Practice SCS-C02 Identity and Access Management questions with full explanations on every answer.
Identity and Access Management
1. A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?
2. A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?
3. An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?
4. An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?
5. A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?
6. An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?
7. A solutions architect needs to design a system where an EC2 instance can write logs to CloudWatch Logs. Which IAM entity should be used to grant permissions to the EC2 instance?
8. A security administrator discovers that an IAM user has been deleted accidentally. What is the correct way to restore the user's access?
9. Which TWO actions can be performed using AWS IAM? (Choose two.)
10. Which THREE factors should be considered when designing IAM policies for cross-account access? (Choose three.)
11. Which TWO are valid ways to authenticate to AWS for API calls? (Choose two.)
12. Refer to the exhibit. An IAM policy is attached to a group. An IAM user in that group attempts to stop an EC2 instance from IP address 198.51.100.10. What will happen?
13. Refer to the exhibit. A security engineer runs the command above. Which of the following is true about the role MyRole?
14. A company has a multi-account AWS Organization with three accounts: Management, Development, and Production. The Security team uses the Management account to manage IAM policies centrally. They have created a service control policy (SCP) named 'RestrictRootAccess' that denies all actions for the root user in all accounts. The SCP is attached to the root organizational unit. The Development account has an IAM role 'DevAdmin' with full administrator access via an IAM policy. The role's trust policy allows the Management account's 'SecurityAudit' role to assume it. A security engineer in the Management account assumes the 'SecurityAudit' role and then tries to assume the 'DevAdmin' role in the Development account. The assumption fails with an 'AccessDenied' error. What is the most likely cause?
15. A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the production account must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?
16. A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?
17. A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?
18. An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?
19. A company has a single AWS account with multiple IAM users. The administrator created an IAM policy that allows all users to launch EC2 instances, but only if they use a specific AMI ID (ami-12345678) and a specific instance type (t3.micro). The policy uses a condition that checks the EC2 instance type and AMI ID. However, a user is able to launch an EC2 instance with a different AMI ID and a larger instance type. The administrator reviews the policy and confirms that the condition is correctly written. What is the most likely reason that the policy is not working as expected?
20. A company has an S3 bucket policy that allows cross-account access for a specific IAM role in another account. The bucket policy includes a Principal element with the ARN of the role. However, users in the other account that assume the role are unable to access the bucket. Which of the following is the MOST likely cause?
21. A security engineer is designing a solution to allow an external auditor to access logs in an S3 bucket in the company's AWS account. The auditor does not have an AWS account. The engineer needs to grant read-only access to the specific bucket for a limited time. Which TWO actions should the engineer take? (Choose two.)
22. Drag and drop the steps to implement AWS KMS key rotation in the correct order.
23. Drag and drop the steps to configure AWS CloudTrail for logging across all regions and accounts in the correct order.
24. Match each AWS KMS key type to its description.
25. Match each AWS CloudHSM feature to its description.
26. A company wants to allow an IAM user to manage only their own access keys. Which IAM policy should be attached to the user?
27. A security engineer must ensure that cross-account access to an S3 bucket is restricted to only accounts that are part of a specific AWS organization. Which IAM policy condition key should be used in the bucket policy?
28. An IAM user reports that they are unable to launch an EC2 instance in us-east-1. The IAM policy attached to the user allows ec2:RunInstances but with a condition that the instance type must be t2.micro. What could be the reason for the failure?
29. A company uses IAM roles for EC2 instances. An application running on an EC2 instance needs to read from an S3 bucket in another AWS account. What is the most secure way to grant access?
30. A security engineer notices that an IAM user has permissions that are not explicitly granted through any policy. The engineer suspects that the user might have inherited permissions from a group or role. Which IAM feature should the engineer use to identify the source of these permissions?
31. An administrator needs to grant an IAM user the ability to change their own password without allowing them to change other users' passwords. Which IAM action should be included in the policy?
32. A company has multiple AWS accounts and wants to centrally manage access using IAM Identity Center (AWS SSO). Which feature allows the company to define permissions once and reuse them across multiple accounts?
33. An organization wants to enforce that all IAM users use MFA. The security team creates an IAM policy that denies all actions unless MFA is present. However, some users report they cannot even change their own password to enable MFA. What should the security team do to resolve this?
34. A developer needs to access AWS resources from a mobile app. Which AWS service allows the app to obtain temporary credentials for authenticated users?
35. Which TWO statements are true about IAM roles? (Choose two.)
36. Which THREE are valid ways to grant cross-account access to an S3 bucket? (Choose three.)
37. Which TWO are IAM best practices? (Choose two.)
38. Refer to the exhibit. An IAM policy allows s3:GetObject on an S3 bucket only when the object is encrypted with SSE-KMS. An IAM user with this policy attempts to download an object that is not encrypted. What will happen?
39. Refer to the exhibit. A security engineer runs the IAM Policy Simulator with the provided policy input. The result shows 'explicitDeny' for ec2:RunInstances even though the policy only contains an Allow. What is the most likely reason?
40. Refer to the exhibit. A KMS key policy allows decryption only when the request comes through S3 in us-east-1. An application in account 111122223333 tries to decrypt an S3 object using the KMS key directly via the KMS API (not through S3). What will happen?
41. A developer needs to grant an IAM user access to a specific S3 bucket only. Which IAM policy element should be used to restrict access to that bucket?
42. A company uses AWS Organizations with SCPs to restrict services. An administrator creates an SCP that denies access to EC2. A developer in a member account tries to launch an EC2 instance but fails. What is the most likely reason?
43. A security engineer is designing a cross-account access solution. An IAM role in Account A needs to be assumed by users from Account B. Which two components are required?
44. A company uses IAM roles for EC2 instances to access S3. A security audit reveals that some instances have roles with overly permissive policies. What is the BEST practice to scope down permissions while maintaining functionality?
45. An IAM user needs to rotate their own access keys. Which IAM policy action should be allowed?
46. A security engineer notices that an IAM role for an EC2 instance has a policy that allows s3:PutObject on a bucket. However, the application reports access denied when trying to upload. The bucket policy does not explicitly deny access. What is a likely cause?
47. A company uses AWS IAM Identity Center (AWS SSO) to manage access. A user is assigned to a permission set that grants AdministratorAccess. However, when the user tries to access the AWS console, they receive an error that they are not authorized. What is a possible reason?
48. A security engineer needs to ensure that an IAM role can be assumed only from a specific VPC. Which IAM policy condition key should be used?
49. A company uses IAM roles for cross-account access. Developers in Account A need to assume a role in Account B. What must be true for the AssumeRole call to succeed?
50. Which TWO of the following are valid IAM policy condition keys? (Choose TWO.)
51. Which THREE of the following are best practices for managing IAM access keys? (Choose THREE.)
52. Which TWO of the following are valid use cases for IAM permissions boundaries? (Choose TWO.)
53. A security engineer attaches this policy to an IAM user. The user tries to download an object from the bucket from the IP address 10.1.0.5. What will happen?
54. A security engineer reviews the trust policy of an IAM role. Which accounts can assume this role?
55. A developer creates this CloudFormation stack. An EC2 instance with this role tries to list objects in the bucket. What will happen?
56. A security engineer is reviewing an AWS account and notices that multiple IAM users have full administrative access. The company policy requires that users have only the permissions necessary to perform their job. What is the MOST secure and efficient way to enforce this policy?
57. A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The security team wants to ensure that if the EC2 instance is compromised, the attacker cannot use the role credentials to access resources outside the account. What should the security team do?
58. A developer needs to grant an IAM user temporary access to an S3 bucket for 15 minutes. Which AWS service should be used to generate temporary credentials?
59. A company uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create or modify IAM roles. What is the MOST effective way to enforce this?
60. A company wants to allow its employees to authenticate to the AWS Management Console using their existing corporate credentials. Which AWS service should be used to integrate with the company's identity provider?
61. A security engineer is troubleshooting an issue where an IAM user is unable to list objects in an S3 bucket even though the user has an IAM policy that allows s3:ListBucket. What is the MOST likely cause?
62. An application running on an EC2 instance needs to read from an S3 bucket. What is the BEST practice for granting permissions to the EC2 instance?
63. A company uses cross-account IAM roles to allow a third-party vendor to access resources in the company's AWS account. The security team wants to ensure that the vendor can only access the specific S3 bucket named 'vendor-bucket'. What should the security team do?
64. A security engineer notices that an IAM user has been using an access key that was not rotated for over 90 days. What is the BEST action to take?
65. Which TWO of the following are valid ways to grant an IAM user permissions to access an S3 bucket? (Choose 2.)
66. Which THREE of the following are characteristics of IAM roles? (Choose 3.)
67. Which TWO of the following are AWS best practices for managing access keys? (Choose 2.)
68. A company wants to allow an IAM user to list objects in an S3 bucket named 'my-bucket'. Which IAM policy statement grants the minimum required permissions?
69. A security engineer needs to enforce that all IAM users in an AWS account use multi-factor authentication (MFA) when making API calls. What is the MOST effective way to enforce this?
70. A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role has an attached policy that grants s3:GetObject on the bucket. However, the application on the EC2 instance is unable to read objects. What is the MOST likely cause?
71. A developer needs to allow a Lambda function to write logs to CloudWatch Logs. What is the MINIMUM IAM policy that should be attached to the Lambda execution role?
72. A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create new IAM users. Which approach should be used?
73. A company has an IAM policy that allows s3:GetObject on all buckets. However, a specific S3 bucket policy explicitly denies s3:GetObject to all principals. An IAM user with the IAM policy tries to read an object from that bucket. What is the result?
74. A company needs to grant cross-account access to an S3 bucket. Which IAM feature should be used?
75. A security engineer notices that an IAM role has a trust policy that allows 'sts:AssumeRole' from any AWS account. What is the security risk?
76. A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to enforce this?
77. Which TWO actions can be used to restrict access to an S3 bucket to only requests that originate from a specific VPC?
78. Which THREE are best practices for managing IAM roles?
79. Which TWO are valid ways to authenticate an IAM user?
80. A company requires that all access to its S3 buckets be logged for compliance. Which AWS service should be used to record API calls to S3?
81. A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The boundary must allow the instance to list all S3 buckets but deny the ability to delete any bucket. Which policy should be used as the permissions boundary?
82. An IAM policy attached to a user allows s3:GetObject on bucket 'my-bucket'. The user also has a service control policy (SCP) in the organization that denies s3:GetObject on all resources. The user attempts to download an object from 'my-bucket'. What is the outcome?
83. A developer needs to grant an IAM user the ability to launch EC2 instances with specific tags. Which IAM condition key should be used to enforce that the instance is tagged with 'Environment=Production'?
84. A security team is troubleshooting an issue where an IAM role assumed by a Lambda function is unable to write logs to CloudWatch Logs. The role has an attached policy that allows logs:CreateLogGroup and logs:PutLogEvents. What is a likely reason for the failure?
85. A company uses AWS Organizations and wants to prevent any IAM user from creating access keys for a long period. Which SCP should be applied to the root OU to enforce that IAM users cannot create access keys unless explicitly allowed?
86. A company wants to allow users from an external AWS account to assume a role in the company's account. What must be configured in the company's account?
87. A security engineer notices that an IAM role allows 'iam:PassRole' to an EC2 instance. What security risk does this present?
88. An IAM policy has the following statement: {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}. A user with this policy tries to perform s3:ListBucket on 'my-bucket'. Will the request succeed?
89. Which TWO AWS services can be used to centrally manage permissions across multiple AWS accounts?
90. Which TWO are best practices for managing IAM roles for EC2 instances?
91. Which THREE AWS services can be used to authenticate users for accessing AWS resources?
92. An IAM policy attached to a user contains the above statements. The user attempts to download an object from 'example-bucket/confidential/report.pdf'. What is the result?
93. A security engineer runs the IAM policy simulator with a custom policy. The output shows the above. Which statement is true about the policy?
94. An IAM role has the above trust policy. Users from account 123456789012 try to assume the role. What is required for the AssumeRole API call to succeed?
95. A company wants to allow an IAM user to manage only their own password in the AWS Management Console. Which IAM policy action should be used?
96. A security engineer needs to grant cross-account access to an S3 bucket in Account A to a role in Account B. Which combination of IAM entities must be configured?
97. A company has a policy that requires all IAM users to use multi-factor authentication (MFA) to access the AWS Management Console. A user reports that they are unable to sign in even after configuring MFA. What is the most likely cause?
98. An organization wants to use AWS Organizations to centrally manage permissions for multiple accounts. Which IAM feature is used to grant cross-account access within the organization?
99. A developer needs to grant an EC2 instance access to an S3 bucket. Which is the most secure way to provide credentials to the EC2 instance?
100. A security team notices that an IAM user has permissions to launch EC2 instances but should not have access to certain instance types. Which IAM policy condition key should be used to restrict this?
101. Which IAM entity can be used to delegate permissions to an AWS service to perform actions on your behalf?
102. A company has a policy that all IAM users must rotate their access keys every 90 days. How can this be enforced?
103. A security architect is designing a system where an S3 bucket must be accessed by users from multiple AWS accounts. The solution must use the principle of least privilege. Which approach should be used?
104. Which TWO actions can be used to restrict access to an S3 bucket to only users who authenticate using multi-factor authentication (MFA)? (Choose TWO.)
105. Which THREE statements about IAM roles are correct? (Choose THREE.)
106. Which TWO IAM policy conditions can be used to enforce that API calls originate from a specific AWS region? (Choose TWO.)
107. A company wants to allow a third-party auditor to read objects in an S3 bucket for a limited time. The auditor does not have an AWS account. What is the most secure way to grant this access?
108. A developer needs to allow an EC2 instance to access an S3 bucket. Which is the best practice for granting permissions?
109. A security engineer notices that an IAM user has permissions to create new IAM users and attach policies. What is the most effective way to detect if this user created a backdoor user?
110. An organization wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which policy should be used?
111. A company uses AWS Organizations and wants to restrict all IAM users in member accounts from using the Amazon EC2 RunInstances API unless they have MFA. What is the most efficient way to enforce this?
112. A security team wants to grant a Lambda function access to read from a DynamoDB table in the same account. What is the most secure way to do this?
113. A company wants to allow users to assume a role in another AWS account to access a specific S3 bucket. What must be configured?
114. An administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance in a specific VPC. The user has the AmazonEC2FullAccess policy attached. What is the most likely cause?
115. A company uses AWS SSO to manage access to multiple accounts. An employee leaves the company. What is the most efficient way to revoke all AWS access for that employee?
116. A security engineer is designing a system to allow an EC2 instance to write logs to an S3 bucket. Which TWO steps are required?
117. An organization wants to enforce that all IAM users must use MFA to access the AWS API. Which TWO steps should be taken?
118. A company wants to grant a set of developers the ability to launch EC2 instances but only in a specific subnet. Which THREE steps should be taken?
119. A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What should the security team do to enforce this requirement?
120. An AWS Lambda function needs to read from a DynamoDB table. What is the best practice for granting the Lambda function the necessary permissions?
121. A security engineer is troubleshooting an issue where an IAM policy allows access to S3 but the user is denied access to a specific bucket. The policy has the following statement: { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }. What is the most likely cause of the denial?
122. A company wants to allow cross-account access to an S3 bucket in Account A for a user in Account B. What is the correct combination of steps?
123. An application running on an EC2 instance needs to access an S3 bucket. What is the most secure way to grant the EC2 instance the necessary permissions?
124. A security team needs to audit all changes to IAM resources in their AWS account. Which AWS service should they use?
125. An IAM user reports that they are unable to launch an EC2 instance in a specific VPC. The user has an IAM policy that allows ec2:RunInstances for all resources. The VPC has a network ACL that allows all inbound and outbound traffic. What is the most likely cause of the failure?
126. A company wants to grant an IAM user the ability to rotate their own access keys. What is the least privileged IAM policy that allows this?
127. A company uses AWS Organizations and wants to restrict all IAM users in all accounts from using the AWS Management Console. What is the most effective way to achieve this?
128. Which TWO actions are valid ways to grant an IAM user in Account A access to an S3 bucket in Account B? (Choose 2.)
129. Which TWO are valid IAM identity-based policies? (Choose 2.)
130. Which THREE are valid ways to restrict access to an S3 bucket using IAM policies? (Choose 3.)
131. Which TWO are characteristics of an IAM role? (Choose 2.)
132. A company has a multi-account AWS Organizations setup with a central security account (Account ID: 111122223333) and several member accounts. The security team uses AWS CloudTrail to log all API calls across accounts and stores the logs in an S3 bucket (my-cloudtrail-bucket) in the security account. The team wants to allow the security team members (IAM users in the security account) to access the CloudTrail logs, while denying access to all other users in the organization, including the root user of the security account. The security team has attached the following IAM policy to the IAM group containing the security team members: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*" } ] } However, a security team member reports that they are receiving an AccessDenied error when trying to download a log file. The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*" }, { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "111122223333" } } } ] } What is the most likely reason for the AccessDenied error?
133. A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The Lambda function is configured with an execution role that has the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] } The Lambda function is also configured with an SQS trigger that uses the same queue. The function code tries to send a message to an Amazon SNS topic, but the send fails with an AccessDenied error. What is the most likely cause?
134. A company wants to grant a Lambda function access to write logs to CloudWatch Logs in the same AWS account. What is the BEST practice for granting this permission?
135. A security engineer notices that an IAM user, 'svc-backup', has full S3 access (s3:*) to all buckets. The engineer wants to restrict the user to only put objects into a specific bucket named 'mycompany-backup' and deny all other S3 actions. Which IAM policy should be attached?
136. A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in the member accounts must have multi-factor authentication (MFA) enabled to access the AWS Management Console. Which approach should be used?
137. A developer needs to allow an EC2 instance to read from a DynamoDB table named 'Orders' in the same account. The security team requires that the permissions be granted using an instance profile. Which steps should be taken?
138. A security engineer needs to allow an IAM user to rotate their own access keys. Which TWO IAM actions must be allowed in the user's policy? (Choose TWO.)
139. A company has an S3 bucket that contains sensitive data. The security team wants to enforce that all access to the bucket must use HTTPS and that requests originating from outside the corporate network (as defined by a specific IP range 203.0.113.0/24) must be denied. Which THREE conditions should be included in the S3 bucket policy? (Choose THREE.)
140. A developer wants to allow an IAM role to be assumed by an EC2 instance that is part of an Auto Scaling group. Which TWO AWS services or features are required? (Choose TWO.)
141. A company uses AWS KMS to encrypt objects in an S3 bucket. The security team wants to ensure that only users with the appropriate KMS key permissions can decrypt objects. Which THREE conditions should be included in the S3 bucket policy to enforce this? (Choose THREE.)
142. An IAM policy allows a user to pass a specific role and launch EC2 instances. The user tries to launch an EC2 instance with the role 'ec2-full-access' but receives an error: 'You are not authorized to perform iam:PassRole'. What is the MOST likely cause?
143. An administrator runs the AWS CLI command shown in the exhibit. What does this command do?
144. A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to a fleet of EC2 instances in an Auto Scaling group. The EC2 instances need to read from an Amazon RDS MySQL database and write logs to an S3 bucket. The security team wants to ensure that the EC2 instances have only the minimum required permissions. Currently, the EC2 instances are launched with an IAM role that has an attached policy allowing full S3 access (s3:*) and full RDS access (rds:*). The security team has identified that this is overly permissive and wants to restrict access to only the specific resources needed. Additionally, the team wants to ensure that the EC2 instances can only access the RDS database using SSL/TLS. Which combination of actions should the security team take?
145. A large enterprise uses AWS Organizations to manage multiple accounts. The security team has implemented a Service Control Policy (SCP) at the root level that denies all actions unless the request originates from the corporate IP range (10.0.0.0/8). Recently, a developer in a member account tried to launch an EC2 instance from the AWS Management Console while connected via a VPN that provides an IP address within the corporate range. However, the launch failed with an 'AccessDenied' error. The developer is using an IAM user with full EC2 permissions (ec2:*). The SCP is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"NotIpAddress":{"aws:SourceIp":"10.0.0.0/8"}}}]}. What is the MOST likely reason for the failure?
146. A company has a requirement to grant cross-account access to an S3 bucket named 'shared-data' in Account A (111111111111) to users in Account B (222222222222). The security team has set up a bucket policy in Account A that grants read-only access to the IAM role 'DataReader' in Account B. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::222222222222:role/DataReader"},"Action":["s3:GetObject"],"Resource":"arn:aws:s3:::shared-data/*"}]}. A user in Account B assumes the 'DataReader' role, but when trying to read an object from the bucket, they receive an 'Access Denied' error. What is the MOST likely reason for this error?
147. A company runs a serverless application using AWS Lambda functions that access an Amazon DynamoDB table. The Lambda functions are part of a microservices architecture and need to read and write to the DynamoDB table. The security team wants to ensure that the Lambda functions have the minimum required permissions. Initially, the team attached the AWS managed policy 'AWSLambdaDynamoDBExecutionRole' to the Lambda execution role, but later discovered that this policy grants more permissions than needed. The team decides to create a custom policy with only the required actions: GetItem, PutItem, UpdateItem, and DeleteItem. However, after attaching the custom policy, the Lambda functions start failing with 'AccessDeniedException' when trying to access DynamoDB. The CloudWatch logs show that the Lambda function is unable to write logs to CloudWatch Logs. What is the MOST likely cause of the failures?
148. A company is using Amazon API Gateway to expose a set of REST APIs. The APIs are backed by AWS Lambda functions. The security team wants to control access to the APIs using IAM authorization. The team has created an IAM policy for a group of developers that allows them to invoke the APIs only from within the corporate network (IP range 203.0.113.0/24). The policy is attached to an IAM group, and the developers are members of the group. However, when a developer tries to invoke the API from the corporate network, they receive a '403 Forbidden' error. The API Gateway endpoint is configured with IAM authorization. The IAM policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:us-east-1:123456789012:api-id/*","Condition":{"IpAddress":{"aws:SourceIp":"203.0.113.0/24"}}}]}. What is the MOST likely reason for the failure?
149. A security engineer is designing IAM policies for a data analytics platform that uses Amazon S3, Amazon Athena, and AWS Glue. The platform must allow data scientists to query data in S3 using Athena, but only from specific VPC subnets. Additionally, the data must be encrypted at rest using AWS KMS. Which TWO actions should the engineer take to meet these requirements? (Choose TWO.)
150. A company manages a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all Amazon S3 buckets in the organization are encrypted with AWS KMS customer managed keys (CMKs) and that no unencrypted buckets can be created. They also want to ensure that the encryption settings cannot be changed by account administrators. The team uses AWS CloudTrail to log all S3 API calls and wants to detect any attempts to create unencrypted buckets. The security team creates a service control policy (SCP) that denies s3:PutBucketEncryption and s3:PutBucketPolicy unless the request includes a specific encryption setting. However, they find that a developer in a member account was able to create an unencrypted bucket using the AWS Management Console. The CloudTrail logs show that the bucket was created with the s3:CreateBucket API call without specifying any encryption parameters. What should the security team do to prevent this from happening?
151. A company has an AWS Lambda function that processes sensitive data stored in an Amazon S3 bucket. The Lambda function needs to read objects from the S3 bucket and write results to a different S3 bucket. The security engineer is configuring IAM permissions for the Lambda execution role. The engineer wants to follow the principle of least privilege. The Lambda function is triggered by S3 events from the source bucket. The engineer creates an IAM policy that grants s3:GetObject on the source bucket and s3:PutObject on the destination bucket. However, when testing, the Lambda function fails with an access denied error when trying to process an object. The error message indicates that the Lambda function does not have permission to list the objects in the source bucket. The engineer checks the S3 event notification configuration and confirms that the event is configured correctly. What should the engineer do to resolve the issue?
152A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes financial transactions and must store transaction logs in an Amazon S3 bucket. The security team requires that all API calls to AWS services are logged and that the logs are stored in a secure, tamper-proof manner. The team enables AWS CloudTrail to log management events and Amazon S3 server access logs for the S3 bucket. They also enable AWS Config to track resource changes. The compliance team wants to ensure that no one can disable CloudTrail logging or delete the CloudTrail log files. The security engineer proposes a solution using an SCP in AWS Organizations to deny actions that would disable CloudTrail or delete log files. However, the engineer is concerned that the SCP might be applied too broadly and affect legitimate administrative actions. The engineer wants to ensure that only the security team’s IAM role (SecurityAdminRole) can perform these restricted actions, while all other principals (including IAM users, roles, and the root user) are denied. The engineer creates an SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the CloudTrail S3 bucket. The SCP includes a condition that allows the action if the principal is SecurityAdminRole. However, after applying the SCP, the security team finds that even SecurityAdminRole is unable to stop CloudTrail logging. What is the most likely cause of this issue?
153A company wants to allow its development team to have full access to Amazon S3 buckets that are tagged with 'Environment: Dev'. Which IAM policy element should be used to restrict access based on tags?
154A security engineer is troubleshooting an issue where an IAM role used by an EC2 instance cannot access an S3 bucket, even though the role has an attached policy that grants s3:GetObject on the bucket. The bucket policy does not explicitly deny access. What is the most likely cause?
155A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all users must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?
156A company is designing an IAM policy to grant a group of developers access to manage EC2 instances and RDS databases. Which TWO actions should be included to follow the principle of least privilege?
157A security engineer is reviewing an IAM policy that allows access to an S3 bucket. The policy includes a condition that checks 'aws:SourceIp'. However, users report they can still access the bucket from IP addresses not in the allowed list. Which THREE possible reasons could explain this behavior?
158A company wants to allow a Lambda function to read messages from an SQS queue and write logs to CloudWatch Logs. Which TWO IAM actions should be included in the Lambda execution role?
159Refer to the exhibit. An IAM policy is attached to a user. The user is trying to download an object from 'example-bucket' while connecting from the IP address 10.1.1.1. What will happen?
160Refer to the exhibit. A security engineer runs the 'simulate-custom-policy' command to test a policy. The output shows 'explicitDeny' for ec2:RunInstances. What is the most likely reason?
161Refer to the exhibit. This IAM policy is attached to a user. The user attempts to assume the AdminRole without using MFA. What is the result?
162A company uses AWS Organizations and wants to delegate administration of IAM Access Analyzer to a member account. Which AWS service should be used to enable this delegation?
163A security engineer needs to ensure that an IAM role can only be assumed by a specific EC2 instance. The instance has a tag 'Environment=Production'. Which condition key should be used in the trust policy of the role?
164A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. The role is used by an application running on an EC2 instance. The application is unable to access the bucket, but the role can access other resources. What is the most likely cause?
165Refer to the exhibit. This is an S3 bucket policy. The CrossAccountRole in account 111111111111 has an IAM policy that allows s3:GetObject on 'my-bucket'. A user in account 111111111111 assumes the role and tries to get an object. What will happen?
166A company needs to provide temporary credentials to mobile app users to access AWS resources. Which AWS service should be used to issue these credentials?
167A security engineer discovers that an IAM policy allows 'iam:CreateUser' and 'iam:CreateAccessKey' for all users in the account. Which risk does this pose?
168A company wants to allow an IAM user to list only the objects in a specific S3 bucket named 'my-bucket'. Which IAM policy statement should be used?
169A security engineer is investigating an IAM role that was used to access AWS resources from an external account. The role has a trust policy that allows the external account to assume it. Which of the following is a required step for the external account to use the role?
170A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must have a password policy that requires a minimum length of 14 characters. How can this be achieved centrally?
171A developer needs to grant an EC2 instance read-only access to an S3 bucket. Which of the following is the most secure way to provide these permissions?
172An IAM policy grants access to a DynamoDB table with a condition that the request must originate from a specific VPC endpoint. However, requests from an EC2 instance in that VPC are being denied. What is the most likely cause?
173A company uses cross-account IAM roles to allow a third-party auditor to access a specific S3 bucket. The auditor reports that they are getting 'Access Denied' errors when trying to list objects. The bucket policy allows access to the auditor's account. What additional configuration is needed?
174A security administrator needs to ensure that all IAM users in the account use multi-factor authentication (MFA) to access the AWS Management Console. What is the most effective way to enforce this?
175A company has an IAM policy that allows a user to launch EC2 instances only in a specific Availability Zone (us-east-1a). The user is able to launch instances, but the instances are launched in us-east-1b instead. What is the most likely reason?
176An organization uses AWS KMS to encrypt S3 objects. They want to allow a developer to decrypt objects only if the request comes from a specific IP address range. Which IAM policy condition should be used?
177A company wants to grant an IAM user the ability to manage (create, update, delete) their own access keys. Which TWO IAM actions must be allowed in the policy?
178A security engineer needs to design a system where an EC2 instance can write logs to a CloudWatch log group. Which TWO steps are required?
179A company wants to enforce that all IAM users in an AWS Organization must have a password policy that includes a minimum length of 12 characters. Which THREE steps are part of implementing this using SCPs?
180An IAM user has the policy shown in the exhibit. The user tries to launch an m5.large instance in us-east-1, but gets an 'AccessDenied' error. Why does this happen?
181An IAM administrator ran the simulate-custom-policy command shown in the exhibit. The result shows an 'explicitDeny' for s3:ListBucket. What is the most likely reason?
182An IAM policy allows the iam:PassRole action for a specific role only when the role is passed to EC2. A developer tries to launch an EC2 instance with this role, but fails. What is the most likely missing permission?
183A security engineer is designing an IAM policy to allow an application running on an EC2 instance to read objects from a specific S3 bucket (my-bucket) and write objects to a different S3 bucket (my-other-bucket). The application uses an IAM role with the following trust policy. Which additional policy should be attached to the role to meet the requirements with least privilege?
184A developer needs to grant an IAM user the ability to manage their own password and access keys, but not any other IAM users. Which IAM policy should be used?
185A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no IAM user can have an access key older than 90 days. What is the MOST efficient way to achieve this?
186A company wants to allow an external auditor to assume a read-only role in their AWS account. The auditor's AWS account ID is 123456789012. Which trust policy should be attached to the role?
187A security engineer needs to design an IAM policy that allows an IAM user to launch EC2 instances only if they specify a specific security group ID (sg-12345) and a specific instance type (t2.micro). Which policy achieves this?
188A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. However, users who assume that role are unable to list objects in the bucket. The bucket policy includes a Principal element set to the role ARN. What is the MOST likely cause?
189An administrator needs to allow a Lambda function to write logs to CloudWatch Logs. What is the BEST way to grant these permissions?
190A company is using AWS Organizations and wants to delegate administrative tasks for a specific OU to another account. Which feature should be used?
191A security engineer is analyzing an IAM policy that is attached to a group. The policy is intended to allow users to manage their own credentials. However, users are reporting that they cannot change their password. The policy is: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"], "Resource": "*" } ] } What is the issue?
192A company needs to implement a cross-account access strategy where users in Account A can assume a role in Account B. Which TWO steps are necessary? (Choose TWO.)
193A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The role must be able to read from an S3 bucket (my-bucket) and write to CloudWatch Logs. Which THREE conditions must be met for the role to have effective permissions? (Choose THREE.)
194Which TWO of the following are best practices for managing IAM user credentials? (Choose TWO.)
195A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be logged in AWS CloudTrail and that all requests must be authenticated using IAM credentials. Which S3 bucket policy statement should be added to enforce these requirements?
196A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table. The function is deployed in a VPC with no internet access. What is the MOST secure way to grant the Lambda function access to DynamoDB?
197An AWS administrator needs to allow an IAM user to manage their own password and access keys. Which IAM policy action should be included?
198A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys. Which policy type should be used to enforce this restriction across all accounts?
199A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the IAM role attached to the instance has an Allow policy for s3:GetObject. The S3 bucket policy includes a Deny statement with the condition 'aws:SourceIp': ['10.0.0.0/8']. What is the likely cause of the failure?
200A company needs to grant cross-account access to an S3 bucket in Account A to users in Account B. What is the recommended approach?
201An organization is using IAM roles for EC2 instances. The security team needs to ensure that each EC2 instance can only assume a specific role based on tags. Which feature should be used?
202A developer is trying to upload a file to an S3 bucket using the AWS CLI, but receives an 'AccessDenied' error. The IAM policy attached to the user includes 's3:PutObject' on the bucket. The bucket policy has a Deny statement with the condition 'aws:Referer': ['example.com']. The CLI command does not include a referer header. What is the cause of the error?
203A company needs to allow an external auditor to access a specific S3 bucket for 30 days. The auditor does not have an AWS account. What is the MOST secure way to grant temporary access?
204A security engineer is designing a solution to allow a Lambda function to write logs to CloudWatch Logs. Which TWO actions are required in the IAM execution role? (Choose TWO.)
205A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users must have MFA enabled. Which TWO methods can be used to enforce this? (Choose TWO.)
206Which THREE are valid methods for authenticating to AWS APIs? (Choose THREE.)
207Refer to the exhibit. A user has this IAM policy attached. They attempt to download an object from example-bucket using the AWS CLI without specifying server-side encryption. Will the request succeed?
208Refer to the exhibit. An EC2 instance with an IAM role attached attempts to access an S3 bucket, but receives an 'AccessDenied' error. The role has an attached policy allowing s3:GetObject on the bucket. What is the most likely cause?
209Refer to the exhibit. An IAM user has this policy attached. Can the user create a new IAM user in the us-east-1 region?
210A company hosts a web application on EC2 instances behind an Application Load Balancer. The application accesses an S3 bucket to store user uploads. The security team needs to ensure that the EC2 instances can access the S3 bucket without storing AWS credentials on the instances. What should the security team do?
211A security engineer is designing a cross-account IAM role to allow users in Account A to access resources in Account B. The engineer wants to restrict access to only users who have authenticated with multi-factor authentication (MFA) in Account A. What condition key should the engineer use in the trust policy of the IAM role in Account B?
212A company's security policy requires that all IAM users must use strong passwords. Which IAM feature should be used to enforce this requirement?
213A developer is trying to push an image to Amazon ECR but receives an 'AccessDeniedException' error. The developer's IAM user has the 'AmazonEC2ContainerRegistryPowerUser' managed policy attached. What is the most likely reason for the failure?
214A security engineer is configuring a VPC endpoint for Amazon S3 and wants to ensure that only traffic from specific IAM roles can access the S3 bucket through the endpoint. Which policy element should the engineer use?
215An IAM policy includes the following statement: 'Effect': 'Deny', 'Action': 's3:*', 'Resource': '*', 'Condition': {'Bool': {'aws:SecureTransport': 'false'}}. What does this policy do?
216A company wants to allow users from an external AWS account to assume an IAM role in its account. What must be configured in both accounts?
217A security auditor notices that an IAM role has a policy that grants 'iam:PassRole' to a specific EC2 instance profile. What is the security implication of this permission?
218A company has an S3 bucket with a bucket policy that grants access to an IAM role used by an application running on EC2. The application is unable to read objects from the bucket, even though the IAM role has the necessary permissions. What is the most likely cause?
219A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which TWO conditions must be configured?
220An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::example-bucket/*', 'Condition': {'IpAddress': {'aws:SourceIp': '192.0.2.0/24'}}. Which TWO statements about this policy are correct?
221A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the company take?
222Refer to the exhibit. An IAM policy allows running EC2 instances. A developer tries to launch a t2.micro instance but receives an 'AccessDenied' error. What is the most likely reason?
223Refer to the exhibit. A developer is trying to list objects in a Google Cloud Storage bucket from an AWS environment. What is the most likely cause of the error?
224Refer to the exhibit. This trust policy is attached to an IAM role. What does it allow?
225A company is using IAM roles to grant EC2 instances access to an S3 bucket. The security team wants to ensure that the instances can only access their own bucket. Which policy should be attached to the IAM role to enforce this?
226A developer needs to allow an IAM user to manage their own password in the AWS Management Console. Which IAM policy should be attached to the user?
227A company has multiple AWS accounts and wants to allow a user in the production account to assume a role in the development account. The role in the development account has a trust policy that allows the production account to assume it. What additional configuration is required?
228An organization wants to enforce multi-factor authentication (MFA) for all IAM users who perform sensitive actions. Which condition key should be used in an IAM policy to require MFA?
229A security engineer notices that an IAM role allows an EC2 instance to access a DynamoDB table. The instance is compromised. What is the best way to immediately revoke the instance's access without affecting other resources that use the same role?
230A company wants to allow a Lambda function to read objects from an S3 bucket in the same account. What should be done?
231An administrator wants to audit all IAM actions in the account. Which AWS service should be used?
232A company has an S3 bucket with a bucket policy that grants access to an IAM role. The security team wants to restrict access to only requests that originate from the company's VPC. How can this be achieved?
233Which IAM entity can be used to grant temporary access to AWS resources for users from a different AWS account?
234Which TWO actions are valid ways to grant an IAM user access to an S3 bucket owned by another AWS account? (Choose TWO.)
235Which THREE are best practices for securing IAM in an AWS environment? (Choose THREE.)
236Which TWO services can be used to manage identity and access across multiple AWS accounts? (Choose TWO.)
237A company is using AWS Organizations with multiple accounts. The security team wants to ensure that any new account created in the organization automatically has an S3 bucket policy that blocks public access. What is the most efficient way to enforce this requirement?
238A developer needs to access an S3 bucket from an EC2 instance. The developer creates an IAM role with the necessary S3 permissions and attaches it to the instance profile. However, applications running on the instance still cannot access the bucket. What is the most likely cause?
239A company wants to allow its users to assume an IAM role in a different AWS account. What must the company configure to enable cross-account access?
240A security engineer notices that a developer's IAM user has full administrator access. The engineer wants to implement the principle of least privilege for the developer. What is the best way to proceed?
241A company uses AWS IAM Identity Center (SSO) for managing access to multiple AWS accounts. A user reports that they can log in to the SSO portal but cannot see any AWS accounts in their dashboard. What is the most likely cause?
242A company wants to allow an external auditor to read all objects in a specific S3 bucket for a limited time. What is the most secure way to grant this access?
243A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. What is the most effective way to enforce this?
244A company uses AWS Organizations with a service control policy (SCP) that denies all IAM actions unless the request comes from a specific IP address range. A security administrator needs to create a new IAM role for a service that runs on-premises, but the request is being denied. What should the administrator do?
245A developer is trying to use the AWS CLI to list objects in an S3 bucket but receives an AccessDenied error. The developer has an IAM user with a policy that allows s3:ListBucket on the bucket. What could be causing the error?
246A security engineer is designing a system to manage access to an S3 bucket containing confidential data. Which TWO actions should the engineer take to implement least privilege?
247A company has a requirement that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should the company take to enforce this?
248A company wants to allow an IAM role from Account A to access an S3 bucket in Account B. Which THREE conditions must be met?
249Refer to the exhibit. An IAM user has this policy attached. The user tries to download an object from the S3 bucket using the AWS CLI from an on-premises server with IP address 198.51.100.50. What will happen?
250Refer to the exhibit. An EC2 instance is launched with an instance profile that references this role. The application on the instance tries to list objects in 'my-bucket' but receives an AccessDenied error. What is the most likely cause?
251Refer to the exhibit. An IAM user 'ExternalUser' from account 111111111111 tries to assume the role 'MyRole' in account 123456789012 but receives an error. The user has a policy that allows sts:AssumeRole. What is the most likely reason for the failure?
252A security engineer needs to grant an IAM user in Account A (111111111111) access to an S3 bucket in Account B (222222222222). The bucket policy in Account B allows cross-account access from Account A. Which additional step is required?
253A company uses AWS Organizations with SCPs. The SCP for the production OU denies all actions on DynamoDB. An IAM policy attached to a user in that OU allows dynamodb:PutItem. What is the effective access?
254A developer needs to run an application on an EC2 instance that accesses an S3 bucket. What is the best practice for granting permissions?
255An IAM policy has the following statement: { "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:SecureTransport": "false" } } }. What does this policy do?
256A security engineer is troubleshooting an IAM policy that is not working as expected. The policy allows ec2:StartInstances and ec2:StopInstances but the user gets an access denied error when trying to stop an instance. What is the most likely cause?
257A company wants to grant cross-account access to an S3 bucket. The bucket policy allows access from account 111111111111. An IAM user in account 111111111111 has a policy allowing s3:GetObject on that bucket. However, the user gets AccessDenied. What is the most likely reason?
258Which IAM feature allows you to grant temporary, limited-privilege credentials for a specific role?
259An IAM policy includes: { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/MyRole" }. What does this allow?
260A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. What is the best way to achieve this?
261A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The instance is launched in a VPC with a VPC endpoint for S3. The IAM role has a policy that grants s3:GetObject on the bucket. However, the application on the instance receives 'Access Denied' errors when trying to read objects. What is the MOST likely cause?
262A security engineer is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a policy that allows sts:AssumeRole. The user receives an error: 'Access denied: User is not authorized to perform sts:AssumeRole.' What is the MOST likely cause?
263A company wants to grant temporary credentials to mobile app users to access their own data in an S3 bucket. Which AWS service should be used to achieve this securely?
264An organization has a production AWS account and a development AWS account. Developers need to access the production account from the development account using IAM roles. What is the MOST secure way to set this up?
265A security engineer is designing a permissions boundary for an IAM user. Which TWO statements about permissions boundaries are correct?
266A company wants to enforce that all IAM users use MFA. Which THREE actions should be taken to achieve this?
267A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which TWO steps are required?
268A company has an S3 bucket with a bucket policy that allows access to a specific IAM role. However, users assume the role but still get access denied. Which THREE factors could cause this?
269Refer to the exhibit. An IAM policy is attached to a group. A user in the group accesses the S3 bucket from an IP address 203.0.113.5 using HTTPS. What will be the result?
270A company uses AWS Organizations with multiple accounts. The security team has created an SCP that denies access to all DynamoDB actions except for the 'prod' account. The SCP is attached to the root OU. The 'prod' account has an IAM role that allows full DynamoDB access. A developer in the 'prod' account tries to create a DynamoDB table but receives an 'AccessDenied' error. The developer has the correct IAM permissions. What is the MOST likely cause and what should be done to resolve the issue?
271A large enterprise has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all IAM roles in all accounts must have a maximum session duration of 1 hour. They create an SCP that denies creating or updating roles if the MaxSessionDuration is greater than 3600 seconds. The SCP is attached to the root OU. After applying the SCP, the development team reports that they cannot create any new IAM roles, even with a session duration of 1 hour. They are using CloudFormation to create roles. What is the MOST likely reason for the failure?
272A startup company has a single AWS account and a few IAM users. The CEO wants to ensure that no one can delete an S3 bucket that contains critical data. The security engineer creates an IAM policy that denies s3:DeleteBucket for all users. However, the CEO later finds that the bucket was deleted by a user who had full administrator access. Why did the policy fail to prevent the deletion?
273A company uses cross-account roles to allow developers in the 'dev' account to access resources in the 'prod' account. The trust policy in 'prod' allows the 'dev' account to assume the role. The developers have an IAM policy that allows sts:AssumeRole on the role ARN. However, when a developer tries to assume the role via the AWS CLI, they get an error that the role cannot be assumed. The developer can list the role using IAM. What is the MOST likely cause?
274. A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that an EC2 instance in the same VPC can access the bucket, but an instance in a peered VPC cannot. Both instances have the same IAM role attached. The VPC endpoint is in the first VPC and is shared via a transit gateway. What is the MOST likely reason the second instance cannot access the bucket?
275. A company uses IAM roles for EC2 instances to access DynamoDB. The security team wants to ensure that the instances can only access specific DynamoDB tables. They create an IAM policy that allows dynamodb:GetItem and dynamodb:PutItem on the specific table ARN. The policy is attached to the instance role. However, when an application on the instance tries to read from the table, it receives an 'AccessDeniedException'. The application is using the correct table name. What is the MOST likely cause?
276. A security engineer is designing a CI/CD pipeline that deploys AWS infrastructure using AWS CloudFormation. The pipeline must assume an IAM role in each target account to create and update stacks. Which TWO steps are required to allow cross-account access for CloudFormation? (Choose TWO.)
277. A company has a multi-account AWS organization with centralized logging in a Security account. The Security account contains an S3 bucket that stores CloudTrail logs from all member accounts. The bucket policy allows CloudTrail from member accounts to deliver logs. Recently, a security audit revealed that the bucket is publicly accessible. The security engineer must ensure that only authorized accounts can access the logs. The engineer updates the bucket policy to include a condition that restricts access to specific AWS accounts. However, after the change, member accounts report that CloudTrail is failing to deliver logs to the bucket. The bucket policy currently includes the following statement: { "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::central-logs/*", "Condition": { "StringEquals": { "aws:SourceAccount": "111111111111" } } } The Security account ID is 222222222222. What is the MOST likely cause of the delivery failure, and what should the engineer do to fix it?
278. A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table named 'Orders' in the same AWS account. The developer attaches an IAM policy to the Lambda execution role that includes the following statement: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders" } ] } When testing the Lambda function, it fails with an access denied error when trying to read from the table. The developer checks the Lambda function's code and confirms it is calling DynamoDB correctly. What is the MOST likely reason for the access denied error?
279. A company uses AWS Organizations with all features enabled. The security team wants to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if the user does not have MFA. The SCP is attached to the root organizational unit. After a few days, users in a member account report that they can still access the console without MFA. The security team reviews the SCP and finds it is correctly configured. What is the MOST likely reason the SCP is not being enforced?
The Identity and Access Management domain covers the key concepts tested in this area of the SCS-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SCS-C02 domains — no account required.
The Courseiva SCS-C02 question bank contains 279 questions in the Identity and Access Management domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Identity and Access Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.