Identity & Access Management Fundamentals (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards

| Front | Back |
|---|---|
| Best practice for cross-account access | Use roles with limited permissions and MFA, and avoid sharing long-term credentials |
| Describe the AWS policy evaluation logic | Step 1: an explicit deny wins. Step 2: an explicit allow is checked next. Step 3: otherwise, implicit deny |
| Difference between a managed policy and an inline policy | Managed policies are standalone, reusable objects; inline policies are embedded directly on a single principal or resource |
| Give an ABAC example | Granting access to S3 objects when the user's department tag matches the object's department tag |
| How do permission boundaries work | They cap the union of allowed permissions, so a principal must have both an identity-policy allow and a boundary allow to perform an action |
| How does IAM Access Analyzer work | It evaluates policies and resource configurations using automated reasoning to identify potential unintended access paths |
| How to audit IAM changes | Use AWS CloudTrail, IAM Access Analyzer, and configuration history to track policy and principal changes and detect anomalies |
| How to design least privilege for roles | Start with deny all, then add specific allows, test with real tasks, and iterate by tightening permissions |
| What are session duration limits | The maximum time temporary credentials from AssumeRole remain valid; it should be minimized for security |
| What is a permission boundary | A maximum permissions boundary that limits the effective permissions an IAM principal can have, regardless of its policies |
| What is a resource-based policy | A policy attached directly to a resource that specifies which principals can access that resource |
| What is a session policy | A policy passed during AssumeRole that further restricts the permissions of the temporary credentials |
| What is ABAC | Attribute-Based Access Control, which grants permissions based on attributes such as tags or user attributes instead of explicit resource lists |
| What is the access key rotation best practice | Rotate and retire access keys regularly, and prefer temporary credentials and roles instead of long-term keys |
| What is an explicit deny | An explicit deny in any policy overrides any allow and immediately prevents access |
| What is an external ID and why use it | An identifier provided by the trusting account to prevent confused-deputy attacks when third parties assume roles |
| What is an IAM group | A collection of IAM users used to assign the same managed policies to multiple users at once |
| What is an IAM role | A set of permissions that can be assumed by trusted principals and provides temporary credentials |
| What is an IAM user | An identity representing a person or service, with long-term credentials and policies that define permissions |
| What is an identity-based policy | A policy attached to a principal, such as a user, group, or role, that grants permissions to act on resources |
| What is AssumeRole | An API that lets a principal assume a role and receive temporary credentials with the role's permissions |
| What is AssumeRoleWithSAML | An API that lets SAML-federated users assume a role using assertions from an identity provider |
| What is AWS IAM Access Analyzer | A tool that analyzes resource-based policies and generates findings for potential external access, including cross-account risks |
| What is AWS STS | The Security Token Service, which issues temporary security credentials for federated access and cross-account roles |
| What is cross-account access | A pattern where principals from one AWS account access resources in another account, typically via roles or resource-based policies |
| What is federation in IAM | Allowing external identities, such as corporate users or third-party providers, to access AWS without long-term credentials |
| What is implicit deny | Any action not explicitly allowed is implicitly denied by default |
| What is least privilege | Granting only the minimum permissions required to perform a task and nothing more |
| What is the policy simulator | A tool that tests and evaluates the effective permissions of a principal by simulating API calls |
| What is a role trust policy | A policy attached to a role that defines which principals are allowed to assume the role |
| What is the Principal element in a resource policy | It specifies the AWS account, user, role, or service that is allowed or denied access to the resource |
| Why use temporary credentials | To reduce the risk of long-term key compromise, enforce session duration, and apply session policies |
About the Flashcards
Flashcards for the AWS Certified Security Specialty exam focus on core AWS Identity and Access Management skills. Refresh how users, groups, and roles are created, grouped, and assumed, compare managed versus inline policies, identity- versus resource-based permissions, and follow the explicit-deny-first evaluation chain that decides what every principal can or cannot do.
Build exam confidence by exploring permission boundaries, least-privilege design, temporary credentials from STS, SAML and web federation workflows, session policies, and secure cross-account patterns with external IDs. Cards also cover ABAC tagging strategies, Access Analyzer findings, key rotation, and auditing with CloudTrail so you can recognize and remediate risky configurations.
Topics covered in this flashcard deck:
- IAM users, groups, roles
- Policies & evaluation logic
- STS and federation
- Permission boundaries, least privilege
- Cross-account access controls
- Access Analyzer & auditing