Designing Secure Access: IAM Best Practices, Roles, and AWS Organizations
Task 1.1 covers how you design access to AWS resources: hardening root and IAM users, choosing roles and temporary credentials over long-lived keys, granting cross-account access with IAM roles or resource-based policies, federating a workforce through IAM Identity Center, and governing many accounts with AWS Organizations, SCPs, and AWS Control Tower. It sits inside Design Secure Architectures, the largest SAA-C03 domain at 30% of scored content, and access design is the part of that domain the exam returns to most often. The questions are rarely about what IAM is — they hand you a working setup and ask which access design is MOST secure, needs the LEAST operational overhead, or follows least privilege. By the end of this lesson you will be able to pick the right identity mechanism for any actor — a human, an EC2 application, another account, or a third-party SaaS — and the right guardrail layer for any organizational restriction, and explain why the alternatives lose.
On this page9 sections
- The hardening baseline: root users, MFA, and least privilege
- How IAM policy evaluation decides: explicit deny, allows, and boundaries
- Roles and STS: temporary credentials beat access keys
- Cross-account access: IAM roles vs resource-based policies
- Federation and IAM Identity Center: workforce access at scale
- Multi-account design: AWS Organizations, OUs, and SCPs
- AWS Control Tower: governed multi-account setup without the assembly
- Decision tables: the right access pattern and the right guardrail
- Worked scenarios: reasoning through Task 1.1 questions
- Choose between IAM roles, IAM users, and IAM Identity Center for any actor that needs AWS access
- Design cross-account access and decide when an assumed role beats a resource-based policy
- Distinguish SCPs, identity-based policies, and permissions boundaries by what each can and cannot do
- Design a multi-account structure with AWS Organizations OUs, SCP guardrails, and AWS Control Tower
- Apply IAM policy evaluation logic — explicit deny wins — to predict the outcome of layered policies
- Harden root users and enforce MFA and least privilege in design scenarios
The hardening baseline: root users, MFA, and least privilege
Every access design starts from the same baseline, and SAA-C03 expects you to apply it reflexively rather than recite it. The root user of each account is hardened first: enable MFA on it, delete any root access keys, and stop using it for daily work. Root exists for the handful of tasks only it can perform — closing the account, changing the support plan, certain billing operations — and everything else runs through IAM identities. When a scenario mentions that administrators "sign in with the root user" or that "root access keys are embedded in a script," that detail is the vulnerability the question wants fixed, regardless of what else is going on.
For human IAM identities, the baseline is MFA everywhere and permissions granted to groups, not individual users. Attaching policies user-by-user is an operational-overhead trap: the design answer assigns users to groups (developers, auditors, operations) and attaches policies to the groups. You should also recognize that an IAM policy can require MFA for sensitive actions using a condition — a common pattern for allowing destructive operations like terminating instances only from MFA-authenticated sessions.
Least privilege at Associate level is a design discipline, not a slogan. It means scoping policies to the specific actions, resources, and conditions a workload needs: an application that reads one DynamoDB table gets dynamodb:GetItem on that table's ARN, not dynamodb:* on *. In answer options, broad managed policies like AdministratorAccess or wildcard resources are almost always the marker of a wrong answer when a tighter option exists.
One framing note: under the shared responsibility model, everything in this lesson is squarely on your side of the line. AWS operates IAM, STS, and Organizations as services, but every identity you create, every policy you write, and every trust relationship you configure is customer responsibility — which is exactly why this task statement exists. The exam tests the baseline indirectly: it buries a root-usage or missing-MFA detail inside a bigger scenario and rewards the option that fixes it with the least disruption.
How IAM policy evaluation decides: explicit deny, allows, and boundaries
You cannot design layered access controls without an intuition for how AWS evaluates a request. The logic you need for the exam compresses to three rules. First, everything is implicitly denied by default — a request is only allowed if some applicable policy explicitly allows it. Second, an explicit deny overrides every allow, no matter where the allow lives. Third, when multiple guardrail layers apply — SCPs, permissions boundaries, session policies — the effective permissions are the intersection: an action must be allowed at every applicable layer to succeed.
Within a single account, identity-based policies (attached to users, groups, roles) and resource-based policies (attached to resources like S3 buckets, SQS queues, KMS keys, Lambda functions) are evaluated together as a union: an allow in either is enough, provided nothing denies it. This is why a bucket policy can grant access to a principal whose identity policy says nothing about S3 — and why an explicit deny in a bucket policy blocks even an account administrator. Across accounts the rule tightens: both sides must agree, which the next sections build on.
A permissions boundary is an advanced feature you need at recognition level: a managed policy attached to a user or role that sets the maximum permissions that identity can have. Like an SCP, a boundary never grants anything — the effective permissions are the intersection of the boundary and the identity policies. The classic use case is delegation: you let developers create their own IAM roles, but every role they create must carry a boundary that caps what those roles can do, so developers cannot escalate their own privileges.
On the exam, this section is the debugging toolkit. When a scenario says a user "has an allow policy but still gets access denied," hunt for the explicit deny — in an SCP, a boundary, or a resource policy. When it asks how to let teams self-serve IAM without risking escalation, the answer is permissions boundaries. And when two options differ only in that one relies on "removing allows" and the other adds an explicit deny for a must-never-happen action, the explicit deny is the stronger, intended control.
Roles and STS: temporary credentials beat access keys
The single most reliable decision rule in Task 1.1: anything that can use an IAM role should use an IAM role, never long-lived access keys. A role is an identity with permissions but no permanent credentials. When a trusted principal assumes it, AWS STS issues temporary credentials — an access key, secret key, and session token — that expire automatically. There is nothing to rotate, nothing to leak into a Git repository, and nothing to revoke user-by-user after an incident. Access keys, by contrast, live until someone deletes them, and scenarios that mention keys "stored in application code," "in a configuration file," or "shared between developers" are describing the problem the correct answer eliminates.
The pattern you will see most is the EC2 instance role: attach a role to an instance via an instance profile, and applications on it retrieve automatically rotated temporary credentials from the instance metadata service. The same principle extends everywhere compute runs — Lambda execution roles, ECS task roles — so "application on AWS compute needs AWS API access" always resolves to a role, and any option that creates an IAM user with access keys for a workload is wrong.
Role switching applies the same mechanism to humans. Instead of giving an administrator standing full access, you give them a modest daily identity plus permission to assume a privileged role when needed — via sts:AssumeRole, gated by the role's trust policy and optionally an MFA condition. Every assumption is a distinct, loggable event in CloudTrail, which gives you an audit story that standing permissions cannot match. Roles also power federation: AssumeRoleWithSAML signs in workforce users from an external identity provider, and AssumeRoleWithWebIdentity does the same for mobile and web app users authenticated by an OIDC provider — the mechanism underneath Amazon Cognito identity pools.
The exam probes this with MOST secure and LEAST overhead qualifiers. Rotating access keys more often is never the best answer when a role can remove the keys entirely; the option that eliminates long-lived credentials beats every option that merely manages them better.
Cross-account access: IAM roles vs resource-based policies
When account A needs to reach a resource in account B, you have two mechanisms, and SAA-C03 loves to make you choose. Option one: account B creates a cross-account IAM role whose trust policy names account A (or a specific principal in it) as trusted; principals in A call sts:AssumeRole and operate in B with the role's permissions. Both sides must agree — B's trust policy admits the caller, and A must allow its principal to perform the assume call. Option two: account B attaches a resource-based policy directly to the resource — a bucket policy, SQS queue policy, KMS key policy, or Lambda function policy — granting account A's principal access to that resource.
The decision hinges on a nuance worth stating precisely. When you assume a role, you temporarily give up your original permissions and take on the role's permissions instead — you become a different principal. With a resource-based policy, you keep your own identity and permissions and simply gain access to the remote resource on top of them. That difference is decisive in the classic Lambda scenario: a function in account A must read a queue or bucket in account B and write results to resources in its own account, in the same invocation. If the function assumes a role in B, it loses access to account A's resources mid-flight. The clean answer is a resource-based policy in B granting the function's execution role access — the function keeps its home permissions and reaches across in one identity.
Two more decision inputs. Not every service supports resource-based policies — where the target doesn't, a cross-account role is the only path, and a role is also the better fit when the external party needs to perform many actions across many resources rather than touch one resource. And when the external party is a third-party SaaS vendor (a monitoring or cost tool), the pattern is a cross-account role whose trust policy requires an external ID — a shared secret the vendor must present on every assume call, defeating the confused-deputy attack where a different customer of that vendor tricks it into using your role. Scenarios that mention granting access to a partner or vendor and an answer option containing "external ID" are pointing you straight at it.
Federation and IAM Identity Center: workforce access at scale
Creating an IAM user per employee per account does not scale and does not survive an audit: credentials multiply, offboarding means chasing users across accounts, and nothing ties access back to the HR system. The design answer for human workforce access is federation — your people authenticate against one identity source, and AWS trusts that source to vouch for them, issuing temporary role credentials via STS rather than storing passwords in IAM.
AWS IAM Identity Center (the successor to AWS Single Sign-On) is the service the exam expects you to reach for. It provides a single sign-on portal across all accounts in an AWS Organization: you define permission sets (collections of policies that materialize as roles in each target account) and assign users or groups to accounts with those permission sets. The identity source can be Identity Center's built-in store, Microsoft Active Directory, or any external SAML 2.0 identity provider such as Okta or Microsoft Entra ID, with SCIM keeping users and groups in sync. Employees get one credential, MFA in one place, and offboarding becomes a single disable in the IdP.
You should also recognize the older building blocks, because scenarios and distractors still use them: SAML 2.0 federation directly to IAM lets an IdP call AssumeRoleWithSAML against a per-account IAM identity provider and role — workable, but you configure it account by account, which is exactly the overhead Identity Center removes. "When to federate a directory service" has a simple answer shape: the company already has AD or another corporate IdP, so you federate it rather than recreate identities in AWS.
Keep one boundary crisp: Identity Center is for your workforce accessing AWS accounts and business applications. Customers of your consumer-facing web or mobile app are not workforce — they belong to Amazon Cognito, covered under Task 1.2. On the exam, "employees," "multiple accounts," and "existing Active Directory / corporate IdP" together mean IAM Identity Center; any answer minting IAM users at scale, or asking you to manage per-account SAML trust when Identity Center is on offer, is there to be eliminated on operational-overhead grounds.
Multi-account design: AWS Organizations, OUs, and SCPs
At Associate level, multiple accounts are the default architecture, not an edge case: separate accounts isolate workloads and blast radius, cap the impact of compromised credentials, and cleanly separate production from development and security tooling from application teams. AWS Organizations is the service that binds them — one management account creates the organization, member accounts join it, and you get consolidated billing and centralized policy control. Accounts are grouped into organizational units (OUs), which can nest, and you design OUs around policy needs (Production, Sandbox, Security) rather than org charts, because OUs are where guardrails attach.
Those guardrails are service control policies (SCPs), and their semantics are the most-tested fact in this section: an SCP never grants a permission — it only sets the maximum available permissions for the accounts it applies to. Think of it as a filter: a principal's effective permissions are the intersection of what its IAM policies allow and what the SCPs permit. Attaching an SCP full of allows to an account gives its users nothing until an IAM policy grants those actions. SCPs attached to an OU inherit down to every account and nested OU beneath it, which is what makes them guardrails: deny leaving the organization, deny disabling CloudTrail, deny regions you don't operate in — once, at the OU, for everything below.
Two precision points the exam checks. SCPs do affect member accounts' root users — the one control that constrains root, which is why "prevent even administrators in member accounts from doing X" resolves to an SCP. But SCPs do not affect the management account at all — no SCP applies to it, root or otherwise, which is both a reason to keep workloads out of the management account and a fact distractors invert.
Scenario-wise, SCP questions wear a uniform: "ensure that no user in any account, including administrators, can …" — disable security tooling, use an unapproved region, delete audit resources. IAM policies can't do it (a member admin could edit them); an SCP on the right OU can. Conversely, if a question asks how to give a team access to something, an SCP is never the answer — it cannot grant.
AWS Control Tower: governed multi-account setup without the assembly
AWS Organizations gives you the raw machinery — accounts, OUs, SCPs — but wiring a well-architected multi-account environment out of it by hand means designing the OU layout, baselining logging and audit accounts, writing the guardrail SCPs, and building an account-creation pipeline yourself. AWS Control Tower packages that work: it sets up a landing zone, a pre-configured, best-practice multi-account environment built on top of Organizations, with a defined OU structure and dedicated accounts for log archive and audit out of the box.
Control Tower manages compliance through controls, historically called guardrails, in two flavors you must be able to tell apart. Preventive controls stop non-compliant actions from happening at all — implemented as SCPs, so a denied action fails at the API. Detective controls detect and flag non-compliant resources after the fact — implemented with AWS Config rules, surfacing violations on the Control Tower dashboard without blocking anything. "Prevent it from ever happening" versus "identify it when it happens" is exactly how questions distinguish the two. Control Tower also provides Account Factory, a standardized, self-service way to provision new accounts that arrive pre-enrolled in the guardrails and baseline configuration, replacing hand-built account setup.
The Organizations-versus-Control-Tower decision is about what the scenario emphasizes. If it needs a specific mechanism — consolidated billing, an SCP to restrict actions — Organizations vocabulary answers it directly. If it describes a company about to scale from a few accounts to many and asks for a governed multi-account environment with the LEAST effort to set up and operate, or mentions provisioning new accounts that are compliant from day one, Control Tower is the answer: it is the managed, opinionated layer, and hand-rolling the same governance with raw Organizations is the higher-overhead distractor. Control Tower uses Organizations underneath, so the two are complementary, not competing — a nuance that eliminates answer options framing them as either/or.
Expect Control Tower questions to be recognition-level: match "landing zone," "Account Factory," and preventive-versus-detective controls to their definitions, and pick Control Tower whenever governed account vending at scale is the requirement.
Decision tables: the right access pattern and the right guardrail
Most Task 1.1 questions reduce to one of two lookups: who needs access, and through what mechanism? — or — what restriction is needed, and at which layer? Internalize these two tables and the majority of scenarios become pattern-matching.
| Who needs access | Correct mechanism | Why it wins |
|---|---|---|
| Human workforce (employees, many accounts, existing IdP or AD) | IAM Identity Center with permission sets, federated to the corporate identity source | One credential per person, central MFA and offboarding, temporary role credentials in every account — no per-account IAM users to manage |
| Application on EC2 / Lambda / ECS | IAM role attached to the compute (instance profile, execution role, task role) | STS-issued temporary credentials, auto-rotated; no keys in code or config to leak or rotate |
| Principal in another AWS account (broad or multi-service access) | Cross-account IAM role in the target account; caller uses sts:AssumeRole | Both accounts must consent (trust policy + caller's IAM policy); every assumption is auditable in CloudTrail |
| Principal in another account needing one resource while keeping its own permissions | Resource-based policy on the target resource (bucket, queue, key, function) | Caller keeps its home-account identity and permissions — the cross-account Lambda pattern |
| Third-party SaaS vendor | Cross-account role with an external ID condition in the trust policy | External ID defeats the confused-deputy attack; no credentials are ever handed to the vendor |
| Consumer users of your web/mobile app | Amazon Cognito (not IAM, not Identity Center) | Customer identity is application-facing — workforce tools are the wrong layer |
The second lookup separates the three policy layers that restrict, grant, or cap permissions:
| SCP | Identity-based IAM policy | Permissions boundary | |
|---|---|---|---|
| Attaches to | Organization root, OU, or account | User, group, or role | A single user or role |
| Can grant permissions? | Never — only limits the maximum | Yes — the only layer here that grants | Never — only caps the maximum |
| Affects root users? | Yes, in member accounts (never the management account) | No — root is not governed by IAM policies | No — applies to IAM identities only |
| Scope of effect | Every principal in the affected accounts | Only the attached identity | Only the attached identity |
| Typical exam trigger | "No one in any account, including admins, may …" | "Grant the team access to …" | "Let developers create roles without escalating privileges" |
Effective permissions are always the intersection of the applicable layers, with any explicit deny winning outright. When answer options mix these layers, ask two questions: does this option need to grant (then only an IAM policy can), and does it need to bind people who could otherwise change the rules (then it must be an SCP, set above their account).
Worked scenarios: reasoning through Task 1.1 questions
Scenario 1. A company runs 40 AWS accounts in AWS Organizations. Security requires that no one in any development account — including account administrators — can disable AWS CloudTrail or create resources outside eu-west-1. What is the MOST effective way to enforce this?
Reasoning: The requirement is a restriction that must bind administrators. An IAM policy in each account fails immediately: member-account admins have iam:* and can edit or detach whatever you deploy. A permissions boundary fails for the same reason at a different layer — it applies per identity, and admins control identities. The phrase "including administrators" plus "any account" is the SCP signature: attach an SCP to the development OU that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail, and denies all actions when the requested region is not eu-west-1 (with the necessary global-service exemptions). It inherits to every account in the OU, constrains even member-account root users, and no principal inside those accounts can lift it — because SCPs are managed from the organization, above the accounts they govern.
Scenario 2. An application running on EC2 instances in account A must read objects from an S3 bucket in account B, and write the processed output to a DynamoDB table in account A. The security team wants the LEAST complex solution with no long-lived credentials. What do you recommend?
Reasoning: "No long-lived credentials" removes every option involving IAM users or access keys, so the instances need an instance role in account A — that part is fixed. The interesting choice is how the role reaches account B's bucket. If it assumes a role in account B, it takes on that role's permissions and temporarily loses its own — including the DynamoDB write access in account A — forcing awkward credential juggling inside one processing flow. The cleaner design: account B attaches a bucket policy granting s3:GetObject to account A's instance role, and the role's own identity policy carries the S3 read and DynamoDB write permissions. One identity, both sides of the job, nothing to rotate. This is the resource-based-policy-over-role rule earning its keep.
Scenario 3. A third-party cost-optimization SaaS needs read access to billing and usage data across a company's accounts. The vendor asks each customer to "create an IAM user and send us the access keys." What should the architect do instead?
Reasoning: Shipping access keys to an external party is the anti-pattern the question exists to punish — keys are long-lived, unauditable in the vendor's hands, and revocation is manual. The correct design: create a cross-account IAM role with a read-only, least-privilege policy, set its trust policy to the vendor's AWS account, and require the vendor-supplied external ID in the trust condition so another customer of the vendor cannot induce it to assume your role — the confused-deputy defense. The vendor assumes the role with STS and receives only temporary credentials; you can cut access at any moment by editing one trust policy.
Tip. SAA-C03 tests this task with constraint-qualified scenarios: a working architecture plus "MOST secure," "LEAST operational overhead," or "following the principle of least privilege," where several options technically function and one best fits the qualifier. Classic shapes include the organization-wide restriction that must bind administrators (SCP), the application holding access keys (replace with a role), the cross-account Lambda or S3 access choice (role vs resource policy), the third-party vendor request (role plus external ID), and the workforce-at-scale question (IAM Identity Center over IAM users). Trap patterns to expect: options that use an SCP to grant access, claim SCPs restrict the management account, rotate access keys instead of eliminating them, or solve a many-account human-access problem by minting IAM users. When two options both work, the one that removes long-lived credentials or centralizes the control above the affected accounts usually wins.
- SCPs never grant permissions — they cap the maximum; effective access is the intersection of SCPs, boundaries, and IAM policies, and an explicit deny always wins.
- SCPs bind member accounts including their root users, but never affect the management account.
- Anything running on AWS compute gets an IAM role, never access keys — temporary STS credentials eliminate rotation and leakage.
- Cross-account: assume a role for broad access; use a resource-based policy when the caller must keep its own permissions (the Lambda pattern).
- Third-party vendor access = cross-account role + external ID (confused-deputy defense) — never shared access keys.
- Workforce across many accounts = IAM Identity Center federated to the corporate IdP; app customers = Cognito; neither gets IAM users.
- Permissions boundaries cap what a delegated identity can do — the answer to "let developers create roles without privilege escalation."
- Control Tower = managed landing zone on top of Organizations: preventive controls are SCPs, detective controls are Config rules, Account Factory vends compliant accounts.
Frequently asked questions
What is the difference between an SCP and an IAM policy?
An IAM policy grants permissions to a specific user, group, or role — it is the only layer that can actually allow an action. A service control policy (SCP) is an AWS Organizations guardrail attached to an OU or account that sets the maximum permissions available inside; it can never grant anything. A principal's effective permissions are the intersection: an action must be allowed by an IAM policy and permitted by every applicable SCP. SCPs also constrain member-account root users, which IAM policies cannot, but SCPs have no effect on the organization's management account.
When should I use a cross-account IAM role vs a resource-based policy?
Use a resource-based policy (bucket policy, queue policy, key policy) when the caller needs access to one specific resource while keeping its own identity and permissions — for example, a Lambda function that reads a bucket in another account and writes to tables in its own account in the same invocation. Use a cross-account IAM role when the caller needs broader access across many resources or services in the target account, or when the target service does not support resource-based policies. Remember: assuming a role temporarily replaces your permissions; a resource policy adds access on top of them.
What is an external ID in AWS and when do I need one?
An external ID is a value the target account requires in a role's trust policy condition: anyone assuming the role must present it in the AssumeRole call. You need one whenever you grant a third party — typically a SaaS vendor — access to your account via a cross-account role. It prevents the confused-deputy problem, where a different customer of that same vendor tricks the vendor's systems into assuming your role instead of theirs. The vendor generates a unique external ID per customer, so a request on behalf of the wrong customer fails the condition.
Should I use IAM users or IAM Identity Center for employees?
IAM Identity Center, almost always. IAM users carry long-lived passwords and access keys that you must rotate, monitor, and delete per account — for a workforce across multiple accounts, that operational load and offboarding risk make them the wrong tool. Identity Center gives every employee single sign-on into all organization accounts through permission sets backed by temporary role credentials, and it federates with an existing identity source like Active Directory, Okta, or Microsoft Entra ID. IAM users remain acceptable only for narrow edge cases, such as a legacy tool that genuinely cannot use roles or federation.
Do SCPs apply to the AWS Organizations management account?
No. SCPs have no effect whatsoever on the management account — not on its IAM users, its roles, or its root user. They apply only to member accounts, where they do constrain every principal including the member account's root user. This is precisely why AWS recommends keeping workloads and day-to-day activity out of the management account: it is the one account your organization-wide guardrails cannot reach. Exam options sometimes claim an SCP will restrict the management account or that member root users are exempt — both are the inverse of the truth.
How does AWS decide whether a request is allowed when multiple policies apply?
Evaluation starts from implicit deny: nothing is allowed until a policy explicitly allows it. An explicit deny anywhere — identity policy, resource policy, SCP, permissions boundary — overrides all allows and ends the evaluation. Within one account, identity-based and resource-based policies work as a union: an allow in either is sufficient. Guardrail layers work as an intersection: the action must also be permitted by every applicable SCP and by the permissions boundary if one is attached. So the practical checklist is: any explicit deny? Denied. Allowed by IAM or resource policy, and inside every guardrail? Allowed.
What is the difference between AWS Organizations and AWS Control Tower?
AWS Organizations is the foundational service: it groups accounts under a management account, arranges them into OUs, applies SCPs, and consolidates billing. AWS Control Tower is a managed governance layer built on top of Organizations: it sets up a best-practice landing zone with log archive and audit accounts, enforces preventive controls (implemented as SCPs) and detective controls (implemented as AWS Config rules), and provisions new, pre-governed accounts through Account Factory. Choose Organizations vocabulary when a question needs a specific mechanism like an SCP; choose Control Tower when it asks for a governed multi-account environment with minimal setup and ongoing effort.
Sign up free to mark lessons complete, bookmark topics and track your exam readiness.