# AWS SECURITY - Domain 4 - 50X - QUESTIONS and ANSWERS
## Domain 4: Identity and Access Management
### Task Statement 4.1: Design, implement, and troubleshoot authentication for AWS resources.
**Knowledge of:**
- 4.1.1 Methods and services for creating and managing identities (for example, federation, identity providers, AWS IAM Identity Center [AWS Single Sign-On], Amazon Cognito)
- 4.1.2 Long-term and temporary credentialing mechanisms
- 4.1.3 How to troubleshoot authentication issues (for example, by using CloudTrail, IAM Access Advisor, and IAM policy simulator)
**Skills in:**
- 4.1.4 Establishing identity through an authentication system, based on requirements
- 4.1.5 Setting up multi-factor authentication (MFA)
- 4.1.6 Determining when to use AWS Security Token Service (AWS STS) to issue temporary credentials
### Task Statement 4.2: Design, implement, and troubleshoot authorization for AWS resources.
**Knowledge of:**
- 4.2.1 Different IAM policies (for example, managed policies, inline policies, identity-based policies, resource-based policies, session control policies)
- 4.2.2 Components and impact of a policy (for example, Principal, Action, Resource, Condition)
- 4.2.3 How to troubleshoot authorization issues (for example, by using CloudTrail, IAM Access Advisor, and IAM policy simulator)
**Skills in:**
- 4.2.4 Constructing attribute-based access control (ABAC) and role-based access control (RBAC) strategies
- 4.2.5 Evaluating IAM policy types for given requirements and workloads
- 4.2.6 Interpreting an IAM policy’s effect on environments and workloads
- 4.2.7 Applying the principle of least privilege across an environment
- 4.2.8 Enforcing proper separation of duties
- 4.2.9 Analyzing access or authorization errors to determine cause or effect
- 4.2.10 Investigating unintended permissions, authorization, or privileges granted to a resource, service, or entity