Skip to main content
VVMExam

AWS Security for Developers: IAM, Encryption, and Secrets Management

AWS security for developers centers on IAM policies and roles, encryption at rest and in transit, and secure handling of credentials using services like Secrets Manager and Parameter Store.

2 min read

Understanding AWS security is essential for the DVA-C02 exam. Key areas include identity and access management, encryption, and secrets management.

IAM Fundamentals

  • Policies: JSON documents attached to users, groups, or roles that define allowed or denied actions on resources.
  • Roles: Preferred over long-term access keys for granting permissions to AWS services (e.g., Lambda, EC2) or cross-account access.
  • Least Privilege: Grant only the permissions required for a task. Exam questions often test whether a role has unnecessary permissions.
  • STS (Security Token Service): Issues temporary credentials via AssumeRole. Used for cross-account access and identity federation.

Resource-based policies (e.g., S3 bucket policies, Lambda resource policies) allow access from other accounts or services without assuming a role.

Encryption

  • KMS (Key Management Service): Used to encrypt data at rest in services like S3, DynamoDB, RDS, and EBS. Supports AWS-managed keys and customer-managed keys (CMKs).
  • Envelope Encryption: KMS encrypts a data key, which is then used to encrypt the actual data locally. This avoids sending large payloads to KMS.
  • S3 Encryption Options: SSE-S3 (AWS-managed), SSE-KMS (customer visibility via KMS), SSE-C (customer-provided keys), and client-side encryption.
  • In Transit: Use HTTPS/TLS for all API calls. AWS SDKs default to HTTPS.

Secrets and Configuration Management

  • Secrets Manager: Stores and automatically rotates secrets (database passwords, API keys). Integrates with RDS natively. Charges per secret per month.
  • Systems Manager Parameter Store: Stores configuration values and secrets. Standard tier is free; Advanced tier supports larger values and policies. SecureString parameters are encrypted via KMS.
  • Key difference: Secrets Manager supports automatic rotation; Parameter Store does not rotate secrets natively but is lower cost.

Application-Level Security

  • Cognito User Pools: Handles user authentication (sign-up, sign-in). Returns JWTs.
  • Cognito Identity Pools: Exchanges tokens (from User Pools or third-party IdPs) for temporary AWS credentials via STS.
  • API Gateway Authorization: Supports IAM authorization, Lambda authorizers (custom logic), and Cognito User Pool authorizers.

Never hard-code credentials in application code or store them in source control. Use IAM roles for compute resources and Secrets Manager or Parameter Store for sensitive values.

Ready to practice this topic?