Account Security Essentials
MFA, credential types, IAM Identity Center, and the layered access practices every AWS account should follow.
Authentication factors and credentials
Key points
- Passwords sign humans (IAM users and the root user) into the console; an IAM password policy enforces length, complexity, reuse and rotation rules for IAM users (it does not govern the root user's password).
- Access keys (an access key ID plus a secret access key) give programmatic access through the CLI and SDKs; rotate them, never commit them to code, and keep none on the root user.
- Multi-factor authentication (MFA) adds a second factor (virtual authenticator app, FIDO2 security key, or hardware TOTP token) on top of the password. Enable it for the root user and every human IAM user.
- Temporary credentials (access key, secret and session token with an expiry) are issued by AWS STS when a principal assumes a role or federates; prefer them to long-term access keys everywhere, for people and workloads alike.
Least privilege and its friends
The principle of least privilege, granting only the permissions a task requires and nothing more, is the exam's favorite security phrase. Start narrow and widen as needed, not the reverse. Complementary practices: attach permissions to groups (or roles) rather than to individual users, review and remove unused credentials, and require MFA for sensitive operations, which a policy can enforce with the aws:MultiFactorAuthPresent condition key.
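As an added illustration (not code from the original page or from AWS), the following Python lints a policy document for the patterns that break least privilege: a full or service-wide Action wildcard, Resource "*", and sensitive actions allowed without an MFA condition. The policy documents, the bucket name and account ID, and the choice of iam:/sts:/organizations: as the "sensitive" prefixes are constructed assumptions.

```python
"""Least-privilege lint for IAM policy documents.

Added example, not from the original page or from AWS. It flags the three
patterns that most often widen a policy past what a task needs: a full or
service-wide Action wildcard, Resource "*", and sensitive actions allowed
without an MFA condition. Which prefixes count as "sensitive" is an
assumption chosen for illustration.
"""

# Assumption: actions under these services need the MFA condition.
SENSITIVE_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement: dict) -> bool:
    """True if the statement carries Bool aws:MultiFactorAuthPresent = true."""
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    value = bool_cond.get("aws:MultiFactorAuthPresent", "")
    return str(value).lower() == "true"


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means no red flags."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append(f"stmt[{i}]: Action '*' grants every API call in every service")
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append(f"stmt[{i}]: service-wide wildcard {wide}")

        if "*" in resources:
            findings.append(f"stmt[{i}]: Resource '*' applies to every resource in the account")

        sensitive = "*" in actions or any(a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if sensitive and not _requires_mfa(stmt):
            findings.append(f"stmt[{i}]: sensitive actions allowed without aws:MultiFactorAuthPresent")
    return findings


# Constructed policies (hypothetical bucket name and account ID).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # read/write one bucket's objects, nothing else
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
        },
        {   # the one IAM action a user needs, on their own user only, and only with MFA
            "Effect": "Allow",
            "Action": "iam:ChangePassword",
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in [("broad", BROAD_POLICY),
                         ("service-wildcard", SERVICE_WILDCARD_POLICY),
                         ("narrow", NARROW_POLICY)]:
        print(name, lint_policy(policy) or "OK")
```

The linter deliberately ignores Deny statements, since they only narrow access, and it does not handle NotAction or NotResource; a production check should treat those as broad grants unless proven otherwise.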
Sign-in at scale
- IAM Identity Center (successor to AWS Single Sign-On): single sign-on (SSO) for your workforce across multiple AWS accounts and business apps, the modern replacement for per-account IAM users.
- AWS Security Token Service (STS): issues the short-lived credentials behind every role assumption and federation.
- Amazon Cognito: sign-up/sign-in and identity management for your application's end users (customers), including social logins.
- AWS Directory Service (AWS Managed Microsoft AD): managed Microsoft Active Directory in the cloud for AD-dependent workloads.
Employee/workforce single sign-on across accounts → IAM Identity Center. Sign-in for your app's *customers* → Cognito. Don't mix these up — it's a frequent distractor pair.
The IAM credential report is a downloadable CSV listing every user in the account with the status and age of their passwords, access keys and MFA; it is the quick way to audit account credentials. IAM Access Analyzer flags resources (S3 buckets, IAM roles, KMS keys and others) whose policies share them with entities outside your account or organization.
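The audit the credential report enables, as an added Python example (not code from the original page or from AWS): it parses the report CSV and flags console users without MFA, a root user with MFA off or holding an access key, and active access keys that are stale or idle. The column layout is the one the real report uses; the rows, the account ID, the 90-day thresholds and the fixed "now" are constructed assumptions.

```python
"""Audit an IAM credential report for weak account hygiene.

Added example, not from the original page or from AWS. It reads the report
CSV and flags: console users without MFA, a root user with MFA off or with
an access key, and active access keys that are stale or idle. The column
names are the real report's; the rows, account ID, thresholds and the fixed
"now" used for a repeatable run are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_KEY_AGE = timedelta(days=90)   # assumption: rotation policy
MAX_KEY_IDLE = timedelta(days=90)  # assumption: unused-credential threshold

# Constructed sample in the credential report's column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,true,2020-01-10T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T10:00:00+00:00,true,2024-05-20T12:00:00+00:00,2024-03-01T10:00:00+00:00,2024-05-30T10:00:00+00:00,true,true,2024-04-15T10:00:00+00:00,2024-05-20T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T10:00:00+00:00,true,2024-05-19T12:00:00+00:00,2022-06-01T10:00:00+00:00,N/A,false,true,2022-06-01T10:05:00+00:00,2023-01-01T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-09-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-09-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601; N/A, not_supported and no_information mean 'none'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_report(csv_text: str, now: Optional[datetime] = None) -> list[str]:
    """Return one finding per weakness; an empty list means the report is clean."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_root = row["user"] == "<root_account>"
        label = "root" if is_root else row["user"]

        if is_root and row["mfa_active"] != "true":
            findings.append("root: MFA not enabled")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{label}: console password without MFA")

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append(f"root: active access key {n} (root should have none)")
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append(f"{label}: access key {n} last rotated {(now - rotated).days} days ago")
            used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if used is None or now - used > MAX_KEY_IDLE:
                findings.append(f"{label}: access key {n} idle for {MAX_KEY_IDLE.days}+ days; remove it")
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample run is repeatable

if __name__ == "__main__":
    for finding in audit_report(SAMPLE_REPORT, NOW):
        print(finding)
```

Against a live account, generate the report with `aws iam generate-credential-report`, then fetch it with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the decoded CSV to audit_report; the sample run above flags root's access key, bob's missing MFA and stale key, and deploy-bot's never-used key, while alice (MFA on, recently rotated and used key) produces nothing.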
Granting a user ONLY the permissions required to perform their specific job is known as…