
AWS IAM Explained for CLF-C02: Users, Roles, Policies, and Best Practices

Courseiva Study Hub

Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva

Quick answer


Quick answer: AWS IAM (Identity and Access Management) is the most tested individual service on the CLF-C02 exam. It controls who can access your AWS resources and what they can do. Master users, groups, roles, policies, the least privilege principle, root account security, MFA, and service-linked roles to pass. Use real-world scenarios to lock in concepts, then test yourself with the included AWS IAM CLF-C02 practice questions.

Why IAM Dominates the CLF-C02 Exam

AWS IAM is not just a service—it’s the security foundation of AWS. On the CLF-C02 exam, you’ll see IAM in at least 15-20% of questions, often disguised inside scenarios about S3, EC2, or Lambda. The exam expects you to know how IAM components work together, not just definitions.

Think of IAM as a permissions guard. Every AWS API call passes through IAM first. If IAM denies it, the action fails—no exceptions. That’s why AWS invests heavily in IAM, and why the CLF-C02 tests it so thoroughly.

Users, Groups, and Roles: The Core Entities

IAM Users

An IAM user is a permanent identity for a person or application that needs long-term AWS access. Each user has a unique name, password (for the AWS Console), and optionally access keys (for CLI/SDK).

Example: Your DevOps engineer, Alice, gets an IAM user named alice-dev. She logs into the console with her password and uses access keys to run Terraform scripts.

IAM Groups

A group is a container for users. You attach policies to a group, and all users in that group inherit those permissions. This simplifies management—never attach policies directly to individual users.

Example: Create a group Developers with full EC2 access. Add Alice, Bob, and Charlie. When a new developer joins, just add them to the group—no policy changes needed.

IAM Roles

A role is a temporary identity that you assume when needed. Roles have no permanent credentials (no password or access keys). Instead, AWS issues temporary security credentials via the Security Token Service (STS). Roles are used for:

  • AWS services (e.g., EC2 instances reading from S3)
  • Federated users (e.g., your corporate Active Directory)
  • Cross-account access

Key difference: Users are for people; roles are for services or cross-account scenarios.

Entity   Credentials                                Use case
User     Permanent (password + keys)                Human administrators, CI/CD pipelines
Group    None (users inherit the group's policies)  Organizing users by job function
Role     Temporary (STS tokens)                     EC2 instances, Lambda, cross-account access

Policies: Identity-Based vs. Resource-Based

Identity-Based Policies

These are attached to users, groups, or roles. They define what that identity can do. Most exam questions focus here.

Example policy (allow EC2 start/stop):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "*"
  }]
}

Resource-Based Policies

These are attached directly to the resource (e.g., S3 bucket, SQS queue). They define who can access that resource. They’re less common but critical for cross-account access.

Example: An S3 bucket policy that allows another AWS account to read objects:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}

Exam tip: If a question mentions cross-account S3 access, think resource-based policy. For EC2 or Lambda, think identity-based.

Least Privilege Principle

Least privilege means granting only the minimum permissions needed to perform a job—nothing more. This is the single most important security concept in AWS.

Bad practice: Attaching AdministratorAccess to a developer who only needs to read S3 buckets.

Good practice: Create a policy with s3:GetObject on specific buckets. If they later need write access, add it explicitly.

How AWS enforces it: IAM evaluates every policy that applies to the request (identity-based and resource-based). An explicit Deny in any of them overrides every Allow, so the request is denied. If no Deny applies, the request succeeds only if some policy explicitly allows it; otherwise the implicit deny applies. In short, AWS defaults to implicit deny—if no policy allows an action, it's denied.

Root Account Security: Non-Negotiable

The root user is the email address you used to sign up for AWS. It has unrestricted access to everything—including billing and account closure. The CLF-C02 exam expects you to know these root account security best practices:

  • Never use root for daily tasks. Create IAM users with admin permissions.
  • Enable MFA on root. Use a hardware TOTP token or virtual MFA app.
  • Don’t share root credentials. Store them in a secure vault (e.g., AWS Secrets Manager).
  • Lock away root access keys. If you created any, delete them. Use IAM roles for programmatic access.

Scenario: Your CTO wants to change the AWS support plan. Should they log in as root? No. They should use an IAM admin user with support:CreateCase permissions. Root is only for account-level changes like closing the account or changing the root email.
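The root-account rules above are easy to state and easy to drift away from, so a practitioner normally checks them from data rather than memory. The following is an added example (not the article's or AWS's code) that runs those checks over a constructed copy of an IAM credential report. The column names are the ones the IAM credential report CSV uses (user, password_enabled, password_last_used, mfa_active, access_key_1_active, access_key_2_active, with the root user reported as <root_account>); only that subset of columns is included, and every row is constructed. The "root signed in recently" check and its 30-day threshold are my own reading of "never use root for daily tasks", not an AWS rule.

```python
# Added example (not the article's or AWS's code): a checker for the root-account
# and MFA rules listed above, run over a constructed IAM credential report.
# The column names match the CSV that IAM's credential report produces; only a
# subset of columns is used and all rows are constructed, so this runs offline.
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-01T09:00:00+00:00,false,true,false
alice-dev,arn:aws:iam::123456789012:user/alice-dev,true,2024-05-02T09:00:00+00:00,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,no_information,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,N/A,false,true,false
"""
AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)  # "today" for the constructed data

ROOT_NO_MFA = "root user has no MFA device"
ROOT_ACCESS_KEYS = "root user has active access keys; delete them and use IAM roles"
ROOT_RECENT_SIGNIN = "root user signed in recently; daily work belongs on IAM users and roles"
USER_NO_MFA = "console user without MFA"


def _parse_time(value):
    # The report writes markers such as N/A, no_information and not_supported
    # where no timestamp exists; treat those as "never".
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, as_of, recent_days=30):
    """Return (user, finding) pairs for every violation of the rules above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        keys = any(row[col] == "true" for col in ("access_key_1_active", "access_key_2_active"))
        if user == "<root_account>":
            if not mfa:
                findings.append((user, ROOT_NO_MFA))
            if keys:
                findings.append((user, ROOT_ACCESS_KEYS))
            last_used = _parse_time(row["password_last_used"])
            # 30-day window is an assumption standing in for "no daily use of root".
            if last_used is not None and (as_of - last_used).days <= recent_days:
                findings.append((user, ROOT_RECENT_SIGNIN))
        elif console and not mfa:
            # Users with only access keys (e.g. a CI user) are outside the console-MFA rule.
            findings.append((user, USER_NO_MFA))
    return findings


def run_sample():
    """Audit the constructed report as of AS_OF."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On the constructed rows the root user is flagged three times (no MFA, active access keys, a sign-in nine days ago) and bob once (console access without MFA); alice-dev and the key-only ci-deploy user produce nothing. Against a real account the same function would take the decoded Content field of GetCredentialReport, which carries additional columns the checker simply ignores.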

Multi-Factor Authentication (MFA)

MFA adds a second authentication factor (something you have, like a phone app or hardware key) to your password (something you know). AWS supports:

  • Virtual MFA (Google Authenticator, Authy)
  • Hardware TOTP key fob
  • U2F security key (YubiKey)

Exam focus: Know that MFA must be enabled on the root account. For IAM users, MFA is optional but strongly recommended. Also know that MFA can be used to protect specific API calls (e.g., s3:DeleteBucket) via a condition in the policy.
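The evaluation rules from the least-privilege section (explicit deny wins, otherwise an Allow is required, otherwise implicit deny; cross-account access needs an Allow on both sides) and the MFA condition just mentioned are easiest to internalise by watching them decide concrete requests. The following is an added example, not the article's or AWS's code: a toy simulator of exactly those rules. It reuses the article's bucket policy, and it assumes a hypothetical role app-server in account 123456789012, a hypothetical bucket app-config, and a hypothetical second account 210987654321 that owns my-bucket. Only the Bool condition operator is modelled, and SCPs, permissions boundaries and session policies are deliberately left out.

```python
# Added example (not the article's or AWS's code): a toy simulator of the IAM
# evaluation rules described in this article. It models only: an explicit Deny
# in any applicable policy wins; otherwise an Allow is needed; otherwise implicit
# deny; cross-account access needs an Allow from both the caller's identity
# policy and the resource owner's resource policy; and a Bool condition on
# aws:MultiFactorAuthPresent gates an action behind MFA. Nothing else is modelled.
import fnmatch

ACCOUNT = "123456789012"                               # account id from the article's bucket policy
EC2_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-server"   # hypothetical role name
BUCKET_OWNER = "210987654321"                          # hypothetical second account

# Constructed least-privilege policy for the EC2 role: read one bucket, and delete
# that bucket only when the caller authenticated with MFA.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-config/*"},
        {"Effect": "Allow", "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::app-config",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}
# Constructed "admin plus guard-rail" policy: the explicit Deny beats the Allow on "*".
ADMIN_WITH_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
# The article's resource-based bucket policy; my-bucket lives in BUCKET_OWNER's account.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # IAM's "*" wildcard behaves like a shell glob for our purposes.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    if "Principal" not in statement:      # identity-based policies carry no Principal
        return True
    account_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    allowed = _as_list(statement["Principal"].get("AWS", []))
    return any(p in ("*", principal_arn, account_root) for p in allowed)


def _condition_ok(condition, context):
    # Only Bool is modelled. A key absent from the request context counts as
    # "false", which is exactly how the MFA condition fails for a non-MFA session.
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise ValueError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def _effects(policy, principal, action, resource, context):
    """Yield the Effect of every statement in `policy` that applies to the request."""
    for st in policy.get("Statement", []):
        if (_principal_matches(st, principal) and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)
                and _condition_ok(st.get("Condition"), context)):
            yield st["Effect"]


def evaluate(principal, action, resource, identity_policies,
             resource_policy=None, resource_owner=ACCOUNT, context=None):
    """Return "allow", "explicit deny" or "implicit deny" for one request."""
    context = context or {}
    identity = [e for p in identity_policies
                for e in _effects(p, principal, action, resource, context)]
    on_resource = (list(_effects(resource_policy, principal, action, resource, context))
                   if resource_policy else [])
    if "Deny" in identity or "Deny" in on_resource:
        return "explicit deny"                      # explicit deny always wins
    same_account = principal.split(":")[4] == resource_owner
    if same_account and ("Allow" in identity or "Allow" in on_resource):
        return "allow"                              # either side may grant within an account
    if not same_account and "Allow" in identity and "Allow" in on_resource:
        return "allow"                              # cross-account: both sides must grant
    return "implicit deny"                          # nothing allowed it


if __name__ == "__main__":
    bucket, obj = "arn:aws:s3:::app-config", "arn:aws:s3:::app-config/app.yaml"
    print("read:", evaluate(EC2_ROLE, "s3:GetObject", obj, [ROLE_POLICY]))
    print("delete without MFA:", evaluate(EC2_ROLE, "s3:DeleteBucket", bucket, [ROLE_POLICY]))
    print("cross-account read:", evaluate(EC2_ROLE, "s3:GetObject", "arn:aws:s3:::my-bucket/a.log",
                                          [ADMIN_WITH_GUARDRAIL], BUCKET_POLICY, BUCKET_OWNER))
```

Worth noticing in the output: the same s3:DeleteBucket request flips from "implicit deny" to "allow" purely on the presence of aws:MultiFactorAuthPresent in the request context, while under the guard-railed admin policy it is an "explicit deny" no matter what context is supplied. For the cross-account read, removing either the bucket policy or the caller's own Allow drops the result back to "implicit deny", which is the exam's Scenario 2 in code.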

Service-Linked Roles

A service-linked role is a predefined IAM role that AWS creates for a specific service. It includes all permissions that service needs to call other AWS services on your behalf.

Example: When you enable Amazon GuardDuty, it creates a service-linked role AWSServiceRoleForGuardDuty that allows GuardDuty to read CloudTrail logs and VPC flow logs.

Why they matter for CLF-C02: The exam tests whether you understand that service-linked roles are automatically created and cannot be deleted manually (unless you disable the service). They reduce management overhead—you don’t need to write custom policies.

Concrete Scenarios for Exam Success

Scenario 1: EC2 instance reads from S3

  • Wrong approach: Store access keys on the EC2 instance.
  • Correct approach: Create an IAM role with s3:GetObject permissions. Attach the role to the EC2 instance profile. The instance automatically gets temporary credentials.

Scenario 2: Cross-account S3 access

  • Company A wants Company B to write logs to an S3 bucket.
  • Solution: Company A attaches a resource-based policy to the S3 bucket allowing Company B’s root account. Company B creates an IAM user/role with s3:PutObject permission and uses that to write.

Scenario 3: Federated users (corporate SSO)

  • Your company uses Okta. Employees should log into AWS without an IAM user.
  • Solution: Create an IAM identity provider (SAML 2.0). Map Okta groups to IAM roles. Users assume the role via SAML assertion.

8 AWS IAM CLF-C02 Practice Questions with Rationale

Test your understanding. These are similar to what you’ll see on the real exam.

Question 1: Which IAM entity should you use to grant an EC2 instance access to an S3 bucket?

  • A) IAM user with access keys
  • B) IAM group
  • C) IAM role
  • D) Service-linked role

Answer: C. IAM roles provide temporary credentials to AWS services via instance profiles. Access keys on EC2 are insecure.

Question 2: What is the default behavior when no IAM policy explicitly allows an action?

  • A) The action is allowed
  • B) The action is denied
  • C) The action is allowed if root user approves
  • D) The action is evaluated by AWS Support

Answer: B. AWS uses implicit deny. If no policy allows it, the action is denied.

Question 3: A developer needs to restart EC2 instances. Which policy effect should you use?

  • A) Deny
  • B) Allow
  • C) Allow with condition
  • D) Explicit deny

Answer: B. Use an explicit allow for ec2:RebootInstances. Deny is for explicitly blocking actions.

Question 4: Which action requires root user credentials?

  • A) Creating an IAM user
  • B) Changing the AWS support plan
  • C) Closing the AWS account
  • D) Enabling MFA on an IAM user

Answer: C. Closing the account requires root. All others can be done by IAM admins.

Question 5: What is the primary benefit of using IAM groups?

  • A) Groups can be used across accounts
  • B) Groups simplify permission management for multiple users
  • C) Groups provide temporary credentials
  • D) Groups support MFA automatically

Answer: B. Groups let you attach policies once and apply them to all members.

Question 6: Which policy type is attached directly to an S3 bucket?

  • A) Identity-based policy
  • B) Resource-based policy
  • C) Service-linked role
  • D) Permissions boundary

Answer: B. Resource-based policies are attached to resources like S3 buckets or SQS queues.

Question 7: A company wants to enforce MFA for all console users. Which IAM feature should they use?

  • A) Password policy
  • B) IAM role with MFA condition
  • C) Service-linked role
  • D) IAM group with MFA requirement

Answer: B. Use a condition in the policy (e.g., aws:MultiFactorAuthPresent: true) to require MFA.

Question 8: What happens when you delete a service-linked role?

  • A) The role is permanently removed
  • B) AWS recreates it automatically
  • C) The associated service stops working
  • D) You cannot delete it manually

Answer: D. Service-linked roles are managed by AWS. You must disable the associated service first.

Key Takeaway for CLF-C02 Success

IAM is the backbone of AWS security. On the CLF-C02 exam, expect scenario-based questions that test your ability to choose between users, roles, groups, and policies. Memorize the root account rules, least privilege, and MFA. Practice with real scenarios—not just definitions.

For more AWS IAM CLF-C02 practice questions and full-length mock exams, visit Courseiva.com. Our free practice tests mirror the real exam format with detailed rationales. No sign-up required—start preparing today.

Practise CLF-C02 questions

Original exam-style practice questions with detailed, explained answers. Track your weak topics and review missed questions before exam day.

Courseiva provides free IT certification practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics. Explore related practice questions for Cisco, CompTIA, Microsoft Azure, AWS, and other certification exams.