AWS data security controls: what CTOs need to know for 2026
The AWS Solutions Architect Associate exam (SAA-C03) isn't just certification prep; it's a blueprint for enterprise data security. Domain 1 carries 30% of the exam weight because data security controls remain the hardest part to get right in production.
What matters in practice
Data security starts with classification: public, internal, confidential, regulated (PII/PHI/PCI). From there, you're making three core decisions: who accesses it (IAM policies, resource policies), how it's encrypted (at rest via KMS, in transit via ACM/TLS), and how you recover it (backups, replication, RPO/RTO targets).
The difference between S3 bucket policies and object ACLs trips up even experienced architects. Bucket policies control access at the bucket level, object ACLs at the object level. For most enterprise use cases, bucket policies win because they're easier to audit and enforce centrally. Object ACLs persist for legacy reasons.
KMS vs Secrets Manager: know when to use which
KMS manages encryption keys. Secrets Manager rotates credentials. They're not interchangeable. If you're encrypting RDS data at rest, that's KMS. If you're rotating the database password your app uses, that's Secrets Manager. The exam tests this distinction because production teams conflate them.
The distinction between security groups (stateful, instance-level) and NACLs (stateless, subnet-level) is another common gap. Security groups are where most filtering happens. NACLs add a second layer when you need explicit deny rules or subnet-wide controls.
Cross-account access: IAM policy conditions matter
Multi-account setups are standard now. IAM policy conditions let you enforce cross-account access rules (require MFA, restrict by source IP, limit to specific VPCs). The condition keys make or break least-privilege designs. Without them, you're granting broader access than needed.
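As an added example (not exam material or AWS tooling), here is a small audit that flags cross-account Allow statements carrying none of the scoping condition keys mentioned above. The bucket policy, account IDs and bucket name are constructed placeholders, and the set of keys counted as "scoping" is an assumption of this check.

```python
import json

HOME_ACCOUNT = "111111111111"  # assumption: the account that owns the bucket
# Global condition keys that scope a cross-account grant (all exist in AWS IAM).
SCOPING_KEYS = {
    "aws:MultiFactorAuthPresent",       # require MFA on the calling session
    "aws:SourceIp",                     # restrict by caller IP range
    "aws:SourceVpc", "aws:SourceVpce",  # limit to a VPC or VPC endpoint
    "aws:PrincipalOrgID",               # limit to principals in your org
}

# Constructed sample bucket policy: account IDs and bucket name are placeholders.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Weak", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Scoped", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/Analyst"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                   "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}""")


def principal_accounts(principal):
    """Account IDs named in a Principal element ('*' for anonymous access)."""
    if principal == "*":
        return {"*"}
    arns = principal.get("AWS", []) if isinstance(principal, dict) else []
    arns = [arns] if isinstance(arns, str) else arns
    # ARNs carry the account in field 4; a bare 12-digit ID or "*" is kept as-is.
    return {a.split(":")[4] if a.count(":") >= 4 else a for a in arns}


def unscoped_cross_account(policy, home=HOME_ACCOUNT):
    """Sids of Allow statements reaching outside `home` with no scoping key."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not (principal_accounts(st.get("Principal", {})) - {home}):
            continue  # same-account grant only
        keys = {k for ops in st.get("Condition", {}).values() for k in ops}
        if not keys & SCOPING_KEYS:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings
```

Running `unscoped_cross_account(POLICY)` returns `['Weak']`: the `root`-principal grant with no condition is the one that hands account 222222222222 broader access than a least-privilege design intends.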
DataSync encryption for migrations
DataSync handles large-scale S3 migrations with TLS encryption in transit. Exam question 483 on ExamTopics tests whether candidates know DataSync enforces TLS by default versus S3 Transfer Acceleration (which doesn't encrypt, just speeds up transfers). For regulated data migrations, DataSync is the right tool.
Certificate Manager versus self-signed certificates
ACM automates certificate provisioning and renewal for ALBs, CloudFront, API Gateway. Self-signed certificates require manual rotation and don't integrate with AWS services. Unless you have a specific FIPS or HSM requirement, ACM saves operational overhead. Question 744 on ExamTopics digs into this trade-off.
What skeptics get right
Critics argue AWS-native tools lock you in. Fair point. Hybrid setups using Active Directory SAML or third-party HSMs offer more control for strict compliance regimes. AWS Audit Manager automates evidence collection, but manual gaps persist. Auditors still find issues in multi-account deployments where Config rules aren't consistent.
The real test
The SAA-C03 exam costs $150 and takes 130 minutes. The real test is whether your team can implement these controls in production without breaking existing workflows. That's where most designs fail, not in the exam room.