- A. Attach the approved permissions boundary to every role created by the teams.
A permissions boundary caps the maximum permissions a role can ever receive, even if the role's inline or managed policies are broader. It is the right mechanism for defining a permission ceiling.
- B. Use an SCP that denies iam:CreateRole or iam:PutRolePermissionsBoundary unless the approved boundary ARN is specified.
An SCP can enforce governance at the account or OU level by blocking role creation or boundary changes unless the approved boundary is used. This prevents teams from bypassing or removing the required boundary.
- C. Use an S3 bucket policy to prevent the roles from gaining extra privileges.
Why wrong: S3 bucket policies control access to S3 resources only. They do not control the permissions granted to IAM roles across the account.
- D. Rely on a role trust policy to limit the permissions the role can have.
Why wrong: Trust policies determine who can assume a role, not what the role can do after assumption. They cannot enforce an account-wide permission ceiling.
- E. Use a session policy attached to one assumed-role session to enforce the ceiling permanently.
Why wrong: Session policies are temporary and apply only to a single STS session. They do not provide a permanent control over future role creation or role updates.
Quick Answer
The answer is to use an SCP that denies iam:CreateRole or iam:PutRolePermissionsBoundary unless the approved boundary ARN is specified, combined with attaching that permissions boundary to every new role. This works because a permissions boundary acts as an IAM feature that enforces a permission ceiling, capping the maximum permissions any role can have regardless of attached policies, while the SCP ensures teams cannot bypass or remove that boundary later. On the SAA-C03 exam, this scenario tests your understanding of how SCPs and permissions boundaries work together to delegate authority safely—a common trap is thinking a single policy alone suffices, but the SCP is needed to lock the boundary in place. Remember the mnemonic: “SCP locks the door, boundary sets the floor.”
SAA-C03 Design Secure Architectures Practice Question
This SAA-C03 practice question tests your understanding of design secure architectures. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An organization lets application teams create IAM roles in member accounts. Security wants every newly created role to stay within an approved permission ceiling, and teams must not be able to remove that ceiling later. Which two controls best meet the requirement? Select two.
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Attach the approved permissions boundary to every role created by the teams.
Option A is correct because a permissions boundary is an IAM feature that sets the maximum permissions a role can have. By attaching an approved permissions boundary to every newly created role, the organization enforces a permission ceiling that cannot be exceeded, even if the role has additional policies attached. This directly meets the requirement of keeping roles within an approved ceiling.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Attach the approved permissions boundary to every role created by the teams.
Why this is correct
A permissions boundary caps the maximum permissions a role can ever receive, even if the role's inline or managed policies are broader. It is the right mechanism for defining a permission ceiling.
Clue confirmation
The clue word "best" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
- ✓
Use an SCP that denies iam:CreateRole or iam:PutRolePermissionsBoundary unless the approved boundary ARN is specified.
Why this is correct
An SCP can enforce governance at the account or OU level by blocking role creation or boundary changes unless the approved boundary is used. This prevents teams from bypassing or removing the required boundary.
Clue confirmation
The clue word "best" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Use an S3 bucket policy to prevent the roles from gaining extra privileges.
Why it's wrong here
S3 bucket policies control access to S3 resources only. They do not control the permissions granted to IAM roles across the account.
- ✗
Rely on a role trust policy to limit the permissions the role can have.
Why it's wrong here
Trust policies determine who can assume a role, not what the role can do after assumption. They cannot enforce an account-wide permission ceiling.
- ✗
Use a session policy attached to one assumed-role session to enforce the ceiling permanently.
Why it's wrong here
Session policies are temporary and apply only to a single STS session. They do not provide a permanent control over future role creation or role updates.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may think a session policy or trust policy can permanently restrict permissions, but session policies are temporary and trust policies only control who can assume the role, not the role's maximum permissions.
Detailed technical explanation
How to think about this question
Permissions boundaries are implemented as a separate IAM entity (policy) that defines the maximum permissions for a role or user. When a permissions boundary is attached, the effective permissions are the intersection of the boundary and the identity-based policies, ensuring the role cannot exceed the boundary even if additional policies are attached. In AWS Organizations, SCPs can also enforce permissions boundaries by denying role creation unless a specific boundary ARN is specified, providing a preventive control at the account level.
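The SCP described above, written out as an added example (not the page's or Courseiva's own policy). It assumes a customer-managed policy named DeployBoundary, taken from the variations below, exists in each member account; the account-id wildcard in the ARN pattern is an assumption that each account holds its own same-named boundary policy, since a role's permissions boundary must be a policy in the same account. The negated condition operator evaluates to true when iam:PermissionsBoundary is absent from the request, so a CreateRole call with no boundary at all is also denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireApprovedBoundaryOnRoleCreateOrUpdate",
      "Effect": "Deny",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "iam:PermissionsBoundary": "arn:aws:iam::*:policy/DeployBoundary"
        }
      }
    },
    {
      "Sid": "BlockBoundaryRemoval",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "*"
    },
    {
      "Sid": "ProtectTheBoundaryPolicyItself",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::*:policy/DeployBoundary"
    }
  ]
}
```

The third statement is the check practitioners usually miss: the boundary is itself a managed policy, so without it a team with iam:CreatePolicyVersion could widen the ceiling instead of removing it.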
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
2 more ways this is tested on SAA-C03
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1 (hard). Based on the exhibit, an automation pipeline in several member accounts creates IAM roles for application deployments. Security says no future role may exceed the approved boundary arn:aws:iam::123456789012:policy/DeployBoundary, even if someone later attaches AdministratorAccess. What should you implement to enforce this across the organization?
- A. Attach DeployBoundary to the automation role only, because that automatically forces every created role to inherit the same boundary.
- B. Create an SCP that denies iam:CreateRole and iam:PutRolePermissionsBoundary unless aws:RequestTag equals DeployBoundary.
- ✓ C. Create an SCP that denies iam:CreateRole unless iam:PermissionsBoundary equals arn:aws:iam::123456789012:policy/DeployBoundary, and also deny removing that boundary from created roles.
- D. Use AWS Access Analyzer to automatically attach the approved boundary whenever a role is created without one.
Why C: Option C is correct because it uses an SCP to enforce that any IAM role creation must include the specific permissions boundary `arn:aws:iam::123456789012:policy/DeployBoundary`, and also prevents removal or modification of that boundary from existing roles. This ensures that even if an attacker or administrator later attaches a policy like AdministratorAccess, the effective permissions are still limited by the boundary, meeting the security requirement across all member accounts in the organization.
Variation 2 (hard). Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?
- A. Add a permission boundary to the developer role that points to ApprovedAppBoundary.
- ✓ B. Add an SCP that denies iam:CreateRole and iam:PutRolePermissionsBoundary unless the request specifies the ApprovedAppBoundary ARN.
- C. Use an S3 bucket policy to block policy documents that grant AdministratorAccess.
- D. Require team members to use STS session policies when they create new roles.
Why B: Option B is correct because a Service Control Policy (SCP) at the organization root or in the member account's OU can deny IAM actions unless the required permissions boundary (ApprovedAppBoundary) is specified. This prevents any role creation or modification that would bypass the boundary, even if the developer has full IAM permissions in their account. SCPs are the only control that can enforce this across all principals in an account, including the account root user.
Last reviewed: Jun 11, 2026
This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.