
AWS CCP Study Guide: Security, Identity & Compliance

28 April 2026 · Matt

IAM, the Shared Responsibility Model, MFA, KMS, Shield, WAF, GuardDuty, and compliance tools.

Shared Responsibility Model

The single most important security concept for the CCP exam. AWS and the customer share security responsibilities:

  • AWS is responsible for (security OF the cloud): physical data centres, hardware, network and hypervisor, and the underlying infrastructure of managed services (e.g. RDS OS patching, the Lambda runtime, S3 storage systems).
  • You are responsible for (security IN the cloud): your data, EC2 OS configuration and patching, application code, identity and access management (IAM), encryption at rest and in transit, security group and network ACL rules, and patching your own AMIs.
Exam tip: the more managed the service, the more AWS takes on. Lambda: you own the function code, its configuration and execution role, and your data. EC2: you own everything from the OS up. RDS: AWS patches the OS and database engine; you patch your application and manage database users and access.

IAM — Identity and Access Management

Controls who (authentication) can do what (authorisation) in your AWS account. Global service — not region-specific.

  • Root account: Has unrestricted access that no IAM policy can restrict. Use it only for the few tasks that require it (initial setup, some billing and account settings). Enable MFA, create an IAM admin user, then use that instead and lock the root credentials away.
  • Users: Identities for individual humans, carrying long-term credentials (console password, access keys). Best practice: one user per person, permissions applied via groups, and no access keys unless they are genuinely needed.
  • Groups: Collections of users sharing policies. Cannot nest groups within groups.
  • Roles: Assumed temporarily by services, applications, or users. EC2 instances assume roles to access S3 — no credentials embedded in code. Cross-account access uses roles.
  • Policies: JSON documents defining Allow/Deny for specific actions on specific resources. Types: AWS Managed (AWS creates/maintains), Customer Managed (you create), Inline (embedded in a single entity).
  • Principle of Least Privilege: Grant only the minimum permissions required. Start with nothing and add as needed.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect":   "Allow",
    "Action":   ["s3:GetObject"],
    "Resource": "arn:aws:s3:::my-bucket/public/*"
  }]
}

MFA — Multi-Factor Authentication

Adds a second factor to IAM sign-in. Should be enabled on the root account and all privileged users. Types: virtual MFA (Google Authenticator, Authy), hardware TOTP token, FIDO security key (YubiKey). Policies can enforce MFA using the aws:MultiFactorAuthPresent condition key.
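The evaluation rules from the IAM and MFA sections above (implicit deny by default, explicit Deny beats Allow, wildcard matching, and the aws:MultiFactorAuthPresent condition), worked through as an added example that is not part of the original post or of AWS. It models only identity-based policies with Action/Resource and the Bool/StringEquals operators; the policies, request contexts and the "deny everything unless MFA" guard are constructed for the example.

```python
"""Toy IAM policy evaluator (added example, not AWS code): implicit deny by
default, explicit Deny beats Allow, * and ? wildcards on Action/Resource,
and Bool/StringEquals conditions with their ...IfExists variants."""
import re


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wild(pattern):
    """IAM wildcards: * matches any run of characters, ? matches one."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def _matches_any(patterns, value, fold_case):
    # Action names are matched case-insensitively, ARNs are not.
    for p in _as_list(patterns):
        a, b = (p.lower(), value.lower()) if fold_case else (p, value)
        if _wild(a).match(b):
            return True
    return False


def _condition_holds(cond, context):
    """A key missing from the request context fails a plain operator but
    satisfies an ...IfExists operator. That difference decides whether an
    MFA guard also catches requests signed with long-term access keys, for
    which aws:MultiFactorAuthPresent is absent from the context entirely."""
    for operator, pairs in cond.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base not in ("Bool", "StringEquals"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            wanted = [str(e).lower() for e in _as_list(expected)]
            if str(context[key]).lower() not in wanted:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    NotAction, NotResource, resource-based policies and SCPs are out of scope."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches_any(stmt.get("Action", []), action, fold_case=True):
                continue
            if not _matches_any(stmt.get("Resource", []), resource, fold_case=False):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# The read-only policy from the IAM section above.
READ_PUBLIC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::my-bucket/public/*"}]}

# Broad allow, plus a "deny everything unless MFA" guard written two ways.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def mfa_guard(operator):
    """operator is 'BoolIfExists' (correct) or 'Bool' (the common mistake)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}


# Constructed request contexts: MFA session, non-MFA session, and a request
# signed with long-term access keys, where the key is not present at all.
WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY = {}


def demo():
    b = "arn:aws:s3:::my-bucket/"
    guard_ok, guard_bad = mfa_guard("BoolIfExists"), mfa_guard("Bool")
    return {
        "public_read": evaluate([READ_PUBLIC], "s3:GetObject", b + "public/index.html"),
        "private_read": evaluate([READ_PUBLIC], "s3:GetObject", b + "private/x"),
        "put": evaluate([READ_PUBLIC], "s3:PutObject", b + "public/x"),
        "mfa_session": evaluate([ADMIN, guard_ok], "iam:CreateUser", "*", WITH_MFA),
        "no_mfa_session": evaluate([ADMIN, guard_ok], "iam:CreateUser", "*", NO_MFA),
        "access_key_ifexists": evaluate([ADMIN, guard_ok], "iam:CreateUser", "*", ACCESS_KEY),
        "access_key_bool": evaluate([ADMIN, guard_bad], "iam:CreateUser", "*", ACCESS_KEY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The last two results are the point: with BoolIfExists the guard denies an access-key request because the MFA key is absent, while with plain Bool the same request sails through, so an MFA guard written with Bool only covers console sessions.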

KMS — Key Management Service

Manages encryption keys used by AWS services. Two key types:

  • AWS Managed Keys: Created on your behalf and rotated automatically (every year). No per-key charge. Named aws/s3, aws/rds etc. You can't change the rotation schedule, edit the key policy, or grant cross-account access.
  • Customer Managed Keys: You control creation, the key policy, rotation, and deletion (which requires a 7 to 30 day waiting period). $1/month/key + API usage. Required for cross-account encryption and custom rotation schedules. "CMK" is the older name for a customer managed KMS key.

KMS integrates natively with S3, EBS, RDS, Secrets Manager, CloudTrail, and more. Envelope encryption: each object is encrypted locally with a data key, and only that data key is encrypted (wrapped) under the KMS key. The KMS key never leaves KMS; what leaves is the data key, in plaintext for the moment of use and in wrapped form for storage alongside the ciphertext. Decrypting means one KMS call to unwrap the data key, not sending the data itself to KMS.
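Envelope encryption end to end, as an added example that is neither the post's nor AWS's code. ToyKms is a constructed stand-in for KMS that keeps master keys in memory and never returns them; callers only ever hold a key id, a plaintext data key for one encryption, and a wrapped data key. The cipher (HMAC-SHA256 in counter mode with an HMAC tag) is a constructed encrypt-then-MAC scheme chosen only to stay within the standard library; KMS and the AWS SDKs use AES-GCM.

```python
"""Envelope encryption with a stand-in KMS (added example, not AWS code).
The master key lives only inside ToyKms; the cipher is a constructed
HMAC-SHA256 CTR + HMAC-tag scheme, not the AES-GCM real KMS uses."""
import hashlib
import hmac
import secrets


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))


def _tag(mac_key, aad, nonce, ct):
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, aad, nonce, ct)


def open_(key, blob, aad=b""):
    """Verify the tag first; any bit flip in blob or aad raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ToyKms:
    """The two KMS operations envelope encryption needs, with the master key
    confined to this object (the stand-in for an HSM-backed KMS key)."""
    def __init__(self):
        self._master = {}

    def create_key(self):
        key_id = secrets.token_hex(8)          # 16 chars; the caller sees only this id
        self._master[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id):
        """Like GenerateDataKey: a fresh 256-bit data key, returned both in
        plaintext (for immediate use) and wrapped under the master key."""
        data_key = secrets.token_bytes(32)
        kid = key_id.encode()
        return data_key, kid + seal(self._master[key_id], data_key, aad=kid)

    def decrypt(self, wrapped):
        """Like Decrypt: the key id is read from the blob, as KMS itself does."""
        key_id, body = wrapped[:16].decode(), wrapped[16:]
        if key_id not in self._master:
            raise KeyError(f"no key {key_id} in this KMS")
        return open_(self._master[key_id], body, aad=key_id.encode())


def encrypt_object(kms, key_id, plaintext):
    """Client side: one data key per object, used once and then dropped.
    Only the wrapped key is stored beside the ciphertext."""
    data_key, wrapped = kms.generate_data_key(key_id)
    body = seal(data_key, plaintext, aad=wrapped)   # bind ciphertext to its wrapped key
    del data_key
    return {"wrapped_key": wrapped, "body": body}


def decrypt_object(kms, obj):
    """One KMS call to unwrap the data key, then purely local decryption."""
    data_key = kms.decrypt(obj["wrapped_key"])
    return open_(data_key, obj["body"], aad=obj["wrapped_key"])


def demo():
    kms = ToyKms()
    obj = encrypt_object(kms, kms.create_key(), b"customer record 42")
    out = {"roundtrip": decrypt_object(kms, obj)}
    body = obj["body"]                           # flip one ciphertext byte
    flipped = dict(obj, body=body[:20] + bytes([body[20] ^ 1]) + body[21:])
    try:
        decrypt_object(kms, flipped)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    try:                                         # another account's KMS has no such master key
        decrypt_object(ToyKms(), obj)
        out["foreign_kms_fails"] = False
    except KeyError:
        out["foreign_kms_fails"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Note what never appears outside ToyKms: the master key. Deleting or disabling the KMS key (or denying kms:Decrypt in its key policy) makes every wrapped data key unrecoverable, which is why revoking access to a single KMS key effectively shreds all data encrypted under it.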

Secrets Manager vs SSM Parameter Store

  • Secrets Manager: Stores and rotates secrets (DB passwords, API keys). Automatic rotation via Lambda integration. ~$0.40/secret/month + $0.05/10,000 API calls. Built-in integration with RDS, Redshift, DocumentDB.
  • SSM Parameter Store: Stores config and secrets. Standard (free) and Advanced ($0.05/parameter/month) tiers. SecureString type encrypts with KMS. No automatic rotation — you build that yourself.

Shield, WAF, and Threat Detection

  • Shield Standard: Free, always-on DDoS protection at layer 3/4 for all AWS customers. Included automatically.
  • Shield Advanced: $3,000/month (one-year commitment) + data transfer fees. 24/7 access to the Shield Response Team (SRT, formerly the DDoS Response Team), advanced traffic analysis and attack diagnostics, and cost protection against scaling charges caused by an attack. Attach to CloudFront, ALB, Route 53, Global Accelerator, and EC2 Elastic IPs.
  • WAF (Web Application Firewall): Layer 7 rules — block SQL injection, XSS, specific IP ranges or countries, rate limiting. Attaches to CloudFront, ALB, API Gateway, AppSync. Rules are grouped into a Web ACL; each rule's action is allow, block or count (count records matches without acting, so a new rule can be watched before it is enforced).
  • GuardDuty: Threat detection service. Analyses CloudTrail logs, VPC Flow Logs, DNS logs, and S3 data events using ML. Detects compromised instances, unusual API calls, cryptocurrency mining, credential exfiltration. No agents to install — just enable it.
  • Inspector: Automated vulnerability scanner for EC2 instances and container images. Checks against CVE databases and CIS benchmarks.
  • Macie: Uses ML to discover and protect sensitive data in S3 (PII, credit cards, credentials).

CloudTrail & AWS Config

CloudTrail: Records API calls in your account — who did what, when, from where (IP, user agent). Management events (control-plane calls such as creating users or changing security groups) are captured by default and kept in Event history for 90 days; data events (S3 object-level access, Lambda invocations) are only captured once you enable them on a trail. Create a trail to deliver logs to S3 (and optionally CloudWatch Logs) for longer retention, alerting, or cross-account auditing. Essential for incident response.
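What "essential for incident response" looks like in practice: a few detection rules run over CloudTrail records, as an added example that is not part of the post. The field names follow the CloudTrail record format; the records themselves are constructed for the example, using the documentation account id 111122223333 and TEST-NET addresses, and the failed-login threshold is an assumed value.

```python
"""Detection rules over CloudTrail records (added example, not from the post).
Field names follow the CloudTrail record format; the records are constructed."""
from collections import Counter

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILED_LOGIN_THRESHOLD = 3          # assumed threshold; tune per account


def _rec(time, source, name, identity, ip, **extra):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "sourceIPAddress": ip, **extra}


ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"}

# Constructed records: root console login (with MFA), an IAM user logging in
# without MFA, a benign read, a trail being stopped, and three failed logins.
SAMPLE_RECORDS = [
    _rec("2026-04-28T08:00:00Z", "signin.amazonaws.com", "ConsoleLogin", ROOT, "203.0.113.10",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec("2026-04-28T08:05:00Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "198.51.100.7",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2026-04-28T08:06:00Z", "ec2.amazonaws.com", "DescribeInstances", ALICE, "198.51.100.7"),
    _rec("2026-04-28T09:10:00Z", "cloudtrail.amazonaws.com", "StopLogging", BOB, "198.51.100.9",
         requestParameters={"name": "prod-trail"}),
] + [
    _rec(f"2026-04-28T10:0{i}:00Z", "signin.amazonaws.com", "ConsoleLogin",
         {"type": "IAMUser", "userName": "alice"}, "192.0.2.99",
         responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
    for i in range(3)
]


def _principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def detect(records):
    """Return findings as dicts with rule, time, principal and source_ip."""
    findings, failed_logins = [], Counter()
    for rec in records:
        ident = rec.get("userIdentity", {})
        hits = []
        # Root should be dormant; invokedBy marks a service acting on the account's behalf.
        if ident.get("type") == "Root" and "invokedBy" not in ident:
            hits.append("ROOT_ACCOUNT_ACTIVITY")
        if rec.get("eventName") == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_logins[rec.get("sourceIPAddress")] += 1
            elif outcome == "Success" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
                hits.append("CONSOLE_LOGIN_WITHOUT_MFA")
        # Stopping or reconfiguring the trail is a classic defence-evasion step.
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in TRAIL_TAMPER_EVENTS:
            hits.append("CLOUDTRAIL_TAMPERING")
        for rule in hits:
            findings.append({"rule": rule, "time": rec.get("eventTime"),
                             "principal": _principal(rec), "source_ip": rec.get("sourceIPAddress")})
    for ip, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "CONSOLE_LOGIN_BRUTE_FORCE", "time": None,
                             "principal": f"{n} failed logins", "source_ip": ip})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f['rule']:26} {(f['time'] or '-'):21} {f['principal']} from {f['source_ip']}")
```

A trail delivers gzipped JSON objects to S3 whose top-level key is Records; json.load the object and pass that list to detect(). The root rule skips records carrying userIdentity.invokedBy, which CloudTrail sets when an AWS service made the call on the account's behalf, so that only a human or stolen root credential raises the alert.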

AWS Config: Continuously records configuration state of AWS resources. Evaluates resources against compliance rules (e.g. "all S3 buckets must have encryption enabled"). Answers "what did this resource look like at 3pm last Tuesday?" CloudTrail tells you who changed it; Config tells you what changed and whether it was compliant.