Master AWS Developer Associate (DVA-C02) with 120 free flashcards. Study using spaced repetition and focus mode for effective learning in Certifications.
The division of security responsibilities between AWS (security OF the cloud: infrastructure, hardware, regions, services) and the customer (security IN the cloud: data, IAM, OS patching, network/firewall config, encryption).
An AMI (Amazon Machine Image), an instance type, a VPC with subnet, a security group, an IAM role/credentials, and optionally key pair and EBS volume.
An IAM user is a permanent identity with long-lived credentials. An IAM role is an identity with no long-lived credentials that is assumed temporarily by users, services, or external identities to obtain temporary STS tokens.
5,120 characters for managed policies attached to a user/group/role; service-specific quotas apply (e.g. inline user policy up to 2,048 chars, group 5,120, role 10,240).
Security Token Service — issues short-lived temporary credentials (access key, secret key, session token) for federated identities, assumed roles, or cross-account access.
Attach an IAM instance profile (a container for an IAM role) to the EC2 instance. The SDK/CLI automatically retrieves credentials from IMDS on the instance.
A managed policy is a standalone, reusable policy that can be attached to many identities (AWS- or customer-managed). An inline policy is embedded in a single identity and removed when the identity is deleted.
From 15 minutes up to a maximum of 12 hours (the absolute STS session duration hard cap); the role's MaxSessionDuration must be set within that range.
Attach an IAM execution role to the Lambda function. Lambda automatically populates environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
AWS CloudTrail — records every API call made in the account, including identity, time, source IP, and request/response details, stored in S3 and optionally CloudWatch Logs.
CloudTrail records API activity (who called what and when) for governance/audit. CloudWatch collects metrics, logs, and events for monitoring, alarming, and operational response.
A service to ingest, monitor, store, and access log files from EC2, Lambda, VPC Flow Logs, CloudTrail, Route 53, and custom sources. Retention is configurable from 1 day to indefinitely.