CLF-C02 · topic practice
IAM practice questions
Use this page to practise CLF-C02 IAM questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about IAM
IAM questions test whether you can apply the concept in context, not just recognise a definition.
- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.
Practice set
IAM questions
20 questions · select your answer, then reveal the explanation
A company has 200 IAM users. The security team needs to automatically verify that every IAM user has enabled multi-factor authentication (MFA) for console access. They also need to receive a notification whenever a new user is created without MFA so they can enforce the policy. Which AWS service should the security team use to meet these requirements?
A company has 50 IAM users in a single AWS account. The security policy requires that every IAM user must have a virtual MFA device enabled for AWS Management Console access. The company wants to automatically detect any user who disables or has an inactive MFA device and immediately revoke that user's ability to access AWS resources by disabling their access keys. The solution must be fully managed, require no custom scripts, and use native AWS services. Which AWS service should the company use to define the compliance rule and automatically trigger the remediation action?
A company has a development environment running on Amazon EC2 instances. To control costs, the team wants to set a monthly budget of $5,000 for this environment. If the forecasted cost for the month exceeds $6,000 (20% over budget), they want AWS to automatically stop all non-critical EC2 instances to prevent further spending. Which AWS feature should the team use to implement this automated cost control?
A company has a strict security policy requiring that no Amazon S3 bucket or IAM role should be accessible to external AWS accounts unless explicitly approved. The security team needs a service that continuously analyzes resource-based policies and can generate findings when an S3 bucket policy allows access to a principal from outside the company's AWS Organization. Which AWS service should the team use?
A company has a security policy that requires all SSH connections to Amazon EC2 instances to originate from the company's corporate network IP range (203.0.113.0/24). An administrator is creating an IAM policy to enforce this restriction. Which IAM policy element should the administrator use to specify the allowed IP address range?
A company has multiple AWS accounts consolidated under AWS Organizations. The finance team wants to set a hard monthly cost limit for a development account. If the forecasted costs for the month exceed that limit, the team wants AWS to automatically stop all non-critical Amazon EC2 instances in that account to prevent overspending. The team also needs to receive an email alert when the cost threshold is first crossed. Which AWS service or feature should the team use to define the budget and configure the automated action?
A company manages multiple AWS accounts under a single AWS Organizations organization. The security team wants to implement a preventive control that blocks any action that would disable AWS CloudTrail or delete CloudTrail log files across all accounts, including the management account. The solution must be centrally managed and must not require changes to individual account permissions. Which AWS feature should the security team use?
A company has multiple IAM users. The security policy requires that every user must have an MFA device assigned and must use it for console sign-in. The security team wants to automatically detect any IAM user that does not have MFA enabled and receive an email alert. Which combination of AWS services should the team use to meet these requirements?
A company is expanding its AWS environment from a single account to multiple accounts using AWS Organizations. The security team wants to enforce a baseline set of permissions across all accounts, ensuring that users in any account cannot disable AWS CloudTrail or modify Amazon S3 bucket policies that prevent public access. Which feature of AWS Organizations should the security team use to achieve this control?
A company manages user access to AWS resources using IAM users. The security team wants to automatically detect if an IAM user's access key is being used from a geographic location that is unusual for that user, which could indicate a compromised credential. The team needs a managed threat detection service that monitors API activity and raises alerts for such anomalies. Which AWS service should the security team use?
A company is migrating a legacy application from an on-premises server to AWS Lambda. The Lambda function needs to connect to an Amazon RDS for MySQL database that stores sensitive customer data. The security team requires that database credentials are never stored in the function's code, environment variables, or configuration files. The solution must follow AWS best practices for securing database access. Which approach should the company use?
A company manages multiple AWS accounts using AWS Organizations and maintains hundreds of Amazon S3 buckets across these accounts. The security team wants a service that automatically scans all S3 bucket policies and identifies any bucket that grants access to an external AWS account (an account outside the organization). The team needs to receive findings when such policies are detected and wants to review the findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?
A company manages multiple AWS accounts using AWS Organizations. The company wants employees to sign in using their existing corporate credentials from an on-premises Microsoft Active Directory. The company also needs a single sign-on (SSO) experience so that each employee can access the AWS Management Console for any authorized account without needing separate passwords. Additionally, the company wants to centrally manage permissions across all accounts. Which AWS service should the company use to meet these requirements?
A company has a compliance requirement that all Amazon S3 buckets must have server-side encryption (SSE) enabled and must block all public access. The company has hundreds of existing S3 buckets and creates new ones regularly. The security team needs a centralized AWS service that can continuously evaluate all buckets against these two rules, automatically detect noncompliant buckets, and then automatically remediate them by enabling SSE and blocking public access. Additionally, the team wants to receive notifications when compliance changes occur. Which AWS service should the security team use?
A company is using AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that users in the development accounts cannot disable AWS CloudTrail logging or delete CloudTrail trails, even if those users have full administrator permissions within their own accounts. The team needs a central mechanism that is enforced across all development accounts regardless of individual IAM policies. Which AWS feature should the security team use to meet this requirement?
A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce a policy that prevents any user, including the root user, in any member account from disabling the 'Block Public Access' setting on Amazon S3 buckets. The policy must be centrally managed and automatically applied to all existing and future member accounts. Which AWS feature should the security team use?
A company manages multiple AWS accounts using AWS Organizations. The company has an on-premises Microsoft Active Directory (AD) that contains employee credentials and group memberships. The company wants to grant employees access to the AWS Management Console and command-line interface (CLI) using their existing AD credentials, without creating IAM users for each employee. Additionally, the company wants to centrally manage permissions across all accounts by assigning policies to AD groups. Which AWS service should the company use to meet these requirements?
A company is migrating its customer-facing web application to AWS. The Chief Information Security Officer (CISO) is reviewing the division of security responsibilities. The CISO understands that AWS is responsible for the security of the physical data centers, hardware, and network infrastructure. The company, as the customer, is responsible for securing the application code, customer data, and operating system patches on Amazon EC2 instances. This division of security responsibilities is an example of which fundamental cloud computing concept?
A company runs a web application behind an Application Load Balancer (ALB) in a VPC. The application must comply with a security standard that requires encryption in transit for all web traffic. The company needs a service to centrally manage SSL/TLS certificates, automatically renew them, and deploy them to the ALB without manual intervention. Which AWS service should the company use to meet these requirements?
Watch out for
Common IAM exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Focused IAM sessions
Start an IAM-only practice session
Every question in these sessions is drawn from the IAM domain — nothing else.
Related practice questions
Related CLF-C02 topic practice pages
Move into related areas when this topic feels solid.
AWS shared responsibility model practice questions
Practise CLF-C02 questions linked to AWS shared responsibility model.
AWS Cloud Practitioner cloud concepts practice questions
Practise CLF-C02 questions linked to AWS Cloud Practitioner cloud concepts.
AWS IAM practice questions
Practise CLF-C02 questions linked to AWS IAM.
AWS pricing practice questions
Practise CLF-C02 questions linked to AWS pricing.
AWS support plans practice questions
Practise CLF-C02 questions linked to AWS support plans.
AWS S3 practice questions
Practise CLF-C02 questions linked to AWS S3.
AWS EC2 practice questions
Practise CLF-C02 questions linked to AWS EC2.
Frequently asked questions
- What does the CLF-C02 exam test about IAM?
- IAM questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just IAM questions in a focused session?
- Yes — the session launcher on this page draws every question from the IAM domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other CLF-C02 topics?
- Use the topic links above to move to related areas, or go back to the CLF-C02 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the CLF-C02 exam covers. They are not copied from any real exam or dump site.