Security And Governance Boundary — AWS Cloud Practitioner (CLF-C02)
Detection, prevention, and federation are different problems
IAM handles permission boundaries. GuardDuty handles threat detection. Security Hub aggregates findings across accounts. IAM Identity Center handles multi-account federated access. CLF-C02 questions name a scenario and ask which service applies — the wording cue is threat type or scope. "Centralize security findings" points to Security Hub; "unusual API activity" points to GuardDuty; "single sign-on across accounts" points to IAM Identity Center.
What This Pattern Tests
The exam describes a security requirement and tests which access control layer applies. IAM policies attach to principals (users, roles). Resource policies attach to resources (S3 bucket policies, KMS key policies). SCPs restrict what an entire AWS account can do. Permission boundaries cap what an IAM entity can be granted. The trap is applying EC2-level security group thinking to Lambda (which uses IAM execution roles), or writing an IAM policy when an SCP is needed for account-wide restriction. S3 Block Public Access, VPC endpoint policies, and Organizations tag policies each add another control plane the exam expects you to distinguish.
Decision Axis
Control scope determines the mechanism: principal-level (IAM), resource-level (resource policies), account-level (SCPs), or network-level (security groups, NACLs).
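As an added illustration (not part of the exam guide or any AWS code), a simplified evaluator of the layered model above: the constructed policies, the `is_allowed` helper and its evaluation order are assumptions, and it deliberately omits session policies and cross-account rules. It shows why an identity-policy Allow cannot override an SCP Deny and why a permission boundary caps what the identity policy grants.

```python
from fnmatch import fnmatchcase

def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover this request."""
    acts = statement.get("Action", [])
    acts = [acts] if isinstance(acts, str) else acts
    res = statement.get("Resource", "*")
    res = [res] if isinstance(res, str) else res
    return (any(fnmatchcase(action, a) for a in acts)
            and any(fnmatchcase(resource, r) for r in res))

def _evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    if policy is None:
        return None
    result = None
    for st in policy.get("Statement", []):
        if _matches(st, action, resource):
            if st["Effect"] == "Deny":
                return "Deny"      # an explicit Deny in this policy is final
            result = "Allow"
    return result

def is_allowed(action, resource, *, identity, scp=None, boundary=None,
               resource_policy=None):
    """Simplified layered decision (assumption: mirrors the CLF-C02 mental model,
    not AWS's full evaluation logic). Explicit Deny anywhere wins; the SCP
    (account scope) and the permission boundary (principal cap) can only
    restrict, never grant; the grant must come from the identity or resource
    policy."""
    ident, scp_r, bound_r, res_r = (
        _evaluate(p, action, resource) for p in (identity, scp, boundary, resource_policy))
    if "Deny" in (ident, scp_r, bound_r, res_r):
        return False
    if scp is not None and scp_r != "Allow":
        return False
    if boundary is not None and bound_r != "Allow":
        return False
    return ident == "Allow" or res_r == "Allow"

# Constructed sample policies (not from any real account).
IDENTITY_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_NO_IAM_USERS = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}
BOUNDARY_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bucket/*"}]}
```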
Decision Rules
Determine which detective control satisfies the requirement when the threat vector is credential-based anomalous access: continuous behavioral threat-intelligence monitoring of API and network activity (GuardDuty) or scheduled software-vulnerability scanning of compute resources (Inspector).
Determine whether closing an AWS Organizations member account is a root-user-exclusive action or one that can be delegated to an IAM administrator.
Determine whether the requirement calls for inline traffic filtering at the HTTP layer (perimeter blocking) or passive threat detection, and select the service that can intercept and drop the named exploit before it reaches the origin.
Does the requirement call for continuous active threat detection and behavioral anomaly analysis across live log streams, or for periodic advisory recommendations against static AWS best-practice benchmarks?
Determine whether the compliance need is to retrieve AWS's pre-existing certification documentation (AWS Artifact) or to automate collection of the customer's own resource-level compliance evidence (AWS Audit Manager).
Determine whether the compliance need is to obtain AWS's own regulatory documentation (AWS Artifact) or to continuously evaluate the customer's resource configurations against compliance rules (AWS Config).
Is capturing the customer's own account-level API call history the customer's responsibility to configure (AWS CloudTrail), or does AWS's default monitoring infrastructure (Amazon CloudWatch) already satisfy this audit-trail-integrity requirement?
Determine whether the security requirement calls for passive best-practice advisory (Trusted Advisor, already included in Business Support) or active continuous threat detection (GuardDuty, separate enablement and cost). Trusted Advisor's inclusion in the existing support plan is a pricing-based distractor: it fails on the active-detection dimension.
Does the requirement for active DDoS Response Team engagement and financial cost protections require AWS Shield Advanced rather than the automatically-applied, no-cost AWS Shield Standard tier?
Determine whether the requirement calls for active, continuous aggregation of cross-service security findings with standards-based compliance scoring (Security Hub) or for passive, independent best-practice checks that do not consume findings from other AWS security detection services (Trusted Advisor).