Study DEA-C01 Authentication, Secrets and Network Access: key concepts, common traps, and exam decision cues.
DEA-C01 expects access design to be part of the platform. This includes IAM roles, service endpoints, credentials handling, and network-level access boundaries for pipelines and data stores.
IAM role: AWS identity attached to a workload or service so it can call other AWS services without hardcoded long-lived credentials.
Least privilege: Grant only the actions and resources the workload actually needs.
VPC endpoint: Private path from a VPC to supported AWS services without ordinary internet-style routing.
The exam expects you to keep these needs in separate lanes rather than forcing one service to do every job:
| Need | Strongest first fit | Why |
|---|---|---|
| AWS workload needs to call another AWS service | IAM role | Avoids hardcoded long-lived credentials |
| app needs a database password, token, or API secret | AWS Secrets Manager | Built for secret retrieval and rotation workflows |
| simple configuration value with less secret-management overhead | Systems Manager Parameter Store | Useful for parameters, with secure-string options where needed |
| encrypt data or secrets at rest | AWS KMS | KMS is the encryption lane, not the main secret-storage lane |

| Requirement | Strongest first fit | Why |
|---|---|---|
| private access from a VPC to a supported AWS service | VPC endpoint | Keeps the path private and reduces ordinary internet exposure |
| restrict which resources can reach the data platform | security groups, subnet design, and endpoint policy | DEA-C01 expects network boundaries to reinforce IAM design |
| broad internet-style access is not acceptable | private path design first | The requirement is about private reachability before convenience |
The diagram below is the fastest way to remember the order of secure data access decisions.
```mermaid
flowchart TD
    Workload["Workload"] --> Role["IAM Role"]
    Role --> Secret["Secrets Manager or Parameter Store"]
    Role --> Network["Private Network Path / VPC Endpoint"]
    Secret --> Store["Data Store"]
    Network --> Store
```
The key thing to notice is that these controls stack rather than replace one another. IAM does not make the network private. A VPC endpoint does not replace secret management. A secret store does not remove the need for least-privilege access.
When access controls overlap, keep that stacking order in mind and watch for these common traps:
| Trap | Better reading |
|---|---|
| “KMS is where the app should store passwords.” | KMS is the encryption lane, not the main secret-storage product. |
| “If the app has the right IAM role, network controls no longer matter.” | DEA-C01 expects both identity and network boundaries to be correct. |
| “A secret in source control is acceptable if the repo is private.” | The exam expects managed secret storage, not plaintext embedding. |
| “A public path is fine if the credentials are strong.” | If the requirement emphasizes private access, design the private path first. |
Need: "A Glue job must read from a private data service and use a database credential safely."
Strong lane:
- IAM role for the job
- Secrets Manager for the credential
- private network path such as a VPC endpoint or controlled subnet path
That pattern is stronger than hardcoding credentials or assuming one control can do every job.
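To make the "least privilege" half of that pattern concrete, here is an added example (not from the exam guide or any AWS documentation) that places an over-broad Secrets Manager policy beside a scoped one for the Glue job's role and audits both for the traps above; the account ID, secret ARN and key ID are constructed placeholders.

```python
# Constructed example: the over-broad policy is the trap ("the role can
# read any secret"), the second is scoped to the one credential the job needs.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}
    ],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            # Placeholder ARN for the single database credential the job reads.
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-credential-PLACEHOLDER",
        },
        {
            # Secrets Manager decrypts the secret with a KMS key on the job's behalf;
            # kms:ViaService limits the decrypt grant to that path only.
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
            "Condition": {
                "StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}
            },
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for each Allow statement that breaks least privilege.

    An empty list means no wildcard action or unscoped resource was found.
    """
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        if "*" in _as_list(statement.get("Resource", [])):
            findings.append(f"statement {index}: resource '*' is not scoped to one secret or key")
    return findings
```

Run `audit_policy` against each role policy in a pipeline review: the over-broad policy yields two findings, the scoped one yields none.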
A pipeline running inside AWS needs to call an AWS-managed data service privately and also retrieve a database password safely. Which reading is strongest first?
Correct answer: B. DEA-C01 expects stacked controls: identity, secret handling, and network access each solve a different part of the problem.