Source · AWS SAA-C03 Exam Guide + AWS Security documentation
Why this matters
Source · SAA-C03 Exam Guide, Domain 1
Design Secure Architectures is the highest-weighted exam domain (30% of scored content), and security threads through every other question. A design that works but grants overly broad permissions is a wrong answer.
The exam consistently rewards least privilege, temporary credentials, and encryption — and punishes long-lived access keys and wildcard policies.
The concept
Source · AWS IAM and KMS documentation
IAM governs who can do what. Policies are JSON documents that allow or deny actions on resources; an explicit Deny always wins over an Allow, and anything not explicitly allowed is implicitly denied. Roles are identities with policies that can be assumed to obtain temporary credentials. They are the preferred way for EC2, Lambda, and cross-account callers to use AWS APIs, because there are no long-lived keys to leak.
Least privilege means granting only the permissions a task actually needs, scoped to specific resources — never a wildcard unless truly required.
Encryption has two axes. At rest: KMS manages the keys used by S3 (SSE-KMS), EBS, RDS, and many other services. In transit: TLS/HTTPS protects data moving over the network. AWS managed keys are simplest; customer managed KMS keys give you control over the key policy, rotation, and who can use the key across accounts.
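The two axes enforced on a single bucket, as an added example that is not the page's own text or AWS sample code: a bucket policy built from explicit Deny statements (one for TLS in transit, two for SSE-KMS at rest) plus a deliberately simplified condition evaluator that shows which statement stops which request. The bucket name is a placeholder, and the evaluator models only the three operators the policy uses; it is a teaching model, not a reimplementation of IAM's evaluation logic.

```python
import fnmatch

# Added example; the bucket name is a placeholder, not from the original page.
BUCKET = "acme-reports"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Bucket policy made of explicit Deny statements. An explicit Deny beats any
# Allow, so these hold even for a principal whose IAM policy grants s3:*.
ENCRYPTION_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # in transit: refuse any request that did not arrive over TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # at rest: refuse uploads that ask for anything other than SSE-KMS
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # at rest: refuse uploads that send no encryption header at all
            "Sid": "DenyUploadsWithoutEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Simplified evaluation of the three operators used above.
    Assumption: this is a teaching model, not full IAM semantics."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            actual = context.get(key)
            if operator == "Bool":
                if not present or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringNotEquals":
                # This model treats an absent key as "no match"; the Null
                # statement is what catches a request with no header at all.
                if not present or actual == expected:
                    return False
            elif operator == "Null":
                wants_absent = str(expected).lower() == "true"
                if present == wants_absent:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def denying_statement(policy: dict, action: str, resource: str, context: dict):
    """Return the Sid of the first Deny statement matching the request, else None.
    Action and Resource patterns use the same '*' glob semantics as IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed requests: (action, request context)
    samples = [
        ("s3:GetObject", {"aws:SecureTransport": False}),
        ("s3:GetObject", {"aws:SecureTransport": True}),
        ("s3:PutObject", {"aws:SecureTransport": True, "s3:x-amz-server-side-encryption": "AES256"}),
        ("s3:PutObject", {"aws:SecureTransport": True}),
        ("s3:PutObject", {"aws:SecureTransport": True, "s3:x-amz-server-side-encryption": "aws:kms"}),
    ]
    for action, ctx in samples:
        verdict = denying_statement(ENCRYPTION_BUCKET_POLICY, action, f"{BUCKET_ARN}/q1.csv", ctx)
        print(f"{action:14} {ctx} -> {verdict or 'allowed by this policy'}")
```

Two caveats a practitioner should keep in mind: a bucket policy can only deny; the caller still needs an Allow from its own IAM policy for the request to succeed. And since S3 now encrypts every new object by default, set the bucket's default encryption to SSE-KMS with your customer managed key as well, so the Null statement is a backstop rather than the only thing standing between a careless client and an object encrypted under the wrong key.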
Worked scenario
Source · AWS IAM Roles for EC2 documentation
An EC2 instance needs to read objects from one specific S3 bucket. A developer proposes storing an IAM user's access keys on the instance. What's the secure design?
Attach an IAM role to the instance (through an instance profile) with a policy allowing s3:GetObject on that bucket's objects only. The instance receives temporary credentials that rotate automatically via the instance metadata service: no keys to store or leak, and access scoped by least privilege. Require IMDSv2 on the instance so an SSRF bug in an application cannot simply fetch those role credentials from the metadata endpoint.
Contrast the wrong answers: hard-coded access keys can leak and never expire; an s3:* wildcard policy violates least privilege. The exam almost always prefers roles over keys and specific resources over wildcards.
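The scenario's correct answer written out as policy documents, as an added example that is not from the page: the trust policy that lets the EC2 service assume the role, the permissions policy scoped to one action on one bucket, and the overbroad s3:* alternative, with a small checker that flags the wildcard grants the exam punishes. Role and bucket names are placeholders; the AWS CLI commands in the trailing comment are the standard deployment steps and are not executed by the script.

```python
import json

# Added example; role and bucket names are placeholders, not from the original page.
BUCKET = "acme-reports"
ROLE_NAME = "ReportReaderRole"

# Trust policy: only the EC2 service may assume the role. This is what lets an
# instance profile hand the instance short-lived credentials.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: exactly one action on the objects of exactly one bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReportObjects",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# The wrong answer from the scenario: every S3 action on every bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy: dict) -> list:
    """Flag Allow statements that grant via wildcards. Empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        # NotAction / NotResource allow everything *except* what is listed,
        # which is a wildcard in disguise.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource *")
    return findings


def policy_json(policy: dict) -> str:
    """Serialize a policy the way the CLI expects it in a file:// document."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, policy in [("least-privilege", LEAST_PRIVILEGE_POLICY), ("overbroad", OVERBROAD_POLICY)]:
        print(name, "->", wildcard_findings(policy) or "no wildcard grants")
    with open("trust.json", "w") as f:
        f.write(policy_json(TRUST_POLICY))
    with open("permissions.json", "w") as f:
        f.write(policy_json(LEAST_PRIVILEGE_POLICY))

# Deployment steps (real AWS CLI subcommands, shown for reference, not run here):
#   aws iam create-role --role-name ReportReaderRole --assume-role-policy-document file://trust.json
#   aws iam put-role-policy --role-name ReportReaderRole --policy-name ReadReportObjects --policy-document file://permissions.json
#   aws iam create-instance-profile --instance-profile-name ReportReaderRole
#   aws iam add-role-to-instance-profile --instance-profile-name ReportReaderRole --role-name ReportReaderRole
#   aws ec2 associate-iam-instance-profile --instance-id <instance-id> --iam-instance-profile Name=ReportReaderRole
#   aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required   # IMDSv2 only
```

The checker is intentionally strict: it treats any `service:*` action or `*` resource in an Allow statement as a finding, which is exactly the pattern the exam wants you to reject. If the application later needs to list the bucket, add `s3:ListBucket` on the bucket ARN itself (`arn:aws:s3:::acme-reports`, without `/*`) as a separate statement rather than widening the existing one.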
How it connects
Source · AWS Well-Architected — Security Pillar
Security wraps every domain. IAM roles let EC2 (compute) and Lambda call other services safely. KMS integrates with S3, EBS, and RDS (storage and databases) for encryption at rest. Security groups and NACLs (networking) filter traffic on the data plane, while IAM controls the API (control) plane.
Guardrails like requiring MFA, using AWS Organizations SCPs, and turning on CloudTrail for auditing are the customer's half of the shared-responsibility model: AWS secures the cloud (facilities, hardware, the managed service itself), you secure what you put in it (identities, data, and configuration).
- Prefer IAM roles (temporary credentials) over long-lived access keys stored on instances.
- Least privilege means specific actions on specific resources — avoid "Action": "s3:*" on "Resource": "*" unless truly required.
- KMS handles encryption keys; it is not a network firewall — don't confuse it with security groups.
- Use roles for EC2/Lambda/cross-account to get rotating temporary credentials.
- Grant least privilege: minimum actions, scoped resources, no needless wildcards.
- Encrypt at rest with KMS and in transit with TLS/HTTPS.