Why This Cheat Sheet Matters for SCS-C02
This cheat sheet covers the most important IAM & Access Control concepts tested on the SCS-C02 (AWS Security Specialty) certification exam. It contains 4 sections with 18 key points that you should memorize before exam day. Master IAM policies, roles, permission boundaries, policy evaluation logic, cross-account access, identity federation, and least privilege principles for the SCS-C02 exam. Use this as a quick-reference guide during your final review sessions.
Policy Evaluation Order
- 1. Explicit Deny (any policy) → DENY
- 2. SCP allows? If not → implicit DENY
- 3. Resource policy allows the principal? → ALLOW (same account); otherwise continue
- 4. Permission boundary allows? If not → implicit DENY
- 5. Session policy allows? If not → implicit DENY
- 6. Identity policy allows? → ALLOW, else implicit DENY
Cross-Account Access
- Role assumption: source account assumes role in target account via STS
- Resource policy: target resource grants access to source account principal
- Combined approach: role assumption plus a resource policy on the target resource
- Key difference: a resource policy grants direct access; no AssumeRole call is needed
Permission Boundaries
- Sets maximum permissions — effective = intersection of boundary + identity policy
- Used to delegate role/user creation without escalation
- Boundaries limit only identity-based policies, not resource-based policies
- Attached to users/roles, not groups
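The six-step evaluation order above and the permission-boundary intersection rule, as an added Python example (not part of the cheat sheet): a deliberately simplified same-account evaluator over constructed toy policies that match on Action only, ignoring Resource, Principal and Condition.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed toy model: a policy is a list of statements of the form
# {"Effect": "Allow"|"Deny", "Action": [...]}; Resource/Principal/Condition are ignored.
Policy = List[Dict]


def _decision(policy: Optional[Policy], action: str) -> Optional[str]:
    """'Deny' if any statement explicitly denies the action, 'Allow' if one
    allows it, None if no statement matches (or no policy is attached)."""
    if policy is None:
        return None
    result = None
    for stmt in policy:
        # fnmatchcase approximates IAM's '*' and '?' wildcards in Action.
        if any(fnmatchcase(action, p) for p in stmt.get("Action", [])):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate(action: str, identity: Policy, scp: Optional[Policy] = None,
             resource: Optional[Policy] = None, boundary: Optional[Policy] = None,
             session: Optional[Policy] = None) -> str:
    """Apply the six-step same-account evaluation order from the cheat sheet."""
    policies = {"scp": scp, "resource": resource, "boundary": boundary,
                "session": session, "identity": identity}
    # 1. An explicit Deny in any policy type is final.
    if any(_decision(p, action) == "Deny" for p in policies.values()):
        return "DENY (explicit)"
    # 2. If an SCP applies it must allow; no SCP means no organizational limit.
    if scp is not None and _decision(scp, action) != "Allow":
        return "DENY (implicit: scp)"
    # 3. A same-account resource policy that allows the principal is a final Allow.
    if _decision(resource, action) == "Allow":
        return "ALLOW (resource policy)"
    # 4-5. A permission boundary or session policy, if present, must also allow:
    #      effective permissions are the intersection with the identity policy.
    for name in ("boundary", "session"):
        if policies[name] is not None and _decision(policies[name], action) != "Allow":
            return f"DENY (implicit: {name})"
    # 6. Otherwise the identity policy decides.
    if _decision(identity, action) == "Allow":
        return "ALLOW (identity policy)"
    return "DENY (implicit: identity)"
```

With an identity policy allowing `s3:*` and a boundary allowing only `s3:ListBucket`, `evaluate("s3:GetObject", ...)` returns `DENY (implicit: boundary)` while `s3:ListBucket` is allowed, which is the intersection rule in action.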
IAM Access Analyzer
- Zone of trust: account or organization
- Finds resources shared externally (S3, IAM roles, KMS, Lambda, SQS)
- Policy validation: checks syntax, security warnings, suggestions
- Policy generation: creates policy from CloudTrail activity