Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7. Security Foundations and Governance (14%)

Governance is the framework that ensures security controls are applied consistently across every account, every Region, and every resource in your organization — not just the ones you're personally watching. Without governance, security depends on individual discipline: one developer might follow best practices while another deploys an unencrypted database in a new account nobody monitors. Think of governance like the building codes for a city: individual homeowners might build safe structures, but building codes ensure every structure meets minimum safety standards regardless of who builds it. What breaks when governance is absent? Shadow IT grows in ungoverned accounts, non-compliant resources proliferate, security service coverage has gaps, and organizational policies exist on paper but are not enforced technically. The SCS-C03 exam renames this domain to "Security Foundations and Governance" and introduces new policy types (resource control policies, or RCPs, and declarative policies) alongside expanded coverage of root user management.

The First Principle is that governance automates the enforcement of security baselines across an entire organization, ensuring that compliance is a technical control — not a human behavior.

Scenario: A 500-account organization discovers that 30% of accounts don't have GuardDuty enabled, 15% have CloudTrail trails delivering to buckets the security team can't access, and 3 accounts have root users with no MFA.
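The scenario above is exactly the kind of gap an organization-wide baseline audit is meant to surface. The following is an added example, not code from the original chapter or from MindMesh Academy: it evaluates a constructed ten-account inventory against the three baseline checks the scenario names (GuardDuty enabled, CloudTrail delivering to a bucket the security team can read, root MFA present) and reports the percentage of accounts that miss each one. The `Account` record and the field names are assumptions; in a real deployment the inventory would be built from AWS Organizations and per-account GuardDuty, CloudTrail and IAM checks, which this offline example does not perform.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical inventory record: one row per member account in the organization.
# In practice these fields would be populated from AWS APIs; here they are constructed.
@dataclass(frozen=True)
class Account:
    account_id: str
    guardduty_enabled: bool                  # GuardDuty detector exists and is enabled
    trail_bucket_accessible_to_security: bool  # security team can read the trail's S3 bucket
    root_mfa_enabled: bool                   # root user has an MFA device registered

# Baseline rules: each maps a finding name to a predicate that is True when the
# account VIOLATES the rule. Adding a rule means adding one entry here.
BASELINE: Dict[str, Callable[[Account], bool]] = {
    "guardduty_disabled": lambda a: not a.guardduty_enabled,
    "trail_bucket_not_accessible": lambda a: not a.trail_bucket_accessible_to_security,
    "root_mfa_missing": lambda a: not a.root_mfa_enabled,
}

# Constructed sample inventory (10 accounts, IDs are placeholders).
SAMPLE_INVENTORY: List[Account] = [
    Account("111111111111", True,  True,  True),
    Account("222222222222", False, True,  True),
    Account("333333333333", True,  False, True),
    Account("444444444444", True,  True,  False),
    Account("555555555555", False, True,  True),
    Account("666666666666", True,  True,  True),
    Account("777777777777", False, False, True),
    Account("888888888888", True,  True,  True),
    Account("999999999999", True,  True,  True),
    Account("101010101010", True,  True,  True),
]


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return, for each baseline rule, the IDs of accounts that violate it."""
    findings: Dict[str, List[str]] = {name: [] for name in BASELINE}
    for acct in accounts:
        for name, violates in BASELINE.items():
            if violates(acct):
                findings[name].append(acct.account_id)
    return findings


def summarize(accounts: List[Account], findings: Dict[str, List[str]]) -> Dict[str, Tuple[int, float]]:
    """Return (count, percentage of all accounts) per rule, the figures a report would show."""
    total = len(accounts)
    if total == 0:
        return {name: (0, 0.0) for name in findings}
    return {name: (len(ids), round(100.0 * len(ids) / total, 1)) for name, ids in findings.items()}


def accounts_with_any_gap(findings: Dict[str, List[str]]) -> List[str]:
    """Deduplicated, sorted list of accounts that fail at least one baseline rule."""
    return sorted({acct_id for ids in findings.values() for acct_id in ids})


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for rule, (count, pct) in summarize(SAMPLE_INVENTORY, results).items():
        print(f"{rule:32s} {count:3d} accounts ({pct}%): {', '.join(results[rule]) or '-'}")
    print("accounts needing remediation:", accounts_with_any_gap(results))
```

Running the example reports that 30% of the sample accounts lack GuardDuty, 20% deliver trails to a bucket the security team cannot read, and 10% have a root user without MFA. The point of the rule table is that each check is a technical control evaluated the same way for every account, which is what turns the reflection question's "organizational guarantee" into something measurable.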

Reflection Question: How does centralized governance transform security from a per-account responsibility into an organizational guarantee?

Written by Alvin Varughese, Founder (15 professional certifications)