SAP-C02 · topic practice

IAM Policy practice questions

Practise AWS Certified Solutions Architect Professional SAP-C02 IAM Policy practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: IAM Policy

What the exam tests

What to know about IAM Policy

IAM Policy questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common IAM Policy exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

IAM Policy questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multi select

A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?

Question 2 · hard · multiple choice

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

Question 3 · hard · multiple choice

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

Question 4 · medium · multiple choice

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Question 5 · medium · multiple choice

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

Question 6 · hard · multiple choice

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

Question 7 · hard · multiple choice

A solutions architect is designing a new serverless application using AWS Lambda to process orders from an API Gateway endpoint and store them in DynamoDB. The architect creates the IAM role shown in the exhibit. When testing, the Lambda function fails to write to DynamoDB with an AccessDeniedException. What is the MOST likely cause?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    }
  ]
}
```

Question 8 · multi select

A company is deploying a new application on AWS and wants to implement a least-privilege IAM policy for an EC2 instance that needs to read from an S3 bucket (my-bucket) and write logs to CloudWatch Logs. Which THREE statements should be included in the IAM policy? (Choose three.)

Question 9 · hard · multiple choice

A company uses AWS CodePipeline to automate deployments of a microservices application to Amazon ECS. The pipeline builds a Docker image, pushes it to Amazon ECR, and updates the ECS service. Recently, deployments have failed because insufficient IAM permissions cause the pipeline to fail when updating the ECS service. The development team wants to implement least privilege permissions. Which IAM policy statement should be added to the CodePipeline service role to allow it to update the ECS service?

Question 10 · hard · multiple choice

An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance in us-east-1 using the AWS CLI. What will happen?

Exhibit

iam-policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    }
  ]
}
```

Question 11 · hard · multiple choice

Refer to the exhibit. A company uses this IAM policy to allow an automation script to manage Amazon EBS snapshots. The script runs on an EC2 instance with this attached IAM role. The script is failing when trying to create a snapshot from a volume and tag it. The error message indicates an authorization failure. What is the root cause?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2::snapshot/*"
    }
  ]
}
```

Question 12 · hard · multiple choice

A company has a data lake in AWS using S3 and Glue. The security team requires that all data in the data lake be encrypted at rest using a customer-managed KMS key. However, some users are able to upload data without encryption. What is the most effective way to enforce encryption?

Question 13 · hard · multi select

A company is designing a multi-account strategy using AWS Organizations. They need to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO approaches should they combine to enforce this requirement?

Question 14 · easy · multiple choice

A company's IT team uses AWS CloudFormation to deploy infrastructure. They want to enforce tagging standards across all stacks. Which approach should they use?

Question 15 · easy · multiple choice

A company wants to centralize logging from multiple AWS accounts into a single Amazon S3 bucket. The logging accounts are part of an AWS Organization. Which approach should be used to allow CloudTrail to deliver logs from all accounts to the central bucket?

Question 16 · easy · multiple choice

A company wants to ensure that no IAM user in any account can create access keys. The company uses AWS Organizations. Which approach should be used?

Question 17 · medium · multiple choice

The AWS CloudFormation template shown in the exhibit creates an S3 bucket with a bucket policy. A user from IP 198.51.100.5 tries to access an object in the bucket. What will happen?

Exhibit

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "my-bucket-12345",
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      }
    },
    "MyBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "MyBucket"},
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::my-bucket-12345/*",
              "Condition": {
                "IpAddress": {
                  "aws:SourceIp": "203.0.113.0/24"
                }
              }
            }
          ]
        }
      }
    }
  }
}
```

Question 18 · hard · multiple choice

A company uses AWS Organizations with hundreds of accounts. The security team wants to ensure that no account can disable AWS CloudTrail or delete CloudTrail log files. Which preventive control should be implemented?

Question 19 · medium · multi select

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no account in the 'Production' OU can disable AWS CloudTrail or delete CloudTrail log files. Which two steps should be taken? (Choose TWO.)

Question 20 · medium · multiple choice

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no IAM role in any member account can be assumed by a user from outside the organization. Which policy should be used?


Frequently asked questions

What does the SAP-C02 exam test about IAM Policy?
IAM Policy questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just IAM Policy questions in a focused session?
Yes — the session launcher on this page draws every question from the IAM Policy domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAP-C02 topics?
Use the topic links above to move to related areas, or go back to the SAP-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAP-C02 exam covers. They are not copied from any real exam or dump site.