The last domain requires you to have a solid understanding and awareness of how data within AWS can be protected through an encryption mechanism, both at rest and in transit. You will be assessed on services relating to encryption, specifically the Key Management Service (KMS):
- 5.1: Design and implement key management and use: This point requires you to demonstrate your knowledge when it comes to encryption using KMS. You must be aware of when, how, and why this service is used, and which services can benefit from the features it offers.
- 5.2: Troubleshoot key management: Data encryption keys are a powerful tool to help protect your data, but you must understand how you can configure the permissions surrounding these keys and what to look for when troubleshooting issues relating to data encryption and customer master keys.
- 5.3: Design and implement a data encryption solution for data at rest and data in transit: Here, you will be assessed on your understanding of encryption as a whole. You must demonstrate that you have the knowledge to encrypt data in any state using the correct configuration, depending on a set of requirements.
It is of no surprise that the Security Specialty exam will assess your understanding of encryption, which will be centered around two key services, AWS KMS and AWS CloudHSM. The KMS service integrates with many different AWS services to offer a level of encryption, so make sure that you are familiar with all the components of KMS.