Domain 4 of 4 · Chapter 2 of 5

Authorization

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Data Engineer - Associate premium course — no separate purchase.

Included in this chapter:

  • The policy evaluation model: deny-by-default, explicit deny wins
  • Custom least-privilege policies, RBAC, and ABAC
  • Fine-grained data permissions: Lake Formation, Redshift GRANT, secret stores
  • Exam-pattern recognition: reading the authorization question

Choosing the authorization mechanism

MechanismWhat it controlsGranularityBest for
IAM identity/resource policyAWS API actions on AWS resourcesAction + resource ARN + ConditionService-level access (call Athena, read an S3 prefix)
Permission boundary / SCPCeiling on max permissionsAction + resource, deny-or-cap onlyCapping what an identity or account can ever be granted
ABAC (tag-based)Actions where principal tag matches resource tagPer-tag, any matching resourceScaling access as projects and resources grow
Lake Formation grantCatalog database / table / column / row / cellDown to a single cell via data filtersFine-grained access to S3 data-lake tables
Redshift SQL GRANTIn-database schemas, tables, columnsDatabase object level, via rolesPermissions inside a Redshift database

Decision tree

Capping max permissions (a ceiling)? yes Permission boundary or SCP identity / org ceiling no Authorizing data inside a store? no Least-privilege IAM policy ABAC if resources grow yes S3 lake table in the Glue Data Catalog? yes Lake Formation grant + data filter column / row / cell; LF-Tags to scale no (Redshift) Redshift SQL GRANT / REVOKE on roles schema / table / column Always: explicit Deny wins; store credentials in Secrets Manager (rotation) or Parameter Store SecureString (no rotation), never in code.

Cheat sheet

  • An IAM policy statement is Effect, Action, Resource, and an optional Condition
  • A request is denied by default, and an explicit Deny overrides every Allow
  • Identity and resource policies union in the same account; cross-account needs both sides
  • A permission boundary intersects identity policies; it caps, never grants
  • An SCP caps permissions for member accounts and never touches the management account
  • Write a customer-managed least-privilege policy when no managed policy fits
  • ABAC matches a principal tag to a resource tag, so new resources need no policy edit
  • RBAC lists specific resources, so a new resource means editing the policy
  • Pass corporate attributes into ABAC with IAM session tags from your IdP
  • Lake Formation grants replace S3 bucket and IAM policies for catalog data
  • Lake Formation data filters give column, row, and cell-level security on SELECT
  • Scale Lake Formation grants across many tables with LF-Tags
  • Lake Formation vends temporary credentials; unregistered tables fall back to S3 and IAM
  • Authorize inside Redshift with SQL GRANT on roles, then grant the role to users
  • Redshift ships system-defined roles to delegate former superuser tasks
  • Use Secrets Manager when credentials need rotation, Parameter Store SecureString when they don't
  • Hybrid access mode lets new principals use Lake Formation while old ones keep IAM
  • Bucket owner enforced disables ACLs so the bucket owner owns every uploaded object
  • Guard a service-principal bucket policy with aws:SourceArn and aws:SourceAccount

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Policy evaluation logic
  2. Permissions boundaries for IAM entities
  3. Service control policies (SCPs)
  4. IAM JSON policy elements: Condition
  5. Security best practices in IAM
  6. Define permissions based on attributes with ABAC authorization
  7. AWS Lake Formation: How it works
  8. Data filtering and cell-level security in Lake Formation
  9. Role-based access control (RBAC) in Amazon Redshift
  10. What is AWS Secrets Manager?