Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SCS-C02 Identity and Access Management • Complete Question Bank

SCS-C02 Identity and Access Management — All Questions With Answers

Complete SCS-C02 Identity and Access Management question bank — all 0 questions with answers and detailed explanations.

279 questions · Free · No signup
Question 1 (easy, multiple choice)

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?

Question 2 (medium, multiple choice)

A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?

Question 3 (hard, multiple choice)

An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?

Question 4 (easy, multiple choice)

An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?

Question 5 (medium, multiple choice)

A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?

Question 6 (hard, multiple choice)

An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?

Question 7 (easy, multiple choice)

A solutions architect needs to design a system where an EC2 instance can write logs to CloudWatch Logs. Which IAM entity should be used to grant permissions to the EC2 instance?

Question 8 (medium, multiple choice)

A security administrator discovers that an IAM user has been deleted accidentally. What is the correct way to restore the user's access?

Question 9 (medium, multi select)

Which TWO actions can be performed using AWS IAM? (Choose two.)

Question 10 (hard, multi select)

Which THREE factors should be considered when designing IAM policies for cross-account access? (Choose three.)

Question 11 (easy, multi select)

Which TWO are valid ways to authenticate to AWS for API calls? (Choose two.)

Question 12 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a group. An IAM user in that group attempts to stop an EC2 instance from IP address 198.51.100.10. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Question 13 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the command shown in the exhibit. Which of the following is true about the role MyRole?

Exhibit

Refer to the exhibit.

```
$ aws iam get-role --role-name MyRole
{
  "Role": {
    "Path": "/",
    "RoleName": "MyRole",
    "Arn": "arn:aws:iam::123456789012:role/MyRole",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
```

Question 14 (hard, multiple choice)

A company has a multi-account AWS Organization with three accounts: Management, Development, and Production. The Security team uses the Management account to manage IAM policies centrally. They have created a service control policy (SCP) named 'RestrictRootAccess' that denies all actions for the root user in all accounts. The SCP is attached to the root organizational unit. The Development account has an IAM role 'DevAdmin' with full administrator access via an IAM policy. The role's trust policy allows the Management account's 'SecurityAudit' role to assume it. A security engineer in the Management account assumes the 'SecurityAudit' role and then tries to assume the 'DevAdmin' role in the Development account. The assumption fails with an 'AccessDenied' error. What is the most likely cause?

Question 15 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the production account must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

Question 16 (hard, multiple choice)

A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?

Question 17 (medium, multi select)

A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?

Question 18 (hard, multiple choice)

An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "*"
    }
  ]
}

Question 19 (easy, multiple choice)

A company has a single AWS account with multiple IAM users. The administrator created an IAM policy that allows all users to launch EC2 instances, but only if they use a specific AMI ID (ami-12345678) and a specific instance type (t3.micro). The policy uses a condition that checks the EC2 instance type and AMI ID. However, a user is able to launch an EC2 instance with a different AMI ID and a larger instance type. The administrator reviews the policy and confirms that the condition is correctly written. What is the most likely reason that the policy is not working as expected?

Question 20 (medium, multiple choice)

A company has an S3 bucket policy that allows cross-account access for a specific IAM role in another account. The bucket policy includes a Principal element with the ARN of the role. However, users in the other account that assume the role are unable to access the bucket. Which of the following is the MOST likely cause?

Question 21 (hard, multi select)

A security engineer is designing a solution to allow an external auditor to access logs in an S3 bucket in the company's AWS account. The auditor does not have an AWS account. The engineer needs to grant read-only access to the specific bucket for a limited time. Which TWO actions should the engineer take? (Choose two.)

Question 22 (medium, drag order)

Drag and drop the steps to implement AWS KMS key rotation in the correct order.

Question 23 (medium, drag order)

Drag and drop the steps to configure AWS CloudTrail for logging across all regions and accounts in the correct order.

Question 24 (medium, matching)

Match each AWS KMS key type to its description.

Descriptions:

Managed by AWS for use with specific services

Managed by customer with full control

Used internally by AWS, not visible to customers

Key store backed by AWS CloudHSM

Question 25 (medium, matching)

Match each AWS CloudHSM feature to its description.

Descriptions:

Hardware security module

Cryptographic token interface standard

Java Cryptography Extension provider

Security standard for cryptographic modules

Question 26 (medium, multiple choice)

A company wants to allow an IAM user to manage only their own access keys. Which IAM policy should be attached to the user?

Question 27 (hard, multiple choice)

A security engineer must ensure that cross-account access to an S3 bucket is restricted to only accounts that are part of a specific AWS organization. Which IAM policy condition key should be used in the bucket policy?

Question 28 (easy, multiple choice)

An IAM user reports that they are unable to launch an EC2 instance in us-east-1. The IAM policy attached to the user allows ec2:RunInstances but with a condition that the instance type must be t2.micro. What could be the reason for the failure?

Question 29 (medium, multiple choice)

A company uses IAM roles for EC2 instances. An application running on an EC2 instance needs to read from an S3 bucket in another AWS account. What is the most secure way to grant access?

Question 30 (hard, multiple choice)

A security engineer notices that an IAM user has permissions that are not explicitly granted through any policy. The engineer suspects that the user might have inherited permissions from a group or role. Which IAM feature should the engineer use to identify the source of these permissions?

Question 31 (easy, multiple choice)

An administrator needs to grant an IAM user the ability to change their own password without allowing them to change other users' passwords. Which IAM action should be included in the policy?

Question 32 (medium, multiple choice)

A company has multiple AWS accounts and wants to centrally manage access using IAM Identity Center (AWS SSO). Which feature allows the company to define permissions once and reuse them across multiple accounts?

Question 33 (hard, multiple choice)

An organization wants to enforce that all IAM users use MFA. The security team creates an IAM policy that denies all actions unless MFA is present. However, some users report they cannot even change their own password to enable MFA. What should the security team do to resolve this?

Question 34 (easy, multiple choice)

A developer needs to access AWS resources from a mobile app. Which AWS service allows the app to obtain temporary credentials for authenticated users?

Question 35 (medium, multi select)

Which TWO statements are true about IAM roles? (Choose two.)

Question 36 (hard, multi select)

Which THREE are valid ways to grant cross-account access to an S3 bucket? (Choose three.)

Question 37 (easy, multi select)

Which TWO are IAM best practices? (Choose two.)

Question 38 (medium, multiple choice)

Refer to the exhibit. An IAM policy allows s3:GetObject on an S3 bucket only when the object is encrypted with SSE-KMS. An IAM user with this policy attempts to download an object that is not encrypted. What will happen?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

Question 39 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the IAM Policy Simulator with the provided policy input. The result shows 'explicitDeny' for ec2:RunInstances even though the policy only contains an Allow. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
$ aws iam simulate-custom-policy --policy-input-list '{"Version":"2012-10-17" --action-names ec2:DescribeInstances ec2:RunInstances --resource-arns 'arn:aws:ec2:us-east-1:123456789012:instance/*'
{
  "EvaluationResults": [
    {
      "EvalActionName": "ec2:DescribeInstances",
      "EvalResourceName": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "EvalDecision": "allowed"
    },
    {
      "EvalActionName": "ec2:RunInstances",
      "EvalDecision": "explicitDeny"
    }
  ]
}
```

Question 40 (medium, multiple choice)

Refer to the exhibit. A KMS key policy allows decryption only when the request comes through S3 in us-east-1. An application in account 111122223333 tries to decrypt an S3 object using the KMS key directly via the KMS API (not through S3). What will happen?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Question 41 (easy, multiple choice)

A developer needs to grant an IAM user access to a specific S3 bucket only. Which IAM policy element should be used to restrict access to that bucket?

Question 42 (medium, multiple choice)

A company uses AWS Organizations with SCPs to restrict services. An administrator creates an SCP that denies access to EC2. A developer in a member account tries to launch an EC2 instance but fails. What is the most likely reason?

Question 43 (hard, multiple choice)

A security engineer is designing a cross-account access solution. An IAM role in Account A needs to be assumed by users from Account B. Which two components are required?

Question 44 (medium, multiple choice)

A company uses IAM roles for EC2 instances to access S3. A security audit reveals that some instances have roles with overly permissive policies. What is the BEST practice to scope down permissions while maintaining functionality?

Question 45 (easy, multiple choice)

An IAM user needs to rotate their own access keys. Which IAM policy action should be allowed?

Question 46 (hard, multiple choice)

A security engineer notices that an IAM role for an EC2 instance has a policy that allows s3:PutObject on a bucket. However, the application reports access denied when trying to upload. The bucket policy does not explicitly deny access. What is a likely cause?

Question 47 (medium, multiple choice)

A company uses AWS IAM Identity Center (AWS SSO) to manage access. A user is assigned to a permission set that grants AdministratorAccess. However, when the user tries to access the AWS console, they receive an error that they are not authorized. What is a possible reason?

Question 48 (hard, multiple choice)

A security engineer needs to ensure that an IAM role can be assumed only from a specific VPC. Which IAM policy condition key should be used?

Question 49 (medium, multiple choice)

A company uses IAM roles for cross-account access. Developers in Account A need to assume a role in Account B. What must be true for the AssumeRole call to succeed?

Question 50 (easy, multi select)

Which TWO of the following are valid IAM policy condition keys? (Choose TWO.)

Question 51 (medium, multi select)

Which THREE of the following are best practices for managing IAM access keys? (Choose THREE.)

Question 52 (hard, multi select)

Which TWO of the following are valid use cases for IAM permissions boundaries? (Choose TWO.)

Question 53 (hard, multiple choice)

A security engineer attaches this policy to an IAM user. The user tries to download an object from the bucket from IP address 10.1.0.5. What will happen?

Exhibit

Refer to the exhibit. IAM policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

Question 54 (medium, multiple choice)

A security engineer reviews the trust policy of an IAM role. Which accounts can assume this role?

Exhibit

Refer to the exhibit.

```
$ aws iam get-role --role-name MyRole
{
  "Role": {
    "Path": "/",
    "RoleName": "MyRole",
    "Arn": "arn:aws:iam::123456789012:role/MyRole",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::111111111111:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
```

Question 55 (medium, multiple choice)

A developer creates this CloudFormation stack. An EC2 instance with this role tries to list objects in the bucket. What will happen?

Exhibit

Refer to the exhibit. CloudFormation snippet:
Resources:
  MyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: S3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::example-bucket

Question 56 (medium, multiple choice)

A security engineer is reviewing an AWS account and notices that multiple IAM users have full administrative access. The company policy requires that users have only the permissions necessary to perform their job. What is the MOST secure and efficient way to enforce this policy?

Question 57 (hard, multiple choice)

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The security team wants to ensure that if the EC2 instance is compromised, the attacker cannot use the role credentials to access resources outside the account. What should the security team do?

Question 58 (easy, multiple choice)

A developer needs to grant an IAM user temporary access to an S3 bucket for 15 minutes. Which AWS service should be used to generate temporary credentials?

Question 59 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create or modify IAM roles. What is the MOST effective way to enforce this?

Question 60 (medium, multiple choice)

A company wants to allow its employees to authenticate to the AWS Management Console using their existing corporate credentials. Which AWS service should be used to integrate with the company's identity provider?

Question 61 (medium, multiple choice)

A security engineer is troubleshooting an issue where an IAM user is unable to list objects in an S3 bucket even though the user has an IAM policy that allows s3:ListBucket. What is the MOST likely cause?

Question 62 (easy, multiple choice)

An application running on an EC2 instance needs to read from an S3 bucket. What is the BEST practice for granting permissions to the EC2 instance?

Question 63 (hard, multiple choice)

A company uses cross-account IAM roles to allow a third-party vendor to access resources in the company's AWS account. The security team wants to ensure that the vendor can only access the specific S3 bucket named 'vendor-bucket'. What should the security team do?

Question 64 (medium, multiple choice)

A security engineer notices that an IAM user has been using an access key that was not rotated for over 90 days. What is the BEST action to take?

Question 65 (medium, multi select)

Which TWO of the following are valid ways to grant an IAM user permissions to access an S3 bucket? (Choose 2.)

Question 66 (hard, multi select)

Which THREE of the following are characteristics of IAM roles? (Choose 3.)

Question 67 (easy, multi select)

Which TWO of the following are AWS best practices for managing access keys? (Choose 2.)

Question 68 (easy, multiple choice)

A company wants to allow an IAM user to list objects in an S3 bucket named 'my-bucket'. Which IAM policy statement grants the minimum required permissions?

Question 69 (medium, multiple choice)

A security engineer needs to enforce that all IAM users in an AWS account use multi-factor authentication (MFA) when making API calls. What is the MOST effective way to enforce this?

Question 70 (hard, multiple choice)

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role has an attached policy that grants s3:GetObject on the bucket. However, the application on the EC2 instance is unable to read objects. What is the MOST likely cause?

Question 71 (easy, multiple choice)

A developer needs to allow a Lambda function to write logs to CloudWatch Logs. What is the MINIMUM IAM policy that should be attached to the Lambda execution role?

Question 72 (medium, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create new IAM users. Which approach should be used?

Question 73 (hard, multiple choice)

A company has an IAM policy that allows s3:GetObject on all buckets. However, a specific S3 bucket policy explicitly denies s3:GetObject to all principals. An IAM user with the IAM policy tries to read an object from that bucket. What is the result?

Question 74 (easy, multiple choice)

A company needs to grant cross-account access to an S3 bucket. Which IAM feature should be used?

Question 75 (hard, multiple choice)

A security engineer notices that an IAM role has a trust policy that allows 'sts:AssumeRole' from any AWS account. What is the security risk?

Question 76 (medium, multiple choice)

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to enforce this?

Question 77 (medium, multi select)

Which TWO actions can be used to restrict access to an S3 bucket to only requests that originate from a specific VPC?

Question 78 (hard, multi select)

Which THREE are best practices for managing IAM roles?

Question 79 (easy, multi select)

Which TWO are valid ways to authenticate an IAM user?

Question 80 (easy, multiple choice)

A company requires that all access to its S3 buckets be logged for compliance. Which AWS service should be used to record API calls to S3?

Question 81 (medium, multiple choice)

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The boundary must allow the instance to list all S3 buckets but deny the ability to delete any bucket. Which policy should be used as the permissions boundary?

Question 82 (hard, multiple choice)

An IAM policy attached to a user allows s3:GetObject on bucket 'my-bucket'. The user also has a service control policy (SCP) in the organization that denies s3:GetObject on all resources. The user attempts to download an object from 'my-bucket'. What is the outcome?

Question 83 (easy, multiple choice)

A developer needs to grant an IAM user the ability to launch EC2 instances with specific tags. Which IAM condition key should be used to enforce that the instance is tagged with 'Environment=Production'?

Question 84 (medium, multiple choice)

A security team is troubleshooting an issue where an IAM role assumed by a Lambda function is unable to write logs to CloudWatch Logs. The role has an attached policy that allows logs:CreateLogGroup and logs:PutLogEvents. What is a likely reason for the failure?

Question 85 (hard, multiple choice)

A company uses AWS Organizations and wants to prevent any IAM user from creating access keys for a long period. Which SCP should be applied to the root OU to enforce that IAM users cannot create access keys unless explicitly allowed?

Question 86 (easy, multiple choice)

A company wants to allow users from an external AWS account to assume a role in the company's account. What must be configured in the company's account?

Question 87 (medium, multiple choice)

A security engineer notices that an IAM role allows 'iam:PassRole' to an EC2 instance. What security risk does this present?

Question 88 (hard, multiple choice)

An IAM policy has the following statement: {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}. A user with this policy tries to perform s3:ListBucket on 'my-bucket'. Will the request succeed?

Question 89 (easy, multi select)

Which TWO AWS services can be used to centrally manage permissions across multiple AWS accounts?

Question 90 (medium, multi select)

Which TWO are best practices for managing IAM roles for EC2 instances?

Question 91 (hard, multi select)

Which THREE AWS services can be used to authenticate users for accessing AWS resources?

Question 92 (easy, multiple choice)

An IAM policy attached to a user contains the statements shown in the exhibit. The user attempts to download an object from 'example-bucket/confidential/report.pdf'. What is the result?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*"
    }
  ]
}

Question 93 (medium, multiple choice)

A security engineer runs the IAM policy simulator with a custom policy. The output is shown in the exhibit. Which statement is true about the policy?

Exhibit

Refer to the exhibit.

$ aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names iam:CreateUser iam:DeleteUser
{
  "EvaluationResults": [
    {
      "EvalActionName": "iam:CreateUser",
      "EvalDecision": "allowed",
      "EvalResourceName": "*"
    },
    {
      "EvalActionName": "iam:DeleteUser",
      "EvalDecision": "explicitDeny"
    }
  ]
}

Question 94 (hard, multiple choice)

An IAM role has the trust policy shown in the exhibit. Users from account 123456789012 try to assume the role. What is required for the AssumeRole API call to succeed?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

Question 95 (easy, multiple choice)

A company wants to allow an IAM user to manage only their own password in the AWS Management Console. Which IAM policy action should be used?

Question 96 (medium, multiple choice)

A security engineer needs to grant cross-account access to an S3 bucket in Account A to a role in Account B. Which combination of IAM entities must be configured?

Question 97 (hard, multiple choice)

A company has a policy that requires all IAM users to use multi-factor authentication (MFA) to access the AWS Management Console. A user reports that they are unable to sign in even after configuring MFA. What is the most likely cause?

Question 98 (easy, multiple choice)

An organization wants to use AWS Organizations to centrally manage permissions for multiple accounts. Which IAM feature is used to grant cross-account access within the organization?

Question 99 (medium, multiple choice)

A developer needs to grant an EC2 instance access to an S3 bucket. Which is the most secure way to provide credentials to the EC2 instance?

Question 100 (hard, multiple choice)

A security team notices that an IAM user has permissions to launch EC2 instances but should not have access to certain instance types. Which IAM policy condition key should be used to restrict this?

Question 101 (easy, multiple choice)

Which IAM entity can be used to delegate permissions to an AWS service to perform actions on your behalf?

Question 102 (medium, multiple choice)

A company has a policy that all IAM users must rotate their access keys every 90 days. How can this be enforced?

Question 103 (hard, multiple choice)

A security architect is designing a system where an S3 bucket must be accessed by users from multiple AWS accounts. The solution must use the principle of least privilege. Which approach should be used?

Question 104 (medium, multi select)

Which TWO actions can be used to restrict access to an S3 bucket to only users who authenticate using multi-factor authentication (MFA)? (Choose TWO.)

Question 105 (medium, multi select)

Which THREE statements about IAM roles are correct? (Choose THREE.)

Question 106 (hard, multi select)

Which TWO IAM policy conditions can be used to enforce that API calls originate from a specific AWS region? (Choose TWO.)

Question 107 (medium, multiple choice)

A company wants to allow a third-party auditor to read objects in an S3 bucket for a limited time. The auditor does not have an AWS account. What is the most secure way to grant this access?

Question 108 (easy, multiple choice)

A developer needs to allow an EC2 instance to access an S3 bucket. Which is the best practice for granting permissions?

Question 109 (hard, multiple choice)

A security engineer notices that an IAM user has permissions to create new IAM users and attach policies. What is the most effective way to detect if this user created a backdoor user?

Question 110 (medium, multiple choice)

An organization wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which policy should be used?

Question 111 (easy, multiple choice)

A company uses AWS Organizations and wants to restrict all IAM users in member accounts from using the Amazon EC2 RunInstances API unless they have MFA. What is the most efficient way to enforce this?

Question 112 (hard, multiple choice)

A security team wants to grant a Lambda function access to read from a DynamoDB table in the same account. What is the most secure way to do this?

Question 113 (easy, multiple choice)

A company wants to allow users to assume a role in another AWS account to access a specific S3 bucket. What must be configured?

Question 114 (medium, multiple choice)

An administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance in a specific VPC. The user has the AmazonEC2FullAccess policy attached. What is the most likely cause?

Question 115 (hard, multiple choice)

A company uses AWS SSO to manage access to multiple accounts. An employee leaves the company. What is the most efficient way to revoke all AWS access for that employee?

Question 116 (medium, multi select)

A security engineer is designing a system to allow an EC2 instance to write logs to an S3 bucket. Which TWO steps are required?

Question 117 (hard, multi select)

An organization wants to enforce that all IAM users must use MFA to access the AWS API. Which TWO steps should be taken?

Question 118 (easy, multi select)

A company wants to grant a set of developers the ability to launch EC2 instances but only in a specific subnet. Which THREE steps should be taken?

Question 119 (medium, multiple choice)

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What should the security team do to enforce this requirement?

Question 120 (easy, multiple choice)

An AWS Lambda function needs to read from a DynamoDB table. What is the best practice for granting the Lambda function the necessary permissions?

Question 121 (hard, multiple choice)

A security engineer is troubleshooting an issue where an IAM policy allows access to S3 but the user is denied access to a specific bucket. The policy has the following statement:

{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "*"
}

What is the most likely cause of the denial?

Question 122 (medium, multiple choice)

A company wants to allow cross-account access to an S3 bucket in Account A for a user in Account B. What is the correct combination of steps?

Question 123 (easy, multiple choice)

An application running on an EC2 instance needs to access an S3 bucket. What is the most secure way to grant the EC2 instance the necessary permissions?

Question 124 (medium, multiple choice)

A security team needs to audit all changes to IAM resources in their AWS account. Which AWS service should they use?

Question 125 (hard, multiple choice)

An IAM user reports that they are unable to launch an EC2 instance in a specific VPC. The user has an IAM policy that allows ec2:RunInstances for all resources. The VPC has a network ACL that allows all inbound and outbound traffic. What is the most likely cause of the failure?

Question 126 (easy, multiple choice)

A company wants to grant an IAM user the ability to rotate their own access keys. What is the least privileged IAM policy that allows this?

Question 127 (medium, multiple choice)

A company uses AWS Organizations and wants to restrict all IAM users in all accounts from using the AWS Management Console. What is the most effective way to achieve this?

Question 128 (medium, multi select)

Which TWO actions are valid ways to grant an IAM user in Account A access to an S3 bucket in Account B? (Choose 2.)

Question 129 (easy, multi select)

Which TWO are valid IAM identity-based policies? (Choose 2.)

Question 130 (hard, multi select)

Which THREE are valid ways to restrict access to an S3 bucket using IAM policies? (Choose 3.)

Question 131 (medium, multi select)

Which TWO are characteristics of an IAM role? (Choose 2.)

Question 132 (hard, multiple choice)

A company has a multi-account AWS Organizations setup with a central security account (Account ID: 111122223333) and several member accounts. The security team uses AWS CloudTrail to log all API calls across accounts and stores the logs in an S3 bucket (my-cloudtrail-bucket) in the security account. The team wants to allow the security team members (IAM users in the security account) to access the CloudTrail logs, while denying access to all other users in the organization, including the root user of the security account. The security team has attached the following IAM policy to the IAM group containing the security team members:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*"
    }
  ]
}

However, a security team member reports that they are receiving an AccessDenied error when trying to download a log file. The bucket policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}

What is the most likely reason for the AccessDenied error?

Question 133 (medium, multiple choice)

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The Lambda function is configured with an execution role that has the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

The Lambda function is also configured with an SQS trigger that uses the same queue. The function code tries to send a message to an Amazon SNS topic, but the send fails with an AccessDenied error. What is the most likely cause?

Question 134 (easy, multiple choice)

A company wants to grant a Lambda function access to write logs to CloudWatch Logs in the same AWS account. What is the BEST practice for granting this permission?

Question 135 (medium, multiple choice)

A security engineer notices that an IAM user, 'svc-backup', has full S3 access (s3:*) to all buckets. The engineer wants to restrict the user to only put objects into a specific bucket named 'mycompany-backup' and deny all other S3 actions. Which IAM policy should be attached?

Question 136 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in the member accounts must have multi-factor authentication (MFA) enabled to access the AWS Management Console. Which approach should be used?

Question 137 (medium, multiple choice)

A developer needs to allow an EC2 instance to read from a DynamoDB table named 'Orders' in the same account. The security team requires that the permissions be granted using an instance profile. Which steps should be taken?

Question 138 (medium, multi select)

A security engineer needs to allow an IAM user to rotate their own access keys. Which TWO IAM actions must be allowed in the user's policy? (Choose TWO.)

Question 139 (hard, multi select)

A company has an S3 bucket that contains sensitive data. The security team wants to enforce that all access to the bucket must use HTTPS and that requests originating from outside the corporate network (as defined by a specific IP range 203.0.113.0/24) must be denied. Which THREE conditions should be included in the S3 bucket policy? (Choose THREE.)

Question 140 (easy, multi select)

A developer wants to allow an IAM role to be assumed by an EC2 instance that is part of an Auto Scaling group. Which TWO AWS services or features are required? (Choose TWO.)

Question 141 (hard, multi select)

A company uses AWS KMS to encrypt objects in an S3 bucket. The security team wants to ensure that only users with the appropriate KMS key permissions can decrypt objects. Which THREE conditions should be included in the S3 bucket policy to enforce this? (Choose THREE.)

Question 142 (hard, multiple choice)

An IAM policy allows a user to pass a specific role and launch EC2 instances. The user tries to launch an EC2 instance with the role 'ec2-full-access' but receives an error: 'You are not authorized to perform iam:PassRole'. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/ec2-full-access"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*"
    }
  ]
}

Question 143 (easy, multiple choice)

An administrator runs the AWS CLI command shown in the exhibit. What does this command do?

Exhibit

Refer to the exhibit.

$ aws iam list-attached-role-policies --role-name MyRole
{
  "AttachedPolicies": [
    {
      "PolicyName": "S3ReadOnly",
      "PolicyArn": "arn:aws:iam::123456789012:policy/S3ReadOnly"
    },
    {
      "PolicyName": "DynamoDBWriteOnly",
      "PolicyArn": "arn:aws:iam::123456789012:policy/DynamoDBWriteOnly"
    }
  ]
}

Question 144 (medium, multiple choice)

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to a fleet of EC2 instances in an Auto Scaling group. The EC2 instances need to read from an Amazon RDS MySQL database and write logs to an S3 bucket. The security team wants to ensure that the EC2 instances have only the minimum required permissions. Currently, the EC2 instances are launched with an IAM role that has an attached policy allowing full S3 access (s3:*) and full RDS access (rds:*). The security team has identified that this is overly permissive and wants to restrict access to only the specific resources needed. Additionally, the team wants to ensure that the EC2 instances can only access the RDS database using SSL/TLS. Which combination of actions should the security team take?

Question 145 (hard, multiple choice)

A large enterprise uses AWS Organizations to manage multiple accounts. The security team has implemented a Service Control Policy (SCP) at the root level that denies all actions unless the request originates from the corporate IP range (10.0.0.0/8). Recently, a developer in a member account tried to launch an EC2 instance from the AWS Management Console while connected via a VPN that provides an IP address within the corporate range. However, the launch failed with an 'AccessDenied' error. The developer is using an IAM user with full EC2 permissions (ec2:*). The SCP is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"NotIpAddress":{"aws:SourceIp":"10.0.0.0/8"}}}]}. What is the MOST likely reason for the failure?

Question 146 (medium, multiple choice)

A company has a requirement to grant cross-account access to an S3 bucket named 'shared-data' in Account A (111111111111) to users in Account B (222222222222). The security team has set up a bucket policy in Account A that grants read-only access to the IAM role 'DataReader' in Account B. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::222222222222:role/DataReader"},"Action":["s3:GetObject"],"Resource":"arn:aws:s3:::shared-data/*"}]}. A user in Account B assumes the 'DataReader' role, but when trying to read an object from the bucket, they receive an 'Access Denied' error. What is the MOST likely reason for this error?

Question 147 (hard, multiple choice)

A company runs a serverless application using AWS Lambda functions that access an Amazon DynamoDB table. The Lambda functions are part of a microservices architecture and need to read and write to the DynamoDB table. The security team wants to ensure that the Lambda functions have the minimum required permissions. Initially, the team attached the AWS managed policy 'AWSLambdaDynamoDBExecutionRole' to the Lambda execution role, but later discovered that this policy grants more permissions than needed. The team decides to create a custom policy with only the required actions: GetItem, PutItem, UpdateItem, and DeleteItem. However, after attaching the custom policy, the Lambda functions start failing with 'AccessDeniedException' when trying to access DynamoDB. The CloudWatch logs show that the Lambda function is unable to write logs to CloudWatch Logs. What is the MOST likely cause of the failures?

Question 148 (medium, multiple choice)

A company is using Amazon API Gateway to expose a set of REST APIs. The APIs are backed by AWS Lambda functions. The security team wants to control access to the APIs using IAM authorization. The team has created an IAM policy for a group of developers that allows them to invoke the APIs only from within the corporate network (IP range 203.0.113.0/24). The policy is attached to an IAM group, and the developers are members of the group. However, when a developer tries to invoke the API from the corporate network, they receive a '403 Forbidden' error. The API Gateway endpoint is configured with IAM authorization. The IAM policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:us-east-1:123456789012:api-id/*","Condition":{"IpAddress":{"aws:SourceIp":"203.0.113.0/24"}}}]}. What is the MOST likely reason for the failure?

Question 149 (medium, multi select)

A security engineer is designing IAM policies for a data analytics platform that uses Amazon S3, Amazon Athena, and AWS Glue. The platform must allow data scientists to query data in S3 using Athena, but only from specific VPC subnets. Additionally, the data must be encrypted at rest using AWS KMS. Which TWO actions should the engineer take to meet these requirements? (Choose TWO.)

Question 150 (hard, multiple choice)

A company manages a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all Amazon S3 buckets in the organization are encrypted with AWS KMS customer managed keys (CMKs) and that no unencrypted buckets can be created. They also want to ensure that the encryption settings cannot be changed by account administrators. The team uses AWS CloudTrail to log all S3 API calls and wants to detect any attempts to create unencrypted buckets. The security team creates a service control policy (SCP) that denies s3:PutBucketEncryption and s3:PutBucketPolicy unless the request includes a specific encryption setting. However, they find that a developer in a member account was able to create an unencrypted bucket using the AWS Management Console. The CloudTrail logs show that the bucket was created with the s3:CreateBucket API call without specifying any encryption parameters. What should the security team do to prevent this from happening?

Question 151 (easy, multiple choice)

A company has an AWS Lambda function that processes sensitive data stored in an Amazon S3 bucket. The Lambda function needs to read objects from the S3 bucket and write results to a different S3 bucket. The security engineer is configuring IAM permissions for the Lambda execution role. The engineer wants to follow the principle of least privilege. The Lambda function is triggered by S3 events from the source bucket. The engineer creates an IAM policy that grants s3:GetObject on the source bucket and s3:PutObject on the destination bucket. However, when testing, the Lambda function fails with an access denied error when trying to process an object. The error message indicates that the Lambda function does not have permission to list the objects in the source bucket. The engineer checks the S3 event notification configuration and confirms that the event is configured correctly. What should the engineer do to resolve the issue?

Question 152 (hard, multiple choice)

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes financial transactions and must store transaction logs in an Amazon S3 bucket. The security team requires that all API calls to AWS services are logged and that the logs are stored in a secure, tamper-proof manner. The team enables AWS CloudTrail to log management events and Amazon S3 server access logs for the S3 bucket. They also enable AWS Config to track resource changes. The compliance team wants to ensure that no one can disable CloudTrail logging or delete the CloudTrail log files. The security engineer proposes a solution using an SCP in AWS Organizations to deny actions that would disable CloudTrail or delete log files. However, the engineer is concerned that the SCP might be applied too broadly and affect legitimate administrative actions. The engineer wants to ensure that only the security team’s IAM role (SecurityAdminRole) can perform these restricted actions, while all other principals (including IAM users, roles, and the root user) are denied. The engineer creates an SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the CloudTrail S3 bucket. The SCP includes a condition that allows the action if the principal is SecurityAdminRole. However, after applying the SCP, the security team finds that even SecurityAdminRole is unable to stop CloudTrail logging. What is the most likely cause of this issue?

Question 153 (easy, multiple choice)

A company wants to allow its development team to have full access to Amazon S3 buckets that are tagged with 'Environment: Dev'. Which IAM policy element should be used to restrict access based on tags?

Question 154 (medium, multiple choice)

A security engineer is troubleshooting an issue where an IAM role used by an EC2 instance cannot access an S3 bucket, even though the role has an attached policy that grants s3:GetObject on the bucket. The bucket policy does not explicitly deny access. What is the most likely cause?

Question 155 (hard, multiple choice)

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all users must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

Question 156 (medium, multi select)

A company is designing an IAM policy to grant a group of developers access to manage EC2 instances and RDS databases. Which TWO actions should be included to follow the principle of least privilege?

Question 157 (hard, multi select)

A security engineer is reviewing an IAM policy that allows access to an S3 bucket. The policy includes a condition that checks 'aws:SourceIp'. However, users report they can still access the bucket from IP addresses not in the allowed list. Which THREE possible reasons could explain this behavior?

Question 158 (easy, multi select)

A company wants to allow a Lambda function to read messages from an SQS queue and write logs to CloudWatch Logs. Which TWO IAM actions should be included in the Lambda execution role?

Question 159 (easy, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. The user is trying to download an object from 'example-bucket' from an IP address of 10.1.1.1. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

Question 160 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the 'simulate-custom-policy' command to test a policy. The output shows 'explicitDeny' for ec2:RunInstances. What is the most likely reason?

Exhibit

Refer to the exhibit.

$ aws iam simulate-custom-policy --policy-input-list '{"Version":"2012-10-17"...' --action-names ec2:DescribeInstances ec2:RunInstances
{
  "EvaluationResults": [
    {
      "EvalActionName": "ec2:DescribeInstances",
      "EvalDecision": "allowed"
    },
    {
      "EvalActionName": "ec2:RunInstances",
      "EvalDecision": "explicitDeny"
    }
  ]
}

Question 161 (hard, multiple choice)

Refer to the exhibit. This IAM policy is attached to a user. The user attempts to assume the AdminRole without using MFA. What is the result?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/AdminRole"
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

Question 162 (easy, multiple choice)

A company uses AWS Organizations and wants to delegate administration of IAM Access Analyzer to a member account. Which AWS service should be used to enable this delegation?

Question 163 (medium, multiple choice)

A security engineer needs to ensure that an IAM role can only be assumed by a specific EC2 instance. The instance has a tag 'Environment=Production'. Which condition key should be used in the trust policy of the role?

Question 164 (hard, multiple choice)

A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. The role is used by an application running on an EC2 instance. The application is unable to access the bucket, but the role can access other resources. What is the most likely cause?

Question 165 (medium, multiple choice)

Refer to the exhibit. This is an S3 bucket policy. The CrossAccountRole in account 111111111111 has an IAM policy that allows s3:GetObject on 'my-bucket'. A user in account 111111111111 assumes the role and tries to get an object. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/CrossAccountRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Question 166 (easy, multiple choice)

A company needs to provide temporary credentials to mobile app users to access AWS resources. Which AWS service should be used to issue these credentials?

Question 167 (medium, multiple choice)

A security engineer discovers that an IAM policy allows 'iam:CreateUser' and 'iam:CreateAccessKey' for all users in the account. Which risk does this pose?

Question 168 (easy, multiple choice)

A company wants to allow an IAM user to list only the objects in a specific S3 bucket named 'my-bucket'. Which IAM policy statement should be used?

Question 169 (medium, multiple choice)

A security engineer is investigating an IAM role that was used to access AWS resources from an external account. The role has a trust policy that allows the external account to assume it. Which of the following is a required step for the external account to use the role?

Question 170 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must have a password policy that requires a minimum length of 14 characters. How can this be achieved centrally?

Question 171 (easy, multiple choice)

A developer needs to grant an EC2 instance read-only access to an S3 bucket. Which of the following is the most secure way to provide these permissions?

Question 172 (medium, multiple choice)

An IAM policy grants access to a DynamoDB table with a condition that the request must originate from a specific VPC endpoint. However, requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

Question 173 (hard, multiple choice)

A company uses cross-account IAM roles to allow a third-party auditor to access a specific S3 bucket. The auditor reports that they are getting 'Access Denied' errors when trying to list objects. The bucket policy allows access to the auditor's account. What additional configuration is needed?

Question 174 (easy, multiple choice)

A security administrator needs to ensure that all IAM users in the account use multi-factor authentication (MFA) to access the AWS Management Console. What is the most effective way to enforce this?

Question 175 (medium, multiple choice)

A company has an IAM policy that allows a user to launch EC2 instances only in a specific Availability Zone (us-east-1a). The user is able to launch instances, but the instances are launched in us-east-1b instead. What is the most likely reason?

Question 176 (hard, multiple choice)

An organization uses AWS KMS to encrypt S3 objects. They want to allow a developer to decrypt objects only if the request comes from a specific IP address range. Which IAM policy condition should be used?

Question 177 (easy, multi select)

A company wants to grant an IAM user the ability to manage (create, update, delete) their own access keys. Which TWO IAM actions must be allowed in the policy?

Question 178 (medium, multi select)

A security engineer needs to design a system where an EC2 instance can write logs to a CloudWatch log group. Which TWO steps are required?

Question 179 (hard, multi select)

A company wants to enforce that all IAM users in an AWS Organization must have a password policy that includes a minimum length of 12 characters. Which THREE steps are part of implementing this using SCPs?

Question 180 (medium, multiple choice)

An IAM user has the policy shown in the exhibit. The user tries to launch an m5.large instance in us-east-1, but gets an 'AccessDenied' error. Why does this happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
Question 181 (hard, multiple choice)

An IAM administrator ran the simulate-custom-policy command shown in the exhibit. The result shows an 'explicitDeny' for s3:ListBucket. What is the most likely reason?

Exhibit

Refer to the exhibit.

$ aws iam simulate-custom-policy --policy-input-list '{"Version":"2012-10-17" --action-names s3:GetObject s3:ListBucket --caller-arn arn:aws:iam::123456789012:user/Bob
{
  "EvaluationResults": [
    {
      "EvalActionName": "s3:GetObject",
      "EvalResourceName": "arn:aws:s3:::example-bucket/*",
      "EvalDecision": "allowed"
    },
    {
      "EvalActionName": "s3:ListBucket",
      "EvalResourceName": "arn:aws:s3:::example-bucket",
      "EvalDecision": "explicitDeny"
    }
  ]
}
Question 182 (easy, multiple choice)

An IAM policy allows the iam:PassRole action for a specific role only when the role is passed to EC2. A developer tries to launch an EC2 instance with this role, but fails. What is the most likely missing permission?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/MyEC2Role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
Question 183 (hard, multiple choice)

A security engineer is designing an IAM policy to allow an application running on an EC2 instance to read objects from a specific S3 bucket (my-bucket) and write objects to a different S3 bucket (my-other-bucket). The application uses an IAM role with the following trust policy. Which additional policy should be attached to the role to meet the requirements with least privilege?

Question 184 (easy, multiple choice)

A developer needs to grant an IAM user the ability to manage their own password and access keys, but not any other IAM users. Which IAM policy should be used?

Question 185 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no IAM user can have an access key older than 90 days. What is the MOST efficient way to achieve this?

Question 186 (easy, multiple choice)

A company wants to allow an external auditor to assume a read-only role in their AWS account. The auditor's AWS account ID is 123456789012. Which trust policy should be attached to the role?

Question 187 (hard, multiple choice)

A security engineer needs to design an IAM policy that allows an IAM user to launch EC2 instances only if they specify a specific security group ID (sg-12345) and a specific instance type (t2.micro). Which policy achieves this?

Question 188 (medium, multiple choice)

A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. However, users who assume that role are unable to list objects in the bucket. The bucket policy includes a Principal element set to the role ARN. What is the MOST likely cause?

Question 189 (easy, multiple choice)

An administrator needs to allow a Lambda function to write logs to CloudWatch Logs. What is the BEST way to grant these permissions?

Question 190 (medium, multiple choice)

A company is using AWS Organizations and wants to delegate administrative tasks for a specific OU to another account. Which feature should be used?

Question 191 (hard, multiple choice)

A security engineer is analyzing an IAM policy that is attached to a group. The policy is intended to allow users to manage their own credentials. However, users are reporting that they cannot change their password. The policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"],
      "Resource": "*"
    }
  ]
}

What is the issue?

Question 192 (medium, multi select)

A company needs to implement a cross-account access strategy where users in Account A can assume a role in Account B. Which TWO steps are necessary? (Choose TWO.)

Question 193 (hard, multi select)

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The role must be able to read from an S3 bucket (my-bucket) and write to CloudWatch Logs. Which THREE conditions must be met for the role to have effective permissions? (Choose THREE.)

Question 194 (easy, multi select)

Which TWO of the following are best practices for managing IAM user credentials? (Choose TWO.)

Question 195 (medium, multiple choice)

A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be logged in AWS CloudTrail and that all requests must be authenticated using IAM credentials. Which S3 bucket policy statement should be added to enforce these requirements?

Question 196 (hard, multiple choice)

A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table. The function is deployed in a VPC with no internet access. What is the MOST secure way to grant the Lambda function access to DynamoDB?

Question 197 (easy, multiple choice)

An AWS administrator needs to allow an IAM user to manage their own password and access keys. Which IAM policy action should be included?

Question 198 (medium, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys. Which policy type should be used to enforce this restriction across all accounts?

Question 199 (hard, multiple choice)

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the IAM role attached to the instance has an Allow policy for s3:GetObject. The S3 bucket policy includes a Deny statement with the condition 'aws:SourceIp': ['10.0.0.0/8']. What is the likely cause of the failure?

Question 200 (easy, multiple choice)

A company needs to grant cross-account access to an S3 bucket in Account A to users in Account B. What is the recommended approach?

Question 201 (medium, multiple choice)

An organization is using IAM roles for EC2 instances. The security team needs to ensure that each EC2 instance can only assume a specific role based on tags. Which feature should be used?

Question 202 (hard, multiple choice)

A developer is trying to upload a file to an S3 bucket using the AWS CLI, but receives an 'AccessDenied' error. The IAM policy attached to the user includes 's3:PutObject' on the bucket. The bucket policy has a Deny statement with the condition 'aws:Referer': ['example.com']. The CLI command does not include a referer header. What is the cause of the error?

Question 203 (medium, multiple choice)

A company needs to allow an external auditor to access a specific S3 bucket for 30 days. The auditor does not have an AWS account. What is the MOST secure way to grant temporary access?

Question 204 (medium, multi select)

A security engineer is designing a solution to allow a Lambda function to write logs to CloudWatch Logs. Which TWO actions are required in the IAM execution role? (Choose TWO.)

Question 205 (hard, multi select)

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users must have MFA enabled. Which TWO methods can be used to enforce this? (Choose TWO.)

Question 206 (easy, multi select)

Which THREE are valid methods for authenticating to AWS APIs? (Choose THREE.)

Question 207 (hard, multiple choice)

Refer to the exhibit. A user has this IAM policy attached. They attempt to download an object from example-bucket using the AWS CLI without specifying server-side encryption. Will the request succeed?

Exhibit

Refer to the exhibit. IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
Question 208 (medium, multiple choice)

Refer to the exhibit. An EC2 instance with an IAM role attached attempts to access an S3 bucket, but receives an 'AccessDenied' error. The role has an attached policy allowing s3:GetObject on the bucket. What is the most likely cause?

Exhibit

Refer to the exhibit.

$ aws iam get-role --role-name MyRole
{
  "Role": {
    "Path": "/",
    "RoleName": "MyRole",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
Question 209 (easy, multiple choice)

Refer to the exhibit. An IAM user has this policy attached. Can the user create a new IAM user in the us-east-1 region?

Exhibit

Refer to the exhibit. IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateUser",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
Question 210 (medium, multiple choice)

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application accesses an S3 bucket to store user uploads. The security team needs to ensure that the EC2 instances can access the S3 bucket without storing AWS credentials on the instances. What should the security team do?

Question 211 (hard, multiple choice)

A security engineer is designing a cross-account IAM role to allow users in Account A to access resources in Account B. The engineer wants to restrict access to only users who have authenticated with multi-factor authentication (MFA) in Account A. What condition key should the engineer use in the trust policy of the IAM role in Account B?

Question 212 (easy, multiple choice)

A company's security policy requires that all IAM users must use strong passwords. Which IAM feature should be used to enforce this requirement?

Question 213 (medium, multiple choice)

A developer is trying to push an image to Amazon ECR but receives an 'AccessDeniedException' error. The developer's IAM user has the 'AmazonEC2ContainerRegistryPowerUser' managed policy attached. What is the most likely reason for the failure?

Question 214 (hard, multiple choice)

A security engineer is configuring a VPC endpoint for Amazon S3 and wants to ensure that only traffic from specific IAM roles can access the S3 bucket through the endpoint. Which policy element should the engineer use?

Question 215 (easy, multiple choice)

An IAM policy includes the following statement: 'Effect': 'Deny', 'Action': 's3:*', 'Resource': '*', 'Condition': {'Bool': {'aws:SecureTransport': 'false'}}. What does this policy do?

Question 216 (medium, multiple choice)

A company wants to allow users from an external AWS account to assume an IAM role in its account. What must be configured in both accounts?

Question 217 (hard, multiple choice)

A security auditor notices that an IAM role has a policy that grants 'iam:PassRole' to a specific EC2 instance profile. What is the security implication of this permission?

Question 218 (medium, multiple choice)

A company has an S3 bucket with a bucket policy that grants access to an IAM role used by an application running on EC2. The application is unable to read objects from the bucket, even though the IAM role has the necessary permissions. What is the most likely cause?

Question 219 (hard, multi select)

A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which TWO conditions must be configured?

Question 220 (medium, multi select)

An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::example-bucket/*', 'Condition': {'IpAddress': {'aws:SourceIp': '192.0.2.0/24'}}. Which TWO statements about this policy are correct?

Question 221 (medium, multi select)

A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the company take?

Question 222 (hard, multiple choice)

Refer to the exhibit. An IAM policy allows running EC2 instances. A developer tries to launch a t2.micro instance but receives an 'AccessDenied' error. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
Question 223 (medium, multiple choice)

Refer to the exhibit. A developer is trying to list objects in a Google Cloud Storage bucket from an AWS environment. What is the most likely cause of the error?

Exhibit

Refer to the exhibit.

gsutil ls gs://my-bucket
AccessDeniedException: 403 my-user@domain.com does not have storage.objects.list access to the Google Cloud Storage bucket.
Question 224 (easy, multiple choice)

Refer to the exhibit. This trust policy is attached to an IAM role. What does it allow?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
Question 225 (medium, multiple choice)

A company is using IAM roles to grant EC2 instances access to an S3 bucket. The security team wants to ensure that the instances can only access their own bucket. Which policy should be attached to the IAM role to enforce this?

Question 226 (easy, multiple choice)

A developer needs to allow an IAM user to manage their own password in the AWS Management Console. Which IAM policy should be attached to the user?

Question 227 (hard, multiple choice)

A company has multiple AWS accounts and wants to allow a user in the production account to assume a role in the development account. The role in the development account has a trust policy that allows the production account to assume it. What additional configuration is required?

Question 228 (medium, multiple choice)

An organization wants to enforce multi-factor authentication (MFA) for all IAM users who perform sensitive actions. Which condition key should be used in an IAM policy to require MFA?

Question 229 (hard, multiple choice)

A security engineer notices that an IAM role allows an EC2 instance to access a DynamoDB table. The instance is compromised. What is the best way to immediately revoke the instance's access without affecting other resources that use the same role?

Question 230 (easy, multiple choice)

A company wants to allow a Lambda function to read objects from an S3 bucket in the same account. What should be done?

Question 231 (medium, multiple choice)

An administrator wants to audit all IAM actions in the account. Which AWS service should be used?

Question 232 (hard, multiple choice)

A company has an S3 bucket with a bucket policy that grants access to an IAM role. The security team wants to restrict access to only requests that originate from the company's VPC. How can this be achieved?

Question 233 (easy, multiple choice)

Which IAM entity can be used to grant temporary access to AWS resources for users from a different AWS account?

Question 234 (medium, multi select)

Which TWO actions are valid ways to grant an IAM user access to an S3 bucket owned by another AWS account? (Choose TWO.)

Question 235 (hard, multi select)

Which THREE are best practices for securing IAM in an AWS environment? (Choose THREE.)

Question 236 (easy, multi select)

Which TWO services can be used to manage identity and access across multiple AWS accounts? (Choose TWO.)

Question 237 (medium, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that any new account created in the organization automatically has an S3 bucket policy that blocks public access. What is the most efficient way to enforce this requirement?

Question 238 (hard, multiple choice)

A developer needs to access an S3 bucket from an EC2 instance. The developer creates an IAM role with the necessary S3 permissions and attaches it to the instance profile. However, applications running on the instance still cannot access the bucket. What is the most likely cause?

Question 239 (easy, multiple choice)

A company wants to allow its users to assume an IAM role in a different AWS account. What must the company configure to enable cross-account access?

Question 240 (hard, multiple choice)

A security engineer notices that a developer's IAM user has full administrator access. The engineer wants to implement the principle of least privilege for the developer. What is the best way to proceed?

Question 241 (medium, multiple choice)

A company uses AWS IAM Identity Center (SSO) for managing access to multiple AWS accounts. A user reports that they can log in to the SSO portal but cannot see any AWS accounts in their dashboard. What is the most likely cause?

Question 242 (easy, multiple choice)

A company wants to allow an external auditor to read all objects in a specific S3 bucket for a limited time. What is the most secure way to grant this access?

Question 243 (medium, multiple choice)

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. What is the most effective way to enforce this?

Question 244 (hard, multiple choice)

A company uses AWS Organizations with a service control policy (SCP) that denies all IAM actions unless the request comes from a specific IP address range. A security administrator needs to create a new IAM role for a service that runs on-premises, but the request is being denied. What should the administrator do?

Question 245 (easy, multiple choice)

A developer is trying to use the AWS CLI to list objects in an S3 bucket but receives an AccessDenied error. The developer has an IAM user with a policy that allows s3:ListBucket on the bucket. What could be causing the error?

Question 246 (medium, multi select)

A security engineer is designing a system to manage access to an S3 bucket containing confidential data. Which TWO actions should the engineer take to implement least privilege?

Question 247 (hard, multi select)

A company has a requirement that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should the company take to enforce this?

Question 248 (medium, multi select)

A company wants to allow an IAM role from Account A to access an S3 bucket in Account B. Which THREE conditions must be met?

Question 249 (hard, multiple choice)

Refer to the exhibit. An IAM user has this policy attached. The user tries to download an object from the S3 bucket using the AWS CLI from an on-premises server with IP address 198.51.100.50. What will happen?

Exhibit

Refer to the exhibit.

IAM Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
Question 250 (easy, multiple choice)

Refer to the exhibit. An EC2 instance is launched with an instance profile that references this role. The application on the instance tries to list objects in 'my-bucket' but receives an AccessDenied error. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation snippet:
Resources:
  MyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: S3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::my-bucket
Question 251 (medium, multiple choice)

Refer to the exhibit. An IAM user 'ExternalUser' from account 111111111111 tries to assume the role 'MyRole' in account 123456789012 but receives an error. The user has a policy that allows sts:AssumeRole. What is the most likely reason for the failure?

Exhibit

Refer to the exhibit. CLI output:

$ aws iam get-role --role-name MyRole
{
  "Role": {
    "Path": "/",
    "RoleName": "MyRole",
    "Arn": "arn:aws:iam::123456789012:role/MyRole",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::111111111111:user/ExternalUser"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
Question 252 (medium, multiple choice)

A security engineer needs to grant an IAM user in Account A (111111111111) access to an S3 bucket in Account B (222222222222). The bucket policy in Account B allows cross-account access from Account A. Which additional step is required?

Question 253 (hard, multiple choice)

A company uses AWS Organizations with SCPs. The SCP for the production OU denies all actions on DynamoDB. An IAM policy attached to a user in that OU allows dynamodb:PutItem. What is the effective access?

Question 254 (easy, multiple choice)

A developer needs to run an application on an EC2 instance that accesses an S3 bucket. What is the best practice for granting permissions?

Question 255 (medium, multiple choice)

An IAM policy has the following statement: { "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:SecureTransport": "false" } } }. What does this policy do?

Question 256 (medium, multiple choice)

A security engineer is troubleshooting an IAM policy that is not working as expected. The policy allows ec2:StartInstances and ec2:StopInstances but the user gets an access denied error when trying to stop an instance. What is the most likely cause?

Question 257 (hard, multiple choice)

A company wants to grant cross-account access to an S3 bucket. The bucket policy allows access from account 111111111111. An IAM user in account 111111111111 has a policy allowing s3:GetObject on that bucket. However, the user gets AccessDenied. What is the most likely reason?

Question 258 (easy, multiple choice)

Which IAM feature allows you to grant temporary, limited-privilege credentials for a specific role?

Question 259 (hard, multiple choice)

An IAM policy includes: { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/MyRole" }. What does this allow?

Question 260 (easy, multiple choice)

A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. What is the best way to achieve this?

Question 261 (medium, multiple choice)

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The instance is launched in a VPC with a VPC endpoint for S3. The IAM role has a policy that grants s3:GetObject on the bucket. However, the application on the instance receives 'Access Denied' errors when trying to read objects. What is the MOST likely cause?

Question 262 (hard, multiple choice)

A security engineer is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a policy that allows sts:AssumeRole. The user receives an error: 'Access denied: User is not authorized to perform sts:AssumeRole.' What is the MOST likely cause?

Question 263 (easy, multiple choice)

A company wants to grant temporary credentials to mobile app users to access their own data in an S3 bucket. Which AWS service should be used to achieve this securely?

Question 264 (medium, multiple choice)

An organization has a production AWS account and a development AWS account. Developers need to access the production account from the development account using IAM roles. What is the MOST secure way to set this up?

Question 265 (hard, multi select)

A security engineer is designing a permissions boundary for an IAM user. Which TWO statements about permissions boundaries are correct?

Question 266 (medium, multi select)

A company wants to enforce that all IAM users use MFA. Which THREE actions should be taken to achieve this?

Question 267 (medium, multi select)

A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which TWO steps are required?

Question 268 (hard, multi select)

A company has an S3 bucket with a bucket policy that allows access to a specific IAM role. However, users assume the role but still get access denied. Which THREE factors could cause this?

Question 269 (hard, multiple choice)

Refer to the exhibit. An IAM policy is attached to a group. A user in the group accesses the S3 bucket from IP address 203.0.113.5 using HTTPS. What will be the result?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "198.51.100.0/24"
          ]
        },
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

Question 270 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team has created an SCP that denies access to all DynamoDB actions except for the 'prod' account. The SCP is attached to the root OU. The 'prod' account has an IAM role that allows full DynamoDB access. A developer in the 'prod' account tries to create a DynamoDB table but receives an 'AccessDenied' error. The developer has the correct IAM permissions. What is the MOST likely cause and what should be done to resolve the issue?

Question 271 (hard, multiple choice)

A large enterprise has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all IAM roles in all accounts must have a maximum session duration of 1 hour. They create an SCP that denies creating or updating roles if the MaxSessionDuration is greater than 3600 seconds. The SCP is attached to the root OU. After applying the SCP, the development team reports that they cannot create any new IAM roles, even with a session duration of 1 hour. They are using CloudFormation to create roles. What is the MOST likely reason for the failure?

Question 272 (easy, multiple choice)

A startup company has a single AWS account and a few IAM users. The CEO wants to ensure that no one can delete an S3 bucket that contains critical data. The security engineer creates an IAM policy that denies s3:DeleteBucket for all users. However, the CEO later finds that the bucket was deleted by a user who had full administrator access. Why did the policy fail to prevent the deletion?

Question 273 (medium, multiple choice)

A company uses cross-account roles to allow developers in the 'dev' account to access resources in the 'prod' account. The trust policy in 'prod' allows the 'dev' account to assume the role. The developers have an IAM policy that allows sts:AssumeRole on the role ARN. However, when a developer tries to assume the role via the AWS CLI, they get an error that the role cannot be assumed. The developer can list the role using IAM. What is the MOST likely cause?

Question 274 (hard, multiple choice)

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that an EC2 instance in the same VPC can access the bucket, but an instance in a peered VPC cannot. Both instances have the same IAM role attached. The VPC endpoint is in the first VPC and is shared via a transit gateway. What is the MOST likely reason the second instance cannot access the bucket?

Question 275 (easy, multiple choice)

A company uses IAM roles for EC2 instances to access DynamoDB. The security team wants to ensure that the instances can only access specific DynamoDB tables. They create an IAM policy that allows dynamodb:GetItem and dynamodb:PutItem on the specific table ARN. The policy is attached to the instance role. However, when an application on the instance tries to read from the table, it receives an 'AccessDeniedException'. The application is using the correct table name. What is the MOST likely cause?

Question 276 (medium, multi select)

A security engineer is designing a CI/CD pipeline that deploys AWS infrastructure using AWS CloudFormation. The pipeline must assume an IAM role in each target account to create and update stacks. Which TWO steps are required to allow cross-account access for CloudFormation? (Choose TWO.)

Question 277 (hard, multiple choice)

A company has a multi-account AWS organization with centralized logging in a Security account. The Security account contains an S3 bucket that stores CloudTrail logs from all member accounts. The bucket policy allows CloudTrail from member accounts to deliver logs. Recently, a security audit revealed that the bucket is publicly accessible. The security engineer must ensure that only authorized accounts can access the logs. The engineer updates the bucket policy to include a condition that restricts access to specific AWS accounts. However, after the change, member accounts report that CloudTrail is failing to deliver logs to the bucket. The bucket policy currently includes the following statement: { "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::central-logs/*", "Condition": { "StringEquals": { "aws:SourceAccount": "111111111111" } } } The Security account ID is 222222222222. What is the MOST likely cause of the delivery failure, and what should the engineer do to fix it?

Question 278 (easy, multiple choice)

A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table named 'Orders' in the same AWS account. The developer attaches an IAM policy to the Lambda execution role that includes the following statement: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders" } ] } When testing the Lambda function, it fails with an access denied error when trying to read from the table. The developer checks the Lambda function's code and confirms it is calling DynamoDB correctly. What is the MOST likely reason for the access denied error?

Question 279 (medium, multiple choice)

A company uses AWS Organizations with all features enabled. The security team wants to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if the user does not have MFA. The SCP is attached to the root organizational unit. After a few days, users in a member account report that they can still access the console without MFA. The security team reviews the SCP and finds it is correctly configured. What is the MOST likely reason the SCP is not being enforced?
