1.5. Phase 1 Reflection Checkpoint

Key Takeaways:

1. The SCS-C03 tests your ability to design and troubleshoot security architectures — not memorize service features
2. Defense-in-depth, least privilege, zero trust, and automation are the four principles that answer most exam questions
3. The shared responsibility model defines what YOU must secure (data, identity, encryption) versus what AWS handles
4. AWS global infrastructure provides isolation for compliance (Regions) and resilience (AZs), but security services must be enabled everywhere

Connecting Forward: In Phase 2, you'll apply these principles to the Detection domain — designing monitoring, logging, and alerting solutions that provide continuous visibility across your AWS environment.

Self-Check Questions:

• Can you explain why defense-in-depth is preferred over a single strong control?
• Can you describe three things that are ALWAYS the customer's responsibility, regardless of service type?
• Can you explain why security services must be enabled in ALL Regions, not just your primary Region?