AWS · SAA-C03

Identity And Access Governance — AWS Solutions Architect (SAA-C03)

8% of exam questions (16 of 200)

Who needs access and from where changes everything

Watch for "federated users," "cross-account," "human operators," and "application roles": these are not interchangeable access scenarios. IAM roles govern application and service access; IAM Identity Center handles human workforce federation at scale across the accounts of an organization (its permission sets are provisioned into each member account as IAM roles). Cross-account resource access uses resource-based policies or role assumption, not Identity Center. Candidates conflate these because every option involves an identity of some kind. The exam tests the specific mechanism that governs the stated access path, not general familiarity with the IAM console.

What This Pattern Tests

The exam presents access control scenarios and tests precise IAM mechanism selection: IAM roles with trust policies for cross-account access (temporary STS credentials, no long-lived keys); IAM Identity Center (SSO) with permission sets for human access across multiple accounts; permission boundaries so that delegated admins can create roles and users that cannot exceed a privilege ceiling; and resource-based policies on S3 buckets and KMS keys for cross-account resource sharing without assuming a role (for a cross-account request both the resource policy and the caller's identity policy must allow the action). The trap is creating IAM users with access keys for applications (use roles instead) or granting AdministratorAccess when a scoped policy suffices.

Decision Axis

Access pattern (service-to-service vs. human vs. cross-account vs. delegated admin) determines the IAM mechanism.

Associated Traps

Decision Rules

Attach an IAM role to the EC2 instance via an instance profile so that AWS STS automatically issues rotating temporary credentials to the application at runtime, rather than provisioning an IAM user and storing its long-term access key in the instance environment or configuration file.

AWS Identity and Access Management (IAM) · AWS Security Token Service (AWS STS)

Whether to attach an AWS-managed S3 read policy whose Resource element is a wildcard covering all buckets, or to create a customer-managed policy that restricts both the allowed actions and the Resource ARN to the specific bucket name and key prefix stated in the requirement. Least privilege decides this: the customer-managed policy. Note that bucket-level and object-level actions need different ARNs: s3:ListBucket applies to arn:aws:s3:::bucket, while s3:GetObject applies to arn:aws:s3:::bucket/prefix/*.

AWS Identity and Access Management (IAM) · Amazon S3

Whether the Lambda execution role's permission policy must be a narrow customer-managed policy scoped to s3:PutObject on the exact bucket-prefix ARN, or whether attaching the AWS managed AmazonS3FullAccess policy is acceptable because the cross-account trust policy already restricts which principal can assume the role. It is not acceptable: the trust policy controls who may assume the role, the permission policy controls what the role may do once assumed, and AmazonS3FullAccess lets whoever assumes it reach every bucket in the account.

AWS Identity and Access Management (IAM) · AWS Security Token Service (AWS STS) · Amazon S3
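The two S3 policy rules above, and the mechanisms listed under "What This Pattern Tests", turn on documents that candidates mix up: the trust policy, which decides who may assume a role; the permission policy, which decides what the role may do; and the permission boundary, which caps the permission policy. The following Python is an added example, not AWS code or exam material. It writes the four documents out as they would appear in the IAM console and evaluates sample requests against them with a deliberately simplified model of IAM's logic: implicit deny, explicit Deny wins, wildcard Action and Resource matching, an AWS principal, and a StringEquals condition. NotAction, NotResource and the other condition operators are not modelled, and a trusted account is represented by its root ARN. The bucket, prefix, account IDs, role name and ExternalId are constructed.

```python
import fnmatch

# Constructed names for the example.
BUCKET = "acme-reports"
PREFIX = "incoming/"
ROLE_ARN = "arn:aws:iam::111111111111:role/acme-ingest"

# Customer-managed policy scoped to one action on one bucket prefix.
SCOPED_PUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}*"}],
}

# Shape of the AWS managed AmazonS3FullAccess policy: every S3 action on every bucket.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Permission boundary: the ceiling a delegated admin cannot exceed, whatever
# identity policy they attach to the roles they create.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                   "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}],
}

# Trust policy of the role: only account 222222222222 may assume it, and only when it
# presents the agreed ExternalId (constructed value). It has no Resource element.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "acme-partner-7f3a"}}}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, principal, context):
    # Action names are case-insensitive; "*" and "?" are wildcards, as in IAM.
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    # Resource ARNs are case-sensitive. A trust policy has no Resource (the role itself).
    if "Resource" in stmt and not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    # Simplification: the caller is identified by its account root ARN.
    if "Principal" in stmt and principal not in _as_list(stmt["Principal"].get("AWS", [])):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if (context or {}).get(key) != expected:
            return False
    return True


def evaluate(policy, action, resource, principal=None, context=None):
    """Decide one request against one policy document: 'Allow' or 'Deny'."""
    decision = "Deny"  # implicit deny until some statement allows
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, principal, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision


def effective(identity_policy, boundary, action, resource):
    """With a permission boundary, both documents must allow the request."""
    allowed = all(evaluate(p, action, resource) == "Allow" for p in (identity_policy, boundary))
    return "Allow" if allowed else "Deny"


def run_checks():
    in_scope = f"arn:aws:s3:::{BUCKET}/{PREFIX}2024-06-report.csv"
    elsewhere = "arn:aws:s3:::payroll-exports/salaries.csv"
    trusted = "arn:aws:iam::222222222222:root"
    ext = {"sts:ExternalId": "acme-partner-7f3a"}
    return {
        # The scoped policy allows exactly the stated access path and nothing else.
        "scoped_put_in_prefix": evaluate(SCOPED_PUT_POLICY, "s3:PutObject", in_scope),
        "scoped_put_other_bucket": evaluate(SCOPED_PUT_POLICY, "s3:PutObject", elsewhere),
        "scoped_delete_in_prefix": evaluate(SCOPED_PUT_POLICY, "s3:DeleteObject", in_scope),
        # AmazonS3FullAccess reaches every bucket in the account, trust policy or not.
        "full_delete_other_bucket": evaluate(FULL_ACCESS_POLICY, "s3:DeleteObject", elsewhere),
        # The boundary caps the full-access policy to one bucket and three actions.
        "boundary_put_in_bucket": effective(FULL_ACCESS_POLICY, BOUNDARY, "s3:PutObject", in_scope),
        "boundary_delete_in_bucket": effective(FULL_ACCESS_POLICY, BOUNDARY, "s3:DeleteObject", in_scope),
        "boundary_put_other_bucket": effective(FULL_ACCESS_POLICY, BOUNDARY, "s3:PutObject", elsewhere),
        # The trust policy decides who may assume the role, not what the role may do.
        "assume_trusted_with_id": evaluate(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, trusted, ext),
        "assume_trusted_wrong_id": evaluate(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, trusted,
                                            {"sts:ExternalId": "guess"}),
        "assume_other_account": evaluate(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN,
                                         "arn:aws:iam::333333333333:root", ext),
    }


if __name__ == "__main__":
    for name, decision in run_checks().items():
        print(f"{name:28s} {decision}")
```

Run it and read the last three lines against the first four: the trusted account with the right ExternalId gets in, but what it can then do is decided entirely by the permission policy, which is why the full-access policy is the wrong answer even behind a tight trust policy.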

Whether to grant the EC2 fleet an IAM instance profile so STS issues automatically rotated temporary credentials, or to embed long-term IAM user access keys in the launch template user data, trading away automatic credential rotation, and leaving a secret readable in the template, for a superficially simpler initial setup.

AWS Identity and Access Management (IAM) · AWS Security Token Service (AWS STS)
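A check for the trap in the two instance-profile rules above, as an added example that is not part of this page or of any AWS tool: it audits one entry of the ec2 describe-launch-template-versions output for a missing IamInstanceProfile and for long-term IAM user access keys embedded in the base64 UserData, distinguishing them from the ASIA-prefixed temporary keys STS issues. The launch template name, account ID and scripts are constructed; the key pair is the placeholder pair from the AWS documentation (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), not a live credential.

```python
import base64
import re

# Access key IDs are 20 characters. Long-term IAM user keys start with AKIA;
# temporary credentials issued by STS (instance profile, assumed role) start with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key assigned on a shell or INI-style line, e.g. AWS_SECRET_ACCESS_KEY=...
SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")


def scan_user_data(user_data_b64: str) -> dict:
    """Decode the base64 UserData of a launch template and look for embedded credentials."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    key_ids = {m.group(0) for m in ACCESS_KEY_ID_RE.finditer(text)}
    return {
        "long_term_key_ids": sorted(k for k in key_ids if k.startswith("AKIA")),
        "temporary_key_ids": sorted(k for k in key_ids if k.startswith("ASIA")),
        "secret_keys": len(SECRET_KEY_RE.findall(text)),
    }


def audit_launch_template_version(version: dict) -> list:
    """Findings for one element of LaunchTemplateVersions from describe-launch-template-versions."""
    data = version.get("LaunchTemplateData", {})
    label = f"{version.get('LaunchTemplateName')} v{version.get('VersionNumber')}"
    findings = []
    if "IamInstanceProfile" not in data:
        findings.append(f"{label}: no IamInstanceProfile, so the application has no role "
                        "credentials to fetch from the instance metadata service")
    if "UserData" in data:
        scan = scan_user_data(data["UserData"])
        if scan["long_term_key_ids"] or scan["secret_keys"]:
            findings.append(f"{label}: long-term IAM user credentials embedded in UserData "
                            f"{scan['long_term_key_ids']}")
    return findings


def _b64(script: str) -> str:
    return base64.b64encode(script.encode()).decode()


# Constructed sample versions. The key pair is the AWS documentation placeholder.
BAD_VERSION = {
    "LaunchTemplateName": "web-fleet",
    "VersionNumber": 3,
    "LaunchTemplateData": {
        "UserData": _b64(
            "#!/bin/bash\n"
            "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
            "/opt/app/start.sh\n"
        ),
    },
}

GOOD_VERSION = {
    "LaunchTemplateName": "web-fleet",
    "VersionNumber": 4,
    "LaunchTemplateData": {
        "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web-fleet"},
        # No keys anywhere: the SDK's default credential chain reads the role's
        # rotating credentials from the instance metadata service at runtime.
        "UserData": _b64("#!/bin/bash\n/opt/app/start.sh\n"),
    },
}


if __name__ == "__main__":
    for version in (BAD_VERSION, GOOD_VERSION):
        for finding in audit_launch_template_version(version) or ["clean"]:
            print(finding)
```

The same scan applies to anything else that ends up in user data or an AMI build script; the point of the instance profile is that there is nothing of this shape to find.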

Domain Coverage

Design Secure Architectures

Difficulty Breakdown

Medium: 8 · Hard: 8