Design Secure Architectures
Study cheat sheet Β· SAA-C03)
Generated May 15, 2026
Practice This Topic
Key Concepts
- Least Privilege: Grant only the minimum permissions needed β applies to IAM users, roles, and policies
- IAM Roles vs Users: Roles are preferred for AWS services (EC2, Lambda, etc.); users for humans; never hardcode credentials
- Resource-based vs Identity-based policies: Resource-based policies (S3 bucket policy, KMS key policy) attach to the resource; identity-based attach to the principal
- SCPs (Service Control Policies): Applied at AWS Organizations level β they limit what accounts can do, but don't grant permissions
- Permission Boundaries: Set the maximum permissions an IAM entity can have β useful for delegating admin without over-permissioning
- Encryption at rest: Use KMS (managed keys) or SSE for S3, EBS, RDS, etc.
- Encryption in transit: TLS/HTTPS β use ACM for certificates, enforce via bucket policies or ALB listeners
- VPC Security Layers: Security Groups (stateful, instance level) + NACLs (stateless, subnet level)
- Private vs Public Subnets: Public = internet-facing (IGW route); Private = no direct internet access, use NAT Gateway for outbound
- Secrets Management: Use Secrets Manager (auto-rotation) or Parameter Store (cheaper, no auto-rotation natively)
- WAF: Protects against Layer 7 attacks (SQLi, XSS) β attach to CloudFront, ALB, or API Gateway
- Shield: DDoS protection β Standard (free, always on) vs Advanced (paid, 24/7 response team)
- GuardDuty: Threat detection using logs (CloudTrail, VPC Flow Logs, DNS) β no agents needed
- CloudTrail: Logs all API calls β critical for auditing and forensics; enable in all regions
How It Works
Request Authorization Flow: 1. AWS evaluates all applicable policies (SCP β Permission Boundary β Identity Policy β Resource Policy) 2. Explicit Deny always wins β anywhere in the chain 3. Default is implicit deny β nothing is allowed unless explicitly permitted
VPC Traffic Flow: - Inbound: Internet β IGW β NACL (subnet) β Security Group (instance) - Security Groups are stateful (return traffic auto-allowed) - NACLs are stateless (must explicitly allow inbound AND outbound rules)
KMS Envelope Encryption: - Data is encrypted with a data key, which is itself encrypted by the KMS CMK - Decryption requires calling KMS to unwrap the data key first
Commands / Syntax / Key Values
| Service / Feature | Key Detail |
|---|---|
| S3 Block Public Access | Account-level setting overrides bucket policies |
| S3 Server-Side Encryption | SSE-S3 (AWS managed), SSE-KMS (audit trail), SSE-C (customer key) |
| Security Group rules | Stateful β allow inbound = return traffic automatic |
| NACL rules | Stateless β need explicit allow for BOTH directions; evaluated in number order |
| KMS Key rotation | Automatic annual rotation for CMKs (enable manually) |
| IAM policy evaluation | Deny > Allow; no policy = implicit deny |
| Secrets Manager | Supports auto-rotation via Lambda |
| Parameter Store | SecureString type = KMS encrypted |
| VPC Endpoint | Gateway (S3, DynamoDB β free) vs Interface (most services β uses PrivateLink, has cost) |
Exam Gotchas
- SCPs don't grant permissions β even if SCP allows something, IAM policies must also allow it. An SCP is a guardrail, not a grant.
- NACLs are stateless β a common trap is allowing inbound traffic but forgetting the outbound rule (especially ephemeral ports 1024β65535 for responses).
- Security Groups can't explicitly deny β you can only allow; to block specific IPs you need NACLs.
- Secrets Manager β Parameter Store β if the question mentions automatic rotation, answer is Secrets Manager. If cost-sensitive or simple config, use Parameter Store.
- **IAM
My Notes
Edit your saved notes here. Saving replaces what is stored.
Add More Notes
Paste new content here. It will be added below your existing notes β nothing gets overwritten.