If we tie together everything from the past four days in one line, it becomes: "For anything to work on AWS, all of the following must line up — (1) where (Region/AZ), (2) who (Principal), (3) what (Action), (4) on what (Resource), (5) under what conditions (Condition)." This sentence determines 90% of the answers in the DVA exam's security and troubleshooting domains (44% combined).
Today we re-bundle Week 1's key concepts into scenarios and classify the trap patterns that frequently appear on the exam. This is a review session, not new material, so the questions and explanations go deeper. It is organized in a form that is good to skim one more time right before the actual exam.
[ AWS Global Infrastructure ]
└─ Region (isolated infrastructure unit)
└─ AZ (group of 3+ physical DCs)
└─ Actual resources: EC2/Lambda/RDS, etc.
└─ IAM (who can do what)
├─ User (long-term credentials)
├─ Group (permission bundle)
├─ Role (temporary credential issuer)
└─ Policy (JSON specification)
└─ Condition (ABAC engine)
If any link in this chain breaks, the call fails. When solving exam scenarios, identifying which link is the problem is the fast path to the answer.
To emphasize once more: AWS's entire security model is deny-by-default. Without an explicit Allow for any resource, access is denied. Higher-level guardrails like SCPs can add further blocking, but they cannot create permissions. Once you internalize this model, the question "why don't I have permission?" always resolves into the search "where is the Allow missing?".
The most common scenario. Simply "attach an IAM Role" is not always the answer. Let's cover all the possible causes.
| Cause | Symptom | Fix |
|---|---|---|
| IAM Role not attached | "Unable to locate credentials" | Grant an instance profile |
| Role policy lacks S3 permissions | AccessDenied | Add s3:GetObject etc. |
| Explicit Deny in the S3 bucket policy | AccessDenied |
Click a choice to reveal the answer and explanation.
Question 1
A company issues IAM Users to all employees, who use access keys with the CLI. Following a security audit, the CISO has ordered "no more long-term keys". What is the most appropriate migration?
Question 2
What is the effect of the following IAM policy? ```json { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::project-${aws:PrincipalTag/Project}/*", "Condition": {"Null": {"aws:PrincipalTag/Project": "false"}} } ```
Question 3
After moving a workload from EC2 to Lambda, you want it to run with the same IAM policies without code changes. What changes?
Question 4
Which of the following is NOT included in an STS AssumeRole response?
Question 5
A company has set an SCP allowing "only us-east-1 and ap-northeast-2". An IAM User has `AdministratorAccess`. This User attempts to launch an EC2 in eu-west-1. What happens?
Question 6
What is the most appropriate first debugging step in this scenario? "boto3 code on EC2 returns `An error occurred (AccessDenied) when calling the GetObject operation`."
Question 7
A developer configured a dev profile in `~/.aws/credentials`, but unless `--profile dev` is specified on the CLI command, the default profile's credentials are used. How can the dev profile be applied automatically to every command?
Question 8
In an IAM Policy's `"Resource": "arn:aws:s3:::my-bucket/${aws:username}/*"`, when is the `${aws:username}` variable evaluated?
Question 9
What error appears when SigV4 signature timestamp validation fails?
Question 10
A company separates prod and dev accounts with AWS Organizations, and developers can assume Roles in both accounts via IAM Identity Center. Why is prod protected even if a major incident happens in the dev account?
Question 11
A Lambda function received a `LimitExceededException`. What is the SDK's default retry behavior?
Question 12
A company wants to let a SaaS monitoring tool read CloudWatch metrics from its AWS account. What is the safest configuration?
| Review the bucket policy |
| S3 Block Public Access + wrong policy | AccessDenied | Reconfigure BPA or the policy |
| Private subnet without a VPC Endpoint | timeout | Add an S3 Gateway Endpoint |
| Object encrypted with a KMS key + no KMS permission | AccessDenied (KMS) | KMS Key Policy + IAM kms:Decrypt |
⚠️ Trap: An S3 object encrypted with SSE-KMS cannot be read with IAM's
s3:GetObjectalone. The same Principal must also havekms:Decrypt, and the Principal must also appear in the KMS Key Policy's grants. On the exam, the scenario "S3 permissions are in place but GetObject fails" is almost always answered by KMS.
🔍 Going deeper: The VPC Endpoint scenario is a network-layer problem, so IAM debugging won't solve it. For an EC2 in a private subnet to reach S3, it must either (1) go out to the internet via a NAT Gateway, or (2) go over the AWS internal network via an S3 Gateway Endpoint (adding the prefix-list to the route table) or an Interface Endpoint (PrivateLink). With no NAT and no Endpoint, you get a timeout. The fact that it's a timeout rather than AccessDenied is the diagnostic clue.
Cross-account follows the principle of "agreement from both sides". The Lambda function's execution role needs (1) the sts:AssumeRole permission with the target account's Role ARN specified, and (2) the target account Role's Trust Policy must name our Role as a Principal. Both are required.
# Cross-account call inside Lambda code
import boto3
sts = boto3.client('sts')
resp = sts.assume_role(
RoleArn='arn:aws:iam::222222222222:role/CrossAccountReadRole',
RoleSessionName='lambda-cross-account'
)
creds = resp['Credentials']
s3 = boto3.client('s3',
aws_access_key_id=creds['AccessKeyId'],
aws_secret_access_key=creds['SecretAccessKey'],
aws_session_token=creds['SessionToken']
)
s3.list_objects_v2(Bucket='other-account-bucket')The trap in this code: the received temporary credentials expire after 1 hour, and if the Lambda holds onto them inside a workflow and reuses them, calls fail after expiration. The clean approach is to assume fresh on every invocation, or delegate automatic refresh to the SDK's RefreshableCredentials.
sts.amazonaws.com (global) vs sts.ap-northeast-2.amazonaws.com (regional). When an exam scenario says "during a us-east-1 outage, workloads in other regions fail to obtain credentials", suspect the global STS endpoint. Switch with AWS_STS_REGIONAL_ENDPOINTS=regional.
The Permission Boundary is a mechanism that defines the effective maximum permissions of an IAM User/Role. Actions absent from the Boundary are blocked even if present in the Identity Policy. It is commonly used so that "an administrator can delegate IAM management to developers without excessive permissions leaking out". Example: enforce a Boundary on every Role a developer can create, and you can prevent those Roles from touching IAM itself.
⚠️ Trap: The difference between SCP, Permission Boundary, and Session Policy is an exam staple. The SCP is an Organizations guardrail applied to the entire account, the Permission Boundary is the maximum permission cap on a specific IAM entity, and the Session Policy is a one-shot guardrail narrowing scope inline at AssumeRole time. All three share the trait of "subtracting only, never granting permissions".
| Domain | Weight | Areas covered in Week 1 |
|---|---|---|
| Development | 32% | SDK, CLI, credential chain |
| Security | 26% | All of IAM, STS, SigV4 |
| Deployment | 24% | (not covered yet) |
| Troubleshooting | 18% | IAM policy simulation, --debug, get-caller-identity |
Week 1's importance is overwhelming given that more than half of security's 26% + troubleshooting's 18% on the exam is IAM-related. Master Week 1 completely and you get more than 30% of the exam essentially for free.
An ARN (Amazon Resource Name) has the format arn:partition:service:region:account-id:resource. Memorize the patterns that appear frequently on the exam.
| Resource | ARN example |
|---|---|
| IAM User | arn:aws:iam::123456789012:user/Alice |
| IAM Role | arn:aws:iam::123456789012:role/MyRole |
| S3 Bucket | arn:aws:s3:::my-bucket (no region/account) |
| S3 Object | arn:aws:s3:::my-bucket/path/to/file |
| Lambda Function | arn:aws:lambda:ap-northeast-2:123456789012:function:MyFn |
| Lambda Layer | arn:aws:lambda:ap-northeast-2:123456789012:layer:MyLayer:3 (includes version number) |
| DynamoDB Table | arn:aws:dynamodb:ap-northeast-2:123456789012:table/MyTable |
| SQS Queue | arn:aws:sqs:ap-northeast-2:123456789012:MyQueue |
| SNS Topic | arn:aws:sns:ap-northeast-2:123456789012:MyTopic |
| KMS Key | arn:aws:kms:ap-northeast-2:123456789012:key/uuid |
| Secrets Manager | arn:aws:secretsmanager:ap-northeast-2:123456789012:secret:Name-randomSuffix |
| Parameter Store | arn:aws:ssm:ap-northeast-2:123456789012:parameter/path/to/param |
💡 Memorization tip: S3 and IAM are global services, so the region field in their ARNs is empty (
arn:aws:s3:::). Other services have the region filled in. Also, IAM includes the account-id but S3 does not (the bucket name itself is globally unique). And the partition isawsfor regular AWS,aws-us-govfor GovCloud, andaws-cnfor China regions. Copying policies cross-partition without changing the partition prefix is a known failure mode.
Week 1 lays AWS's "foundation". On top of the infrastructure map sits the chain of trust that is IAM, and your code's SDK calls are bound to that chain. Starting next week, the real compute (EC2, Lambda, ECS), data (S3, DynamoDB, RDS), integration (API Gateway, SQS, EventBridge), and deployment (CodePipeline, etc.) go on top of this.
The key mindset to remember: on AWS, the question "why doesn't this work?" almost always reduces to "at which IAM evaluation stage was it blocked?". SCP, Resource Policy, Identity Policy, Permission Boundary, Session Policy, Explicit Deny — one of these six layers is the answer. And the starting point for finding that answer is aws sts get-caller-identity and the IAM Policy Simulator.