Design Secure Access To AWS Resources
Published: (February 1, 2026 at 01:19 AM EST)
6 min read
Source: Dev.to
Source: Dev.to
Exam Guide: Solutions Architect – Associate
🛡️ Domain 1 – Design Secure Architectures
📘 Task Statement 1.1
Secure access means you can clearly answer the following questions:
- Who is trying to access AWS?
- What are they allowed to do?
- Where are they allowed to do it (which account / which resources)?
- How are they proving it’s really them (password, MFA, federation)?
- How long should that access last (temporary vs. long‑term)?
This task is mostly about identity + permissions + multi‑account setup.
Knowledge
1️⃣ Access Controls and Management Across Multiple Accounts
As a company grows, a single AWS account becomes messy:
| Problem | Impact |
|---|---|
| Too many people and teams in one place | Permissions become inconsistent and hard to audit |
| Inconsistent permissions | Mistakes have a bigger blast radius |
| Hard to separate dev/test/prod | Increases operational risk |
A multi‑account strategy helps you:
- Isolate workloads (dev / prod)
- Apply security rules consistently
- Reduce risk
Common Patterns
| Pattern | What it solves | Beginner way to think about it |
|---|---|---|
| AWS Organizations + Organizational Units (OUs) | Managing many accounts as one family | A folder system for accounts + shared rules |
| AWS Control Tower | Setting up multi‑account the standard way | A guided setup for a secure multi‑account environment |
| SCPs (Service Control Policies) | Guardrails across accounts | “Even admins can’t do this” rules |
Note: SCPs do not grant permissions. They only set the maximum allowed actions in an account/OU. You still need IAM permissions to allow anything.
2️⃣ AWS Federated Access and Identity Services
IAM & IAM Identity Center
Instead of creating an AWS username for every employee, many organizations use federation so people sign in with their existing corporate login.
| Component | Description |
|---|---|
| IAM (Identity and Access Management) | Core permissions engine – contains users, groups, roles, and policies |
| IAM Identity Center (AWS SSO) | Central sign‑in for workforce access across accounts – ideal for multiple accounts and a single place to manage access |
Simple Comparison
| Option | Best for | Why it’s safer |
|---|---|---|
| IAM Users (long‑term) | Small/simple setups, limited cases | Works, but passwords/keys can spread and are harder to manage safely |
| Federation / IAM Identity Center | Teams, companies, multiple accounts | Central login, easier off‑boarding, fewer long‑term credentials |
Recommendation: Prefer roles + federation for humans, and avoid creating lots of IAM users with long‑term credentials.
3️⃣ AWS Global Infrastructure
Regions & Availability Zones
- Some services are global (e.g., IAM, Route 53) – identity or permissions concepts apply broadly.
- Many resources are regional – they live in a specific Region.
Your access rules may include where actions are allowed, for example:
- “Only allow deployments in eu‑west-1”
- “Deny creating resources outside approved Regions”
4️⃣ AWS Security Best Practices
Principle of Least Privilege
Least privilege means:
- Don’t give “admin” unless truly needed.
- Grant only the actions required for the job.
- Limit access to specific resources – avoid
Resource: "*"whenever possible.
Examples
| Too open | Better |
|---|---|
Action: "*" on all S3 buckets | Action: "s3:GetObject" on a specific bucket/folder |
| Full EC2 management | Action: "ec2:StartInstances" / ec2:StopInstances on specific instance IDs |
If you see broad permissions like Action: "*", the “best answer” is usually narrower permissions + conditions.
5️⃣ The AWS Shared Responsibility Model
| Responsibility | AWS | Customer |
|---|---|---|
| Physical infrastructure | Data‑center hardware, power, cooling | — |
| Underlying service infrastructure | Compute, storage, networking | — |
| Availability of services | Service uptime SLAs | Architecture decisions (multi‑AZ, backups, DR) |
| Security of the cloud | Physical security, host OS, hypervisor | IAM permissions, data encryption, network configuration |
Security is shared:
AWS secures the cloud; you secure what you put in the cloud.
Skills
A – Apply Best Practices to IAM Users and Root Users
Multifactor Authentication (MFA)
- The root user is the account’s master key.
- Enable MFA on the root user and never use root for daily tasks.
- Use roles or controlled identities for admin work.
Scenario tip: If a question says “root user used daily,” the fix is almost always: enable MFA and stop daily root usage.
B – Design a Flexible Authorization Model (Users, Groups, Roles, Policies)
| Element | Purpose |
|---|---|
| Policies | Permission rules (allow/deny) |
| Roles | Temporary “job hats” you assume |
| Users | Individual logins (human or service) |
| Groups | Attach the same policies to many users at once |
- Humans → sign in via Identity Center / federation → assume roles.
- Applications / services → use roles (no long‑term access keys in code).
C – Role‑Based Access Control (RBAC) Strategy
- Access is granted by assuming a role, not by permanent admin rights.
AWS STS (Security Token Service)
- Issues temporary credentials → reduces long‑term secret exposure.
- Enables clean cross‑account access.
Cross‑Account Access
- Users in Account A assume a role in Account B.
- No shared passwords, no copying access keys between accounts.
D – Multi‑Account Security Strategy
Control Tower & Service Control Policies
- Use a structured account layout (e.g., prod / dev / security).
- Apply org‑wide guardrails with SCPs to keep shared security functions isolated.
SCP Mindset
| Policy type | Effect |
|---|---|
| IAM Policies | What a principal can do (allow/deny) |
| SCPs | What an account is ever allowed to do (maximum boundary) |
Effective permissions = Allowed by IAM AND not blocked by SCP.
E – Determine Appropriate Use of Resource Policies
Some AWS services support resource‑based policies (e.g., S3 bucket policies, SNS topic policies, SQS queue policies). Use them when you need to:
- Grant cross‑account access directly on the resource.
- Allow services to act on your behalf (e.g., Lambda invoking an S3 bucket).
- Apply conditions that are easier to express on the resource than in an IAM policy.
Summary
- Identify who, what, where, how, and for how long access is needed.
- Leverage multi‑account designs, AWS Organizations, and Control Tower for isolation and governance.
- Prefer federation + roles over long‑term IAM users.
- Apply least‑privilege principles, MFA, and SCPs to enforce guardrails.
- Use resource policies where they simplify cross‑account or service‑to‑service permissions.
Keep these concepts handy for the Design Secure Architectures domain of the Solutions Architect – Associate exam.
Resource‑Based Policies
Definition: Policies that are attached directly to the resource.
Common examples
- S3 buckets
- SQS queues
- SNS topics
- KMS keys
- Lambda functions
Typical uses
- Cross‑account access to a bucket, queue, or topic
- Service‑to‑service permissions
- Enforcing conditions (e.g., “HTTPS only”)
Decision Table
| Goal / Question | Best tool |
|---|---|
| Give a user/role permissions generally | Identity‑based policy (IAM policy) |
| Control access directly on the resource | Resource‑based policy |
| Allow cross‑account access cleanly | Often role assumption + sometimes a resource policy (depends on the service) |
When to Federate a Directory Service With IAM Roles
Federation is ideal when:
- Users already have corporate identities (Google Workspace, Okta, Azure AD, AD, etc.)
- You want easy onboarding and off‑boarding
- You want fewer long‑term IAM users
| Audience | Recommended approach |
|---|---|
| Workforce (employees/contractors) | Federation / IAM Identity Center |
| Workloads (apps/services) | IAM roles |
Cheat Sheet
| Scenario | Recommended solution |
|---|---|
| Many AWS accounts | Organizations / Control Tower + SCPs |
| Employees use corporate login | Federation / IAM Identity Center |
| Third‑party needs access | Cross‑account role + temporary credentials (STS) |
| Avoid storing keys in code | Use roles (temporary credentials) |
| Restrict actions across the org | SCP guardrails |
| Grant access to a specific resource | Resource‑based policy (or resource policy + role) |
Recap Checklist ✅
If you can explain these ideas in simple terms, you are well‑prepared for Task Statement 1.1:
- The root user is protected with MFA and not used for daily work
- IAM roles are preferred over long‑term IAM users
- Least privilege is applied: only needed actions, only needed resources
- Multiple AWS accounts are managed centrally
- Cross‑account access uses role assumption: temporary credentials
- Workforce access uses federation or IAM Identity Center
- You understand when to use identity‑based vs. resource‑based policies
AWS Whitepapers and Official Documentation
These are the primary AWS documents behind Task Statement 1.1.
You don’t need to memorize them; use them to understand why AWS security works the way it does.
Core Whitepapers
- AWS Well‑Architected Framework – Security Pillar – Principles behind secure access design (least privilege, identity management, governance).
- IAM Best Practices – Users, roles, groups, policies; why roles & temporary credentials are preferred.
- AWS Shared Responsibility Model – What AWS secures vs. what you must secure.
Identity and Federation References
- IAM User Guide – Deep dive on policies, roles, permission evaluation, policy conflicts.
- IAM Identity Center (AWS SSO) Documentation – Workforce access at scale.
- AWS Security Token Service (STS) Documentation – Temporary credentials & role assumption (key for cross‑account access).
Multi‑Account and Governance References
- AWS Organizations User Guide – Organizational units (OUs) and account structure (critical for SCP behavior).
- Service Control Policies (SCPs) Documentation – How SCPs restrict permissions (important for “even admins must not be able to…” scenarios).
- AWS Control Tower Overview – Visualizing a standard, secure multi‑account setup (often implied for large organizations or governance questions).