AWS Certified Solutions Architect – Associate (SAA-C03) — Domain 1: Design Secure Architectures

Exam Code: SAA-C03  |  Level: Associate
Domain Weight: 30%  |  Total Domains: 4  |  Passing Score: 720/1000


Table of Contents

  1. IAM — Identity and Access Management
  2. VPC Security Architecture
  3. Data Security
  4. Application and Identity Security
  5. Exam Tips & Quick Reference

1. IAM — Identity and Access Management

IAM (Identity and Access Management) is the foundation of AWS security. It controls who can do what on which resources. Domain 1 is the heaviest domain (30%) and IAM questions appear in every other domain too — master this section first.

1.1 IAM Core Components

Every IAM question starts by identifying the correct principal type. Use the table below as your decision guide.

Component | What It Is | When to Use
IAM User | Long-term identity with credentials (password + access keys) | Human users needing permanent access; avoid for applications
IAM Group | Collection of users; attach policies to the group | Organize users by job function (Developers, Admins, ReadOnly)
IAM Role | Temporary identity; no long-term credentials; assumed by entities | EC2 instances, Lambda, cross-account access, federated users
IAM Policy | JSON document defining permissions | Attach to users, groups, or roles

Policy Types — Complete Reference

Policy Type | Attached To | Key Behavior
Managed — AWS | Users/groups/roles | AWS maintains; cannot modify
Managed — Customer | Users/groups/roles | You create and version; reusable across principals
Inline | Single user/group/role | Embedded; deleted when the principal is deleted; not reusable
Resource-based | S3, KMS, SQS, SNS, etc. | Controls who can access this specific resource
SCP (Service Control Policy) | Organizations OU or account | Maximum permissions cap for the entire account
Permissions Boundary | Specific user or role | Maximum permissions cap for that individual principal
Session Policy | Assumed role session | Further restricts a temporary session at assume-role time

Key Concept: SCPs and Permissions Boundaries are caps, not grants. They limit the maximum permissions a principal can have but never add permissions on their own. An SCP Allow + no IAM Allow = denied.


1.2 IAM Policy Evaluation Logic

The evaluation order is critical and appears on nearly every IAM scenario question.

Policy Evaluation Order (MEMORIZE):
1. Explicit DENY anywhere in the chain? → DENY (always wins, no exceptions)
2. Are all required ALLOWs present?
   - Same-account: identity policy OR resource policy with ALLOW is sufficient
   - Cross-account: BOTH identity policy AND resource policy must ALLOW
3. Default if no match: DENY (implicit deny)

Exam Tip: There is no override for an explicit Deny — not even the root user can bypass it when it is set in an SCP. Memorize: Explicit Deny → Deny. Implicit Deny → Deny. Explicit Allow in both required policies → Allow.

Principle of Least Privilege

Start with zero permissions and add only what is required. Use IAM Access Analyzer to surface unused permissions over time, and regularly prune policies to match actual usage.


1.3 IAM Roles — Critical Patterns

EC2 Instance Roles (Instance Profiles)

Never store access keys on EC2 instances. The correct pattern:

  1. Create an IAM role with the required permissions.
  2. Attach the role to the EC2 instance as an instance profile.
  3. The application retrieves temporary credentials from the IMDS (Instance Metadata Service) at 169.254.169.254.
  4. Credentials auto-rotate; no expiration management required.

# The AWS SDK automatically retrieves credentials from the instance profile:
# boto3's default credential chain falls through to the instance metadata
# endpoint when no keys are configured in code, environment or config files.
import boto3
s3 = boto3.client('s3')  # No explicit credentials needed

Cross-Account Role Assumption

To grant Account A access to resources in Account B:

Step 1 — Account B (resource account): Create a role with a trust policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::ACCOUNT-A-ID:root"},
    "Action": "sts:AssumeRole"
  }]
}

Step 2 — Account A: Add an identity policy allowing role assumption:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACCOUNT-B-ID:role/RoleName"
  }]
}

Step 3: Application calls sts:AssumeRole to receive temporary credentials scoped to Account B.

Common Service Roles

  • Lambda execution role — permissions the function has while running
  • ECS task role — permissions the container code has (separate from execution role)
  • CodePipeline role — permissions for the pipeline to invoke other AWS services

1.4 Federation and SSO

SAML 2.0 Federation

For enterprise users with an existing AD or LDAP who need to access AWS without IAM users:

Corporate User → AD FS → SAML Assertion → AWS STS → Temporary Credentials → AWS Console/API

No IAM users are created. LDAP groups map to IAM roles. The API call is sts:AssumeRoleWithSAML.

AWS IAM Identity Center (Formerly AWS SSO)

Centralized SSO for multiple AWS accounts in an Organization. Integrates with Active Directory (via AD Connector or AWS Managed AD) and external IdPs such as Okta or Azure AD. Permission Sets define the IAM permissions applied when a user logs into a specific account.

Exam Tip: When the scenario mentions multiple AWS accounts + centralized access management + existing Active Directory, the answer is IAM Identity Center, not individual SAML federation per account.

AWS Directory Service Options

Service | What It Is | Use When
AWS Managed Microsoft AD | Full Microsoft AD in AWS; trusts with on-prem AD | Need full AD features; MFA; trusts with on-premises
AD Connector | Proxy that redirects requests to on-premises AD | Keep all users/groups in on-premises AD; no directory sync
Simple AD | Samba-based; limited AD-compatible directory | Basic AD features; small scale; lowest cost

Web Identity Federation and Amazon Cognito

For mobile and web application users authenticating with external providers (Google, Facebook, Apple):

Mobile App → Cognito User Pool (authenticate) → JWT Token
                                                       │
                                               Cognito Identity Pool
                                                       │
                                               STS Temporary Credentials
                                                       │
                                           S3, DynamoDB, API Gateway

1.5 Multi-Account Security Strategy

AWS Organizations and SCPs

SCPs set the maximum permission boundary for all principals (including root) in member accounts. They never grant permissions — they only restrict.

Combination | Result
SCP Deny + IAM Allow | Denied (SCP always wins)
SCP Allow + IAM Allow | Allowed
SCP Allow + No IAM Policy | Denied (still need an IAM allow)
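The decision rules from the 1.2 evaluation order, the cross-account pattern in 1.3 and the SCP table above, run as one small evaluator. This is an added example, not AWS code; the policies, bucket ARN and account ids are constructed placeholders, and Condition blocks are ignored.

```python
from fnmatch import fnmatchcase

# Toy IAM decision engine (added example, not AWS code). Policies use the real
# JSON shape; Condition blocks are ignored so the logic is only the rules from
# sections 1.2, 1.3 and 1.5: an explicit Deny wins, SCPs and permissions
# boundaries only cap, same-account needs identity OR resource Allow,
# cross-account needs BOTH, and anything left over is an implicit Deny.


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, action, resource):
    """True when the statement's Action and Resource (wildcards allowed) cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))))


def _effects(policy, action, resource):
    """Effects ('Allow'/'Deny') of the statements in one policy that match the request."""
    if policy is None:
        return set()
    return {s["Effect"] for s in _as_list(policy["Statement"]) if _matches(s, action, resource)}


def evaluate(action, resource, caller_account, resource_account,
             identity=None, resource_policy=None, scp=None, boundary=None):
    """Return 'Allow' or 'Deny' for one request."""
    id_eff, res_eff, scp_eff, bnd_eff = (
        _effects(p, action, resource) for p in (identity, resource_policy, scp, boundary))
    # 1. An explicit Deny in any applicable policy always wins.
    if "Deny" in id_eff | res_eff | scp_eff | bnd_eff:
        return "Deny"
    # 2. Caps: an attached SCP or boundary must Allow, but by itself grants nothing.
    if scp is not None and "Allow" not in scp_eff:
        return "Deny"
    if boundary is not None and "Allow" not in bnd_eff:
        return "Deny"
    # 3. Grants: same-account needs either policy; cross-account needs both.
    if caller_account == resource_account:
        granted = "Allow" in id_eff or "Allow" in res_eff
    else:
        granted = "Allow" in id_eff and "Allow" in res_eff
    # 4. Nothing granted -> implicit Deny.
    return "Allow" if granted else "Deny"


# Constructed sample policies; the bucket ARN and account ids are placeholders.
BUCKET = "arn:aws:s3:::example-bucket/*"
ALLOW_GET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET}]}
DENY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
SCP_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_NO_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def scenarios():
    """The cases from the 1.2 evaluation order and the 1.5 SCP table."""
    def get(caller, owner, **policies):
        return evaluate("s3:GetObject", BUCKET, caller, owner, **policies)
    return {
        "same_account_identity_only": get("111", "111", identity=ALLOW_GET),
        "cross_account_identity_only": get("111", "222", identity=ALLOW_GET),
        "cross_account_both": get("111", "222", identity=ALLOW_GET, resource_policy=ALLOW_GET),
        "scp_deny_iam_allow": get("111", "111", identity=ALLOW_GET, scp=SCP_NO_S3),
        "scp_allow_iam_allow": get("111", "111", identity=ALLOW_GET, scp=SCP_FULL),
        "scp_allow_no_iam": get("111", "111", scp=SCP_FULL),
        "explicit_deny_beats_resource_allow": get("111", "111", identity=DENY_S3, resource_policy=ALLOW_GET),
        "boundary_caps_identity": get("111", "111", identity=ALLOW_GET, boundary=BOUNDARY_EC2),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:36} {decision}")
```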

AWS Control Tower

Automates multi-account setup using Organizations, IAM Identity Center, Config, and CloudTrail. Key concepts:

  • Landing zone — baseline multi-account environment with guardrails pre-configured
  • Guardrails — preventive (SCPs) and detective (Config rules)
  • Account Factory — automated account vending with a consistent baseline configuration

AWS Resource Access Manager (RAM)

Share resources across accounts without duplicating them. Shareable resources include VPC subnets, Transit Gateways, Route 53 Resolver rules, and License Manager configurations.

Note: S3 buckets cannot be shared via RAM. Use bucket policies for cross-account S3 access instead.


2. VPC Security Architecture

VPC security is built on layered defenses. Understanding each layer — and which layer is the right tool for a given requirement — is essential for Domain 1.

2.1 Network Security Layers

Internet
    │
[AWS Shield / WAF]         ← DDoS protection, Layer 7 filtering
    │
[CloudFront / ALB]         ← Edge caching, TLS termination
    │
[Network ACL (NACL)]       ← Subnet-level stateless firewall
    │
[Security Group (SG)]      ← Instance-level stateful firewall
    │
[EC2 / RDS / Lambda]       ← OS-level controls (iptables)

Security Groups vs. Network ACLs

Feature | Security Groups | Network ACLs
Level | Instance (ENI) | Subnet
State | Stateful — return traffic is automatic | Stateless — both directions must be explicitly allowed
Rules | Allow only | Allow AND Deny
Evaluation | All rules checked; most permissive wins | Numbered rules; first match wins (lower number = higher priority)
Default (new custom) | No inbound, all outbound allowed | All inbound and outbound denied
Default (AWS default VPC) | All traffic within group allowed | All traffic allowed

Exam Tip: Security groups are stateful — you only need to allow inbound; the return traffic is automatic. NACLs are stateless — you must create both an inbound AND outbound rule. A common trap is forgetting the ephemeral port range (1024–65535) in NACL outbound rules.
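The stateful/stateless difference and the ephemeral-port trap, simulated for one HTTPS connection through a security group and a network ACL. This is an added example, not AWS code; the rule sets and client address (from the TEST-NET-3 range) are constructed, and only TCP is modelled.

```python
import ipaddress
from dataclasses import dataclass

# Stateful security group vs. stateless network ACL simulator (added example,
# not AWS code). It models the rows of the table above: SGs are allow-only and
# any matching rule permits; NACLs are numbered, first match wins, and the
# reply half of every connection needs its own rule.

EPHEMERAL = (1024, 65535)  # port range the client side uses, so replies go here


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    ports: tuple            # inclusive (low, high); TCP assumed
    cidr: str
    action: str = "allow"   # NACL rules may also be "deny"; SG rules never are
    number: int = 0         # NACL rule number (lower = evaluated first)


def _hits(rule, direction, port, ip):
    return (rule.direction == direction and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules, direction, port, peer_ip):
    """Security group: permit if any rule matches; there are no deny rules."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot contain deny rules")
    return any(_hits(r, direction, port, peer_ip) for r in rules)


def nacl_allows(rules, direction, port, peer_ip):
    """Network ACL: lowest number first, first match decides, else the implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _hits(r, direction, port, peer_ip):
            return r.action == "allow"
    return False


def connection_ok(sg_rules, nacl_rules, client_ip, client_port, server_port):
    """A TCP connection from client_ip:client_port to the instance on server_port
    succeeds only if the request passes NACL inbound and SG inbound, AND the
    reply passes NACL outbound. The SG is stateful, so the reply needs no
    outbound rule; the NACL is stateless, so it does."""
    request = (nacl_allows(nacl_rules, "in", server_port, client_ip)
               and sg_allows(sg_rules, "in", server_port, client_ip))
    reply = nacl_allows(nacl_rules, "out", client_port, client_ip)
    return request and reply


# Constructed rule sets for a public web tier.
WEB_SG = [Rule("in", (443, 443), "0.0.0.0/0")]
NACL_NO_EPHEMERAL = [Rule("in", (0, 65535), "0.0.0.0/0", number=100)]   # the trap
NACL_OK = NACL_NO_EPHEMERAL + [Rule("out", EPHEMERAL, "0.0.0.0/0", number=100)]
NACL_BLOCK_FIRST = [Rule("in", (443, 443), "203.0.113.0/24", "deny", 50)] + NACL_OK
NACL_BLOCK_LATE = NACL_OK + [Rule("in", (443, 443), "203.0.113.0/24", "deny", 200)]


def scenarios(client_ip="203.0.113.9", client_port=51000):
    """Each entry is whether the client's HTTPS (or SSH) connection completes."""
    return {
        "nacl_missing_ephemeral_out": connection_ok(WEB_SG, NACL_NO_EPHEMERAL, client_ip, client_port, 443),
        "nacl_with_ephemeral_out": connection_ok(WEB_SG, NACL_OK, client_ip, client_port, 443),
        "deny_rule_50_wins": connection_ok(WEB_SG, NACL_BLOCK_FIRST, client_ip, client_port, 443),
        "deny_rule_200_too_late": connection_ok(WEB_SG, NACL_BLOCK_LATE, client_ip, client_port, 443),
        "ssh_not_in_sg": connection_ok(WEB_SG, NACL_OK, client_ip, client_port, 22),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} {'connected' if ok else 'dropped'}")
```

The "deny_rule_200_too_late" case is why a blocking NACL entry must carry a lower number than the broad allow it is meant to override.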


2.2 Subnet Architecture

Subnet Types and Their Uses

Subnet Type | Route Table | Typical Resources
Public | 0.0.0.0/0 → Internet Gateway | ALBs, NAT Gateways, bastion hosts
Private | 0.0.0.0/0 → NAT Gateway (or no default route) | EC2 app servers, RDS, Lambda, ECS tasks
Isolated | No route to internet at all | Sensitive databases, compliance workloads

Three-Tier Architecture Security Pattern

Tier 1 — Public Subnets:   ALB across 2+ AZs
                            SG: Allow 80/443 from 0.0.0.0/0

Tier 2 — Private Subnets:  EC2 / ECS application layer
                            SG: Allow 8080 from ALB security group ID only

Tier 3 — Isolated Subnets: RDS / Aurora database layer
                            SG: Allow 3306 from App SG ID only

Key Concept: Reference security group IDs (not CIDR blocks) in inbound rules wherever possible. This ensures only traffic originating from specific resources is permitted, and automatically adapts when IPs change.


2.3 VPC Endpoints and PrivateLink

VPC Endpoints allow private connectivity to AWS services without traffic traversing the public internet. This improves security and reduces NAT Gateway data-processing costs.

Endpoint Type | Services | Cost | How It Works
Gateway Endpoint | S3, DynamoDB only | Free | Entry added to route table; traffic stays on AWS network
Interface Endpoint | Most other AWS services | $0.01/hr + $0.01/GB | Creates an ENI with a private IP in your subnet

PrivateLink is the technology behind Interface Endpoints. It also allows you to expose your own services to other VPCs or accounts privately, without VPC peering or public internet. The consumer creates an Interface Endpoint pointing to your endpoint service.

Exam Tip: For private EC2 instances that need to reach S3 or DynamoDB, always use a Gateway Endpoint (free). For other services (SSM, Secrets Manager, KMS), use Interface Endpoints. Both avoid internet exposure and eliminate the need for a NAT Gateway for those service calls.


2.4 VPN and Private Connectivity

Feature | Site-to-Site VPN | Direct Connect | Client VPN
Connection | Internet (IPSec tunnels) | Dedicated fiber | Internet (TLS)
Encryption | Built-in | Must add IPSec VPN on top | Built-in
Speed | Up to 1.25 Gbps | 1–100 Gbps | Variable
Latency | Variable (internet) | Consistent, low | Variable
Setup Time | Minutes | Weeks to months | Hours
Cost | Low | High (1–3 yr commitment) | Per-user/hour
Use Case | Hybrid connectivity, fast setup | Large data transfer, low latency | Remote user VPC access

Note: Direct Connect traffic is private but not encrypted by default. Add an IPSec VPN on top of Direct Connect for both privacy and encryption — required by many compliance frameworks.


2.5 AWS WAF, Shield, and Network Firewall

AWS WAF

Layer 7 Web Application Firewall. Deployed on CloudFront, ALB, API Gateway, or AppSync.

WAF Rule Types:

  • IP match sets — allow or block specific IP ranges
  • Rate-based rules — throttle IPs exceeding a request threshold
  • Managed rule groups — AWS or Marketplace rules covering OWASP Top 10, SQL injection, XSS
  • Geo-match rules — block or allow traffic by country
  • String/regex match — inspect URI path, headers, body, query strings

Exam Tip: WAF attached to CloudFront must be created in us-east-1 (N. Virginia) because CloudFront is a global service. WAF on ALB/API Gateway is regional and must be created in the same region.

AWS Shield

Tier | Cost | Protection Scope
Shield Standard | Free | Layer 3/4 DDoS; volumetric attacks; automatic
Shield Advanced | $3,000/month + data charges | Layer 7 DDoS; DRT access; cost protection; real-time visibility

Shield Advanced protects: CloudFront, Route 53, ALB, NLB, EC2 Elastic IPs.

AWS Network Firewall

Managed stateful network firewall with deep packet inspection (IDS/IPS) capabilities deployed at the VPC level. Deploy it in a dedicated firewall subnet and steer traffic through its firewall endpoints with route tables; Gateway Load Balancer plays the same traffic-steering role when the inspection is done by third-party appliances instead.

AWS Firewall Manager

Centrally configure and enforce WAF, Shield Advanced, Security Groups, Network Firewall, and Route 53 DNS Firewall policies across all accounts in an AWS Organization. Automatically applies policies to newly created accounts and resources.


3. Data Security

Protecting data at rest and in transit is tested heavily. Know which encryption option applies to each service, when encryption can or cannot be added retroactively, and when to use KMS versus CloudHSM.

3.1 Encryption at Rest — KMS and CloudHSM

KMS Key Types

Key Type | Created By | Auto-Rotation | Cross-Account | Monthly Cost
AWS Owned Keys | AWS | Yes | No | Free
AWS Managed Keys | AWS (per service) | Yes (annual) | No | Free
Customer Managed Keys (CMK) | You | Optional (annual) | Yes | $1/month
Imported Key Material | You provide | No | Yes | $1/month

Exam Tip: Imported key material cannot be automatically rotated. To rotate, create a new CMK, re-encrypt data, then update the alias. This is a frequent trap — if the question mentions automatic rotation, imported key material is the wrong choice.

Envelope Encryption (How KMS Actually Works)

1. KMS generates a Data Encryption Key (DEK)
2. DEK encrypts the data (performed by the service or client)
3. KMS encrypts the DEK using your CMK (the CMK itself never leaves KMS; the plaintext DEK is handed to the caller only for the encryption step and then discarded)
4. Encrypted DEK is stored alongside the encrypted data
5. To decrypt: KMS decrypts DEK → DEK decrypts data
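The five steps above carried through in code, with the trust boundary made explicit: FakeKms holds the CMK and never returns it, and the stored record holds only the wrapped DEK. This is an added example, not the AWS SDK or KMS; the cipher is an HMAC-SHA256 counter-mode construction from the standard library, standing in for the AES-GCM that KMS and the SDKs actually use, and the key alias is a placeholder.

```python
import hashlib
import hmac
import secrets

# Envelope-encryption walk-through (added example; FakeKms is a stand-in for
# the KMS API, not the AWS SDK). The CMK lives only inside FakeKms; callers get
# a data key in plaintext plus a wrapped copy, and must ask KMS to unwrap it.
# The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a
# standard-library stand-in for the AES-GCM that KMS and the SDKs really use.


def _ctr_xor(key, nonce, data):
    """Keystream XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def _seal(key, plaintext):
    """Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _ctr_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext or wrapped key has been tampered with")
    return _ctr_xor(key, nonce, ct)


class FakeKms:
    """The three calls envelope encryption needs: CreateKey, GenerateDataKey, Decrypt."""

    def __init__(self):
        self._cmks = {}   # CMK material never leaves this dict

    def create_key(self, alias):
        self._cmks[alias] = secrets.token_bytes(32)
        return alias

    def generate_data_key(self, key_id):
        """Steps 1 and 3: a fresh DEK, returned in plaintext and wrapped under the CMK."""
        dek = secrets.token_bytes(32)
        return {"Plaintext": dek, "CiphertextBlob": _seal(self._cmks[key_id], dek)}

    def decrypt(self, key_id, blob):
        """Step 5, first half: unwrap the DEK. (Real KMS reads the key id from the blob.)"""
        return _open(self._cmks[key_id], blob)


def encrypt_envelope(kms, key_id, plaintext):
    """Steps 2 and 4: encrypt locally with the DEK, store only the wrapped DEK."""
    dk = kms.generate_data_key(key_id)
    record = {"encrypted_dek": dk["CiphertextBlob"], "ciphertext": _seal(dk["Plaintext"], plaintext)}
    del dk   # the plaintext DEK is dropped as soon as the data is encrypted
    return record


def decrypt_envelope(kms, key_id, record):
    """Step 5: KMS unwraps the DEK, then the DEK decrypts the data locally."""
    dek = kms.decrypt(key_id, record["encrypted_dek"])
    return _open(dek, record["ciphertext"])


def roundtrip(message):
    """Encrypt and decrypt under a fresh CMK; returns the recovered plaintext."""
    kms = FakeKms()
    key_id = kms.create_key("alias/example-cmk")   # placeholder alias
    return decrypt_envelope(kms, key_id, encrypt_envelope(kms, key_id, message))


def tampering_detected(message):
    """Flipping a byte of the stored ciphertext must fail on decrypt, not return garbage."""
    kms = FakeKms()
    key_id = kms.create_key("alias/example-cmk")
    record = encrypt_envelope(kms, key_id, message)
    ct = bytearray(record["ciphertext"])
    ct[20] ^= 0x01
    record["ciphertext"] = bytes(ct)
    try:
        decrypt_envelope(kms, key_id, record)
    except ValueError:
        return True
    return False
```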

Key CMK permissions (for policy and exam):

Action | Purpose
kms:Encrypt / kms:Decrypt | Encrypt or decrypt data with the key
kms:GenerateDataKey | Generate a DEK for envelope encryption
kms:CreateGrant | Delegate key usage to other principals
kms:ReEncrypt* | Re-encrypt data under a new key without exposing plaintext

AWS CloudHSM

CloudHSM provides dedicated, single-tenant hardware security modules validated to FIPS 140-2 Level 3. AWS has zero access to your keys. Use CloudHSM when regulations explicitly require a dedicated HSM, or when custom cryptographic operations are needed. It is more expensive and operationally complex than KMS.

Key Concept: KMS is shared multi-tenant but highly secure and integrated with all AWS services. CloudHSM is dedicated hardware — you manage keys entirely. Choose CloudHSM only when compliance explicitly requires it.


3.2 Service-Level Encryption Reference

Service | Encryption Notes
S3 | SSE-S3 (AES-256), SSE-KMS (CMK), SSE-C (client provides key), or client-side
EBS | AES-256 via KMS; must enable at volume creation; snapshots inherit encryption
RDS | KMS encryption; must enable at DB creation — cannot add to existing instance
EFS | KMS encryption; must enable at creation
DynamoDB | Default encryption with AWS owned key; optional CMK
Secrets Manager | Always encrypted using KMS
SNS / SQS | Optional KMS encryption for messages at rest

Exam Tip: For RDS, EFS, and EBS — encryption can only be enabled at creation time. To encrypt an existing resource: take a snapshot → copy the snapshot with encryption enabled → restore from the encrypted copy. This sequence is frequently tested.


3.3 Encryption in Transit

AWS Certificate Manager (ACM)

ACM provisions, manages, and deploys public and private TLS certificates. Public certificates are free when used with ALB, CloudFront, API Gateway, and other integrated services. ACM auto-renews certificates it issued; it does not auto-renew certificates you import from a third-party CA.

Enforcing HTTPS

On ALB: Add a listener on port 80 with a redirect action to HTTPS port 443.

On S3: Add a bucket policy that denies requests where aws:SecureTransport is false:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    "Condition": {
      "Bool": {"aws:SecureTransport": "false"}
    }
  }]
}

SSL Termination Patterns

Pattern | How It Works | Use When
Terminate at ALB | ALB decrypts; backend receives plain HTTP | Simpler for backend; acceptable for internal traffic
End-to-end SSL | ALB re-encrypts to backend; both have certificates | Strict compliance requiring encryption at every hop
SSL passthrough (NLB) | NLB forwards raw TCP; backend decrypts | Backend must own the certificate; no HTTP-level features

3.4 S3 Security In Depth

Access Control Hierarchy

Mechanism | Scope | Use For
Bucket Policy | Resource-based; bucket + objects | Cross-account access; enforce encryption; public block
IAM Policy | Identity-based | Control what a principal can do across all S3
S3 Block Public Access | Account or bucket level | Prevent any public exposure; overrides bucket ACLs
Presigned URLs | Per object, time-limited | Temporary access to a specific object without AWS credentials
S3 Access Points | Named endpoints with own policies | Simplify large-scale access management across teams

For cross-account S3 access: BOTH the bucket policy (granting the external account) AND the IAM policy in the external account must allow the action.

S3 Encryption — Enforce on Upload

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "aws:kms"
      }
    }
  }]
}
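The two S3 deny statements from this section (force HTTPS, require SSE-KMS on upload) checked against constructed requests. This is an added example, not AWS code; it implements only the Bool and StringNotEquals operators the statements use, including the rule that a negated operator also matches when the condition key is absent, which is what makes the upload statement catch requests that send no encryption header at all. The Sids and object key are added placeholders.

```python
from fnmatch import fnmatchcase

# Condition checker for the two S3 deny statements above (added example, not
# AWS code). Only the operators they use, Bool and StringNotEquals, are
# implemented, including IAM's rule that a negated operator matches when the
# condition key is absent from the request: that is what makes the second
# statement reject uploads that send no x-amz-server-side-encryption header.

BUCKET = "arn:aws:s3:::my-bucket"  # same placeholder bucket as the statements

# The page's two statements, each given a Sid so the result can name the cause.
FORCE_TLS = {"Sid": "ForceTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": [BUCKET, BUCKET + "/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
REQUIRE_KMS = {"Sid": "RequireKMS", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
               "Resource": BUCKET + "/*",
               "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_true(operator, key, expected, ctx):
    """One (operator, key) pair of a Condition block against the request context."""
    expected = _as_list(expected)
    present = key in ctx
    if operator == "Bool":
        return present and str(ctx[key]).lower() == str(expected[0]).lower()
    if operator == "StringNotEquals":
        return (not present) or ctx[key] not in expected   # absent key -> condition holds
    raise NotImplementedError(operator)


def statement_matches(stmt, action, resource, ctx):
    """Action, Resource and every Condition pair must all match (AND semantics)."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_true(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())


def deny_reason(statements, action, resource, ctx):
    """Sid of the first matching Deny statement, or None when no deny applies."""
    for s in statements:
        if s["Effect"] == "Deny" and statement_matches(s, action, resource, ctx):
            return s["Sid"]
    return None


def scenarios():
    """Constructed requests; ctx carries the request's condition keys."""
    policy = [FORCE_TLS, REQUIRE_KMS]
    obj = BUCKET + "/reports/q1.csv"
    https = {"aws:SecureTransport": "true"}
    http = {"aws:SecureTransport": "false"}
    return {
        "get_over_http": deny_reason(policy, "s3:GetObject", obj, http),
        "get_over_https": deny_reason(policy, "s3:GetObject", obj, https),
        "put_kms_https": deny_reason(policy, "s3:PutObject", obj,
                                     {**https, "s3:x-amz-server-side-encryption": "aws:kms"}),
        "put_sse_s3_https": deny_reason(policy, "s3:PutObject", obj,
                                        {**https, "s3:x-amz-server-side-encryption": "AES256"}),
        "put_no_header_https": deny_reason(policy, "s3:PutObject", obj, https),
        "put_kms_http": deny_reason(policy, "s3:PutObject", obj,
                                    {**http, "s3:x-amz-server-side-encryption": "aws:kms"}),
    }


if __name__ == "__main__":
    for name, reason in scenarios().items():
        print(f"{name:22} {reason or 'not denied by these statements'}")
```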

S3 Data Protection Features

Feature | Purpose | Key Detail
Versioning | Protect against accidental deletion/overwrite | Once enabled, can only be suspended (never disabled)
MFA Delete | Require MFA to permanently delete versions | Only root user can enable; adds strong protection
Object Lock — Governance | WORM protection; authorized users can override | Requires Object Lock enabled at bucket creation
Object Lock — Compliance | Strict WORM; no one can override, including root | Use for regulatory compliance (SEC 17a-4, etc.)
Replication (CRR/SRR) | Replicate objects cross-region or same-region | Requires versioning on both source and destination

3.5 Secrets and Credentials Management

Feature | Secrets Manager | Parameter Store
Automatic Rotation | Yes — built-in for RDS, Redshift, DocumentDB | No
Cost | $0.40/secret/month + API calls | Standard tier: free; Advanced: $0.05/parameter/month
Max Value Size | 64 KB | Standard: 4 KB; Advanced: 8 KB
Encrypted Type | Always (KMS) | SecureString type (KMS)
CloudFormation Support | Yes (dynamic reference) | Yes (dynamic reference)
Best For | Database credentials, API keys needing rotation | Config values, environment variables, non-sensitive data

Exam Tip: If the scenario mentions automatic rotation of credentials, the answer is always Secrets Manager. If it is configuration values or does not mention rotation, Parameter Store is the cheaper and simpler choice.


4. Application and Identity Security

4.1 Amazon Cognito

Cognito provides authentication and authorization for web and mobile applications. It has two distinct components that work together.

User Pools vs. Identity Pools

Component | Role | Output
User Pools | Authentication — "Who are you?" | JWT tokens (ID, access, refresh)
Identity Pools | Authorization — "What can you access in AWS?" | Temporary AWS credentials via STS

User Pools provide a full user directory with sign-up, sign-in, MFA, email/phone verification, and social provider (Google, Facebook, Apple) and SAML federation. Lambda triggers customize the auth flow (pre-authentication, post-confirmation, custom message, etc.).

Identity Pools exchange tokens (from User Pools, social IdPs, or SAML) for temporary AWS credentials, enabling direct access to AWS services like S3 and DynamoDB from client applications.

Full Cognito Architecture

Mobile App → Cognito User Pool → JWT Token
                                      │
                              Cognito Identity Pool
                                      │
                               STS AssumeRoleWithWebIdentity
                                      │
                          Temporary AWS Credentials
                                      │
                         S3 / DynamoDB / API Gateway

4.2 Threat Detection and Security Services

Service Selection Guide

Need | Correct Service
Detect compromised EC2, unusual API calls, port scanning | Amazon GuardDuty
Find OS/package CVEs on EC2 and container images | Amazon Inspector
Discover PII or sensitive data in S3 | Amazon Macie
Aggregate findings from all security tools | AWS Security Hub
Investigate blast radius and root cause of a finding | Amazon Detective
DDoS protection | AWS Shield
Block SQLi, XSS, and web-layer attacks | AWS WAF
Deep packet inspection at VPC level | AWS Network Firewall
Org-wide WAF and Shield policy enforcement | AWS Firewall Manager

Amazon GuardDuty

GuardDuty uses machine learning on CloudTrail logs, VPC Flow Logs, DNS logs, EKS audit logs, and S3 data events to detect threats. It is detection-only — it never blocks traffic. Integrate with EventBridge → Lambda or SNS to automate responses. Enable from the management account to aggregate findings across an Organization.

Amazon Inspector

Automated vulnerability assessment for EC2 instances (OS CVEs and network reachability), ECR container images (package vulnerabilities), and Lambda functions. Requires SSM Agent on EC2. Findings are surfaced in Security Hub.

Amazon Macie

ML-based service that automatically discovers and classifies sensitive data (PII, financial data, healthcare data, credentials) stored in S3. Supports custom data identifiers for domain-specific patterns.

AWS Security Hub

Aggregates and normalizes findings from GuardDuty, Inspector, Macie, Config, IAM Access Analyzer, and supported third-party tools. Maps findings to compliance standards (CIS AWS Foundations, PCI-DSS, AWS Foundational Security Best Practices). Drives automated response via EventBridge rules.


4.3 Compliance and Governance Services

AWS Config

Records the configuration state of AWS resources over time. Config rules evaluate compliance (managed rules exist for common checks; custom rules use Lambda). Remediation actions use SSM Automation runbooks to automatically fix non-compliant resources. Use a Config Aggregator to consolidate findings across accounts and Regions.

AWS CloudTrail

Records every AWS API call (management events by default; data events — S3 object calls, Lambda invocations — are optional and have extra cost). Key features: multi-region trails, log file integrity validation using SHA-256 hashing, and Athena integration to query logs stored in S3.

Governance Service Summary

Service | What It Does | When to Use
AWS Config | Continuous configuration recording + compliance rules | Track what changed; enforce compliance rules; remediation
AWS CloudTrail | API call audit log (who did what, when, from where) | Security investigation; compliance audit trail
AWS Audit Manager | Continuous evidence collection for audits (PCI, HIPAA, SOC 2) | Formal compliance audit preparation
AWS Artifact | On-demand AWS compliance reports and agreements | Download SOC/ISO/PCI reports; sign BAA/NDA

5. Exam Tips & Quick Reference

Scenario-to-Answer Mapping

Scenario Keyword / Requirement | Correct Answer
"EC2 needs S3 access without credentials in code" | IAM role attached as instance profile
"Cross-account resource access" | IAM role in target account + trust policy + AssumeRole in source
"Corporate users SSO to multiple AWS accounts" | IAM Identity Center + AD Connector or AWS Managed AD
"Mobile app users accessing AWS services directly" | Cognito Identity Pools → STS temporary credentials
"Authenticate with Google/Facebook → access DynamoDB" | Cognito Identity Pools (Web Identity Federation)
"Detect compromised EC2 or unusual API calls" | Amazon GuardDuty
"Find CVE vulnerabilities on EC2 instances" | Amazon Inspector
"Discover PII data stored in S3" | Amazon Macie
"All org accounts must have Config enabled" | AWS Config + Organizations + CloudFormation StackSets
"Prevent specific actions across all org accounts" | SCP in AWS Organizations
"Provision accounts with guardrails pre-configured" | AWS Control Tower
"Rotate RDS credentials automatically" | AWS Secrets Manager with rotation schedule
"Configuration values; no rotation needed" | SSM Parameter Store
"Enforce encryption on all S3 uploads" | Bucket policy denying PutObject without encryption header
"Access S3 from private VPC without internet" | S3 Gateway VPC Endpoint (free)
"Web app protection against SQLi and XSS" | AWS WAF
"Protect ALB against Layer 7 DDoS" | Shield Advanced + WAF
"Investigate GuardDuty finding — full scope" | Amazon Detective
"Download AWS compliance reports (SOC, PCI)" | AWS Artifact
"Dedicated HSM; FIPS 140-2 Level 3" | AWS CloudHSM
"KMS key I fully control; imported key material" | Customer Managed Key with imported key material (no auto-rotation)
"Force HTTPS on S3 bucket" | Bucket policy: Deny when aws:SecureTransport = false
"Encrypt existing unencrypted EBS volume" | Snapshot → copy snapshot with encryption → restore
"Share VPC subnets across accounts" | AWS RAM
"Private connectivity to AWS services from VPC" | VPC Interface Endpoints (PrivateLink)
"Windows AD users need AWS console access without IAM users" | AWS Managed AD + IAM Identity Center

Common Traps

  • SCP trap: SCPs cannot grant permissions — only restrict. An SCP with Allow * does nothing unless IAM policies also allow the action.
  • Cross-account S3 trap: Both the bucket policy and the IAM policy must explicitly allow. One alone is not sufficient for cross-account.
  • GuardDuty trap: GuardDuty detects but never blocks. Always pair it with EventBridge + Lambda for automated response.
  • Encryption retroactive trap: RDS, EBS, and EFS cannot be encrypted after creation. The answer always involves a snapshot → re-create workflow.
  • WAF scope trap: WAF for CloudFront must be created in us-east-1 regardless of where your resources are.
  • ACM renewal trap: ACM auto-renews certificates it issued. It does NOT auto-renew third-party imported certificates.
  • Permissions boundary trap: A permissions boundary limits max permissions for one principal. It is not an SCP and does not affect the whole account.

Key Terms — Domain 1

Term | One-Line Definition
IAM Role | Temporary identity assumed by AWS services, users, or external accounts; no long-term credentials
Instance Profile | Container that holds an IAM role so it can be attached to an EC2 instance
SCP | Service Control Policy; sets maximum permission cap for an entire AWS account or OU
Permissions Boundary | IAM policy that sets the maximum permissions a specific user or role can have
Envelope Encryption | Pattern where a data key encrypts data and a master key (CMK) encrypts the data key
IMDS | Instance Metadata Service; endpoint at 169.254.169.254 where EC2 retrieves role credentials
Cognito User Pool | Managed user directory for authentication; returns JWT tokens
Cognito Identity Pool | Exchanges tokens for temporary AWS IAM credentials; enables direct AWS service access
GuardDuty | ML-based threat detection; detection only; never blocks
Macie | Sensitive data discovery (PII, credentials) in S3 using ML
Inspector | Automated CVE and vulnerability assessment for EC2, ECR, Lambda
Security Hub | Central aggregator and normalizer for all security findings
Detective | Investigation tool for root-cause analysis of security findings
CloudHSM | Dedicated hardware security module; FIPS 140-2 Level 3; you manage keys entirely
SSE-KMS | Server-side encryption using a KMS CMK; audit trail in CloudTrail
Object Lock | WORM protection on S3; Governance (authorized override) or Compliance (no override)
MFA Delete | Requires MFA to permanently delete S3 object versions; only root can enable
PrivateLink | Technology for private connectivity to AWS services or custom services via Interface Endpoints
RAM | Resource Access Manager; share AWS resources across accounts without replication

End of Domain 1. Continue to Domain 2: Design Resilient Architectures →
