Cheat sheet AWS-05

Security & IAM (AWS SAA)

Grant least privilege with IAM roles and temporary credentials, and encrypt data at rest and in transit.

Role: IAM role. Assumable identity that hands out rotating temporary credentials; no stored keys.
LP: Least privilege. Minimum actions on specific resources; avoid wildcards.
KMS: Key management. AWS KMS manages the encryption keys used for S3, EBS and RDS data at rest.
TLS: In transit. HTTPS/TLS protects data moving across the network.

Attach a role scoped to the exact bucket/action instead of storing access keys on instances.

EC2 reads S3: Instance role with s3:GetObject on one bucket; temporary, rotating credentials.
Encrypt at rest: Enable SSE-KMS on the bucket and EBS/RDS encryption with a KMS key.
EC2 instance role > hard-coded access keys
Policy: allow only needed actions on specific ARNs
SSE-KMS (at rest) + TLS (in transit)
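Worked example of the three summary points (instance role instead of hard-coded keys, a policy that allows only the needed actions on specific ARNs, SSE-KMS at rest plus TLS in transit), written in Python so the policy documents can be generated and checked offline. This is an added example, not content from the original cheat sheet: the account ID, region, bucket name, key ARN and the small `lint_least_privilege` checker are constructed for illustration.

```python
import json

# Constructed placeholder values, not from the original cheat sheet.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
BUCKET = "example-app-data"
KMS_KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/"
               "11111111-2222-3333-4444-555555555555")


def instance_role_trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume the role. The instance then
    gets short-lived credentials from the metadata service, so no access key is
    written to disk or baked into an AMI."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def instance_role_policy(bucket: str, key_arn: str, prefix: str = "reports/") -> dict:
    """Permissions policy: read objects under one prefix of one bucket and decrypt
    with the single KMS key that protects them. kms:Decrypt is required to read
    SSE-KMS objects; kms:ViaService stops the key being used outside S3."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneBucketPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
            {
                "Sid": "DecryptWithOneKey",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": [key_arn],
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}
                },
            },
        ],
    }


def bucket_policy_tls_and_sse_kms(bucket: str) -> dict:
    """Bucket policy for the two encryption requirements: deny any request over
    plaintext HTTP (aws:SecureTransport false) and deny PutObject requests whose
    server-side-encryption header is missing or not aws:kms (StringNotEquals
    matches an absent key). Also set default bucket encryption to the KMS key."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedPuts",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
        ],
    }


# The shape the cheat sheet warns against: every S3 action on every bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def lint_least_privilege(policy: dict) -> list:
    """Flag Allow statements with wildcard actions ('*' or 'svc:*') or wildcard
    resources ('*' or an ARN ending in ':*', e.g. arn:aws:s3:::*). Deny
    statements are exempt: a broad Deny narrows access, it does not widen it."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"{sid}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    print(json.dumps(instance_role_policy(BUCKET, KMS_KEY_ARN), indent=2))
    print("scoped:", lint_least_privilege(instance_role_policy(BUCKET, KMS_KEY_ARN)))
    print("overbroad:", lint_least_privilege(OVERBROAD_POLICY))
```

The checker is deliberately small: it does not interpret NotAction, NotResource or policy variables, so treat a clean result as a first pass, not a proof of least privilege. The second Deny statement is belt-and-braces once default bucket encryption is set to the KMS key; the TLS Deny is what actually enforces the in-transit requirement for every caller.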
Tags: iam, roles, least-privilege, kms, encryption, security