Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.



Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SCS-C02 · Free, no signup

Identity and Access Management

Practice SCS-C02 Identity and Access Management questions with full explanations on every answer.

279 questions


SCS-C02 Domains

Threat Detection and Incident Response
Security Logging and Monitoring
Identity and Access Management
Management and Security Governance
Infrastructure Security
Data Protection


All SCS-C02 Identity and Access Management questions (279)


1

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?

2

A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?

3

An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?

4

An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?

5

A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?

6

An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?

7

A solutions architect needs to design a system where an EC2 instance can write logs to CloudWatch Logs. Which IAM entity should be used to grant permissions to the EC2 instance?

8

A security administrator discovers that an IAM user has been deleted accidentally. What is the correct way to restore the user's access?

9

Which TWO actions can be performed using AWS IAM? (Choose two.)

10

Which THREE factors should be considered when designing IAM policies for cross-account access? (Choose three.)

11

Which TWO are valid ways to authenticate to AWS for API calls? (Choose two.)

12

Refer to the exhibit. An IAM policy is attached to a group. An IAM user in that group attempts to stop an EC2 instance from IP address 198.51.100.10. What will happen?

13

Refer to the exhibit. A security engineer runs the command above. Which of the following is true about the role MyRole?

14

A company has a multi-account AWS Organization with three accounts: Management, Development, and Production. The Security team uses the Management account to manage IAM policies centrally. They have created a service control policy (SCP) named 'RestrictRootAccess' that denies all actions for the root user in all accounts. The SCP is attached to the root organizational unit. The Development account has an IAM role 'DevAdmin' with full administrator access via an IAM policy. The role's trust policy allows the Management account's 'SecurityAudit' role to assume it. A security engineer in the Management account assumes the 'SecurityAudit' role and then tries to assume the 'DevAdmin' role in the Development account. The assumption fails with an 'AccessDenied' error. What is the most likely cause?

15

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the production account must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

16

A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?

17

A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?

18

An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?

19

A company has a single AWS account with multiple IAM users. The administrator created an IAM policy that allows all users to launch EC2 instances, but only if they use a specific AMI ID (ami-12345678) and a specific instance type (t3.micro). The policy uses a condition that checks the EC2 instance type and AMI ID. However, a user is able to launch an EC2 instance with a different AMI ID and a larger instance type. The administrator reviews the policy and confirms that the condition is correctly written. What is the most likely reason that the policy is not working as expected?

20

A company has an S3 bucket policy that allows cross-account access for a specific IAM role in another account. The bucket policy includes a Principal element with the ARN of the role. However, users in the other account that assume the role are unable to access the bucket. Which of the following is the MOST likely cause?

21

A security engineer is designing a solution to allow an external auditor to access logs in an S3 bucket in the company's AWS account. The auditor does not have an AWS account. The engineer needs to grant read-only access to the specific bucket for a limited time. Which TWO actions should the engineer take? (Choose two.)

22

Drag and drop the steps to implement AWS KMS key rotation in the correct order.

23

Drag and drop the steps to configure AWS CloudTrail for logging across all regions and accounts in the correct order.

24

Match each AWS KMS key type to its description.

25

Match each AWS CloudHSM feature to its description.

26

A company wants to allow an IAM user to manage only their own access keys. Which IAM policy should be attached to the user?

27

A security engineer must ensure that cross-account access to an S3 bucket is restricted to only accounts that are part of a specific AWS organization. Which IAM policy condition key should be used in the bucket policy?

28

An IAM user reports that they are unable to launch an EC2 instance in us-east-1. The IAM policy attached to the user allows ec2:RunInstances but with a condition that the instance type must be t2.micro. What could be the reason for the failure?

29

A company uses IAM roles for EC2 instances. An application running on an EC2 instance needs to read from an S3 bucket in another AWS account. What is the most secure way to grant access?

30

A security engineer notices that an IAM user has permissions that are not explicitly granted through any policy. The engineer suspects that the user might have inherited permissions from a group or role. Which IAM feature should the engineer use to identify the source of these permissions?

31

An administrator needs to grant an IAM user the ability to change their own password without allowing them to change other users' passwords. Which IAM action should be included in the policy?

32

A company has multiple AWS accounts and wants to centrally manage access using IAM Identity Center (AWS SSO). Which feature allows the company to define permissions once and reuse them across multiple accounts?

33

An organization wants to enforce that all IAM users use MFA. The security team creates an IAM policy that denies all actions unless MFA is present. However, some users report they cannot even change their own password to enable MFA. What should the security team do to resolve this?

34

A developer needs to access AWS resources from a mobile app. Which AWS service allows the app to obtain temporary credentials for authenticated users?

35

Which TWO statements are true about IAM roles? (Choose two.)

36

Which THREE are valid ways to grant cross-account access to an S3 bucket? (Choose three.)

37

Which TWO are IAM best practices? (Choose two.)

38

Refer to the exhibit. An IAM policy allows s3:GetObject on an S3 bucket only when the object is encrypted with SSE-KMS. An IAM user with this policy attempts to download an object that is not encrypted. What will happen?

39

Refer to the exhibit. A security engineer runs the IAM Policy Simulator with the provided policy input. The result shows 'explicitDeny' for ec2:RunInstances even though the policy only contains an Allow. What is the most likely reason?

40

Refer to the exhibit. A KMS key policy allows decryption only when the request comes through S3 in us-east-1. An application in account 111122223333 tries to decrypt an S3 object using the KMS key directly via the KMS API (not through S3). What will happen?

41

A developer needs to grant an IAM user access to a specific S3 bucket only. Which IAM policy element should be used to restrict access to that bucket?

42

A company uses AWS Organizations with SCPs to restrict services. An administrator creates an SCP that denies access to EC2. A developer in a member account tries to launch an EC2 instance but fails. What is the most likely reason?

43

A security engineer is designing a cross-account access solution. An IAM role in Account A needs to be assumed by users from Account B. Which two components are required?

44

A company uses IAM roles for EC2 instances to access S3. A security audit reveals that some instances have roles with overly permissive policies. What is the BEST practice to scope down permissions while maintaining functionality?

45

An IAM user needs to rotate their own access keys. Which IAM policy action should be allowed?

46

A security engineer notices that an IAM role for an EC2 instance has a policy that allows s3:PutObject on a bucket. However, the application reports access denied when trying to upload. The bucket policy does not explicitly deny access. What is a likely cause?

47

A company uses AWS IAM Identity Center (AWS SSO) to manage access. A user is assigned to a permission set that grants AdministratorAccess. However, when the user tries to access the AWS console, they receive an error that they are not authorized. What is a possible reason?

48

A security engineer needs to ensure that an IAM role can be assumed only from a specific VPC. Which IAM policy condition key should be used?

49

A company uses IAM roles for cross-account access. Developers in Account A need to assume a role in Account B. What must be true for the AssumeRole call to succeed?

50

Which TWO of the following are valid IAM policy condition keys? (Choose TWO.)

51

Which THREE of the following are best practices for managing IAM access keys? (Choose THREE.)

52

Which TWO of the following are valid use cases for IAM permissions boundaries? (Choose TWO.)

53

A security engineer attaches this policy to an IAM user. The user tries to download an object from the bucket from IP address 10.1.0.5. What will happen?

54

A security engineer reviews the trust policy of an IAM role. Which accounts can assume this role?

55

A developer creates this CloudFormation stack. An EC2 instance with this role tries to list objects in the bucket. What will happen?

56

A security engineer is reviewing an AWS account and notices that multiple IAM users have full administrative access. The company policy requires that users have only the permissions necessary to perform their job. What is the MOST secure and efficient way to enforce this policy?

57

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The security team wants to ensure that if the EC2 instance is compromised, the attacker cannot use the role credentials to access resources outside the account. What should the security team do?

58

A developer needs to grant an IAM user temporary access to an S3 bucket for 15 minutes. Which AWS service should be used to generate temporary credentials?

59

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create or modify IAM roles. What is the MOST effective way to enforce this?

60

A company wants to allow its employees to authenticate to the AWS Management Console using their existing corporate credentials. Which AWS service should be used to integrate with the company's identity provider?

61

A security engineer is troubleshooting an issue where an IAM user is unable to list objects in an S3 bucket even though the user has an IAM policy that allows s3:ListBucket. What is the MOST likely cause?

62

An application running on an EC2 instance needs to read from an S3 bucket. What is the BEST practice for granting permissions to the EC2 instance?

63

A company uses cross-account IAM roles to allow a third-party vendor to access resources in the company's AWS account. The security team wants to ensure that the vendor can only access the specific S3 bucket named 'vendor-bucket'. What should the security team do?

64

A security engineer notices that an IAM user has been using an access key that was not rotated for over 90 days. What is the BEST action to take?

65

Which TWO of the following are valid ways to grant an IAM user permissions to access an S3 bucket? (Choose 2.)

66

Which THREE of the following are characteristics of IAM roles? (Choose 3.)

67

Which TWO of the following are AWS best practices for managing access keys? (Choose 2.)

68

A company wants to allow an IAM user to list objects in an S3 bucket named 'my-bucket'. Which IAM policy statement grants the minimum required permissions?

69

A security engineer needs to enforce that all IAM users in an AWS account use multi-factor authentication (MFA) when making API calls. What is the MOST effective way to enforce this?

70

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role has an attached policy that grants s3:GetObject on the bucket. However, the application on the EC2 instance is unable to read objects. What is the MOST likely cause?

71

A developer needs to allow a Lambda function to write logs to CloudWatch Logs. What is the MINIMUM IAM policy that should be attached to the Lambda execution role?

72

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create new IAM users. Which approach should be used?

73

A company has an IAM policy that allows s3:GetObject on all buckets. However, a specific S3 bucket policy explicitly denies s3:GetObject to all principals. An IAM user with the IAM policy tries to read an object from that bucket. What is the result?

74

A company needs to grant cross-account access to an S3 bucket. Which IAM feature should be used?

75

A security engineer notices that an IAM role has a trust policy that allows 'sts:AssumeRole' from any AWS account. What is the security risk?

76

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to enforce this?

77

Which TWO actions can be used to restrict access to an S3 bucket to only requests that originate from a specific VPC?

78

Which THREE are best practices for managing IAM roles?

79

Which TWO are valid ways to authenticate an IAM user?

80

A company requires that all access to its S3 buckets be logged for compliance. Which AWS service should be used to record API calls to S3?

81

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The boundary must allow the instance to list all S3 buckets but deny the ability to delete any bucket. Which policy should be used as the permissions boundary?

82

An IAM policy attached to a user allows s3:GetObject on bucket 'my-bucket'. The user also has a service control policy (SCP) in the organization that denies s3:GetObject on all resources. The user attempts to download an object from 'my-bucket'. What is the outcome?

83

A developer needs to grant an IAM user the ability to launch EC2 instances with specific tags. Which IAM condition key should be used to enforce that the instance is tagged with 'Environment=Production'?

84

A security team is troubleshooting an issue where an IAM role assumed by a Lambda function is unable to write logs to CloudWatch Logs. The role has an attached policy that allows logs:CreateLogGroup and logs:PutLogEvents. What is a likely reason for the failure?

85

A company uses AWS Organizations and wants to prevent any IAM user from creating access keys for a long period. Which SCP should be applied to the root OU to enforce that IAM users cannot create access keys unless explicitly allowed?

86

A company wants to allow users from an external AWS account to assume a role in the company's account. What must be configured in the company's account?

87

A security engineer notices that an IAM role allows 'iam:PassRole' to an EC2 instance. What security risk does this present?

88

An IAM policy has the following statement: {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}. A user with this policy tries to perform s3:ListBucket on 'my-bucket'. Will the request succeed?
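Several of the stems above turn on the same evaluation rules: the s3:ListBucket questions (an object ARN such as arn:aws:s3:::my-bucket/* never covers a bucket-level action), the bucket-policy and SCP deny questions (an explicit Deny anywhere wins, and an SCP with no matching Allow blocks an otherwise permitted call), and the cross-account questions (the resource policy and the caller's identity policy must both allow). The following is an added example, not part of the Courseiva page or of any vendor material: a small Python model of the documented IAM evaluation order. The account IDs, principal names, bucket names and policies are constructed for illustration; Condition elements, session policies and KMS key policies are deliberately left out of the model.

```python
# Added example, not from the Courseiva page: a toy model of the documented IAM policy
# evaluation order. Account IDs, principals, buckets and policies below are made up.
# Conditions, session policies and KMS key policies are not modelled.
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters (':' and '/' included),
    # '?' matches exactly one character; fnmatchcase behaves the same on ARNs.
    return fnmatchcase(value, pattern)

def statement_matches(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource cover the request."""
    patterns = [p.lower() for p in _as_list(stmt.get("Action", stmt.get("NotAction", [])))]
    hit = any(_glob(p, action.lower()) for p in patterns)   # action names are case-insensitive
    if "NotAction" in stmt:
        hit = not hit
    return hit and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*")))

def principal_scope(principal, caller):
    """How a resource policy's Principal covers the caller: 'direct' (the caller's own ARN,
    or '*'), 'account' (the account root ARN, which only delegates to the account and still
    needs an identity-based Allow), or None when the statement does not apply to the caller."""
    if principal == "*":
        return "direct"
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", caller["arn"]):
            return "direct"
        if p in (caller["account"], f"arn:aws:iam::{caller['account']}:root"):
            return "account"
    return None

def evaluate(caller, action, resource, resource_account,
             identity=(), resource_policy=None, scps=None, boundary=None):
    """Return 'Allow' or 'Deny' for one request, in the documented order:
    explicit Deny -> SCPs -> resource policy -> permissions boundary -> identity policy."""
    def hits(policy):
        return [s for s in policy["Statement"] if statement_matches(s, action, resource)]
    ident = [s for p in identity for s in hits(p)]
    scp = [s for p in (scps or []) for s in hits(p)]
    bound = hits(boundary) if boundary else []
    res = []
    if resource_policy:
        res = [(s, principal_scope(s["Principal"], caller)) for s in hits(resource_policy)]
        res = [(s, scope) for s, scope in res if scope]   # the Principal must cover the caller
    # 1. An explicit Deny in any applicable policy ends the evaluation.
    if any(s["Effect"] == "Deny" for s in ident + scp + bound + [s for s, _ in res]):
        return "Deny"
    # 2. In an account governed by SCPs, at least one SCP must Allow the action.
    if scps is not None and not any(s["Effect"] == "Allow" for s in scp):
        return "Deny"
    # 3. Same account: a resource policy that names the caller directly is sufficient.
    same_account = caller["account"] == resource_account
    if same_account and any(s["Effect"] == "Allow" and scope == "direct" for s, scope in res):
        return "Allow"
    # 4. Otherwise an identity-based Allow is required, inside the boundary if one is set,
    if boundary is not None and not any(s["Effect"] == "Allow" for s in bound):
        return "Deny"
    if not any(s["Effect"] == "Allow" for s in ident):
        return "Deny"
    #    and across accounts the resource policy must Allow the caller as well.
    if not same_account and not any(s["Effect"] == "Allow" for s, _ in res):
        return "Deny"
    return "Allow"

# Constructed principals and policies.
USER = {"arn": "arn:aws:iam::111111111111:user/alice", "account": "111111111111"}
ROLE = {"arn": "arn:aws:iam::222222222222:role/DataReader", "account": "222222222222"}
OBJECTS_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"}]}
GET_ANYWHERE = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
BUCKET_DENY = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::locked/*"}]}
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_NO_GET = {"Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}
SHARED_DATA = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE["arn"]},
                              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-data/*"}]}

def scenarios():
    """Outcomes for the situations the questions above describe."""
    a = USER["account"]
    return {
        # s3:* on my-bucket/* does not reach s3:ListBucket, whose resource is the bucket ARN
        "list_bucket_with_object_arn": evaluate(USER, "s3:ListBucket", "arn:aws:s3:::my-bucket", a,
                                                identity=[OBJECTS_ONLY]),
        "get_object_with_object_arn": evaluate(USER, "s3:GetObject", "arn:aws:s3:::my-bucket/r.pdf", a,
                                               identity=[OBJECTS_ONLY]),
        # a bucket-policy Deny beats an identity-policy Allow
        "bucket_policy_deny": evaluate(USER, "s3:GetObject", "arn:aws:s3:::locked/r.pdf", a,
                                       identity=[GET_ANYWHERE], resource_policy=BUCKET_DENY),
        # an SCP Deny beats an identity-policy Allow
        "scp_deny": evaluate(USER, "s3:GetObject", "arn:aws:s3:::other/r.pdf", a,
                             identity=[GET_ANYWHERE], scps=[FULL_AWS_ACCESS, SCP_NO_GET]),
        # cross-account: the bucket policy alone is not enough, the role needs its own Allow
        "cross_account_bucket_policy_only": evaluate(ROLE, "s3:GetObject", "arn:aws:s3:::shared-data/r.pdf",
                                                     a, resource_policy=SHARED_DATA),
        "cross_account_both_sides": evaluate(ROLE, "s3:GetObject", "arn:aws:s3:::shared-data/r.pdf", a,
                                             identity=[GET_ANYWHERE], resource_policy=SHARED_DATA),
    }
```

The model is intentionally narrow: it only answers "which policies apply and in what order do they combine", which is the part these stems test. Real troubleshooting adds the pieces it omits, above all Condition elements and, for SSE-KMS objects, the KMS key policy.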

89

Which TWO AWS services can be used to centrally manage permissions across multiple AWS accounts?

90

Which TWO are best practices for managing IAM roles for EC2 instances?

91

Which THREE AWS services can be used to authenticate users for accessing AWS resources?

92

An IAM policy attached to a user contains the above statements. The user attempts to download an object from 'example-bucket/confidential/report.pdf'. What is the result?

93

A security engineer runs the IAM policy simulator with a custom policy. The output shows the above. Which statement is true about the policy?

94

An IAM role has the above trust policy. Users from account 123456789012 try to assume the role. What is required for the AssumeRole API call to succeed?

95

A company wants to allow an IAM user to manage only their own password in the AWS Management Console. Which IAM policy action should be used?

96

A security engineer needs to grant cross-account access to an S3 bucket in Account A to a role in Account B. Which combination of IAM entities must be configured?

97

A company has a policy that requires all IAM users to use multi-factor authentication (MFA) to access the AWS Management Console. A user reports that they are unable to sign in even after configuring MFA. What is the most likely cause?

98

An organization wants to use AWS Organizations to centrally manage permissions for multiple accounts. Which IAM feature is used to grant cross-account access within the organization?

99

A developer needs to grant an EC2 instance access to an S3 bucket. Which is the most secure way to provide credentials to the EC2 instance?

100

A security team notices that an IAM user has permissions to launch EC2 instances but should not have access to certain instance types. Which IAM policy condition key should be used to restrict this?

101

Which IAM entity can be used to delegate permissions to an AWS service to perform actions on your behalf?

102

A company has a policy that all IAM users must rotate their access keys every 90 days. How can this be enforced?
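The access-key rotation and MFA stems above (keys not rotated for 90 days, console users without MFA) are usually checked against the IAM credential report, which is also what the managed AWS Config rule access-keys-rotated evaluates. The following is an added example, not part of the Courseiva page: a Python check over a constructed credential report in the column layout returned by `aws iam get-credential-report`. The users, account ID and dates are made up, and the evaluation date is fixed so the computed ages are reproducible.

```python
# Added example, not from the Courseiva page: flag stale active access keys, console users
# without MFA, and root access keys in an IAM credential report. The report below is a
# constructed sample in the layout of `aws iam get-credential-report`; the CLI returns the
# CSV base64-encoded in the Content field, so decode it before feeding it to audit().
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2021-03-01T00:00:00+00:00,not_supported,2025-11-02T09:15:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-05-10T08:00:00+00:00,true,2026-01-10T12:00:00+00:00,2025-10-01T08:00:00+00:00,N/A,false,true,2025-09-01T08:00:00+00:00,2026-01-09T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-backup,arn:aws:iam::111111111111:user/svc-backup,2022-01-20T08:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-12-01T08:00:00+00:00,2026-01-14T03:00:00+00:00,us-east-1,s3,true,2025-03-15T08:00:00+00:00,2025-06-30T03:00:00+00:00,us-east-1,s3,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2024-02-02T08:00:00+00:00,true,2026-01-12T12:00:00+00:00,2025-12-20T08:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed evaluation time so the key ages below are reproducible (constructed).
NOW = datetime(2026, 1, 15, 12, tzinfo=timezone.utc)


def audit(report_csv, now=NOW, max_key_age_days=90):
    """Return (user, finding) pairs: console password without MFA, active access keys
    older than max_key_age_days, and any active access key on the root user."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # password_enabled is "not_supported" for root, so root is skipped here by design
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root user has active access key {n}"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

This is detection, not enforcement: the report tells you which keys to rotate or deactivate, and a user who may rotate their own keys needs only iam:CreateAccessKey, iam:UpdateAccessKey, iam:DeleteAccessKey and iam:ListAccessKeys scoped to their own user ARN.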

103

A security architect is designing a system where an S3 bucket must be accessed by users from multiple AWS accounts. The solution must use the principle of least privilege. Which approach should be used?

104

Which TWO actions can be used to restrict access to an S3 bucket to only users who authenticate using multi-factor authentication (MFA)? (Choose TWO.)

105

Which THREE statements about IAM roles are correct? (Choose THREE.)

106

Which TWO IAM policy conditions can be used to enforce that API calls originate from a specific AWS region? (Choose TWO.)

107

A company wants to allow a third-party auditor to read objects in an S3 bucket for a limited time. The auditor does not have an AWS account. What is the most secure way to grant this access?

108

A developer needs to allow an EC2 instance to access an S3 bucket. Which is the best practice for granting permissions?

109

A security engineer notices that an IAM user has permissions to create new IAM users and attach policies. What is the most effective way to detect if this user created a backdoor user?

110

An organization wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which policy should be used?

111

A company uses AWS Organizations and wants to restrict all IAM users in member accounts from using the Amazon EC2 RunInstances API unless they have MFA. What is the most efficient way to enforce this?

112

A security team wants to grant a Lambda function access to read from a DynamoDB table in the same account. What is the most secure way to do this?

113

A company wants to allow users to assume a role in another AWS account to access a specific S3 bucket. What must be configured?

114

An administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance in a specific VPC. The user has the AmazonEC2FullAccess policy attached. What is the most likely cause?

115

A company uses AWS SSO to manage access to multiple accounts. An employee leaves the company. What is the most efficient way to revoke all AWS access for that employee?

116

A security engineer is designing a system to allow an EC2 instance to write logs to an S3 bucket. Which TWO steps are required?

117

An organization wants to enforce that all IAM users must use MFA to access the AWS API. Which TWO steps should be taken?

118

A company wants to grant a set of developers the ability to launch EC2 instances but only in a specific subnet. Which THREE steps should be taken?

119

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What should the security team do to enforce this requirement?

120

An AWS Lambda function needs to read from a DynamoDB table. What is the best practice for granting the Lambda function the necessary permissions?

121

A security engineer is troubleshooting an issue where an IAM policy allows access to S3 but the user is denied access to a specific bucket. The policy has the following statement: { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } What is the most likely cause of the denial?

122

A company wants to allow cross-account access to an S3 bucket in Account A for a user in Account B. What is the correct combination of steps?

123

An application running on an EC2 instance needs to access an S3 bucket. What is the most secure way to grant the EC2 instance the necessary permissions?

124

A security team needs to audit all changes to IAM resources in their AWS account. Which AWS service should they use?

125

An IAM user reports that they are unable to launch an EC2 instance in a specific VPC. The user has an IAM policy that allows ec2:RunInstances for all resources. The VPC has a network ACL that allows all inbound and outbound traffic. What is the most likely cause of the failure?

126

A company wants to grant an IAM user the ability to rotate their own access keys. What is the least privileged IAM policy that allows this?

127

A company uses AWS Organizations and wants to restrict all IAM users in all accounts from using the AWS Management Console. What is the most effective way to achieve this?

128

Which TWO actions are valid ways to grant an IAM user in Account A access to an S3 bucket in Account B? (Choose 2.)

129

Which TWO are valid IAM identity-based policies? (Choose 2.)

130

Which THREE are valid ways to restrict access to an S3 bucket using IAM policies? (Choose 3.)

131

Which TWO are characteristics of an IAM role? (Choose 2.)

132

A company has a multi-account AWS Organizations setup with a central security account (Account ID: 111122223333) and several member accounts. The security team uses AWS CloudTrail to log all API calls across accounts and stores the logs in an S3 bucket (my-cloudtrail-bucket) in the security account. The team wants to allow the security team members (IAM users in the security account) to access the CloudTrail logs, while denying access to all other users in the organization, including the root user of the security account. The security team has attached the following IAM policy to the IAM group containing the security team members: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*" } ] } However, a security team member reports that they are receiving an AccessDenied error when trying to download a log file. The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*" }, { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "111122223333" } } } ] } What is the most likely reason for the AccessDenied error?

133

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The Lambda function is configured with an execution role that has the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] } The Lambda function is also configured with an SQS trigger that uses the same queue. The function code tries to send a message to an Amazon SNS topic, but the send fails with an AccessDenied error. What is the most likely cause?

134

A company wants to grant a Lambda function access to write logs to CloudWatch Logs in the same AWS account. What is the BEST practice for granting this permission?

135

A security engineer notices that an IAM user, 'svc-backup', has full S3 access (s3:*) to all buckets. The engineer wants to restrict the user to only put objects into a specific bucket named 'mycompany-backup' and deny all other S3 actions. Which IAM policy should be attached?

136

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in the member accounts must have multi-factor authentication (MFA) enabled to access the AWS Management Console. Which approach should be used?

137

A developer needs to allow an EC2 instance to read from a DynamoDB table named 'Orders' in the same account. The security team requires that the permissions be granted using an instance profile. Which steps should be taken?

138

A security engineer needs to allow an IAM user to rotate their own access keys. Which TWO IAM actions must be allowed in the user's policy? (Choose TWO.)

139

A company has an S3 bucket that contains sensitive data. The security team wants to enforce that all access to the bucket must use HTTPS and that requests originating from outside the corporate network (as defined by a specific IP range 203.0.113.0/24) must be denied. Which THREE conditions should be included in the S3 bucket policy? (Choose THREE.)
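The condition-key stems above (aws:SecureTransport, the MFA-enforcement questions, aws:SourceIp, aws:PrincipalOrgID) all come down to how a Condition block is evaluated against the request context, and the MFA ones hinge on one detail in particular: a call made with a long-term access key carries no aws:MultiFactorAuthPresent key at all, so a Deny written with plain Bool never fires for it, while BoolIfExists does. The following is an added example, not part of the Courseiva page: a Python evaluator for the operators these stems use, run over constructed request contexts. The organization ID, IP addresses and contexts are made up; the code raises rather than guess for negated operators on an absent key.

```python
# Added example, not from the Courseiva page: evaluate an IAM Condition block against a
# request context. The Condition blocks below belong on Deny statements, so True means
# "the Deny fires". Request contexts, org ID and addresses are constructed.
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _operator(op, actual, wanted):
    if op == "Bool":
        return actual.lower() in {w.lower() for w in wanted}
    if op == "StringEquals":
        return actual in wanted
    if op == "StringNotEquals":
        return actual not in wanted
    if op == "StringLike":
        return any(fnmatchcase(actual, w) for w in wanted)
    if op == "IpAddress":
        return any(ip_address(actual) in ip_network(w, strict=False) for w in wanted)
    if op == "NotIpAddress":
        return not any(ip_address(actual) in ip_network(w, strict=False) for w in wanted)
    raise ValueError(f"operator {op} is not modelled")

def condition_holds(condition, context):
    """True when every operator/key pair is satisfied (operators and keys are ANDed,
    several values for one key are ORed)."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = context.get(key)
            if base == "Null":
                # "Null": {"key": "true"} asserts that the key is absent from the request
                if (actual is None) != (wanted[0].lower() == "true"):
                    return False
                continue
            if actual is None:
                if if_exists:
                    continue        # ...IfExists: an absent key counts as satisfied
                if "Not" in base:
                    raise ValueError(f"{base} on an absent key is not modelled here")
                return False        # a plain operator is not satisfied by an absent key
            if not _operator(base, str(actual), wanted):
                return False
    return True

# Condition blocks as they would appear on Deny statements.
MFA_REQUIRED = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
MFA_REQUIRED_WEAK = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}   # the common mistake
FRESH_MFA_ONLY = {"Null": {"aws:MultiFactorAuthAge": "true"}}
HTTPS_ONLY = {"Bool": {"aws:SecureTransport": "false"}}
CORP_NETWORK_ONLY = {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
OWN_ORG_ONLY = {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}   # made-up org ID

# Constructed request contexts: a console session that signed in with MFA, and an API call
# made with a long-term access key, where the MFA keys are absent rather than "false".
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120",
                    "aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.25",
                    "aws:PrincipalOrgID": "o-exampleorgid"}
ACCESS_KEY_CALL = {"aws:SecureTransport": "true", "aws:SourceIp": "198.51.100.7",
                   "aws:PrincipalOrgID": "o-exampleorgid"}

def deny_fires():
    """For each (Deny condition, request) pair: does the Deny apply?"""
    return {
        "mfa_console": condition_holds(MFA_REQUIRED, CONSOLE_WITH_MFA),              # False
        "mfa_access_key": condition_holds(MFA_REQUIRED, ACCESS_KEY_CALL),            # True
        "mfa_weak_access_key": condition_holds(MFA_REQUIRED_WEAK, ACCESS_KEY_CALL),  # False: bypass
        "mfa_age_access_key": condition_holds(FRESH_MFA_ONLY, ACCESS_KEY_CALL),      # True
        "http": condition_holds(HTTPS_ONLY, {"aws:SecureTransport": "false"}),       # True
        "outside_corp": condition_holds(CORP_NETWORK_ONLY, ACCESS_KEY_CALL),         # True
        "inside_corp": condition_holds(CORP_NETWORK_ONLY, CONSOLE_WITH_MFA),         # False
        "other_org": condition_holds(OWN_ORG_ONLY, {"aws:PrincipalOrgID": "o-other"}),  # True
        "own_org": condition_holds(OWN_ORG_ONLY, CONSOLE_WITH_MFA),                  # False
    }
```

The "mfa_weak_access_key" entry is the gap behind the "enforce MFA for API calls" stems: with Bool, access-key traffic is never denied. A Deny built on MFA_REQUIRED also blocks the self-service calls a user needs to enrol a device, which is why such statements carry a NotAction list (iam:ChangePassword, iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ListMFADevices, iam:GetUser and similar) scoped to the user's own ARN.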

140

A developer wants to allow an IAM role to be assumed by an EC2 instance that is part of an Auto Scaling group. Which TWO AWS services or features are required? (Choose TWO.)

141

A company uses AWS KMS to encrypt objects in an S3 bucket. The security team wants to ensure that only users with the appropriate KMS key permissions can decrypt objects. Which THREE conditions should be included in the S3 bucket policy to enforce this? (Choose THREE.)

142

An IAM policy allows a user to pass a specific role and launch EC2 instances. The user tries to launch an EC2 instance with the role 'ec2-full-access' but receives an error: 'You are not authorized to perform iam:PassRole'. What is the MOST likely cause?

143

An administrator runs the AWS CLI command shown in the exhibit. What does this command do?

144

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to a fleet of EC2 instances in an Auto Scaling group. The EC2 instances need to read from an Amazon RDS MySQL database and write logs to an S3 bucket. The security team wants to ensure that the EC2 instances have only the minimum required permissions. Currently, the EC2 instances are launched with an IAM role that has an attached policy allowing full S3 access (s3:*) and full RDS access (rds:*). The security team has identified that this is overly permissive and wants to restrict access to only the specific resources needed. Additionally, the team wants to ensure that the EC2 instances can only access the RDS database using SSL/TLS. Which combination of actions should the security team take?

145

A large enterprise uses AWS Organizations to manage multiple accounts. The security team has implemented a Service Control Policy (SCP) at the root level that denies all actions unless the request originates from the corporate IP range (10.0.0.0/8). Recently, a developer in a member account tried to launch an EC2 instance from the AWS Management Console while connected via a VPN that provides an IP address within the corporate range. However, the launch failed with an 'AccessDenied' error. The developer is using an IAM user with full EC2 permissions (ec2:*). The SCP is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"NotIpAddress":{"aws:SourceIp":"10.0.0.0/8"}}}]}. What is the MOST likely reason for the failure?

146

A company has a requirement to grant cross-account access to an S3 bucket named 'shared-data' in Account A (111111111111) to users in Account B (222222222222). The security team has set up a bucket policy in Account A that grants read-only access to the IAM role 'DataReader' in Account B. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::222222222222:role/DataReader"},"Action":["s3:GetObject"],"Resource":"arn:aws:s3:::shared-data/*"}]}. A user in Account B assumes the 'DataReader' role, but when trying to read an object from the bucket, they receive an 'Access Denied' error. What is the MOST likely reason for this error?

147

A company runs a serverless application using AWS Lambda functions that access an Amazon DynamoDB table. The Lambda functions are part of a microservices architecture and need to read and write to the DynamoDB table. The security team wants to ensure that the Lambda functions have the minimum required permissions. Initially, the team attached the AWS managed policy 'AWSLambdaDynamoDBExecutionRole' to the Lambda execution role, but later discovered that this policy grants more permissions than needed. The team decides to create a custom policy with only the required actions: GetItem, PutItem, UpdateItem, and DeleteItem. However, after attaching the custom policy, the Lambda functions start failing with 'AccessDeniedException' when trying to access DynamoDB. The CloudWatch logs show that the Lambda function is unable to write logs to CloudWatch Logs. What is the MOST likely cause of the failures?

148

A company is using Amazon API Gateway to expose a set of REST APIs. The APIs are backed by AWS Lambda functions. The security team wants to control access to the APIs using IAM authorization. The team has created an IAM policy for a group of developers that allows them to invoke the APIs only from within the corporate network (IP range 203.0.113.0/24). The policy is attached to an IAM group, and the developers are members of the group. However, when a developer tries to invoke the API from the corporate network, they receive a '403 Forbidden' error. The API Gateway endpoint is configured with IAM authorization. The IAM policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:us-east-1:123456789012:api-id/*","Condition":{"IpAddress":{"aws:SourceIp":"203.0.113.0/24"}}}]}. What is the MOST likely reason for the failure?

149

A security engineer is designing IAM policies for a data analytics platform that uses Amazon S3, Amazon Athena, and AWS Glue. The platform must allow data scientists to query data in S3 using Athena, but only from specific VPC subnets. Additionally, the data must be encrypted at rest using AWS KMS. Which TWO actions should the engineer take to meet these requirements? (Choose TWO.)

150

A company manages a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all Amazon S3 buckets in the organization are encrypted with AWS KMS customer managed keys (CMKs) and that no unencrypted buckets can be created. They also want to ensure that the encryption settings cannot be changed by account administrators. The team uses AWS CloudTrail to log all S3 API calls and wants to detect any attempts to create unencrypted buckets. The security team creates a service control policy (SCP) that denies s3:PutBucketEncryption and s3:PutBucketPolicy unless the request includes a specific encryption setting. However, they find that a developer in a member account was able to create an unencrypted bucket using the AWS Management Console. The CloudTrail logs show that the bucket was created with the s3:CreateBucket API call without specifying any encryption parameters. What should the security team do to prevent this from happening?

151

A company has an AWS Lambda function that processes sensitive data stored in an Amazon S3 bucket. The Lambda function needs to read objects from the S3 bucket and write results to a different S3 bucket. The security engineer is configuring IAM permissions for the Lambda execution role. The engineer wants to follow the principle of least privilege. The Lambda function is triggered by S3 events from the source bucket. The engineer creates an IAM policy that grants s3:GetObject on the source bucket and s3:PutObject on the destination bucket. However, when testing, the Lambda function fails with an access denied error when trying to process an object. The error message indicates that the Lambda function does not have permission to list the objects in the source bucket. The engineer checks the S3 event notification configuration and confirms that the event is configured correctly. What should the engineer do to resolve the issue?

152

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes financial transactions and must store transaction logs in an Amazon S3 bucket. The security team requires that all API calls to AWS services are logged and that the logs are stored in a secure, tamper-proof manner. The team enables AWS CloudTrail to log management events and Amazon S3 server access logs for the S3 bucket. They also enable AWS Config to track resource changes. The compliance team wants to ensure that no one can disable CloudTrail logging or delete the CloudTrail log files. The security engineer proposes a solution using an SCP in AWS Organizations to deny actions that would disable CloudTrail or delete log files. However, the engineer is concerned that the SCP might be applied too broadly and affect legitimate administrative actions. The engineer wants to ensure that only the security team’s IAM role (SecurityAdminRole) can perform these restricted actions, while all other principals (including IAM users, roles, and the root user) are denied. The engineer creates an SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the CloudTrail S3 bucket. The SCP includes a condition that allows the action if the principal is SecurityAdminRole. However, after applying the SCP, the security team finds that even SecurityAdminRole is unable to stop CloudTrail logging. What is the most likely cause of this issue?

153

A company wants to allow its development team to have full access to Amazon S3 buckets that are tagged with 'Environment: Dev'. Which IAM policy element should be used to restrict access based on tags?

154

A security engineer is troubleshooting an issue where an IAM role used by an EC2 instance cannot access an S3 bucket, even though the role has an attached policy that grants s3:GetObject on the bucket. The bucket policy does not explicitly deny access. What is the most likely cause?

155

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all users must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

156

A company is designing an IAM policy to grant a group of developers access to manage EC2 instances and RDS databases. Which TWO actions should be included to follow the principle of least privilege?

157

A security engineer is reviewing an IAM policy that allows access to an S3 bucket. The policy includes a condition that checks 'aws:SourceIp'. However, users report they can still access the bucket from IP addresses not in the allowed list. Which THREE possible reasons could explain this behavior?

158

A company wants to allow a Lambda function to read messages from an SQS queue and write logs to CloudWatch Logs. Which TWO IAM actions should be included in the Lambda execution role?

159

Refer to the exhibit. An IAM policy is attached to a user. The user is trying to download an object from 'example-bucket' from an IP address of 10.1.1.1. What will happen?

160

Refer to the exhibit. A security engineer runs the 'simulate-custom-policy' command to test a policy. The output shows 'explicitDeny' for ec2:RunInstances. What is the most likely reason?

161

Refer to the exhibit. This IAM policy is attached to a user. The user attempts to assume the AdminRole without using MFA. What is the result?

162

A company uses AWS Organizations and wants to delegate administration of IAM Access Analyzer to a member account. Which AWS service should be used to enable this delegation?

163

A security engineer needs to ensure that an IAM role can only be assumed by a specific EC2 instance. The instance has a tag 'Environment=Production'. Which condition key should be used in the trust policy of the role?

164

A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. The role is used by an application running on an EC2 instance. The application is unable to access the bucket, but the role can access other resources. What is the most likely cause?

165

Refer to the exhibit. This is an S3 bucket policy. The CrossAccountRole in account 111111111111 has an IAM policy that allows s3:GetObject on 'my-bucket'. A user in account 111111111111 assumes the role and tries to get an object. What will happen?

166

A company needs to provide temporary credentials to mobile app users to access AWS resources. Which AWS service should be used to issue these credentials?

167

A security engineer discovers that an IAM policy allows 'iam:CreateUser' and 'iam:CreateAccessKey' for all users in the account. Which risk does this pose?

168

A company wants to allow an IAM user to list only the objects in a specific S3 bucket named 'my-bucket'. Which IAM policy statement should be used?

169

A security engineer is investigating an IAM role that was used to access AWS resources from an external account. The role has a trust policy that allows the external account to assume it. Which of the following is a required step for the external account to use the role?

170

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must have a password policy that requires a minimum length of 14 characters. How can this be achieved centrally?

171

A developer needs to grant an EC2 instance read-only access to an S3 bucket. Which of the following is the most secure way to provide these permissions?

172

An IAM policy grants access to a DynamoDB table with a condition that the request must originate from a specific VPC endpoint. However, requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

173

A company uses cross-account IAM roles to allow a third-party auditor to access a specific S3 bucket. The auditor reports that they are getting 'Access Denied' errors when trying to list objects. The bucket policy allows access to the auditor's account. What additional configuration is needed?

174

A security administrator needs to ensure that all IAM users in the account use multi-factor authentication (MFA) to access the AWS Management Console. What is the most effective way to enforce this?

175

A company has an IAM policy that allows a user to launch EC2 instances only in a specific Availability Zone (us-east-1a). The user is able to launch instances, but the instances are launched in us-east-1b instead. What is the most likely reason?

176

An organization uses AWS KMS to encrypt S3 objects. They want to allow a developer to decrypt objects only if the request comes from a specific IP address range. Which IAM policy condition should be used?

177

A company wants to grant an IAM user the ability to manage (create, update, delete) their own access keys. Which TWO IAM actions must be allowed in the policy?

178

A security engineer needs to design a system where an EC2 instance can write logs to a CloudWatch log group. Which TWO steps are required?

179

A company wants to enforce that all IAM users in an AWS Organization must have a password policy that includes a minimum length of 12 characters. Which THREE steps are part of implementing this using SCPs?

180

An IAM user has the policy shown in the exhibit. The user tries to launch an m5.large instance in us-east-1, but gets an 'AccessDenied' error. Why does this happen?

181

An IAM administrator ran the simulate-custom-policy command shown in the exhibit. The result shows an 'explicitDeny' for s3:ListBucket. What is the most likely reason?

182

An IAM policy allows the iam:PassRole action for a specific role only when the role is passed to EC2. A developer tries to launch an EC2 instance with this role, but fails. What is the most likely missing permission?

183

A security engineer is designing an IAM policy to allow an application running on an EC2 instance to read objects from a specific S3 bucket (my-bucket) and write objects to a different S3 bucket (my-other-bucket). The application uses an IAM role with the following trust policy. Which additional policy should be attached to the role to meet the requirements with least privilege?

184

A developer needs to grant an IAM user the ability to manage their own password and access keys, but not any other IAM users. Which IAM policy should be used?

185

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no IAM user can have an access key older than 90 days. What is the MOST efficient way to achieve this?
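The access-key-age and MFA requirements raised in the questions above are the kind of thing the IAM credential report is audited for. What follows is an added example, not code from Courseiva or AWS: it parses a constructed report laid out exactly as the real CSV is (same column names, and the N/A, no_information and not_supported placeholders the report uses where no value applies) and flags active keys older than a threshold plus password-enabled users without MFA. The user names, account ID and timestamps are made up, and the reference time is fixed so the computed ages are reproducible; in practice the report comes from `aws iam get-credential-report`, base64-encoded.

```python
"""Audit an IAM credential report for stale access keys and console users without
MFA. Added example, not the page's or AWS's code. SAMPLE_REPORT is constructed but
uses the real report's column names and value conventions (ISO 8601 timestamps;
N/A, no_information, not_supported as placeholders)."""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-10T08:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-05-02T10:00:00+00:00,true,2024-05-30T07:45:00+00:00,2024-02-01T10:00:00+00:00,N/A,true,true,2023-05-02T10:05:00+00:00,2024-05-30T07:50:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-12-01T12:00:00+00:00,true,no_information,2024-04-15T12:00:00+00:00,N/A,false,true,2024-05-01T12:00:00+00:00,N/A,N/A,N/A,true,2024-01-20T12:00:00+00:00,2024-05-29T16:00:00+00:00,eu-west-1,ec2,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-11-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-11-01T00:00:00+00:00,2024-05-31T02:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference time (made up) so the ages below are reproducible.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)
PLACEHOLDERS = {"N/A", "no_information", "not_supported", ""}


def _timestamp(value):
    """Aware datetime, or None for one of the report's placeholder values."""
    return None if value in PLACEHOLDERS else datetime.fromisoformat(value)


def _rows(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def find_stale_keys(report_csv, as_of=AS_OF, max_age_days=90):
    """(user, key slot, age in days) for every active key rotated too long ago."""
    stale = []
    for row in _rows(report_csv):
        for slot in ("1", "2"):  # the report has two access-key slots per user
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (as_of - rotated).days
            if age > max_age_days:
                stale.append((row["user"], slot, age))
    return stale


def console_users_without_mfa(report_csv):
    """Users who can sign in with a password but have no active MFA device."""
    return [row["user"] for row in _rows(report_csv)
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]
```

Inactive keys are skipped on purpose: a deactivated key that is never deleted still shows a rotation date, but it cannot be used, so it belongs in a separate hygiene report rather than the rotation finding.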

186

A company wants to allow an external auditor to assume a read-only role in their AWS account. The auditor's AWS account ID is 123456789012. Which trust policy should be attached to the role?

187

A security engineer needs to design an IAM policy that allows an IAM user to launch EC2 instances only if they specify a specific security group ID (sg-12345) and a specific instance type (t2.micro). Which policy achieves this?

188

A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. However, users who assume that role are unable to list objects in the bucket. The bucket policy includes a Principal element set to the role ARN. What is the MOST likely cause?

189

An administrator needs to allow a Lambda function to write logs to CloudWatch Logs. What is the BEST way to grant these permissions?

190

A company is using AWS Organizations and wants to delegate administrative tasks for a specific OU to another account. Which feature should be used?

191

A security engineer is analyzing an IAM policy that is attached to a group. The policy is intended to allow users to manage their own credentials. However, users are reporting that they cannot change their password. The policy is: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"], "Resource": "*" } ] } What is the issue?

192

A company needs to implement a cross-account access strategy where users in Account A can assume a role in Account B. Which TWO steps are necessary? (Choose TWO.)

193

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The role must be able to read from an S3 bucket (my-bucket) and write to CloudWatch Logs. Which THREE conditions must be met for the role to have effective permissions? (Choose THREE.)

194

Which TWO of the following are best practices for managing IAM user credentials? (Choose TWO.)

195

A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be logged in AWS CloudTrail and that all requests must be authenticated using IAM credentials. Which S3 bucket policy statement should be added to enforce these requirements?

196

A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table. The function is deployed in a VPC with no internet access. What is the MOST secure way to grant the Lambda function access to DynamoDB?

197

An AWS administrator needs to allow an IAM user to manage their own password and access keys. Which IAM policy action should be included?

198

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys. Which policy type should be used to enforce this restriction across all accounts?

199

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the IAM role attached to the instance has an Allow policy for s3:GetObject. The S3 bucket policy includes a Deny statement with the condition 'aws:SourceIp': ['10.0.0.0/8']. What is the likely cause of the failure?

200

A company needs to grant cross-account access to an S3 bucket in Account A to users in Account B. What is the recommended approach?

201

An organization is using IAM roles for EC2 instances. The security team needs to ensure that each EC2 instance can only assume a specific role based on tags. Which feature should be used?

202

A developer is trying to upload a file to an S3 bucket using the AWS CLI, but receives an 'AccessDenied' error. The IAM policy attached to the user includes 's3:PutObject' on the bucket. The bucket policy has a Deny statement with the condition 'aws:Referer': ['example.com']. The CLI command does not include a referer header. What is the cause of the error?

203

A company needs to allow an external auditor to access a specific S3 bucket for 30 days. The auditor does not have an AWS account. What is the MOST secure way to grant temporary access?

204

A security engineer is designing a solution to allow a Lambda function to write logs to CloudWatch Logs. Which TWO actions are required in the IAM execution role? (Choose TWO.)

205

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users must have MFA enabled. Which TWO methods can be used to enforce this? (Choose TWO.)

206

Which THREE are valid methods for authenticating to AWS APIs? (Choose THREE.)

207

Refer to the exhibit. A user has this IAM policy attached. They attempt to download an object from example-bucket using the AWS CLI without specifying server-side encryption. Will the request succeed?

208

Refer to the exhibit. An EC2 instance with an IAM role attached attempts to access an S3 bucket, but receives an 'AccessDenied' error. The role has an attached policy allowing s3:GetObject on the bucket. What is the most likely cause?

209

Refer to the exhibit. An IAM user has this policy attached. Can the user create a new IAM user in the us-east-1 region?

210

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application accesses an S3 bucket to store user uploads. The security team needs to ensure that the EC2 instances can access the S3 bucket without storing AWS credentials on the instances. What should the security team do?

211

A security engineer is designing a cross-account IAM role to allow users in Account A to access resources in Account B. The engineer wants to restrict access to only users who have authenticated with multi-factor authentication (MFA) in Account A. What condition key should the engineer use in the trust policy of the IAM role in Account B?

212

A company's security policy requires that all IAM users must use strong passwords. Which IAM feature should be used to enforce this requirement?

213

A developer is trying to push an image to Amazon ECR but receives an 'AccessDeniedException' error. The developer's IAM user has the 'AmazonEC2ContainerRegistryPowerUser' managed policy attached. What is the most likely reason for the failure?

214

A security engineer is configuring a VPC endpoint for Amazon S3 and wants to ensure that only traffic from specific IAM roles can access the S3 bucket through the endpoint. Which policy element should the engineer use?

215

An IAM policy includes the following statement: 'Effect': 'Deny', 'Action': 's3:*', 'Resource': '*', 'Condition': {'Bool': {'aws:SecureTransport': 'false'}}. What does this policy do?

216

A company wants to allow users from an external AWS account to assume an IAM role in its account. What must be configured in both accounts?

217

A security auditor notices that an IAM role has a policy that grants 'iam:PassRole' to a specific EC2 instance profile. What is the security implication of this permission?

218

A company has an S3 bucket with a bucket policy that grants access to an IAM role used by an application running on EC2. The application is unable to read objects from the bucket, even though the IAM role has the necessary permissions. What is the most likely cause?

219

A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which TWO conditions must be configured?

220

An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::example-bucket/*', 'Condition': {'IpAddress': {'aws:SourceIp': '192.0.2.0/24'}}. Which TWO statements about this policy are correct?

221

A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the company take?

222

Refer to the exhibit. An IAM policy allows running EC2 instances. A developer tries to launch a t2.micro instance but receives an 'AccessDenied' error. What is the most likely reason?

223

Refer to the exhibit. A developer is trying to list objects in a Google Cloud Storage bucket from an AWS environment. What is the most likely cause of the error?

224

Refer to the exhibit. This trust policy is attached to an IAM role. What does it allow?

225

A company is using IAM roles to grant EC2 instances access to an S3 bucket. The security team wants to ensure that the instances can only access their own bucket. Which policy should be attached to the IAM role to enforce this?

226

A developer needs to allow an IAM user to manage their own password in the AWS Management Console. Which IAM policy should be attached to the user?

227

A company has multiple AWS accounts and wants to allow a user in the production account to assume a role in the development account. The role in the development account has a trust policy that allows the production account to assume it. What additional configuration is required?

228

An organization wants to enforce multi-factor authentication (MFA) for all IAM users who perform sensitive actions. Which condition key should be used in an IAM policy to require MFA?

229

A security engineer notices that an IAM role allows an EC2 instance to access a DynamoDB table. The instance is compromised. What is the best way to immediately revoke the instance's access without affecting other resources that use the same role?

230

A company wants to allow a Lambda function to read objects from an S3 bucket in the same account. What should be done?

231

An administrator wants to audit all IAM actions in the account. Which AWS service should be used?

232

A company has an S3 bucket with a bucket policy that grants access to an IAM role. The security team wants to restrict access to only requests that originate from the company's VPC. How can this be achieved?

233

Which IAM entity can be used to grant temporary access to AWS resources for users from a different AWS account?

234

Which TWO actions are valid ways to grant an IAM user access to an S3 bucket owned by another AWS account? (Choose TWO.)

235

Which THREE are best practices for securing IAM in an AWS environment? (Choose THREE.)

236

Which TWO services can be used to manage identity and access across multiple AWS accounts? (Choose TWO.)

237

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that any new account created in the organization automatically has an S3 bucket policy that blocks public access. What is the most efficient way to enforce this requirement?

238

A developer needs to access an S3 bucket from an EC2 instance. The developer creates an IAM role with the necessary S3 permissions and attaches it to the instance profile. However, applications running on the instance still cannot access the bucket. What is the most likely cause?

239

A company wants to allow its users to assume an IAM role in a different AWS account. What must the company configure to enable cross-account access?

240

A security engineer notices that a developer's IAM user has full administrator access. The engineer wants to implement the principle of least privilege for the developer. What is the best way to proceed?

241

A company uses AWS IAM Identity Center (SSO) for managing access to multiple AWS accounts. A user reports that they can log in to the SSO portal but cannot see any AWS accounts in their dashboard. What is the most likely cause?

242

A company wants to allow an external auditor to read all objects in a specific S3 bucket for a limited time. What is the most secure way to grant this access?

243

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. What is the most effective way to enforce this?

244

A company uses AWS Organizations with a service control policy (SCP) that denies all IAM actions unless the request comes from a specific IP address range. A security administrator needs to create a new IAM role for a service that runs on-premises, but the request is being denied. What should the administrator do?

245

A developer is trying to use the AWS CLI to list objects in an S3 bucket but receives an AccessDenied error. The developer has an IAM user with a policy that allows s3:ListBucket on the bucket. What could be causing the error?

246

A security engineer is designing a system to manage access to an S3 bucket containing confidential data. Which TWO actions should the engineer take to implement least privilege?

247

A company has a requirement that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should the company take to enforce this?

248

A company wants to allow an IAM role from Account A to access an S3 bucket in Account B. Which THREE conditions must be met?

249

Refer to the exhibit. An IAM user has this policy attached. The user tries to download an object from the S3 bucket using the AWS CLI from an on-premises server with IP address 198.51.100.50. What will happen?

250

Refer to the exhibit. An EC2 instance is launched with an instance profile that references this role. The application on the instance tries to list objects in 'my-bucket' but receives an AccessDenied error. What is the most likely cause?

251

Refer to the exhibit. An IAM user 'ExternalUser' from account 111111111111 tries to assume the role 'MyRole' in account 123456789012 but receives an error. The user has a policy that allows sts:AssumeRole. What is the most likely reason for the failure?

252

A security engineer needs to grant an IAM user in Account A (111111111111) access to an S3 bucket in Account B (222222222222). The bucket policy in Account B allows cross-account access from Account A. Which additional step is required?

253

A company uses AWS Organizations with SCPs. The SCP for the production OU denies all actions on DynamoDB. An IAM policy attached to a user in that OU allows dynamodb:PutItem. What is the effective access?

254

A developer needs to run an application on an EC2 instance that accesses an S3 bucket. What is the best practice for granting permissions?

255

An IAM policy has the following statement: { "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:SecureTransport": "false" } } }. What does this policy do?
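The production-OU SCP question, the corporate-IP SCP question earlier on this page and the Bool versus BoolIfExists statements just above all come down to IAM's evaluation order and to how a condition behaves when its key is missing from the request context. The following is an added example, not code from Courseiva or AWS: a small Python model of that order that runs offline on constructed policies. The DynamoDB table ARN, account ID and user name are made up; the policies are the ones the questions quote, with aws:MultiFactorAuthPresent used for the missing-key case because that key is absent from requests signed with long-term access keys (aws:SecureTransport, by contrast, is always present on S3 requests). One caveat the model leaves out: aws:SourceIp is the public address the API endpoint sees, so a private VPN address never matches it, and AWS's documented version of such a Deny pairs NotIpAddress with "Bool": {"aws:ViaAWSService": "false"}.

```python
"""Toy model of the IAM evaluation order; an added example, not the AWS engine.
Modelled rules, in the order IAM applies them: an explicit Deny in any applicable
policy wins; an SCP must allow; a permissions boundary, if present, must allow;
then an identity or resource policy must allow. Same-account requests only;
action matching is case-sensitive here, unlike IAM."""
import ipaddress
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, ctx):
    """All operator/key pairs must hold; values listed for one key are OR-ed.
    A missing context key fails, except for *IfExists operators, which match."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[:-8] if if_exists else op
        for key, wanted in pairs.items():
            wanted = [str(w).lower() for w in _as_list(wanted)]
            if key not in ctx:
                if if_exists:
                    continue
                return False
            have = str(ctx[key]).lower()
            if base in ("StringEquals", "Bool"):
                ok = have in wanted
            elif base in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(have)
                in_range = any(addr in ipaddress.ip_network(w) for w in wanted)
                ok = in_range if base == "IpAddress" else not in_range
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def _applies(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_ok(stmt.get("Condition", {}), ctx))


def _decision(policies, action, resource, ctx):
    """'Deny' if any statement denies, else 'Allow' if any allows, else 'Implicit'."""
    result = "Implicit"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                result = "Allow"
    return result


def evaluate(action, resource, ctx, identity=(), resource_policies=(),
             scps=(), boundary=None):
    """Return (allowed, reason). Passing no SCPs stands for the default FullAWSAccess."""
    scp = _decision(scps, action, resource, ctx) if scps else "Allow"
    bound = _decision([boundary], action, resource, ctx) if boundary else "Allow"
    ident = _decision(identity, action, resource, ctx)
    res = _decision(resource_policies, action, resource, ctx)
    if "Deny" in (scp, bound, ident, res):
        return False, "explicit Deny"
    for stage, verdict in (("SCP", scp), ("permissions boundary", bound)):
        if verdict != "Allow":
            return False, f"{stage} does not allow"
    if "Allow" in (ident, res):
        return True, "allowed"
    return False, "implicit deny"


def _doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


FULL_AWS_ACCESS = _doc({"Effect": "Allow", "Action": "*", "Resource": "*"})
TABLE = "arn:aws:dynamodb:us-east-1:111111111111:table/orders"  # made-up ARN


def scp_versus_identity():
    """Production-OU SCP denying dynamodb:* beats an identity Allow on PutItem."""
    scp = _doc({"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"})
    allow = _doc({"Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": TABLE})
    return evaluate("dynamodb:PutItem", TABLE, {}, identity=[allow],
                    scps=[FULL_AWS_ACCESS, scp])


def require_mfa(operator, ctx):
    """Deny iam:DeleteUser when MFA is absent. With long-term access keys the key
    aws:MultiFactorAuthPresent is missing, so a plain Bool Deny never matches."""
    allow = _doc({"Effect": "Allow", "Action": "iam:*", "Resource": "*"})
    deny = _doc({"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*",
                 "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}})
    return evaluate("iam:DeleteUser", "arn:aws:iam::111111111111:user/bob", ctx,
                    identity=[allow, deny])


def corporate_ip_scp(source_ip):
    """Root-level SCP from the question above: deny everything outside 10.0.0.0/8."""
    scp = _doc({"Effect": "Deny", "Action": "*", "Resource": "*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}})
    allow = _doc({"Effect": "Allow", "Action": "ec2:*", "Resource": "*"})
    return evaluate("ec2:RunInstances", "*", {"aws:SourceIp": source_ip},
                    identity=[allow], scps=[FULL_AWS_ACCESS, scp])
```

The three scenario functions are the point of the model: `scp_versus_identity()` returns an explicit Deny even though the identity policy allows the call, `require_mfa("Bool", {})` is allowed while `require_mfa("BoolIfExists", {})` is denied, and `corporate_ip_scp` flips from allowed to denied as the source address leaves 10.0.0.0/8.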

256

A security engineer is troubleshooting an IAM policy that is not working as expected. The policy allows ec2:StartInstances and ec2:StopInstances but the user gets an access denied error when trying to stop an instance. What is the most likely cause?

257

A company wants to grant cross-account access to an S3 bucket. The bucket policy allows access from account 111111111111. An IAM user in account 111111111111 has a policy allowing s3:GetObject on that bucket. However, the user gets AccessDenied. What is the most likely reason?
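Several questions on this page turn on the same cross-account S3 pattern: the bucket policy in the owning account and the identity policy on the principal in the calling account must both allow the action, and s3:ListBucket is evaluated against the bucket ARN while s3:GetObject is evaluated against an object ARN, so a statement written on bucket/* never covers listing. The following is an added example, not code from Courseiva or AWS: a static lint over policy documents that reports which side of the pattern is missing. The bucket name, role ARN and account ID come from the shared-data question earlier on the page; the object key and the "fixed" policies are constructed. It deliberately ignores conditions, explicit Denies, S3 Object Ownership and KMS key policies, any of which can still produce Access Denied after both Allows are in place.

```python
"""Static checks for cross-account S3 access; an added example, not the page's
or AWS's code. Both sides must allow: the bucket policy in the owning account
and an identity policy in the caller's account. Listing uses the bucket ARN,
object reads use bucket/*. Denies, conditions, Object Ownership and KMS key
policies are not checked. The object key and 'fixed' policies are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_covers(principal, principal_arn):
    """Match '*', the exact ARN, or its account as a bare ID or :root ARN."""
    if principal == "*":
        return True
    account = principal_arn.split(":")[4]
    accepted = ("*", principal_arn, account, f"arn:aws:iam::{account}:root")
    return any(v in accepted for v in _as_list(principal.get("AWS", [])))


def _allows(doc, action, resource, principal_arn=None):
    """True if an Allow statement matches action, resource and (if given) principal."""
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn and not _principal_covers(stmt.get("Principal", {}), principal_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            return True
    return False


def lint(bucket, principal_arn, bucket_policy, identity_policies,
         actions=("s3:ListBucket", "s3:GetObject")):
    """Findings for the principal listing/reading the bucket; [] means complete."""
    findings = []
    for action in actions:
        # ListBucket is checked against the bucket ARN; object actions against an
        # object ARN (made-up key), which a bucket/* resource covers and a bare
        # bucket ARN does not.
        if action == "s3:ListBucket":
            resource = f"arn:aws:s3:::{bucket}"
        else:
            resource = f"arn:aws:s3:::{bucket}/data/part-0001.csv"
        if not _allows(bucket_policy, action, resource, principal_arn):
            findings.append(f"bucket policy: no Allow for {principal_arn} on {action} {resource}")
        if not any(_allows(p, action, resource) for p in identity_policies):
            findings.append(f"identity policy: no Allow for {action} {resource}")
    return findings


BUCKET = "shared-data"
ROLE = "arn:aws:iam::222222222222:role/DataReader"

# Bucket policy as quoted in the shared-data question: object reads only.
BUCKET_POLICY_FROM_QUESTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": ["s3:GetObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

# Common mistake: ListBucket written against the object ARN.
BROKEN_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

FIXED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"}]}

FIXED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "s3:ListBucket",
     "Resource": f"arn:aws:s3:::{BUCKET}"}]}


def question_scenario():
    """Role with no identity policy: the bucket side passes, the identity side does not."""
    return lint(BUCKET, ROLE, BUCKET_POLICY_FROM_QUESTION, [], actions=("s3:GetObject",))


def broken_listing():
    return lint(BUCKET, ROLE, BUCKET_POLICY_FROM_QUESTION, [BROKEN_ROLE_POLICY])


def fixed():
    return lint(BUCKET, ROLE, FIXED_BUCKET_POLICY, [FIXED_ROLE_POLICY])
```

`broken_listing()` reports two findings, both about s3:ListBucket: the bucket policy never grants it and the role's statement names the wrong ARN shape, which is the ListBucket-on-bucket/* mistake several of the questions describe.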

258

Which IAM feature allows you to grant temporary, limited-privilege credentials for a specific role?

259

An IAM policy includes: { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/MyRole" }. What does this allow?

260

A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. What is the best way to achieve this?

261

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The instance is launched in a VPC with a VPC endpoint for S3. The IAM role has a policy that grants s3:GetObject on the bucket. However, the application on the instance receives 'Access Denied' errors when trying to read objects. What is the MOST likely cause?

262

A security engineer is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a policy that allows sts:AssumeRole. The user receives an error: 'Access denied: User is not authorized to perform sts:AssumeRole.' What is the MOST likely cause?

263

A company wants to grant temporary credentials to mobile app users to access their own data in an S3 bucket. Which AWS service should be used to achieve this securely?

264

An organization has a production AWS account and a development AWS account. Developers need to access the production account from the development account using IAM roles. What is the MOST secure way to set this up?

265

A security engineer is designing a permissions boundary for an IAM user. Which TWO statements about permissions boundaries are correct?

266

A company wants to enforce that all IAM users use MFA. Which THREE actions should be taken to achieve this?

267

A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which TWO steps are required?

268

A company has an S3 bucket with a bucket policy that allows access to a specific IAM role. However, users who assume the role still get access denied. Which THREE factors could cause this?

269

Refer to the exhibit. An IAM policy is attached to a group. A user in the group accesses the S3 bucket from an IP address 203.0.113.5 using HTTPS. What will be the result?

270

A company uses AWS Organizations with multiple accounts. The security team has created an SCP that denies access to all DynamoDB actions except for the 'prod' account. The SCP is attached to the root OU. The 'prod' account has an IAM role that allows full DynamoDB access. A developer in the 'prod' account tries to create a DynamoDB table but receives an 'AccessDenied' error. The developer has the correct IAM permissions. What is the MOST likely cause and what should be done to resolve the issue?

271

A large enterprise has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all IAM roles in all accounts must have a maximum session duration of 1 hour. They create an SCP that denies creating or updating roles if the MaxSessionDuration is greater than 3600 seconds. The SCP is attached to the root OU. After applying the SCP, the development team reports that they cannot create any new IAM roles, even with a session duration of 1 hour. They are using CloudFormation to create roles. What is the MOST likely reason for the failure?

272

A startup company has a single AWS account and a few IAM users. The CEO wants to ensure that no one can delete an S3 bucket that contains critical data. The security engineer creates an IAM policy that denies s3:DeleteBucket for all users. However, the CEO later finds that the bucket was deleted by a user who had full administrator access. Why did the policy fail to prevent the deletion?

273

A company uses cross-account roles to allow developers in the 'dev' account to access resources in the 'prod' account. The trust policy in 'prod' allows the 'dev' account to assume the role. The developers have an IAM policy that allows sts:AssumeRole on the role ARN. However, when a developer tries to assume the role via the AWS CLI, they get an error that the role cannot be assumed. The developer can list the role using IAM. What is the MOST likely cause?

274

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that an EC2 instance in the same VPC can access the bucket, but an instance in a peered VPC cannot. Both instances have the same IAM role attached. The VPC endpoint is in the first VPC and is shared via a transit gateway. What is the MOST likely reason the second instance cannot access the bucket?

275

A company uses IAM roles for EC2 instances to access DynamoDB. The security team wants to ensure that the instances can only access specific DynamoDB tables. They create an IAM policy that allows dynamodb:GetItem and dynamodb:PutItem on the specific table ARN. The policy is attached to the instance role. However, when an application on the instance tries to read from the table, it receives an 'AccessDeniedException'. The application is using the correct table name. What is the MOST likely cause?

276

A security engineer is designing a CI/CD pipeline that deploys AWS infrastructure using AWS CloudFormation. The pipeline must assume an IAM role in each target account to create and update stacks. Which TWO steps are required to allow cross-account access for CloudFormation? (Choose TWO.)

277

A company has a multi-account AWS organization with centralized logging in a Security account. The Security account contains an S3 bucket that stores CloudTrail logs from all member accounts. The bucket policy allows CloudTrail from member accounts to deliver logs. Recently, a security audit revealed that the bucket is publicly accessible. The security engineer must ensure that only authorized accounts can access the logs. The engineer updates the bucket policy to include a condition that restricts access to specific AWS accounts. However, after the change, member accounts report that CloudTrail is failing to deliver logs to the bucket. The bucket policy currently includes the following statement:

    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-logs/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111111111111"
        }
      }
    }

The Security account ID is 222222222222. What is the MOST likely cause of the delivery failure, and what should the engineer do to fix it?

278

A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table named 'Orders' in the same AWS account. The developer attaches an IAM policy to the Lambda execution role that includes the following statement:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "dynamodb:GetItem",
          "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
        }
      ]
    }

When testing the Lambda function, it fails with an access denied error when trying to read from the table. The developer checks the Lambda function's code and confirms it is calling DynamoDB correctly. What is the MOST likely reason for the access denied error?

279

A company uses AWS Organizations with all features enabled. The security team wants to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if the user does not have MFA. The SCP is attached to the root organizational unit. After a few days, users in a member account report that they can still access the console without MFA. The security team reviews the SCP and finds it is correctly configured. What is the MOST likely reason the SCP is not being enforced?

Frequently asked questions

What does the Identity and Access Management domain cover on the SCS-C02 exam?

The Identity and Access Management domain covers the key concepts tested in this area of the SCS-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SCS-C02 domains — no account required.

How many Identity and Access Management questions are in the SCS-C02 question bank?

The Courseiva SCS-C02 question bank contains 279 questions in the Identity and Access Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Identity and Access Management for SCS-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Identity and Access Management questions for SCS-C02?

Yes — the session launcher on this page draws questions exclusively from the Identity and Access Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
