SAA-C03 RUNBOOK DAY 01 / 21
01
Week 1 · Security Foundation

Account, IAM & Billing Guardrails

~2.5 h session Domain 1 · Secure — 30% of exam drill bank: 02-IAM · 20 Q
0%
B

Brief

~10 min read

IAM is AWS's global authentication and authorization service. Everything is deny by default; policies are JSON documents evaluated in one fixed order: explicit deny → allow → implicit deny. Users are people, roles are hats anyone (or any service) can wear temporarily, and STS is the machine that mints those temporary credentials.

Today you also install the two guardrails the rest of the plan depends on: a budget alarm so a forgotten resource can't quietly bill you, and an admin identity so the root user goes in a drawer and stays there.

Why today matters: policy-evaluation-order and roles-vs-users questions are guaranteed on the exam — and every later lab assumes these guardrails exist.
AI ▸ copies a state-loaded prompt — paste into Claude / any AI
1

Build

~90 min lab · target state below
MANAGEMENT ACCOUNT prod · vector/jobhound box ⛔ NO LABS HERE ✓ root MFA · ✓ pays the bill AWS ORGANIZATIONS (day 2) LAB MEMBER ACCOUNT everything gets built here 👤 iam admin · MFA · no root 🔔 budget alarm · $10 🪣 policy lab: 2× S3 + role
Target state · end of day 1
AI ▸
2

Verify

~10 min · say each answer out loud
AI ▸
3

Decommission

nothing bills hourly today — still practice the habit
⚠ drill unlocks when decommission is confirmed
D

Drill

6 questions · 4 from the bank + 2 on what you just built
🔒 confirm decommission to unlock
■ Day 01 Completeguardrails installed · IAM drilled · nothing left running