Question 1hardmulti select
Full question →SAA-C03 · topic practice
IAM Policy practice questions
Use this page to practise SAA-C03 IAM Policy practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about IAM Policy
IAM Policy questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
IAM Policy questions
20 questions · select your answer, then reveal the explanation
Question 2hardmulti select
Full question →A company is encrypting sensitive S3 data for a mobile banking backend with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
Question 3hardmulti select
Full question →A company is encrypting sensitive S3 data for a order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals? The design must avoid adding custom operational scripts.
Question 4mediummultiple choice
Full question →A CI/CD system creates an IAM role (CICDRole) used for deployments. Your organization uses IAM permission boundaries to prevent developers from granting themselves higher privileges. After an incident, you discover that CICDRole can perform unintended IAM actions because the role’s identity policy includes broad permissions. Which change most directly ensures permission boundaries continue to restrict CICDRole regardless of what is later added to the role’s identity policies?
Question 5mediummulti select
Full question →A central security account stores encrypted log files in S3 using a customer managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.
Question 6mediummultiple choice
Full question →A backend service in AWS uses an IAM role to upload large files to an S3 bucket using multipart upload. The upload typically succeeds, but it intermittently fails during cleanup with this error: "AccessDenied: User is not authorized to perform: s3:AbortMultipartUpload" The role identity policy currently allows only: - s3:PutObject on arn:aws:s3:::my-bucket/uploads/* - s3:ListBucket on arn:aws:s3:::my-bucket with a prefix condition What is the best least-privilege change to fix the cleanup failure?
Question 7mediummultiple choice
Full question →A batch process uploads artifacts to an Amazon S3 bucket using multipart uploads. The bucket policy contains a statement that explicitly denies PutObject and CreateMultipartUpload unless the request uses server-side encryption with AWS KMS (SSE-KMS) and includes these request headers/parameters: x-amz-server-side-encryption=aws:kms and x-amz-server-side-encryption-aws-kms-key-id set to a specific CMK. After the process was updated, uploads intermittently fail with AccessDenied errors. Which change is the best way to make uploads succeed while still meeting the bucket policy's encryption requirement?
Question 8easymultiple choice
Full question →A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?
Question 9mediummultiple choice
Full question →A CI pipeline in account A uploads build artifacts to an S3 bucket (arn:aws:s3:::build-artifacts-prod) under the prefix teamA/. The pipeline must not be able to list other prefixes, and it must only upload objects under teamA/. Which IAM policy design best enforces least privilege for this requirement?
Question 10easymultiple choice
Full question →A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?
Question 11mediummulti select
Full question →A central security account stores encrypted log files in S3 using a customer managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.
Question 12mediummultiple choice
Full question →A backend service uses an IAM role to read files from an S3 bucket. It must only read objects under s3://prod-reporting/incoming/ but currently receives AccessDenied (403) on GetObject for that prefix.
The role already has this statement: - Action: s3:ListBucket - Resource: arn:aws:s3:::prod-reporting
Which policy statement would most directly follow least privilege to allow only the required reads under the incoming prefix?
Question 13hardmulti select
Full question →A company is encrypting sensitive S3 data for a IoT ingestion API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals? The design must avoid adding custom operational scripts.
Question 14hardmulti select
Full question →A company is encrypting sensitive S3 data for a healthcare document service with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
Question 15mediummultiple choice
Full question →A company uses IAM permission boundaries to prevent developers from escalating privileges. The security team created a permission boundary that allows only read-only actions on most AWS services, but teams can still manage their own resources. A developer can create an IAM role with broad permissions, and the boundary does not appear to be restricting it. Which corrective action best aligns with how permission boundaries work?
Question 16easymultiple choice
Full question →A CI pipeline needs to upload build artifacts only to s3://ci-artifacts/uploads/*. You also want the pipeline to list only objects under uploads/ to verify that the upload succeeded. Which IAM policy approach is the best fit for least privilege?
Question 17hardmulti select
Full question →A company is encrypting sensitive S3 data for a IoT ingestion API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
Question 18hardmulti select
Full question →A company is encrypting sensitive S3 data for a claims portal with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
Question 19easymultiple choice
Full question →A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?
Question 20easymultiple choice
Full question →A cross-account IAM role in Account B reads encrypted S3 objects from Account A. The objects use SSE-KMS with a customer-managed KMS key in Account A. Account B can successfully call s3:GetObject, but decryption fails with an AccessDeniedException from KMS. What change most directly fixes the issue?
Watch out for
Common IAM Policy exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused IAM Policy sessions
Start a IAM Policy only practice session
Every question in these sessions is drawn from the IAM Policy domain — nothing else.
Related practice questions
Related SAA-C03 topic practice pages
Move into related areas when this topic feels solid.
SAA-C03 VPC practice questions
Practise SAA-C03 questions linked to SAA-C03 VPC.
SAA-C03 S3 lifecycle policy questions
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
SAA-C03 RDS Multi-AZ questions
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
SAA-C03 IAM policy practice questions
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
SAA-C03 Route 53 failover questions
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
SAA-C03 CloudFront practice questions
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
SAA-C03 NAT gateway questions
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
SAA-C03 VPC endpoint questions
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
SAA-C03 Auto Scaling practice questions
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
SAA-C03 disaster recovery questions
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
SAA-C03 high availability questions
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
SAA-C03 cost optimization questions
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Frequently asked questions
- What does the SAA-C03 exam test about IAM Policy?
- IAM Policy questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just IAM Policy questions in a focused session?
- Yes — the session launcher on this page draws every question from the IAM Policy domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other SAA-C03 topics?
- Use the topic links above to move to related areas, or go back to the SAA-C03 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeExam traps to avoid
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.