
AWS IAM (Identity and Access Management) is the authorization engine that controls every action in your AWS account — and it is tested on every single AWS certification from CLF-C02 to the Security Specialty. Getting IAM wrong means failing exam questions and creating real-world security vulnerabilities. Getting it right means understanding the policy evaluation logic, the difference between identity-based and resource-based policies, and when to use roles vs users vs groups vs permission boundaries.
The IAM service cheat sheet covers the core model: principals, actions, resources, conditions, effects. It explains the policy evaluation order (explicit deny wins, then explicit allow, then implicit deny), the difference between inline and managed policies, service-linked roles vs customer-managed roles, and the IAM credential report and access advisor tools. Critical limits: 10 managed policies per user/role, 2048 characters per policy document, and the 1-hour default session duration for assumed roles.
The IAM Roles vs Users vs Groups vs Policies comparison sheet resolves the identity model confusion that trips up most candidates — when to use a role (for services and cross-account access), when users are appropriate (humans with long-term credentials), and why groups cannot be referenced as principals. The Organizations SCPs vs IAM Policies comparison is essential for SAP-C02 and SCS-C02 — SCPs define the maximum permissions envelope but do not grant permissions themselves.
For SCS-C02, focus on the Cognito cheat sheet (User Pools for authentication, Identity Pools for AWS access), the IAM Policies Deep Dive guide (policy conditions, global condition keys, sts:AssumeRole trust policies), and the Cognito User Pools vs Identity Pools comparison. Permission boundaries, service control policies, and attribute-based access control (ABAC) with tags are the advanced topics most frequently tested on the Security Specialty.
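The evaluation order described above (explicit deny first, then explicit allow, otherwise implicit deny) and the layered model in which SCPs and permission boundaries cap what an identity-based policy can grant are easiest to internalise by running them. The following is an added, deliberately simplified evaluator written for this page; it is not AWS code and not an AWS SDK API. It models only identity-based policies, a single merged set of SCPs and a permission boundary, with `*`/`?` wildcard matching on `Action` and `Resource`; it ignores `Condition` blocks, resource-based policies, session policies and the per-OU layering of SCPs, all of which the real engine also considers. The sample policies and ARNs are constructed for the example.

```python
"""Simplified IAM policy evaluation: explicit deny > explicit allow > implicit deny,
layered under SCPs and a permission boundary. Constructed example, not AWS code."""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM lets Action/Resource/Statement be a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    # IAM action names match case-insensitively; ARN resource strings are case-sensitive.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource patterns both cover the request."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(_matches(a, action, True) for a in actions)
            and any(_matches(r, resource, False) for r in resources))


def evaluate_policies(policies, action, resource):
    """Evaluate one layer of policies: 'Deny', 'Allow' or 'ImplicitDeny'."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny ends evaluation immediately
            allowed = True             # remember the allow, keep scanning for denies
    return "Allow" if allowed else "ImplicitDeny"


def is_authorized(action, resource, identity_policies, scps=None, permission_boundary=None):
    """Layered decision: every applicable layer must evaluate to 'Allow'.

    SCPs (hypothetical single merged set here) and the permission boundary never
    grant anything; they only cap what the identity-based policies may grant.
    """
    if scps is not None and evaluate_policies(scps, action, resource) != "Allow":
        return False
    if (permission_boundary is not None
            and evaluate_policies([permission_boundary], action, resource) != "Allow"):
        return False
    return evaluate_policies(identity_policies, action, resource) == "Allow"


# --- constructed sample policies -------------------------------------------
IDENTITY_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}]

# FullAWSAccess plus an organisation guardrail (constructed, not a real SCP).
SCPS = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"},
    ],
}]

# Boundary that caps the principal to read-only S3 (constructed).
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}],
}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"
    print(evaluate_policies(IDENTITY_POLICIES, "s3:GetObject", bucket + "/key"))   # Allow
    print(evaluate_policies(IDENTITY_POLICIES, "s3:DeleteBucket", bucket))        # Deny
    print(evaluate_policies(IDENTITY_POLICIES, "ec2:StartInstances", "*"))        # ImplicitDeny
    print(is_authorized("s3:PutBucketPolicy", bucket, IDENTITY_POLICIES, scps=SCPS))            # False
    print(is_authorized("s3:PutObject", bucket + "/key", IDENTITY_POLICIES,
                        permission_boundary=BOUNDARY))                                           # False
```

The two `is_authorized` calls at the end show the exam-relevant point: the identity policy grants `s3:*`, yet `s3:PutBucketPolicy` is refused because the SCP denies it, and `s3:PutObject` is refused because the boundary never allowed it. Neither cap adds a permission; removing the identity policy's `s3:*` would make every call fail regardless of how permissive the SCP or boundary is.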
AWS Organizations and AWS Control Tower extend IAM governance across a multi-account structure — both have dedicated cheat sheets in the security section.
AWS IAM: The Identity & Access Command Center
Master who can do what, on which resource, under what conditions — the foundation of every secure AWS architecture
AWS Organizations: The Multi-Account Master Controller
Centrally govern, secure, and manage billing across every AWS account you own — at scale.
AWS Control Tower: The Multi-Account Governance Command Center
Automated, policy-driven landing zones that enforce guardrails across your entire AWS organization from day one.
IAM Roles vs Users vs Groups vs Policies: The Identity & Access Masterclass
Know exactly which IAM construct to use, when, and why — the definitive exam and practitioner guide
Organizations SCPs vs IAM Policies: The Permission Boundary Showdown
Master the layered permission model — SCPs set the ceiling, IAM Policies set the floor
Cognito User Pools vs Identity Pools: The Identity & Access Showdown
Authentication vs Authorization — know exactly which Cognito service to use and when
KMS vs Secrets Manager vs Parameter Store: The Definitive Security Trio
Stop guessing which service to use — master the decision framework that separates passing from failing on 8 AWS certifications