Courseiva
SAA-C03
Full test
easymultiple choiceObjective-mapped

Your company allows application teams to create IAM roles. Each team must be prevented from granting permissions beyond a defined per-role baseline, even if they attach overly permissive identity-based policies to the role. Which AWS feature best enforces this ceiling at the IAM role level?

Question 1easymultiple choice
Full question →

Your company allows application teams to create IAM roles. Each team must be prevented from granting permissions beyond a defined per-role baseline, even if they attach overly permissive identity-based policies to the role. Which AWS feature best enforces this ceiling at the IAM role level?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

Use an Organizations service control policy (SCP) to cap the maximum permissions for role creation in each account

SCPs limit what principals in a member account can do, but they are applied at the account/organization level. They are not the most direct control to enforce a per-role permissions ceiling defined by the baseline that applies to each role the teams create.

B

Best answer

Attach a permission boundary to every role that teams create so the boundary limits the role’s maximum effective permissions

A permission boundary acts as a permissions ceiling for the role. Even if the team attaches an identity-based policy that grants broader permissions, the role’s effective permissions are only those allowed by both the identity policy and the permission boundary. This prevents privilege escalation by role policy changes while still allowing teams to manage which policies are attached, within the boundary.

C

Distractor review

Rely on KMS key policies to restrict permissions because IAM policies cannot override KMS restrictions

KMS key policies primarily govern usage of specific KMS keys (for example, Encrypt/Decrypt) and do not provide a general, cross-service cap on what an IAM role can do.

D

Distractor review

Require multi-factor authentication (MFA) for all role creation requests and deny any request without MFA

MFA strengthens authentication for the person creating the role, but it does not limit the permissions the role can actually exercise after it is created. Permission boundaries specifically enforce a maximum set of allowed actions for the role.

Common exam trap

Common exam trap: ACLs stop at the first match

ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.

Technical deep dive

How to think about this question

ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.

KKey Concepts to Remember

  • Standard ACLs match source addresses.
  • Extended ACLs can match source, destination, protocol and ports.
  • The first matching ACL entry is used.
  • There is usually an implicit deny at the end.

TExam Day Tips

  • Check inbound versus outbound direction.
  • Read the ACL from top to bottom.
  • Look for a broader permit or deny above the intended line.

Related practice questions

Related SAA-C03 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

SAA-C03 VPC practice questions

Practise SAA-C03 questions linked to SAA-C03 VPC.

SAA-C03 S3 lifecycle policy questions

Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.

SAA-C03 RDS Multi-AZ questions

Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.

SAA-C03 IAM policy practice questions

Practise SAA-C03 questions linked to SAA-C03 IAM policy.

SAA-C03 Route 53 failover questions

Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.

SAA-C03 CloudFront practice questions

Practise SAA-C03 questions linked to SAA-C03 CloudFront.

SAA-C03 NAT gateway questions

Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.

SAA-C03 VPC endpoint questions

Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.

SAA-C03 Auto Scaling practice questions

Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.

SAA-C03 disaster recovery questions

Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.

SAA-C03 high availability questions

Practise SAA-C03 questions linked to SAA-C03 high availability questions.

SAA-C03 cost optimization questions

Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?

Question 2

A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?

Question 3

A solutions architect is designing an S3 bucket for a IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

Question 4

A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 5

A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?

Question 6

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Attach a permission boundary to every role that teams create so the boundary limits the role’s maximum effective permissions — Attach a permission boundary to each role. Permission boundaries are evaluated as an upper limit on what the role can do: the role’s effective permissions are the intersection of (1) the identity-based policies attached to the role and (2) the permissions allowed by the boundary. Therefore, even if teams attach overly permissive policies to a role, the boundary prevents the role from exceeding the defined baseline. Why others are wrong: SCPs are organization/account-level guardrails, not a per-role permissions ceiling. KMS key policies restrict KMS operations for specific keys rather than enforcing a general IAM permissions cap across services. MFA controls who can create the role, not what the role can do once created.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.