Domain 4 · 16% of Exam

Security and Compliance

Domain 4 covers operational security controls, compliance evidence, identity troubleshooting, encryption, vulnerability detection, and governance.

About This Domain

Domain 4 — Security and Compliance — accounts for 16% of the SOA-C03 certification exam. This domain evaluates your understanding of IAM users, roles, policies, permission boundaries, federation, MFA, and least privilege; encryption with KMS, key policies, grants, rotation, S3/EBS/RDS encryption, and Secrets Manager; compliance monitoring with AWS Config rules, conformance packs, aggregators, and remediation; and related concepts such as operational security controls, compliance evidence, identity troubleshooting, vulnerability detection, and governance. To pass this section you need practical knowledge of how these services and patterns work together in real-world architectures.

What You'll Be Tested On

  • IAM users, roles, policies, permission boundaries, federation, MFA, and least privilege
  • Encryption with KMS, key policies, grants, rotation, S3/EBS/RDS encryption, and Secrets Manager
  • Compliance monitoring with AWS Config rules, conformance packs, aggregators, and remediation
  • Threat and vulnerability detection with GuardDuty, Security Hub, Inspector, WAF, and Shield
  • Audit evidence and account governance with CloudTrail, Organizations, SCPs, and centralized logging

Key AWS Services in This Domain

Study Strategy for Domain 4

While 16% might seem like a smaller portion of the exam, every point counts toward the passing score. Focus on understanding core concepts and common exam scenarios for this domain. Don't neglect it — even a few missed questions here can make the difference between pass and fail.

Exam Tips for Domain 4

💡 When access is denied, check identity policies, resource policies, permission boundaries, SCPs, session policies, and explicit denies.

💡 Default encryption protects future data, but bucket policies or service controls are needed when uploads must be rejected unless a specific key is used.

💡 AWS Config detects configuration drift and compliance gaps; it does not block an action unless paired with remediation or preventive controls.

💡 Security Hub aggregates findings; GuardDuty detects threats; Inspector scans workloads for vulnerabilities.
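The checklist in this tip can be turned into code. The following is an added example (not AWS's policy engine and not part of the original page): a deliberately simplified evaluator that walks the layers in the order an engineer would check them for a same-account request and names the first layer responsible for the denial. Policies are plain dicts in the usual IAM JSON shape; the sample policies and ARNs are constructed placeholders, and cross-account and resource-policy/boundary interactions are not modelled.

```python
"""Simplified IAM access-denied troubleshooting checklist (added example)."""
from fnmatch import fnmatchcase


def _matches(statement, action, resource):
    """True if a statement's Action and Resource cover the request (wildcards allowed)."""
    actions = statement.get("Action", [])
    resources = statement.get("Resource", ["*"])
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    # Action names match case-insensitively, resource ARNs case-sensitively, as in IAM.
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_ok = any(fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok


def _has(policies, effect, action, resource):
    """True if any statement with the given Effect covers the request."""
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") == effect and _matches(stmt, action, resource):
                return True
    return False


def explain_access(action, resource, *, identity=(), resource_policy=None,
                   boundary=None, scps=(), session=None):
    """Return (decision, reason) for a same-account request.

    Order mirrors the troubleshooting checklist: an explicit Deny anywhere wins,
    then every restricting layer that is present (SCP, permission boundary,
    session policy) must contain an Allow, and finally an identity or resource
    policy must actually grant the action.
    """
    layers = {
        "identity policy": list(identity),
        "resource policy": [resource_policy] if resource_policy else [],
        "permission boundary": [boundary] if boundary else [],
        "SCP": list(scps),
        "session policy": [session] if session else [],
    }
    # 1. Explicit Deny in any layer overrides every Allow.
    for name, policies in layers.items():
        if _has(policies, "Deny", action, resource):
            return "Deny", f"explicit deny in {name}"
    # 2. Each restricting layer that is attached must allow the action.
    for name in ("SCP", "permission boundary", "session policy"):
        policies = layers[name]
        if policies and not _has(policies, "Allow", action, resource):
            return "Deny", f"implicit deny: no Allow in {name}"
    # 3. Something must grant the action.
    if (_has(layers["identity policy"], "Allow", action, resource)
            or _has(layers["resource policy"], "Allow", action, resource)):
        return "Allow", "allowed"
    return "Deny", "implicit deny: no Allow in identity or resource policy"


# Constructed sample policies (placeholder ARNs, not from any real account).
ADMIN_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
SCP_DENY_DELETE = {"Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    req = ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv")
    print(explain_access(*req, identity=[ADMIN_S3]))
    print(explain_access(*req, identity=[ADMIN_S3], boundary=BOUNDARY_READ_ONLY))
    print(explain_access("s3:DeleteBucket", "arn:aws:s3:::example-bucket",
                         identity=[ADMIN_S3], scps=[SCP_DENY_DELETE]))
```

The second call shows the case the exam likes to ask about: the identity policy grants `s3:*`, yet the request is denied because the permission boundary never allows `s3:PutObject`. The third shows an SCP's explicit Deny overriding an administrator-level identity policy.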
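As an added example of the preventive control this tip refers to (not code from the original page or from AWS), the block below builds a bucket policy whose two Deny statements reject any `s3:PutObject` that does not name SSE-KMS and one specific key, and pairs it with a small evaluator of the `StringNotEquals` conditions so the behaviour can be checked offline. The bucket name and key ARN are constructed placeholders; the condition keys `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` are the real S3 condition keys.

```python
"""Bucket policy enforcing SSE-KMS with one specific key, plus a condition
evaluator for its Deny statements (added example, not AWS code)."""
import json

BUCKET = "example-finance-bucket"  # constructed placeholder
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "00000000-0000-0000-0000-000000000000")  # constructed placeholder

ENC_HEADER = "s3:x-amz-server-side-encryption"
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject SSE-S3 (AES256) and uploads that send no encryption header.
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {ENC_HEADER: "aws:kms"}},
        },
        {   # Reject SSE-KMS uploads that name a different key (or none).
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {KEY_HEADER: KEY_ARN}},
        },
    ],
}


def _string_not_equals(request_context, expected):
    """IAM semantics for the negated operator: the condition is true if any
    expected key is missing from the request or holds a different value."""
    return any(request_context.get(k) != v for k, v in expected.items())


def denied_statement(request_context, policy=BUCKET_POLICY):
    """Return the Sid of the first Deny statement whose condition matches the
    request context (the upload headers S3 exposes as condition keys), or None
    when neither Deny applies. Only s3:PutObject is modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        (operator, expected), = stmt["Condition"].items()
        if operator == "StringNotEquals" and _string_not_equals(request_context, expected):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    # Constructed request contexts: what the client sent as upload headers.
    print(denied_statement({}))                                   # DenyNonKmsUploads
    print(denied_statement({ENC_HEADER: "AES256"}))               # DenyNonKmsUploads
    print(denied_statement({ENC_HEADER: "aws:kms"}))              # DenyWrongKmsKey
    print(denied_statement({ENC_HEADER: "aws:kms", KEY_HEADER: KEY_ARN}))  # None
```

Note the practical consequence the evaluator makes visible: an upload that sends no encryption header is rejected by `DenyNonKmsUploads` even though default encryption would have applied the key, because a negated condition operator matches when the key is absent from the request. Clients that rely on default encryption therefore have to start sending the headers once such a policy is attached.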

Frequently Asked Questions

How many questions on the SOA-C03 exam come from Domain 4?

Domain 4 (Security and Compliance) makes up 16% of the SOA-C03 exam. The exam has 65 scored questions, so approximately 10 questions will come from this domain.

What services should I focus on for Domain 4?

The key services for this domain include IAM, Security & Compliance, KMS, AWS Config, CloudTrail, Organizations, WAF & Shield. Make sure you understand how each service works, its use cases, and how they integrate with one another.

How should I prepare for Security and Compliance questions?

Start by reviewing the key topics listed above, then practice with domain-specific questions. Focus on understanding real-world scenarios rather than memorizing facts. Use our practice quizzes to test your knowledge and review explanations for any questions you get wrong.

What's the best order to study the SOA-C03 domains?

Many candidates start with the highest-weighted domains first. The SOA-C03 domains and their weights are: Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%), Reliability and Business Continuity (22%), Deployment, Provisioning, and Automation (22%), Security and Compliance (16%), Networking and Content Delivery (18%). However, start with whichever domain aligns best with your existing experience.

Practice Domain 4 Questions

Test your knowledge of Security and Compliance with practice questions from our SOA-C03 question bank.
