CLF-C02 Identity, Access and Root-Account Protection Guide

Study CLF-C02 Identity, Access and Root-Account Protection: key concepts, common traps, and exam decision cues.

CLF-C02 does not require deep IAM policy writing, but it does expect you to know the safest access habits. Strong answers usually remove long-term credential sprawl, protect the root account, and give people or workloads only the access they need.

Least privilege: Access model where identities receive only the permissions needed for the current job.

Federation: Using an external identity provider to authenticate users instead of creating separate local credentials for them in every account or application.

The identity building blocks

Term                 What it does
IAM user             Identity for a person or application that can sign in with a password or hold long-term access keys
IAM role             Identity with permissions that a user, workload, or AWS service assumes to receive temporary credentials; it has no password or access keys of its own
IAM policy           JSON permission document that allows or denies actions on resources
IAM group            Collection of IAM users that share the policies attached to the group
IAM Identity Center  Centralized workforce sign-in and permission assignment across AWS accounts and applications

At the CLF-C02 level, the key insight is that roles and centralized sign-in are usually cleaner than spreading long-term credentials everywhere.

Root account protection

AWS treats the root user as special because it has full access to everything in the account and no IAM policy can restrict it; the only thing that can constrain it is an AWS Organizations service control policy applied to a member account. That means CLF-C02 expects these habits:

  • use the root user only for the few tasks that require it
  • enable MFA on the root user
  • do not use root for daily administration
  • do not create access keys for the root user, and protect its password carefully

If the answer choice uses the root user for routine work, it is almost always weak.
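One way to turn these habits into a check, as an added example for this guide and not code from AWS or the CLF-C02 material: a small Python scanner over CloudTrail records that flags any root-user activity and any console login where MFA was not used. The records are constructed for the example; the field names (userIdentity.type, eventName, additionalEventData.MFAUsed) follow the CloudTrail record format, and the account ID and user names are placeholders.

```python
"""Flag root-user activity and non-MFA console logins in CloudTrail records.

Added example for this guide, not AWS code. The records below are constructed
for the example; the field names (userIdentity.type, eventName,
additionalEventData.MFAUsed) follow the CloudTrail record format.
"""
import json

# Constructed CloudTrail log body, trimmed to the fields the check needs.
SAMPLE_LOG = json.dumps({"Records": [
    {   # root signs in to the console without MFA: the worst case
        "eventTime": "2026-05-01T08:12:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # root used for routine work (launching an instance)
        "eventTime": "2026-05-01T09:30:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    },
    {   # an IAM user signing in with MFA: clean
        "eventTime": "2026-05-01T09:35:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # a workload acting through an assumed role: the pattern the guide recommends
        "eventTime": "2026-05-01T10:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
    },
]})


def findings_for(event):
    """Return the findings raised by one CloudTrail event (empty list if clean)."""
    findings = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName")
    # Any root activity is worth a ticket: root has no legitimate daily job.
    if identity.get("type") == "Root":
        findings.append(f"ROOT_ACTIVITY {name}")
    # Console logins carry MFAUsed; anything other than "Yes" is a gap.
    if name == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if mfa != "Yes":
            who = identity.get("userName") or identity.get("type")
            findings.append(f"CONSOLE_LOGIN_WITHOUT_MFA {who}")
    return findings


def scan_log(log_text):
    """Parse a CloudTrail log file body and map eventTime -> findings for noisy events."""
    report = {}
    for event in json.loads(log_text)["Records"]:
        found = findings_for(event)
        if found:
            report[event["eventTime"]] = found
    return report


if __name__ == "__main__":
    for when, found in scan_log(SAMPLE_LOG).items():
        print(when, ", ".join(found))
```

In a real account the same two checks are usually wired to an EventBridge rule or a CloudWatch metric filter so that root sign-in and root API calls page someone; the point of the script is only to show which fields carry the signal.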

Roles versus long-term access keys

The exam often rewards the answer that removes embedded long-term credentials.

Need                                                      Strongest first fit
Application on AWS needs access to another AWS service    IAM role attached to the compute (for EC2, an instance profile)
Workforce access across accounts                          IAM Identity Center
Short-term delegated access                               Role assumption (temporary credentials issued by STS)
Secure secret storage                                     Secrets Manager or Systems Manager Parameter Store, not plaintext files

If a workload runs on AWS and one answer says “store permanent access keys on the server” while another says “use a role,” the role answer is usually stronger.

Authentication and access hardening

CLF-C02 expects you to recognize:

  • MFA for stronger login protection
  • federated access for workforce sign-in
  • least privilege for permission scope
  • cross-account roles as a safer access pattern than sharing one account’s long-term keys broadly

Decision order that usually wins

Use this order when identity answers look similar:

  1. Decide whether the identity is a person, a workload, or a special account-level authority.
  2. If it is a workload running on AWS, prefer an IAM role over stored long-term access keys.
  3. If it is workforce access across accounts, prefer centralized sign-in such as IAM Identity Center.
  4. If the root user appears in an answer for routine administration, treat that answer as weak immediately.
  5. If the question asks about safer permissions, prefer MFA, least privilege, and temporary credentials over convenience.

Common traps

  • confusing users, groups, roles, and policies
  • assuming the root user is the normal admin account
  • storing secrets in plaintext configuration files
  • assuming least privilege means “no access until a problem occurs” instead of “right-sized access”

A practical exam example

Need: an EC2 workload must read from S3.
Strong lane: give the workload a role.
Weak lane: create an IAM user, copy access keys onto the instance, and rotate them manually.

CLF-C02 likes this pattern because it tests whether you understand the safer AWS-native access method without needing advanced IAM syntax.
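What the strong lane looks like in practice, for this EC2-reads-S3 scenario and for the roles-versus-keys and cross-account points made earlier: an added Python example for this guide, not AWS code. It builds the role's trust policy and a right-sized permissions policy, flags the wildcard grant a weak answer would use, and lists the AWS CLI calls that attach the role to the instance. Bucket, prefix, role, account and instance values are placeholders; the policy documents use the IAM JSON grammar, and the check is a small lint for obvious wildcards rather than a replacement for IAM Access Analyzer.

```python
"""IAM role for an EC2 workload that reads one S3 prefix, plus a broadness check.

Added example for this guide, not AWS code. Bucket, prefix, role, account and
instance values are placeholders. The policy documents use the IAM JSON
grammar; the check looks only for the obvious wildcards.
"""
import json


def ec2_trust_policy():
    """Trust policy: only the EC2 service may assume the role (through an instance profile)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def cross_account_trust_policy(trusted_account_id, trusted_role_name, external_id):
    """Trust policy for the cross-account pattern: one named role in the other
    account may assume this one, and only when it presents the agreed ExternalId
    (the guard against the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:role/{trusted_role_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def s3_read_policy(bucket, prefix):
    """Permissions policy: list one prefix and read the objects under it, nothing more."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}/*"}},
            },
            {
                "Sid": "ReadObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


# The weak lane: a blanket grant of the kind that ends up on a long-lived IAM user.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return the Sid (or index) of each Allow statement with a wildcard action
    ('*' or 'service:*') or a wildcard resource; either one fails least privilege."""
    flagged = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action or wild_resource:
            flagged.append(statement.get("Sid", f"statement[{index}]"))
    return flagged


def instance_profile_commands(role_name, trust_file, perm_file, instance_id):
    """AWS CLI calls that create the role and attach it to the instance, returned as
    a list so they can be reviewed before they are run (instance_id is a placeholder)."""
    return [
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document file://{trust_file}",
        f"aws iam put-role-policy --role-name {role_name} --policy-name S3ReadPrefix --policy-document file://{perm_file}",
        f"aws iam create-instance-profile --instance-profile-name {role_name}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {role_name} --role-name {role_name}",
        f"aws ec2 associate-iam-instance-profile --instance-id {instance_id} --iam-instance-profile Name={role_name}",
    ]


if __name__ == "__main__":
    good = s3_read_policy("app-data-bucket", "reports")
    print("weak policy flagged:", overly_broad_statements(WEAK_POLICY))
    print("role policy flagged:", overly_broad_statements(good))
    with open("trust.json", "w") as f:
        json.dump(ec2_trust_policy(), f, indent=2)
    with open("permissions.json", "w") as f:
        json.dump(good, f, indent=2)
    print("\n".join(instance_profile_commands("AppS3Reader", "trust.json",
                                              "permissions.json", "i-0123456789abcdef0")))
```

Once the instance profile is attached, code on the instance obtains short-lived credentials from the instance metadata service and the SDKs pick them up automatically, so nothing is copied onto the box and nothing needs manual rotation; that is the concrete difference between the two lanes.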

Harder scenario question

A company wants employees to access multiple AWS accounts without maintaining separate IAM usernames and passwords in each account. Which answer is strongest first?

  • A. Create a root user in every account for shared admin access
  • B. Create one long-lived IAM user in each account and email the passwords to staff
  • C. Use centralized workforce access with IAM Identity Center and account-level permission assignments
  • D. Store all account access keys in a spreadsheet protected by a password

Correct answer: C. CLF-C02 prefers centralized sign-in and modern access patterns over repeated account-local credentials.

Revised on Sunday, May 10, 2026