AWS SAA-C03 Study Guide: Chapter 2 – IAM
AWS CERTIFIED SOLUTIONS ARCHITECT – ASSOCIATE

Chapter 2: Identity & Access Management (IAM)

“Forge Your AWS Security Fortress”

The IAM Champions (Infographic)

  • 👤 Users: Permanent residents. Individuals or apps requiring long-term access via credentials.
  • 👥 Groups: Collections of users. Apply policies to the group to manage permissions at scale.
  • 🎭 Roles: Temporary “hats” worn by users or services. No long-term credentials. Uses STS.
  • 📜 Policies: JSON blueprints defining “who” can do “what” to “which” resource.

1. Authentication vs. Authorization

Understanding the difference is critical for the SAA-C03 exam.

Authentication (AuthN)

“Who are you?”

  • Verifies Identity.
  • Methods: Username/Password, MFA, Access Keys.
  • Analogy: Showing your ID badge at the castle gate.

Authorization (AuthZ)

“What can you do?”

  • Checks Permissions.
  • Methods: IAM Policies (JSON).
  • Analogy: A permission slip saying you can enter the Armory.

2. IAM Policy Blueprint (JSON)

AWS evaluates policies in a fixed order of precedence: an explicit Deny always wins, then an explicit Allow, and anything not explicitly allowed falls to the default (implicit) Deny.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-secure-vault"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*log*"
    }
  ]
}

  • Effect: Allow or Deny.
  • Action: Specific API calls (e.g., s3:PutObject).
  • Resource: The ARN (Amazon Resource Name) of the target.
  • Condition: (Optional) The circumstances under which the statement applies (e.g., a source IP range).
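To make the precedence rule concrete, here is an added example (not from the study guide or from AWS) that runs a request against the chapter's policy with a simplified version of IAM's evaluation logic. The policy is a constructed sample: the two statements above plus a third with an IpAddress Condition, and only that one condition operator is modelled.

```python
import fnmatch
import ipaddress

# Constructed sample policy: the chapter's two statements plus a third that adds the
# IP-range Condition the text mentions (an assumption for illustration, not AWS's own code).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListVault", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-secure-vault"},
    {"Sid": "DenyLogBuckets", "Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::*log*"},
    {"Sid": "AllowPutFromOffice", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-secure-vault/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns, fold_case=False):
    # IAM wildcards (* and ?) map onto fnmatch; actions are case-insensitive, ARNs are not.
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _conditions_met(statement, context):
    # Only the IpAddress operator is modelled; a missing context key fails the condition.
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, ranges in pairs.items():
            if key not in context:
                return False
            ip = ipaddress.ip_address(context[key])
            if not any(ip in ipaddress.ip_network(r) for r in _as_list(ranges)):
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Simplified IAM logic: explicit Deny > explicit Allow > implicit (default) Deny."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(action, _as_list(st["Action"]), fold_case=True)
                and _matches(resource, _as_list(st["Resource"]))
                and _conditions_met(st, context or {})):
            continue  # statement does not apply to this request
        if st["Effect"] == "Deny":
            return "ExplicitDeny"  # one matching Deny overrides every Allow
        decision = "Allow"
    return decision
```

Try `evaluate(POLICY, "s3:PutObject", "arn:aws:s3:::my-secure-vault/logs/a.txt", {"aws:SourceIp": "203.0.113.9"})`: the Allow matches, but the key contains "log", so the Deny wins.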

3. Security Must-Haves

🛡️ The Principle of Least Privilege

Grant users only the minimum permissions necessary to perform their tasks. A junior dev shouldn’t have production access.

🔐 Multi-Factor Authentication (MFA)

The “Royal Guard Dog.” Always enforce MFA for the Root User and privileged IAM users. AWS supports virtual MFA (TOTP) and hardware keys (FIDO).

👁️ CloudTrail: The All-Seeing Eye

Logs every API call in your account. If a breach occurs, CloudTrail tells you who, what, where, and when.

4. Advanced Access Strategies

Feature             | Use Case                                   | Key Benefit
STS                 | Temporary access for apps/users.           | Credentials self-destruct (expire).
IAM Identity Center | Large organizations with Active Directory. | Single Sign-On (SSO) for multiple accounts.
SAML 2.0            | Federating a corporate IdP to AWS.         | No need to create individual IAM users.
Amazon Cognito      | Mobile/web app user sign-in.               | Scales to millions of external users (OIDC).

5. Cross-Account Access

How to share resources between AWS Account A and Account B:

  • Resource-Based Policies: Directly attach a policy to the resource (S3 Buckets, SNS, SQS). User stays in their own account.
  • Cross-Account Roles: User in Account A “assumes” a role in Account B. They temporarily give up their Account A permissions to act in Account B.

Exam Tip: Always choose Roles over Access Keys for EC2 instances and Lambda functions to avoid credential leakage!
