Task Statement 1.1: Design secure access to AWS resources.
📘AWS Certified Solutions Architect – (SAA-C03)
1. What is Role-Based Access Control (RBAC)?
Role-Based Access Control (RBAC) is a way to control who can do what in AWS based on roles rather than individual users.
- Users are people, applications, or services that need access.
- Roles are sets of permissions (policies) that define what actions are allowed.
RBAC simplifies permission management by grouping permissions into roles instead of assigning them to each user individually.
Example in AWS:
- You can create a role called S3ReadOnlyRole that allows read-only access to S3 buckets.
- Any user or service that needs read-only access can assume this role, instead of giving each user direct S3 permissions.
2. Key AWS Components for RBAC
- IAM Users
  - Represents a person or service in your AWS account.
  - Users are assigned permissions directly or through roles.
  - Example: Alice is an IAM user.
- IAM Roles
  - A role is not a person; it’s a set of permissions that users or services can assume temporarily.
  - Roles can be assumed by:
    - IAM users in the same account
    - IAM users in another account (cross-account access)
    - AWS services (like EC2 or Lambda)
- Policies
  - Policies are JSON documents that define permissions (what actions are allowed or denied).
  - Example: Allow s3:GetObject means the role can read objects from S3.
  - Policies can be inline (attached directly to a role) or managed (reusable across multiple roles).
- AWS Security Token Service (AWS STS)
  - STS is a service that provides temporary security credentials to assume roles.
  - Credentials are time-limited, reducing the risk if compromised.
3. How Role-Based Access Control Works in AWS
Here’s the workflow:
- A user or service wants to perform an action in AWS.
- Instead of giving the user direct permissions, the user assumes a role.
- AWS STS provides temporary credentials for the role.
- The user performs the allowed actions using these credentials.
Benefits:
- Reduces the need to give permanent credentials.
- Enforces the principle of least privilege (only give what’s necessary).
- Easy to audit and manage access.
4. Role Switching
- AWS allows role switching, where an IAM user can temporarily use a role.
- This is helpful when:
  - A user has their regular account permissions, but needs elevated permissions for a short time.
  - A user needs to access resources in another AWS account.
Example:
- User Alice in Account A wants to manage EC2 instances in Account B.
- She switches to a role in Account B that has EC2 permissions.
- She receives temporary credentials to perform those actions.
Important Exam Point:
- Role switching uses AWS STS temporary credentials.
- Credentials have a limited lifespan, usually between 15 minutes and 1 hour (can extend up to 12 hours).
5. Cross-Account Access
- Cross-account access is giving users or services in one AWS account permission to access resources in another AWS account.
- Achieved by:
  - Creating a role in Account B with permissions for resources in Account B.
  - Trusting Account A (specifying which users or roles from Account A can assume this role).
  - Users in Account A assume the role in Account B via AWS STS.
Example for exam clarity:
- Account A has a DevOps team; Account B has production S3 buckets.
- The DevOps team assumes a role in Account B to deploy files to production, without being given permanent permissions in Account B.
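The role-switching and cross-account pattern from sections 4 and 5, written out as an added example (not from the original notes): the trust policy on the Account B role, the least-privilege permissions policy beside it, and a simplified check of which callers the trust policy admits and whether a requested session length fits the STS limits. Account IDs, role names and the bucket name are placeholders, and the evaluation covers only the Allow/Deny and Principal logic of a trust policy, not full IAM evaluation.

```python
# Added example (not from the original notes): a cross-account role in Account B
# trusted by a role in Account A, plus a minimal check of who the trust policy admits.
# Account IDs, role names and the bucket name are made-up placeholders.
ACCOUNT_A = "111111111111"   # the DevOps team lives here; the role below lives in Account B

# Trust policy on the role in Account B: only the DevOps role in Account A may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_A}:role/DevOpsDeploy"]},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy on the same role: least privilege, one bucket, two actions.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::prod-deploy-bucket/*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(trusted, caller_arn):
    """'arn:aws:iam::<acct>:root' trusts every principal in <acct>; otherwise exact ARN match."""
    if trusted.endswith(":root"):
        return caller_arn.split(":")[4] == trusted.split(":")[4]
    return trusted == caller_arn

def can_assume_role(trust_policy, caller_arn):
    """Simplified trust-policy evaluation: an explicit Deny wins, otherwise any Allow grants."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if any(_principal_matches(p, caller_arn) for p in principals):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def valid_session_duration(seconds):
    """STS temporary credentials last between 15 minutes (900 s) and 12 hours (43200 s)."""
    return 900 <= seconds <= 43200
```

Trusting an account's root ARN delegates the decision to that account's own IAM policies, which is why the narrower role ARN is the safer default for production roles.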
6. Best Practices for RBAC in AWS
- Use Roles, Not Root Account
  - Never use the root account for daily tasks. Create IAM users and grant access through roles.
- Follow the Principle of Least Privilege
  - Give users and roles only the permissions they need.
  - Example: Read-only S3 access for reporting users.
- Use Temporary Credentials
  - Always use AWS STS to grant temporary access when possible.
- Audit and Monitor Roles
  - Enable AWS CloudTrail to track role usage.
  - Review permissions periodically.
- Separate Environments by Account
  - Use separate accounts for dev, test, and production, and allow cross-account access through roles.
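The "Audit and Monitor Roles" practice above, as an added example (not from the original notes): CloudTrail records every sts:AssumeRole call, so a short script can list which principals used which roles and single out the cross-account assumptions for review. The three events below are constructed samples with placeholder account IDs; the field names (eventSource, eventName, userIdentity, requestParameters) are the ones CloudTrail uses.

```python
# Added example (not from the original notes): reading CloudTrail AssumeRole records
# to list which principals used which roles and to flag the cross-account ones.
# The events below are constructed samples with placeholder account IDs, not real logs.
from collections import Counter

SAMPLE_EVENTS = [
    {   # same-account role switch by an IAM user
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/Alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/EC2Admin",
                              "roleSessionName": "alice", "durationSeconds": 3600},
    },
    {   # cross-account: the DevOps role in Account A assumes the deploy role in Account B
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/DevOpsDeploy/ci"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/ProdDeploy",
                              "roleSessionName": "ci", "durationSeconds": 43200},
    },
    {   # an ordinary S3 call: not a role assumption, must be ignored
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/Alice"},
        "requestParameters": {"bucketName": "prod-deploy-bucket"},
    },
]

def account_of(arn):
    return arn.split(":")[4]   # the account ID is the fifth colon-separated ARN field

def assume_role_events(events):
    """Keep only STS AssumeRole calls; everything else is not a role assumption."""
    return [e for e in events
            if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "AssumeRole"]

def cross_account_assumptions(events):
    """(caller ARN, role ARN, duration) for assumptions that cross an account boundary."""
    out = []
    for e in assume_role_events(events):
        role = e["requestParameters"]["roleArn"]
        if account_of(role) != e["userIdentity"]["accountId"]:
            out.append((e["userIdentity"]["arn"], role,
                        e["requestParameters"].get("durationSeconds", 3600)))
    return out

def role_usage_counts(events):
    """How often each role was assumed: a baseline for periodic permission reviews."""
    return Counter(e["requestParameters"]["roleArn"] for e in assume_role_events(events))
```

Roles that never appear in the counts over a review period are candidates for removal, which is the periodic review the best practice calls for.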
7. Exam Tips for Role-Based Access Control
- Questions often ask you to choose secure access patterns:
  - Use IAM roles for services, temporary credentials, cross-account access.
- Look for temporary permissions vs permanent credentials:
  - AWS STS → temporary credentials → more secure than IAM user permanent keys.
- Know role trust policies:
  - Trust policies define who can assume the role.
- Understand role vs user vs group:
  - User → individual person/service
  - Group → collection of users (for easy permission assignment)
  - Role → temporary set of permissions assumed by a user or service
✅ Key AWS Terms to Remember
| Term | Definition |
|---|---|
| IAM User | Represents a person/service, permanent credentials |
| IAM Role | Temporary permissions, can be assumed by users/services |
| Policy | JSON document defining permissions |
| AWS STS | Provides temporary credentials for a role |
| Role Switching | Users temporarily assume a role to perform actions |
| Cross-Account Access | Allows users/services from one account to access another account |
By mastering this, you can design a secure access strategy in AWS, which is a core part of Task 1.1 in the exam. Focus on roles, STS, temporary credentials, role switching, and cross-account access.
