## Domain 6: Management and Security Governance

### Task Statement 6.1: Develop a strategy to centrally deploy and manage AWS accounts.

**Knowledge of:**
- 6.1.1 Multi-account strategies
- 6.1.2 Managed services that allow delegated administration
- 6.1.3 Policy-defined guardrails
- 6.1.4 Root account best practices
- 6.1.5 Cross-account roles

**Skills in:**
- 6.1.6 Deploying and configuring AWS Organizations
- 6.1.7 Determining when and how to deploy AWS Control Tower (for example, which services must be deactivated for successful deployment)
- 6.1.8 Implementing SCPs as a technical solution to enforce a policy (for example, limitations on the use of a root account, implementation of controls in AWS Control Tower)
- 6.1.9 Centrally managing security services and aggregating findings (for example, by using delegated administration and AWS Config aggregators)
- 6.1.10 Securing AWS account root user credentials

### Task Statement 6.2: Implement a secure and consistent deployment strategy for cloud resources.

**Knowledge of:**
- 6.2.1 Deployment best practices with infrastructure as code (IaC) (for example, AWS CloudFormation template hardening and drift detection)
- 6.2.2 Best practices for tagging
- 6.2.3 Centralized management, deployment, and versioning of AWS services
- 6.2.4 Visibility and control over AWS infrastructure

**Skills in:**
- 6.2.5 Using CloudFormation to deploy cloud resources consistently and securely
- 6.2.6 Implementing and enforcing multi-account tagging strategies
- 6.2.7 Configuring and deploying portfolios of approved AWS services (for example, by using AWS Service Catalog)
- 6.2.8 Organizing AWS resources into different groups for management
- 6.2.9 Deploying Firewall Manager to enforce policies
- 6.2.10 Securely sharing resources across AWS accounts (for example, by using AWS Resource Access Manager [AWS RAM])

### Task Statement 6.3: Evaluate the compliance of AWS resources.

**Knowledge of:**
- 6.3.1 Data classification by using AWS services
- 6.3.2 How to assess, audit, and evaluate the configurations of AWS resources (for example, by using AWS Config)

**Skills in:**
- 6.3.3 Identifying sensitive data by using Macie
- 6.3.4 Creating AWS Config rules for detection of noncompliant AWS resources
- 6.3.5 Collecting and organizing evidence by using Security Hub and AWS Audit Manager

### Task Statement 6.4: Identify security gaps through architectural reviews and cost analysis.

**Knowledge of:**
- 6.4.1 AWS cost and usage for anomaly identification
- 6.4.2 Strategies to reduce attack surfaces
- 6.4.3 AWS Well-Architected Framework

**Skills in:**
- 6.4.4 Identifying anomalies based on resource utilization and trends
- 6.4.5 Identifying unused resources by using AWS services and tools (for example, AWS Trusted Advisor, AWS Cost Explorer)
- 6.4.6 Using the AWS Well-Architected Tool to identify security gaps