Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
1. What is Data Access and Governance?
✅ Data Access
Data access means:
- Who can access data?
- What actions can they perform? (read, write, delete)
- From where can they access it?
- Under what conditions?
✅ Data Governance
Data governance means:
- Making sure data is protected
- Ensuring only authorized users access it
- Tracking who accessed data
- Making sure data follows compliance rules
- Managing data lifecycle (creation → usage → deletion)
For the exam, always think:
“How do we control, monitor, and protect data in AWS?”
2. Identity and Access Management (IAM)
The most important service for data access control is:
🔐 AWS Identity and Access Management (IAM)
IAM controls:
- Who can access AWS resources
- What actions they can perform
- Which resources they can access
IAM Components You Must Know
1️⃣ Users
- Represents a person or application
- Has long-term credentials
2️⃣ Groups
- Collection of users
- Permissions assigned once to group
3️⃣ Roles
- Temporary access
- Used by:
  - EC2 instances
  - Lambda functions
  - Cross-account access
Roles are very important for secure data access.
IAM Policies
Policies define permissions.
Types of policies:
- Identity-based policies
- Resource-based policies
Each policy statement specifies:
- Effect (Allow / Deny)
- Action
- Resource
- Optional Condition
🔑 Important Exam Rule:
Explicit Deny always overrides Allow
3. Resource-Based Policies
Some AWS services support resource policies, such as:
- Amazon S3
- AWS Lambda
- Amazon SQS
These policies are attached directly to the resource.
Example:
- An S3 bucket policy allowing another AWS account to access the bucket.
4. Cross-Account Access
In real IT environments:
- One AWS account stores data
- Another AWS account needs access
This is done using:
- IAM roles
- Resource-based policies
Exam tip:
If the question says “securely allow another account to access S3” → Think:
- IAM Role + Bucket Policy
5. Data Classification
Data governance starts with data classification.
Types:
- Public
- Internal
- Confidential
- Highly confidential
AWS helps discover sensitive data using:
🔍 Amazon Macie
Macie:
- Scans S3 buckets
- Detects sensitive data (PII, financial data)
- Generates findings
Exam point:
If the question says “automatically discover sensitive data in S3” → Answer is Macie.
6. Monitoring Data Access
You must track:
- Who accessed data?
- When?
- From where?
- What actions?
📜 AWS CloudTrail
CloudTrail:
- Logs all API calls
- Tracks IAM activity
- Used for auditing
Exam tip:
If the question asks:
“Track who deleted an S3 object”
Answer → CloudTrail
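An added example (not from the original notes) showing the kind of CloudTrail query behind exam scenarios such as “track who deleted an S3 object” and “track who modified an IAM policy”. The records below are constructed samples in CloudTrail's record format; the bucket, key, ARNs and IP addresses are made up. One caveat a practitioner needs: S3 object-level calls such as DeleteObject are data events, which CloudTrail records only when data event logging is enabled on the trail, so a query like this can only find what the trail was configured to capture.

```python
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample trail (not real log data). The field names follow the
# CloudTrail record format; every value below is invented for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "finance-reports", "key": "q1/summary.csv"}},
    {"eventTime": "2024-05-01T10:17:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc123"},
     "sourceIPAddress": "10.0.3.25",
     "requestParameters": {"bucketName": "finance-reports", "key": "q1/summary.csv"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "bob", "policyName": "inline-admin"}},
]})

# IAM API names that create, change, attach or detach policies (real IAM action names).
IAM_POLICY_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion",
    "SetDefaultPolicyVersion", "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
}


def events_by(trail_json: str, event_source: str, event_names: Iterable[str]) -> List[Dict[str, str]]:
    """Filter a trail to one service's events and reduce each hit to the audit
    questions of section 6: who, when, from where, which action, on what."""
    wanted = set(event_names)
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != event_source or rec.get("eventName") not in wanted:
            continue
        params = rec.get("requestParameters") or {}
        # S3 events name the bucket and key; other services keep their raw parameters.
        target = "/".join(p for p in (params.get("bucketName"), params.get("key")) if p)
        hits.append({
            "who": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "when": rec.get("eventTime", "<unknown>"),
            "from": rec.get("sourceIPAddress", "<unknown>"),
            "action": rec["eventName"],
            "target": target or json.dumps(params, sort_keys=True),
        })
    return hits


def find_object_deletions(trail_json: str, bucket: Optional[str] = None) -> List[Dict[str, str]]:
    """Who deleted S3 objects, optionally limited to one bucket (exam tip above)."""
    hits = events_by(trail_json, "s3.amazonaws.com", {"DeleteObject", "DeleteObjects"})
    if bucket:
        hits = [h for h in hits if h["target"] == bucket or h["target"].startswith(bucket + "/")]
    return hits


def find_iam_policy_changes(trail_json: str) -> List[Dict[str, str]]:
    """Who modified IAM policies (the exam's 'track who modified IAM policy' scenario)."""
    return events_by(trail_json, "iam.amazonaws.com", IAM_POLICY_EVENTS)


if __name__ == "__main__":
    for hit in find_object_deletions(SAMPLE_TRAIL) + find_iam_policy_changes(SAMPLE_TRAIL):
        print(f'{hit["when"]}  {hit["action"]:<14} {hit["target"]:<32} by {hit["who"]} from {hit["from"]}')
```

Against the constructed trail the deletion is attributed to the assumed role `AppRole` on instance `i-0abc123`, which is exactly why the notes stress roles: CloudTrail shows which role session acted, not just which account.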
7. Data Encryption and Access Control
Data access governance also includes encryption.
Two types:
1️⃣ Encryption at Rest
Protects stored data.
Examples:
- S3
- EBS
- RDS
Uses:
🔐 AWS Key Management Service (KMS)
KMS:
- Manages encryption keys
- Controls who can use keys
- Provides key rotation
Important:
You can control access to data by controlling access to the KMS key.
2️⃣ Encryption in Transit
Protects data while moving.
Uses:
- HTTPS
- TLS certificates
Service used:
🔐 AWS Certificate Manager
8. S3 Data Access Controls (Very Important for Exam)
📦 Amazon S3
S3 supports multiple layers of access control:
1️⃣ IAM Policies
Control who can access bucket or objects.
2️⃣ Bucket Policies
Attached directly to bucket.
3️⃣ Access Control Lists (ACLs)
Legacy mechanism (AWS recommends policies instead).
4️⃣ S3 Block Public Access
Prevents accidental public exposure.
Exam trick:
If the question says:
“Prevent all public access to S3 bucket”
Answer → Enable Block Public Access.
9. Data Loss Prevention (DLP)
Prevent sensitive data from being exposed.
Services:
🔎 Amazon Macie
Detects sensitive data in S3.
🛡 AWS Config
Checks if resources follow compliance rules.
Example:
- Detect if S3 bucket becomes public.
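An added example, not from the original notes, that checks the two S3 layers from section 8 together: it flags bucket-policy statements with a wildcard principal (the kind of grant AWS Config's S3 public-access checks look for) and reports whether the bucket's Block Public Access settings neutralise them. The policies, bucket name, account ID and VPC ID are constructed; the four flag names are the real PublicAccessBlockConfiguration fields. It simplifies AWS's definition of “public” by reporting any conditioned wildcard-principal statement as needing review rather than deciding it.

```python
import json
from typing import Any, Dict, List

# Constructed sample bucket policy (not from the page): one statement opens the
# objects to everyone, one is scoped to a single partner account, and one has a
# wildcard principal restricted by a VPC condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEveryoneRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::finance-reports",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
    ],
})

# Constructed policy with only the partner grant, for comparison.
PARTNER_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"},
    ],
})

# All four Block Public Access settings enabled (real PublicAccessBlockConfiguration keys).
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def classify_statements(policy_json: str) -> Dict[str, List[str]]:
    """Split Allow statements with a wildcard principal into unconditioned
    ('public') and conditioned ('conditional', needs human review) by Sid."""
    public, conditional = [], []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional if stmt.get("Condition") else public).append(sid)
    return {"public": public, "conditional": conditional}


def bucket_exposure(policy_json: str, public_access_block: Dict[str, bool]) -> str:
    """Combine the policy findings with Block Public Access.
    RestrictPublicBuckets makes S3 ignore public grants in an existing policy;
    BlockPublicPolicy only stops a new public policy from being attached, so it
    does not rescue a bucket whose policy is already public."""
    found = classify_statements(policy_json)
    if not found["public"]:
        return "review-conditions" if found["conditional"] else "not-public"
    if public_access_block.get("RestrictPublicBuckets"):
        return "public-grant-ignored"
    return "public"


if __name__ == "__main__":
    print(classify_statements(SAMPLE_POLICY))
    print("no block:  ", bucket_exposure(SAMPLE_POLICY, {}))
    print("full block:", bucket_exposure(SAMPLE_POLICY, FULL_BLOCK))
```

The point the exam trick above makes shows in the last two lines: the same policy is “public” with Block Public Access off and “public-grant-ignored” with it on, which is why enabling it is the answer whenever the requirement is to prevent all public access.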
10. Centralized Logging and Governance
Large organizations use centralized governance.
📊 AWS Organizations
Allows you to:
- Manage multiple AWS accounts
- Apply policies across accounts
🔒 Service Control Policies (SCPs)
SCPs:
- Control maximum permissions
- Applied at organization level
- Do NOT grant permissions
- Only restrict
Exam rule:
SCP = Guardrail
IAM = Actual permission
11. Fine-Grained Access Control
Sometimes access must be narrowed to:
- Specific rows only
- Certain S3 prefixes only
- Specific database tables only
IAM supports:
- Conditions
- Tag-based access control
Example:
- Allow access only if resource has tag “Department=Finance”
This is called:
Attribute-Based Access Control (ABAC)
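The three rules from sections 2, 10 and 11 (explicit Deny always wins, SCPs only restrict and never grant, tag conditions for ABAC) can be watched together in a small policy evaluator. This is an added example written for these notes, not AWS code and not a full IAM implementation: it handles Effect, Action, Resource and the StringEquals, StringNotEquals, Bool and BoolIfExists operators with `${...}` policy variables, ignores resource-based policies, NotAction and Principal, and treats the SCP list as one SCP per level of the organization hierarchy. The policies, ARNs, account ID, tags and regions are constructed.

```python
import fnmatch
import re
from typing import Any, Dict, List

# Constructed identity policy (not from the page). Statement 1 is ABAC: the
# caller may use any secret whose Department tag equals the caller's own
# Department tag. Statement 2 is an explicit Deny: no secret deletion unless
# MFA was used. BoolIfExists is deliberate: a plain Bool does not match when
# the aws:MultiFactorAuthPresent key is absent (no MFA at all), so the Deny
# would never fire for exactly the sessions it is meant to stop.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "secretsmanager:*",
         "Resource": "arn:aws:secretsmanager:*:111122223333:secret:*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}},
        {"Effect": "Deny",
         "Action": "secretsmanager:DeleteSecret",
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed SCP: a region guardrail. It allows everything (granting nothing by
# itself) and denies any request outside the two approved regions.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    ],
}

SECRET = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-password-AbCdEf"


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    # IAM wildcards are * and ?; fnmatchcase supports both ([] is unused in ARNs).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _resolve(value: str, ctx: Dict[str, str]) -> str:
    # Policy variables such as ${aws:PrincipalTag/Department} come from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """True when every key under every operator matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [_resolve(v, ctx) for v in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":
                ok = actual not in wanted  # a missing key satisfies a negated operator
            elif operator == "Bool":
                ok = actual is not None and actual.lower() == wanted[0].lower()
            elif operator == "BoolIfExists":
                ok = actual is None or actual.lower() == wanted[0].lower()
            else:
                raise ValueError(f"operator {operator} is not supported by this evaluator")
            if not ok:
                return False
    return True


def _policy_verdict(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Deny if any applicable statement denies, Allow if one allows, else ImplicitDeny."""
    effects = set()
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(identity_policies: List[Dict[str, Any]], scps: List[Dict[str, Any]],
               action: str, resource: str, ctx: Dict[str, str]) -> bool:
    """Simplified IAM decision for a request made by an IAM principal:
    1. an explicit Deny in any SCP or identity policy wins;
    2. every SCP (one per hierarchy level) must Allow, but that grants nothing;
    3. an identity policy must then explicitly Allow, else implicit deny."""
    scp_verdicts = [_policy_verdict(p, action, resource, ctx) for p in scps]
    id_verdicts = [_policy_verdict(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in scp_verdicts or "Deny" in id_verdicts:
        return False
    if any(v != "Allow" for v in scp_verdicts):
        return False
    return "Allow" in id_verdicts


if __name__ == "__main__":
    finance = {"aws:PrincipalTag/Department": "Finance", "aws:ResourceTag/Department": "Finance",
               "aws:RequestedRegion": "us-east-1"}
    print(is_allowed([IDENTITY_POLICY], [REGION_SCP], "secretsmanager:GetSecretValue", SECRET, finance))
```

With a Finance caller and a Finance-tagged secret the read is allowed; change the resource tag to HR and the ABAC condition fails (implicit deny); move the request to an unapproved region and the SCP's explicit Deny fires; and an SCP on its own, with no identity policy, allows nothing, which is the “SCP = guardrail, IAM = actual permission” rule in code.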
12. Database Access Governance
For databases like:
- Amazon RDS
- Amazon DynamoDB
You control access using:
- IAM
- Database authentication
- Encryption
- Security groups
13. Secrets Management
Applications need credentials (passwords, API keys).
Do NOT store them in:
- Code
- Configuration files
Use:
🔐 AWS Secrets Manager
Features:
- Stores secrets securely
- Automatic rotation
- IAM integration
Exam tip:
If the question says:
“Automatically rotate database credentials”
Answer → Secrets Manager.
14. Audit and Compliance
Governance includes proving compliance.
📘 AWS Artifact
Provides:
- Compliance reports
- Security certifications
15. Key Exam Comparison Table
| Requirement | Service |
|---|---|
| Control user permissions | IAM |
| Restrict all accounts centrally | SCP |
| Discover sensitive S3 data | Macie |
| Log API calls | CloudTrail |
| Encrypt data | KMS |
| Store secrets | Secrets Manager |
| Prevent S3 public access | S3 Block Public Access |
| Monitor configuration changes | AWS Config |
16. Common Exam Scenarios
Scenario 1:
Allow EC2 to access S3 securely
→ Use IAM Role
Scenario 2:
Track who modified IAM policy
→ CloudTrail
Scenario 3:
Prevent any account from creating public S3 buckets
→ SCP + Block Public Access
Scenario 4:
Find PII in S3 automatically
→ Macie
17. Important Security Principles
For the exam, always apply:
✅ Least Privilege
Give minimum permissions needed.
✅ Separation of Duties
Avoid giving full admin access unnecessarily.
✅ Defense in Depth
Multiple layers:
- IAM
- Encryption
- Monitoring
- Logging
Final Summary
For SAA-C03, Data Access and Governance means:
- Control access using IAM
- Use roles for secure temporary access
- Protect S3 with bucket policies and Block Public Access
- Encrypt data using KMS
- Monitor activity using CloudTrail
- Discover sensitive data using Macie
- Use SCPs for organization-level control
- Store secrets securely using Secrets Manager
- Follow least privilege principle
If you fully understand:
- IAM policies
- S3 access controls
- CloudTrail logging
- KMS key control
- Macie for data discovery
- SCP guardrails
You are fully prepared for this section of the SAA-C03 exam.
