Domain 4 · 16% of Exam

Security and Compliance

Domain 4 covers operational security controls, compliance evidence, identity troubleshooting, encryption, vulnerability detection, and governance.

What You'll Be Tested On

  • IAM users, roles, policies, permission boundaries, federation, MFA, and least privilege
  • Encryption with KMS, key policies, grants, rotation, S3/EBS/RDS encryption, and Secrets Manager
  • Compliance monitoring with AWS Config rules, conformance packs, aggregators, and remediation
  • Threat and vulnerability detection with GuardDuty, Security Hub, Inspector, WAF, and Shield
  • Audit evidence and account governance with CloudTrail, Organizations, SCPs, and centralized logging

Exam Tips for Domain 4

💡 When access is denied, check identity policies, resource policies, permission boundaries, SCPs, session policies, and explicit denies.
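The checklist above follows the order in which AWS combines policy types. The following Python block, added here as a study aid and not AWS code, models that order in simplified form: an explicit Deny in any applicable policy wins, SCPs, permission boundaries and session policies each act as filters that must contain an Allow when present, and only then does an identity or resource policy Allow decide the outcome. It deliberately ignores cross-account and resource-policy-to-session edge cases; the sample statements, ARNs and bucket name are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Request:
    action: str      # e.g. "s3:PutObject"
    resource: str    # e.g. "arn:aws:s3:::example-bucket/key.txt" (constructed)


@dataclass
class Statement:
    effect: str      # "Allow" or "Deny"
    actions: list    # action patterns, e.g. ["s3:*"]
    resources: list  # resource ARN patterns, e.g. ["*"]


def _matches_action(patterns, action):
    # IAM action names are case-insensitive; wildcards are allowed.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _matches_resource(patterns, resource):
    # Resource ARNs are matched case-sensitively.
    return any(fnmatchcase(resource, p) for p in patterns)


def _effect(policy, request):
    """Return 'Deny' if any statement explicitly denies, 'Allow' if one allows,
    or None when no statement in this policy matches the request."""
    result = None
    for st in policy:
        if _matches_action(st.actions, request.action) and _matches_resource(st.resources, request.resource):
            if st.effect == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate(request, identity, resource=None, scps=None, boundary=None, session=None):
    """Simplified IAM evaluation. Returns (decision, reason).

    A policy argument of None means that policy type is not in play
    (no SCP in the account, no boundary on the principal, and so on).
    """
    layers = {
        "identity policy": identity,
        "resource policy": resource,
        "SCP": scps,
        "permission boundary": boundary,
        "session policy": session,
    }
    # 1. An explicit Deny anywhere ends the evaluation.
    for name, policy in layers.items():
        if policy is not None and _effect(policy, request) == "Deny":
            return "Deny", f"explicit deny in {name}"
    # 2. Filters: each of these, when present, must itself allow the action.
    for name in ("SCP", "permission boundary", "session policy"):
        policy = layers[name]
        if policy is not None and _effect(policy, request) != "Allow":
            return "Deny", f"{name} present but does not allow the action"
    # 3. Finally an identity policy or the resource policy must grant access.
    if _effect(identity, request) == "Allow":
        return "Allow", "allowed by identity policy"
    if resource is not None and _effect(resource, request) == "Allow":
        return "Allow", "allowed by resource policy"
    return "Deny", "implicit deny: no policy allows the action"


if __name__ == "__main__":
    # Constructed sample: broad identity permission, but a boundary that only allows reads.
    s3_full = [Statement("Allow", ["s3:*"], ["*"])]
    read_only = [Statement("Allow", ["s3:GetObject"], ["*"])]
    put = Request("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv")
    print(evaluate(put, identity=s3_full))                      # Allow
    print(evaluate(put, identity=s3_full, boundary=read_only))  # Deny, boundary does not allow
```

Walking the layers in this order reproduces the troubleshooting tip: a Deny reason names the layer to look at, and "implicit deny" means no Allow was found anywhere rather than a Deny being present.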

💡 Default encryption applies only to objects written after it is enabled and does not by itself reject uploads. When uploads must be refused unless a specific key is used, a bucket policy condition or an equivalent service control is required.
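To show what that bucket policy looks like, the following Python block is added here as an example; it is not code from the page or from AWS. It builds a bucket policy that denies s3:PutObject unless the request asks for SSE-KMS with one specific key, and includes a small checker that applies the same two conditions to a request's headers so the effect can be seen offline. The bucket name and key ARN are constructed placeholders.

```python
import json

# Constructed placeholders; substitute your own bucket and KMS key ARN.
BUCKET = "example-bucket"
REQUIRED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
KEY_COND = "s3:x-amz-server-side-encryption-aws-kms-key-id"
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"


def require_kms_key_policy(bucket, key_arn):
    """Bucket policy that rejects PutObject unless SSE-KMS with key_arn is requested.

    Two Deny statements: one for uploads that name a different key, and a
    defensive Null check for uploads that name no KMS key at all.
    """
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {KEY_COND: key_arn}},
            },
            {
                "Sid": "DenyMissingKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {KEY_COND: "true"}},
            },
        ],
    }


def put_allowed(policy, headers):
    """Apply the policy's Deny conditions to a PutObject request's SSE headers.

    Constructed approximation of how the two statements behave, not S3's own
    evaluator. Returns (allowed, sid_of_denying_statement).
    """
    key = headers.get(KEY_HEADER)
    for st in policy["Statement"]:
        cond = st["Condition"]
        if "StringNotEquals" in cond:
            # Negated operators also match when the key is absent from the request.
            if key is None or key != cond["StringNotEquals"][KEY_COND]:
                return False, st["Sid"]
        if "Null" in cond and key is None:
            return False, st["Sid"]
    return True, None


if __name__ == "__main__":
    policy = require_kms_key_policy(BUCKET, REQUIRED_KEY_ARN)
    print(json.dumps(policy, indent=2))
    # Upload that only relies on default encryption: denied.
    print(put_allowed(policy, {"x-amz-server-side-encryption": "AES256"}))
    # Upload that names the required key: allowed.
    print(put_allowed(policy, {"x-amz-server-side-encryption": "aws:kms",
                               KEY_HEADER: REQUIRED_KEY_ARN}))
```

Note the difference from default encryption: a bucket with default SSE-KMS still accepts an upload that names no key (S3 applies the default), whereas this policy turns such an upload into an explicit Deny, which is what the exam tip means by rejecting uploads.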

💡 AWS Config detects configuration drift and compliance gaps; it does not block an action unless paired with remediation or preventive controls.

💡 Security Hub aggregates findings; GuardDuty detects threats; Inspector scans workloads for vulnerabilities.

Practice Domain 4 Questions

Test your knowledge of Security and Compliance with practice questions from our SOA-C03 question bank.
