Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5. Identity and Access Management (20%)

Identity and Access Management is the highest-weighted domain on the SCS-C03 at 20% — and for good reason. IAM is the gateway to everything in AWS: every API call, every resource access, and every cross-account interaction is governed by identity and permissions. Get IAM right, and your other security controls reinforce a solid foundation. Get IAM wrong, and even the best network segmentation and encryption are undermined — an overly permissive IAM role lets an attacker bypass every layer you've built. Think of IAM as the master key system in a building: the locks on each door (network controls, encryption) are meaningless if someone holds a master key (AdminAccess). The SCS-C03 splits IAM into authentication (proving who you are) and authorization (proving what you can do), and expects deep understanding of both — including the new services Verified Permissions and Roles Anywhere, as well as advanced policy evaluation.

The First Principle is that identity is the new perimeter — in a cloud environment without physical boundaries, controlling who can do what (and proving it) is the most fundamental security control.

Scenario: A company with 5,000 employees and 200 AWS accounts needs to manage human access (SSO), application access (service roles), and machine access (cross-account automation). Each access type requires different authentication and authorization patterns.

Reflection Question: Why does the SCS-C03 weight IAM at 20% — higher than any other domain — and what does this tell you about where real-world AWS security most often fails?

Written by Alvin Varughese (Founder, 15 professional certifications)