Design Secure Access to AWS Resources for SAA-C03
Understand IAM roles, federation, cross-account access, root-user controls, and least-privilege patterns for the secure-access questions on SAA-C03.
SAA-C03 does not want a trivia recital about IAM. It wants to know whether you can design access that is secure, flexible, and realistic for multi-account AWS environments. The best answer is usually the one that uses temporary credentials, role-based access, and the smallest workable blast radius.
What AWS is explicitly testing
The current exam guide ties this task to access controls across multiple accounts, federated identity, AWS global infrastructure, least privilege, the shared responsibility model, MFA, role-based access strategies such as STS and cross-account access, security strategy for multiple AWS accounts, and the right use of resource policies.
The mental model that prevents weak answers
Separate the access question into three parts:
- Who is the principal? Human user, workload, service, or external account.
- How should they authenticate? Federation, IAM Identity Center, or role assumption rather than long-term keys.
- What should they be allowed to do? Least-privilege permissions scoped to the specific task.
Candidates lose points when they jump straight to “attach a policy” before deciding whether the principal should even exist as an IAM user.
Identity chooser
| Requirement | Strongest first fit | Why |
|---|---|---|
| Employee access across multiple AWS accounts | IAM Identity Center plus permission sets | Centralized federation and cleaner account-level authorization |
| AWS workload access to another AWS service | IAM role on the workload | Removes embedded long-term keys |
| Cross-account administration or automation | sts:AssumeRole with trust boundary | Temporary credentials and clearer blast-radius control |
| Public access to one specific S3 resource or queue | Resource policy with tightly scoped principal and conditions | The resource itself can enforce the boundary |
Secure access defaults that usually win
| Requirement | Strongest first fit | Why |
|---|---|---|
| Workforce access across accounts | IAM Identity Center plus permission sets | Centralizes sign-in and reduces long-term IAM user sprawl |
| Service-to-service permissions | IAM role attached to the workload | Avoids embedded keys |
| Cross-account administration | AssumeRole with trust policy | Gives temporary access and clear boundaries |
| Root user protection | Minimal use plus MFA | Root is for account-level emergencies, not daily work |
Why cross-account roles matter so much
AWS organizations, shared services, and production isolation all push architects toward multiple accounts. That means secure access design is usually a trust-policy problem plus a permission-policy problem, not a question of where to create another IAM user.
If an answer uses access keys for one AWS account to administer another account long term, it is usually weaker than a role-assumption pattern.
Temporary-credential path you should recognize
flowchart LR
P["User or workload"] --> F["Federation or role assumption"]
F --> S["STS issues temporary credentials"]
S --> R["Role session"]
R --> X["AWS resource access"]
What to notice:
- the security boundary is the role and its trust plus permission model
- STS-issued temporary credentials are the preferred path over shared long-term access keys
- SAA-C03 often wants you to redesign the identity flow, not just tighten one policy statement
Multi-account guardrails matter above IAM
SAA-C03 also wants you to notice when the problem is bigger than one role or one policy. In multi-account environments, guardrails often live at a higher level:
| Control layer | What it does |
|---|---|
| IAM policy | Grants or denies permissions to a principal in the account context |
| Trust policy | Controls who may assume a role |
| Resource policy | Lets the service resource itself enforce who may access it |
| SCP | Sets an account- or OU-level permission boundary across AWS Organizations |
If an answer says “allow it in IAM” but the organization wants to prevent whole classes of actions across accounts, an SCP or broader account strategy may be the real control AWS is testing.
IAM trust policy example
This is the kind of configuration shape SAA-C03 expects you to read correctly:
1{
2 "Version": "2012-10-17",
3 "Statement": [
4 {
5 "Effect": "Allow",
6 "Principal": {
7 "AWS": "arn:aws:iam::111122223333:root"
8 },
9 "Action": "sts:AssumeRole"
10 }
11 ]
12}
What to notice:
- the trust policy answers who may assume the role
- it does not define the full data-plane permissions on its own
- the final result still depends on the permissions attached to the role being assumed
Federation and root-user decisions
Two recurring exam habits matter here:
- if the principal is a workforce user, prefer federation and centralized sign-in over fleets of IAM users
- if the answer uses the root user for normal operations, it is almost certainly wrong
Root credentials are for rare account-level actions, with MFA and minimal use. SAA-C03 likes answer choices that sound “powerful” but violate this rule.
Resource policies and roles solve different problems
Roles are often the strongest answer for workloads. Resource policies matter when the service itself must enforce access, especially across accounts or from public/request-specific contexts.
| If the question is really about… | Look first at… |
|---|---|
| workload identity | IAM role |
| account-to-account delegation | trust policy plus role permissions |
| service resource boundary | resource policy |
| organization-wide prevention | SCP |
Common traps
- creating many IAM users for workloads that should use roles
- confusing a trust policy with a permission policy
- assuming an IAM allow beats every other control, even when SCPs or key policies exist
- forgetting MFA and root-user hardening in “most secure” answer choices
- using access keys for cross-account administration when role assumption is available
Fast decision rule
When the prompt says employees, think centralized workforce access. When it says application, think instance, task, or Lambda role. When it says another account, think cross-account role assumption. When it says most secure, remove long-term credentials whenever possible.
Quiz
Continue with 1.2 Secure Workloads & Applications to connect identity decisions to VPC boundaries and application-facing controls.