Back to AWS Certified Cloud Practitioner (CLF-C02)

Security and Compliance

Understand the AWS shared responsibility model, security governance, access management, and security resources.

Covers the AWS shared responsibility model including customer vs AWS responsibilities. Includes security governance and compliance concepts, encryption options, IAM capabilities, root user protection, MFA, and AWS security services like WAF, Shield, GuardDuty, Inspector, and Security Hub. Represents 30% of the exam.
5 minutes 5 Questions

Security and Compliance are fundamental pillars of AWS Cloud services, representing a shared responsibility model between AWS and its customers. AWS manages security OF the cloud, which includes physical infrastructure, hardware, networking, and the virtualization layer. Customers are responsible f…

Concepts covered: AWS shared responsibility model, Customer responsibilities on AWS, AWS responsibilities, Shared responsibilities, Responsibility shift by service type, AWS Security Hub, AWS compliance and governance concepts, AWS Artifact, Amazon GuardDuty, Compliance requirements by region and industry, Encryption in transit, Encryption at rest, Amazon CloudWatch for monitoring, AWS CloudTrail for auditing, AWS Config, Access keys and password policies, AWS IAM Identity Center (SSO), AWS Audit Manager, Amazon Inspector, AWS Shield, AWS Identity and Access Management (IAM), Protecting the AWS root user account, Principle of least privilege, AWS Secrets Manager, AWS Systems Manager Parameter Store, Multi-factor authentication (MFA), IAM users, groups, and policies, Cross-account IAM roles, Federated identity management, Root user exclusive tasks, AWS WAF (Web Application Firewall), AWS Firewall Manager, AWS Marketplace third-party security, AWS Knowledge Center, AWS Security Center and Blog, AWS Trusted Advisor for security

Test mode:
Start practice test
CLF-C02 - Security and Compliance Example Questions

Test your knowledge of Security and Compliance

Question 1

What is the primary purpose of implementing Multi-Factor Authentication in an AWS environment?

Correct Answer: To require multiple independent credentials from different authentication categories before granting access to resources

The primary purpose of Multi-Factor Authentication (MFA) in AWS is to require multiple independent credentials from different authentication categories before granting access to resources.

MFA works by combining two or more independent factors:
- Something you know (like a password)
- Something you have (like a hardware token or smartphone app)
- Something you are (like biometric data)

This approach significantly enhances security by ensuring that even if one factor (such as a password) is compromised, unauthorized users still cannot access the account without the additional authentication factor.

Why the other answers are incorrect:

The option about multiple password variations and encrypted vaults misrepresents MFA. MFA is not about storing multiple passwords or password variations - it's about using different types of authentication factors altogether, not just variations of the same factor type.

The option regarding automatic failover between authentication servers describes a high availability or disaster recovery mechanism, not the core purpose of MFA. While AWS authentication services may have redundancy built in, this is not what MFA is designed to accomplish.

The option that mentions automatic credential rotation on a scheduled basis adds an incorrect element. While MFA does require multiple independent credentials from different categories (which is correct), it does not inherently include automatic scheduled rotation. Credential rotation is a separate security practice and is not a defining characteristic of MFA's primary purpose.

Question 2

Which AWS service should be configured to aggregate performance data from distributed application components, visualize resource consumption patterns through graphical dashboards, and trigger automated responses when system metrics breach predefined thresholds?

Correct Answer: Amazon CloudWatch

The correct answer is Amazon CloudWatch.

Amazon CloudWatch is the comprehensive monitoring and observability service that perfectly matches all three requirements mentioned in the question:

  1. Aggregating performance data: CloudWatch collects and stores metrics from various AWS services and application components automatically. It can also receive custom metrics from your applications.

  2. Visualizing through graphical dashboards: CloudWatch provides built-in dashboards and allows you to create custom dashboards with graphs, charts, and visual representations of your metrics and logs.

  3. Triggering automated responses: CloudWatch Alarms enable you to set thresholds on metrics and automatically trigger actions (like SNS notifications, Auto Scaling policies, or Lambda functions) when those thresholds are breached.

Why the other options are not the best fit:

AWS Systems Manager OpsCenter is designed for managing and resolving operational work items (OpsItems) and incidents. While it centralizes operational data, it's not primarily focused on performance monitoring, metric visualization, or threshold-based automated responses. It's more about incident management and remediation.

Amazon EventBridge is an event bus service that routes events between AWS services and applications. While it's excellent for event-driven architectures and can respond to state changes, it doesn't natively aggregate performance metrics, create graphical dashboards, or monitor thresholds. It's complementary to CloudWatch but doesn't provide the monitoring and visualization capabilities described.

AWS Health Dashboard provides information about AWS service health and events that might affect your resources. It's focused on AWS service availability and planned maintenance notifications, not on monitoring your application's performance metrics or creating custom dashboards with threshold-based alarms.

Question 3

What is the primary language in which AWS Knowledge Center articles are originally published?

Correct Answer: English, with translations available for select articles in multiple languages

AWS Knowledge Center articles are primarily published in English, with translations available for select articles in multiple languages. This is the standard approach AWS uses for its support documentation and knowledge resources.

AWS maintains its Knowledge Center content primarily in English as the source language, which ensures consistency and quality control. For important and frequently accessed articles, AWS provides official translations in various languages such as Japanese, Korean, Chinese, French, German, Portuguese, and Spanish. However, not all articles are translated into all languages - translations are typically provided for select articles based on demand and relevance to different regional markets.

The other options are incorrect because:

  • AWS does not use embedded machine translation tools as the primary method for providing multilingual content in the Knowledge Center. While machine translation exists on some AWS properties, the Knowledge Center relies on professional translations for select articles.

  • Articles are not published simultaneously in multiple languages by regional teams. There is a primary English publication followed by selective translation, not simultaneous multi-language publishing.

  • While AWS values community input, the Knowledge Center translations are not primarily community-contributed. AWS maintains professional translation processes for its official support documentation to ensure accuracy and consistency with technical terminology.

More Security and Compliance questions
1764 questions (total)
Start 100 question test