Account Security Essentials

MFA, credential types, IAM Identity Center, and the layered access practices every AWS account should follow.

8 min read

Authentication factors and credentials

Key points

  • Passwords sign humans (IAM users) into the console; enforce length, complexity and rotation with the account's IAM password policy. The policy does not cover the root user, whose password you manage separately.
  • Access keys (an access key ID plus a secret access key) give programmatic access through the CLI and SDKs. Rotate them, never commit them to source control, and prefer roles so there is no long-term key to leak in the first place.
  • Multi-factor authentication (MFA) adds a second factor (authenticator app, FIDO security key, hardware TOTP token). Enable it for the root user and every human IAM user.
  • Temporary credentials come from IAM roles via AWS STS. They expire on their own, so they are preferred over long-term keys everywhere: EC2 instances, Lambda functions, cross-account access and federated humans alike.

Least privilege and its friends

The principle of least privilege, granting only the permissions a task requires and nothing more, is the exam's favorite security phrase. Start narrow and widen as needed, not the reverse. Complementary practices: assign permissions to groups rather than to individual users, review and remove unused credentials, and require MFA for sensitive operations (a policy statement can check the aws:MultiFactorAuthPresent condition key so that a destructive action is allowed only when the caller signed in with MFA).
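To make the contrast concrete, the following is an added example (not code from the page or from AWS): a small lint that reads an IAM policy document and flags the two habits that violate least privilege, wildcard actions or resources and sensitive actions allowed without an MFA condition. The over-broad policy, the narrow replacement, the bucket name `example-reports` and the list of "sensitive" actions are all constructed for illustration.

```python
"""Least-privilege lint for IAM policy documents (added example, not AWS code)."""
import fnmatch
import json

# Constructed sample: the over-broad policy the text warns against.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: the same job (read and write reports in one bucket, delete
# only with MFA) written narrowly. The bucket name is an assumption.
NARROW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-reports/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-reports/*",
            # Condition key that is true only when the caller authenticated with MFA
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})

# Actions this example treats as sensitive enough to demand MFA. The list is an
# assumption for illustration; choose your own. Lower-case because IAM matches
# action names case-insensitively.
SENSITIVE_ACTIONS = {"s3:deleteobject", "s3:deletebucket", "iam:*", "kms:scheduledeletion"}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def requires_mfa(statement):
    """True when the statement only applies if the caller used MFA."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def audit_policy(policy_json, sensitive_actions=SENSITIVE_ACTIONS):
    """Return a list of findings; an empty list means nothing to complain about."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard action")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' applies to every resource")
        if not requires_mfa(stmt):
            # An action is a hit if it matches a sensitive pattern (iam:*) or is
            # itself a wildcard that covers one (s3:*, *).
            hits = sorted({a for a in actions for pat in sensitive_actions
                           if fnmatch.fnmatchcase(a, pat) or fnmatch.fnmatchcase(pat, a)})
            if hits:
                findings.append(f"statement {i}: sensitive action(s) {hits} allowed without MFA")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, audit_policy(doc) or "OK")
```

Run it and the broad policy produces three findings while the narrow one is clean. The check is deliberately conservative: it treats `s3:*` as covering `s3:DeleteObject`, which is exactly the kind of "widen first, tighten later" grant the text tells you to avoid.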

Sign-in at scale

AWS IAM Identity Center

Single sign-on (SSO) for your workforce across multiple AWS accounts and business apps; the modern replacement for creating a separate IAM user in every account.

AWS Security Token Service (STS)

Issues the short-lived credentials behind every role assumption and identity federation (AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity).

Amazon Cognito

Sign-up/sign-in and identity management for your application's end users (customers), including social logins.

AWS Directory Service

Managed Microsoft Active Directory in the cloud for AD-dependent workloads.

Exam tip

Employee/workforce single sign-on across accounts → IAM Identity Center. Sign-in for your app's *customers* → Cognito. Don't mix these up — it's a frequent distractor pair.

Tip

The IAM credential report is a CSV listing every user (the root user included) with the status and last-used dates of their passwords, access keys and MFA; it is the quick way to audit account credentials. IAM Access Analyzer flags resources (S3 buckets, IAM roles, KMS keys and others) whose policies grant access to principals outside your account or organization.
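As an added example of turning that report into the checks the key points above ask for (MFA on every human user, rotated keys, no unused credentials, nothing long-lived on root), here is a script that is not from the page or from AWS. It parses a constructed credential report trimmed to the columns it needs; the account ID, user names, dates and the 90-day threshold are all assumptions. The optional `fetch_credential_report` helper pulls the live report with boto3 and is only imported when called, so the offline part runs without boto3 installed.

```python
"""Audit an IAM credential report offline (added example, not AWS code)."""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample report, trimmed to the columns this check reads. A real
# report has more columns (cert_1_active, access_key_1_last_used_region, ...).
# Account ID, user names and dates are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,true,true,2022-01-10T09:05:00+00:00,2024-05-01T08:10:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-01T10:00:00+00:00,true,2024-05-20T07:30:00+00:00,2024-04-02T10:00:00+00:00,true,true,2024-03-15T10:00:00+00:00,2024-05-20T07:31:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T10:00:00+00:00,true,2023-12-01T09:00:00+00:00,2023-06-01T10:00:00+00:00,false,true,2023-06-01T10:00:00+00:00,2024-05-18T11:02:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-01T10:00:00+00:00,false,no_information,N/A,false,true,2023-09-01T10:00:00+00:00,N/A,false,N/A,N/A
"""

# Reference date for the constructed sample so the results are reproducible.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_date(value):
    """Report dates are ISO 8601; N/A, no_information and not_supported mean
    'no date' and come back as None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=AS_OF, max_age_days=90):
    """Return findings as dicts with user, check and detail keys."""
    limit = timedelta(days=max_age_days)
    findings = []

    def flag(user, check, detail):
        findings.append({"user": user, "check": check, "detail": detail})

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            flag(user, "root_no_mfa", "root user has no MFA device")
        # Root shows password_enabled as not_supported, so this branch is IAM users only.
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                flag(user, "no_mfa", "console password enabled but MFA not active")
            last_used = _parse_date(row["password_last_used"])
            if last_used is None or now - last_used > limit:
                flag(user, "unused_password", f"password not used in the last {max_age_days} days")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                flag(user, "root_access_key", f"root user has active access key {n}")
            rotated = _parse_date(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > limit:
                flag(user, "stale_access_key", f"access key {n} last rotated: {rotated or 'unknown'}")
            if _parse_date(row[f"access_key_{n}_last_used_date"]) is None:
                flag(user, "unused_access_key", f"access key {n} is active but has never been used")
    return findings


def fetch_credential_report():
    """Download the live report. Needs boto3 plus iam:GenerateCredentialReport and
    iam:GetCredentialReport; boto3 is imported here so the offline sample runs without it."""
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{finding['user']:<16} {finding['check']:<18} {finding['detail']}")
```

On the sample, `alice` (MFA on, key rotated 77 days ago and recently used) produces nothing; `bob` is flagged for a console password without MFA, a password unused for six months and a year-old key; `ci-deploy` has a stale key that was never used; and the root user is flagged for having an access key at all, on top of its age. Swap `SAMPLE_REPORT` for `fetch_credential_report()` and `AS_OF` for `datetime.now(timezone.utc)` to run it against a real account.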

Knowledge check
Question 1 of 3

Granting a user ONLY the permissions required to perform their specific job is known as…