Domain 5 · 18% of Exam

Data Protection

Design and implement data encryption, key management, secrets management, and data classification solutions.

What You'll Be Tested On

  • Implement encryption at rest with KMS (CMKs, key policies, grants)
  • Design encryption in transit (TLS, IPsec, client-side encryption)
  • Implement secrets management with rotation and cross-account access
  • Configure S3 data protection (SSE, Object Lock, Macie)
  • Design key management for multi-account and multi-region workloads

Exam Tips for Domain 5

  • Know KMS key policy + IAM policy evaluation for cross-account access
  • Understand the envelope encryption flow and when to use it
  • Practice designing a key hierarchy for multi-account environments

Practice Domain 5 Questions

Test your knowledge of Data Protection with practice questions from our SCS-C02 question bank.
