Study DVA-C02 Federated Access and App Authorization: key concepts, common traps, and exam decision cues.
This lesson covers the identity and permission logic that AWS expects application developers to get right. The exam often mixes user login, token-based access, IAM roles, and signed AWS requests into one scenario so that weak candidates confuse authentication with authorization.
Bearer token: Token presented by the client to prove authenticated access, where possession of the token is enough to use it.
Federated access: Access model where an external or managed identity provider authenticates the user and the application trusts that identity assertion.
AWS wants you to distinguish:
| Requirement | Strong lane | Why |
|---|---|---|
| users log in through an identity provider | federated identity pattern | The requirement is human identity, not service credentials. |
| app code needs AWS permissions without embedded keys | IAM role assumption | Temporary credentials are safer than stored access keys. |
| application calls AWS APIs directly | signed AWS requests with the correct principal | The request must prove AWS identity, not just app identity. |
one signed service call works but another gets AccessDenied |
policy scope or trust-path problem | The auth path exists, but permissions are not wide enough or assumed correctly. |
| tenant A must not see tenant B data | application-level authorization and access filtering | Authentication alone does not enforce record-level boundaries. |
flowchart TD
A["User or workload needs access"] --> B{"Who is calling?"}
B -->|"Human user"| C["Use identity provider or federated login"]
B -->|"AWS-hosted workload"| D["Assume IAM role with temporary credentials"]
C --> E["Authenticate successfully"]
D --> F["Sign AWS requests correctly"]
E --> G["Apply application-level authorization"]
F --> G
Strong answers usually split the problem into:
If a candidate answers only the first question, they usually miss the real control.
For developer questions, DVA-C02 strongly prefers temporary credentials through roles over embedding static access keys in config or source. If the stem says an application on AWS needs to call another AWS service, the stronger default is usually an assumed role or service role with the narrowest needed permissions.
Authentication only proves identity. Authorization decides what that identity may do. DVA-C02 often uses this distinction in multi-tenant or user-specific access questions. A valid bearer token does not automatically mean the user should see every record.
| Trap | Better thinking |
|---|---|
| user login succeeded, so authorization is done | Authentication and authorization are separate control questions. |
| any AWS-hosted app can just use stored keys | Roles and temporary credentials are the stronger default. |
| bearer token for user auth solves AWS API auth too | Signed AWS calls and app auth are related but not identical lanes. |
| multi-tenant leak means encryption failed | The first likely problem is record-level authorization or tenant filtering. |