Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1. Authentication on AWS

💡 First Principle: Authentication answers the question "who are you?" — it verifies identity before any access is granted. Think of it like a building security checkpoint: before you can enter any room (authorization), you must first prove you're a recognized person (authentication). Without robust authentication, your data pipeline is an unlocked door — anyone can walk in.

A misconfigured IAM role is one of the fastest paths to a data breach. Imagine a Lambda function with an overly broad role that can access every S3 bucket in the account — if the function is compromised, the attacker inherits all that access. The exam tests your understanding of IAM fundamentals (users, roles, policies), VPC security (how to isolate data resources), and credential management (Secrets Manager for rotating passwords, Parameter Store for configuration).
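The overly broad Lambda role described above can be caught before deployment by inspecting the policy document itself. The following is an added example, not part of the original course material: both policy documents are constructed samples, the bucket name `example-pipeline-input` is hypothetical, and the check looks only at `Effect`, `Action` and `Resource` (it does not evaluate `Condition` blocks).

```python
# Added example: flag IAM policy statements that let a role reach every S3 bucket.
# Both policy documents are constructed samples; the bucket name is hypothetical.

ALL_S3 = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}

BROAD_POLICY = {  # the "every bucket" role from the paragraph above
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {  # least privilege: one action on one bucket's objects
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadInput", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-pipeline-input/*"},
    ],
}

def as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def broad_s3_statements(policy):
    """Return (sid, reason) pairs for Allow statements not scoped to named buckets."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "Allow with NotAction/NotResource grants everything not listed"))
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        resources = as_list(stmt.get("Resource", []))
        if not any(a == "*" or a.startswith("s3:") for a in actions):
            continue  # statement does not grant S3 actions
        if any(r in ALL_S3 for r in resources):
            findings.append((sid, "S3 actions allowed without naming specific buckets"))
        elif any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "every S3 action allowed; list only the calls the function makes"))
    return findings

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, broad_s3_statements(doc))
```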

What's the difference between an IAM user and an IAM role? Users have long-term credentials (username/password, access keys) — suited for humans. Roles have temporary credentials assumed by services (Lambda, Glue, EC2) — suited for machine-to-machine access. The exam almost always prefers roles over users for service authentication.

Written by Alvin Varughese
Founder • 15 professional certifications