Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
1. Introduction
For the SAA-C03 exam, you must understand how to control who can access data, how long data is stored, and how data is protected in AWS.
In AWS, data security is not only about encryption. It also includes:
- Controlling access (who can read, write, delete)
- Managing data lifecycle (when to archive or delete data)
- Protecting data (backup, versioning, replication, monitoring)
As a Solutions Architect, you must know which AWS service or policy to use in each situation.
2. Implementing Policies for Data Access
Data access policies define who can access what data and what actions they can perform.
2.1 IAM Policies
The main service used for access control is:
- AWS Identity and Access Management
IAM allows you to create:
- Users
- Groups
- Roles
- Policies
Key Concepts for the Exam
1. Identity-Based Policies
Attached to:
- IAM users
- IAM groups
- IAM roles
They define:
- Which actions are allowed or denied
- On which resources
- Under what conditions
Example IT scenario:
- A developer can read objects from S3 but cannot delete them.
2. Resource-Based Policies
Attached directly to a resource such as:
- Amazon S3 bucket policy
- AWS Key Management Service key policy
They define:
- Who can access that resource
Important for cross-account access.
3. Principle of Least Privilege
Very important for the exam.
Always:
- Grant only the minimum permissions required.
- Avoid using * (wildcards) unless absolutely necessary.
4. IAM Roles (Instead of Access Keys)
For secure architecture:
- EC2 instances should use IAM roles
- Lambda functions should use IAM roles
- Avoid storing access keys in code
Relevant services:
- Amazon EC2
- AWS Lambda
Exam Tip:
If a question says “application running on EC2 needs access to S3” →
Correct answer is usually: Attach IAM role to EC2, not store credentials.
5. S3 Access Control
For S3, you must understand:
- Bucket Policies
- IAM Policies
- Access Control Lists (ACLs)
- Block Public Access settings
Important:
By default, S3 blocks public access.
If public access is required, it must be explicitly allowed.
6. Conditional Access
IAM policies can include conditions such as:
- Source IP address
- MFA required
- Time of day
- VPC endpoint access only
Example:
- Allow S3 access only from inside a specific VPC.
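Added example (not from these notes): a small Python evaluator that shows how the developer's identity-based policy, an explicit Deny, and a VPC condition on a bucket policy combine under least privilege. The bucket ARN and VPC id are constructed, only the StringEquals/StringNotEquals operators are modelled, and the evaluator is a simplified model of IAM logic, not the real engine.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-data-bucket"  # constructed bucket ARN
VPC_ID = "vpc-0123456789abcdef0"             # constructed VPC id

# Identity-based policy for a developer: read objects, explicitly never delete them.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
]}

# Resource-based bucket policy: any request that does not come from VPC_ID is denied.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpc": VPC_ID}}},
]}

def _matches(pattern, value):
    # IAM treats '*' as a wildcard in Action and Resource; matching is case-sensitive here.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Missing context key: StringEquals fails, StringNotEquals succeeds (as in IAM).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True

def is_allowed(policies, action, resource, context=None):
    """Explicit Deny wins; otherwise at least one Allow must match (implicit deny)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

The same three outcomes (read allowed from the VPC, read denied from elsewhere, delete always denied) are what the real policy simulator would report for these documents.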
3. Implementing Data Lifecycle Policies
Data lifecycle policies control:
- When data moves to cheaper storage
- When data is archived
- When data is deleted
This reduces cost and improves compliance.
3.1 S3 Lifecycle Policies
Service:
- Amazon S3
S3 supports storage classes such as:
- Standard
- Intelligent-Tiering
- Standard-IA
- One Zone-IA
- Glacier Instant Retrieval
- Glacier Flexible Retrieval
- Glacier Deep Archive
You can configure lifecycle rules to:
- Move objects to cheaper storage after X days
- Delete objects after X days
- Transition non-current versions
- Abort incomplete multipart uploads
Exam Tip:
If the question mentions:
- “Old logs after 90 days”
- “Long-term archival”
- “Minimize storage cost”
→ Use S3 Lifecycle Policy
3.2 Versioning and Lifecycle Together
When versioning is enabled:
- Old versions are stored
- Lifecycle rules can delete old versions automatically
Important for:
- Accidental deletion protection
- Compliance requirements
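Added example (not from these notes) for sections 3.1 and 3.2: a lifecycle configuration in the shape accepted by put-bucket-lifecycle-configuration, a checker for constraints S3 enforces (transition days must increase, Standard-IA/One Zone-IA only after 30 days in Standard, expiration after the last transition), and a helper that resolves which storage class an object is in at a given age. Prefix, thresholds and key names are constructed.

```python
from bisect import bisect_right

# Constructed config in the shape accepted by s3api put-bucket-lifecycle-configuration.
LIFECYCLE = {"Rules": [
    {"ID": "logs-tiering", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                     {"Days": 90, "StorageClass": "GLACIER"},  # Glacier Flexible Retrieval
                     {"Days": 365, "StorageClass": "DEEP_ARCHIVE"}],
     "Expiration": {"Days": 2555},  # about 7 years, then the current version is deleted
     "NoncurrentVersionExpiration": {"NoncurrentDays": 30},  # old versions (needs versioning)
     "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}},
]}

IA_MINIMUM_DAYS = 30  # S3 requires 30 days in STANDARD before an IA transition

def validate(config):
    """Problems S3 would reject the configuration for (empty list means it is accepted)."""
    problems = []
    for rule in config["Rules"]:
        days = [t["Days"] for t in rule.get("Transitions", [])]
        if any(a >= b for a, b in zip(days, days[1:])):
            problems.append(f"{rule['ID']}: transition days must strictly increase")
        for t in rule.get("Transitions", []):
            if t["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") and t["Days"] < IA_MINIMUM_DAYS:
                problems.append(f"{rule['ID']}: {t['StorageClass']} before {IA_MINIMUM_DAYS} days")
        expiration = rule.get("Expiration", {}).get("Days")
        if expiration is not None and days and expiration <= max(days):
            problems.append(f"{rule['ID']}: expiration must come after the last transition")
    return problems

def rule_for(key, config=LIFECYCLE):
    """First enabled rule whose prefix filter covers the key, or None."""
    for rule in config["Rules"]:
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if rule["Status"] == "Enabled" and key.startswith(prefix):
            return rule
    return None

def state_at(key, age_days, config=LIFECYCLE):
    """(storage_class, expired) for a current object age_days after creation.
    Approximation: S3 actually acts at the first midnight UTC after each threshold."""
    rule = rule_for(key, config)
    if rule is None:
        return "STANDARD", False
    transitions = rule.get("Transitions", [])
    i = bisect_right([t["Days"] for t in transitions], age_days)
    storage_class = transitions[i - 1]["StorageClass"] if i else "STANDARD"
    expired = age_days >= rule.get("Expiration", {}).get("Days", float("inf"))
    return storage_class, expired
```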
3.3 EBS Snapshot Lifecycle
Service:
- Amazon Elastic Block Store
Snapshots can be automated using:
- Data Lifecycle Manager (DLM)
You can:
- Create daily snapshots
- Retain last X backups
- Delete older ones automatically
Exam scenario:
If a database server runs on EC2 and needs daily backups →
Use EBS snapshots with lifecycle policies.
3.4 Backup Policies
Service:
- AWS Backup
AWS Backup allows centralized backup management for:
- EC2
- EBS
- RDS
- DynamoDB
- EFS
You can define:
- Backup plans
- Retention periods
- Cross-region backups
- Cross-account backups
Exam Tip:
If the question says:
“Centralized backup management across multiple services”
→ Answer is usually AWS Backup.
4. Implementing Data Protection Policies
Data protection includes:
- Encryption
- Backup
- Replication
- Monitoring
- Deletion protection
4.1 Encryption at Rest
Service:
- AWS Key Management Service
Used to encrypt:
- S3 objects
- EBS volumes
- RDS databases
- DynamoDB tables
Important:
KMS key policies control:
- Who can use the key
- Who can manage the key
Exam Tip:
If the question mentions:
“Sensitive data stored in S3 must be encrypted automatically”
→ Use:
- S3 default encryption
- SSE-KMS
4.2 Encryption in Transit
Use TLS/SSL.
Service:
- AWS Certificate Manager
Used with:
- Load balancers
- CloudFront
- API Gateway
Exam Tip:
If the question mentions:
“Secure communication between client and application”
→ Use HTTPS with ACM certificate.
4.3 Replication for Data Protection
S3 Cross-Region Replication (CRR)
- Automatically copies objects to another region
- Improves disaster recovery
Service:
- Amazon S3
RDS Multi-AZ
Service:
- Amazon RDS
Provides:
- Automatic failover
- High availability
Important:
Multi-AZ is for availability, not read scaling.
4.4 Object Lock (Compliance Protection)
In S3:
- Prevent object deletion
- WORM (Write Once Read Many)
- Used for compliance
Modes:
- Governance mode
- Compliance mode
Exam Tip:
If the question says:
“Data must not be deleted for 7 years”
→ Use S3 Object Lock.
4.5 Monitoring and Auditing Access
Service:
- AWS CloudTrail
CloudTrail records:
- Who accessed resources
- What actions were taken
- When it happened
Used for:
- Auditing
- Security investigations
4.6 Data Classification and Tag-Based Policies
You can:
- Tag resources (e.g., “Confidential”, “Public”)
- Use IAM policies based on tags
This helps enforce:
- Access based on classification
- Environment-based controls (Dev, Test, Prod)
5. Important Exam Patterns
You must understand how to choose the correct solution.
If the question mentions:
🔹 “Restrict access” → IAM policy
🔹 “Cross-account access” → Resource-based policy
🔹 “Secure EC2 access to S3” → IAM role
🔹 “Move data to cheaper storage after 30 days” → S3 lifecycle rule
🔹 “Automatic backups across services” → AWS Backup
🔹 “Prevent deletion for compliance” → S3 Object Lock
🔹 “Track API activity” → CloudTrail
🔹 “Encrypt using customer-managed keys” → KMS
6. Shared Responsibility Model
Remember:
AWS is responsible for:
- Infrastructure security
You are responsible for:
- IAM configuration
- Encryption settings
- Backup policies
- Lifecycle rules
- Monitoring
This is very important for the exam.
7. Final Exam Checklist
Make sure you understand:
✅ IAM identity-based vs resource-based policies
✅ Least privilege principle
✅ IAM roles for services
✅ S3 bucket policies and Block Public Access
✅ S3 lifecycle rules
✅ Versioning and object lock
✅ EBS snapshot lifecycle
✅ AWS Backup
✅ KMS key policies
✅ Encryption at rest and in transit
✅ CloudTrail logging
✅ Replication vs backup
✅ Retention requirements for compliance
Final Summary
Implementing policies for data access, lifecycle, and protection means:
- Controlling who can access data
- Defining how long data is stored
- Protecting data using encryption, backup, and replication
- Monitoring all access and changes
For the SAA-C03 exam, you must not only know the services, but also know when to use each one based on the requirement.
If you master these concepts, you will be fully prepared for this section of the exam.
