Exam Cram: AWS Authorization Strategies (SCS-C03)

Design, implement, and troubleshoot authorization strategies

This cram sheet focuses on Domain 4.2 of the AWS Certified Security - Specialty exam. It covers the design, implementation, and troubleshooting of complex authorization logic, including multi-account environments and attribute-based access control.

Topic Weighting

| Domain Section | Exam Weighting (Approx.) | Importance |
|---|---|---|
| Domain 4: IAM | 16% of total exam | High |
| 4.2: Authorization Strategies | ~8-10% of total exam | Critical |

[!IMPORTANT] Authorization is the most heavily tested sub-topic within the IAM domain. Expect complex policy evaluation questions involving SCPs and Permission Boundaries.

Key Concepts Summary

  • RBAC (Role-Based Access Control): Permissions assigned to roles/groups. Scalable for standard jobs but can lead to "role explosion."
  • ABAC (Attribute-Based Access Control): Permissions based on tags (e.g., Project: X). Scalable and dynamic; reduces the number of roles needed.
  • Permission Boundaries: A managed policy that sets the maximum permissions an IAM entity can have. It does not grant permissions on its own.
  • Service Control Policies (SCPs): Guardrails for AWS Organizations. They limit the maximum permissions for member accounts (even the root user).
  • Session Policies: Advanced policies passed during AssumeRole to further restrict the temporary session.
  • Resource-Based Policies: Attached directly to resources (S3 buckets, KMS keys). Unlike identity policies, they can allow cross-account access without a role.

Policy Evaluation Logic Flow

[Diagram: Policy evaluation logic flow]

Common Pitfalls

  • Implicit vs. Explicit Deny: Everything is denied by default (Implicit). An Explicit Deny in any policy (SCP, Identity, Resource) overrides all allows.
  • Confusing Boundaries with Roles: A permission boundary limits a role; it does not replace the identity policy. Both must allow the action.
  • Cross-Account Trust: For cross-account access using roles, you need TWO policies: a trust policy on the role being assumed (in the resource account) and an identity policy on the requesting principal.
  • S3 Public Access: Forgetting that S3 Block Public Access settings override even the most permissive bucket policies.
  • KMS Key Policies: If a KMS key policy doesn't explicitly allow the root user or a specific role, even the account admin cannot access the key.

Mnemonics / Memory Triggers

  • PARC (Policy Elements): Principal, Action, Resource, Condition.
  • D-S-B-I-R (Evaluation Order): Deny (Explicit) > SCP > Boundary > Identity > Resource.
  • ABAC is for Tags: Think Attribute = Asset Tag.

Formula / Equation Sheet

| Concept | Logical "Formula" for Access |
|---|---|
| Same Account Access | (Identity Policy OR Resource Policy) AND NOT Explicit Deny |
| Cross-Account Access | (Identity Policy AND Resource Policy) AND NOT Explicit Deny |
| Permission Boundary | Identity Policy ∩ Permission Boundary (Intersection) |
| Organization Access | SCP ∩ Permission Boundary ∩ Identity Policy |

Worked Examples

Example 1: The Intersection of Policies

Scenario: An IAM User has an identity policy allowing s3:*. They have a Permission Boundary allowing s3:Get*. There is an SCP allowing s3:Put* and s3:Get*.

  • Question: Can the user PutObject?
  • Answer: No. Although the Identity Policy and SCP allow it, the Permission Boundary does not. Access is the intersection of all three.

Example 2: ABAC Implementation

Requirement: Allow developers to stop EC2 instances ONLY if the instance's Project tag matches the user's Project tag.

```json
{
  "Effect": "Allow",
  "Action": "ec2:StopInstances",
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
    }
  }
}
```
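
The following is an added example, not code from the cram sheet or from AWS: a toy evaluator that applies the formula sheet's rules (explicit deny wins, SCP ∩ Permission Boundary ∩ Identity, identity OR resource in the same account, AND across accounts) and the ABAC tag condition above. It assumes simplified statements with Effect, Action and an optional StringEquals condition, and ignores Resource ARNs and all other condition operators.

```python
# Added example, not code from the page or from AWS: a toy evaluator for the
# sheet's access rules. Statements carry Effect, Action (string or list) and an
# optional StringEquals Condition with ${...} expansion; ARNs are ignored.
import re
from fnmatch import fnmatchcase


def _condition_holds(cond, ctx):
    """StringEquals only; ${aws:PrincipalTag/X} expands from the request context."""
    for key, expected in cond.get("StringEquals", {}).items():
        expected = re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), expected)
        if ctx.get(key) != expected:
            return False
    return True


def _matches(statements, action, effect, ctx):
    """True if a statement with this Effect covers the action and its condition holds."""
    for st in statements:
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        if st["Effect"] == effect and any(fnmatchcase(action, a) for a in actions):
            if _condition_holds(st.get("Condition", {}), ctx):
                return True
    return False


def is_allowed(action, identity, scp=None, boundary=None, resource=None,
               same_account=True, ctx=None):
    """Sheet's order: explicit deny first, SCP and boundary as filters
    (intersection), then identity OR resource (same account) / AND (cross)."""
    ctx = ctx or {}
    layers = [p for p in (identity, scp, boundary, resource) if p is not None]
    if any(_matches(p, action, "Deny", ctx) for p in layers):
        return False, "explicit deny"
    for name, pol in (("SCP", scp), ("permission boundary", boundary)):
        if pol is not None and not _matches(pol, action, "Allow", ctx):
            return False, f"implicit deny in {name}"
    id_ok = _matches(identity, action, "Allow", ctx)
    res_ok = resource is not None and _matches(resource, action, "Allow", ctx)
    if (same_account and (id_ok or res_ok)) or (not same_account and id_ok and res_ok):
        return True, "allowed"
    return False, "implicit deny"


# Constructed policy fragments mirroring Example 1 and Example 2 on the sheet.
IDENTITY = [{"Effect": "Allow", "Action": "s3:*"}]
BOUNDARY = [{"Effect": "Allow", "Action": "s3:Get*"}]
SCP = [{"Effect": "Allow", "Action": ["s3:Put*", "s3:Get*"]}]
ABAC = [{"Effect": "Allow", "Action": "ec2:StopInstances", "Condition": {
         "StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}}]
```

Running `is_allowed("s3:PutObject", IDENTITY, scp=SCP, boundary=BOUNDARY)` reproduces Example 1's answer, and the returned reason string is the kind of message you would look for in CloudTrail when a boundary blocks a call.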

Practice Set

  1. Which tool allows you to test IAM policies against specific API calls without actually running the command? (Ans: IAM Policy Simulator)
  2. Does an SCP grant permissions to a user in a member account? (Ans: No, it only filters/limits permissions granted by IAM policies).
  3. A user is blocked by a Permission Boundary. Where should you look to find the specific failure? (Ans: IAM Policy Simulator or CloudTrail errorMessage for "implicit deny in a permission boundary").
  4. True/False: A resource-based policy can grant access to a principal in the same account even if that principal has no identity-based permissions. (Ans: True, except for IAM roles where trust is required).
  5. Which service helps identify resources shared with external entities? (Ans: IAM Access Analyzer).

Fact Recall Blanks

  • The default decision for any request is an ______________ (Answer: Implicit Deny).
  • To allow an EC2 instance to call AWS APIs, you must attach an ______________ to the instance (Answer: IAM Instance Profile).
  • ______________ policies are used to allow a different account to assume a role (Answer: Trust).
  • The ______________ element in a policy defines who the policy applies to (Answer: Principal).
  • KMS keys can use ______________ policies to delegate permissions to the IAM service within an account (Answer: Key).
