Task Statement 1.1: Design secure access to AWS resources.
📘AWS Certified Solutions Architect – (SAA-C03)
AWS provides a wide range of services and tools to secure your cloud environment. Security is not just a feature—it’s a responsibility. As an AWS architect, you must design access in a way that protects resources, limits risk, and follows best practices.
1. Principle of Least Privilege
The principle of least privilege is one of the most important AWS security best practices.
Definition:
Users, applications, and services should be given only the permissions they need to perform their tasks—and nothing more.
This reduces risk if credentials are compromised or if a user accidentally does something they shouldn’t.
Key points to understand for the exam:
- Users should not have full admin access unless absolutely necessary.
- Access should be specific to actions and resources.
- Permissions should be temporary when possible (e.g., using AWS STS).
Example in IT context:
- A developer working on an S3 bucket should only be able to read and write to that bucket, not delete other S3 buckets or manage IAM users.
- An EC2 instance running a web application should have access only to the databases and S3 buckets it needs, not the entire AWS account.
2. AWS Identity and Access Management (IAM) Best Practices
IAM is the main service for controlling access in AWS. Following IAM best practices ensures security:
- Use IAM Users, Groups, and Roles properly
  - Users: Individual people or services.
  - Groups: Collections of users with similar access.
  - Roles: Temporary permissions for users or services (like EC2 or Lambda).
- Enable MFA (Multi-Factor Authentication)
  - MFA adds an extra layer of security.
  - Even if a password is stolen, the attacker cannot access resources without the MFA code.
- Use IAM Roles instead of long-term credentials
  - For applications running on EC2, Lambda, or ECS, use roles with temporary credentials.
  - This avoids storing sensitive credentials in code.
- Avoid using the root account for daily tasks
  - The AWS root account has unlimited access.
  - Only use it for account setup, billing, or critical security changes.
- Use Managed Policies and Custom Policies carefully
  - AWS provides managed policies (predefined by AWS) for common roles like ReadOnlyAccess or AdministratorAccess.
  - Custom policies allow fine-grained control, which is critical for applying least privilege.
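The MFA and long-term-credential points above are things you can check directly from the IAM credential report. The script below is an added example written for this guide, not AWS code: it parses a constructed report (the column names mirror the real report from `aws iam get-credential-report`, but the rows, account id and users are made up) and flags console users without MFA, any access key on the root account, and keys older than an assumed 90-day rotation threshold.

```python
"""Audit a constructed IAM credential report for missing MFA and stale access keys.

Added example for this study guide; not AWS code. The CSV below is constructed
to mirror the column names of the real IAM credential report, trimmed to the
columns used here. Account id, users and dates are made up.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (subset of the real columns; values are invented).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,false,true,2023-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-20T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2024-06-01T00:00:00+00:00,true,2023-11-15T00:00:00+00:00
"""

# Assumed rotation policy (not an AWS default): keys older than 90 days must be rotated.
MAX_KEY_AGE = timedelta(days=90)
# Fixed "now" so the example is deterministic; a real audit uses datetime.now(timezone.utc).
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_report(text):
    """Read the CSV report into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def key_age(rotated, now=NOW):
    """Age of a key from its last_rotated timestamp, or None if the field is unset."""
    if rotated in ("N/A", "not_supported", ""):
        return None
    return now - datetime.fromisoformat(rotated)


def audit_user(row, now=NOW):
    """Return a list of finding strings for one report row."""
    findings = []
    user = row["user"]
    is_root = user == "<root_account>"
    # Console users (password enabled) without MFA; on root this is critical.
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings.append(("CRITICAL" if is_root else "HIGH") + ": console login without MFA")
    for slot in ("1", "2"):
        if row[f"access_key_{slot}_active"] != "true":
            continue
        # Root should not have long-term access keys at all.
        if is_root:
            findings.append(f"CRITICAL: root account has active access key {slot}")
        age = key_age(row[f"access_key_{slot}_last_rotated"], now)
        if age is not None and age > MAX_KEY_AGE:
            findings.append(f"MEDIUM: access key {slot} is {age.days} days old (rotate)")
    return findings


def audit_report(text, now=NOW):
    """Map each user to its findings; users with no findings are omitted."""
    result = {}
    for row in parse_report(text):
        findings = audit_user(row, now)
        if findings:
            result[row["user"]] = findings
    return result


if __name__ == "__main__":
    for user, findings in audit_report(SAMPLE_REPORT).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

On the sample data, `alice` (MFA on, key rotated 41 days ago) produces nothing, while the root row, `bob` (console user without MFA) and `ci-deploy` (a 229-day-old second key) are reported.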
3. Additional Security Best Practices
- Enable CloudTrail and Logging
  - CloudTrail tracks who did what and when.
  - Helps audit activity and detect unauthorized access.
- Use AWS Organizations for multi-account setups
  - Separate production, development, and test accounts.
  - Apply centralized security controls using Service Control Policies (SCPs).
- Use AWS Key Management Service (KMS) for encryption
  - Encrypt sensitive data at rest and in transit.
  - Control access to encryption keys using IAM policies.
- Rotate credentials regularly
  - Change passwords, access keys, and certificates periodically.
  - Reduces the risk of old credentials being exploited.
- Monitor and respond to suspicious activity
  - Amazon GuardDuty detects threats in real time.
  - Combine with CloudWatch for automated alerts.
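To make the CloudTrail and monitoring points concrete, here is an added example (written for this guide, not AWS code) that triages a handful of constructed CloudTrail records. The field names (`eventName`, `userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are the real CloudTrail ones; the account id, users, IP addresses and trail name are invented. It flags root-user activity, successful console logins without MFA, calls that switch logging off, and policy attachments that hand out administrator rights, which is the kind of rule you would feed CloudWatch alarms from.

```python
"""Triage constructed CloudTrail events for root usage, MFA-less logins and logging tampering.

Added example for this study guide, not AWS code. The events below are
constructed by hand but use real CloudTrail field names.
"""
import json

SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2024-07-01T09:12:44Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "sourceIPAddress": "198.51.100.23",
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-07-01T09:30:02Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
  "sourceIPAddress": "203.0.113.5",
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2024-07-01T10:05:17Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "203.0.113.9",
  "requestParameters": {"name": "management-trail"}},
 {"eventTime": "2024-07-01T10:06:40Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "203.0.113.9",
  "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2024-07-01T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/web-app-role/i-0abc"},
  "sourceIPAddress": "10.0.1.25"}
]
""")

# Management calls that reduce visibility or hand out more access; each deserves an alert.
TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PRIVILEGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                    "CreateAccessKey", "CreateLoginProfile"}


def actor(event):
    """Best-effort human-readable principal for an event."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def triage_event(event):
    """Return (severity, reason) tuples for one CloudTrail record; empty if nothing is wrong."""
    findings = []
    name = event.get("eventName")
    ident = event.get("userIdentity", {})
    # Root activity should be rare and always reviewed (guide: avoid root for daily tasks).
    if ident.get("type") == "Root":
        findings.append(("HIGH", "root account activity"))
    # A successful console login where MFA was not used.
    if name == "ConsoleLogin":
        success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if success and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("HIGH", "console login without MFA"))
    if name in TAMPERING_EVENTS:
        findings.append(("CRITICAL", f"CloudTrail tampering: {name}"))
    if name in PRIVILEGE_EVENTS:
        policy = event.get("requestParameters", {}).get("policyArn", "")
        severity = "CRITICAL" if policy.endswith("/AdministratorAccess") else "MEDIUM"
        findings.append((severity, f"privilege change: {name} {policy}".rstrip()))
    return findings


def triage(events):
    """Flatten findings into alert dicts ordered by event time."""
    alerts = []
    for ev in events:
        for severity, reason in triage_event(ev):
            alerts.append({"time": ev["eventTime"], "severity": severity, "actor": actor(ev),
                           "source_ip": ev.get("sourceIPAddress"), "reason": reason})
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["severity"]:8} {a["actor"]:40} {a["reason"]}')
```

The two quiet records (alice's MFA login and the application role reading S3) produce no alert; the root login produces two, and bob's `StopLogging` followed by attaching `AdministratorAccess` is exactly the sequence CloudTrail exists to catch.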
4. How the Principle of Least Privilege is Applied in IT
- S3 Bucket Access: Developers get s3:GetObject and s3:PutObject, but not s3:DeleteBucket.
- EC2 Management: DevOps engineers get start/stop/reboot permissions, but not full IAM permissions.
- Database Access: Applications access only their own database schemas, not the entire cluster.
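The S3 developer scenario above (and in section 1), together with the managed-versus-custom policy point in section 2, comes down to how IAM decides Allow or Deny. The block below is an added example written for this guide, not AWS's evaluation engine: a minimal evaluator for identity-based policies that applies the order the exam tests (explicit Deny beats any Allow; no matching Allow means implicit Deny) with IAM-style `*` wildcards. The bucket name `app-bucket` is a placeholder. `ADMIN_POLICY` has the same shape as the AWS-managed `AdministratorAccess` policy (a single Allow of `*` on `*`); conditions, resource policies, SCPs and permission boundaries are deliberately out of scope.

```python
"""Minimal IAM policy evaluator for identity-based policies.

Added example for this study guide; it is not AWS's evaluation engine.
Decision order: any matching explicit Deny -> "ExplicitDeny";
otherwise a matching Allow -> "Allow"; otherwise "ImplicitDeny".
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, case_insensitive=False):
    """Wildcard match (* and ?). Action names are case-insensitive in IAM; ARNs are not."""
    for pattern in _as_list(patterns):
        p, t = (pattern.lower(), target.lower()) if case_insensitive else (pattern, target)
        if fnmatchcase(t, p):
            return True
    return False


def evaluate(policies, action, resource):
    """Decide one request (action on resource) against one or more policy documents."""
    allowed = False
    for policy in _as_list(policies):
        for stmt in _as_list(policy["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource are not handled in this example")
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # explicit deny wins regardless of any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Least-privilege custom policy for the developer: object read/write in one bucket only.
# "app-bucket" is a placeholder name.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-bucket"},
    ],
}

# Same shape as the AWS-managed AdministratorAccess policy: everything, everywhere.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

# A guardrail attached alongside a broad policy: explicit deny on bucket deletion.
NO_BUCKET_DELETE = {"Version": "2012-10-17",
                    "Statement": {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}}


def allowed_actions(policies, actions, resource):
    """Which of the given actions the policies permit on a resource (a quick privilege audit)."""
    return [a for a in actions if evaluate(policies, a, resource) == "Allow"]


if __name__ == "__main__":
    checks = [
        (DEVELOPER_POLICY, "s3:GetObject", "arn:aws:s3:::app-bucket/reports/q1.csv"),
        (DEVELOPER_POLICY, "s3:DeleteBucket", "arn:aws:s3:::app-bucket"),
        (DEVELOPER_POLICY, "s3:PutObject", "arn:aws:s3:::other-bucket/notes.txt"),
        (ADMIN_POLICY, "s3:DeleteBucket", "arn:aws:s3:::app-bucket"),
        ([ADMIN_POLICY, NO_BUCKET_DELETE], "s3:DeleteBucket", "arn:aws:s3:::app-bucket"),
    ]
    for policies, action, resource in checks:
        print(f"{action:16} {resource:45} {evaluate(policies, action, resource)}")
```

The developer policy allows `s3:GetObject` on objects in `app-bucket` but yields an implicit deny for `s3:DeleteBucket`, for writes to any other bucket, and for every IAM action, which is the least-privilege outcome the exam wants. The `ADMIN_POLICY` case shows why a managed policy of `*` on `*` is not least privilege, and pairing it with `NO_BUCKET_DELETE` shows an explicit Deny overriding that Allow.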
Why it matters for the exam:
AWS expects you to design secure access using least privilege. Exam scenarios often describe a user or service performing a task and ask how to grant the minimum permissions necessary. Any answer that grants more access than the task needs is considered insecure.
5. Exam Tips for Task Statement 1.1
- Remember the principle of least privilege → It’s the core AWS security best practice.
- Know IAM roles, users, groups, policies, and MFA → These are tested heavily.
- Understand temporary credentials and role assumptions → AWS STS (Security Token Service) is key.
- Enable logging and monitoring → CloudTrail, GuardDuty, and CloudWatch are your friends.
- Separate accounts for isolation → Production vs. dev/test.
✅ Summary Table for Students
| Security Area | Best Practice | Exam Focus |
|---|---|---|
| IAM Users & Groups | Only give necessary permissions | Least privilege |
| IAM Roles | Use for EC2, Lambda, etc. | Temporary access |
| MFA | Enable for all users | Extra security layer |
| Root Account | Avoid daily use | Only for critical tasks |
| Logging | CloudTrail, CloudWatch | Audit & detect changes |
| Multi-account | AWS Organizations & SCPs | Isolate environments |
| Encryption | KMS for sensitive data | Control key access |
| Credentials | Rotate regularly | Reduce risk of compromise |
