Task Statement 1.1: Design secure access to AWS resources.
📘AWS Certified Solutions Architect – (SAA-C03)
1. Why Identity and Access Matter in AWS (Exam Context)
In AWS, everything starts with identity.
Before anyone or anything can:
- access an EC2 instance
- read data from S3
- deploy resources
- manage AWS accounts
AWS must know who the user is and what they are allowed to do.
These two checks are called:
- Authentication → Who are you?
- Authorization → What are you allowed to do?
AWS provides identity and access services to control this securely, especially in large organizations and multi-account environments.
2. What Is Federated Access?
Federated access means:
Users do not have separate AWS usernames and passwords.
Instead, they sign in using an existing identity system, and AWS trusts that system.
Common identity sources:
- Company Active Directory
- Corporate identity provider (IdP)
- External identity systems (SAML, OIDC)
Why AWS Uses Federated Access:
- No long-term AWS passwords
- Centralized user management
- Easier user onboarding and offboarding
- Stronger security
3. AWS Identity and Access Management (IAM)
IAM is the core identity service in AWS.
What IAM Does:
- Manages users, groups, roles, and permissions
- Controls who can access AWS resources
- Works at the AWS account level
Key IAM Components (Very Important for Exam)
3.1 IAM Users
An IAM user represents:
- A person
- An application
- A service that needs AWS access
Each IAM user can have:
- Console access (username + password)
- Programmatic access (access key + secret key)
⚠️ Exam rule:
IAM users are NOT recommended for large organizations or external users
3.2 IAM Groups
IAM groups:
- Are collections of IAM users
- Make permission management easier
Example (IT context):
- Developers group
- Admins group
- Read-only group
Permissions are attached to groups, not directly to users (best practice).
3.3 IAM Policies (MOST IMPORTANT)
IAM policies define permissions.
They answer:
- What actions are allowed?
- On which AWS resources?
- Under what conditions?
Types of IAM Policies:
- AWS managed policies – created by AWS
- Customer managed policies – created by you
- Inline policies – attached to one identity only
Policy Logic:
- Default: Deny everything
- Explicit Allow grants access
- Explicit Deny always overrides Allow
⚠️ Exam rule:
AWS recommends, and the exam expects, the principle of least privilege.
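The three policy rules above as a small, runnable model (an added example, not part of the study notes): identity-based policies inside one account, with constructed sample policies for a Developers group. SCPs, permission boundaries, resource policies and condition keys are deliberately left out.

```python
# Added example, not from the study notes: a simplified model of how IAM
# evaluates identity-based policies inside one account, covering the three
# rules: default deny, explicit Allow grants, explicit Deny always wins.
# Real IAM also evaluates SCPs, permission boundaries, resource policies,
# Condition blocks and NotAction/NotResource; this model omits them.
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(patterns, action):
    # Action names are case-insensitive; "*" and "?" are IAM wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against the caller's policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # explicit Deny overrides any Allow
            allowed = True           # explicit Allow found; keep looking for a Deny
    return "Allow" if allowed else "Deny"   # nothing allowed it: implicit deny

# Constructed sample policies, e.g. attached to a Developers group.
READ_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-data",
                                "arn:aws:s3:::example-data/*"]}],
}
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-data/secrets/*"}],
}
```

With both policies attached, a read under `reports/` is allowed, the same read under `secrets/` is denied by the explicit Deny, and a write is denied because nothing allows it.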
3.4 IAM Roles (CRITICAL FOR FEDERATION)
An IAM role:
- Has permissions
- Does NOT have permanent credentials
- Is assumed temporarily
Roles are used by:
- AWS services
- Applications
- Federated users
- Cross-account access
Why roles are preferred:
- No long-term access keys
- Automatic credential rotation
- More secure
4. AWS IAM Identity Center (formerly AWS Single Sign-On)
AWS IAM Identity Center is the modern identity service for organizations.
It replaces many traditional IAM user use cases.
4.1 What IAM Identity Center Does
It allows:
- Single sign-on (SSO) to AWS accounts
- Centralized user access across multiple accounts
- Federation with external identity providers
Users log in once and access:
- Multiple AWS accounts
- Multiple AWS services
- Business applications (optional)
4.2 When IAM Identity Center Is Used (Exam Focus)
IAM Identity Center is used when:
- You have multiple AWS accounts
- You use AWS Organizations
- Users already exist in an external directory
- You want centralized access management
⚠️ Exam rule:
IAM Identity Center is the recommended way to manage workforce access in AWS.
4.3 Identity Sources for IAM Identity Center
IAM Identity Center can use:
- Built-in identity store
- External identity provider (SAML 2.0)
- AWS Managed Microsoft AD or external AD
AWS trusts the identity provider to authenticate users.
4.4 Permission Sets (Very Important)
In IAM Identity Center, permissions are assigned using permission sets.
A permission set:
- Is similar to an IAM role
- Contains policies
- Defines what users can do in an account
Users:
- Are assigned to accounts
- With a specific permission set
This creates:
User → Permission Set → AWS Account → Role
5. Federated Access Flow (Simplified)
1. User signs in to the identity provider
2. Identity provider authenticates the user
3. AWS trusts the identity provider
4. User assumes an IAM role
5. Temporary credentials are issued
6. User accesses AWS resources
⚠️ Exam keyword:
Temporary security credentials
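Step 4 of the flow is governed by the role's trust policy, which decides who may assume the role. The following added example (not from the study notes) shows a SAML-federated trust policy, the EC2 instance-role trust policy from the exam scenarios, and a small check that flags trust policies granting role assumption too broadly. The account id and IdP name are placeholders.

```python
# Added example, not from the study notes: inspect IAM role trust policies,
# the document that decides who may assume a role (step 4 of the flow).
# The account id and IdP name below are placeholders.
ACCOUNT = "123456789012"
IDP_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/CorpIdP"

# SAML-federated role: STS issues temporary credentials only for assertions
# from this IdP that are addressed to AWS (the SAML:aud condition).
SAML_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": IDP_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}
# Instance role (EC2 needs S3): only the EC2 service principal may assume it.
EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
# Risky trust policy: any principal in any AWS account may assume the role.
OPEN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def trust_findings(trust_policy):
    """Return findings for Allow statements that grant role assumption too broadly."""
    findings = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":              # bare "*" means every principal
            principal = {"AWS": "*"}
        if "*" in _as_list(principal.get("AWS", [])):
            findings.append("role assumable by any AWS principal")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "Federated" in principal and "SAML:aud" not in equals:
            findings.append("SAML trust without SAML:aud condition")
    return findings
```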
6. IAM vs IAM Identity Center (Exam Comparison)
| Feature | IAM | IAM Identity Center |
|---|---|---|
| Scope | Single AWS account | Multiple AWS accounts |
| Users | IAM users | Federated users |
| Best for | Small setups | Organizations |
| Credentials | Long-term possible | Temporary only |
| Central management | No | Yes |
| Exam recommendation | Limited use | Preferred |
7. Security Best Practices (Highly Tested)
7.1 Avoid IAM Users
- Use IAM Identity Center instead
- Use roles for services and users
7.2 Use Roles Everywhere
- For applications
- For AWS services
- For cross-account access
- For federated users
7.3 Enable MFA
- Especially for privileged access
- Required for sensitive operations
7.4 Follow Least Privilege
- Grant only required permissions
- Review policies regularly
8. Common Exam Scenarios You Must Recognize
Scenario 1:
Users already exist in a corporate directory and need access to multiple AWS accounts
✅ Correct answer:
AWS IAM Identity Center with federation
Scenario 2:
Application running on EC2 needs to access S3
✅ Correct answer:
IAM Role attached to EC2
Scenario 3:
Temporary access without storing credentials
✅ Correct answer:
IAM Role with temporary credentials
Scenario 4:
Centralized user access across AWS Organizations
✅ Correct answer:
IAM Identity Center
9. Key Exam Takeaways (Memorize This)
- IAM controls access inside one AWS account
- IAM Identity Center controls access across multiple accounts
- Federated users do not need IAM users
- Roles are the foundation of secure access
- Temporary credentials are more secure
- Least privilege is always applied
- IAM Identity Center is preferred over IAM users
