# Data Access & Governance

Data access and governance ensure that **only authorized users and services** can interact with SecureCart’s data while maintaining **security, compliance, and operational efficiency**.

✔ **Why does SecureCart focus on Data Access & Governance?**

* **Protects customer transactions, payment info, and order history.**
* **Prevents unauthorized data exposure and access.**
* **Ensures compliance with industry standards like PCI DSS & GDPR.**
* **Maintains data integrity and prevents accidental deletions or modifications.**

***

### **🔹 Step 1: Defining Data Access Controls**

#### **Who Needs Access to Data?**

| **Role**                         | **Access Level**   | **Data Type**                   |
| -------------------------------- | ------------------ | ------------------------------- |
| **Developers**                   | Read-only access   | Logs, application data.         |
| **Security Team**                | Full visibility    | Security logs, IAM policies.    |
| **Database Administrators**      | Read/Write         | RDS & DynamoDB databases.       |
| **Application Services**         | Controlled access  | Order history, product catalog. |
| **Third-Party Payment Provider** | Limited API access | Transaction details.            |

✅ **Best Practices:**\
✔ **Follow the principle of least privilege** – Grant only the necessary permissions.\
✔ **Enforce role-based access control (RBAC)** using IAM roles and permissions.\
✔ **Use resource policies to control access at the AWS service level.**

***

### **🔹 Step 2: Implementing Data Access Policies**

✔ **Why?** – To enforce **who can access what data** and prevent unauthorized actions.

#### **A. IAM Identity-Based Policies**

* **Attached to IAM users, groups, or roles** to define allowed/denied actions.
* SecureCart uses **IAM roles instead of IAM users** to manage data access dynamically.

| **Service**   | **IAM Policy Use Case**                                                       |
| ------------- | ----------------------------------------------------------------------------- |
| **Amazon S3** | Developers can read product images but **cannot delete** them.                |
| **DynamoDB**  | Backend APIs can query order history but **cannot modify payment info**.      |
| **RDS MySQL** | Only database administrators have write access to SecureCart’s customer data. |

✅ **Best Practices:**\
✔ Use **IAM roles instead of long-term credentials** for applications.\
✔ Regularly audit **IAM policies with AWS IAM Access Analyzer**.

***

#### **B. AWS Resource Policies**

* **Attached directly to AWS resources** (S3 buckets, DynamoDB tables, etc.).
* Used to control access **without modifying IAM roles**.

| **Service**          | **Resource Policy Use Case**                            |
| -------------------- | ------------------------------------------------------- |
| **S3 Bucket Policy** | Restricts access to **only SecureCart’s AWS accounts**. |
| **DynamoDB Policy**  | Allows read/write access **only from VPC endpoints**.   |

✅ **Best Practices:**\
✔ Always **deny public access to S3 buckets**.\
✔ Use **AWS PrivateLink instead of exposing services via the public internet**.

***

#### **C. Attribute-Based Access Control (ABAC)**

* SecureCart uses **IAM session tags** to grant **dynamic permissions** based on user attributes.
* **Example:** A **developer with the "SecureCart-Dev" tag** gets access **only to development data**.

✅ **Best Practices:**\
✔ Use **tags for dynamic access control** instead of static IAM roles.\
✔ Combine **IAM policies with tags for granular permissions**.

***

### **🔹 Step 3: Data Governance with AWS Organizations & SCPs**

✔ **Why?** – To ensure **consistent security policies** across all SecureCart AWS accounts.

| **Governance Mechanism**            | **Description**                                    | **Use Case in SecureCart**                                                |
| ----------------------------------- | -------------------------------------------------- | ------------------------------------------------------------------------- |
| **AWS Organizations**               | Manages multiple AWS accounts under one structure. | SecureCart **groups accounts by environment** (Dev, Staging, Production). |
| **Service Control Policies (SCPs)** | Restrict AWS service usage across all accounts.    | Prevents **IAM user creation in production**.                             |
| **IAM Permission Boundaries**       | Limits the max permissions an IAM role can have.   | Developers **cannot grant themselves admin access**.                      |

✅ **Best Practices:**\
✔ Use **AWS Organizations** to enforce global security policies.\
✔ Apply **SCPs to prevent accidental security misconfigurations**.
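The identity-based, resource-based and ABAC policies of Step 2 and the SCP and permission boundary of Step 3, written out as policy documents and run through a small evaluator so the decisions in the tables above can be checked. This is an added example, not SecureCart's or AWS's code: the evaluator models only the parts of IAM evaluation the text relies on (an explicit Deny wins, no matching Allow is an implicit deny, `StringEquals` and `Bool` conditions, `${...}` policy variables, and one Allow required per policy layer), and the bucket names, table ARNs, tag values and the organization ID `o-EXAMPLE1234` are placeholders.

```python
"""Toy IAM policy evaluator (added teaching example; a simplification of AWS's real logic)."""
from fnmatch import fnmatchcase

ORG_ID = "o-EXAMPLE1234"  # placeholder for SecureCart's AWS Organizations ID

# Step 2A, identity-based: the Developers role reads product images but can never delete them.
DEV_IMAGES_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::securecart-product-images",
                  "arn:aws:s3:::securecart-product-images/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::securecart-product-images/*"},
]}

# Step 2B, resource-based: the invoice bucket serves only SecureCart's own accounts, only over TLS.
# Principal matching is not modelled; the aws:PrincipalOrgID condition does that job here.
INVOICES_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::securecart-invoices/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::securecart-invoices/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Step 2C, ABAC: a session tagged Environment=SecureCart-Dev reaches only tables tagged the same.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:*:*:table/*",
     "Condition": {"StringEquals": {
         "aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}"}}},
]}

# Step 3: SCP for the Production OU (the default FullAWSAccess statement plus a deny on IAM user
# creation) and a permission boundary capping developers at S3 and DynamoDB, whatever their role allows.
PROD_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
]}
DEV_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
]}


def _matches(patterns, value):
    """IAM-style match: '*' and '?' wildcards, case-sensitive, one pattern or a list."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)


def _conditions_hold(conditions, context):
    """Only the operators used above: StringEquals (with ${...} policy variables) and Bool."""
    for operator, pairs in conditions.items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if isinstance(expected, str) and expected.startswith("${") and expected.endswith("}"):
                expected = context.get(expected[2:-1])  # e.g. ${aws:PrincipalTag/Environment}
            actual = context.get(key)
            if actual is None or expected is None:
                return False  # a missing context key makes the condition false, as in IAM
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "Bool" and actual.lower() != expected.lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decision for one policy layer: an explicit Deny wins, otherwise Allow if any statement
    matches action, resource and conditions, otherwise implicit deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def authorize(layers, action, resource, context=None):
    """Chain layers the way IAM does within one account: SCPs, the permission boundary and the
    identity-based policies must each allow the call, and a Deny in any of them wins."""
    decisions = [evaluate(layer, action, resource, context) for layer in layers if layer]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if decisions and all(d == "Allow" for d in decisions) else "ImplicitDeny"
```

`evaluate` answers the per-table questions (developers read but cannot delete images; a non-TLS request to the invoice bucket is denied even from an organization account; a `SecureCart-Dev` session sees nothing in a `SecureCart-Prod` table), while `authorize` shows why the SCP and boundary matter: a developer role that has `*` in its own policy still cannot create IAM users in production or attach IAM policies, because the SCP denies the former and the boundary never allows the latter.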

***

### **🔹 Step 4: Data Encryption & Key Management**

✔ **Why?** – Protects **sensitive data from unauthorized access**.

#### **A. Encrypting Data at Rest**

| **Service**         | **Encryption Method**           | **Use Case in SecureCart**                                  |
| ------------------- | ------------------------------- | ----------------------------------------------------------- |
| **Amazon S3**       | S3 Default Encryption (AES-256) | Encrypts order invoices stored in SecureCart’s S3 buckets.  |
| **Amazon RDS**      | KMS-Managed Encryption          | Protects SecureCart’s MySQL database with customer details. |
| **Amazon DynamoDB** | Server-Side Encryption (SSE)    | Ensures order transactions remain encrypted.                |

#### **B. Encrypting Data in Transit**

| **Encryption Type**               | **Use Case in SecureCart**                      |
| --------------------------------- | ----------------------------------------------- |
| **TLS 1.2+ (HTTPS)**              | Encrypts API calls between frontend & backend.  |
| **AWS PrivateLink**               | Ensures private access to third-party APIs.     |
| **AWS Certificate Manager (ACM)** | Manages SSL certificates for ALB & API Gateway. |

✅ **Best Practices:**\
✔ Use **AWS Key Management Service (KMS) for encryption key lifecycle management**.\
✔ Enforce **TLS 1.2 or later for all network communications**.

***

### **🔹 Step 5: Implementing Data Retention & Lifecycle Policies**

✔ **Why?** – To manage **data lifecycle and optimize costs**.

| **Data Type**     | **Lifecycle Policy**  | **Storage Class**            |
| ----------------- | --------------------- | ---------------------------- |
| **Order Logs**    | Archive after 30 days | Amazon S3 Glacier.           |
| **Customer Data** | Delete after 5 years  | Amazon RDS backup retention. |
| **Security Logs** | Retain for 1 year     | Amazon S3 Standard-IA.       |

✅ **Best Practices:**\
✔ Define **clear data retention policies** for compliance.\
✔ Use **S3 Lifecycle Rules** to automatically transition data to cheaper storage.
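The order-log and security-log rows of the table above as an S3 lifecycle configuration, with a small simulator for the storage class an object should be in at a given age and a validator for two constraints S3 itself enforces. This is an added example, not SecureCart's configuration: the `order-logs/` and `security-logs/` prefixes and the 30-day Standard-IA step for security logs are assumptions (S3 requires objects to spend at least 30 days in Standard before a transition to Standard-IA or One Zone-IA). The customer-data row is an RDS backup retention setting rather than an S3 rule, so it is not modelled here.

```python
"""S3 lifecycle rules for SecureCart's log buckets (added example, not the project's own config)."""

# Shape matches what boto3's put_bucket_lifecycle_configuration(LifecycleConfiguration=...) accepts.
# Prefixes and the 30-day Standard-IA step for security logs are assumptions.
LIFECYCLE_CONFIGURATION = {
    "Rules": [
        {   # Order logs: archive to Glacier after 30 days (table above)
            "ID": "order-logs-to-glacier",
            "Filter": {"Prefix": "order-logs/"},
            "Status": "Enabled",
            "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
        },
        {   # Security logs: Standard-IA once eligible, retained one year, then expired
            "ID": "security-logs-one-year",
            "Filter": {"Prefix": "security-logs/"},
            "Status": "Enabled",
            "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"}],
            "Expiration": {"Days": 365},
        },
    ]
}


def expected_state(key, age_days, config=LIFECYCLE_CONFIGURATION):
    """Storage class an object should be in at the given age, or 'EXPIRED'.
    Simplification: the first enabled rule whose prefix matches wins (S3 itself resolves
    overlapping rules by taking the most restrictive action); transitions apply in Days order."""
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled" or not key.startswith(rule["Filter"]["Prefix"]):
            continue
        expiration = rule.get("Expiration", {}).get("Days")
        if expiration is not None and age_days >= expiration:
            return "EXPIRED"
        state = "STANDARD"
        for transition in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            if age_days >= transition["Days"]:
                state = transition["StorageClass"]
        return state
    return "STANDARD"  # no rule applies: the object stays in the class it was written to


def validate(config):
    """Catch two misconfigurations the service rejects: a transition scheduled on or after the
    expiration day, and a Standard-IA / One Zone-IA transition earlier than 30 days."""
    problems = []
    for rule in config["Rules"]:
        transitions = rule.get("Transitions", [])
        expiration = rule.get("Expiration", {}).get("Days")
        if expiration is not None and any(t["Days"] >= expiration for t in transitions):
            problems.append(f"{rule['ID']}: transition day must be before expiration day")
        for t in transitions:
            if t["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") and t["Days"] < 30:
                problems.append(f"{rule['ID']}: {t['StorageClass']} transition needs >= 30 days")
    return problems
```

Running `validate` before applying a configuration turns a rejected API call into a readable error, and `expected_state` is a quick way to confirm that a retention table like the one above really maps onto the rules you are about to deploy.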

***

### **🔹 Step 6: Monitoring & Auditing Data Access**

✔ **Why?** – Detects **unauthorized access & security misconfigurations**.

| **AWS Security Tool** | **Purpose**                      | **Use Case in SecureCart**            |
| --------------------- | -------------------------------- | ------------------------------------- |
| **AWS CloudTrail**    | Logs all AWS API calls           | Detects unauthorized database access. |
| **Amazon Macie**      | Scans S3 for sensitive data      | Identifies exposed customer data.     |
| **Amazon GuardDuty**  | Monitors for suspicious behavior | Alerts on anomalous access patterns.  |
| **AWS Security Hub**  | Centralized security monitoring  | Aggregates security findings.         |

✅ **Best Practices:**\
✔ **Enable CloudTrail logging across all AWS accounts**.\
✔ Use **Macie to classify and detect sensitive data in S3**.\
✔ Regularly **review IAM activity logs for anomalies**.
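A review pass over CloudTrail events for the situations the table above and the Step 1 access matrix describe: a write to customer data by a principal other than the database administrators, a change to a bucket's access configuration, an IAM user creation that the production SCP is supposed to block, and a run of `AccessDenied` errors from one principal. This is an added example, not SecureCart's detection logic: the events are constructed, the role, table and bucket names are placeholders, and the DynamoDB entries assume the trail has data event logging enabled for the table (by default CloudTrail records only management events).

```python
"""Review CloudTrail events for the access patterns Step 6 calls out (added example; the events
below are constructed and the bucket, table and role names are placeholders)."""
import json
from collections import Counter

# From the Step 1 access matrix: only database administrators write customer data.
CUSTOMER_DATA_WRITERS = {"SecureCart-DBA-Role"}
WRITE_ACTIONS = {"PutItem", "UpdateItem", "DeleteItem", "BatchWriteItem"}
BUCKET_ACCESS_CHANGES = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
                         "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"}

# Constructed sample events in CloudTrail's JSON shape, one per line.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-05-01T10:00:01Z","eventSource":"dynamodb.amazonaws.com","eventName":"Query","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"SecureCart-OrderAPI-Role"}}},"requestParameters":{"tableName":"Orders"}}
{"eventTime":"2024-05-01T10:00:02Z","eventSource":"dynamodb.amazonaws.com","eventName":"UpdateItem","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"SecureCart-Dev-Role"}}},"requestParameters":{"tableName":"Customers"}}
{"eventTime":"2024-05-01T10:00:03Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","errorCode":"AccessDenied","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"SecureCart-Dev-Role"}}},"requestParameters":{"bucketName":"securecart-product-images","key":"shoe.png"}}
{"eventTime":"2024-05-01T10:00:04Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","errorCode":"AccessDenied","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"SecureCart-Dev-Role"}}},"requestParameters":{"bucketName":"securecart-product-images","key":"hat.png"}}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","errorCode":"AccessDenied","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"SecureCart-Dev-Role"}}},"requestParameters":{"bucketName":"securecart-product-images","key":"bag.png"}}
{"eventTime":"2024-05-01T10:00:06Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketAcl","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"SecureCart-Dev-Role"}}},"requestParameters":{"bucketName":"securecart-invoices"}}
{"eventTime":"2024-05-01T10:00:07Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"userName":"reporting-svc"}}
{"eventTime":"2024-05-01T10:00:08Z","eventSource":"dynamodb.amazonaws.com","eventName":"PutItem","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"SecureCart-DBA-Role"}}},"requestParameters":{"tableName":"Customers"}}
""".strip().splitlines()]


def principal(event):
    """Role name behind an assumed-role session, otherwise the IAM user name."""
    ident = event["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["userName"]
    return ident.get("userName", "unknown")


def review(events, denied_threshold=3):
    """Return human-readable findings; an empty list means nothing in the batch needs a look."""
    findings = []
    denied = Counter()
    for ev in events:
        who, name, src = principal(ev), ev["eventName"], ev["eventSource"]
        params = ev.get("requestParameters") or {}
        # 1. Writes to customer data by anyone outside the DBA role (Step 1 access matrix).
        if (src == "dynamodb.amazonaws.com" and name in WRITE_ACTIONS
                and params.get("tableName") == "Customers" and who not in CUSTOMER_DATA_WRITERS):
            findings.append(f"unauthorized write to Customers by {who} ({name})")
        # 2. Bucket ACL / policy / public-access-block changes: these decide who can reach the data.
        if src == "s3.amazonaws.com" and name in BUCKET_ACCESS_CHANGES:
            findings.append(f"bucket access configuration changed by {who} "
                            f"({name} on {params.get('bucketName')})")
        # 3. IAM user creation, which the production SCP from Step 3 is meant to prevent.
        if src == "iam.amazonaws.com" and name == "CreateUser":
            findings.append(f"IAM user created by {who}: {params.get('userName')}")
        # 4. Repeated AccessDenied from one principal: a broken deployment or misused credentials.
        if ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(f"{count} AccessDenied errors from {who}")
    return findings
```

The same four checks are a natural fit for a CloudWatch Logs metric filter or an EventBridge rule over the trail; the point of the allowlist in check 1 is that it comes straight from the access matrix, so the detection and the policy are derived from the same table and drift between them shows up as findings.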

***

## **🚀 Summary**

✔ **Use IAM & Resource Policies to enforce least privilege**.\
✔ **Implement AWS Organizations & SCPs for centralized governance**.\
✔ **Encrypt all data at rest and in transit using AWS KMS & TLS**.\
✔ **Apply S3 Lifecycle Policies to manage data retention and cost**.\
✔ **Monitor security logs with CloudTrail, GuardDuty, and Macie**.


#### **Scenario:**

SecureCart needs to **restrict data access to authorized users and services** while ensuring **compliance with regulatory policies**.

#### **Key Learning Objectives:**

✅ Implement **fine-grained access control for data**\
✅ Apply **IAM Policies & Resource-Based Policies**\
✅ Use **AWS Organizations & SCPs for Data Governance**\
✅ Enforce **least privilege and compliance policies**

#### **Hands-on Labs:**

1️⃣ **Apply IAM Policies to Restrict Access to Sensitive Data**\
2️⃣ **Use S3 Bucket Policies to Prevent Public Access**\
3️⃣ **Configure AWS Organizations & SCPs for Data Governance**

🔹 **Outcome:** SecureCart ensures **only authorized users** can access **sensitive data**.

