Security

Security is possibly the most discussed topic as far as the cloud is concerned. Whether it is about securing your services on the network, making sure your applications are secure, encrypting your data, or securing your users, security in the cloud always seems to be discussed with caution. We have learned that we are able to secure our cloud-based applications to the same level as our on-premises systems, or higher. When being tested on your knowledge of security in AWS, you should remember these key points:

  • Always apply permissions with the least privilege approach by only giving the permissions that are necessary to perform a task.
  • Prefer applying IAM policies to groups rather than individual users.
  • Use roles when automating access to AWS on your EC2 instances, Lambda functions, and so on.
  • Remember that access can be granted to other accounts with cross-account roles.
  • Remember the limitations of IAM.
  • When you see high numbers of users, federation is the correct approach.
  • Differentiate between the AssumeRole and AssumeRoleWithWebIdentity operations.
  • You can federate IAM with LDAP, but sometimes an LDAP replica in AWS is the right option.
  • Understand encryption in transit and encryption at rest in AWS. Understand which service provides which type of encryption and what protocol or encryption mechanism it uses.
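
The points above on roles for services, cross-account roles, and AssumeRole versus AssumeRoleWithWebIdentity all show up in a role's trust policy. The following is an added example, not code from the book: the function name, labels, account IDs and sample policies are constructed for illustration. It classifies who may assume a role and through which STS operation.

```python
# Constructed sample trust policies; account IDs are placeholders.
OWN_ACCOUNT = "111111111111"
SAMPLES = {
    "ec2-app": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]},
    "partner-audit": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole"}]},
    "mobile-users": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity"}]},
}

def _as_list(value):
    # IAM JSON allows a single value or a list in most fields.
    return value if isinstance(value, list) else [value]

def classify_trust(policy, own_account):
    """Return sorted labels describing who may assume the role, and how."""
    labels = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        principal = st.get("Principal", {})
        if principal == "*":
            labels.add("anyone")  # wildcard trust: review against least privilege
            continue
        if "sts:assumerolewithwebidentity" in actions:
            # Web identity federation: callers present a token from an identity provider.
            labels.update(f"web-identity:{p}" for p in _as_list(principal.get("Federated", [])))
        if "sts:assumerole" in actions:
            # AWS services (EC2, Lambda) and IAM principals use plain AssumeRole.
            labels.update(f"service:{p}" for p in _as_list(principal.get("Service", [])))
            for p in _as_list(principal.get("AWS", [])):
                if p == "*":
                    labels.add("anyone")
                    continue
                acct = p.split(":")[4] if p.startswith("arn:") else p
                kind = "same-account" if acct == own_account else "cross-account"
                labels.add(f"{kind}:{acct}")
    return sorted(labels)

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, classify_trust(doc, OWN_ACCOUNT))
```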