Step 3 โ Security & Responsibility
Ask any long-time AWS trainer which single concept trips up the most Cloud Practitioner candidates, and theyโll say the same thing: people assume AWS secures everything for them. It doesnโt. Security on AWS is a partnership with a clearly drawn line, and almost every security question on this exam is really just asking you where that line sits.
The Shared Responsibility Model
The idea is simple once it clicks: AWS secures the cloud itself, you secure what you put in the cloud.
AWS is responsible for: YOU are responsible for: โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ Physical data centers Your data and how it's classified Hardware and host infrastructure Identity and access management Network infrastructure Operating system patches (on EC2) Virtualization layer Firewall / security group configuration Client-side and server-side encryptionThe exact split shifts depending on the service. With EC2, youโre managing more โ the guest operating system, any software you install, network configuration through security groups. With a fully managed service like DynamoDB or RDS, AWS absorbs more of that burden โ youโre mainly responsible for your data and whoโs allowed to access it.
A helpful mental shortcut: the more โmanagedโ a service is, the more responsibility shifts to AWS. The more raw control you have (like a bare EC2 instance), the more responsibility sits with you.
IAM: Controlling Who Can Do What
IAM โ Identity and Access Management โ is the system governing every action taken inside an AWS account. At the foundational level, you donโt need to write policies yourself, but you do need to know what each building block represents.
Root user โ (the email address that created the account โ extremely powerful, rarely used day to day) โ โโโ IAM Users โ individual identities for people or applications โ โโโ IAM Groups โ collections of users, given permissions once, shared by everyone in the group โ โโโ IAM Roles โ temporary permissions assumed by a user, application, or AWS service โ โโโ IAM Policies โ JSON documents that define exactly what's allowed or deniedUsers represent an individual person or application that needs to sign in. Groups let you manage permissions in bulk โ attach a policy once to a group, and every member inherits it, instead of repeating the same policy on ten different users. Roles are different from users in one key way: nobody logs into a role permanently. A role is assumed temporarily โ an EC2 instance might assume a role to read from an S3 bucket, or an employee might assume a role to get elevated access for a specific task, then have it expire.
Policies are the documents that actually spell out permissions โ which actions are allowed, on which resources, under which conditions. You donโt need to write policy JSON for this exam, but you should recognize that a policy is what turns a user or role from โexistsโ into โcan actually do something.โ
A useful phrase for remembering the pattern: users are who you are, groups are how youโre organized, roles are what you can temporarily become, and policies are what youโre allowed to do.
Root Account Best Practices
The root user is created the moment you set up an AWS account, tied to the original email address, and it can do literally anything โ including closing the account. That power is exactly why AWSโs guidance is consistent and blunt:
- Donโt use the root account for everyday tasks. Create an IAM user (or use IAM Identity Center) for daily work instead.
- Enable MFA (Multi-Factor Authentication) on the root account immediately.
- Store root credentials somewhere secure and donโt share them.
- Use the root account only for the small number of tasks that genuinely require it, such as changing the accountโs support plan or closing the account entirely.
If an exam question asks โwhat is the most secure way to grant access to a new employee,โ the answer is never โshare the root credentialsโ and never โlog them in as root.โ Itโs some form of IAM user, group, or role.
Multi-Factor Authentication (MFA)
MFA requires a second proof of identity beyond a password โ typically a rotating code from a virtual authenticator app, a hardware security key, or a code sent to a registered device. The logic is straightforward: even if a password leaks, an attacker still canโt get in without that second factor.
AWS recommends MFA on the root account without exception, and strongly encourages it for any IAM user with meaningful permissions. When a question describes a security incident caused by a leaked password, the โhow could this have been preventedโ answer usually points straight at MFA.
Encryption Basics
Encryption on AWS breaks down into two states, and the exam expects you to know the difference:
| Type | What it protects | Example |
|---|---|---|
| Encryption at rest | Data sitting in storage | An encrypted S3 bucket, an encrypted EBS volume |
| Encryption in transit | Data moving across a network | HTTPS/TLS between a browser and a web server |
AWS Key Management Service (KMS) is the service most commonly mentioned for managing the encryption keys behind at-rest encryption โ you donโt need its internal mechanics for this exam, just recognize it as โthe service that manages encryption keysโ when a scenario mentions protecting stored data.
You should also be comfortable with the general idea that many AWS services offer encryption as a checkbox or a default setting rather than something you build from scratch โ the exam is testing awareness that encryption options exist and are commonly enabled, not how to implement cryptography.
DDoS Protection with AWS Shield
A Distributed Denial of Service (DDoS) attack tries to overwhelm a system with traffic until it can no longer serve legitimate users. AWS Shield defends against this at two levels:
AWS Shield Standard - Automatically enabled for every AWS customer, at no extra cost - Protects against the most common, most frequent network and transport layer attacks
AWS Shield Advanced - Paid tier, subscription-based - Adds enhanced detection, 24/7 access to a specialized response team, and cost protection against scaling charges caused by an attackIf a question describes needing extra DDoS support with direct access to AWSโs response team, thatโs Shield Advanced. If itโs just asking โdoes AWS provide any baseline DDoS protection automatically,โ the answer is Shield Standard, and it applies to everyone by default.
Compliance and AWS Artifact
Organizations in regulated industries โ finance, healthcare, government โ often need documented proof that AWS meets specific compliance standards before theyโre allowed to use it. Thatโs where AWS Artifact comes in: a self-service portal where you can download AWS compliance reports and agreements, such as SOC reports or evidence tied to standards like ISO 27001 or PCI DSS.
Artifact doesnโt make your workload compliant on its own โ remember the Shared Responsibility Model. AWS provides evidence that its side of the infrastructure meets a given standard; youโre still responsible for configuring your own applications and data handling in a way that satisfies the same standard.
Exam Focus: What Questions Test From This Step
- Correctly splitting a described responsibility between AWS and the customer under the Shared Responsibility Model
- Recognizing IAM users, groups, roles, and policies by definition, not by hands-on configuration
- Root account best practices โ never for daily use, always with MFA enabled
- Knowing MFA adds a second layer of proof beyond a password
- Telling encryption at rest apart from encryption in transit
- Shield Standard (automatic, free, everyone) versus Shield Advanced (paid, enhanced, dedicated support)
- AWS Artifact as the source for compliance reports, not a compliance guarantee by itself