5.1. Authentication Strategies
Authentication answers the question "who are you?" before any authorization decision can be made. Without strong authentication, authorization is meaningless — a perfectly scoped IAM policy applied to an identity that anyone can assume provides zero protection. Think of authentication like the ID check at a building entrance: the guard doesn't care what rooms you're allowed in until they've confirmed who you are. What fails when authentication is weak? Shared credentials mean you can't attribute actions to individuals (destroying audit trails), no MFA means a single stolen password compromises everything, and long-term access keys that never rotate are just data breaches waiting to happen.
This section covers how to design and implement authentication for humans, applications, and systems — including federation, MFA, temporary credentials, and troubleshooting authentication failures.
Scenario: A security audit reveals 150 IAM users with long-term access keys, 40% of which haven't been rotated in over a year. Some keys are embedded in application code on GitHub. How does this authentication posture create risk?
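The kind of check that would surface the audit findings in the scenario above, as an added example that is not part of the original text: it reads an IAM credential report in CSV form and flags every active access key older than a rotation threshold, plus every user without MFA. The report text embedded here is constructed sample data trimmed to the columns the check uses (a real report carries more), the 90-day threshold is an assumed policy value, and the account id and user names are placeholders.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an IAM credential report, trimmed to the
# columns this check reads. Placeholder account id and user names, not real data.
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-04-10T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,false,true,2022-06-01T08:30:00+00:00,true,2022-07-01T08:30:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,true,2023-11-20T12:00:00+00:00,false,N/A
"""

# Assumed rotation policy: keys older than this are reported as stale.
MAX_KEY_AGE = timedelta(days=90)


def parse_report(text):
    """Parse the CSV body of a credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_keys(rows, now, max_age=MAX_KEY_AGE):
    """Return (user, key_slot, age_in_days) for every active key older than max_age."""
    findings = []
    for row in rows:
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # The report gives rotation times as ISO-8601 with a UTC offset.
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = now - rotated
            if age > max_age:
                findings.append((row["user"], slot, age.days))
    return findings


def users_without_mfa(rows):
    """Users whose mfa_active flag is not set (root is reported separately)."""
    return [r["user"] for r in rows
            if r["mfa_active"] != "true" and r["user"] != "<root_account>"]


def summarize(text, now):
    """Produce the headline numbers an auditor would report from one credential report."""
    rows = parse_report(text)
    findings = stale_keys(rows, now)
    with_keys = {r["user"] for r in rows
                 if r["access_key_1_active"] == "true" or r["access_key_2_active"] == "true"}
    with_stale = {user for user, _, _ in findings}
    return {
        "users_with_keys": len(with_keys),
        "users_with_stale_keys": len(with_stale),
        "stale_key_pct": round(100 * len(with_stale) / len(with_keys)) if with_keys else 0,
        "stale_keys": findings,
        "users_without_mfa": users_without_mfa(rows),
        "root_mfa_enabled": any(r["user"] == "<root_account>" and r["mfa_active"] == "true"
                                for r in rows),
    }


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    report = summarize(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real account the CSV body comes from `aws iam get-credential-report`, which returns it base64-encoded in the `Content` field; decode that and pass it to `summarize` with `datetime.now(timezone.utc)`. The same two signals (key age and `mfa_active`) are what drive the remediation the section goes on to recommend: replacing long-lived keys with federated, temporary credentials and requiring MFA.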
Reflection Question: Why does the exam expect you to recommend federation and temporary credentials over IAM users with access keys in nearly every scenario?