Domains 3 (Infrastructure Security, ~20%) and 4 (IAM, ~16%) are the highest-scoring bundle in exams. Their relationship is clear: Domain 3 controls "where can you reach (network path)" while Domain 4 controls "what can you do (permission)". Specialty answers almost always demand "block at network boundary, then block again at IAM with least privilege" — dual control. Today we bind these two dimensions into one access control model.
| Control | Stateful | Unit | Key Features |
|---|---|---|---|
| Security Group | stateful | ENI/instance | Allow rules only. Auto-allow responses |
| NACL | stateless | Subnet | Allow+deny |