AWS Security - Domain 6 - 50X - QUESTIONS AND ANSWERS

## Domain 6: Management and Security Governance ### Task Statement 6.1: Develop a strategy to centrally deploy and manage AWS accounts. **Knowledge of:** - 6.1.1 Multi-account strategies - 6.1.2 Managed services that allow delegated administration - 6.1.3 Policy-defined guardrails - 6.1.4 Root account best practices - 6.1.5 Cross-account roles **Skills in:** - 6.1.6 Deploying and configuring AWS Organizations - 6.1.7 Determining when and how to deploy AWS Control Tower (for example, which services must be deactivated for successful deployment) - 6.1.8 Implementing SCPs as a technical solution to enforce a policy (for example, limitations on the use of a root account, implementation of controls in AWS Control Tower) - 6.1.9 Centrally managing security services and aggregating findings (for example, by using delegated administration and AWS Config aggregators) - 6.1.10 Securing AWS account root user credentials ### Task Statement 6.2: Implement a secure and consistent deployment strategy for cloud resources. **Knowledge of:** - 6.2.1 Deployment best practices with infrastructure as code (IaC) (for example, AWS CloudFormation template hardening and drift detection) - 6.2.2 Best practices for tagging - 6.2.3 Centralized management, deployment, and versioning of AWS services - 6.2.4 Visibility and control over AWS infrastructure **Skills in:** - 6.2.5 Using CloudFormation to deploy cloud resources consistently and securely - 6.2.6 Implementing and enforcing multi-account tagging strategies - 6.2.7 Configuring and deploying portfolios of approved AWS services (for example, by using AWS Service Catalog) - 6.2.8 Organizing AWS resources into different groups for management - 6.2.9 Deploying Firewall Manager to enforce policies - 6.2.10 Securely sharing resources across AWS accounts (for example, by using AWS Resource Access Manager [AWS RAM]) ### Task Statement 6.3: Evaluate the compliance of AWS resources. **Knowledge of:** - 6.3.1 Data classification by using AWS services - 6.3.2 How to assess, audit, and evaluate the configurations of AWS resources (for example, by using AWS Config) **Skills in:** - 6.3.3 Identifying sensitive data by using Macie - 6.3.4 Creating AWS Config rules for detection of noncompliant AWS resources - 6.3.5 Collecting and organizing evidence by using Security Hub and AWS Audit Manager ### Task Statement 6.4: Identify security gaps through architectural reviews and cost analysis. **Knowledge of:** - 6.4.1 AWS cost and usage for anomaly identification - 6.4.2 Strategies to reduce attack surfaces - 6.4.3 AWS Well-Architected Framework **Skills in:** - 6.4.4 Identifying anomalies based on resource utilization and trends - 6.4.5 Identifying unused resources by using AWS services and tools (for example, AWS Trusted Advisor, AWS Cost Explorer) - 6.4.6 Using the AWS Well-Architected Tool to identify security gaps

There are no comments yet.

Please log in to write the first comment.