Task Statement 1.1: Design secure access to AWS resources.
📘AWS Certified Solutions Architect – (SAA-C03)
AWS Secure Access: IAM Users, Root Users, and MFA
When you work with AWS, controlling who can do what is one of the most important things. This is called Identity and Access Management (IAM). AWS provides tools to make access secure, including IAM users, groups, policies, roles, and multi-factor authentication (MFA).
1. Root User vs. IAM Users
Root User
- The root user is the original account created when you first sign up for AWS.
- It has full access to everything in your AWS account — no restrictions.
- Security best practice:
- Never use the root user for daily tasks.
- Enable MFA on the root user immediately.
- Use the root user only for account and billing management or special tasks that require full access.
IAM Users
- IAM (Identity and Access Management) users are individual accounts you create for team members or applications.
- Each IAM user can have permissions tailored to their role.
- You can assign users to groups with shared permissions.
- IAM users are safer than using the root user because permissions are limited.
2. IAM Best Practices
When designing secure access for AWS, follow these key IAM best practices:
- Avoid using root user for daily tasks.
- Use groups to assign permissions, not individual users directly.
- Example: Developers get the “Developer” group with only developer permissions.
- Grant least privilege — give users only the permissions they need to do their job.
- Rotate security credentials regularly, such as passwords and access keys.
- Use strong password policies for IAM users.
- Minimum length, required characters, password expiration.
- Monitor IAM activity using AWS CloudTrail.
- Logs show who did what, helping detect unauthorized access.
3. Multi-Factor Authentication (MFA)
MFA adds a second layer of security to AWS accounts.
Even if someone steals your password, they cannot access the account without the MFA code.
How MFA works:
- You enter your password (first factor).
- You enter a code from a physical device or smartphone app (second factor).
Types of MFA in AWS:
- Virtual MFA: Smartphone apps like Google Authenticator or AWS MFA app.
- Hardware MFA: Physical device generating codes.
MFA Best Practices:
- Enable MFA on root user — mandatory for exam scenarios.
- Enable MFA on IAM users with privileged access (admins, developers with wide permissions).
- Use virtual MFA for convenience; hardware MFA for extra security.
4. Example Exam Scenario
The exam often asks questions like:
“You are setting up an AWS account. How can you follow security best practices for IAM and root users?”
Correct approach:
- Enable MFA on root user. ✅
- Create IAM users for everyone else. ✅
- Assign users to groups and apply the least privilege principle. ✅
- Avoid using root user for day-to-day tasks. ✅
5. Key Terms You Must Know for the Exam
| Term | Explanation |
|---|---|
| Root user | Original AWS account user; has full access. |
| IAM user | Individual user created to access AWS resources with specific permissions. |
| Group | Collection of IAM users sharing the same permissions. |
| Policy | Rules defining what a user or group can do in AWS. |
| MFA (Multi-Factor Authentication) | Adds an extra verification step for stronger security. |
| Least privilege | Give only the permissions necessary, nothing more. |
✅ Summary / Exam Tips
- Never use root user for daily tasks.
- Enable MFA on root and privileged IAM users.
- Use IAM users, groups, and policies to control access.
- Follow least privilege principle.
- Monitor activity with CloudTrail.
By remembering these points, you can answer any question on AWS secure access, IAM, root users, and MFA correctly on the exam.
