Authorization
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Data Engineer - Associate premium course — no separate purchase.
Included in this chapter:
- The policy evaluation model: deny-by-default, explicit deny wins
- Custom least-privilege policies, RBAC, and ABAC
- Fine-grained data permissions: Lake Formation, Redshift GRANT, secret stores
- Exam-pattern recognition: reading the authorization question
Choosing the authorization mechanism
| Mechanism | What it controls | Granularity | Best for |
|---|---|---|---|
| IAM identity/resource policy | AWS API actions on AWS resources | Action + resource ARN + Condition | Service-level access (call Athena, read an S3 prefix) |
| Permission boundary / SCP | Ceiling on max permissions | Action + resource, deny-or-cap only | Capping what an identity or account can ever be granted |
| ABAC (tag-based) | Actions where principal tag matches resource tag | Per-tag, any matching resource | Scaling access as projects and resources grow |
| Lake Formation grant | Catalog database / table / column / row / cell | Down to a single cell via data filters | Fine-grained access to S3 data-lake tables |
| Redshift SQL GRANT | In-database schemas, tables, columns | Database object level, via roles | Permissions inside a Redshift database |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- Policy evaluation logic
- Permissions boundaries for IAM entities
- Service control policies (SCPs)
- IAM JSON policy elements: Condition
- Security best practices in IAM
- Define permissions based on attributes with ABAC authorization
- AWS Lake Formation: How it works
- Data filtering and cell-level security in Lake Formation
- Role-based access control (RBAC) in Amazon Redshift
- What is AWS Secrets Manager?