📋 IAM & Access Control Cheat Sheet

Quick reference for the AWS Certified Security - Specialty (SCS-C02) exam: IAM policies, roles, permission boundaries, policy evaluation, cross-account access, and identity federation.

Policy Evaluation Order

  1. Explicit Deny in any policy → DENY
  2. SCP allows? If not → implicit DENY
  3. Resource policy allows? → ALLOW (same account) or continue
  4. Permission boundary allows? If not → implicit DENY
  5. Session policy allows? If not → implicit DENY
  6. Identity policy allows? → ALLOW, else implicit DENY

Cross-Account Access

  • Role assumption: source account assumes role in target account via STS
  • Resource policy: target resource grants access to source account principal
  • Both together: assume a role in the target account and also attach a resource policy on the target resource
  • Key difference: a resource policy grants direct access without an AssumeRole call

Permission Boundaries

  • Sets the maximum permissions: effective permissions = intersection of the boundary and the identity policy
  • Used to delegate role/user creation without escalation
  • Only identity-based policies are limited by boundaries; resource-based policies are not
  • Attached to users/roles, not groups
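The evaluation order, the cross-account rules and the boundary intersection above, worked through as an added example that is not part of the cheat sheet or of any AWS tool: a toy evaluator over policies written as Python dicts. It assumes simplified matching (Effect, Action and Resource only; Condition, NotAction and NotResource are ignored), treats a principal that has assumed a role in the target account as a same-account principal, and uses constructed policies with placeholder bucket names and ARNs.

```python
"""Toy AWS policy evaluator following the cheat sheet's evaluation order.

Added example, not AWS code. Policies are dicts in IAM JSON shape; only
Effect, Action and Resource are matched (Condition, NotAction and
NotResource are ignored, an assumption made for brevity).
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Most IAM fields accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(policy, action, resource, effect):
    """True if a statement with this Effect matches the action and resource.
    Action names are case-insensitive in IAM; '*' and '?' wildcards map
    directly onto fnmatchcase."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != effect:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource", "*"))
        if (any(fnmatchcase(action.lower(), a) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def evaluate(action, resource, *, identity, scp=None, resource_policy=None,
             boundary=None, session=None, same_account=True):
    """Return (decision, reason). same_account=False models a principal in
    another account hitting the resource directly; a principal that first
    assumes a role in the target account is evaluated as same_account=True
    with that role's policies."""
    policies = {"SCP": scp, "resource": resource_policy,
                "permission boundary": boundary, "session": session,
                "identity": identity}
    # Step 1: an explicit Deny in any policy type wins outright.
    for name, policy in policies.items():
        if policy is not None and _covers(policy, action, resource, "Deny"):
            return "DENY", f"explicit deny in {name} policy"
    # Step 2: if an SCP applies, it must allow the action.
    if scp is not None and not _covers(scp, action, resource, "Allow"):
        return "DENY", "implicit deny: SCP does not allow"
    # Step 3: a resource-policy Allow is enough for a same-account principal;
    # a cross-account principal needs it AND must pass its own policies below.
    resource_allows = resource_policy is not None and _covers(
        resource_policy, action, resource, "Allow")
    if resource_allows and same_account:
        return "ALLOW", "resource policy allows (same account)"
    if not same_account and not resource_allows:
        return "DENY", "implicit deny: cross-account access needs a resource policy allow"
    # Step 4: the permission boundary caps what the identity policy can grant.
    if boundary is not None and not _covers(boundary, action, resource, "Allow"):
        return "DENY", "implicit deny: outside permission boundary"
    # Step 5: a session policy passed at AssumeRole time caps it further.
    if session is not None and not _covers(session, action, resource, "Allow"):
        return "DENY", "implicit deny: outside session policy"
    # Step 6: finally the identity policy itself must allow.
    if _covers(identity, action, resource, "Allow"):
        return "ALLOW", "identity policy allows"
    return "DENY", "implicit deny: no policy allows"


# Constructed sample policies; bucket name and ARNs are placeholders.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER = {"Statement": [{"Effect": "Allow", "Resource": "*",
                            "Action": ["s3:GetObject", "iam:CreateUser"]}]}
EC2_READER = {"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*",
                             "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                                   "Resource": "*"}]}
ORG_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
OBJECT = "arn:aws:s3:::example-bucket/report.csv"

if __name__ == "__main__":
    for act, res, kw in [
        ("s3:GetObject", OBJECT, dict(identity=DEVELOPER, scp=ORG_SCP, boundary=S3_ONLY_BOUNDARY)),
        ("iam:CreateUser", "*", dict(identity=DEVELOPER, boundary=S3_ONLY_BOUNDARY)),
        ("s3:DeleteBucket", "arn:aws:s3:::example-bucket", dict(identity=ADMIN, scp=ORG_SCP)),
        ("s3:GetObject", OBJECT, dict(identity=EC2_READER, resource_policy=BUCKET_POLICY)),
        ("s3:GetObject", OBJECT, dict(identity=EC2_READER, resource_policy=BUCKET_POLICY, same_account=False)),
        ("s3:GetObject", OBJECT, dict(identity=DEVELOPER, same_account=False)),
    ]:
        print(f"{act:16} -> {evaluate(act, res, **kw)}")
```

The six cases in the main block exercise each branch: an ordinary allow, a boundary blocking `iam:CreateUser` even though the identity policy grants it, an SCP explicit deny beating an admin identity policy, a same-account principal let in by the bucket policy alone, and the two cross-account cases where the bucket policy and the caller's own identity policy must both allow.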

IAM Access Analyzer

  • Zone of trust: account or organization
  • Finds resources shared externally (S3, IAM roles, KMS, Lambda, SQS)
  • Policy validation: checks syntax and flags security warnings and improvement suggestions
  • Policy generation: creates policy from CloudTrail activity
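A zone-of-trust scan in the spirit of the external-access findings above, as an added example that is neither Access Analyzer's code nor part of the cheat sheet: it walks a constructed bucket policy and reports Allow statements whose Principal lies outside a trusted account set or organization. Assumptions: only the `aws:PrincipalOrgID` condition is understood, AWS service principals are treated as in-trust, and the account IDs and org ID are placeholders.

```python
"""Toy 'zone of trust' scan in the spirit of IAM Access Analyzer.

Added example, not Access Analyzer code. Given a resource-based policy,
reports Allow statements whose Principal is outside the trusted accounts
or organisation. Assumptions: only aws:PrincipalOrgID is understood as a
condition, and AWS service principals are treated as in-trust.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account ID named by a principal string, or None for '*' / unknown."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[4]:
        return parts[4]
    return None


def _principals(stmt):
    """Yield (kind, value) pairs from a statement's Principal element."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        yield "AWS", "*"
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield kind, value


def find_external_access(policy, trusted_accounts, trusted_org_id=None):
    """Return findings for principals outside the zone of trust."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # A statement pinned to the trusted org by condition is in-zone
        # whatever its Principal says.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if trusted_org_id and cond.get("aws:PrincipalOrgID") == trusted_org_id:
            continue
        for kind, value in _principals(stmt):
            if kind == "Service":
                continue
            if account_of(value) in trusted_accounts:
                continue
            findings.append({
                "sid": stmt.get("Sid"),
                "principal": value,
                "public": value == "*",
                "actions": _as_list(stmt.get("Action", [])),
            })
    return findings


# Constructed sample bucket policy; account IDs and org ID are placeholders.
TRUSTED_ACCOUNTS = {"111111111111"}
TRUSTED_ORG = "o-exampleorg"
SAMPLE_BUCKET_POLICY = {"Statement": [
    {"Sid": "OwnAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": TRUSTED_ORG}}},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/partner"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "LogDelivery", "Effect": "Allow",
     "Principal": {"Service": "logging.s3.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
]}

if __name__ == "__main__":
    for f in find_external_access(SAMPLE_BUCKET_POLICY, TRUSTED_ACCOUNTS, TRUSTED_ORG):
        label = "PUBLIC" if f["public"] else "external"
        print(f"{f['sid']}: {label} principal {f['principal']} can {f['actions']}")
```

Run with the organization as the zone of trust, only the partner-account statement and the unconditioned `Principal: "*"` statement are reported; drop the org ID (account-only zone of trust) and the org-scoped statement is reported as public too, which is the difference between the two zones the cheat sheet lists.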
