Curriculum Overview: Authorizing Compute Workloads via IAM Roles

Apply instance profiles, service roles, and execution roles appropriately to authorize compute workloads

This curriculum is designed for security professionals aiming for the AWS Certified Security - Specialty (SCS-C03). It focuses on the secure authorization of compute workloads, specifically addressing Skill 3.2.2: Applying instance profiles, service roles, and execution roles appropriately.

Prerequisites

Before starting this curriculum, learners should have a solid foundation in the following areas:

  • IAM Fundamentals: Understanding of IAM users, groups, and the structure of JSON policy documents (Effect: Allow/Deny, Action, Resource, Condition).
  • Compute Basics: General familiarity with Amazon EC2 (instances), AWS Lambda (functions), and container concepts (ECS/EKS).
  • Security Principles: Knowledge of the Principle of Least Privilege and the risks associated with long-term access keys.
  • AWS CLI/SDK: Basic ability to interact with AWS services via terminal or programmatic interfaces.

Module Breakdown

| Module | Topic | Level | Focus Area |
|---|---|---|---|
| 1 | Workload Identity Foundations | Introductory | IAM Roles vs. Users, Trust Policies, STS |
| 2 | EC2 Instance Profiles | Intermediate | Attaching roles to EC2, Instance Metadata Service (IMDS) |
| 3 | Lambda Execution Roles | Intermediate | Granting permissions to serverless functions, logging to CloudWatch |
| 4 | Service & Container Roles | Advanced | ECS Task Roles vs. Execution Roles, Service-Linked Roles |
| 5 | Identity for Hybrid Workloads | Advanced | IAM Roles Anywhere, trusting an external PKI |

Learning Objectives per Module

Module 1: Workload Identity Foundations

  • Explain the mechanism of AWS Security Token Service (STS) in issuing temporary credentials.
  • Differentiate between an Identity Policy and a Trust Policy.
  • Construct a trust policy that allows a specific service (e.g., ec2.amazonaws.com) to assume a role.
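The difference between a trust policy and an identity policy, and the troubleshooting order that follows from it, is easiest to see in code. The following is an added example, not material from the course: a deliberately simplified evaluator that answers the two questions separately (may ec2.amazonaws.com assume the role? may the role then perform the action on the resource?). The sample policies, bucket name and ARNs are constructed; Condition blocks, NotAction/NotResource, SCPs, permission boundaries and resource-based policies are left out of the model.

```python
"""Added example, not from the course: a deliberately simplified model of the
two IAM decisions behind a compute workload's access, used to tell a
trust-policy failure apart from an identity-policy failure.

Assumed simplifications: only Effect, Principal, Action and Resource are
evaluated. Condition blocks, NotAction/NotResource, SCPs, permission
boundaries and resource-based policies are ignored."""
import fnmatch
import json

# Constructed sample: a role that EC2 may assume, allowed to read one bucket
# except for a "secrets/" prefix that is explicitly denied.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data",
                  "arn:aws:s3:::example-app-data/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-app-data/secrets/*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(value, patterns, case_insensitive=False):
    """IAM wildcard matching: '*' is any run of characters, '?' one character.
    Action names compare case-insensitively; ARNs do not."""
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(statements, matcher):
    """IAM decision order: any matching Deny wins; otherwise a matching Allow
    allows; no matching statement at all is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if matcher(stmt):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def can_assume(trust_policy, service_principal):
    """Trust-policy question: may this service principal call sts:AssumeRole?"""
    def matcher(stmt):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        return (service_principal in services and
                _any_match("sts:AssumeRole", _as_list(stmt.get("Action", [])), True))
    return evaluate(trust_policy["Statement"], matcher)


def is_allowed(identity_policy, action, resource):
    """Identity-policy question: may the role perform this action on this ARN?"""
    def matcher(stmt):
        return (_any_match(action, _as_list(stmt.get("Action", [])), True) and
                _any_match(resource, _as_list(stmt.get("Resource", []))))
    return evaluate(identity_policy["Statement"], matcher)


def diagnose(trust_policy, identity_policy, service_principal, action, resource):
    """Troubleshooting order for an AccessDenied: a workload that cannot assume
    the role never reaches the identity policy, so check the trust side first."""
    if can_assume(trust_policy, service_principal) != "Allow":
        return f"trust policy: {service_principal} cannot assume the role"
    verdict = is_allowed(identity_policy, action, resource)
    if verdict != "Allow":
        return f"identity policy: {action} on {resource} -> {verdict}"
    return "allowed"
```

diagnose() mirrors the order a practitioner follows with the IAM Policy Simulator: an AccessDenied on sts:AssumeRole is a trust-policy problem, and no identity-policy change will fix it. Swapping the Service principal for lambda.amazonaws.com turns TRUST_POLICY into the trust policy of a Lambda execution role.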

Module 2: EC2 Instance Profiles

  • Define the relationship between an IAM Role and an Instance Profile (the profile is the container EC2 uses to attach exactly one role to an instance and deliver that role's credentials through IMDS).
  • Configure an EC2 instance to access S3 or SQS without hardcoded credentials.
  • Enforce and troubleshoot Instance Metadata Service Version 2 (IMDSv2), whose session-token requirement turns every credential read into a two-step, session-oriented exchange.
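The IMDSv2 session flow, as an added example that is not part of the course: a client that performs the PUT-for-token then GET-with-token exchange, run against a local mock that behaves like an instance configured with HttpTokens=required. The mock server, the role name and the credential payload are constructed for the demonstration; the header names and paths are the real IMDS ones, which on an instance are served at http://169.254.169.254.

```python
"""Added example: the IMDSv2 session-token flow against a local mock of the
EC2 Instance Metadata Service. Not part of the course material; the mock
server and its credential payload are constructed and the values are fake."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data: a role name and the shape of the JSON that IMDS
# returns for a role's temporary credentials.
ROLE_NAME = "example-app-role"
FAKE_CREDENTIALS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "fake-secret-for-demonstration-only",
    "Token": "fake-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class MockImdsV2Handler(BaseHTTPRequestHandler):
    """Mimics an instance launched with HttpTokens=required: every metadata
    read must carry a session token obtained via PUT /latest/api/token."""
    issued_tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body=""):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Token issuance: real IMDS requires a TTL between 1 and 21600 seconds.
        ttl = self.headers.get(TTL_HEADER)
        if self.path != "/latest/api/token" or not (ttl and ttl.isdigit() and 1 <= int(ttl) <= 21600):
            return self._send(400)
        token = secrets.token_urlsafe(32)
        self.issued_tokens.add(token)
        self._send(200, token)

    def do_GET(self):
        # The IMDSv2 check that defeats plain SSRF: a forged GET carrying no
        # session token is refused with 401 before any metadata is returned.
        if self.headers.get(TOKEN_HEADER) not in self.issued_tokens:
            return self._send(401)
        if self.path == f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
            return self._send(200, json.dumps(FAKE_CREDENTIALS))
        if self.path == "/latest/meta-data/iam/security-credentials/":
            return self._send(200, ROLE_NAME)
        self._send(404)


def start_mock_imds():
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockImdsV2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def _status(req):
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def imdsv1_style_get(base_url, path):
    """What a classic SSRF payload does: a bare GET with an attacker-chosen path."""
    return _status(urllib.request.Request(base_url + path, method="GET"))[0]


def fetch_role_credentials(base_url, ttl_seconds=300):
    """IMDSv2 flow: PUT for a session token, then GET with the token header."""
    token_req = urllib.request.Request(base_url + "/latest/api/token", method="PUT",
                                       headers={TTL_HEADER: str(ttl_seconds)})
    status, token = _status(token_req)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    role_req = urllib.request.Request(
        f"{base_url}/latest/meta-data/iam/security-credentials/{ROLE_NAME}",
        headers={TOKEN_HEADER: token})
    status, body = _status(role_req)
    if status != 200:
        raise RuntimeError(f"credential fetch failed: HTTP {status}")
    return json.loads(body)


if __name__ == "__main__":
    server, base = start_mock_imds()
    print("SSRF-style GET without token ->",
          imdsv1_style_get(base, "/latest/meta-data/iam/security-credentials/"))
    print("IMDSv2 flow ->", fetch_role_credentials(base)["AccessKeyId"])
    server.shutdown()
```

Running the block prints 401 for the token-less GET (the request a plain SSRF payload against IMDSv1 would have succeeded with) and the fake AccessKeyId for the proper two-step flow. On a real instance the equivalent enforcement is `aws ec2 modify-instance-metadata-options --http-tokens required`; the default PUT response hop limit of 1 additionally stops the token from being obtained from behind a container or proxy hop.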

Module 3: Lambda Execution Roles

  • Create an Execution Role that allows Lambda to write to CloudWatch Logs and attach to a VPC (the AWSLambdaBasicExecutionRole and AWSLambdaVPCAccessExecutionRole managed policies cover the logs and elastic network interface actions the service needs).
  • Apply a function resource-based policy (lambda:AddPermission) so that a principal in another account can invoke or trigger the function.

Module 4: Service & Container Roles

  • Distinguish between a Task Role (permissions the application code uses through the SDK) and an Execution Role (permissions the ECS container agent uses to pull the image from ECR, write logs and fetch secrets when the task starts).
  • Identify when to use Service-Linked Roles for automated service interactions.
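The task-role versus execution-role split, as an added example that is not part of the course: a small audit over an ECS task definition that flags three mistakes the objective above is about (the same role doing both jobs, static keys in the container environment, and a secret referenced in containerDefinitions that the execution role cannot read). The task definition, role policies, account ID and ARNs are constructed placeholders.

```python
"""Added example, not from the course: a small audit of an ECS task definition
for the task-role / execution-role split. The task definition and role
policies are constructed for illustration; account IDs and ARNs are fake."""
import fnmatch
import json

TASK_DEFINITION = json.loads("""{
  "family": "orders-api",
  "requiresCompatibilities": ["FARGATE"],
  "executionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::111122223333:role/orders-api-task-role",
  "containerDefinitions": [{
    "name": "orders-api",
    "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/orders-api:1.4.2",
    "environment": [
      {"name": "TABLE_NAME", "value": "orders"},
      {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE"}
    ],
    "secrets": [
      {"name": "DB_PASSWORD",
       "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:orders/db-AbCdEf"}
    ],
    "logConfiguration": {"logDriver": "awslogs",
      "options": {"awslogs-group": "/ecs/orders-api", "awslogs-region": "us-east-1"}}
  }]
}""")

# Identity policies attached to the two roles (constructed). The execution
# role can pull the image and ship logs; the task role can touch one table.
ROLE_POLICIES = {
    "arn:aws:iam::111122223333:role/ecsTaskExecutionRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Resource": "*",
                       "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                                  "ecr:GetDownloadUrlForLayer",
                                  "logs:CreateLogStream", "logs:PutLogEvents"]}]},
    "arn:aws:iam::111122223333:role/orders-api-task-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                       "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"}]},
}

# Environment variables the AWS SDKs read as static credentials.
LONG_TERM_KEY_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def _allows_action(policy, action):
    """True if any Allow statement grants the action (wildcards such as
    'secretsmanager:*' honoured, case-insensitive). Resource is ignored here."""
    if not policy:
        return False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and any(
                fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False


def audit_task_definition(task_def, role_policies):
    """Return findings (strings) about how the task definition splits roles.
    role_policies maps a role ARN to the identity policy attached to it."""
    findings = []
    exec_role = task_def.get("executionRoleArn")
    task_role = task_def.get("taskRoleArn")

    # 1. One principal for both jobs means a compromised container inherits the
    #    agent's ECR/logs rights and the agent inherits the app's data access.
    if exec_role and exec_role == task_role:
        findings.append("executionRoleArn and taskRoleArn are the same role; separate them")

    for container in task_def.get("containerDefinitions", []):
        name = container["name"]
        # 2. Static keys in the environment bypass the task role entirely.
        for var in container.get("environment", []):
            if var["name"] in LONG_TERM_KEY_VARS:
                findings.append(f"{name}: static credential {var['name']} in environment; "
                                "rely on the task role instead")
        # 3. 'secrets' are resolved by the ECS agent before the container starts,
        #    so the execution role, not the task role, must be able to read them.
        for secret in container.get("secrets", []):
            needed = ("secretsmanager:GetSecretValue" if ":secretsmanager:" in secret["valueFrom"]
                      else "ssm:GetParameters")
            if not _allows_action(role_policies.get(exec_role), needed):
                findings.append(f"{name}: secret {secret['name']} needs {needed} on the "
                                f"execution role {exec_role}")
    return findings


if __name__ == "__main__":
    for finding in audit_task_definition(TASK_DEFINITION, ROLE_POLICIES):
        print("-", finding)
```

The third check is the one most often missed in practice: because the agent fetches `secrets` entries at task start, granting secretsmanager:GetSecretValue to the task role alone leaves the task stuck in a provisioning failure, while the task role still needs only the permissions the application code itself calls.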

Module 5: Identity for Hybrid Workloads

  • Configure IAM Roles Anywhere to provide AWS credentials to on-premises servers using X.509 certificates.
  • Audit authorization failures in CloudTrail (events whose errorCode is AccessDenied) and use IAM Access Analyzer to validate policies and surface unused or externally shared access.

Visual Anchors

Authorization Flow for EC2

[diagram not rendered in this text version]

Logical Trust Relationship

[diagram not rendered in this text version]

Success Metrics

  • Conceptual Mastery: Ability to explain why instance profiles are used for EC2 but not for Lambda.
  • Practical Application: Successful deployment of a compute workload that can interact with S3 without any AWS_ACCESS_KEY_ID present in the environment or code.
  • Troubleshooting: Determining whether an AccessDenied (HTTP 403) comes from the trust policy (the workload cannot assume the role) or from the identity policy (the role lacks the action on the resource), using the IAM Policy Simulator.
  • SCS-C03 Readiness: Scoring 80%+ on practice questions specifically targeting Domain 3 (Infrastructure Security) and Domain 4 (IAM).

Real-World Application

In a production environment, authorizing compute workloads through roles rather than long-term keys is a primary defense against credential leakage. By using instance profiles and execution roles:

  • Security Compliance: Organizations satisfy credential-management controls in frameworks such as PCI DSS and SOC 2 by avoiding long-term secrets stored on disk or in code.
  • Automation: Auto-scaling groups can launch thousands of instances that are "born" with the correct permissions, requiring no manual key rotation.
  • Blast Radius Reduction: By using specific roles for specific microservices, a compromise of one container does not grant access to the entire AWS environment.

[!IMPORTANT] Always require IMDSv2 (HttpTokens=required) on EC2 instances: the session token must be fetched with a PUT request and sent with every metadata read, which blocks the simple GET-based SSRF (Server-Side Request Forgery) that steals instance-role credentials from IMDSv1.
