Domain 4 of 4 · Chapter 1 of 5

Authentication

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Data Engineer - Associate premium course — no separate purchase.

Included in this chapter:

  • Roles, not keys: how a pipeline component proves who it is
  • Wiring identity into compute and databases
  • Network-level authentication: who can even connect
  • Exam-pattern recognition

Authentication and connectivity mechanisms for a data pipeline

MechanismWhat it authenticates / gatesCredential lifetimeTypical use in DEA
IAM role (service role / instance profile)A compute component's identity to AWSTemporary (auto-expiring session)Lambda, Glue, EMR, EC2 calling S3/DDB/Redshift
IAM user access keyA person or external client to AWSLong-lived until rotatedOnly when roles cannot be used
Secrets Manager secretApp-to-database username/passwordRotated on a scheduleJDBC to RDS/Aurora/Redshift
Security groupWhich network sources may connectN/A (network rule)Gate inbound to RDS/Redshift/EC2
VPC endpoint (PrivateLink / gateway)Private path to an AWS serviceN/A (network path)Reach S3, DynamoDB, APIs without public internet

Decision tree

What does the component need?authentication / connectivityCall an AWS service(S3, DynamoDB, Redshift API)Connect to a DB byusername / passwordReach it privatelyoff the public internetIAM roleexec role / instance profileSecrets Managerstore + auto-rotateGatewayS3 / DynamoDBInterfacePrivateLink ENIAlways: security group gates the connectionallow only known sources; IAM never uses static keysAWS APIDB loginprivate pathS3/DDBother

Cheat sheet

  • Give compute an IAM role, never an embedded access key
  • A role's trust policy decides who may assume it; the permissions policy decides what it can do
  • A service role's trust policy names a service principal like glue.amazonaws.com
  • An :root principal in a trust policy means the whole account, not the root user
  • EC2 attaches an instance profile, which contains the role
  • Lambda, Glue, EMR, and Step Functions each take their own service role
  • Managed vs unmanaged services differ in who runs the runtime, not how identity works
  • Keep database credentials in Secrets Manager and fetch them at runtime
  • Managed rotation needs no Lambda for RDS, Aurora, Redshift, and a few others
  • A custom rotation Lambda runs four steps in order
  • Pick alternating-users rotation to avoid a credential gap
  • Security groups are stateful, so the return traffic is allowed automatically
  • Gateway endpoints serve only S3 and DynamoDB; everything else needs an interface endpoint
  • A VPC endpoint keeps traffic on the AWS network, unlike a NAT gateway
  • A VPC endpoint policy restricts which principals or resources the endpoint may reach
  • Use an S3 Access Point per consumer instead of one giant bucket policy
  • Role chaining caps the session at one hour
  • GetClusterCredentialsWithIAM auto-maps the IAM identity 1:1, so you pass no DbUser
  • The IAMA: prefix means AutoCreate made a new Redshift user; IAM: means it already existed
  • Force traffic through one VPC endpoint with a Deny on aws:sourceVpce StringNotEquals
  • Network ACLs are stateless and operate at the subnet, so they need explicit rules both ways

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. AssumeRole — AWS Security Token Service API Reference
  2. IAM roles (trust policy)
  3. IAM roles terms and concepts (role chaining)
  4. Use instance profiles (roles for Amazon EC2)
  5. Rotate AWS Secrets Manager secrets
  6. AWS PrivateLink concepts
  7. Managing access to shared datasets with S3 access points