Below are the bare essentials you need to know to answer the IAM & STS DVA-C02 quiz. Focus on these concepts—they cover the patterns repeatedly tested in the quiz. fileciteturn0file0


AWS IAM & STS – DVA-C02 Bare Essentials

1. IAM (Identity and Access Management)

What it is

IAM controls who can do what in AWS.

Think: - Authentication → Who are you? - Authorization → What are you allowed to do?


2. IAM Users

What they are

Permanent identities for people.

Exam Tip

Avoid IAM users for applications.

Use IAM Roles instead.


3. IAM Groups

Groups simplify permissions.

Example

Developers Group

Attach one policy to the group instead of every user.


4. IAM Roles

Roles provide temporary credentials.

Used by:

Golden Rule

Applications should use IAM Roles, never hardcoded keys.


5. IAM Policies

Policies are JSON documents that define permissions.

They contain

Example

Allow

s3:GetObject

on

arn:aws:s3:::mybucket/*

6. Explicit Deny Wins

Evaluation order:

Explicit Deny
        ↓
Overrides everything

Allow
        ↓
Only works if no Deny exists

Implicit Deny
(Default)

Remember

Explicit Deny ALWAYS wins.


7. Least Privilege

Give only the permissions required.

Not

s3:*

Instead

s3:GetObject

if reading only.

AWS loves Least Privilege questions.


8. IAM Policy Variables

Useful variable

${aws:username}

Example

bucket/users/${aws:username}/*

One policy works for every user.


9. IAM Roles for AWS Services

EC2

Attach an

Instance Profile

SDK automatically gets credentials.


Lambda

Attach an

Execution Role

Lambda automatically gets temporary credentials.


Elastic Beanstalk

Uses an

Instance Profile Role


CodeBuild

Uses a

Service Role


Exam Rule

Never store AWS keys inside:

Use Roles.


10. Instance Metadata Service (IMDS)

EC2 retrieves temporary credentials from

169.254.169.254

AWS SDK does this automatically.

No code required.


11. STS (Security Token Service)

STS issues

Temporary Credentials

Contains

Credentials expire automatically.


12. AssumeRole

Most important STS API.

Used for

Flow

Role
↓

STS AssumeRole

↓

Temporary credentials

13. Cross-Account Access

Correct solution

Account B

Create Role

Trust Policy

Allows Account A Role

Application calls

AssumeRole()

Never share keys.


14. Trust Policy

Trust policy answers

Who can assume this role?

Permission policy answers

What can this role do?

Remember the difference.


15. Session Policies

Session Policy

Can only reduce permissions.

Never increase permissions.

Effective permission

Role Policy
      ∩
Session Policy

Intersection only.


16. STS GetSessionToken

Used when

MFA is required.

Returns temporary credentials that prove MFA was performed.

Common exam scenario

High-value banking transaction.


17. STS AssumeRoleWithSAML

Used with

Enterprise login

Examples

No IAM users required.


18. Federation

Employees login with corporate credentials.

Identity Provider authenticates

STS issues temporary AWS credentials

No IAM users.


19. Cognito vs IAM

Cognito User Pool

Authentication

"Who are you?"

Supports


Cognito Identity Pool

Authorization

Provides temporary AWS credentials.

Internally uses STS.


20. Guest Access

Identity Pools support

Unauthenticated identities.

Guest users receive limited temporary credentials.


21. MFA

Adds

Password

+

One Time Code

Used for


22. Policy Simulator

Useful before deployment.

Console

IAM Policy Simulator

CLI

aws iam simulate-principal-policy

Tests permissions without performing actions.


23. get-caller-identity

CLI

aws sts get-caller-identity

Shows

Great debugging command.


24. Resource Policies

Some AWS resources have policies.

Examples

These work together with IAM.


25. S3 Bucket Policy

Controls access to bucket.

Useful for


26. KMS Permissions

For auditing encryption

Use

SSE-KMS

Benefits


27. Secrets

Never hardcode

Store in


28. Organizations SCP

Service Control Policy

Works at

Organization

OU

Account

SCP limits maximum permissions.

Even Admin cannot bypass an SCP Deny.


29. IAM Permission Evaluation

Final permission depends on

And

Explicit Deny always wins.


30. Common Exam Patterns

Use IAM Role when


Use STS AssumeRole when


Use Federation when


Use Cognito when


Use IAM Users only for

Not for applications.


DVA-C02 Memory Sheet

Situation Correct Answer
EC2 needs AWS access IAM Role (Instance Profile)
Lambda needs AWS access Execution Role
Cross-account access STS AssumeRole
Corporate login SAML Federation
Mobile app Cognito
Temporary credentials STS
Test permissions IAM Policy Simulator
MFA temporary credentials STS GetSessionToken
Who can assume role? Trust Policy
Role permissions Permission Policy
Role + Session Policy Intersection
Explicit Deny Always wins
Secrets Secrets Manager / Parameter Store
Audit encryption SSE-KMS
Organization-wide restriction SCP
Personal S3 folders ${aws:username}
Never store keys Use IAM Roles

These concepts cover the core IAM and STS knowledge repeatedly tested in Developer Associate exams and directly address the patterns found throughout your 37-question quiz.