Why This Cheat Sheet Matters for SAA-C03
This cheat sheet covers the most important AWS Identity and Access Management concepts tested on the SAA-C03 (AWS Solutions Architect Associate) certification exam. It contains 4 sections with 21 key points that you should memorize before exam day. IAM enables you to manage access to AWS services securely. Learn about users, groups, roles, policies, MFA, identity federation, and the principle of least privilege. Use this as a quick-reference guide during your final review sessions.
4Sections
21Key Points
Core Concepts
- IAM is global — not region-specific.
- Root account should never be used for daily tasks. Enable MFA immediately.
- Users, Groups, Roles, and Policies are the four building blocks.
- Policies are JSON documents that define permissions (Effect, Action, Resource).
- By default, all permissions are implicitly denied.
Policies
- Identity-based policies are attached to users, groups, or roles.
- Resource-based policies are attached to resources (e.g., S3 bucket policy).
- AWS managed policies cover common use cases. Customer managed for custom needs.
- Inline policies have a 1:1 relationship with the principal.
- Explicit Deny always overrides any Allow.
- Policy evaluation: Deny by default → Evaluate all → Explicit Deny wins.
Roles
- Roles are assumed temporarily using STS (Security Token Service).
- EC2 instance profiles attach IAM roles to instances.
- Cross-account access: create role in target account, assume from source.
- Service-linked roles are predefined by AWS services.
- Maximum session duration: 1 hour (default) to 12 hours.
Security Best Practices
- Enable MFA on root and all IAM users.
- Use IAM Access Analyzer to identify unused access.
- Rotate access keys regularly; prefer roles over long-term keys.
- Use AWS Organizations SCPs for account-level guardrails.
- Implement least privilege principle — start with minimum permissions.
Practice IAM Questions
Put your knowledge to the test with practice questions.