Study SAP-C02 Security Controls for New Solutions: key concepts, common traps, and exam decision cues.
Security questions for new AWS solutions usually reward candidates who layer controls in the right order: identity, network exposure, encryption, secret handling, and edge protection. SAP-C02 wants design judgment, not a bag of disconnected security names.

| Need | Strongest first fit | Why |
|---|---|---|
| least-privilege access for users and workloads | IAM roles and scoped policies | identity boundary first |
| instance or subnet level traffic filtering | security groups and NACLs | network boundary controls |
| encryption for data at rest and in transit | KMS and ACM | key and certificate management |
| private AWS service access without public egress | VPC endpoints or PrivateLink | reduce public exposure |
| secret storage and rotation | AWS Secrets Manager or Systems Manager Parameter Store | central secret handling |
| Layer 7 edge protection | AWS WAF and Shield | application edge protection |

| Trap | Better rule |
|---|---|
| relying on one security layer only | identity, network, encryption, and secret handling all have separate roles |
| storing credentials in code or instance metadata by habit | use managed secret services and roles |
| forgetting private access options | endpoints often solve both security and egress concerns |
| choosing network controls for an identity problem | access authorization and packet filtering are different lanes |

Security-design questions usually start with the path you are trying to protect. If workloads in private subnets must reach AWS services privately, think VPC endpoints or PrivateLink. If the issue is centralized secret storage and rotation, think Secrets Manager. If the issue is keys versus certificates, separate KMS from ACM. SAP-C02 often tests that service-fit discipline directly.
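The identity and secret-handling rows above (least privilege via scoped IAM policies, and no credentials in code) are the two controls a reviewer can check mechanically before a design ships. The following is an added example, not part of the original study notes or any AWS tooling: a small Python reviewer that flags over-broad `Allow` statements in an IAM policy document and scans source lines for hard-coded access keys. The policy documents, the `example-bucket` and `example-db-*` ARNs, and the sample source lines are constructed for the example; the key pair in the sample source is the placeholder pair AWS uses in its own documentation, not a live credential.

```python
import json
import re

# Constructed sample: an over-broad policy of the kind the traps table warns about
# (one statement allows every action on every resource), then a scoped version.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        # A role reads its database secret from Secrets Manager at runtime
        # instead of carrying it in code; the ARN below is a constructed placeholder.
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-db-*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy_json):
    """Return (statement_index, finding) pairs for grants that defeat least privilege."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow statements widen it
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((index, "NotAction/NotResource grants everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            # "*" is all actions; "s3:*" is every action of one service
            if action == "*" or action.endswith(":*"):
                findings.append((index, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((index, "wildcard resource '*'"))
    return findings


# Constructed sample source: two hard-coded credential lines (the AWS documentation
# placeholder key pair), then a line that fetches the secret through a role at runtime.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = secrets_client.get_secret_value(SecretId="example-db-credentials")["SecretString"]
"""

# Long-term access key ids start with AKIA, temporary ones with ASIA, then 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# A secret access key is 40 base64-style characters assigned to the well-known variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def find_hardcoded_credentials(source):
    """Return (line_number, finding) pairs for credential literals in source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            hits.append((lineno, "access key id literal"))
        if SECRET_KEY_RE.search(line):
            hits.append((lineno, "secret access key literal"))
    return hits


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, review_policy(doc))
    print("credentials", find_hardcoded_credentials(SAMPLE_SOURCE))
```

Both checks are deliberately simple pattern checks: `review_policy` does not evaluate conditions or resource-level permissions, and the credential scan only recognises the standard AWS key shapes, so they are a first gate in a code review or pipeline, not a substitute for IAM Access Analyzer or a full secret scanner. The point they make for the exam is the same as the tables: a scoped role plus a managed secret store removes both findings at once, which is why the identity lane is fixed before network or edge controls are considered.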