SAA-C03 · topic practice

IAM Policy practice questions

Practise with original SAA-C03 IAM Policy exam-style scenarios, complete with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: IAM Policy

What the exam tests

What to know about IAM Policy

IAM Policy questions test whether you can apply the concept in context, not just recognise a definition. You should know:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common IAM Policy exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

IAM Policy questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?

Question 2 · medium · multiple choice

A CI pipeline in account A uploads build artifacts to an S3 bucket (arn:aws:s3:::build-artifacts-prod) under the prefix teamA/. The pipeline must not be able to list other prefixes, and it must only upload objects under teamA/. Which IAM policy design best enforces least privilege for this requirement?

Question 3 · medium · multiple choice

Account C wants engineers to access a role (RoleInAccountA) in account A using STS AssumeRole. Security policy requires that (1) only engineers from account C can assume the role, (2) they must provide an external ID value, and (3) the session must be MFA-authenticated. Which change is most appropriate in the RoleInAccountA trust policy to meet all three requirements?

Question 4 · hard · multiple choice

Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?

Exhibit

{
  "current_state": {
    "approved_boundary": "arn:aws:iam::111122223333:policy/ApprovedAppBoundary",
    "developer_role_policy": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
    "incident": "A new role was created without a permissions boundary and attached an overly permissive policy"
  },
  "desired_state": "All future roles must be created with ApprovedAppBoundary"
}

Question 5 · medium · multiple choice

A customer-managed KMS key (CMK) encrypts SQS messages. A consumer service uses an IAM role that includes kms:Decrypt permission for that CMK. After a security change, the consumer fails with: "AccessDeniedException: kms:Decrypt is not allowed". CloudTrail indicates the KMS request is reaching KMS, but the CMK key policy no longer includes the consumer role (or its principal). What is the best fix?

Question 6 · medium · multiple choice

A retail company lets developers deploy ECS services, but they must never be able to modify IAM. The team currently uses an IAM user per developer with an admin-like policy, and several access keys have been leaked. You are asked to redesign access so that: (1) developers authenticate with temporary credentials, (2) they can create/update ECS services and related autoscaling resources, and (3) IAM changes are impossible even if a developer tries to attach new policies.

Which design best meets all requirements?

Question 7 · medium · multiple choice

Account B has an IAM role that includes kms:Decrypt for a specific KMS key ARN in account A. However, when the role tries to read an S3 object encrypted with that CMK, the application fails with AccessDenied: not authorized to perform kms:Decrypt. CloudTrail shows the KMS API call is denied by key policy. What is the most secure and correct fix?

Question 8 · medium · multiple choice

A SaaS vendor needs temporary access to an S3 bucket in your AWS account to read customer exports. The vendor will assume an IAM role you created. During integration testing, the vendor reports that their AssumeRole requests succeed, but your security team is concerned about the possibility of confused-deputy attacks. Which trust policy approach most directly mitigates this risk?

Question 9 · easy · multiple choice

A service role has an IAM policy granting kms:Decrypt for a specific AWS KMS key. The application still fails to decrypt with an AccessDenied error. What change most directly fixes this when the KMS key policy is missing the role’s permissions?

Question 10 · medium · multiple choice

A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/. The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/".

The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys.

Which IAM policy change best enforces least privilege for both ListBucket and GetObject?

Question 11 · medium · multiple choice

A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used.

Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging.

Which approach best satisfies the requirement?

Question 12 · medium · multiple choice

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

Question 13 · hard · multiple choice

Based on the exhibit, a central deployment role in Account A is assumed by several CI/CD pipelines from Account B. The role must remain reusable, but the team wants the TeamA pipeline to upload artifacts only to s3://artifact-bucket/teamA/prod/ without creating a separate IAM role. What is the best approach?

Exhibit

{
  "assume_role_command": "aws sts assume-role --role-arn arn:aws:iam::111122223333:role/CentralDeployRole --role-session-name teamA-ci",
  "role_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::artifact-bucket/*"
      }
    ]
  }
}

Question 14 · hard · multiple choice

Based on the exhibit, a workload in Account B must assume a role in Account A. Security requires that only the specific role arn:aws:iam::444455556666:role/PipelineExecRole can assume it, and only when the caller supplies the external ID acct-b-prod-7788. Which change best satisfies the requirement with the least privilege?

Exhibit

Current trust policy in Account A:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}

CloudTrail entry from Account A:
{
  "eventSource": "sts.amazonaws.com",
  "eventName": "AssumeRole",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::444455556666:assumed-role/OtherRole/automation"
  },
  "errorCode": "AccessDenied"
}

Question 15 · hard · multiple choice

Based on the exhibit, a partner account uploads encrypted objects to a central S3 bucket and later reads them back. The S3 permissions are correct, but the requests still fail. What change is required so the partner workload can use the customer-managed KMS key safely?

Exhibit

CloudTrail event summary:
- eventSource: kms.amazonaws.com
- eventName: Decrypt
- errorCode: AccessDeniedException
- userIdentity: arn:aws:sts::444455556666:assumed-role/PartnerUploadRole/partner-app
- requestParameters.keyId: arn:aws:kms:us-east-1:111122223333:key/6b2f-9a7c

Current CMK key policy excerpt in account 111122223333:
{
  "Sid": "EnableRootPermissionsOnly",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
  "Action": "kms:*",
  "Resource": "*"
}

Question 16 · medium · multiple choice

Based on the exhibit, what should the security team implement so developers can create AWS Lambda execution roles, but no developer-created role can ever exceed the approved permission set?

Exhibit

Developer workflow output:
$ aws iam create-role --role-name dev-lambda-role \
    --assume-role-policy-document file://trust-lambda.json
$ aws iam attach-role-policy --role-name dev-lambda-role \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Security requirement:

Question 17 · hard · multiple choice

Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?

Exhibit

Bucket configuration for arn:aws:s3:::corp-shared-data:
- S3 Block Public Access: enabled
- Object Ownership: BucketOwnerEnforced
- ACLs: disabled

Bucket policy excerpt:
- 17 separate statements grant GetObject and PutObject to different team roles
- Each statement uses a team-specific prefix condition

Audit note:
"A recent policy edit granted Team B access to Team C's uploads for 18 minutes before rollback."

Question 18 · medium · multiple choice

An S3 bucket in account A uses default server-side encryption with an AWS KMS customer-managed key (CMK) in account A. A team created an IAM role in account B that is allowed by IAM policy to perform s3:GetObject on the bucket. When the account B role tries to read objects, it fails with: AccessDeniedException: 'User is not authorized to perform kms:Decrypt'. Which change is most likely to fix the issue?

Question 19 · easy · multiple choice

Company A must allow workloads in Company B to assume an IAM role in Company A (RoleInA). To mitigate confused-deputy attacks, a security requirement is to use an External ID. Company A should also restrict who can assume RoleInA. Which trust-policy configuration is the best choice?

Question 20 · medium · multiple choice

In AWS Organizations, a Service Control Policy (SCP) denies kms:Decrypt on a production CMK for all principals in the Finance OU. A developer in the Finance OU created/updated an IAM policy that allows secrets access, but the application still fails with AccessDenied due to the SCP. You must enable only the Finance OU to decrypt that specific CMK while keeping the SCP restrictions for other OUs. What is the correct remediation?


Frequently asked questions

What does the SAA-C03 exam test about IAM Policy?
IAM Policy questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just IAM Policy questions in a focused session?
Yes — the session launcher on this page draws every question from the IAM Policy domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other SAA-C03 topics?
Use the topic links above to move to related areas, or go back to the SAA-C03 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.