Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.3. Phase 5 Reflection Checkpoint

Key Takeaways:
  1. IAM Identity Center for human workforce access, Cognito for customer-facing apps, IAM roles for service access
  2. IAM Roles Anywhere extends temporary credential-based access to on-premises workloads using X.509 certificates
  3. Verified Permissions provides application-level authorization using Cedar policies — separate from IAM
  4. ABAC scales better than RBAC for dynamic environments but requires tag governance controls
  5. Policy evaluation starts from default deny and proceeds SCPs → Resource Policies → Identity Policies → Permissions Boundaries → Session Policies; an explicit deny at any stage wins
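
As an added illustration of takeaway 5 (example code, not part of the course material), a constructed Python model of the evaluation order for a same-account request. The sample policies, ARNs and the `evaluate` function are assumptions made for this exercise; the model deliberately omits cross-account and resource-policy-bypass nuances so that the layered order and "explicit deny wins" rule stand out.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not real account data). A policy is a list of
# statements; Action/Resource are strings or lists and may use '*' wildcards.
SCP = [{"Effect": "Allow", "Action": "*", "Resource": "*"},
       {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]
IDENTITY = [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*"}]
BOUNDARY = [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _has(policies, effect, action, resource):
    return any(s["Effect"] == effect and _matches(s, action, resource)
               for p in policies for s in p)

def evaluate(action, resource, *, scps=(), resource_policies=(),
             identity_policies=(), boundary=None, session_policies=()):
    """Simplified same-account evaluation in the order of takeaway 5 (assumed model).
    Returns (decision, reason)."""
    bound = [boundary] if boundary else []
    everything = [*scps, *resource_policies, *identity_policies, *bound, *session_policies]
    # Explicit deny in any layer wins, no matter what else allows.
    if _has(everything, "Deny", action, resource):
        return "Deny", "explicit deny"
    # SCPs, when attached, set the outer limit for the whole account.
    if scps and not _has(scps, "Allow", action, resource):
        return "Deny", "implicit deny: no SCP allows"
    # Same account: a resource policy OR an identity policy must grant the action.
    if not (_has(resource_policies, "Allow", action, resource)
            or _has(identity_policies, "Allow", action, resource)):
        return "Deny", "implicit deny: no identity or resource policy allows"
    # A permissions boundary caps what the identity policy may grant.
    if bound and not _has(bound, "Allow", action, resource):
        return "Deny", "implicit deny: outside permissions boundary"
    # Session policies cap the temporary credentials further.
    if session_policies and not _has(session_policies, "Allow", action, resource):
        return "Deny", "implicit deny: outside session policy"
    return "Allow", "allowed"

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-logs/a.log"),
                     ("s3:PutObject", "arn:aws:s3:::app-logs/a.log"),
                     ("s3:DeleteBucket", "arn:aws:s3:::app-logs")]:
        print(act, evaluate(act, res, scps=[SCP], identity_policies=[IDENTITY], boundary=BOUNDARY))
```

Note that PutObject is denied even though the identity policy grants `s3:*`, which is exactly the boundary behaviour the first self-check question asks you to explain.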

Connecting Forward: In Phase 6, you'll learn Data Protection — designing encryption in transit and at rest, managing secrets and key materials, and implementing the new C03 content on data masking and multi-Region key management.

Self-Check Questions:
  • Can you trace the policy evaluation order and explain where permissions boundaries fit?
  • Can you explain when to use Verified Permissions vs. IAM policies?
  • Can you describe how IAM Roles Anywhere eliminates long-term keys for on-premises workloads?
Written by Alvin Varughese, Founder, 15 professional certifications