CLF-C02 · topic practice

IAM practice questions

Practise IAM questions for the AWS Certified Cloud Practitioner (CLF-C02) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security

What the exam tests

What to know about IAM

IAM questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common IAM exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

IAM questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A security auditor needs to know which IAM user deleted a specific S3 bucket last week, from which IP address the action was taken, and at what exact time. Which AWS service captures this information?

Question 2 · medium · multiple choice

An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The security team requires that no long-term access keys be stored on the instance. Which IAM feature should be used to grant the EC2 instance permission to access S3?

Question 3 · easy · multiple choice

A company wants all IAM users to verify their identity with both a password and a one-time code from an authenticator app before accessing the AWS Management Console. Which security control should the company enable?

Question 4 · medium · multiple choice

A solutions architect implements IAM least-privilege policies, enables encryption for all data at rest and in transit, configures VPC security groups and NACLs to limit network access, and sets up automated security incident detection. Which Well-Architected Framework pillar covers these activities?

Question 5 · medium · multiple choice

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires a mechanism to prevent any IAM user or role in any member account from modifying Amazon S3 bucket policies to grant public access. The solution must be enforced centrally and cannot be overridden by account administrators. Which AWS feature should the company use?

Question 6 · medium · multiple choice

A company discovered that an IAM user's access keys were accidentally committed to a public GitHub repository. Which immediate action should they take first?

Question 7 · medium · multiple choice

A company has 50 IAM users in a single AWS account. The security policy requires that every IAM user must have a virtual MFA device enabled for AWS Management Console access. The company wants to automatically detect any user who disables or has an inactive MFA device and immediately revoke that user's ability to access AWS resources by disabling their access keys. The solution must be fully managed, require no custom scripts, and use native AWS services. Which AWS service should the company use to define the compliance rule and automatically trigger the remediation action?

Question 8 · easy · multiple choice

Which AWS Well-Architected Framework pillar focuses on protecting information, systems, and assets while delivering business value through risk assessments and mitigation strategies?

Question 9 · medium · multiple choice

A company manages user access to AWS resources using IAM users. The security team wants to automatically detect if an IAM user's access key is being used from a geographic location that is unusual for that user, which could indicate a compromised credential. The team needs a managed threat detection service that monitors API activity and raises alerts for such anomalies. Which AWS service should the security team use?

Question 10 · medium · multiple choice

A company manages multiple AWS accounts using AWS Organizations and maintains hundreds of Amazon S3 buckets across these accounts. The security team wants a service that automatically scans all S3 bucket policies and identifies any bucket that grants access to an external AWS account (an account outside the organization). The team needs to receive findings when such policies are detected and wants to review the findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?

Question 11 · medium · multiple choice

A company manages multiple AWS accounts under AWS Organizations. The security team wants to enforce a policy that prohibits launching Amazon EC2 instances of instance families g (GPU) and p (GPU) across all accounts to control costs. The team needs a centralized method to block these instance types at the organization level, and the policy must be applied proactively before any instance is launched. Which AWS solution should the team use?

Question 12 · medium · multiple choice

Which AWS service is used to centrally manage and enforce policies across multiple AWS accounts in an organization, such as restricting which AWS services member accounts can use?

Question 13 · medium · multiple choice

A company runs development and test environments on Amazon EC2 instances in separate AWS accounts. The finance team wants to automatically stop all non-production EC2 instances if the monthly development account costs exceed $1,000. The team needs a solution that requires no manual intervention and uses only AWS-native features. Which AWS feature should the team configure to meet these requirements?

Question 14 · medium · multiple choice

A company uses AWS Organizations with multiple accounts. The security team wants to enforce a policy that prevents any user, including account administrators, from creating Amazon S3 buckets that are publicly accessible across the entire organization. The policy must be centrally managed and cannot be overridden by individual account administrators. Which AWS feature should the security team use?

Question 15 · medium · multiple choice

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires that no IAM users can be created in any member account. All access must use federated identities from the company's existing identity provider. The security team needs a single, centralized mechanism to enforce this restriction across all existing and future member accounts. Which AWS feature should the security team use to meet this requirement?

Question 16 · medium · multiple choice

A healthcare company stores sensitive patient data in Amazon S3. The company must comply with a regulation that requires encryption keys to be rotated automatically every 12 months. The security team also needs to use IAM policies to control which users and roles can decrypt specific S3 objects. Which encryption solution should the company use for the S3 objects?

Question 17 · medium · multiple choice

A healthcare organization stores sensitive patient records in Amazon S3. The organization's compliance team learns that AWS stores data from multiple customers on the same physical hardware. They are concerned that data from different customers could be mixed or accessed by another customer. Which fundamental characteristic of cloud computing explains how AWS allows customers to share physical infrastructure while keeping each customer's data logically isolated?

Question 18 · medium · multiple choice

A company needs to integrate their on-premises Active Directory with AWS to enable SSO for employees accessing AWS services. Which AWS service provides this federation capability?

Question 19 · medium · multiple choice

A company needs to grant an EC2 instance permission to write to an S3 bucket. What is the most secure way to accomplish this?

Question 20 · medium · multiple choice

According to the AWS Shared Responsibility Model, which of the following is the customer's responsibility when using AWS Lambda?

Focused IAM sessions

Start an IAM-only practice session

Every question in these sessions is drawn from the IAM domain — nothing else.

Related practice questions

Related CLF-C02 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CLF-C02 exam test about IAM?
IAM questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong; this active recall approach builds retention far faster than re-reading notes.

Can I practise just IAM questions in a focused session?
Yes. The session launcher on this page draws every question from the IAM domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CLF-C02 topics?
Use the topic links above to move to related areas, or go back to the CLF-C02 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CLF-C02 exam covers. They are not copied from any real exam or dump site.