SAA-C03 - Design Secure Architectures - Section 1.3
Determine when to use resource-based policies, permission boundaries and cross-account roles to control access to shared resources.
Distinguish resource-based policies (attached to the resource, such as S3 bucket policies) from identity-based policies, and explain how permission boundaries cap the maximum permissions an IAM entity can exercise. Choose cross-account roles over resource-based policies when the calling principal needs to assume a temporary identity, and recognise when both mechanisms must grant access for a cross-account action to succeed.
Resource-based policies, Permission boundaries, Cross-account roles, S3 bucket policies
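The three mechanisms this objective covers, laid out side by side in one CloudFormation template for the bucket-owning account. This is an added example, not material from the page or from AWS; the account ID, bucket name and role name are placeholders, and the trusted account's own identity-based policies are described in the note that follows rather than in the template.

```yaml
# Added example (not from the page or from AWS documentation): template for the
# account that OWNS the shared bucket. Account IDs and names are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Shared S3 bucket exposed to a trusted account two ways - bucket policy and bounded cross-account role

Parameters:
  TrustedAccountId:
    Type: String
    Default: "222222222222"   # placeholder: the other account that needs access
  BucketName:
    Type: String
    Default: example-shared-reports-bucket   # placeholder bucket name

Resources:
  SharedBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName

  # 1. Resource-based policy: attached to the bucket, names the principal.
  #    Granting to the other account's root delegates to that account's IAM, so a
  #    user there can read only if its OWN identity-based policy also allows
  #    s3:GetObject on this bucket. Cross-account direct access needs both grants.
  SharedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SharedBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DelegateReadToTrustedAccount
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${TrustedAccountId}:root"
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !GetAtt SharedBucket.Arn
              - !Sub "${SharedBucket.Arn}/*"

  # 2. Permissions boundary: a managed policy that caps the MAXIMUM permissions
  #    of any role it is attached to; identity policies cannot exceed it.
  ReadOnlyBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: SharedBucketReadOnlyBoundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CapToReadingTheSharedBucket
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !GetAtt SharedBucket.Arn
              - !Sub "${SharedBucket.Arn}/*"

  # 3. Cross-account role: the trust policy lets principals in the trusted account
  #    call sts:AssumeRole and receive temporary credentials belonging to THIS
  #    account. Because the role is in the same account as the bucket, its own
  #    identity policy is enough; the bucket policy need not also allow it.
  #    The policy below lists s3:PutObject, but the boundary does not, so writes
  #    are denied: effective permissions = identity policy INTERSECT boundary.
  CrossAccountReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SharedBucketReaderRole
      PermissionsBoundary: !Ref ReadOnlyBoundary
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${TrustedAccountId}:root"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: SharedBucketAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                  - s3:PutObject   # granted here but outside the boundary, so ineffective
                Resource:
                  - !GetAtt SharedBucket.Arn
                  - !Sub "${SharedBucket.Arn}/*"
```

On the trusted account's side nothing in this template helps by itself: a principal there needs an identity-based policy allowing `sts:AssumeRole` on `arn:aws:iam::<bucket-account-id>:role/SharedBucketReaderRole` to take the role path, or `s3:GetObject`/`s3:ListBucket` on the bucket ARN to take the direct path through the bucket policy. The role path is the one to prefer when the caller should operate under a temporary, scoped identity rather than its home-account one, and the boundary guarantees that later edits to the role's policies cannot widen it past read access to this one bucket.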
Examworthy is not affiliated with or endorsed by Amazon Web Services. Original, blueprint-aligned practice material only.