Below are the bare essentials you need to know to answer the IAM & STS DVA-C02 quiz. Focus on these concepts—they cover the patterns repeatedly tested in the quiz. fileciteturn0file0
IAM controls who can do what in AWS.
Think: - Authentication → Who are you? - Authorization → What are you allowed to do?
Permanent identities for people.
Exam Tip
Avoid IAM users for applications.
Use IAM Roles instead.
Groups simplify permissions.
Example
Developers Group
Attach one policy to the group instead of every user.
Roles provide temporary credentials.
Used by:
Golden Rule
Applications should use IAM Roles, never hardcoded keys.
Policies are JSON documents that define permissions.
They contain
Example
Allow
s3:GetObjecton
arn:aws:s3:::mybucket/*Evaluation order:
Explicit Deny
↓
Overrides everything
Allow
↓
Only works if no Deny exists
Implicit Deny
(Default)Remember
Explicit Deny ALWAYS wins.
Give only the permissions required.
Not
s3:*Instead
s3:GetObjectif reading only.
AWS loves Least Privilege questions.
Useful variable
${aws:username}Example
bucket/users/${aws:username}/*One policy works for every user.
Attach an
Instance Profile
SDK automatically gets credentials.
Attach an
Execution Role
Lambda automatically gets temporary credentials.
Uses an
Instance Profile Role
Uses a
Service Role
Exam Rule
Never store AWS keys inside:
Use Roles.
EC2 retrieves temporary credentials from
169.254.169.254AWS SDK does this automatically.
No code required.
STS issues
Temporary Credentials
Contains
Credentials expire automatically.
Most important STS API.
Used for
Flow
Role
↓
STS AssumeRole
↓
Temporary credentialsCorrect solution
Account B
↓
Create Role
↓
Trust Policy
↓
Allows Account A Role
↓
Application calls
AssumeRole()
Never share keys.
Trust policy answers
Who can assume this role?
Permission policy answers
What can this role do?
Remember the difference.
Session Policy
Can only reduce permissions.
Never increase permissions.
Effective permission
Role Policy
∩
Session PolicyIntersection only.
Used when
MFA is required.
Returns temporary credentials that prove MFA was performed.
Common exam scenario
High-value banking transaction.
Used with
Enterprise login
Examples
No IAM users required.
Employees login with corporate credentials.
↓
Identity Provider authenticates
↓
STS issues temporary AWS credentials
No IAM users.
Authentication
"Who are you?"
Supports
Authorization
Provides temporary AWS credentials.
Internally uses STS.
Identity Pools support
Unauthenticated identities.
Guest users receive limited temporary credentials.
Adds
Password
+
One Time CodeUsed for
Useful before deployment.
Console
IAM Policy Simulator
CLI
aws iam simulate-principal-policyTests permissions without performing actions.
CLI
aws sts get-caller-identityShows
Great debugging command.
Some AWS resources have policies.
Examples
These work together with IAM.
Controls access to bucket.
Useful for
For auditing encryption
Use
SSE-KMS
Benefits
Never hardcode
Store in
Service Control Policy
Works at
Organization
↓
OU
↓
Account
SCP limits maximum permissions.
Even Admin cannot bypass an SCP Deny.
Final permission depends on
And
Explicit Deny always wins.
Not for applications.
| Situation | Correct Answer |
|---|---|
| EC2 needs AWS access | IAM Role (Instance Profile) |
| Lambda needs AWS access | Execution Role |
| Cross-account access | STS AssumeRole |
| Corporate login | SAML Federation |
| Mobile app | Cognito |
| Temporary credentials | STS |
| Test permissions | IAM Policy Simulator |
| MFA temporary credentials | STS GetSessionToken |
| Who can assume role? | Trust Policy |
| Role permissions | Permission Policy |
| Role + Session Policy | Intersection |
| Explicit Deny | Always wins |
| Secrets | Secrets Manager / Parameter Store |
| Audit encryption | SSE-KMS |
| Organization-wide restriction | SCP |
| Personal S3 folders | ${aws:username} |
| Never store keys | Use IAM Roles |
These concepts cover the core IAM and STS knowledge repeatedly tested in Developer Associate exams and directly address the patterns found throughout your 37-question quiz.