Authentication
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Data Engineer - Associate premium course — no separate purchase.
Included in this chapter:
- Roles, not keys: how a pipeline component proves who it is
- Wiring identity into compute and databases
- Network-level authentication: who can even connect
- Exam-pattern recognition
Authentication and connectivity mechanisms for a data pipeline
| Mechanism | What it authenticates / gates | Credential lifetime | Typical use in DEA |
|---|---|---|---|
| IAM role (service role / instance profile) | A compute component's identity to AWS | Temporary (auto-expiring session) | Lambda, Glue, EMR, EC2 calling S3/DDB/Redshift |
| IAM user access key | A person or external client to AWS | Long-lived until rotated | Only when roles cannot be used |
| Secrets Manager secret | App-to-database username/password | Rotated on a schedule | JDBC to RDS/Aurora/Redshift |
| Security group | Which network sources may connect | N/A (network rule) | Gate inbound to RDS/Redshift/EC2 |
| VPC endpoint (PrivateLink / gateway) | Private path to an AWS service | N/A (network path) | Reach S3, DynamoDB, APIs without public internet |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.