AWS Certified Security - Specialty (SCS-C03) Domain 4
Identity and Access Management
Official Exam Guide: Domain 4: Identity and Access Management
Skill Builder: AWS Certified Security - Specialty Exam Prep
Domain Overview
Domain 4 (20% - largest domain) focuses on authentication strategies and authorization strategies.
Task 4.1: Design and implement authentication strategies
Key Skills:
- Design identity solutions for human, application, and system authentication
- Configure temporary credential mechanisms
- Troubleshoot authentication issues
Essential Documentation:
- AWS IAM Identity Center User Guide
- Amazon Cognito Developer Guide
- Using Multi-Factor Authentication (MFA)
- AWS STS API Reference
- S3 Presigned URLs
- AWS Directory Service Administration Guide
Task 4.2: Design and implement authorization strategies
Key Skills:
- Design authorization controls for human, application, and system access
- Design ABAC and RBAC strategies
- Implement IAM policies with least privilege
- Analyze authorization failures
- Investigate unintended permissions
Essential Documentation:
- AWS IAM User Guide
- Amazon Verified Permissions
- IAM Roles Anywhere
- Permissions Boundaries
- IAM Policy Simulator
- IAM Access Analyzer
- Access Analyzer Policy Generation
AWS Service FAQs
Study Tips
- Master IAM policy structure - Principal, Action, Resource, Effect, Condition elements. Identity-based vs resource-based policies.
- Learn ABAC implementation - Tag-based access control, principal tags, resource tags, request condition tags, session tags.
- Understand permission boundaries - Maximum permissions for IAM entities, prevent privilege escalation, delegate administration safely.
- Practice with Access Analyzer - Identify resources shared with external entities, validate policies, generate policies from CloudTrail logs.
- Study federation patterns - SAML 2.0 federation, OIDC providers, IAM Identity Center (SSO), Cognito user pools and identity pools.
Note: This is Domain 4 of 6, representing 20% (largest domain) of exam content.