
Identity and Access Management

1h 15m

Course Description

In this course, you'll gain a solid understanding of the key concepts for Domain Six of the AWS Solutions Architect Professional certification: Security.

Course Objectives

By the end of this course, you'll have the tools and knowledge you need to meet the requirements of this domain, including:

  • Design information security management systems and compliance controls
  • Design security controls with the AWS shared responsibility model and global infrastructure
  • Design identity and access management controls
  • Design protection of Data at Rest controls
  • Design protection of Data in Flight and Network Perimeter controls

Intended Audience

This course is intended for students seeking to acquire the AWS Solutions Architect Professional certification. You will need to have completed the Associate level of this certification first, and we recommend reviewing the relevant learning path in order to be well prepared for the material in this one. You should also have at least two years of real-world experience developing AWS architectures.

This Course Includes

  • Expert-led instruction and exploration of important concepts.
  • Complete coverage of critical Domain Six concepts for the AWS Solutions Architect - Professional certification exam.

What You Will Learn

  • Designing information security management systems (ISMS) and compliance controls
  • Designing security controls
  • Designing identity and access management controls
  • Identity and Access Management
  • Designing protection of Data at Rest controls
  • Designing protection of Data in Flight and Network Perimeter controls

Okay, let's talk about AWS Identity and Access Management, or IAM. IAM lets you create individual users within your AWS account and give them each their own user name, password and, if required, access keys. Individual users can then log into the console using a sign-in URL that is specific to your account. As a best practice, create IAM users for admin or privileged work so that you do not use your root account credentials for everyday access to AWS. Always enable MFA, or multi-factor authentication, on privileged users. You can also create access keys for individual users so that they can make programmatic calls to AWS resources. If a user does not need programmatic access, there is no need to create access keys for them.

Ensuring that users have least-privilege permissions to the resources in your account is an important part of your security management, and IAM is the service you use to perform that function. You can create IAM users under your AWS account and assign them permissions directly, or assign them to groups, which you then assign permissions to. When users belong to a group, any policies attached to the group are by definition binding on all the users who are part of that group.

IAM policies define the relationship between principals and resources. A principal is whoever makes the request: an IAM user, or a role assumed by a user, an application or an AWS service such as an EC2 instance. Groups are not principals; they are simply a way to attach the same policies to several users. A resource is the thing the request acts on, for example an S3 bucket or the objects in it, an EC2 instance, or a data service provided to that instance. A policy is the way you control who can read, write, create or delete an object or call a service. We associate IAM policies, directly or indirectly, with users, groups and roles. Using IAM, you define the way users access AWS: through passwords, access keys, multi-factor authentication or external identity providers. A role is not tied to a particular user or group; it is assumed, by a service such as an EC2 instance, or by a user or application that needs temporary credentials, and it carries its own policies.

Okay, so let's walk through 12 IAM best practices.

  1. Put multi-factor authentication on the root account and remove its access keys.
  2. Create individual IAM users so that you have more control over account access.
  3. Use groups to assign permissions to IAM users, because groups make it much easier to manage accounts at scale.
  4. Grant least privilege. Start by allowing users to do as little as possible, and only grant access to services on a needs basis.
  5. Configure a strong password policy for your users.
  6. Enable multi-factor authentication for privileged users. That protects those users and reduces the blast radius should a privileged or admin user lose their machine or have their account compromised.
  7. Use roles for applications that run on Amazon EC2 instances. Setting the role at launch lets you control what the instances can and can't do once they are running, without placing long-term access keys on the instance.
  8. Delegate by using roles instead of sharing credentials. Roles reduce the need to share credentials when you need systems to talk to each other.
  9. Rotate credentials regularly.
  10. Remove unnecessary credentials and users. Regularly download the credential report and remove any accounts or keys that you are not using.
  11. Use policy conditions for extra security. These are great. For example, only allow users to terminate or delete resources if they are signed in with multi-factor authentication, or only if a particular tag exists on the resource.
  12. Monitor activity in your AWS account. Amazon CloudWatch, AWS CloudTrail and AWS Config are all great tools to help with detection and monitoring.
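The following is an added worked example of best practice 11 (policy conditions) and is not code from the course. It builds an identity-based policy that permits day-to-day EC2 operations freely, permits terminating instances only when the caller authenticated with MFA and the instance carries an `Environment=sandbox` tag, and explicitly denies termination to anyone who cannot prove MFA, which also catches calls made with long-term access keys, where the `aws:MultiFactorAuthPresent` key is absent. To show how the conditions bite, the script includes a small offline evaluator covering only the subset of IAM semantics the policy uses (Allow/Deny with explicit deny winning, `*` wildcards in Action and Resource, and the `Bool`, `BoolIfExists` and `StringEquals` operators). The account ID, instance ARN and request contexts are constructed; for a real policy, confirm the behaviour with the IAM policy simulator (`aws iam simulate-custom-policy`) rather than this toy.

```python
"""Evaluate a scoped-down IAM policy offline (added example; not course code).

Implements only what the sample policy needs: Allow/Deny with explicit Deny
winning, '*'/'?' wildcards in Action and Resource, and the Bool, BoolIfExists
and StringEquals condition operators. It is a teaching aid, not the IAM engine.
"""
import fnmatch

POLICY = {  # constructed policy illustrating best practice 11
    "Version": "2012-10-17",
    "Statement": [
        {   # Day-to-day operations need no extra proof.
            "Sid": "DescribeStartStop",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
        },
        {   # Destructive action: MFA and a sandbox tag are both required.
            "Sid": "TerminateSandboxWithMfa",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"aws:ResourceTag/Environment": "sandbox"},
            },
        },
        {   # Guard against another policy (e.g. a group policy) granting
            # terminate. BoolIfExists also matches requests signed with
            # long-term access keys, where the MFA key is absent.
            "Sid": "DenyTerminateWithoutMfa",
            "Effect": "Deny",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style glob match. Action names are case-insensitive; ARNs are not."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(operator, key, expected, context):
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    actual = context.get(key)
    if actual is None:
        # Missing key: ...IfExists operators evaluate to true, plain ones to false.
        return if_exists
    if base == "Bool":
        return str(actual).lower() == str(expected).lower()
    if base == "StringEquals":
        return actual in _as_list(expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        conditions_met = all(
            _condition_holds(op, key, expected, context)
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        )
        if not conditions_met:
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision


# Constructed account ID and instance ID.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def demo():
    """Constructed request contexts showing how the conditions change the decision."""
    terminate = "ec2:TerminateInstances"
    return {
        "describe_no_mfa": evaluate(POLICY, "ec2:DescribeInstances", "*", {}),
        "terminate_mfa_sandbox": evaluate(POLICY, terminate, INSTANCE,
            {"aws:MultiFactorAuthPresent": "true", "aws:ResourceTag/Environment": "sandbox"}),
        "terminate_mfa_prod": evaluate(POLICY, terminate, INSTANCE,
            {"aws:MultiFactorAuthPresent": "true", "aws:ResourceTag/Environment": "prod"}),
        "terminate_console_no_mfa": evaluate(POLICY, terminate, INSTANCE,
            {"aws:MultiFactorAuthPresent": "false", "aws:ResourceTag/Environment": "sandbox"}),
        "terminate_access_key": evaluate(POLICY, terminate, INSTANCE,
            {"aws:ResourceTag/Environment": "sandbox"}),  # no MFA key at all
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} -> {decision}")
```

The two denies are not redundant: without the explicit Deny statement, a user who also holds a broader policy (say, a group policy granting `ec2:*`) could still terminate without MFA, because IAM unions the Allows across all attached policies. The `BoolIfExists` form matters for the same reason, since a request signed with a long-term access key never carries `aws:MultiFactorAuthPresent` at all.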
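Best practices 1, 6, 9 and 10 all turn on the IAM credential report, so here is an added example, not part of the course, of the audit a practitioner would run over it. The report is the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` returns; the rows below are constructed (root with a live access key and no MFA, a healthy admin, a dormant user with two old keys, and a service user), the certificate columns are omitted, and the 90-day threshold and fixed "now" are assumptions made so the output is reproducible.

```python
"""Audit an IAM credential report for the conditions the best practices call out.

Added example, not course material. Flags: root without MFA or with any active
access key; console users without MFA; passwords and access keys idle past a
threshold; access keys not rotated within the threshold. Fetch a real report with
  aws iam generate-credential-report
  aws iam get-credential-report --query Content --output text | base64 -d
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

ROOT = "<root_account>"          # how the report names the root user
MAX_AGE_DAYS = 90                # assumption: rotate or remove anything older
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the audit is reproducible

# Constructed sample in the real report's column layout (certificate columns omitted).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-20T08:11:00+00:00,not_supported,not_supported,false,true,2021-03-01T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T12:00:00+00:00,true,2024-05-30T07:45:00+00:00,2024-04-01T12:00:00+00:00,2024-06-30T12:00:00+00:00,true,true,2024-05-01T12:00:00+00:00,2024-05-31T15:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-15T12:00:00+00:00,true,2023-11-02T10:00:00+00:00,2023-10-01T12:00:00+00:00,2023-12-30T12:00:00+00:00,false,true,2023-01-05T12:00:00+00:00,2023-02-01T09:00:00+00:00,eu-west-1,s3,true,2022-06-15T12:05:00+00:00,N/A,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-09-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-15T12:00:00+00:00,2024-05-31T23:10:00+00:00,us-east-1,codedeploy,false,N/A,N/A,N/A,N/A
"""


@dataclass(frozen=True)
class Finding:
    user: str
    code: str
    detail: str


def _age_days(value, now):
    """Days since an ISO-8601 timestamp in the report, or None for the report's
    sentinels (N/A, no_information, not_supported)."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_age=MAX_AGE_DAYS):
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        def add(code, detail):
            findings.append(Finding(user, code, detail))

        if user == ROOT:  # best practice 1
            if row["mfa_active"] != "true":
                add("NO_MFA", "root account has no MFA device")
            for n in (1, 2):
                if row[f"access_key_{n}_active"] == "true":
                    add("ROOT_ACCESS_KEY", f"root access key {n} is active; delete it")

        if row["password_enabled"] == "true":  # console users (best practices 6, 10)
            if row["mfa_active"] != "true":
                add("NO_MFA", "console password without MFA")
            used = _age_days(row["password_last_used"], now)
            if used is None or used > max_age:
                add("PASSWORD_UNUSED", f"password last used: {row['password_last_used']}")

        for n in (1, 2):  # access keys (best practices 9, 10)
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if rotated is not None and rotated > max_age:
                add("KEY_STALE_ROTATION", f"access key {n} last rotated {rotated} days ago")
            used = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if used is None or used > max_age:
                add("KEY_UNUSED", f"access key {n} never used or idle {used} days")
    return findings


def findings_by_user(findings):
    grouped = {}
    for f in findings:
        grouped.setdefault(f.user, []).append(f.code)
    return grouped


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT):
        print(f"{f.user:16s} {f.code:20s} {f.detail}")
```

Treat `KEY_UNUSED` on a key that has never been used (`N/A`) as a deletion candidate rather than a rotation candidate: rotating a key nobody uses just produces a second unused key. For the root account the only acceptable state is no access keys at all, so `ROOT_ACCESS_KEY` should be actioned regardless of age.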

About the Author
Andrew Larkin
Head of Content

Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe.  His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.