5. Security and Compliance (16%)

Security in AWS is not a feature you turn on — it's a discipline built into every architectural decision. At 16%, this domain is the smallest by weight, but it's among the most consequential: a single misconfigured IAM policy or an unencrypted database can undo everything else you've built correctly. The SOA-C03 tests you as an operator of security controls, not as a designer — you're expected to know how to implement, troubleshoot, and verify security configurations rather than define governance frameworks from scratch.

The two task areas are implementing and managing security tools and policies (Task 4.1 — IAM, multi-account security, Trusted Advisor) and protecting data and infrastructure (Task 4.2 — encryption at rest, encryption in transit, secrets, and security finding services). Expect 8 questions, with a significant proportion involving IAM troubleshooting scenarios and encryption service selection.