AWS · SOA-C03

Identity And Access Governance — AWS SysOps Administrator (SOA-C03)

5% of exam questions (9 of 200)

Instance Profiles Exist Precisely to Replace Static Keys

Requirement: EC2 instances access S3 under a least-privilege policy. Competing approaches: an IAM user whose access keys are embedded in the application, or an IAM role attached to the instance through an instance profile. The deciding constraint is credential scope and rotation. Static keys are not bound to any instance, never rotate on their own, and once copied off the host (from disk, a baked AMI, or a leaked config file) they work from anywhere until someone deactivates them. An instance profile hands the instance temporary credentials through the instance metadata service; they carry only the role's permissions, expire on their own, and are refreshed automatically with no application change (require IMDSv2 so an SSRF bug in the application cannot read them). The exam will always prefer the option that removes long-lived credentials from compute workloads.
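The instance-profile pattern as working policy documents, plus the check a reviewer runs for the two traps (keys in the application, wildcard or admin grants). This is an added example, not code from the page or from AWS: the bucket, prefix and role names are assumptions, and the policy linter is a small illustrative check rather than an AWS tool. Standard library only, so it runs offline; the boto3 call sequence is returned as data so it can be inspected before being replayed.

```python
"""EC2 -> S3 through an instance profile, with a check for the two traps the
exam penalises (access keys in the application, wildcard/admin grants).

Added example, not from the page or from AWS: the bucket, prefix and role
names are assumptions, and the policy linter is an illustrative check,
not an AWS tool. Stdlib only, so it runs offline."""
import json
import re

BUCKET = "example-app-data"        # assumed bucket name
ROLE = "app-s3-reader"             # assumed role / instance profile name

# Trust policy: only the EC2 service may assume the role. This is what binds
# the credentials to the instance and lets IMDS hand out short-lived ones.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def s3_read_policy(bucket, prefix="uploads/"):
    """Least privilege for read access to one prefix: ListBucket on the bucket
    ARN restricted by s3:prefix, GetObject on the object ARNs, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_findings(policy):
    """Flag over-privilege in Allow statements: service-wide or global
    action wildcards ('s3:*', '*') and Resource '*'."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*'")
    return findings

# Access key IDs are 20 characters. AKIA... is a long-lived IAM user key and
# must not appear in application config; ASIA... is a temporary key and is
# expected in an instance's environment.
_AKID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def find_embedded_keys(text):
    """Return any long-lived access key IDs found in config or source text."""
    return _AKID.findall(text)

def iam_calls(role_name=ROLE, bucket=BUCKET):
    """The boto3 IAM calls, in order, that create the role and put it in an
    instance profile, returned as (method, kwargs) pairs so they can be
    inspected offline and replayed with getattr(boto3.client('iam'), m)(**kw).
    Attach the profile afterwards with ec2.associate_iam_instance_profile."""
    return [
        ("create_role", {"RoleName": role_name,
                         "AssumeRolePolicyDocument": json.dumps(EC2_TRUST_POLICY)}),
        ("put_role_policy", {"RoleName": role_name, "PolicyName": "s3-read",
                             "PolicyDocument": json.dumps(s3_read_policy(bucket))}),
        ("create_instance_profile", {"InstanceProfileName": role_name}),
        ("add_role_to_instance_profile", {"InstanceProfileName": role_name,
                                          "RoleName": role_name}),
    ]

if __name__ == "__main__":
    # Constructed sample config showing the anti-pattern (AWS's documented
    # example key ID, not a real credential).
    sample_cfg = "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\nbucket = example-app-data\n"
    print("embedded keys:", find_embedded_keys(sample_cfg))
    print("findings:", policy_findings(s3_read_policy(BUCKET)))
    for method, kwargs in iam_calls():
        print(method, json.dumps(kwargs)[:70] + "...")
```

Run `policy_findings` over any inline policy before attaching it; an empty list is the least-privilege shape the exam expects, and a `Resource '*'` finding on an S3 statement is the usual sign someone reached for `AmazonS3FullAccess` instead of a scoped policy.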

What This Pattern Tests

The exam presents access-control scenarios and tests precise selection of the IAM mechanism: IAM roles with trust policies for cross-account access (no long-lived credentials); IAM Identity Center (the successor to AWS SSO) with permission sets for human access across multiple accounts; permissions boundaries so delegated admins can create roles that cannot exceed a privilege ceiling; resource-based policies on S3 buckets and KMS keys for cross-account sharing without assuming a role (the calling principal still needs an identity-based allow in its own account). The traps are creating IAM users with access keys for applications (use roles) and granting AdministratorAccess when a scoped policy suffices.

Decision Axis

Access pattern (service-to-service vs. human vs. cross-account vs. delegated admin) determines the IAM mechanism.

Associated Traps

Decision Rules

Whether to enforce the GuardDuty protection guarantee (detectors cannot be disabled or deleted by account principals) at account scope with an SCP on the OU or at principal scope with permissions boundaries attached to each role: the correct tool is the one whose enforcement an account-level administrator cannot bypass by creating new IAM entities.

AWS Organizations · AWS Identity and Access Management (IAM)

Whether account-wide preventive enforcement in a multi-account AWS Organizations environment is correctly achieved by attaching an SCP at the OU level rather than attaching IAM permissions boundaries to each existing IAM role. The SCP caps every principal in every member account under the OU regardless of what identity-based policies grant, and it cannot be changed from inside the member account; permissions boundaries are principal-scoped, require ongoing per-entity maintenance, and constrain only the entities they are attached to, so any account admin who creates a new role without a boundary is unconstrained. Two caveats a practitioner needs: SCPs do not apply to the management account, and the boundary approach can only be shored up by conditioning iam:CreateRole and iam:CreateUser on iam:PermissionsBoundary, a policy the same admin can remove.

AWS Organizations · AWS Identity and Access Management (IAM)
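The two SCP-versus-permissions-boundary rules above reduce to one fact about IAM evaluation, and it is worth seeing it run. This added example (not from the page or from AWS) is a deliberately reduced model of policy evaluation: an explicit deny in any layer wins, and every layer that is present (identity policy, SCP, permissions boundary) must allow. The GuardDuty action names are real API actions; the policy set is an assumed minimal one, and the model ignores NotAction, resource ARNs and condition keys.

```python
"""Reduced IAM evaluation: explicit deny anywhere > every present layer must
allow. Used to show why an SCP on the OU survives an account admin creating
a fresh role while a permissions boundary does not.

Added example, not from the page or from AWS. Real action names; assumed
policies; NotAction, Resource ARNs and Conditions are deliberately ignored."""
from fnmatch import fnmatch

# GuardDuty actions that would turn detection off or sever it from the
# delegated administrator. Real API action names.
GUARDDUTY_DISABLE = [
    "guardduty:DeleteDetector",
    "guardduty:UpdateDetector",
    "guardduty:DisassociateFromAdministratorAccount",
]

FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def deny_guardduty_disable():
    """Same document serves as an SCP or as a permissions boundary: allow
    everything, then explicitly deny the disable actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": GUARDDUTY_DISABLE, "Resource": "*"}]}

def _matches(actions, action):
    actions = actions if isinstance(actions, list) else [actions]
    return any(fnmatch(action, pattern) for pattern in actions)

def _decision(policy, action):
    """'deny', 'allow' or None (no matching statement) for one policy."""
    verdict = None
    for st in policy["Statement"]:
        if _matches(st["Action"], action):
            if st["Effect"] == "Deny":
                return "deny"        # explicit deny is final for this policy
            verdict = "allow"
    return verdict

def is_allowed(action, identity, scp=None, boundary=None):
    """Evaluation for an IAM role in a member account. A layer passed as
    None is absent (no SCP attached, or no boundary on the role)."""
    decisions = [_decision(p, action) for p in (identity, scp, boundary) if p is not None]
    if "deny" in decisions:
        return False
    return all(d == "allow" for d in decisions)

ADMIN_IDENTITY = FULL_ACCESS   # what an account admin role typically carries

def compare_controls(action="guardduty:DeleteDetector"):
    """An existing role carries the boundary; a new role the account admin
    just created does not. The SCP applies to both because it is attached
    to the OU, not to the principal."""
    guard = deny_guardduty_disable()
    return {
        "permissions_boundary": {
            "existing_role": is_allowed(action, ADMIN_IDENTITY, boundary=guard),
            "new_role": is_allowed(action, ADMIN_IDENTITY, boundary=None),
        },
        "scp": {
            "existing_role": is_allowed(action, ADMIN_IDENTITY, scp=guard),
            "new_role": is_allowed(action, ADMIN_IDENTITY, scp=guard),
        },
    }

if __name__ == "__main__":
    for control, outcome in compare_controls().items():
        print(f"{control:22s} existing_role allowed={outcome['existing_role']} "
              f"new_role allowed={outcome['new_role']}")
```

The result is the exam's answer in one table: the boundary blocks the role it is attached to and nothing else, while the SCP blocks both roles. The same model also shows the limit of the SCP: pass no SCP for a principal in the management account and the deny disappears, which is why the management account should hold no workloads.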

Whether native managed rotation in Secrets Manager eliminates the custom orchestration that Parameter Store SecureString requires (a scheduled function that generates a value, updates the backing store, writes the new parameter, and application logic that re-reads it) when automatic credential rotation without application change is the dominant constraint. Secrets Manager runs a rotation function on a schedule and moves the AWSCURRENT staging label to the new version, so an application that fetches the secret at use sees the new value with no code change.

AWS Secrets Manager · AWS Systems Manager Parameter Store
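What "managed rotation" actually drives is a four-step protocol (createSecret, setSecret, testSecret, finishSecret) that Secrets Manager invokes against a rotation function, using staging labels so the switch to the new credential is atomic. This added example (not from the page or from AWS) implements that handler and runs it against an in-memory stand-in for the service and a dict standing in for the database's credential store; the stand-in implements only the four boto3 calls the handler uses, with their real keyword arguments, and the secret is a bare password string rather than the JSON document a real rotation function would carry.

```python
"""Secrets Manager rotation protocol, run offline against an in-memory
stand-in for the service. Added example, not from the page or from AWS:
the fake client mimics only describe_secret, get_secret_value,
put_secret_value and update_secret_version_stage, with boto3's keyword
arguments; DB_USERS is a constructed stand-in for the backing store."""
import secrets

class FakeSecretsManager:
    """In-memory stand-in for boto3's SecretsManager client (assumed).
    Versions are keyed by id; AWSCURRENT/AWSPENDING labels move between
    versions the way the real service moves them."""
    def __init__(self, secret_id, initial):
        self.secret_id = secret_id
        self.versions = {"v0": initial}
        self.stages = {"v0": ["AWSCURRENT"]}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: list(v) for k, v in self.stages.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        if VersionId is None:
            VersionId = next(v for v, s in self.stages.items() if VersionStage in s)
        return {"SecretString": self.versions[VersionId], "VersionId": VersionId}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = list(VersionStages)

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId,
                                    RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)

DB_USERS = {"app": "old-password"}   # constructed stand-in for the DB user table

def rotate(event, client, db=DB_USERS):
    """Rotation function body. The service invokes it once per step with the
    same ClientRequestToken, so every step must be safe to repeat."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        if token not in client.describe_secret(SecretId=arn)["VersionIdsToStages"]:
            client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                    SecretString=secrets.token_urlsafe(24),
                                    VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = client.get_secret_value(SecretId=arn, VersionId=token)["SecretString"]
        db["app"] = pending                    # change the password on the backing store
    elif step == "testSecret":
        pending = client.get_secret_value(SecretId=arn, VersionId=token)["SecretString"]
        if db["app"] != pending:               # stand-in for a real login attempt
            raise RuntimeError("pending credential does not work; rotation aborted")
    elif step == "finishSecret":
        cur_id = client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["VersionId"]
        if cur_id != token:                    # atomic label move; old version keeps working until here
            client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                               MoveToVersionId=token, RemoveFromVersionId=cur_id)
    else:
        raise ValueError(f"unknown step {step}")

def run_full_rotation(client, db=DB_USERS, token="v1"):
    """Drive the four steps the way the service does and return what an
    application reading AWSCURRENT sees afterwards."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": client.secret_id, "ClientRequestToken": token, "Step": step},
               client, db)
    return client.get_secret_value(SecretId=client.secret_id,
                                   VersionStage="AWSCURRENT")["SecretString"]

if __name__ == "__main__":
    sm = FakeSecretsManager("arn:aws:secretsmanager:us-east-1:123456789012:secret:app-db", "old-password")
    print("AWSCURRENT after rotation:", run_full_rotation(sm))
    print("DB now accepts:", DB_USERS["app"])
```

The application-side half of "no application change" is simply fetching the secret at use (or with a short cache) and retrying once on an authentication failure; nothing in the application knows the rotation happened. With Parameter Store every one of the four steps above is something you write and schedule yourself.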

Domain Coverage

Security and Compliance

Difficulty Breakdown

Easy: 3 · Hard: 6