Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.3. Reflection Checkpoint

Phase 5 covers the foundational security controls every CloudOps engineer must know: IAM, KMS, GuardDuty, and the supporting services around them. Without a solid grasp of how these controls interact, a security incident becomes a breach, and a breach becomes a regulatory violation. Work through these scenarios to verify you're ready to continue:

  1. An IAM role has AdministratorAccess. The account has an SCP that denies s3:DeleteBucket. Can the role delete an S3 bucket? Why?
  2. What is the purpose of a permission boundary, and does it grant permissions on its own?
  3. When would you use IAM Identity Center instead of creating IAM users in each account?
  4. What is IAM Access Analyzer used for? How does it differ from the IAM Policy Simulator?
  5. RDS encryption must be configured at what point in the database lifecycle, and what is the workaround if you have an unencrypted database that must be encrypted?
  6. ACM public certificates can be installed directly on an EC2 instance running Nginx. True or false? What is the correct approach?
  7. Secrets Manager vs. Parameter Store: which service supports automatic credential rotation, and what does it use to perform the rotation?
  8. GuardDuty detects that an EC2 instance is communicating with a known cryptocurrency mining endpoint. What is your immediate response, and what does GuardDuty actually do to stop this automatically?
  9. What is the difference between Amazon Inspector and Amazon Macie? Give one finding type for each.
  10. Security Hub does not detect threats itself — what is its primary function?
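Questions 1 and 2 both turn on the IAM evaluation order: an explicit deny anywhere wins, SCPs and permission boundaries act only as ceilings, and only an identity-based policy actually grants a permission. The following is an added example written for this checkpoint, not part of the original guide and not AWS's own evaluation code. It is a deliberately simplified Python model of that ordering (it assumes every statement is `Resource "*"`, one SCP per OU level, and ignores resource policies, session policies, `NotAction`, and `Condition` blocks), and the three policy documents it uses are constructed here for illustration.

```python
"""
Simplified model of the IAM policy-evaluation order (added example; this is
not AWS's code). It ignores resource policies, session policies, NotAction,
NotResource and Condition blocks, which is enough to show why an SCP deny
beats AdministratorAccess and why a permission boundary never grants anything
on its own.
"""
from fnmatch import fnmatchcase


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?'.
    # (fnmatchcase also accepts [seq], which IAM does not; not used here.)
    return fnmatchcase(action.lower(), pattern.lower())


def _policy_decision(policy: dict, action: str):
    """Return 'Deny', 'Allow' or None (nothing matched) for one policy document.

    Resource fields are kept in the sample policies for realism but are not
    evaluated (assumption: every statement applies to Resource "*").
    """
    decision = None
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in this policy is final
        decision = "Allow"
    return decision


def evaluate(action: str, identity_policies, scps=(), permission_boundary=None) -> str:
    """Evaluate one API action for a principal.

    identity_policies: policies attached to the user or role.
    scps: the effective SCP for each level of the OU path (assumption: a
          single SCP per level; AWS ORs several SCPs at the same level). An
          empty list means SCPs do not apply (management account, or no
          Organizations).
    permission_boundary: optional managed policy used as the boundary.
    """
    in_scope = list(identity_policies) + list(scps)
    if permission_boundary is not None:
        in_scope.append(permission_boundary)

    # 1. An explicit Deny in any applicable policy wins over everything.
    if any(_policy_decision(p, action) == "Deny" for p in in_scope):
        return "Deny"
    # 2. Every SCP on the path must allow the action (SCPs are a ceiling).
    if scps and not all(_policy_decision(p, action) == "Allow" for p in scps):
        return "Deny"
    # 3. The permission boundary must allow the action (another ceiling).
    if permission_boundary is not None and _policy_decision(permission_boundary, action) != "Allow":
        return "Deny"
    # 4. Only an identity-based policy actually grants the permission.
    if any(_policy_decision(p, action) == "Allow" for p in identity_policies):
        return "Allow"
    return "Deny"  # implicit deny: nothing allowed it


# Constructed sample policy documents (shapes follow the IAM JSON format).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# SCP: FullAWSAccess plus a guardrail that denies bucket deletion.
SCP_NO_BUCKET_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Permission boundary: the principal may never exceed S3 and CloudWatch Logs.
BOUNDARY_S3_LOGS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}],
}


def scenario_q1():
    """Q1: AdministratorAccess role under an SCP that denies s3:DeleteBucket."""
    return {
        "s3:DeleteBucket": evaluate("s3:DeleteBucket", [ADMINISTRATOR_ACCESS], scps=[SCP_NO_BUCKET_DELETE]),
        "s3:PutObject": evaluate("s3:PutObject", [ADMINISTRATOR_ACCESS], scps=[SCP_NO_BUCKET_DELETE]),
    }


def scenario_q2():
    """Q2: a boundary alone grants nothing; with an identity policy it caps it."""
    return {
        "boundary_only": evaluate("s3:ListBucket", [], permission_boundary=BOUNDARY_S3_LOGS),
        "admin_inside_boundary": evaluate("s3:ListBucket", [ADMINISTRATOR_ACCESS], permission_boundary=BOUNDARY_S3_LOGS),
        "admin_outside_boundary": evaluate("ec2:TerminateInstances", [ADMINISTRATOR_ACCESS], permission_boundary=BOUNDARY_S3_LOGS),
    }


if __name__ == "__main__":
    for name, results in (("Q1", scenario_q1()), ("Q2", scenario_q2())):
        for case, verdict in results.items():
            print(f"{name} {case:<24} -> {verdict}")
```

Running it shows `s3:DeleteBucket` denied even for the AdministratorAccess role (step 1), the boundary-only principal denied on everything (step 4), and the admin capped to S3 and Logs by the boundary (step 3). Against a real account, `aws iam simulate-principal-policy` performs the same kind of check and, unlike this model, accounts for resource policies, conditions, and the actual SCPs and boundary attached to the principal.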


Written by Alvin Varughese, Founder (15 professional certifications)