20+ practice questions focused on Identity and Access Management — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?
Explanation: Option D is correct because it grants `s3:GetObject` on `arn:aws:s3:::my-bucket/*`, which is what lets the user download objects. Note the resource split IAM requires: `s3:GetObject` is an object-level action and must target the object ARN (`my-bucket/*`), while `s3:ListBucket` is a bucket-level action and must target the bare bucket ARN (`arn:aws:s3:::my-bucket`). A complete read-only policy therefore needs both statements; D on its own lets the user fetch objects whose keys they already know but not enumerate the bucket. It is still the answer because it is the only option that grants a read action on the bucket's objects; the others grant write access, full access, or only `s3:ListBucket`, which lists keys but cannot retrieve any content.
A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?
Explanation: Option C is correct. A trust policy with `"Principal": {"AWS": "*"}` (or the bare `"Principal": "*"`) lets any IAM principal in any AWS account call STS `AssumeRole` on the role. The only other requirement is that the caller's own account grant them `sts:AssumeRole`, which an attacker controls in an account they own. Role ARNs follow a predictable format and leak through logs, code repositories and error messages, so once the ARN is known the attacker obtains temporary credentials carrying every permission in the role's permissions policy: unauthorized cross-account access. The fix is to name the specific account or role ARNs allowed to assume the role and, for third-party access, to require an `sts:ExternalId` condition as well.
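The check a practitioner wants after reading this is a scan of role trust policies for the wildcard principal. The script below is an added example, not code from the original page; the two trust policies and the role names in it are constructed for illustration.

```python
"""Audit IAM role trust policies for principals that let any AWS account assume the role.

Added example; the two trust policies below are constructed for illustration and the
role names are hypothetical."""
import json

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity"}


def _as_list(value):
    """IAM allows most elements as a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def open_trust_statements(trust_policy: dict) -> list:
    """Return the Allow statements whose AWS principal is the wildcard "*".

    Both the bare string form ("Principal": "*") and the map form
    ("Principal": {"AWS": "*"}) are caught.  A statement is reported even
    when it carries a Condition (e.g. sts:ExternalId), because the condition
    is then the only thing standing between the role and every AWS account
    and deserves a reviewer's eyes rather than an automatic pass.
    """
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws_values = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if "*" in aws_values:
            findings.append({"sid": stmt.get("Sid"), "has_condition": "Condition" in stmt})
    return findings


# Constructed trust policies for a hypothetical role.
OPEN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AnyoneCanAssume", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

SCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PartnerOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/PartnerDeploy"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}],
}

if __name__ == "__main__":
    for name, policy in (("OPEN_TRUST", OPEN_TRUST), ("SCOPED_TRUST", SCOPED_TRUST)):
        print(name, json.dumps(open_trust_statements(policy)))
```

In practice you would feed `open_trust_statements` the `AssumeRolePolicyDocument` returned by `iam:ListRoles` for every role in the account; the function is kept independent of boto3 so it runs offline against exported JSON.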
An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?
Explanation: `StringNotEquals` is a negated operator: the condition is true whenever the request's `aws:SourceArn` differs from the listed value, and it is also true when the key is absent from the request entirely. The statement carrying this condition therefore applies to requests that do not originate from the named EC2 instances and does not apply to requests that do. Whether that means "denied" depends on the statement's `Effect`: in a `Deny` statement the intended result is that anything not coming from an EC2 instance in account 123456789012 in us-east-1 is denied, which is the expected answer here; in an `Allow` statement the same condition would instead grant access to everything except those instances. `aws:SourceArn` is only populated when an AWS service makes the call on behalf of a resource, so this condition belongs in a role's trust policy as a confused-deputy guard rather than in an identity policy. Two practical caveats: `StringNotEquals` compares literally, so the `*` in `instance/*` is not a wildcard (use `ArnNotLike` for ARN patterns), and because negated operators match when the key is missing, a `Deny` written this way also blocks every caller that supplies no `aws:SourceArn` at all.
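To make the operator difference concrete, the following added example (not code from the original page) models only the condition element of a `Deny` statement and evaluates it with `StringNotEquals` and with `ArnNotLike` against constructed requests; the instance IDs are hypothetical.

```python
"""Evaluate an IAM Deny statement conditioned on aws:SourceArn with two operators.

Added example, not from the original page.  It models only the condition
element; the requests are constructed and the instance IDs are hypothetical."""
import fnmatch
from typing import Optional

PATTERN = "arn:aws:ec2:us-east-1:123456789012:instance/*"


def string_not_equals(allowed: list, value: Optional[str]) -> bool:
    """IAM StringNotEquals: literal, case-sensitive comparison ('*' is just a character).
    Negated operators evaluate to true when the key is absent from the request."""
    if value is None:
        return True
    return all(value != a for a in allowed)


def arn_like_one(pattern: str, arn: str) -> bool:
    """ArnLike semantics: match each of the six colon-separated ARN fields separately,
    with '*' and '?' wildcards allowed in every field."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    if len(p) != 6 or len(a) != 6:
        return False
    return all(fnmatch.fnmatchcase(field, pat) for pat, field in zip(p, a))


def arn_not_like(allowed: list, value: Optional[str]) -> bool:
    """IAM ArnNotLike: true when the request ARN matches none of the patterns
    (and, as for every negated operator, when the key is missing)."""
    if value is None:
        return True
    return not any(arn_like_one(pat, value) for pat in allowed)


OPERATORS = {"StringNotEquals": string_not_equals, "ArnNotLike": arn_not_like}


def deny_fires(operator: str, source_arn: Optional[str]) -> bool:
    """Does {"Effect": "Deny", "Condition": {operator: {"aws:SourceArn": PATTERN}}}
    apply to a request whose aws:SourceArn is source_arn (None when not present)?"""
    return OPERATORS[operator]([PATTERN], source_arn)


if __name__ == "__main__":
    # Constructed requests: the intended caller, an instance in another account, no key.
    requests = {
        "intended instance": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
        "other account": "arn:aws:ec2:us-east-1:999999999999:instance/i-0123456789abcdef0",
        "no aws:SourceArn": None,
    }
    for label, arn in requests.items():
        for op in OPERATORS:
            print(f"{op:17} {label:18} denied={deny_fires(op, arn)}")
```

Running it shows the trap: with `StringNotEquals` the `Deny` fires even for the intended instance, because `instance/*` never literally equals a real instance ARN, whereas `ArnNotLike` lets the intended instance through and still denies the other account and the key-less request.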
An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?
Explanation: The identity policy allows `s3:ListBucket` on `arn:aws:s3:::example-bucket`, which is the correct action and resource ARN for listing (ListBucket is a bucket-level action, so the resource must be the bucket ARN, not `example-bucket/*`). When a correct Allow still produces AccessDenied, look for an explicit `Deny` elsewhere in the evaluation: the bucket policy, an SCP, a permissions boundary, or a session policy. An explicit Deny in any of these overrides every Allow, and of these the bucket policy is the most likely place for a per-user `Deny` on `s3:ListBucket`, which is the answer here. If the bucket belonged to a different account, the cause would instead be a missing Allow in the bucket policy, since cross-account access requires both the identity policy and the resource policy to allow the request.
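The two S3 questions above (the read-only policy for 'my-bucket' and this AccessDenied on 'example-bucket') share one evaluation model, so a single added example serves both. It is not code from the original page: it builds the least-privilege read-only policy and runs a deliberately simplified same-account evaluator (no Principal or Condition handling, `fnmatch` for IAM's `*`) over constructed identity and bucket policies to show that `s3:GetObject` alone cannot list, and that one explicit `Deny` beats a correct `Allow`.

```python
"""Build a read-only S3 policy and evaluate it with IAM's deny-overrides rule.

Added example, not from the original page.  The evaluator is a deliberate
simplification: same-account only, no Principal or Condition handling, and
wildcard matching via fnmatch (IAM's '*' likewise spans '/').  Policies below
are constructed for illustration."""
import fnmatch


def read_only_policy(bucket: str) -> dict:
    """Least-privilege read-only access needs two statements with different
    resource ARNs: ListBucket is a bucket-level action on the bucket ARN,
    GetObject is an object-level action on bucket/*.  Neither covers the other."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "GetObjects", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement's Action and Resource patterns both cover the request."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]   # action names are case-insensitive
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def evaluate(action: str, resource: str, *policies: dict) -> str:
    """Same-account evaluation order: an explicit Deny in any policy (identity
    policy, bucket policy, SCP, permissions boundary) wins outright; otherwise
    any Allow wins; otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Constructed: the identity policy from the AccessDenied question ...
LIST_ONLY_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}

# ... and a bucket policy that explicitly denies listing (Principal omitted because
# the toy evaluator assumes every statement applies to the user in question).
DENY_LIST_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyListForUser", "Effect": "Deny", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"}]}


if __name__ == "__main__":
    ro = read_only_policy("my-bucket")
    print(evaluate("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv", ro))   # Allow
    print(evaluate("s3:ListBucket", "arn:aws:s3:::my-bucket", ro))             # Allow
    print(evaluate("s3:PutObject", "arn:aws:s3:::my-bucket/report.csv", ro))   # ImplicitDeny
    print(evaluate("s3:ListBucket", "arn:aws:s3:::example-bucket",
                   LIST_ONLY_IDENTITY_POLICY, DENY_LIST_BUCKET_POLICY))        # ExplicitDeny
```

Dropping the `ListBucket` statement from `read_only_policy` and re-running the second call returns `ImplicitDeny`, which is exactly why option D in the first question is incomplete on its own.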
A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?
Explanation: A is correct. With SAML federation, IAM roles are what federated users assume; no IAM users are created for them. Each role needs a trust policy whose principal is the SAML provider (`"Principal": {"Federated": "arn:aws:iam::ACCOUNT:saml-provider/NAME"}`), whose action is `sts:AssumeRoleWithSAML`, and which should pin the audience with `"Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}`. The identity provider maps Active Directory groups to roles by emitting the `https://aws.amazon.com/SAML/Attributes/Role` attribute, whose values are `role-ARN,provider-ARN` pairs. STS verifies that the assertion is signed by the trusted provider and that the requested role trusts that provider, then returns temporary credentials scoped by the role's permissions policy.
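The pieces named above (the trust policy, the `Role` attribute, the check that the role trusts the provider) are put together in this added example, which is not code from the original page. The provider and role ARNs are hypothetical and the attribute values are constructed to resemble what an identity provider emits after mapping AD groups to roles; accepting the ARN pair in either order is an assumption of this example.

```python
"""Build a SAML trust policy and map an assertion's Role attribute to assumable roles.

Added example, not from the original page.  The provider and role ARNs are
hypothetical and the attribute values are constructed to look like what an
identity provider emits after mapping AD groups to roles."""

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy a role needs before federated users can assume it: the SAML
    provider is the Federated principal, the action is AssumeRoleWithSAML, and the
    audience condition rejects assertions minted for some other service provider."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def role_pairs(attribute_values: list) -> list:
    """Parse the Role attribute: each value is 'role-ARN,provider-ARN'.  The pair is
    accepted in either order here (assumption of this example) and malformed values
    are skipped rather than guessed at."""
    pairs = []
    for value in attribute_values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            continue
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if role and provider:
            pairs.append((role, provider))
    return pairs


def trusts_provider(trust_policy: dict, provider_arn: str, audience: str) -> bool:
    """Does the trust policy let this provider assume the role for this audience?"""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithSAML":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != provider_arn:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if wanted is None or wanted == audience:
            return True
    return False


def assumable_roles(attribute_values: list, trust_policies: dict, audience: str) -> list:
    """Roles the user may assume: listed in the assertion for provider P, and whose
    trust policy (trust_policies[role_arn]) names P as the Federated principal."""
    roles = []
    for role, provider in role_pairs(attribute_values):
        policy = trust_policies.get(role)
        if policy and trusts_provider(policy, provider, audience):
            roles.append(role)
    return roles


# Constructed sample: a corporate provider and two roles mapped from AD groups.
PROVIDER = "arn:aws:iam::123456789012:saml-provider/CorpAD"
READONLY = "arn:aws:iam::123456789012:role/AD-ReadOnly"
ADMIN = "arn:aws:iam::123456789012:role/AD-Admins"
TRUST_POLICIES = {READONLY: saml_trust_policy(PROVIDER), ADMIN: saml_trust_policy(PROVIDER)}
ASSERTION_ROLE_VALUES = [
    f"{READONLY},{PROVIDER}",
    f"{PROVIDER},{ADMIN}",   # reversed order
    "arn:aws:iam::999999999999:role/Other,arn:aws:iam::999999999999:saml-provider/Other",
    "not-an-arn",
]

if __name__ == "__main__":
    print(assumable_roles(ASSERTION_ROLE_VALUES, TRUST_POLICIES, AWS_SAML_AUDIENCE))
```

The third attribute value names a role in another account that has no trust policy for this provider, and it is correctly dropped: listing a role in the assertion is necessary but not sufficient, the role's own trust policy has the final say.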
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Identity and Access Management. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Identity and Access Management questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
AWS does not publish question counts per topic, but the SCS-C02 exam guide weights Domain 4, Identity and Access Management, at 16% of the scored content, so expect it to appear in several scenario questions. Practicing with targeted Identity and Access Management questions prepares you for whatever format or difficulty appears.
Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Identity and Access Management is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Identity and Access Management practice session with instant scoring and detailed explanations.