CLF-C02 Security and Compliance Guide

This is the heaviest CLF-C02 domain. AWS is not expecting architect-level security design, but it does expect you to separate what AWS secures from what the customer still owns, understand basic identity and least-privilege logic, and recognize the governance or compliance service that fits the question.

Current weight in the exam guide

AWS currently weights Security and Compliance at 30% of scored content.

Work this domain in order

Fast routing inside this chapter

What strong answers usually do

• identify the responsibility boundary before they pick a control
• remove root-user and long-term-credential answers quickly
• keep identity, logging, compliance evidence, and threat detection as separate lanes
• prefer simple managed controls over home-built workarounds on a fundamentals exam

Common CLF-C02 traps in this domain

• assuming AWS secures everything after a workload is in the cloud
• mixing CloudTrail, CloudWatch, Config, and Artifact
• treating security group, network ACL, and WAF as if they all solve the same problem
• choosing a lower-level implementation detail instead of the broadest correct security answer

Late-stage review bias

If your misses include the phrase most secure, compliance, or shared responsibility, protect this chapter first. It is the biggest domain and it usually produces near-miss questions with plausible distractors.

In this section

• CLF-C02 Shared Responsibility and Protection Boundaries Guide
  Study CLF-C02 Shared Responsibility and Protection Boundaries: key concepts, common traps, and exam decision cues.
• CLF-C02 Identity, Access and Root-Account Protection Guide
  Study CLF-C02 Identity, Access and Root-Account Protection: key concepts, common traps, and exam decision cues.
• CLF-C02 Governance, Compliance, Logging and Security Services Guide
  Study CLF-C02 Governance, Compliance, Logging and Security Services: key concepts, common traps, and exam decision cues.