AWS Security & Shared Responsibility for CLF-C02 Exam Prep

AWS (Amazon Web Services) · Foundational · Step 3 of 5 · 106 guides · updated 2026


Step 3: Security & Responsibility

Ask any long-time AWS trainer which single concept trips up the most Cloud Practitioner candidates, and they'll say the same thing: people assume AWS secures everything for them. It doesn't. Security on AWS is a partnership with a clearly drawn line, and almost every security question on this exam is really just asking you where that line sits.


The Shared Responsibility Model

The idea is simple once it clicks: AWS secures the cloud itself, you secure what you put in the cloud.

AWS is responsible for:              YOU are responsible for:
────────────────────────────         ────────────────────────────
Physical data centers                Your data and how it's classified
Hardware and host infrastructure     Identity and access management
Network infrastructure               Operating system patches (on EC2)
Virtualization layer                 Firewall / security group configuration
                                     Client-side and server-side encryption

The exact split shifts depending on the service. With EC2, you're managing more: the guest operating system, any software you install, and network configuration through security groups. With a fully managed service like DynamoDB or RDS, AWS absorbs more of that burden; you're mainly responsible for your data and who's allowed to access it.

A helpful mental shortcut: the more "managed" a service is, the more responsibility shifts to AWS. The more raw control you have (like a bare EC2 instance), the more responsibility sits with you.


IAM: Controlling Who Can Do What

IAM (Identity and Access Management) is the system governing every action taken inside an AWS account. At the foundational level, you don't need to write policies yourself, but you do need to know what each building block represents.

Root user
│   (the email address that created the account; extremely powerful, rarely used day to day)
│
├── IAM Users    → individual identities for people or applications
│
├── IAM Groups   → collections of users, given permissions once, shared by everyone in the group
│
├── IAM Roles    → temporary permissions assumed by a user, application, or AWS service
│
└── IAM Policies → JSON documents that define exactly what's allowed or denied

Users represent an individual person or application that needs to sign in. Groups let you manage permissions in bulk: attach a policy once to a group, and every member inherits it, instead of repeating the same policy on ten different users. Roles are different from users in one key way: nobody logs into a role permanently. A role is assumed temporarily. An EC2 instance might assume a role to read from an S3 bucket, or an employee might assume a role to get elevated access for a specific task, then have it expire.

Policies are the documents that actually spell out permissions: which actions are allowed, on which resources, under which conditions. You don't need to write policy JSON for this exam, but you should recognize that a policy is what turns a user or role from "exists" into "can actually do something."

A useful phrase for remembering the pattern: users are who you are, groups are how you're organized, roles are what you can temporarily become, and policies are what you're allowed to do.
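The four building blocks above, modelled in a small Python simulation. This is example code added for illustration, not AWS code and not part of the original guide; it never talks to AWS. The data (policies, an "analysts" group, a user "alice", an "S3Cleanup" role) is constructed for the demo. The evaluation order it implements, where an explicit Deny always wins, otherwise at least one Allow is required, otherwise the request is refused, is how real IAM evaluates identity-based policies, but everything else (the dataclasses, the expiry handling) is a simplification.

```python
"""Toy model of IAM users, groups, roles and policies (added example, not AWS code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import time


@dataclass
class Policy:
    """A policy is a list of statements: Effect, Action pattern(s), Resource pattern(s)."""
    name: str
    statements: list  # each: {"Effect": "Allow"|"Deny", "Action": [...], "Resource": [...]}


@dataclass
class Group:
    name: str
    policies: list = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    policies: list = field(default_factory=list)

    def effective_policies(self):
        # A user inherits every policy attached to a group they belong to.
        return self.policies + [p for g in self.groups for p in g.policies]


@dataclass
class Role:
    name: str
    policies: list = field(default_factory=list)


@dataclass
class Session:
    """Credentials obtained by assuming a role; unlike a user login, they expire."""
    role: Role
    expires_at: float

    def effective_policies(self, now=None):
        now = time.time() if now is None else now
        if now >= self.expires_at:
            return []  # expired session: no permissions at all
        return self.role.policies


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Explicit Deny wins; otherwise an Allow is needed; otherwise deny by default."""
    allowed = False
    for policy in policies:
        for stmt in policy.statements:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# --- constructed sample data (hypothetical names) -------------------------
READ_REPORTS = Policy("ReadReports", [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
])
NO_DELETE = Policy("NoDelete", [
    {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": ["*"]},
])
ADMIN_S3 = Policy("S3Admin", [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
])

analysts = Group("analysts", policies=[READ_REPORTS, NO_DELETE])
alice = User("alice", groups=[analysts])          # gets permissions only via the group
cleanup_role = Role("S3Cleanup", policies=[ADMIN_S3])


def assume_role(role, duration_seconds=3600, now=None):
    """Hand out temporary credentials for a role with an expiry time."""
    now = time.time() if now is None else now
    return Session(role, expires_at=now + duration_seconds)


def demo(now=1_000_000.0):
    session = assume_role(cleanup_role, duration_seconds=900, now=now)
    report = "arn:aws:s3:::example-reports/q1.csv"
    return {
        "alice_reads_report": is_allowed(alice.effective_policies(), "s3:GetObject", report),
        "alice_deletes": is_allowed(alice.effective_policies(), "s3:DeleteObject", report),
        "alice_reads_other_bucket": is_allowed(alice.effective_policies(), "s3:GetObject",
                                               "arn:aws:s3:::other/x"),
        "role_deletes_now": is_allowed(session.effective_policies(now=now), "s3:DeleteObject", report),
        "role_deletes_after_expiry": is_allowed(session.effective_policies(now=now + 901),
                                                "s3:DeleteObject", report),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows the group's Allow letting alice read, the group's Deny overriding that for deletes, the default deny on a bucket no policy mentions, and the role's broad permissions vanishing the moment its session expires.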


Root Account Best Practices

The root user is created the moment you set up an AWS account, tied to the original email address, and it can do literally anything, including closing the account. That power is exactly why AWS's guidance is consistent and blunt:

If an exam question asks "what is the most secure way to grant access to a new employee," the answer is never "share the root credentials" and never "log them in as root." It's some form of IAM user, group, or role.


Multi-Factor Authentication (MFA)

MFA requires a second proof of identity beyond a password: typically a rotating code from a virtual authenticator app, a hardware security key, or a code sent to a registered device. The logic is straightforward: even if a password leaks, an attacker still can't get in without that second factor.

AWS recommends MFA on the root account without exception, and strongly encourages it for any IAM user with meaningful permissions. When a question describes a security incident caused by a leaked password, the "how could this have been prevented" answer usually points straight at MFA.
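A way to check the two MFA recommendations above against a real account is the IAM credential report, a CSV that lists every user (the root user appears as "<root_account>") with a "password_enabled" and an "mfa_active" column. The script below is an added example, not AWS code and not from the original guide; the report text is a constructed sample in that column layout, with only the columns the check needs populated.

```python
"""Flag root and console users without MFA from an IAM credential report (added example)."""
import csv
import io

# Constructed sample report (not real account data). Column names follow the
# IAM credential report; the root user is listed as "<root_account>".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T12:00:00+00:00,true,2024-05-02T09:00:00+00:00,true
bob,arn:aws:iam::111122223333:user/bob,2022-06-07T08:00:00+00:00,true,no_information,false
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2023-01-01T00:00:00+00:00,false,no_information,false
"""


def _is_true(value):
    return value.strip().lower() == "true"


def audit_mfa(report_csv):
    """Return (user, finding) tuples for identities that violate the MFA guidance.

    Rules, from the guidance above:
      * the root user must always have MFA;
      * any IAM user who can sign in with a password should have MFA.
    Users with no password (API-only identities such as ci-deployer) cannot use
    console MFA, so they are not reported here.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if not _is_true(row["mfa_active"]):
                findings.append((user, "root user has no MFA device"))
        elif _is_true(row["password_enabled"]) and not _is_true(row["mfa_active"]):
            findings.append((user, "console user without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_mfa(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

On the sample, the root user and bob are reported; alice has MFA and ci-deployer has no console password, so neither is flagged.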


Encryption Basics

Encryption on AWS breaks down into two states, and the exam expects you to know the difference:

Type                    What it protects                  Example
Encryption at rest      Data sitting in storage           An encrypted S3 bucket, an encrypted EBS volume
Encryption in transit   Data moving across a network      HTTPS/TLS between a browser and a web server

AWS Key Management Service (KMS) is the service most commonly mentioned for managing the encryption keys behind at-rest encryption. You don't need its internal mechanics for this exam; just recognize it as "the service that manages encryption keys" when a scenario mentions protecting stored data.

You should also be comfortable with the general idea that many AWS services offer encryption as a checkbox or a default setting rather than something you build from scratch. The exam is testing awareness that encryption options exist and are commonly enabled, not how to implement cryptography.
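Since those "checkbox" settings are what you own under the Shared Responsibility Model, the natural practitioner task is verifying they are actually on. The script below is an added example (not AWS code, not from the original guide) that audits both states from the table above over constructed data: EBS volumes in the shape of an EC2 describe_volumes response (Encrypted, KmsKeyId), S3 bucket default-encryption configurations in the shape of get_bucket_encryption (ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault.SSEAlgorithm), and, for in-transit encryption, bucket policies checked for a Deny on requests where the aws:SecureTransport condition key is false. The bucket and volume names and the key ARN are made up; no AWS calls are made.

```python
"""Audit at-rest and in-transit encryption settings over constructed data (added example)."""
import json

# Constructed sample: two EBS volumes, one left unencrypted.
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
]}

# Constructed sample: default-encryption config per bucket (None = nothing configured).
BUCKET_ENCRYPTION = {
    "example-reports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    "example-logs": None,
}

# Constructed sample bucket policies; only the first refuses plaintext HTTP.
TLS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
BUCKET_POLICIES = {"example-reports": json.dumps(TLS_ONLY_POLICY), "example-logs": None}


def unencrypted_volumes(describe_volumes_response):
    """At rest: EBS volumes whose Encrypted flag is not set."""
    return [v["VolumeId"] for v in describe_volumes_response["Volumes"] if not v.get("Encrypted")]


def buckets_without_default_encryption(configs):
    """At rest: buckets with no default server-side encryption rule."""
    missing = []
    for name, cfg in configs.items():
        rules = (cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
        if not any(algorithms):
            missing.append(name)
    return missing


def _denies_plaintext(statement):
    """True if the statement is a Deny keyed on aws:SecureTransport being false."""
    if statement.get("Effect") != "Deny":
        return False
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:SecureTransport", "")).lower() == "false"


def buckets_without_tls_enforcement(policies):
    """In transit: buckets whose policy does not deny non-HTTPS requests."""
    missing = []
    for name, doc in policies.items():
        statements = json.loads(doc)["Statement"] if doc else []
        if isinstance(statements, dict):  # a single statement may be given without a list
            statements = [statements]
        if not any(_denies_plaintext(s) for s in statements):
            missing.append(name)
    return missing


def run_audit():
    return {
        "unencrypted_volumes": unencrypted_volumes(VOLUMES),
        "buckets_without_default_encryption": buckets_without_default_encryption(BUCKET_ENCRYPTION),
        "buckets_without_tls_enforcement": buckets_without_tls_enforcement(BUCKET_POLICIES),
    }


if __name__ == "__main__":
    for check, offenders in run_audit().items():
        print(f"{check}: {offenders}")
```

Each finding maps back to the table: the volume and the bucket without a default rule are at-rest gaps, while the bucket whose policy accepts plain HTTP is an in-transit gap, even if its objects are encrypted on disk.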


DDoS Protection with AWS Shield

A Distributed Denial of Service (DDoS) attack tries to overwhelm a system with traffic until it can no longer serve legitimate users. AWS Shield defends against this at two levels:

AWS Shield Standard
- Automatically enabled for every AWS customer, at no extra cost
- Protects against the most common, most frequent network and transport layer attacks

AWS Shield Advanced
- Paid tier, subscription-based
- Adds enhanced detection, 24/7 access to a specialized response team, and cost protection against scaling charges caused by an attack

If a question describes needing extra DDoS support with direct access to AWS's response team, that's Shield Advanced. If it's just asking "does AWS provide any baseline DDoS protection automatically," the answer is Shield Standard, and it applies to everyone by default.


Compliance and AWS Artifact

Organizations in regulated industries (finance, healthcare, government) often need documented proof that AWS meets specific compliance standards before they're allowed to use it. That's where AWS Artifact comes in: a self-service portal where you can download AWS compliance reports and agreements, such as SOC reports or evidence tied to standards like ISO 27001 or PCI DSS.

Artifact doesn't make your workload compliant on its own; remember the Shared Responsibility Model. AWS provides evidence that its side of the infrastructure meets a given standard; you're still responsible for configuring your own applications and data handling in a way that satisfies the same standard.


Exam Focus: What Questions Test From This Step