PrepTempo

Chapter 1 of 4 · study guide + 9-question quiz

AWS Solutions Architect – AssociateIAM, network security, data protection, and application security scenario questions.

Design Secure Architectures

Skip to the chapter quiz ↓

Study guide

Security is the largest single domain on the SAA-C03 exam, worth about 30% of scored questions, because AWS expects every architecture decision to start from a security baseline rather than have security bolted on afterward. This chapter walks through identity, network, data-protection, and monitoring controls the way the exam tests them: as a scenario where you pick the narrowest, most auditable control that still lets the workload function.

Identity: IAM Policies, Roles, and Permission Boundaries

AWS Identity and Access Management (IAM) controls who can do what inside an account. An IAM policy is a JSON document that lists allowed or denied actions on specific resources; you attach policies to users, groups, or roles rather than granting permissions directly to a person whenever you can avoid it. A role is a temporary identity that an EC2 instance, Lambda function, or another AWS account can assume to get short-lived credentials, which removes the need to embed long-lived access keys inside application code. The exam consistently rewards the answer that uses a role instead of a hard-coded key. A permission boundary is a separate, advanced control: it sets the maximum permissions an IAM identity can ever have, even if an attached policy tries to grant more. Picture a contractor account at a company called Loomis Analytics: administrators want a delegated team lead to create IAM users for new contractors but never let those contractors reach S3 buckets containing payroll data. A permission boundary attached to any user the team lead creates enforces that ceiling regardless of what the team lead's own policy later grants. Combine this with the principle of least privilege, meaning every identity starts with zero permissions and gains only what its job requires, and with IAM Access Analyzer, a tool that scans policies and flags any that grant access to an external account or the public. Multi-factor authentication (MFA) should be required for any human identity with elevated privileges, especially the account root user, which should be locked away and never used for daily tasks after initial setup.

Governing Multiple Accounts: AWS Organizations and SCPs

Most real companies do not run a single AWS account; they run dozens, separated by business unit, environment, or compliance requirement. AWS Organizations lets you group these accounts under one management account and apply controls consistently across all of them. A Service Control Policy (SCP) is the key tool here: it sets the maximum permissions available to every IAM identity in the accounts it targets, similar in spirit to a permission boundary but applied organization-wide rather than to one identity. An SCP cannot grant permissions by itself; it can only restrict what IAM policies inside the account are allowed to do. Imagine a holding company, Anvers Group, that wants every account in its Sandbox organizational unit (OU) to be blocked from ever launching resources outside the us-east-1 and eu-west-1 regions, regardless of what any developer's IAM policy says. An SCP attached to that OU enforces the restriction at the organization level, so no individual account can override it. Organizations also supports consolidated billing, so usage across all member accounts rolls up to a single invoice and can unlock volume pricing tiers, and it enables delegated administration, where specific security or logging responsibilities are handed to a designated member account instead of the fragile, all-powerful management account. When the exam describes a requirement to enforce a rule across many accounts at once, an SCP is almost always the intended answer over an IAM policy repeated in each account.

Protecting Data: KMS, Encryption, and Secrets Management

AWS Key Management Service (KMS) creates and manages the cryptographic keys used to encrypt data across most AWS services. A customer managed key gives you control over the key policy, rotation schedule, and audit trail through CloudTrail, while an AWS managed key is created and rotated automatically by the service that uses it, trading some control for simplicity. Encryption at rest protects data stored on disk, for example an encrypted EBS volume or an S3 bucket with default encryption enabled, while encryption in transit protects data moving across a network, typically through TLS. The exam often frames a scenario where a compliance requirement mandates that the customer, not AWS, must control key rotation and access logging; that phrasing points to a customer managed KMS key rather than the default AWS managed option. For storing application secrets such as database passwords or API keys, two services compete: AWS Secrets Manager and Systems Manager Parameter Store. Secrets Manager natively supports automatic rotation of credentials, for example rotating an RDS database password on a schedule without any application downtime, and charges per secret per month. Parameter Store's Standard tier is free and works well for configuration values and secrets that do not need built-in rotation, while its Advanced tier adds higher storage limits and policy features for a small per-parameter cost. A scenario asking for automatic credential rotation with minimal custom code points to Secrets Manager; a scenario emphasizing cost efficiency for static configuration values points to Parameter Store.

Network Security: VPC Controls and Private Connectivity

Inside a Virtual Private Cloud (VPC), two layers of traffic filtering work together. A security group is stateful and attaches to individual resources like EC2 instances; it only supports allow rules, so if you allow inbound traffic on a port, the matching outbound response is automatically permitted. A network access control list (NACL) is stateless and attaches to a subnet; it evaluates rules in numbered order and supports both allow and deny rules, which makes it useful for explicitly blocking a known bad IP range at the subnet boundary. A common exam trap describes traffic that should be blocked at the subnet level for an entire address range, which calls for a NACL deny rule rather than trying to remove an allow rule from a security group. For reaching AWS services without traversing the public internet, a VPC endpoint creates a private connection from your VPC to a supported service. A gateway endpoint works only for S3 and DynamoDB and is added as a route table entry at no hourly cost. An interface endpoint, powered by AWS PrivateLink, creates an elastic network interface with a private IP address in your subnet and supports most other AWS services and even private connections to services hosted by other AWS customers. When a scenario says a workload in a private subnet with no internet gateway or NAT device must still reach S3, a gateway endpoint is the precise fit.

Threat Detection, Perimeter Defense, and Resource Policies

Amazon GuardDuty continuously analyzes account activity, VPC flow logs, and DNS logs using threat intelligence to detect things like a compromised credential making calls from an unusual location. AWS Security Hub aggregates findings from GuardDuty and other security tools into a single dashboard and checks resource configurations against standards such as the CIS AWS Foundations Benchmark. Amazon Macie focuses specifically on data stored in S3, using machine learning to discover and classify sensitive data such as personally identifiable information, which matters for a scenario about locating unlabeled customer data across many buckets. At the network edge, AWS Shield Standard is automatically included for every customer and defends against common infrastructure-layer distributed denial of service (DDoS) attacks at no charge; Shield Advanced is a paid tier adding detailed attack diagnostics, cost protection for scaling triggered by an attack, and 24/7 access to the AWS Shield Response Team (SRT), formerly known as the DDoS Response Team. AWS WAF (Web Application Firewall) filters HTTP and HTTPS requests based on rules you define, such as blocking requests containing SQL injection patterns or rate-limiting a single IP address. On the policy side, remember the distinction between an identity-based policy, attached to a user, group, or role, and a resource-based policy, attached directly to a resource such as an S3 bucket policy or a KMS key policy. Resource-based policies are the mechanism that enables cross-account access: a bucket policy in Account A can grant a role in Account B direct access without that role needing any permission granted from within Account B itself. S3 access points add another layer, giving each application its own named access path with its own policy, simplifying permission management for buckets shared across many teams.

Key terms

IAM role
A temporary identity with its own permissions that a user, application, or AWS service can assume to get short-lived credentials, avoiding long-lived access keys.
Permission boundary
An IAM feature that sets the maximum permissions an identity can have, even if an attached policy grants more.
Service Control Policy (SCP)
An AWS Organizations policy that sets the maximum permissions available to accounts or organizational units; it restricts but never grants access.
Customer managed key
A KMS encryption key that the customer creates and fully controls, including its rotation schedule and access policy.
AWS Secrets Manager
A service for storing secrets such as database credentials that supports automatic, scheduled rotation.
Systems Manager Parameter Store
A service for storing configuration values and secrets; its Standard tier is free but lacks built-in automatic rotation.
Security group
A stateful, instance-level virtual firewall in a VPC that supports only allow rules.
Network ACL
A stateless, subnet-level firewall in a VPC that supports both allow and deny rules evaluated in numbered order.
VPC endpoint
A private connection from a VPC to a supported AWS service that avoids routing traffic over the public internet; gateway type for S3/DynamoDB, interface type (PrivateLink) for most other services.
Amazon GuardDuty
A threat detection service that analyzes account and network activity for signs of compromise using threat intelligence.
Amazon Macie
A service that uses machine learning to discover and classify sensitive data stored in Amazon S3.
Resource-based policy
A permissions policy attached directly to a resource, such as an S3 bucket policy, that can grant cross-account access.

Exam tips

  • When a question emphasizes a rule that must apply across many or all AWS accounts at once, look for AWS Organizations SCPs before considering per-account IAM policies.
  • If a scenario needs automatic, scheduled rotation of a database password with no custom scripting, choose Secrets Manager over Parameter Store.
  • Distinguish stateful (security group) from stateless (NACL) filtering, and remember only NACLs can explicitly deny traffic.
  • For private access to S3 or DynamoDB from a subnet with no internet route, the gateway VPC endpoint is normally the lowest-cost, purpose-built answer.
  • Cross-account access questions usually hinge on a resource-based policy (like an S3 bucket policy) rather than trying to modify permissions in the requesting account.

AI checkpoint · chapter 1

Three questions picked live from what you just read — your past misses and untouched topics first. Pass the checkpoint, then take the full chapter quiz below.

Chapter 1 quiz — prove it

Loading…

AWS® and AWS Certified Solutions Architect – Associate® are trademarks of Amazon Web Services, Inc., which is not affiliated with this site and does not endorse this product.