- Domain 2 carries 30% of your score - the second-largest domain on the CLF-C02 exam.
- The Shared Responsibility Model appears in virtually every Security domain question in some form.
- IAM users, groups, roles, and policies each have distinct exam-tested behaviors you must distinguish precisely.
- AWS lists dozens of compliance programs (SOC, PCI DSS, HIPAA, ISO) and you need to know which AWS tool surfaces them.
What Domain 2 Actually Covers
Security and Compliance is worth 30% of your CLF-C02 score - that's 15 of your 50 scored questions. Only Domain 3 (Cloud Technology and Services at 34%) outweighs it. If you treat security as a secondary concern, you are gambling with nearly a third of your exam. Understanding the full picture of all four exam areas first is worth your time; the Cloud Practitioner Exam Domains 2026: Complete Guide to All 4 Content Areas gives you that overview before you dive into any single domain.
AWS breaks Domain 2 into four task statements in the official CLF-C02 exam guide:
- Task 2.1 - Understand the Shared Responsibility Model
- Task 2.2 - Understand AWS Cloud security, governance, and compliance concepts
- Task 2.3 - Identify AWS access management capabilities
- Task 2.4 - Identify components and resources for security
Each task statement has concrete knowledge and skill requirements. This guide addresses all four in the sections below with the specific terms and services the exam tests.
The Shared Responsibility Model
No other concept appears more consistently across Domain 2 questions than the Shared Responsibility Model. AWS defines it simply: AWS is responsible for security OF the cloud; customers are responsible for security IN the cloud. The exam tests whether you can apply this distinction to concrete scenarios.
AWS's Side of the Model
AWS manages the underlying infrastructure - physical data centers, hardware, networking, and the virtualization layer. Specific items AWS is responsible for include:
- Physical security of data center facilities (guards, biometrics, surveillance)
- Hardware and firmware lifecycle management
- Global network infrastructure (Regions, Availability Zones, edge locations)
- Hypervisor and host operating system patching for managed services
Customer's Side of the Model
Customers control everything they deploy on top of the infrastructure. This shifts based on the service type - and that's exactly where exam questions get tricky.
Shared Responsibility Shifts by Service Type
The customer's responsibility shrinks as the service abstraction layer rises.
- EC2 (IaaS): Customer patches the guest OS, manages firewall rules (security groups), and controls application code
- RDS (managed database): AWS handles OS and database engine patching; customer controls network access and data encryption settings
- Lambda (serverless): AWS manages runtime and infrastructure; customer controls code, IAM permissions, and data handling
- S3 (object storage): AWS secures the service; customer controls bucket policies, ACLs, and encryption choices
A typical exam scenario might read: "A company runs an application on Amazon EC2. Who is responsible for applying operating system security patches?" The answer is the customer. Flip the service to RDS, and the answer changes. Knowing where that line sits for each major service type is non-negotiable preparation.
IAM: Identity and Access Management
AWS Identity and Access Management (IAM) is the single most tested service in Domain 2. It underpins nearly every other security concept on the exam. IAM is a global service - it operates across all AWS Regions and has no additional cost.
IAM Core Components
- Root user: Created when an AWS account is first opened. Has unrestricted access to all resources. AWS best practice - and exam answer - is to lock the root user with multi-factor authentication (MFA) and avoid using it for daily tasks.
- IAM Users: Individual identity with permanent credentials (username/password or access keys). Represents a person or application.
- IAM Groups: Collection of users. Policies attached to a group apply to all members. Groups cannot be nested within other groups.
- IAM Roles: Identity with temporary credentials assumed by trusted entities - AWS services, other accounts, or federated users. Roles are the correct mechanism for granting an EC2 instance permission to access S3, for example.
- IAM Policies: JSON documents that define allowed or denied actions on specific resources. Attached to users, groups, or roles.
MFA and Access Keys
Multi-factor authentication adds a second verification layer beyond a password. The exam may ask which account types should always have MFA enabled (root user, privileged IAM users) or what MFA device types AWS supports (virtual authenticator apps, hardware TOTP tokens, FIDO security keys).
Access keys (an access key ID plus a secret access key) are used for programmatic access via the AWS CLI or SDKs. The exam tests the security practice of rotating access keys regularly and never embedding them in application code.
AWS Organizations and Service Control Policies
AWS Organizations lets a company manage multiple AWS accounts centrally. Service Control Policies (SCPs) act as guardrails - they define the maximum permissions available to accounts within an Organizational Unit (OU). SCPs do not grant permissions; they restrict them. This distinction matters on exam questions.
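To make the two rules that recur in this section and in the IAM Policies bullet above concrete (an explicit Deny always wins; an SCP caps permissions but never grants them), here is an added Python simulator. It is not code from this guide or from AWS, and the policy documents, ARNs and OU guardrail are constructed samples.

```python
# Added, constructed simulator (not AWS's evaluator) of the order the exam tests:
# explicit Deny wins; otherwise an identity policy must Allow; an SCP only caps,
# it never grants. Resource policies, permission boundaries and conditions are omitted.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True when the statement covers this action (case-insensitive) and resource ARN."""
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def _decide(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a set of policy documents."""
    decision = "ImplicitDeny"
    for doc in policies:
        for st in doc["Statement"]:
            if _matches(st, action, resource):
                if st["Effect"] == "Deny":
                    return "Deny"  # an explicit deny short-circuits everything else
                decision = "Allow"
    return decision


def is_allowed(identity_policies, action, resource, scps=None):
    """Final decision for one request: SCP guardrail first, then identity policies."""
    if scps is not None and _decide(scps, action, resource) != "Allow":
        return False  # outside the SCP cap: denied even for an administrator
    return _decide(identity_policies, action, resource) == "Allow"


# Constructed sample documents in IAM JSON shape.
READ_ONLY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket*"}]}
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# SCP on the OU: the default FullAWSAccess allow plus one guardrail no member account can bypass.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(is_allowed([ADMIN, DENY_DELETE], "s3:DeleteObject", obj))  # False: explicit deny wins
    print(is_allowed([ADMIN], "cloudtrail:StopLogging", "*", scps=[GUARDRAIL_SCP]))  # False: SCP caps admin
    print(is_allowed([READ_ONLY_S3], "ec2:StartInstances", "*", scps=[GUARDRAIL_SCP]))  # False: SCP grants nothing
```

The last call is the exam's key point: the SCP allows `*`, yet the read-only user still cannot start instances, because only an identity policy can grant.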
Compliance Frameworks and AWS Programs
Task 2.2 specifically requires candidates to know how AWS supports compliance, what documentation exists, and which tools surface it. This is less about memorizing every regulation and more about knowing AWS's compliance posture and tools.
Key Compliance Programs AWS Participates In
| Framework / Standard | What It Covers | Relevant Industry |
|---|---|---|
| SOC 1, SOC 2, SOC 3 | Controls over financial reporting and security/availability | Finance, Technology |
| PCI DSS | Payment card data security | Retail, Financial Services |
| HIPAA | Health information privacy and security | Healthcare |
| ISO 27001 | Information security management systems | Global enterprise |
| FedRAMP | U.S. federal government cloud security | Government |
| GDPR | EU data privacy and protection | Any company with EU customers |
AWS Artifact
AWS Artifact is the self-service portal where customers download AWS compliance reports and agreements. If an exam question asks how a company can access AWS SOC 2 reports or sign a HIPAA Business Associate Agreement (BAA), the answer is AWS Artifact. This is a frequently tested single-service fact.
AWS Compliance Center and Customer Compliance
AWS Compliance Center provides country-specific compliance information. The exam also tests the concept that achieving compliance is always a shared effort - AWS can be compliant at the infrastructure layer while a customer's poorly configured S3 bucket violates PCI DSS. Compliance follows the same shared responsibility logic as security.
Core AWS Security Services
Task 2.4 asks candidates to identify security service components. The exam does not expect deep technical configuration knowledge - it expects you to match services to their purpose and know when each is the right tool.
Security Services You Must Know by Function
Match each service to its exact security function - not just a general "it's a security tool" answer.
- AWS Shield: DDoS protection. Shield Standard is automatic and free for all AWS customers. Shield Advanced adds enhanced detection and 24/7 support from the AWS DDoS Response Team (DRT) for a fee.
- AWS WAF (Web Application Firewall): Filters HTTP/HTTPS traffic using rules to block SQL injection, cross-site scripting, and other Layer 7 attacks. Attached to CloudFront, ALB, or API Gateway.
- Amazon GuardDuty: Threat detection service that continuously monitors CloudTrail, VPC Flow Logs, and DNS logs for malicious activity. Does not prevent threats - it detects and alerts.
- Amazon Inspector: Automated vulnerability management for EC2 instances and container images. Scans for software vulnerabilities and unintended network exposure.
- AWS Security Hub: Aggregates security findings from GuardDuty, Inspector, Macie, and partner tools into a single dashboard with compliance checks against standards like CIS AWS Foundations.
- Amazon Macie: Uses machine learning to discover, classify, and protect sensitive data (especially PII) in S3.
- AWS CloudTrail: Records API calls made in an AWS account. Used for auditing, governance, and operational troubleshooting. "Who did what, when?" - CloudTrail answers that.
- AWS Config: Tracks resource configuration changes over time and evaluates them against compliance rules. "Is this resource configured correctly?" - AWS Config answers that.
- Amazon VPC and Security Groups: Security groups act as stateful virtual firewalls at the instance level. Network ACLs (NACLs) are stateless and operate at the subnet level.
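To make the stateful-versus-stateless distinction concrete, here is an added Python simulation (not from this guide or from AWS) of how the same "allow HTTPS in" intent behaves as a security group versus a network ACL. The ports, rule sets and the client's ephemeral port are constructed.

```python
# Added, constructed simulation of the stateful / stateless difference between
# security groups and network ACLs. A client on an ephemeral port opens a TCP
# connection to port 443 on an instance; the question is whether the reply gets out.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str         # "inbound" or "outbound"
    port_from: int
    port_to: int
    effect: str = "allow"  # NACL rules may be "deny"; security groups are allow-only


def _first_match(rules, direction, port):
    """Effect of the first rule covering this direction/port, or None (default deny)."""
    for r in rules:
        if r.direction == direction and r.port_from <= port <= r.port_to:
            return r.effect
    return None


def security_group_permits(rules, request_port):
    """Stateful: once the inbound request is allowed, the return traffic is
    tracked as part of the same connection and allowed automatically."""
    return _first_match(rules, "inbound", request_port) == "allow"


def nacl_permits(rules, request_port, client_ephemeral_port):
    """Stateless: the reply to the client's ephemeral port is evaluated on its own
    against the outbound rules (numbered rules, first match wins, default deny)."""
    inbound_ok = _first_match(rules, "inbound", request_port) == "allow"
    outbound_ok = _first_match(rules, "outbound", client_ephemeral_port) == "allow"
    return inbound_ok and outbound_ok


# Constructed rule sets: the same "allow HTTPS in" intent, with and without the
# outbound ephemeral-port rule a NACL needs, plus a deny placed ahead of the allow.
HTTPS_ONLY = [Rule("inbound", 443, 443)]
HTTPS_WITH_EPHEMERAL = HTTPS_ONLY + [Rule("outbound", 1024, 65535)]
DENY_FIRST = [Rule("inbound", 443, 443, "deny")] + HTTPS_WITH_EPHEMERAL

if __name__ == "__main__":
    print(security_group_permits(HTTPS_ONLY, 443))         # True
    print(nacl_permits(HTTPS_ONLY, 443, 51000))            # False: reply has no outbound rule
    print(nacl_permits(HTTPS_WITH_EPHEMERAL, 443, 51000))  # True
    print(nacl_permits(DENY_FIRST, 443, 51000))            # False: earlier deny wins
```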
AWS Trusted Advisor Security Checks
AWS Trusted Advisor provides automated recommendations across five categories. The Security category flags issues like open S3 buckets, unrestricted security group rules, missing MFA on the root account, and exposed access keys. Basic Security checks are free for all accounts; additional checks require a Business or Enterprise Support plan.
Data Protection and Encryption
Data protection topics appear consistently in Domain 2 questions. The exam tests two states of data - data at rest and data in transit - and the services that encrypt each.
Encryption at Rest
AWS Key Management Service (KMS) is the primary service for creating and managing cryptographic keys used to encrypt data stored in S3, EBS, RDS, and other services. KMS integrates natively with most AWS storage and database services. You can use AWS-managed keys (AWS handles rotation) or customer-managed keys (you control the key policy and rotation schedule).
AWS CloudHSM provides dedicated Hardware Security Module appliances inside your VPC for workloads requiring exclusive key control - used when regulations prohibit shared key management infrastructure.
Encryption in Transit
AWS uses TLS (Transport Layer Security) to encrypt data moving between clients and AWS services or between AWS services internally. Certificate management for public-facing endpoints is handled by AWS Certificate Manager (ACM), which provisions and renews SSL/TLS certificates for use with CloudFront, ALB, and API Gateway.
Key Takeaway
When an exam question mentions "encrypting data stored in an S3 bucket," the answer is almost always KMS (Server-Side Encryption). When it mentions securing data "moving between a browser and an application," think TLS and ACM. These are not interchangeable.
How Domain 2 Questions Are Written
The CLF-C02 uses multiple choice (one correct answer from four options) and multiple response (two or more correct answers from five options) formats across all 65 questions - 50 scored and 15 unscored, with no way to tell which is which during the exam. There are no labs or simulations. The 90-minute window gives you roughly 83 seconds per question on average.
Security domain questions follow predictable patterns:
- Scenario-based responsibility questions: "A company wants to ensure its EC2 instances have the latest OS patches applied. Who is responsible?" These hinge entirely on your Shared Responsibility Model fluency.
- Service-matching questions: "Which AWS service provides automatic DDoS protection for all customers at no additional cost?" (Answer: AWS Shield Standard.) You need clean service-to-purpose mapping.
- Least privilege / IAM design questions: A scenario describes permissions that are too broad or improperly structured, and you identify the correct IAM fix.
- Compliance documentation questions: "A customer needs to download AWS ISO 27001 certification reports. What should they use?" (Answer: AWS Artifact.)
- Threat detection vs. prevention questions: Many candidates confuse GuardDuty (detects) with WAF or Shield (prevents/blocks). Exam distractors exploit this confusion deliberately.
There is no penalty for guessing on the CLF-C02. If you are uncertain between two options, eliminate distractors and commit - leaving an answer blank achieves nothing. For broader context on how difficulty is distributed across the exam, the How Hard Is the Cloud Practitioner Exam? Complete Difficulty Guide 2026 breaks down exactly where candidates tend to struggle.
Practice tests that mirror the actual question style are the fastest way to internalize these patterns. The Cloud Practitioner Exam Prep practice tests are structured by domain so you can isolate Domain 2 questions specifically before testing yourself across all four areas.
Domain 2 Study Schedule
Given Domain 2's 30% weight and the breadth of services it covers, most candidates benefit from allocating proportionally more preparation time here than to Domain 4 (Billing at 12%) or even Domain 1 (Cloud Concepts at 24%). A focused two-week block dedicated to security works well within a standard four-to-six-week study plan.
Foundations and IAM
- Master the Shared Responsibility Model with service-level examples (EC2, RDS, S3, Lambda)
- Learn IAM users, groups, roles, policies, and root user best practices
- Understand MFA types, access key security, and the principle of least privilege
- Study AWS Organizations, SCPs, and multi-account security architecture
- Complete Domain 2 IAM-focused practice questions; review every wrong answer
Services, Compliance, and Encryption
- Map each security service to its precise function (GuardDuty, Macie, Inspector, Security Hub, WAF, Shield)
- Distinguish CloudTrail (audit log) from AWS Config (compliance evaluation)
- Learn AWS Artifact, key compliance frameworks, and the concept of customer compliance responsibility
- Cover KMS vs. CloudHSM, encryption at rest vs. in transit, and ACM
- Run full mixed-domain practice tests and track Domain 2 performance specifically
The Feynman technique - explaining a concept aloud as if teaching it - works particularly well for the Shared Responsibility Model. After one pass through the material, try explaining it without notes using three different service examples. Gaps in your explanation reveal exactly where to re-study.
If you want a full preparation roadmap that integrates all four domains into a single timeline, the Cloud Practitioner Study Guide 2026: How to Pass on Your First Attempt provides a structured approach including how to sequence Domain 1, 2, 3, and 4 study blocks relative to your exam date.
Domain 2 connects naturally to Domain 3 material as well - many security services (VPC, CloudWatch, CloudTrail) appear in both domains. Review Cloud Practitioner Domain 3: Cloud Technology and Services (34%) - Complete Study Guide 2026 after completing your Domain 2 pass to see where the service knowledge reinforces itself. And if you want to revisit Domain 1 fundamentals before tackling security, the Cloud Practitioner Domain 1: Cloud Concepts (24%) - Complete Study Guide 2026 covers the foundational cloud framework that security concepts build on.
When you feel ready, take full-length CLF-C02 practice exams under timed conditions - 65 questions in 90 minutes - to simulate the actual Pearson VUE testing environment. The 15 unscored pretest questions on the real exam mean you cannot pace yourself by skipping "easy" questions; treat every question as scored.
Frequently Asked Questions
No. The CLF-C02 uses compensatory scoring - there is no per-domain minimum. You need a 700 on a 100-1000 scaled score overall. However, at 30% of the exam, consistently missing Domain 2 questions makes hitting 700 much harder. Treat it as a must-master domain even though no formal minimum exists.
The Shared Responsibility Model. It appears in scenario questions, service questions, and compliance questions throughout Domain 2. If you understand precisely where AWS's responsibility ends and the customer's begins for each service type, a large portion of Domain 2 questions become significantly easier to parse.
At the Cloud Practitioner level, depth is less important than breadth. You need to know the purpose of approximately 10-15 core security services well enough to match them to use cases: IAM, KMS, CloudHSM, CloudTrail, AWS Config, GuardDuty, Inspector, Macie, Security Hub, AWS Shield, AWS WAF, AWS Artifact, Trusted Advisor, ACM, and VPC security groups. You will not be asked to configure them - only to identify the right tool for a scenario.
GuardDuty is a threat detection service that monitors account activity and identifies malicious behavior by analyzing CloudTrail, VPC Flow Logs, and DNS logs. Inspector is a vulnerability assessment service that scans EC2 instances and container images for known software vulnerabilities and network exposure issues. GuardDuty watches behavior; Inspector scans configuration and software. Exam distractors frequently swap these two - know the distinction cold.
Difficulty is subjective, but Domain 2 is considered challenging because it combines memorization (service functions, compliance frameworks) with applied reasoning (Shared Responsibility Model scenarios). Candidates with IT security backgrounds often find it more intuitive, while those from non-technical fields tend to invest more time here. The volume of named services to distinguish makes it dense, but every concept tested is learnable without hands-on lab experience.
- Cloud Practitioner Domain 1: Cloud Concepts (24%) - Complete Study Guide 2026
- Cloud Practitioner Domain 3: Cloud Technology and Services (34%) - Complete Study Guide 2026
- Cloud Practitioner Domain 4: Billing, Pricing, and Support (12%) - Complete Study Guide 2026
- Cloud Practitioner Exam Domains 2026: Complete Guide to All 4 Content Areas