AWS · DVA-C02

Identity And Access Governance — AWS Developer (DVA-C02)

10% of exam questions (20 of 200)

Least Privilege Is a Wording Signal, Not a Slogan

'Least privilege' in a requirement is an instruction about policy scope, not an invitation to attach AmazonS3FullAccess. 'Temporary credentials' points to IAM roles and STS AssumeRole, not IAM user access keys. 'Cross-account' means a trust policy is required alongside the permission policy. A correctly scoped policy names specific actions such as s3:GetObject and s3:PutObject against a resource ARN like arn:aws:s3:::bucket-name/* rather than using a wildcard action against a wildcard resource. Permission boundaries set an outer limit on what an identity can do; they do not grant permissions on their own and must accompany an identity-based policy.

What This Pattern Tests

The exam presents access-control scenarios and tests precise selection of the IAM mechanism: IAM roles with trust policies for cross-account access (no long-lived credentials); IAM Identity Center (SSO) with permission sets for human access across multiple accounts; permission boundaries so that admins can create roles that cannot exceed a privilege ceiling; and resource-based policies on S3 buckets and KMS keys for cross-account resource sharing without assuming roles. The trap is creating IAM users with access keys for applications (use roles instead) or granting AdministratorAccess when a scoped policy suffices.

Decision Axis

Access pattern (service-to-service vs. human vs. cross-account vs. delegated admin) determines the IAM mechanism.

Associated Traps

Decision Rules

Select the secrets store that satisfies both the no-hardcoded-credentials requirement and the mandatory automatic-rotation capability boundary, distinguishing Secrets Manager's native rotation from Parameter Store's rotation gap.

AWS Secrets Manager · AWS Systems Manager · AWS Lambda

When automatic credential rotation is a hard compliance constraint, AWS Secrets Manager is required over Systems Manager Parameter Store SecureString because Parameter Store provides no native automatic rotation and any rotation requires a custom Lambda-based automation that the developer must own and operate.

AWS Secrets Manager · AWS Systems Manager · AWS Lambda

Choose AWS Secrets Manager over Systems Manager Parameter Store SecureString when automatic credential rotation is mandatory, because Parameter Store cannot rotate natively and requires a custom Lambda orchestrator whose authoring, error handling, and scheduling constitute hidden operational burden that violates the no-custom-automation constraint.

AWS Secrets Manager · AWS Systems Manager · AWS Identity and Access Management

Which service owns the end-to-end external customer identity lifecycle—including social IdP federation, user directory, and JWT issuance for downstream API authorization—versus which service is scoped exclusively to workforce and enterprise SSO principals?

Amazon Cognito · AWS IAM Identity Center · Amazon API Gateway

Whether the instance role's IAM policy scopes secretsmanager:GetSecretValue to the exact named secret ARN or uses a wildcard resource — both options eliminate hardcoded credentials via an instance profile, but only resource-level scoping to the specific ARN satisfies the no-wildcard-resource-in-secrets-policy constraint.

AWS Identity and Access Management · AWS Secrets Manager · Amazon EC2
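As an added illustration of the scoping rules described on this page (specific actions against a resource ARN instead of a wildcard action on a wildcard resource, and secretsmanager:GetSecretValue bound to the exact secret ARN rather than a wildcard), here is a small policy-audit routine in Python; it is example code written for this page, not part of any AWS tool, and the two policy documents, bucket name, account ID and secret ARN are constructed placeholders.

```python
import json

# Constructed sample policy documents for this example (placeholder account
# ID, bucket name and secret ARN; none refer to a real account).
BROAD_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"}
  ]
}"""

SCOPED_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::bucket-name/*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-creds-AbCdEf"}
  ]
}"""


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement index, finding) pairs for Allow statements that are
    broader than the scoping rules allow; an empty list means the document passes."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = "*" in resources
        # A wildcard action against a wildcard resource is the pattern to avoid.
        if wildcard_action and wildcard_resource:
            findings.append((idx, "wildcard action on wildcard resource"))
        # GetSecretValue must name the secret ARN, never "*".
        if "secretsmanager:GetSecretValue" in actions and wildcard_resource:
            findings.append((idx, "GetSecretValue not scoped to a secret ARN"))
    return findings


def is_least_privilege(policy_json):
    """True when the audit raises no findings."""
    return not audit_policy(policy_json)
```

Running audit_policy on the broad document reports both statements, while the scoped document reports nothing; the same checks can be run over policies exported with the IAM API before they are attached.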

Domain Coverage

Development with AWS Services · Security

Difficulty Breakdown

Easy: 8 · Hard: 12