© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSCS-C02TopicsIdentity and Access Management
Free · No Signup RequiredAmazon Web Services · SCS-C02

SCS-C02 Identity and Access Management Practice Questions

20+ practice questions focused on Identity and Access Management — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Identity and Access Management Questions

1. A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?

A. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}]}
B. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
C. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
D. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}

Explanation: Option D is correct because it grants s3:GetObject on arn:aws:s3:::my-bucket/*, which lets the IAM user read (download) objects in the bucket. Full read-only access needs both s3:ListBucket on the bucket ARN (to list objects) and s3:GetObject on the object ARNs (to retrieve them), so D alone is incomplete (it lacks ListBucket), but it is the only option that grants a read action on the bucket's objects. The other options grant only list permission without object read (A), full S3 access on every resource (B), or write access (C).

2. A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?

A. Logging bypass via CloudTrail
B. Cross-service confused deputy attack
C. Unauthorized access by an external attacker
D. Privilege escalation by attaching additional policies

Explanation: Option C is correct because an IAM role trust policy that allows any AWS account (i.e., `"Principal": {"AWS": "*"}`) to assume the role means that any user or service in any AWS account can call the STS `AssumeRole` API to obtain temporary credentials for the role. This directly enables unauthorized access by an external attacker who can discover the role ARN and assume it, gaining all permissions attached to the role.
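As an added example (not Courseiva's or AWS's code), the check below audits a role trust policy for the misconfiguration in question 2: an Allow statement for sts:AssumeRole whose Principal is the wildcard "*" (or {"AWS": "*"}). The two trust policies in the block are constructed for the demonstration.

```python
"""Flag trust-policy statements that let any AWS principal assume a role.
Added example; the OPEN_TRUST and SCOPED_TRUST documents are constructed."""

def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_values(principal):
    """Flatten "*" or {"AWS": [...], "Service": [...]} into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    return [p for values in principal.values() for p in _as_list(values)]

def audit_trust_policy(trust_policy):
    """Return (statement index, severity, message) per risky statement; [] if clean."""
    findings = []
    for idx, stmt in enumerate(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; compare lower-cased.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        if "*" in _principal_values(stmt.get("Principal", {})):
            # A Condition block may narrow the principal, so downgrade to REVIEW
            # rather than assuming the statement is safe.
            if "Condition" in stmt:
                findings.append((idx, "REVIEW",
                    "wildcard principal can call AssumeRole; verify the Condition limits it"))
            else:
                findings.append((idx, "HIGH", "wildcard principal can call AssumeRole"))
    return findings

# Constructed trust policies: the open one from question 2 and a scoped one
# that trusts only a single account (123456789012 appears in question 3).
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(audit_trust_policy(OPEN_TRUST))    # [(0, 'HIGH', 'wildcard principal can call AssumeRole')]
    print(audit_trust_policy(SCOPED_TRUST))  # []
```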

3. An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?

A. Denies all requests from EC2 instances
B. Allows the role to be assumed only by EC2 instances in the specified account and region
C. Denies requests that do not originate from an EC2 instance in the specified account and region
D. Allows any request that comes from an EC2 instance regardless of account

Explanation: The condition uses `StringNotEquals` with `aws:SourceArn`, meaning it denies access when the source ARN does NOT match the specified pattern. Since the condition is attached to a role's trust policy, it restricts which principals can assume the role. The correct effect is that requests not originating from an EC2 instance in account 123456789012 and region us-east-1 are denied.

4. An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?

A. The policy is missing a condition
B. The bucket policy explicitly denies the action
C. The policy does not include s3:GetObject
D. The policy has a syntax error

Explanation: The IAM policy grants the s3:ListBucket action on the bucket, which should allow listing objects. However, an explicit deny in a bucket policy overrides any allow, including those from IAM policies. Since the user receives an 'AccessDenied' error, the most likely cause is that the bucket policy explicitly denies the s3:ListBucket action for this user, as explicit denies take precedence over all allows.
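The two evaluation rules behind questions 1 and 4 (a GetObject-only policy is not full read-only access, and an explicit Deny in a bucket policy overrides an identity-policy Allow) can be seen in a small simulator. This is an added example, not Courseiva's or AWS's code: it models only Effect, Action and Resource matching with wildcards and ignores Principal, Condition, NotAction and the other policy elements.

```python
"""Simplified IAM policy evaluation: explicit Deny wins, then Allow, else implicit deny.
Added example; the policy documents below are constructed from the questions above."""
from fnmatch import fnmatchcase

def _match(pattern, value):
    """IAM-style wildcard match ('*' and '?') over a string or list of patterns."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request across all policies
    (identity policies and bucket policies are combined into one list here)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _match(stmt["Action"], action) and _match(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # an explicit Deny ends evaluation
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def read_only_gap(identity_policy, bucket):
    """Which of the two read-only actions (ListBucket on the bucket ARN,
    GetObject on the object ARNs) the identity policy fails to grant."""
    checks = {"s3:ListBucket": f"arn:aws:s3:::{bucket}",
              "s3:GetObject": f"arn:aws:s3:::{bucket}/any-key"}
    return [a for a, r in checks.items() if evaluate([identity_policy], a, r) != "Allow"]

# Constructed policies mirroring question 1 (option D) and question 4.
GETOBJECT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
LISTBUCKET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}
BUCKET_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"
    print(read_only_gap(GETOBJECT_ONLY, "my-bucket"))                        # ['s3:ListBucket']
    print(evaluate([LISTBUCKET_ONLY], "s3:ListBucket", bucket))               # Allow
    print(evaluate([LISTBUCKET_ONLY, BUCKET_DENY], "s3:ListBucket", bucket))  # Deny
```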

5. A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?

A. An IAM role with a trust policy for the SAML provider
B. An OIDC identity provider
C. An IAM user for each Active Directory user
D. A federation role type

Explanation: A is correct because when using SAML-based federation, IAM roles are the mechanism to grant permissions to federated users. The role must have a trust policy that specifies the SAML identity provider as the principal, allowing users authenticated by the corporate Active Directory to assume the role and obtain temporary AWS credentials. This maps the SAML assertion attributes (such as the user's group or role) to IAM permissions via the role's permissions policy.


How to master Identity and Access Management for SCS-C02

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Identity and Access Management. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Identity and Access Management questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SCS-C02 Identity and Access Management questions are on the real exam?

The exact number varies per candidate. Identity and Access Management is tested as part of the AWS Certified Security Specialty SCS-C02 blueprint. Practicing with targeted Identity and Access Management questions ensures you can handle any format or difficulty that appears.

Are these SCS-C02 Identity and Access Management practice questions free?

Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Identity and Access Management one of the harder SCS-C02 topics?

Difficulty is subjective, but Identity and Access Management is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
