The final part of Domain 1 covers encryption, secrets management, and VPC networking — how to protect data at rest and in transit, and how to architect a secure network in AWS.

Part 2 covers the security services that protect, detect, and audit your AWS environment — WAF, Shield, GuardDuty, Inspector, Macie, and the IAM tools that keep your permissions in check.

Domain 1 of the SAA-C03 covers secure architectures — and it starts with identity. Here’s everything I’ve learned about IAM, STS, Cognito, Organizations, and how AWS decides who gets to do what.