1.1: Design secure access to AWS resources
📘AWS Certified Solutions Architect – (SAA-C03)
1. What “access controls and management across multiple accounts” means
In AWS, organizations often use multiple AWS accounts instead of only one.
Each account can be used for:
- Production systems
- Development systems
- Testing systems
- Security and logging
- Billing separation
Access control across multiple accounts means:
- Deciding who can access what
- Making sure users do not get more permissions than needed
- Managing access centrally and securely
- Preventing accidental or malicious access
For the exam, you must understand how AWS controls access across many accounts securely and at scale.
2. Why multiple AWS accounts are used (exam importance)
AWS recommends using multiple accounts because they provide:
a. Strong security boundaries
- Each AWS account is an isolation boundary
- If one account is compromised, others remain safe
b. Easier permission management
- Permissions can be different per account
- Fewer chances of mistakes
c. Clear separation of environments
- Production resources stay separate from testing or development resources
d. Better auditing and compliance
- Logs and security controls can be centralized
💡 Exam tip:
AWS accounts are the strongest security boundary in AWS.
3. AWS Organizations (very important for the exam)
What is AWS Organizations?
AWS Organizations is a service that lets you:
- Create and manage multiple AWS accounts
- Control them centrally
- Apply security rules across all accounts
Key components of AWS Organizations
a. Management account
- The main (parent) account
- Controls the organization
- Manages billing
- Should be highly secured
b. Member accounts
- Child accounts
- Used for workloads and services
- Follow rules set by the organization
c. Organizational Units (OUs)
- Logical groups of accounts
- Example IT usage:
- OU for production accounts
- OU for development accounts
- OU for security accounts
💡 Exam tip:
OUs help apply security policies to groups of accounts at once.
4. Centralized identity management (IAM across accounts)
Problem without centralized access
- Creating users in every account
- Hard to manage passwords
- Difficult to remove access when users leave
AWS solution: Centralized identity
a. IAM Identity Center (formerly AWS SSO)
This is the recommended approach.
It allows:
- One login for multiple AWS accounts
- Central management of users and permissions
- Integration with external identity providers
Users log in once, then select:
- Which AWS account
- Which role they want to use
💡 Exam tip:
IAM Identity Center is preferred over creating IAM users in each account.
5. IAM Roles and cross-account access (critical exam topic)
What is an IAM role?
An IAM role:
- Has permissions
- Does NOT have long-term credentials
- Is assumed temporarily
Cross-account access using roles
This is how AWS securely allows access between accounts.
How it works:
- A role is created in Account B
- Account A is trusted to assume that role
- Users in Account A temporarily gain permissions in Account B
Why this is secure:
- No shared passwords
- Temporary credentials
- Permissions expire automatically
💡 Exam tip:
For cross-account access, use IAM roles, not IAM users.
6. Service Control Policies (SCPs)
What are SCPs?
SCPs are organization-level permission rules.
They:
- Define the maximum permissions an account or OU can have
- Do NOT grant permissions
- Restrict what IAM permissions can do
Important characteristics:
- Applied at organization or OU level
- Affect all IAM users and roles in that account
- Even affect the root user (except management account root)
Example IT usage:
- Block deleting logging resources
- Prevent disabling encryption services
- Restrict usage of certain AWS regions
💡 Exam tip:
SCPs act as a permission boundary, not a permission grant.
7. Centralized logging and monitoring (security best practice)
To secure multiple accounts, logs must be centralized.
Key AWS services used:
a. AWS CloudTrail
- Records all API activity
- Tracks who did what and when
- Can send logs to a central logging account
b. AWS CloudWatch
- Monitors metrics and logs
- Used for alerts and visibility
c. AWS Config
- Tracks configuration changes
- Helps with compliance and auditing
💡 Exam tip:
Security and logging are often placed in a separate dedicated account.
8. Root user access across multiple accounts
Root user risks
- Has full permissions
- Cannot be restricted by IAM
- Highly dangerous if compromised
AWS best practices:
- Do NOT use root user for daily tasks
- Enable MFA on all root accounts
- Store root credentials securely
- Use IAM roles instead
💡 Exam tip:
Root access should be locked down and rarely used.
9. Permission design best practices (exam favorites)
a. Least privilege
- Give only the permissions needed
- Nothing extra
b. Role-based access
- Assign permissions to roles
- Users assume roles
c. No long-term credentials
- Avoid IAM users with access keys
- Prefer roles and temporary credentials
d. Centralized control
- Use AWS Organizations
- Use SCPs
- Use IAM Identity Center
💡 Exam tip:
AWS exams heavily favor least privilege + roles + centralized access.
10. Common exam scenarios you should recognize
You may see questions like:
- “How do you securely allow users to access multiple AWS accounts?”
→ IAM Identity Center + roles - “How do you restrict what accounts can do, even if IAM allows it?”
→ Service Control Policies (SCPs) - “How do you allow access between two AWS accounts securely?”
→ Cross-account IAM roles - “How do you centrally manage many AWS accounts?”
→ AWS Organizations
11. Summary (quick exam revision)
- Use multiple AWS accounts for security and isolation
- Manage accounts with AWS Organizations
- Group accounts using Organizational Units
- Use IAM Identity Center for centralized access
- Use IAM roles for cross-account access
- Use SCPs to limit maximum permissions
- Centralize logs using CloudTrail and Config
- Protect root users with MFA
- Always follow least privilege
