Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.1. Identity & Access Management

IAM is the front door, side door, and every internal door of your AWS environment. Without proper identity controls, a single compromised credential can cascade into full account takeover — and unlike a physical break-in, you might not notice for weeks. Think of IAM like a building access system: users get keycards (credentials), roles define which floors and rooms they can enter (permissions), and policies enforce the rules even when no guard is watching (automated enforcement).

This section covers IAM entities, identity federation, permissions boundaries, and policy design patterns. The exam heavily tests IAM policy evaluation logic — can you trace the allow/deny path through SCPs, resource policies, identity policies, and permissions boundaries?
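The allow/deny path described above, as an added example that is not part of the original course material: a simplified Python model of how AWS decides a same-account request made by an IAM user, run over constructed policies. Assumptions: session policies, resource control policies and Condition keys are not modelled, the resource policy is assumed to name the user as Principal, and `evaluate`, the policy constants and the sample ARNs are hypothetical.

```python
from fnmatch import fnmatchcase

def _effect(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy's statements."""
    hits = {s["Effect"] for s in policy
            if any(fnmatchcase(action.lower(), a.lower()) for a in s["Action"])
            and any(fnmatchcase(resource, r) for r in s["Resource"])}
    return "Deny" if "Deny" in hits else ("Allow" if "Allow" in hits else None)

def evaluate(action, resource, scp, identity, boundary=None, resource_policy=None):
    """Trace one request; returns (decision, deciding layer)."""
    layers = {"SCP": scp, "resource policy": resource_policy,
              "identity policy": identity, "permissions boundary": boundary}
    verdict = {n: _effect(p, action, resource) for n, p in layers.items() if p is not None}
    # 1. An explicit Deny in any layer ends evaluation.
    for name, v in verdict.items():
        if v == "Deny":
            return "Deny", f"explicit deny: {name}"
    # 2. The SCP is a ceiling: no Allow there means implicit deny.
    if verdict["SCP"] != "Allow":
        return "Deny", "implicit deny: SCP"
    # 3. Same account, user named as Principal: a resource policy Allow is sufficient,
    #    and an implicit deny in the boundary does not limit it.
    if verdict.get("resource policy") == "Allow":
        return "Allow", "resource policy"
    # 4. Otherwise identity policy and boundary (if attached) must both allow.
    for name in ("identity policy", "permissions boundary"):
        if name in verdict and verdict[name] != "Allow":
            return "Deny", f"implicit deny: {name}"
    return "Allow", "identity policy"

# Constructed sample policies (not from the page); Condition blocks are not modelled.
SCP = [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
       {"Effect": "Deny", "Action": ["cloudtrail:StopLogging"], "Resource": ["*"]}]
IDENTITY = [{"Effect": "Allow", "Action": ["s3:*", "cloudtrail:*"], "Resource": ["*"]}]
BOUNDARY = [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["*"]}]
BUCKET_POLICY = [{"Effect": "Allow", "Action": ["s3:PutObject"],
                  "Resource": ["arn:aws:s3:::example-bucket/*"]}]
OBJ = "arn:aws:s3:::example-bucket/report.csv"
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example"

if __name__ == "__main__":
    for act, res, rp in [("s3:GetObject", OBJ, None), ("s3:DeleteObject", OBJ, None),
                         ("s3:PutObject", OBJ, BUCKET_POLICY),
                         ("cloudtrail:StopLogging", TRAIL, None)]:
        print(act, evaluate(act, res, SCP, IDENTITY, BOUNDARY, rp))
```

The `s3:PutObject` case is the one to study: the identity policy allows it and the boundary does not, so the request is denied unless the bucket policy grants it to the user directly.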

Written by Alvin Varughese • Founder • 15 professional certifications