the root cause and full blast radius from CloudTrail and VPC flow history") → Amazon Detective[12]. Why distractors fail: Security Hub aggregates but does not itself detect threats; Detective investigates but does not generate the original findings; Config tracks configuration drift, not threat telemetry.
Pattern 5: "least privilege / unused access / external sharing"
Stem: "Identify IAM roles, users, and credentials that have not been used so the team can prune them, AND flag any resource shared outside the org." Correct: IAM Access Analyzer[9] at the organization zone of trust. External-access findings (free[14]) plus a separate unused-access analyzer (paid per role/user). Why distractors fail: Macie finds sensitive data in S3, not unused IAM permissions; GuardDuty finds active threats, not dormant entitlements; reading CloudTrail by hand is the brute-force non-answer.
Pattern 6: "mandate WAF / firewall rules on every account"
Stem: "Ensure AWS WAF is attached to every ALB across 200 accounts and auto-remediate new ones." Correct: AWS Firewall Manager[3] policies (WAF, Shield Advanced, security-group, Network Firewall, Route 53 Resolver DNS Firewall) from a Firewall Manager admin account. Trap: Firewall Manager has a hard prerequisite. AWS Config must be enabled[21] in every account and Region a policy scopes, plus an Organization with all features; an option that skips enabling Config is wrong.
Pattern 7: "share central infrastructure, encrypt cross-account"
Stem: "Workload accounts must use a central KMS key / a central VPC's subnets without each rebuilding them." Correct: for KMS, a key policy in the owner account plus IAM in the consumer account (or a grant[17] for temporary service-driven use); for networking, share subnets via AWS Resource Access Manager. Why distractors fail: an IAM policy alone cannot reach a cross-account key without the key policy allowing it[16]; copying the key into each account defeats centralized key management and rotation.
Org-wide security services: role, layer, and delegated-admin model
| Service | Amazon GuardDuty | AWS Security Hub | AWS Config | Amazon Macie | AWS Firewall Manager |
|---|---|---|---|---|---|
| Primary job | Threat detection from logs/telemetry | Posture aggregation + standards scoring | Config compliance + change history | Sensitive-data discovery in S3 | Push WAF/Shield/SG/NFW/DNS policies |
| Control layer | Detective | Detective (aggregator) | Detective | Detective (data) | Preventive (network) |
| Org delegated admin | Yes | Yes | Yes | Yes | Yes |
| Auto-enable new accounts | Yes (NEW or ALL) | Yes (central configuration) | Yes (org rules / packs) | Yes | Yes (policy scope) |
| Hard dependency | None | Consumes GuardDuty/Inspector/Macie via ASFF | Config recorder on | S3 only | AWS Config must be enabled |
| Typical scenario answer | Detect crypto-mining / recon org-wide | One pane for all findings + benchmarks | Detect/flag non-compliant resources | Find unencrypted PII in S3 | Mandate WAF on every ALB org-wide |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Pair preventive guardrails with detective services org-wide
A complete org security posture needs two layers: preventive controls that block bad actions before they happen (SCPs, RCPs, AWS Firewall Manager) and detective services that surface what gets through (Amazon GuardDuty, AWS Security Hub, Amazon Macie, AWS Config, IAM Access Analyzer). A guardrail nobody monitors drifts unnoticed; a finding you cannot prevent recurs: SAP-C02 scenarios that name only one layer are usually incomplete.
Trap Treating GuardDuty or Security Hub as preventive controls that stop the offending action; detective services only surface findings, while SCPs, RCPs, or Firewall Manager are what actually block.
- Cap one IAM identity with a permissions boundary, not an SCP
A permissions boundary is the IAM-level ceiling on a single user or role, the right tool to cap one delegated-admin or CI principal, where an org-wide SCP would over-reach. It only filters, never grants: the effective permissions are the intersection of the boundary and the identity-based policy, so the action must be allowed by the boundary, any SCP, and the identity policy together.
Trap Reaching for an SCP to restrict a single principal: an SCP filters every identity in the account, not one user or role.
- Register a delegated admin so security runs outside the management account
GuardDuty, Security Hub, Macie, IAM Access Analyzer, AWS Config, and Firewall Manager each support registering a delegated administrator account. Run them from a dedicated Security or Audit member account so day-to-day administration happens outside the management account, in line with least privilege, and so the security tooling itself stays subject to the org's SCPs and RCPs.
Trap Operating org security services directly from the management account: it violates least privilege and the management account is exempt from SCPs and RCPs.
- Designate GuardDuty's delegated admin per Region and auto-enable ALL
GuardDuty is a Regional service, so the same member account must be designated as delegated administrator in every Region you use it. Organization auto-enable is
NEW(new member accounts only) orALL(new and existing); chooseALLso every current and future member gets continuous threat detection without manual onboarding.Trap Leaving auto-enable on NEW and assuming existing accounts are covered: NEW onboards only future members, so accounts already in the org stay unprotected.
- One GuardDuty delegated admin manages up to 50,000 members per Region
A single GuardDuty delegated administrator can manage a maximum of 50,000 member accounts per Region; cross that and you receive a notification via CloudWatch, the Health Dashboard, and email. An organization can hold more than 50,000 accounts, but one delegated admin cannot cover them all in a single Region: the cap is the testable ceiling.
- Security Hub scores controls against FSBP, CIS, NIST, and PCI DSS
Security Hub runs control checks and produces a per-standard security score against standards including AWS Foundational Security Best Practices (FSBP), CIS AWS Foundations Benchmark, NIST SP 800-53 Rev 5, and PCI DSS. Enabling a standard automatically enables all of its controls; you can then disable individual controls as needed.
Trap Assuming you opt into each control one by one; enabling a standard turns on all of its controls at once, and you disable the unwanted ones afterward.
- Push Security Hub config org-wide with central configuration policies
Security Hub central configuration lets the delegated administrator write configuration policies that target OUs and accounts from one home Region, enabling Security Hub, standards, and controls across new and existing accounts while leaving chosen accounts self-managed. It replaces per-account, per-Region setup, which is the source of configuration drift in large orgs.
Trap Relying on local configuration to cover the whole org: local config only auto-enables new accounts in the current Region, never existing accounts or other Regions.
4 questions test this
- A company has 150 AWS accounts managed by AWS Organizations across multiple Organizational Units (OUs). The security team needs to deploy…
- A financial services company has 150 AWS accounts managed through AWS Organizations. The security team needs to implement a centralized…
- A company has 120 AWS accounts across AWS Organizations and operates in 8 AWS Regions. The security team wants to centrally monitor…
- A company uses AWS Organizations with 100 member accounts and wants to implement automated security compliance monitoring. The company's…
- Mandate WAF, Shield, SGs, NFW, and DNS Firewall with Firewall Manager
AWS Firewall Manager centrally enforces AWS WAF, AWS Shield Advanced, security-group, AWS Network Firewall, and Route 53 Resolver DNS Firewall policies across every account in the org, automatically applying protection to newly created and non-compliant resources. Use it for org-wide mandates such as 'AWS WAF on every ALB' that must hold as new accounts and resources appear.
Trap Assuming Firewall Manager only protects resources created after the policy; it also detects and remediates existing non-compliant resources across the org.
- Firewall Manager needs AWS Config enabled in every in-scope account
Firewall Manager evaluates and remediates resources through AWS Config, so AWS Config must be enabled in every account and Region a Firewall Manager policy scopes. Without it, Firewall Manager has no resource inventory to assess in that account and silently cannot enforce or remediate there: enabling Config is a documented prerequisite.
Trap Expecting a Firewall Manager policy to protect an account where AWS Config is off: it cannot evaluate resources there, so coverage gaps go unnoticed.
- Access Analyzer external-access findings are free; unused-access is paid
An IAM Access Analyzer with the AWS Organization as its zone of trust flags resources shared with principals outside the org (external-access findings) at no charge. A separate unused-access analyzer continuously reviews dormant roles, access keys, and passwords and is billed per IAM role or user analyzed per analyzer per month, so 'find unintended external sharing' is the free use, while 'clean up unused access' carries a cost.
Trap Assuming every IAM Access Analyzer analyzer is free: only external-access analysis is free; unused-access (and internal-access) analyzers are billed.
13 questions test this
- A multinational company has an AWS Organizations structure with 500 member accounts. The security team wants to identify IAM roles and…
- A company uses AWS Organizations to manage workloads across three OUs: Production, Development, and Sandbox. The finance team wants to…
- A company operates a multi-account AWS environment using AWS Organizations. The security team wants to centrally identify all resources in…
- A global enterprise is implementing a comprehensive permissions governance strategy using IAM Access Analyzer. The security team needs to…
- A financial services company uses AWS Organizations with 50 member accounts across multiple organizational units. The company's security…
- A company wants to implement least privilege access for all IAM roles in their AWS environment. The security team has identified that many…
- A financial services company uses AWS Organizations with 150 member accounts. The security team needs to identify all resources across the…
- A security architect is implementing IAM Access Analyzer for a large enterprise with 500 AWS accounts in AWS Organizations. The security…
- A multinational financial services company has 150 AWS accounts organized under AWS Organizations. The security team needs to detect when…
- A company is establishing a multi-account security baseline using AWS Control Tower. The security architect must implement IAM Access…
- A company has implemented AWS Organizations with 200 member accounts. The security team needs to identify IAM roles and users across all…
- A financial services company uses AWS Organizations with 120 member accounts across multiple organizational units (OUs). The security team…
- A financial services company uses AWS Organizations to manage 150 accounts across multiple organizational units (OUs). The security team…
- Use Macie to discover sensitive data in S3 across the org
Amazon Macie runs automated sensitive-data discovery across Amazon S3, using machine learning and pattern matching to find PII, credentials, and financial data, and it reports each bucket's public-access and encryption posture. For 'locate unencrypted PII in S3 org-wide' scenarios, Macie is the answer: GuardDuty watches for threats and Config tracks configuration, but neither classifies object contents.
Trap Choosing GuardDuty or AWS Config to find sensitive data inside S3 objects: only Macie inspects and classifies object contents.
- Evaluate org-wide compliance with a Config aggregator and org rules
AWS Config records resource configuration and change history, and an organization Config aggregator plus organization Config rules and conformance packs give a single read-only, org-wide compliance view. Config requires its recorder enabled in each account, and it flags non-compliant resources rather than blocking them: pair it with an SCP or Firewall Manager when you actually need to prevent the drift.
Trap Expecting AWS Config to block non-compliant resources: Config detects and reports drift but never prevents the action.
3 questions test this
- A company recently migrated to AWS Control Tower and has 50 existing AWS accounts that need to be enrolled. Before enrolling the accounts,…
- A company has enabled AWS Security Hub with the CIS AWS Foundations Benchmark standard across all accounts in their AWS Organization. The…
- A global retail company uses AWS Organizations with 150 member accounts across 10 business units. The company's finance team needs to…
- Centralize audit logs with an organization CloudTrail to one bucket
An organization trail in AWS CloudTrail captures management (and optionally data) event API activity from the management account and every member account into a single S3 log-archive bucket, typically in a dedicated logging account. Member accounts can see the trail but cannot stop or alter it, giving tamper-resistant central audit logs that feed Security Hub and Config for org-wide detection.
Trap Stitching together a separate per-account trail in every member account: an organization trail logs all accounts into one bucket and members cannot disable it.
6 questions test this
- A large enterprise has deployed AWS Control Tower to manage its multi-account environment with over 200 accounts. The security team needs…
- A financial services company is deploying AWS Control Tower and needs to ensure that all newly provisioned accounts through Account Factory…
- A large financial services company is setting up AWS Control Tower to manage its multi-account environment. The company needs to centralize…
- A company is deploying a new AWS Control Tower landing zone to govern its multi-account environment. The company has an existing…
- A large enterprise is setting up AWS Control Tower to establish a multi-account environment. The company requires centralized logging of…
- A company has deployed AWS Control Tower with landing zone version 3.0 to manage its multi-account AWS environment. The security team wants…
- Network Firewall TLS inspection needs a CA certificate in ACM for egress
To inspect encrypted HTTPS payloads, AWS Network Firewall uses a TLS inspection configuration that decrypts traffic, runs it through the stateful rules, then re-encrypts it before forwarding. Outbound (egress) inspection requires importing a CA certificate into AWS Certificate Manager (Network Firewall uses it to generate the server certificate) while inbound uses a server certificate in ACM; scope settings control which flows are decrypted. Without TLS inspection you can only match unencrypted content or the TLS SNI.
7 questions test this
- A technology company wants to implement deep packet inspection for encrypted HTTPS traffic leaving their VPC to detect data exfiltration…
- A multinational corporation operates a centralized inspection architecture using AWS Network Firewall deployed in an inspection VPC…
- A healthcare company runs web applications in Amazon VPCs that process patient health information. Regulatory requirements mandate…
- A global financial services company is implementing a centralized network security architecture using AWS Network Firewall in an inspection…
- A multinational corporation is deploying AWS Network Firewall to inspect encrypted HTTPS traffic for data exfiltration prevention. The…
- A healthcare organization is deploying AWS Network Firewall to secure a VPC containing protected health information (PHI). The security…
- A media company requires Layer 7 traffic inspection for their outbound internet traffic from Amazon EC2 instances. The security policy…
- Network Firewall runs Suricata; use strict order for default-deny
Network Firewall's stateful engine is Suricata, so you can import Suricata-compatible IPS rulesets (e.g. Emerging Threats) directly for signature-based detection. Strict rule order evaluates rule groups by priority and rules in the exact sequence you define; pairing it with a 'Drop established' default action builds a default-deny posture where only explicitly allowed traffic passes.
Trap Assuming default (action) rule order honors your priorities literally: only strict order evaluates rules in your exact sequence; default order applies pass before drop before reject first.
9 questions test this
- A financial services company is deploying AWS Network Firewall to inspect east-west traffic between application tiers in a VPC. The…
- A company is migrating their on-premises intrusion detection system to AWS Network Firewall. They have existing Suricata-compatible rules…
- A multinational corporation operates a centralized inspection architecture using AWS Network Firewall deployed in an inspection VPC…
- A healthcare company uses AWS Network Firewall to protect PHI data by restricting outbound traffic to approved HTTPS domains. The security…
- A global financial services company is implementing a centralized network security architecture using AWS Network Firewall in an inspection…
- A healthcare organization is implementing AWS Network Firewall to control egress traffic from their VPC. The security team wants to allow…
- A financial services company requires Layer 7 application inspection with intrusion prevention capabilities for all VPC traffic. The…
- A healthcare organization uses AWS Network Firewall to protect sensitive patient data across multiple VPCs. The security team wants to…
- A media company requires Layer 7 traffic inspection for their outbound internet traffic from Amazon EC2 instances. The security policy…
- Gate IAM policies in CI/CD with Access Analyzer custom policy checks
IAM Access Analyzer custom policy checks use automated reasoning to validate policies before they ship in a pipeline:
CheckNoPublicAccessflags resource policies that could grant public access,CheckAccessNotGrantedfails when a policy permits a specified list of sensitive actions, andCheckNoNewAccessfails when an updated policy grants more access than a reference policy. Each call to check for new access is billed.Trap Mixing up the checks and using CheckAccessNotGranted to compare a policy against a prior version; comparing new access to a reference policy is the job of CheckNoNewAccess.
4 questions test this
- A solutions architect is implementing a data perimeter strategy for a company using AWS Organizations. The security team needs to validate…
- A company is implementing a DevSecOps pipeline using AWS CodePipeline. The security team requires that all IAM policies created by…
- A company's development teams frequently create and update IAM policies for their applications. The security team wants to implement…
- A company is implementing a CI/CD pipeline using AWS CodePipeline to deploy infrastructure with AWS CloudFormation. The security team…
- Back a KMS custom key store with CloudHSM for customer-controlled keys
When regulations require key material in FIPS 140 Level 3 validated hardware under your direct control (often with PKCS#11 support), back an AWS KMS custom key store with a CloudHSM cluster: keys are managed through the familiar KMS interface but generated and stored in HSMs you own and audit. A CloudHSM-backed key store supports only symmetric encryption KMS keys, not asymmetric keys, HMAC keys, imported key material, or automatic rotation.
Trap Planning to create asymmetric or HMAC KMS keys in a CloudHSM custom key store: it supports only symmetric (AES) encryption keys.
3 questions test this
- A company is migrating its payment processing application to AWS. The application requires PKCS#11 interface support for cryptographic…
- A healthcare company must encrypt all patient data at rest using encryption keys that remain under the company's complete control to meet…
- A financial services company must comply with regulatory requirements that mandate all encryption key material for sensitive data be stored…
- Aggregate Security Hub findings cross-Region into one home Region
Security Hub cross-Region aggregation replicates findings, finding updates, insights, control statuses, and security scores from linked Regions into a single home (aggregation) Region, so the delegated administrator's home-Region console, EventBridge feed, and downstream integrations see every Region's findings at once instead of Region by Region. Updates flow both ways and the replication adds no cost.
Trap Reaching for central configuration to pull every Region's findings into one console; central configuration deploys settings org-wide, while cross-Region aggregation is what consolidates the findings themselves.
3 questions test this
- A company is implementing a multi-account security monitoring strategy using AWS Security Hub. The security team has designated a security…
- A global retail company is designing a multi-account security monitoring architecture on AWS. The company has three separate AWS…
- A financial services company has 150 AWS accounts managed through AWS Organizations. The security team needs to implement a centralized…
Also tested in
References
- Service control policies (SCPs)
- Resource control policies (RCPs)
- AWS Firewall Manager policies
- IAM JSON policy evaluation logic
- Managing GuardDuty accounts with AWS Organizations
- Managing administrator and member accounts in Security Hub CSPM
- Creating a trail for an organization
- Managing AWS Config rules across all accounts in your organization
- Getting started with IAM Access Analyzer
- Amazon Macie and AWS Organizations
- Understanding central configuration in Security Hub CSPM
- What is Amazon Detective?
- Best practices for the management account
- IAM Access Analyzer pricing
- Delegated administration for IAM Identity Center
- Allowing users in other accounts to use a KMS key
- Grants in AWS KMS
- Deleting AWS KMS keys
- Managed rotation for AWS Secrets Manager secrets
- Certificate Manager supported Regions and quotas
- AWS Firewall Manager prerequisites