On the SAA exam, the security domain (Domain 1) carries the largest weight at 30% of the total. Yet many test-takers approach this domain as "memorizing service names like IAM, KMS, WAF, and GuardDuty" and then collapse on the scenario questions. The reason is simple. What the exam asks is not a service name but a verdict: "Is this request allowed or blocked, and why?" And that verdict almost always reduces to a single algorithm — the IAM policy evaluation logic