# Content Domain 4: Identity and Access Management
<a name="security-specialty-03-domain4"></a>

**Topics**
+ [Task 4.1: Design, implement, and troubleshoot authentication strategies](#security-specialty-03-domain4-task1)
+ [Task 4.2: Design, implement, and troubleshoot authorization strategies](#security-specialty-03-domain4-task2)

## Task 4.1: Design, implement, and troubleshoot authentication strategies
<a name="security-specialty-03-domain4-task1"></a>

Skills in:
+ Skill 4.1.1: Design and establish identity solutions for human, application, and system authentication (for example, AWS IAM Identity Center, Amazon Cognito, multi-factor authentication [MFA], identity provider [IdP] integration).
+ Skill 4.1.2: Configure mechanisms to issue temporary credentials (for example, AWS STS, Amazon S3 presigned URLs).
+ Skill 4.1.3: Troubleshoot authentication issues (for example, CloudTrail, Amazon Cognito, IAM Identity Center permission sets, AWS Directory Service).

## Task 4.2: Design, implement, and troubleshoot authorization strategies
<a name="security-specialty-03-domain4-task2"></a>

Skills in:
+ Skill 4.2.1: Design and evaluate authorization controls for human, application, and system access (for example, Amazon Verified Permissions, IAM paths, IAM Roles Anywhere, resource policies for cross-account access, IAM role trust policies).
+ Skill 4.2.2: Design attribute-based access control (ABAC) and role-based access control (RBAC) strategies (for example, by configuring resource access based on tags or attributes).
+ Skill 4.2.3: Design, interpret, and implement IAM policies by following the principle of least privilege (for example, permission boundaries, session policies).
+ Skill 4.2.4: Analyze authorization failures to determine causes or effects (for example, IAM Policy Simulator, IAM Access Analyzer).
+ Skill 4.2.5: Investigate and correct unintended permissions, authorizations, or privileges granted to a resource, service, or entity (for example, IAM Access Analyzer).