CCNA Identity and Access Management Questions

75 of 279 questions · Page 1/4 · Identity and Access Management · Answers revealed

1
MCQhard

A large enterprise uses AWS Organizations to manage multiple accounts. The security team has implemented a Service Control Policy (SCP) at the root level that denies all actions unless the request originates from the corporate IP range (10.0.0.0/8). Recently, a developer in a member account tried to launch an EC2 instance from the AWS Management Console while connected via a VPN that provides an IP address within the corporate range. However, the launch failed with an 'AccessDenied' error. The developer is using an IAM user with full EC2 permissions (ec2:*). The SCP is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"NotIpAddress":{"aws:SourceIp":"10.0.0.0/8"}}}]}. What is the MOST likely reason for the failure?

A.The SCP allows actions only from the specified IP range, but the developer's IP is not in that range.
B.The SCP does not apply to IAM users in member accounts; it only applies to the root user.
C.The aws:SourceIp condition key does not work correctly for requests made via the AWS Management Console because the console may use a different IP.
D.The IAM user does not have the necessary permissions because the SCP explicitly denies all actions.
AnswerC

The console may use intermediary IPs; the source IP condition is not reliable for console access.

Why this answer

Option C is correct. The aws:SourceIp condition is evaluated against the public IP address that AWS sees on the request, and a console session does not always arrive from the address the VPN hands out: a split-tunnelling VPN client can send browser traffic out through the local ISP, and some console operations are carried out by an AWS service on the developer's behalf, in which case the source IP is the service's own and the NotIpAddress test fires. That second case is why AWS's published version of this SCP adds "Bool": {"aws:ViaAWSService": "false"} to the condition, so that service-originated calls are not caught by the IP check. Note also that a negated operator such as NotIpAddress matches when the key is absent from the request context, so a call that carries no source IP at all is denied as well.

Option A is wrong because the question states the VPN address is inside 10.0.0.0/8. Option B is wrong because SCPs apply to every principal in a member account, including that account's root user; only the management account is exempt. Option D is wrong because the Deny is conditional: it applies only when the source IP is outside the range, so the user's ec2:* permissions are otherwise sufficient.

2
MCQeasy

Which IAM entity can be used to grant temporary access to AWS resources for users from a different AWS account?

A.IAM group
B.IAM role
C.IAM policy
D.IAM user
AnswerB

Roles provide temporary credentials via sts:AssumeRole.

Why this answer

An IAM role is the correct entity because it is specifically designed to grant temporary, cross-account access to AWS resources. When a user from a different AWS account assumes a role, AWS STS (Security Token Service) issues temporary security credentials (access key, secret key, and session token) that are valid for a configurable duration (default 1 hour, max 12 hours). This avoids the need to create permanent IAM users or share long-term credentials across accounts.

Exam trap

The trap here is that candidates often confuse an IAM policy with an IAM role, thinking that attaching a policy directly to an external user grants access, but policies alone cannot be assumed and do not generate temporary credentials.

How to eliminate wrong answers

Option A is wrong because an IAM group is a container for IAM users within the same AWS account and cannot be used to grant access to users from a different AWS account; it has no cross-account trust policy. Option C is wrong because an IAM policy is a document that defines permissions but is not an identity that can be assumed; it must be attached to an IAM user, group, or role to grant permissions, and by itself cannot provide temporary credentials. Option D is wrong because an IAM user is a permanent identity tied to a single AWS account; while you could create a user in your account for an external user, that would require sharing long-term access keys, which violates security best practices and does not provide temporary, scoped credentials.

3
MCQeasy

A developer needs to allow an EC2 instance to access an S3 bucket. Which is the best practice for granting permissions?

A.Store IAM user access keys in a configuration file on the EC2 instance.
B.Use a security group to allow the EC2 instance to access S3.
C.Attach an S3 bucket policy that grants access to the EC2 instance ID.
D.Create an IAM role with S3 access and attach it to the EC2 instance profile.
AnswerD

The instance assumes the role and obtains temporary credentials automatically.

Why this answer

Option D is correct because an IAM role attached to the instance through an instance profile gives the application temporary credentials from the instance metadata service, rotated automatically and never written to disk. Option A is wrong because long-term keys on the instance can be read by anyone who compromises it and are rarely rotated. Option B is wrong because security groups filter network traffic; they grant no IAM permissions. Option C is wrong because an instance ID is not a valid Principal in a bucket policy; a bucket policy can name the role's ARN, but it still needs a role to name.

4
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create new IAM users. Which approach should be used?

A.Apply an IAM policy to the root user of each account.
B.Use an SCP attached to each IAM user.
C.Use an IAM permissions boundary on each IAM user.
D.Apply a service control policy (SCP) at the root organizational unit that denies IAM:CreateUser.
AnswerD

SCPs can deny actions across all accounts in the organization.

Why this answer

Option D is correct because an SCP attached to the organization root propagates to every OU and member account, and a Deny on iam:CreateUser in an SCP cannot be overridden by any identity policy inside those accounts. Remember that SCPs never affect the management account, which needs separate controls. Option A is wrong because IAM policies cannot be attached to the root user at all, and the requirement covers every IAM user, not root. Option B is wrong because SCPs attach to the root, OUs and accounts, never to individual IAM users. Option C is wrong because a permissions boundary has to be set per user in each account and can be removed by anyone holding iam:DeleteUserPermissionsBoundary, so it is not an organization-wide guardrail.

5
MCQhard

An organization wants to enforce that all IAM users use MFA. The security team creates an IAM policy that denies all actions unless MFA is present. However, some users report they cannot even change their own password to enable MFA. What should the security team do to resolve this?

A.Add a statement that allows all actions when MFA is present.
B.Add an exception statement that allows iam:ChangePassword without MFA.
C.Assign the policy only after users have enabled MFA.
D.Remove the MFA condition from the policy.
AnswerB

Allows users to set up MFA by changing their password first.

Why this answer

Option B is correct because users must be able to reach the point of enrolling an MFA device before MFA is demanded of them. In practice the exception is carved out of the Deny statement itself with NotAction (iam:ChangePassword together with the MFA self-service actions such as iam:CreateVirtualMFADevice, iam:EnableMFADevice and iam:ListMFADevices), because a separate Allow statement never overrides an explicit Deny. Option A would not help: an Allow that requires MFA leaves the no-MFA Deny in force, and the affected users cannot present MFA yet. Option C leaves every new user unable to sign in and enrol until an administrator intervenes, turning enforcement into a manual process. Option D removes the control entirely.

6
MCQmedium

A company wants to allow an IAM user to manage only their own access keys. Which IAM policy should be attached to the user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"arn:aws:iam::*:user/*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:*AccessKey*","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"arn:aws:iam::*:user/${aws:username}"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"*"}]}
AnswerC

Restricts the user to their own access keys by substituting the ${aws:username} policy variable into the resource ARN.

Why this answer

Option C is correct because the Resource ARN arn:aws:iam::*:user/${aws:username} is resolved at evaluation time to the calling user's own ARN, so iam:*AccessKey* (create, list, update, delete and get-last-used) applies only to that user; no Condition element is needed. Option A allows the same actions on every user in the account. Option B is a Deny, so it removes the ability to manage keys rather than granting it. Option D allows key management on every user with no restriction.
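A small policy evaluator, added here as an illustration and not code from this page or from AWS, that runs the situations in questions 1, 5 and 6 through the evaluation rules those questions rely on: SCPs are checked first and can only remove permissions, an explicit Deny beats every Allow, and a request with no matching Allow is implicitly denied. The account ID, user names, IP addresses and the trimmed NotAction list in the MFA carve-out are assumptions made for the example.

```python
"""Minimal model of AWS policy evaluation: an added example, not code from this page or from AWS.
Rules used by questions 1, 5 and 6: an SCP only takes permissions away, an explicit Deny anywhere
beats every Allow, otherwise the request is implicitly denied. Account IDs, names and IPs are made up."""
import fnmatch
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, ctx):
    # Negated and *IfExists operators match when the key is absent, so BoolIfExists on
    # aws:MultiFactorAuthPresent also catches access-key requests, which carry no MFA key.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            present, actual = key in ctx, str(ctx.get(key))
            if operator in ("IpAddress", "NotIpAddress"):
                in_cidr = present and any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
                ok = in_cidr if operator == "IpAddress" else not in_cidr
            elif operator == "Bool":
                ok = present and actual.lower() == wanted[0].lower()
            elif operator == "BoolIfExists":
                ok = not present or actual.lower() == wanted[0].lower()
            elif operator == "StringEquals":
                ok = present and actual in wanted
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True

def _statement_applies(stmt, request, username):
    action = request["action"].lower()  # action names are case-insensitive
    listed = [a.lower() for a in _as_list(stmt.get("Action", stmt.get("NotAction")))]
    hit = any(fnmatch.fnmatchcase(action, a) for a in listed)
    if hit != ("Action" in stmt):  # a NotAction statement covers every action NOT listed
        return False
    resources = [r.replace("${aws:username}", username) for r in _as_list(stmt.get("Resource", "*"))]
    if not any(fnmatch.fnmatchcase(request["resource"], r) for r in resources):
        return False
    return _condition_ok(stmt.get("Condition", {}), request.get("context", {}))

def evaluate(request, identity_policies, scps=None, username="alice"):
    """Return 'explicitDeny', 'implicitDeny' or 'allowed' for one request."""
    def decide(policies):
        allowed = False
        for stmt in (s for p in policies for s in _as_list(p["Statement"])):
            if _statement_applies(stmt, request, username):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                allowed = True
        return "allowed" if allowed else "implicitDeny"
    if scps is not None:  # SCPs gate first and never grant anything themselves
        verdict = decide(scps)
        if verdict != "allowed":
            return verdict
    return decide(identity_policies)

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Policies from questions 1 (corporate-IP SCP), 5 (MFA deny, naive and with carve-out) and 6 (own keys)
FULL_AWS_ACCESS = policy({"Effect": "Allow", "Action": "*", "Resource": "*"})
SCP_CORP_IP_ONLY = policy({"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}})
EC2_FULL = policy({"Effect": "Allow", "Action": "ec2:*", "Resource": "*"})
# The MFA exception sits inside the Deny (NotAction) because a separate Allow never overrides
# a Deny; the NotAction list is trimmed from AWS's documented self-service MFA policy (assumption).
NO_MFA = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
MFA_NAIVE = policy({"Effect": "Allow", "Action": "*", "Resource": "*"},
                   {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": NO_MFA})
MFA_CARVE_OUT = policy({"Effect": "Allow", "Action": "*", "Resource": "*"},
                       {"Effect": "Deny", "Resource": "*", "Condition": NO_MFA, "NotAction": [
                           "iam:ChangePassword", "iam:GetUser", "iam:CreateVirtualMFADevice",
                           "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"]})
OWN_KEYS_ONLY = policy({"Effect": "Allow", "Action": "iam:*AccessKey*",
                        "Resource": "arn:aws:iam::*:user/${aws:username}"})

def run_scenarios():
    """Verdicts for the situations in questions 1, 5 and 6, keyed by a short label."""
    org = [FULL_AWS_ACCESS, SCP_CORP_IP_ONLY]
    ec2 = {"action": "ec2:RunInstances", "resource": "arn:aws:ec2:us-east-1:111122223333:instance/*"}
    pw = {"action": "iam:ChangePassword", "resource": "arn:aws:iam::111122223333:user/alice"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    own, bob = "arn:aws:iam::111122223333:user/alice", "arn:aws:iam::111122223333:user/bob"
    return {
        "q1 corporate vpn ip": evaluate({**ec2, "context": {"aws:SourceIp": "10.20.30.40"}}, [EC2_FULL], org),
        "q1 home ip": evaluate({**ec2, "context": {"aws:SourceIp": "203.0.113.7"}}, [EC2_FULL], org),
        "q1 no source ip in context": evaluate(ec2, [EC2_FULL], org),
        "q5 naive, change password": evaluate({**pw, "context": no_mfa}, [MFA_NAIVE]),
        "q5 carve-out, change password": evaluate({**pw, "context": no_mfa}, [MFA_CARVE_OUT]),
        "q5 carve-out, ec2 via access key": evaluate(ec2, [MFA_CARVE_OUT]),
        "q6 own key": evaluate({"action": "iam:CreateAccessKey", "resource": own}, [OWN_KEYS_ONLY]),
        "q6 bob's key": evaluate({"action": "iam:CreateAccessKey", "resource": bob}, [OWN_KEYS_ONLY]),
    }

if __name__ == "__main__":
    print(*run_scenarios().items(), sep="\n")
```

Two results are worth a second look: the corporate-IP SCP also denies a request that carries no aws:SourceIp at all (negated operators match on an absent key), which is the reason AWS's version of that SCP pairs it with aws:ViaAWSService, and the MFA exception only works when it is written into the Deny statement with NotAction; the naive policy denies iam:ChangePassword even though an Allow for it exists.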

7
MCQeasy

A company uses IAM roles for EC2 instances to access DynamoDB. The security team wants to ensure that the instances can only access specific DynamoDB tables. They create an IAM policy that allows dynamodb:GetItem and dynamodb:PutItem on the specific table ARN. The policy is attached to the instance role. However, when an application on the instance tries to read from the table, it receives an 'AccessDeniedException'. The application is using the correct table name. What is the MOST likely cause?

A.The IAM policy is not attached to the instance profile.
B.The DynamoDB table is encrypted with a customer managed key that the role does not have access to.
C.The policy does not include dynamodb:DescribeTable action.
D.The instance does not have the required instance profile associated.
AnswerC

Many SDKs need DescribeTable.

Why this answer

Option C is correct. The policy allows only dynamodb:GetItem and dynamodb:PutItem on the table ARN, but SDK helpers that load table metadata (for example a table resource that reads the key schema before building a request) call dynamodb:DescribeTable first, and that call is denied. Reads through a secondary index would likewise need the index ARN (arn:aws:dynamodb:<region>:<account>:table/<name>/index/<index>) in the Resource element.

Option A is wrong because the question states the policy is attached to the instance role. Option B is wrong because nothing in the scenario mentions a customer managed key; with the default AWS owned key the role needs no KMS permission. Option D is wrong because an instance with no instance profile has no credentials at all, so the SDK would report missing credentials rather than AccessDeniedException.

8
MCQeasy

An administrator needs to grant an IAM user the ability to change their own password without allowing them to change other users' passwords. Which IAM action should be included in the policy?

A.iam:CreateLoginProfile
B.iam:UpdateAccountPasswordPolicy
C.iam:UpdateServiceSpecificCredential
D.iam:ChangePassword
AnswerD

Allows the user to change their own password.

Why this answer

Option D is correct because iam:ChangePassword is the action a user calls to change their own console password; it never changes anyone else's (that is iam:UpdateLoginProfile), and scoping it to arn:aws:iam::*:user/${aws:username} keeps the policy tight. Option A is wrong because iam:CreateLoginProfile is an administrative action that sets a console password for a user. Option B is wrong because iam:UpdateAccountPasswordPolicy changes the account-wide password policy, not a password.

Option C is wrong because iam:UpdateServiceSpecificCredential manages service-specific credentials such as CodeCommit HTTPS credentials, not the console password.

9
Multi-Selectmedium

A security engineer is designing a solution to allow a Lambda function to write logs to CloudWatch Logs. Which TWO actions are required in the IAM execution role? (Choose TWO.)

Select 2 answers
A.logs:GetLogEvents
B.logs:PutLogEvents
C.logs:CreateLogStream
D.logs:PutRetentionPolicy
E.logs:CreateLogGroup
AnswersB, E

Needed to write log events.

Why this answer

The key selects B and E: logs:CreateLogGroup creates the function's log group on first invocation and logs:PutLogEvents writes the events. In a real execution role you need logs:CreateLogStream as well, because each new execution environment creates its own log stream before writing to it; the AWS managed AWSLambdaBasicExecutionRole policy grants exactly those three actions. Treat option C as required in practice but outside this two-answer key, not as wrong.

Option A (logs:GetLogEvents) is read access and option D (logs:PutRetentionPolicy) manages retention; neither is needed to write logs.

10
Multi-Selectmedium

A security engineer is designing IAM policies for a data analytics platform that uses Amazon S3, Amazon Athena, and AWS Glue. The platform must allow data scientists to query data in S3 using Athena, but only from specific VPC subnets. Additionally, the data must be encrypted at rest using AWS KMS. Which TWO actions should the engineer take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Grant kms:Decrypt permission in the IAM policy and configure the KMS key policy to allow the IAM role to use the key.
B.Add kms:EncryptionContext condition to the IAM policy to require a specific encryption context.
C.Create a VPC endpoint for Athena and attach a bucket policy that restricts access to that endpoint.
D.Use the s3:SourceIp condition key in the IAM policy to restrict access to the private IP ranges of the VPC subnets.
E.Enable default encryption on the S3 bucket using SSE-S3 and configure the KMS key policy to allow the IAM role.
AnswersA, C

Correct – Allows Athena to decrypt S3 objects with the KMS key.

Why this answer

A: Correct – the role needs kms:Decrypt in its identity policy and the customer managed key's policy must grant that role the key, otherwise Athena cannot decrypt the S3 objects it reads. C: Correct – an interface VPC endpoint for Athena, with a bucket policy conditioned on that endpoint (aws:SourceVpce), confines queries to the VPC the endpoint sits in. B: Incorrect – kms:EncryptionContext constrains which encryption context a KMS call may use; it neither enforces encryption at rest nor restricts where requests come from.

D: Incorrect – there is no s3:SourceIp key, and the global aws:SourceIp key is not populated for requests that arrive through a VPC endpoint; for those use aws:SourceVpce, aws:SourceVpc or aws:VpcSourceIp. E: Incorrect – SSE-S3 uses S3-managed keys, so a KMS key policy has no bearing on it; the requirement calls for SSE-KMS.

11
Multi-Selecthard

Which IAM policy condition key can be used to enforce that API calls are directed to a specific AWS region?

Select 1 answer
A.ec2:Region
B.aws:UserAgent
C.aws:SourceIp
D.aws:RequestedRegion
E.aws:Region
AnswersD

Use this condition to check the region in the API request.

Why this answer

The correct answer is D. aws:RequestedRegion is the global condition key that carries the Region an API call is directed to, so an SCP or identity policy can Deny when it is outside an allowed list. Global services report a fixed Region (IAM, for example, is reported as us-east-1), so a Region allow-list needs exceptions for them. Option A is wrong because ec2:Region is an EC2 service-specific key and cannot govern other services. Option B is wrong because aws:UserAgent is set by the client and says nothing about Region.

Option C is wrong because aws:SourceIp is the caller's IP address, not the target Region. Option E is wrong because there is no aws:Region global condition key.

12
MCQhard

A company runs a serverless application using AWS Lambda functions that access an Amazon DynamoDB table. The Lambda functions are part of a microservices architecture and need to read and write to the DynamoDB table. The security team wants to ensure that the Lambda functions have the minimum required permissions. Initially, the team attached the AWS managed policy 'AWSLambdaDynamoDBExecutionRole' to the Lambda execution role, but later discovered that this policy grants more permissions than needed. The team decides to create a custom policy with only the required actions: GetItem, PutItem, UpdateItem, and DeleteItem. However, after attaching the custom policy, the Lambda functions start failing with 'AccessDeniedException' when trying to access DynamoDB. The CloudWatch logs show that the Lambda function is unable to write logs to CloudWatch Logs. What is the MOST likely cause of the failures?

A.The custom policy does not include permissions for CloudWatch Logs actions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents), which are required for Lambda to write logs.
B.The custom policy does not include dynamodb:ListTables, which is required for the DynamoDB SDK to work.
C.The DynamoDB table has a resource-based policy that denies access from Lambda functions without a specific condition key.
D.The Lambda function is attached to a VPC and requires permissions to create Elastic Network Interfaces (ec2:CreateNetworkInterface).
AnswerA

Lambda uses CloudWatch Logs for logging; without these permissions, the function fails when trying to log.

Why this answer

Option A is correct. The custom policy only grants DynamoDB permissions but does not include permissions for CloudWatch Logs, which are needed for Lambda to write logs. The managed policy included both DynamoDB and CloudWatch Logs permissions.

Option B is wrong because reading and writing a named table does not require dynamodb:ListTables. Option C is wrong because nothing in the scenario points at a table policy, and the logs show that the failing permission is the function's own logging. Option D is wrong because the ENI permissions (ec2:CreateNetworkInterface and related actions) are needed only when the function is attached to a VPC, which the scenario does not mention.
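The fix described above, as an added example that is not code from this page or from AWS: build the replacement execution role policy with the CloudWatch Logs actions scoped to the function's own log group and the DynamoDB actions scoped to the one table, then check a candidate policy for required actions it fails to grant and for statements that still apply to every resource. Region, account ID, function and table names are made up; the log group name follows Lambda's /aws/lambda/<function-name> convention.

```python
"""Least-privilege Lambda execution role policy plus a missing-permission check.
Added example, not code from the page or from AWS. Region, account, function and table
names are made up; the log group name follows Lambda's /aws/lambda/<function> convention."""
import fnmatch

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
TABLE_ACTIONS = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]


def _listed(value):
    return value if isinstance(value, list) else [value]


def execution_policy(region, account, function_name, table_name):
    """Policy scoped to the function's own log group and the single table it uses."""
    log_group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}"
    return {"Version": "2012-10-17", "Statement": [
        # The group ARN covers CreateLogGroup; streams and events are resources under <group>:*
        {"Sid": "WriteOwnLogs", "Effect": "Allow", "Action": LOG_ACTIONS,
         "Resource": [log_group, f"{log_group}:*"]},
        {"Sid": "TableItems", "Effect": "Allow", "Action": TABLE_ACTIONS,
         "Resource": f"arn:aws:dynamodb:{region}:{account}:table/{table_name}"},
    ]}


def missing_actions(policy, required):
    """Actions in `required` that no Allow statement covers (wildcards honoured, case-insensitive)."""
    granted = [a.lower() for s in policy["Statement"] if s["Effect"] == "Allow"
               for a in _listed(s["Action"])]
    return sorted(r for r in required if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted))


def wildcard_resources(policy):
    """Sids of Allow statements that apply to every resource: candidates for tightening."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _listed(s.get("Resource", "*"))]


# The custom policy from question 12 as the team wrote it: table actions only, so the
# function can no longer create its log stream or write log events.
TABLE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TableItems", "Effect": "Allow", "Action": TABLE_ACTIONS, "Resource": "*"}]}

if __name__ == "__main__":
    required = LOG_ACTIONS + TABLE_ACTIONS
    fixed = execution_policy("us-east-1", "111122223333", "order-processor", "Orders")
    print("missing from table-only policy:", missing_actions(TABLE_ONLY, required))
    print("missing from scoped policy:", missing_actions(fixed, required))
    print("unscoped statements:", wildcard_resources(TABLE_ONLY), wildcard_resources(fixed))
```

Running it reports the three logs actions as missing from the table-only policy and nothing missing from the scoped one; the wildcard check flags the original TableItems statement, which granted the four item actions on every table in every account.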

13
MCQmedium

A security engineer runs the IAM policy simulator with a custom policy. The output shows the above. Which statement is true about the policy?

A.The policy allows iam:DeleteUser but denies iam:CreateUser.
B.The policy allows all actions by default.
C.The policy contains a statement that explicitly denies iam:DeleteUser.
D.The policy has no effect because the simulator returned errors.
AnswerC

Simulator shows explicitDeny.

Why this answer

The simulator reports explicitDeny for iam:DeleteUser, which can only come from a Deny statement matching that action, so option C is correct. Option A is wrong because it reverses the result: CreateUser is allowed and DeleteUser is denied. Option B is wrong because no policy allows anything by default, and this one contains a Deny.

Option D is wrong because an explicitDeny result is a completed evaluation, not an error.

14
Multi-Selecthard

Which THREE are valid ways to restrict access to an S3 bucket using IAM policies? (Choose 3.)

Select 3 answers
A.Requiring server-side encryption using the 's3:x-amz-server-side-encryption' condition key
B.Using the 'aws:PrincipalOrgID' condition key
C.Restricting access to a specific VPC using the 'aws:SourceVpc' condition key
D.Using the 's3:ResourceAccount' condition key to restrict access to a specific bucket
E.Limiting access to specific IP addresses using the 'aws:SourceIp' condition key
AnswersA, C, E

This can be done in IAM policies to enforce encryption.

Why this answer

Options A, C and E are correct. A: the s3:x-amz-server-side-encryption key lets an identity policy deny s3:PutObject unless the request carries the required encryption header. C: aws:SourceVpc (and aws:SourceVpce) restricts access to requests that arrive through a VPC endpoint in the named VPC. E: aws:SourceIp restricts access to a list of public IP ranges.

Option B is wrong in this context because aws:Principal.OrgID is designed for resource-based policies such as bucket policies, where the principal may belong to another account; in an identity-based policy the principal is already a member of your own account, so the key adds nothing. Option D is wrong because s3:ResourceAccount restricts by the account that owns the bucket, not by bucket name; a specific bucket is scoped with its ARN in the Resource element.

15
MCQhard

A security engineer must ensure that cross-account access to an S3 bucket is restricted to only accounts that are part of a specific AWS organization. Which IAM policy condition key should be used in the bucket policy?

A.aws:SourceIp
B.aws:MultiFactorAuthPresent
C.aws:PrincipalOrgID
D.aws:SourceVpce
AnswerC

Checks that the principal's account is in the specified AWS organization.

Why this answer

Option C is correct because aws:PrincipalOrgID compares the calling principal's organization ID with the value in the condition, so one statement admits every account in the organization and nothing outside it, without maintaining a list of account IDs. Option A is wrong because aws:SourceIp restricts by caller IP address. Option B is wrong because aws:MultiFactorAuthPresent checks whether MFA was used.

Option D is wrong because aws:SourceVpce restricts by VPC endpoint.

16
MCQmedium

Refer to the exhibit. A developer is trying to list objects in a Google Cloud Storage bucket from an AWS environment. What is the most likely cause of the error?

A.The bucket name is incorrect.
B.The developer is using the wrong command (gsutil instead of aws s3).
C.The IAM role does not have S3 permissions.
D.The S3 bucket policy does not allow the user.
AnswerB

gsutil is for Google Cloud Storage; to access S3, use 'aws s3 ls s3://bucket-name'.

Why this answer

Option B is correct because the error refers to a Google Cloud Storage bucket, which means the developer ran gsutil; S3 is accessed with the AWS CLI, for example aws s3 ls s3://bucket-name. Option A is wrong because the problem is the tool, not the bucket name. Option C is wrong because gsutil never consults an AWS IAM role.

Option D is wrong because an S3 bucket policy plays no part in a gsutil request.

17
MCQmedium

A company is using AWS Organizations and wants to delegate administrative tasks for a specific OU to another account. Which feature should be used?

A.AWS Resource Access Manager
B.AWS CloudTrail
C.AWS SSO
D.Delegated administrator for AWS Organizations
AnswerD

Allows a member account to perform administrative tasks on behalf of the organization.

Why this answer

Option D is correct: a delegated administrator is a member account that AWS Organizations authorizes to manage a supported service, or specific Organizations policy types, on the organization's behalf, so the OU's day-to-day administration need not run from the management account. Option A is wrong because AWS RAM shares resources such as subnets and transit gateways, not administrative authority. Option B is wrong because CloudTrail records API activity.

Option C is wrong because AWS SSO (IAM Identity Center) provides workforce sign-in and permission sets; it does not delegate Organizations administration.

18
Multi-Selecthard

A company has a requirement that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should the company take to enforce this?

Select 2 answers
A.Enable MFA devices for each IAM user.
B.Use a service control policy (SCP) to require MFA for all users.
C.Attach an IAM policy that denies all actions unless the request includes MFA (condition aws:MultiFactorAuthPresent).
D.Enable MFA for the root user only.
E.Configure an IAM password policy that requires MFA.
AnswersA, C

Users must have MFA devices assigned.

Why this answer

Options A and C are correct. A: each user must have a virtual or hardware MFA device registered, otherwise there is nothing to enforce. C: an identity policy that denies actions when aws:MultiFactorAuthPresent is false (with a self-service carve-out so users can still enrol) makes the console unusable without MFA.

Option B is not one of the two steps here: an SCP can deny calls made without MFA across accounts, but it is an organization-level guardrail rather than the per-user enforcement asked for, and it still depends on step A. Option D is wrong because protecting only the root user leaves every IAM user unenforced. Option E is wrong because the IAM password policy governs length, complexity and rotation; it has no MFA setting.

19
MCQhard

A developer needs to access an S3 bucket from an EC2 instance. The developer creates an IAM role with the necessary S3 permissions and attaches it to the instance profile. However, applications running on the instance can still not access the bucket. What is the most likely cause?

A.The IAM role cannot be attached after the EC2 instance is launched.
B.The IAM role is not attached to the EC2 instance's instance profile.
C.The instance metadata service is disabled on the EC2 instance.
D.The S3 bucket policy does not explicitly grant access to the IAM role.
AnswerB

The role must be associated with the instance profile to be used by the instance.

Why this answer

Option B is correct: an EC2 instance obtains credentials only from the instance profile associated with it, and that profile must contain the role; a role that exists but is not in the associated profile gives the application nothing. Option A is wrong because an instance profile can be attached to, or replaced on, a running instance. Option C is wrong because disabling the instance metadata service would indeed break credential retrieval, but it is not the default and the scenario gives no sign of it.

Option D is wrong because the role's identity policy is sufficient for a bucket in the same account; a bucket policy naming the role is required only for cross-account access.

20
Multi-Selectmedium

Which TWO statements are true about IAM roles? (Choose two.)

Select 2 answers
A.IAM roles can be used by federated users.
B.IAM roles are specific to an AWS region.
C.IAM roles cannot be attached to an EC2 instance.
D.IAM roles have permanent access keys.
E.IAM roles can be assumed by AWS services like EC2.
AnswersA, E

Federated users can assume roles to access AWS.

Why this answer

Options A and E are correct. A: federated users (SAML, OIDC or web identity) receive temporary credentials by assuming a role. E: AWS services such as EC2 and Lambda assume roles through a trust policy, which is how instance profiles and execution roles work. Option B is false because IAM is a global service; roles are not Region-specific.

Option C is false because roles are attached to EC2 instances via instance profiles. Option D is false because roles have no long-term credentials; every session gets temporary ones from STS.

21
MCQeasy

Refer to the exhibit. An IAM user has this policy attached. Can the user create a new IAM user in the us-east-1 region?

A.Yes, because the Allow statement explicitly permits CreateUser.
B.No, because IAM is a global service and region conditions do not apply.
C.Yes, because the Deny only applies to us-east-1.
D.No, because the Deny statement blocks all IAM actions in us-east-1.
AnswerD

The Deny is explicit and overrides the Allow.

Why this answer

Option D is correct. The Deny statement covers all IAM actions when the request is made in us-east-1, and an explicit Deny overrides the Allow for iam:CreateUser, so the request fails. IAM is a global service, but its API calls still carry aws:RequestedRegion (reported as us-east-1), which is why the Region condition matches.

22
MCQmedium

A company has an S3 bucket with a bucket policy that grants access to an IAM role used by an application running on EC2. The application is unable to read objects from the bucket, even though the IAM role has the necessary permissions. What is the most likely cause?

A.The bucket is in a different AWS account.
B.The bucket policy denies access to the IAM role.
C.The bucket policy does not explicitly allow the IAM role.
D.The IAM role has an explicit deny statement.
AnswerB

A deny in bucket policy overrides any allow.

Why this answer

Option B is correct. S3 evaluates the bucket policy and the role's identity policy together, and an explicit Deny in either overrides every Allow, so a Deny statement in the bucket policy blocks the role even though its own permissions are sufficient. Option A is wrong because cross-account access works as long as both the bucket policy and the identity policy allow it, and the question states that both grant access. Option C is wrong because the question states the bucket policy grants the role access.

Option D is wrong because the question states the role has the necessary permissions, which rules out a Deny in its own policy.

23
Multi-Selecteasy

Which TWO of the following are AWS best practices for managing access keys? (Choose 2.)

Select 2 answers
A.Use the same access key for multiple users.
B.Share access keys via email.
C.Delete unused access keys.
D.Rotate access keys regularly.
E.Embed access keys directly in application code.
AnswersC, D

Reduces attack surface.

Why this answer

Options C and D are correct: deleting unused keys removes credentials nobody is watching, and regular rotation limits how long a leaked key stays valid. Options A, B and E each spread a long-term secret (shared keys, keys in email, keys in source code) and are the opposite of best practice; prefer roles and temporary credentials wherever a key can be avoided altogether.

24
MCQhard

A security engineer is configuring a VPC endpoint for Amazon S3 and wants to ensure that only traffic from specific IAM roles can access the S3 bucket through the endpoint. Which policy element should the engineer use?

A.aws:SourceVpc
B.aws:PrincipalArn
C.aws:username
D.aws:SourceVpce
AnswerB

This condition key allows restricting access to specific IAM roles.

Why this answer

Option B is correct because a VPC endpoint policy is a resource-based policy whose Principal element, or an aws:PrincipalArn condition, can name the exact IAM role ARNs allowed to use the endpoint; every other caller is refused at the endpoint, before the request reaches S3. Option A is wrong because aws:SourceVpc identifies the VPC a request came from, not the caller. Option C is wrong because aws:username is populated only for IAM users and is empty for role sessions.

Option D is wrong because aws:SourceVpce identifies the endpoint itself; it belongs in a bucket policy, not in the endpoint's own policy.

25
MCQhard

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes financial transactions and must store transaction logs in an Amazon S3 bucket. The security team requires that all API calls to AWS services are logged and that the logs are stored in a secure, tamper-proof manner. The team enables AWS CloudTrail to log management events and Amazon S3 server access logs for the S3 bucket. They also enable AWS Config to track resource changes. The compliance team wants to ensure that no one can disable CloudTrail logging or delete the CloudTrail log files. The security engineer proposes a solution using an SCP in AWS Organizations to deny actions that would disable CloudTrail or delete log files. However, the engineer is concerned that the SCP might be applied too broadly and affect legitimate administrative actions. The engineer wants to ensure that only the security team’s IAM role (SecurityAdminRole) can perform these restricted actions, while all other principals (including IAM users, roles, and the root user) are denied. The engineer creates an SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the CloudTrail S3 bucket. The SCP includes a condition that allows the action if the principal is SecurityAdminRole. However, after applying the SCP, the security team finds that even SecurityAdminRole is unable to stop CloudTrail logging. What is the most likely cause of this issue?

A.The condition in the SCP is incorrectly scoped, causing the deny to apply to all principals including SecurityAdminRole.
B.The SCP is applied to the root organizational unit (OU), which includes the management account where the root user is not affected by SCPs.
C.The SecurityAdminRole does not have the necessary IAM permissions to stop CloudTrail logging.
D.The S3 bucket policy on the CloudTrail bucket denies access to the SecurityAdminRole.
AnswerA

Correct – The condition likely does not properly exclude SecurityAdminRole, so the deny applies to all.

Why this answer

A: Correct – the Deny applies to every principal the condition does not exclude, so if the exclusion does not actually match SecurityAdminRole, the role is denied along with everyone else. The reliable form is a Deny on the protected actions with "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"} (ArnNotLike works the same way). A common way to get it wrong is "StringNotEquals" with that same pattern: StringNotEquals compares literally, the "*" in the account position is not a wildcard, so no real role ARN ever equals the pattern and the Deny applies to everyone. Two further checks: aws:PrincipalArn for a role session is the role ARN, not the assumed-role session ARN, and the role still needs its own identity policy allowing cloudtrail:StopLogging, since an SCP grants nothing.

B: Incorrect – an SCP at the root reaching every member account is the intent; the management account is exempt from SCPs, but that does not explain a role in a member account being denied. C: Incorrect – the scenario attributes the failure to the SCP; a missing identity permission would be a separate, pre-existing problem. D: Incorrect – a bucket policy governs S3 object access and cannot block cloudtrail:StopLogging, which is the action that fails.
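The operator mistake described above, reproduced as an added example that is not code from this page or from AWS: the same protective SCP is generated with StringNotEquals and with StringNotLike, and the condition is evaluated against the role's ARN the way aws:PrincipalArn would present it. Account IDs and role names are made up.

```python
"""Why an SCP exemption written with StringNotEquals denies the exempt role too.
Added example, not code from the page or from AWS. String operators compare literally
(StringEquals / StringNotEquals), so a '*' in the value is just a character; the Like
operators (StringLike / StringNotLike, ArnLike / ArnNotLike) treat '*' and '?' as
wildcards. Account IDs and role names are made up."""
import fnmatch

PROTECTED_ACTIONS = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]
NEGATED = ("StringNotEquals", "StringNotLike", "ArnNotLike")


def _string_match(operator, value, pattern):
    """Evaluate one condition operator against a single value (True = condition satisfied)."""
    if operator in ("StringEquals", "StringNotEquals"):
        hit = value == pattern
    elif operator in ("StringLike", "StringNotLike", "ArnLike", "ArnNotLike"):
        hit = fnmatch.fnmatchcase(value, pattern)
    else:
        raise ValueError(f"operator {operator} is not modelled here")
    return not hit if operator in NEGATED else hit


def protect_cloudtrail_scp(operator, exempt_principal):
    """Deny the protected actions to everyone except principals matching exempt_principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectTrail", "Effect": "Deny", "Action": PROTECTED_ACTIONS, "Resource": "*",
        "Condition": {operator: {"aws:PrincipalArn": exempt_principal}}}]}


def scp_denies(scp, principal_arn, action):
    """True when the SCP's single Deny statement applies to this principal and action."""
    stmt = scp["Statement"][0]
    if action not in stmt["Action"]:
        return False
    (operator, pairs), = stmt["Condition"].items()  # exactly one operator in this SCP
    return _string_match(operator, principal_arn, pairs["aws:PrincipalArn"])


def denied_principals(scp, principal_arns, action="cloudtrail:StopLogging"):
    return [arn for arn in principal_arns if scp_denies(scp, arn, action)]


# aws:PrincipalArn for a role session is the role ARN, which is what the SCP sees
SECURITY_ADMIN = "arn:aws:iam::111122223333:role/SecurityAdminRole"
DEVELOPER = "arn:aws:iam::111122223333:role/Developer"
EXEMPT_PATTERN = "arn:aws:iam::*:role/SecurityAdminRole"  # wildcard account, as in the question

if __name__ == "__main__":
    for operator in ("StringNotEquals", "StringNotLike", "ArnNotLike"):
        scp = protect_cloudtrail_scp(operator, EXEMPT_PATTERN)
        print(f"{operator:16} denies: {denied_principals(scp, [SECURITY_ADMIN, DEVELOPER])}")
```

With StringNotEquals both roles are denied, which is the symptom in the question; with StringNotLike or ArnNotLike only Developer is. StringNotEquals is fine when the exemption is spelled out as the full ARN with no wildcard, but an exact ARN has to be updated whenever the account or role name changes.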

26
Multi-Selecteasy

A company wants to allow a Lambda function to read messages from an SQS queue and write logs to CloudWatch Logs. Which TWO IAM actions should be included in the Lambda execution role?

Select 2 answers
A.logs:DeleteLogGroup
B.sqs:ReceiveMessage
C.cloudwatch:*
D.logs:CreateLogStream and logs:PutLogEvents
E.sqs:SendMessage
AnswersB, D

This allows the function to read messages from the queue.

Why this answer

Options B and D are correct: sqs:ReceiveMessage lets Lambda's poller, which runs with the execution role, read from the queue, and logs:CreateLogStream plus logs:PutLogEvents let the function write its log output. For an SQS event source mapping the role also needs sqs:DeleteMessage and sqs:GetQueueAttributes, as the policy in the next question shows. Option A is wrong because deleting log groups is no part of writing logs.

Option C is wrong because cloudwatch:* is the metrics namespace, not CloudWatch Logs, and is far too broad in any case. Option E is wrong because sqs:SendMessage is for producers writing to the queue, not for consuming it.

27
MCQmedium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The Lambda function is configured with an execution role that has the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] } The Lambda function is also configured with an SQS trigger that uses the same queue. The function code tries to send a message to an Amazon SNS topic, but the send fails with an AccessDenied error. What is the most likely cause?

A.The SQS queue has a resource-based policy that denies the Lambda function from sending to SNS.
B.The Lambda execution role does not have permissions to publish to SNS.
C.The SNS topic has a resource-based policy that denies the Lambda function.
D.The SQS queue is not configured to allow the Lambda function to send messages to SNS.
AnswerB

The policy only grants SQS and CloudWatch Logs permissions, not SNS.

Why this answer

Option B is correct. Lambda makes AWS API calls with its execution role's credentials, and the policy shown grants SQS and CloudWatch Logs actions only; there is no sns:Publish, so the publish call is denied.

Option A is wrong because an SQS queue policy governs access to the queue, not what the function may do elsewhere. Option C is wrong because the missing identity permission produces this error on its own; an SNS topic policy is not needed for same-account publishing once the role allows it. Option D is wrong because SQS has no setting that controls a consumer's access to SNS.

28
MCQmedium

An administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance in a specific VPC. The user has the AmazonEC2FullAccess policy attached. What is the most likely cause?

A.The user's permissions boundary blocks EC2 actions.
B.The user has exceeded the maximum number of EC2 instances allowed.
C.The VPC has an IAM policy attached that denies the ec2:RunInstances action.
D.The key pair specified is not owned by the user.
AnswerC

A Deny scoped to that VPC overrides the Allow in the managed policy.

Why this answer

Option C is the keyed answer, and it should be read as "a Deny scoped to the VPC": a VPC has no IAM policy of its own, so in practice the block comes from elsewhere in the evaluation chain, such as an SCP, a permissions boundary, or a Deny statement conditioned on EC2 resource keys like ec2:Vpc or ec2:Subnet, and any such Deny overrides the Allow in AmazonEC2FullAccess. Option A is possible only if a permissions boundary has been set on the user, which the question does not state. Option B is wrong because exceeding a quota produces an instance limit error, not an access denied error.

Option D is wrong because key pairs are not IAM resources and are not owned by IAM users.

29
Multi-Select · hard

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users must have MFA enabled. Which TWO methods can be used to enforce this? (Choose TWO.)

Select 2 answers
A. Attach an IAM policy that denies all actions unless MFA is present.
B. Configure a password policy that requires MFA.
C. Require MFA for all IAM roles.
D. Use a Service Control Policy (SCP) to deny actions when MFA is not present.
E. Enable MFA delete on S3 buckets.
Answers: A, D

This policy can be applied to users or groups to enforce MFA.

Why this answer

The correct options are B and D. A Service Control Policy can deny actions if MFA is not present, and an IAM policy with a condition for 'aws:MultiFactorAuthPresent' can be attached to users or groups. Option A is not effective because password policy does not enforce MFA usage.

Option C is about requiring MFA for API calls, but not enforcement. Option E is about roles, not users.

30
MCQ · easy

A company wants to grant an IAM user the ability to rotate their own access keys. What is the least privileged IAM policy that allows this?

A. A policy with Action: 'iam:*AccessKey*' and Resource: 'arn:aws:iam::*:user/*'
B. A policy with Action: 'iam:ListAccessKeys' and 'iam:GetAccessKeyLastUsed' and Resource: '*'
C. A policy with Action: 'iam:CreateAccessKey', 'iam:DeleteAccessKey', 'iam:UpdateAccessKey' and Resource: 'arn:aws:iam::*:user/${aws:username}'
D. A policy with Action: 'iam:*' and Resource: '*'
Answer: C

This allows the user to manage only their own access keys.

Why this answer

Option B is correct because it allows the user to manage their own access keys. Option A is wrong because it grants full IAM access. Option C is wrong because it does not allow deleting or creating keys.

Option D is wrong because it requires a specific resource ARN with a wildcard, which is not necessary for self-management.

31
MCQ · medium

A developer is trying to push an image to Amazon ECR but receives an 'AccessDeniedException' error. The developer's IAM user has the 'AmazonEC2ContainerRegistryPowerUser' managed policy attached. What is the most likely reason for the failure?

A. The developer needs to call 'ecr:GetAuthorizationToken' and authenticate to the registry.
B. The developer is pushing from an unsupported region.
C. The ECR repository has a resource policy that denies the push.
D. The image is too large for ECR.
Answer: A

ECR requires an authorization token before pushing; PowerUser policy does not include GetAuthorizationToken.

Why this answer

Option B is correct because ECR requires authentication via 'ecr:GetAuthorizationToken' which is not included in the PowerUser policy. Option A is wrong because the error is not about resource policy. Option C is wrong because the error is access denied, not unsupported media type.

Option D is wrong because the error is not about image size.

32
MCQ · easy

An application running on an EC2 instance needs to access an S3 bucket. What is the most secure way to grant the EC2 instance the necessary permissions?

A. Create an IAM role with the necessary S3 permissions and attach it to the EC2 instance as an instance profile.
B. Store the credentials in an encrypted file on the EC2 instance and decrypt them at runtime.
C. Store the AWS access key and secret key in the application code.
D. Use an S3 bucket policy that allows access from the EC2 instance's public IP address.
Answer: A

This allows the application to obtain temporary credentials securely.

Why this answer

Option B is correct because an IAM instance profile is the recommended way to grant permissions to EC2 instances. Option A is wrong because storing credentials in the code is insecure. Option C is wrong because storing credentials in an encrypted file still requires managing keys.

Option D is wrong because S3 bucket policies are not designed to grant permissions to EC2 instances directly.

33
MCQ · easy

A developer needs to grant an IAM user the ability to launch EC2 instances with specific tags. Which IAM condition key should be used to enforce that the instance is tagged with 'Environment=Production'?

A. aws:ResourceTag
B. aws:SourceIp
C. ec2:ResourceTag
D. aws:RequestTag
Answer: D

Enforces tags at request time.

Why this answer

aws:RequestTag is used to enforce tags at creation. Option B is for existing tags. Option C is for EC2-specific resource tags.

Option D is for source IP.

34
MCQ · hard

A security engineer is designing a cross-account access solution. An IAM role in Account A needs to be assumed by users from Account B. Which two components are required?

A. Permissions boundary on the role to limit permissions
B. Service control policy in Account A allowing AssumeRole
C. Trust policy allowing Account B to assume the role, and IAM policy in Account B allowing sts:AssumeRole
D. Resource-based policy on the role allowing cross-account access
Answer: C

This is the standard cross-account role setup.

Why this answer

Option D is correct because the trust policy in Account A allows Account B to assume the role, and users in Account B need permissions to call sts:AssumeRole. Option A is wrong because a resource-based policy on the role is not used. Option B is wrong because permission boundary is optional.

Option C is wrong because an SCP in Account B might deny the action.

35
MCQ · hard

A security engineer attaches this policy to an IAM user. The user tries to download an object from the bucket from an IP address 10.1.0.5. What will happen?

A. The user will be denied access because the condition does not match
B. The user will be allowed access because the policy allows s3:GetObject
C. The policy is invalid and will cause an error
D. The user will be denied access because there is an explicit deny
Answer: A

The IP is outside the allowed range.

Why this answer

Option C is correct because the condition restricts access to IPs in 10.0.0.0/16, and 10.1.0.5 is not in that range. Option A is wrong because the condition is not satisfied. Option B is wrong because there is no explicit deny.

Option D is wrong because the policy is valid.

36
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in the member accounts must have multi-factor authentication (MFA) enabled to access the AWS Management Console. Which approach should be used?

A. Use AWS Config rules to detect users without MFA and automatically disable their access
B. Attach an SCP to the root OU that denies all AWS actions unless the request includes MFA authentication
C. Create an IAM policy in each account that allows console access only if MFA is present and attach it to all users
D. Attach an SCP to the root OU that adds an IAM policy requiring MFA to all users
Answer: B

This SCP will deny any action if the user does not authenticate with MFA, effectively enforcing MFA.

Why this answer

Option B is correct because a Service Control Policy (SCP) can deny all actions if a condition for MFA is not met, effectively enforcing MFA across all accounts. Option A is wrong because an SCP cannot attach IAM policies to users; it only sets permission boundaries. Option C is wrong because IAM policies in each account would require manual management and may not be enforced consistently.

Option D is wrong because AWS Config rules can detect non-compliance but cannot enforce MFA at the time of access.

37
MCQ · medium

A company is using Amazon API Gateway to expose a set of REST APIs. The APIs are backed by AWS Lambda functions. The security team wants to control access to the APIs using IAM authorization. The team has created an IAM policy for a group of developers that allows them to invoke the APIs only from within the corporate network (IP range 203.0.113.0/24). The policy is attached to an IAM group, and the developers are members of the group. However, when a developer tries to invoke the API from the corporate network, they receive a '403 Forbidden' error. The API Gateway endpoint is configured with IAM authorization. The IAM policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:us-east-1:123456789012:api-id/*","Condition":{"IpAddress":{"aws:SourceIp":"203.0.113.0/24"}}}]}. What is the MOST likely reason for the failure?

A. The resource ARN in the policy does not include the stage and method; it should be 'arn:aws:execute-api:us-east-1:123456789012:api-id/stage/GET/resource'.
B. The IAM policy must be attached directly to the IAM user, not to a group.
C. The condition key aws:SourceIp does not work for API Gateway; you must use a custom header.
D. API Gateway IAM authorization does not support resource-level conditions; you must use a Lambda authorizer.
Answer: A

The resource ARN must be more specific to match the API's resource hierarchy.

Why this answer

Option B is correct. For API Gateway IAM authorization, the resource ARN must include the stage and method, or use wildcards. The policy uses 'api-id/*' which may not match the actual resource path.

Option A is wrong because the condition is correct for IP restriction. Option C is wrong because the policy is attached to the group, so the developers should inherit it. Option D is wrong because API Gateway IAM authorization works with IAM policies; the issue is likely the resource ARN.

38
MCQ · hard

A security architect is designing a system where an S3 bucket must be accessed by users from multiple AWS accounts. The solution must use the principle of least privilege. Which approach should be used?

A. Create an IAM role in the bucket owner account and use a bucket policy that grants access to the role
B. Grant s3:ListBucket and s3:GetObject to all IAM users in the account
C. Use an SCP to allow access to the bucket for all accounts in the organization
D. Use an IAM role in each account with a bucket policy allowing the role
Answer: A

Users assume the role and get temporary credentials; bucket policy allows the role.

Why this answer

The best approach is to use S3 bucket policies with conditions that require the user to assume a specific IAM role in the bucket owner account. Option D is correct because it centralizes permissions and uses temporary credentials. Option A is wrong because it grants list access to all authenticated users.

Option B is wrong because resource-based policies (bucket policies) are better for cross-account. Option C is wrong because it allows full access to the whole organization.

39
Multi-Select · easy

Which THREE are valid methods for authenticating to AWS APIs? (Choose THREE.)

Select 3 answers
A. Access key ID and secret access key
B. SSH key pair
C. SAML federation
D. Client certificate
E. IAM role temporary credentials
Answers: A, C, E

Used for programmatic access to AWS APIs.

Why this answer

The correct options are A, C, and E. Access keys, IAM roles (via STS), and SAML federation are valid authentication methods. Option B is wrong because SSH key pairs are for EC2 instance access, not AWS APIs.

Option D is wrong because client certificates are not used for AWS API authentication.

40
MCQ · medium

Refer to the exhibit. An IAM user 'ExternalUser' from account 111111111111 tries to assume the role 'MyRole' in account 123456789012 but receives an error. The user has a policy that allows sts:AssumeRole. What is the most likely reason for the failure?

A. The role does not exist in the target account.
B. The user's AWS account has a service control policy (SCP) that denies sts:AssumeRole.
C. The user must have MFA enabled to assume the role.
D. The trust policy does not specify a principal.
Answer: B

SCP can deny the action even if the user has an allow policy.

Why this answer

Option B is correct. The trust policy allows the specific user ARN, and a user who assumes a role in another account also needs an identity-based policy allowing sts:AssumeRole on that role; the question states the user already has such a policy, so that is not the issue. Option A is wrong because the trust policy does specify a principal.

Option C is wrong because the trust policy does not require MFA. Option D is wrong because the role exists. Since the trust policy allows the user and the user's own policy allows sts:AssumeRole, the remaining explanation is that the user's account has a service control policy (SCP) that denies sts:AssumeRole. An SCP overrides the user's allow policy, so B is the most likely cause.

41
MCQ · hard

A company uses cross-account IAM roles to allow a third-party auditor to access a specific S3 bucket. The auditor reports that they are getting 'Access Denied' errors when trying to list objects. The bucket policy allows access to the auditor's account. What additional configuration is needed?

A. Modify the trust policy of the IAM role to include the auditor's account.
B. Ensure the auditor's account does not have a service control policy (SCP) denying S3 actions.
C. Attach an IAM policy to the auditor's IAM user that allows s3:ListBucket on the specific bucket.
D. Add a bucket policy that grants access to the auditor's IAM user ARN.
Answer: C

Cross-account access requires both the resource policy and the principal's IAM policy to allow the action.

Why this answer

Option D is correct because cross-account access requires both the resource-based policy (bucket policy) and the identity-based policy (on the auditor's IAM user/role) to allow the action. Option A is wrong because the bucket policy already allows the account. Option B is wrong because SCPs are for the auditor's account, not the resource account.

Option C is wrong because the trust policy is for assuming the role, not for S3 access.

42
MCQ · hard

A security engineer notices that an IAM user has permissions that are not explicitly granted through any policy. The engineer suspects that the user might have inherited permissions from a group or role. Which IAM feature should the engineer use to identify the source of these permissions?

A. IAM Roles Anywhere
B. IAM Policy Simulator
C. CloudTrail Insights
D. IAM Access Analyzer
Answer: D

Can identify policies that grant access and their origins.

Why this answer

Option D is correct because IAM Access Analyzer provides policy validation and can help identify unintended access. Option A shows effective permissions but doesn't necessarily trace sources. Option B is for analyzing service roles, not user permissions.

Option C is for CloudTrail analysis.

43
Multi-Select · easy

Which TWO of the following are valid IAM policy condition keys? (Choose TWO.)

Select 2 answers
A. aws:RequestedRegion
B. aws:RequestedService
C. aws:SourceIp
D. aws:PrincipalService
E. aws:SourceArn
Answers: A, C

Valid condition key for region.

Why this answer

The `aws:RequestedRegion` condition key is valid and used to restrict access to specific AWS Regions. It evaluates the Region endpoint that the API request is sent to, allowing you to enforce that actions can only be performed in designated Regions, such as us-east-1 or eu-west-2.

Exam trap

The trap here is that candidates often confuse `aws:SourceArn` with `aws:SourceIp` or assume `aws:RequestedService` is a real key because it sounds plausible, but AWS does not define these keys in the IAM documentation, leading to incorrect selections.

44
Multi-Select · hard

Which THREE of the following are characteristics of IAM roles? (Choose 3.)

Select 3 answers
A. Roles have long-term credentials like access keys.
B. Roles require a password for assumption.
C. Roles can be assumed by IAM users in another AWS account.
D. Roles have a trust policy that specifies who can assume the role.
E. Roles can be attached to EC2 instances to grant permissions to applications.
Answers: C, D, E

Cross-account access is a common use case.

Why this answer

Roles are assumed by trusted entities, provide temporary credentials, and can be used by AWS services.

45
Multi-Select · medium

A security engineer is designing a system to allow an EC2 instance to write logs to an S3 bucket. Which TWO steps are required?

Select 2 answers
A. Configure the security group of the EC2 instance to allow outbound HTTPS traffic to S3.
B. Create a VPC endpoint for S3 in the same subnet as the EC2 instance.
C. Add a bucket policy that allows the IAM role to perform s3:PutObject.
D. Create an IAM role with a policy that allows s3:PutObject on the bucket and attach it to the EC2 instance.
E. Enable AWS CloudTrail to capture log write events.
Answers: C, D

The bucket policy must explicitly grant access to the role.

Why this answer

Options A and D are correct. The EC2 instance needs an IAM role with permissions to write to the bucket (A), and the bucket policy must allow the role to write (D). Option B is wrong because CloudTrail is for API logging, not application logs.

Option C is wrong because the VPC endpoint is for private connectivity, not required. Option E is wrong because a security group does not grant IAM permissions.

46
MCQ · easy

A solutions architect needs to design a system where an EC2 instance can write logs to CloudWatch Logs. Which IAM entity should be used to grant permissions to the EC2 instance?

A. A resource-based policy on the EC2 instance
B. An IAM role with an instance profile
C. An IAM user with access keys stored on the instance
D. An IAM group
Answer: B

Role with instance profile provides temporary credentials to the instance.

Why this answer

An IAM role with an instance profile is the correct approach because it allows the EC2 instance to assume temporary, rotated credentials via the AWS Security Token Service (STS). The instance profile is attached to the EC2 instance, and the AWS SDK or CLI automatically retrieves credentials from the instance metadata service (IMDS) to authenticate API calls to CloudWatch Logs. This eliminates the need to store long-term credentials on the instance and follows the principle of least privilege.

Exam trap

The trap here is that candidates may confuse IAM groups with IAM roles, thinking a group can be attached to an EC2 instance, but groups only apply to IAM users and cannot be assumed by AWS services.

How to eliminate wrong answers

Option A is wrong because a resource-based policy on an EC2 instance does not exist; EC2 instances use IAM roles (via instance profiles) for permissions, not resource-based policies like those for S3 buckets or KMS keys. Option C is wrong because storing IAM user access keys on the EC2 instance is a security risk—keys are long-term credentials that can be compromised, and AWS best practices mandate using IAM roles with temporary credentials instead. Option D is wrong because an IAM group is a container for IAM users and cannot be directly attached to an EC2 instance; permissions must be assigned via an IAM role with an instance profile.

47
MCQ · easy

A company needs to provide temporary credentials to mobile app users to access AWS resources. Which AWS service should be used to issue these credentials?

A. AWS IAM
B. AWS Cognito
C. AWS Security Token Service (STS)
D. AWS Key Management Service (KMS)
Answer: C

STS issues temporary security credentials for users.

Why this answer

Option B is correct because AWS STS is used to issue temporary credentials. Option A is incorrect because IAM is for managing users and roles, not issuing temporary credentials. Option C is incorrect because AWS Cognito is for identity pools but uses STS internally; the direct service is STS.

Option D is incorrect because AWS KMS is for encryption keys.

48
Multi-Select · medium

Which TWO actions are valid ways to grant an IAM user in Account A access to an S3 bucket in Account B? (Choose 2.)

Select 2 answers
A. Attach an IAM policy to the user in Account A that allows access to the S3 bucket.
B. Add a bucket policy in Account B that grants access to the user's ARN in Account A.
C. Use a service control policy (SCP) in Account B to allow access from Account A.
D. Create an IAM role in Account B with permissions to the bucket and allow the user in Account A to assume that role.
E. Add an IAM policy to the S3 bucket in Account B granting access to the user.
Answers: B, D

This allows the user direct access if the IAM policy in Account A also allows S3 actions.

Why this answer

Options B and C are correct. B: A bucket policy can grant cross-account access to a specific user. C: A role in Account B can be assumed by the user in Account A.

Option A is wrong because IAM users cannot be granted access directly to resources in other accounts via an IAM policy in their own account; the resource account must also grant access. Option D is wrong because the S3 bucket cannot have an IAM policy; it uses bucket policies. Option E is wrong because SCPs are used in AWS Organizations to set permissions boundaries, not to grant access.

49
MCQ · medium

A company has an S3 bucket policy that allows cross-account access for a specific IAM role in another account. The bucket policy includes a Principal element with the ARN of the role. However, users in the other account that assume the role are unable to access the bucket. Which of the following is the MOST likely cause?

A. The IAM role does not have a permissions policy granting s3:GetObject on the bucket.
B. The bucket policy has an explicit Deny statement that overrides the Allow.
C. The role's trust policy does not allow the S3 service to assume the role.
D. The bucket policy uses the role ARN in the Principal element instead of the AWS account ID.
Answer: D

S3 bucket policies require the AWS account ID as Principal for cross-account access; role ARNs are not valid principals.

Why this answer

Option D is correct because when an S3 bucket policy uses a role ARN in the Principal element, the policy only grants access to that specific role session, not to the users who assume the role. Cross-account access via S3 bucket policies requires the Principal to be set to the AWS account ID (or a canonical user ID) of the other account, not the ARN of a role. The role ARN in the Principal element is not evaluated as a valid principal for S3 bucket policies in the same way as an account ID, causing the access to fail.

Exam trap

The trap here is that candidates often assume that specifying a role ARN in the Principal element of an S3 bucket policy is sufficient for cross-account access, but AWS requires the Principal to be the account ID for the policy to be evaluated correctly across accounts.

How to eliminate wrong answers

Option A is wrong because the question states the bucket policy allows cross-account access for a specific IAM role, and the issue is about the policy's Principal element, not the role's permissions policy; even if the role had an s3:GetObject permission, the bucket policy's Principal mismatch would still block access. Option B is wrong because there is no mention of an explicit Deny statement in the scenario; the problem is that the Allow statement itself is misconfigured due to the Principal element, not overridden by a Deny. Option C is wrong because the role's trust policy controls which entities can assume the role, not whether the S3 service can assume it; S3 does not assume roles—users or services assume roles, and the trust policy is irrelevant to S3 bucket policy evaluation.

50
Multi-Select · medium

A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the company take?

Select 3 answers
A. Create an IAM policy that denies all actions if aws:MultiFactorAuthPresent is false.
B. Enable CloudTrail to monitor MFA usage.
C. Attach the MFA enforcement policy to all IAM users or groups.
D. Set the password policy to require MFA.
E. Enable MFA for each IAM user.
Answers: A, C, E

This policy forces MFA to be used.

Why this answer

Options A, B, and D are correct because MFA devices must be assigned, an IAM policy can deny access if MFA is not present, and the policy must be attached to users or groups. Option C is wrong because CloudTrail does not enforce MFA. Option E is wrong because there is no built-in MFA enforcement for the root user via password policy.

51
Multi-Select · medium

A security engineer needs to allow an IAM user to rotate their own access keys. Which TWO IAM actions must be allowed in the user's policy? (Choose TWO.)

Select 2 answers
A. iam:GetAccessKeyLastUsed
B. iam:DeleteAccessKey
C. iam:ListAccessKeys
D. iam:UpdateAccessKey
E. iam:CreateAccessKey
Answers: B, E

Needed to delete the old access key after creating a new one.

Why this answer

Option A and Option E are correct. To rotate access keys, the user needs to create a new key and delete the old one. Option B is wrong because UpdateAccessKey can change the status (Active/Inactive) but is not required for rotation.

Option C is wrong because ListAccessKeys is not strictly necessary; it helps but is not required. Option D is wrong because GetAccessKeyLastUsed is not needed.

52
MCQ · medium

A company has multiple AWS accounts and wants to centrally manage access using IAM Identity Center (AWS SSO). Which feature allows the company to define permissions once and reuse them across multiple accounts?

A. Application assignments
B. Identity providers
C. Permission sets
D. Account assignments
Answer: C

Define reusable collections of permissions for AWS accounts.

Why this answer

Option B is correct because permission sets in IAM Identity Center define collections of policies that can be assigned to users and groups across accounts. Option A is for managing access to external applications. Option C is for federation.

Option D is for account management.

53
MCQ · easy

An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?

A. The policy is missing a condition
B. The bucket policy explicitly denies the action
C. The policy does not include s3:GetObject
D. The policy has a syntax error
Answer: B

An explicit deny in the bucket policy overrides the user policy allow.

Why this answer

The IAM policy grants the s3:ListBucket action on the bucket, which should allow listing objects. However, an explicit deny in a bucket policy overrides any allow, including those from IAM policies. Since the user receives an 'AccessDenied' error, the most likely cause is that the bucket policy explicitly denies the s3:ListBucket action for this user, as explicit denies take precedence over all allows.

Exam trap

The trap here is that candidates often assume an IAM policy alone is sufficient and forget that bucket policies can explicitly deny actions, overriding IAM allows, leading them to incorrectly choose options like missing permissions or syntax errors.

How to eliminate wrong answers

Option A is wrong because a missing condition would not cause an 'AccessDenied' error if the action and resource are correctly allowed; conditions only further restrict access, and their absence typically broadens access. Option C is wrong because s3:GetObject is not required for listing objects; s3:ListBucket alone is sufficient for the ListObjects operation. Option D is wrong because a syntax error would result in a different error (e.g., 'MalformedPolicy') or the policy would be invalid, not an 'AccessDenied' error during the API call.

54
MCQ · easy

An IAM user reports that they are unable to launch an EC2 instance in us-east-1. The IAM policy attached to the user allows ec2:RunInstances but with a condition that the instance type must be t2.micro. What could be the reason for the failure?

A. The user is trying to launch an instance type other than t2.micro.
B. The user has not attached a security group to the instance.
C. The IAM policy does not include ec2:RunInstances for us-east-1.
D. The user's account has reached the EC2 instance limit.
Answer: A

The condition restricts to t2.micro; any other type would be denied.

Why this answer

Option A is correct because the condition likely specifies 'ec2:InstanceType' equals 't2.micro', so if the user tries to launch any other type, the action is denied. Option B is irrelevant because the policy allows the action. Option C is not a common condition.

Option D is unrelated.

55
MCQ · hard

A company uses AWS SSO to manage access to multiple accounts. An employee leaves the company. What is the most efficient way to revoke all AWS access for that employee?

A. Deactivate the user in the connected identity provider (e.g., Active Directory).
B. Delete the corresponding IAM user in every AWS account.
C. Remove the user from all groups in AWS SSO.
D. Delete the IAM role that the user assumes in each account.
Answer: A

This immediately revokes all access across accounts via AWS SSO.

Why this answer

Option B is correct because deactivating the user in the identity provider (IdP) will invalidate all sessions and prevent new ones. Option A is wrong because deleting the IAM user in each account is inefficient. Option C is wrong because removing from groups in AWS SSO may not immediately revoke active sessions.

Option D is wrong because deleting the IAM role would break access for other users.

56
Multi-Select · medium

Which TWO actions can be used to restrict access to an S3 bucket to only requests that originate from a specific VPC?

Select 2 answers
A. Use a security group to allow inbound traffic from the VPC to S3.
B. Use an IAM policy with a condition key aws:SourceVpce to restrict access to the VPC endpoint.
C. Configure a VPC endpoint for S3 and attach a bucket policy that allows access only from that endpoint.
D. Use a network ACL to allow traffic from the VPC to S3.
E. Use an IAM policy with a condition key aws:SourceIp to restrict access to the VPC CIDR.
Answers: B, C

IAM policies can restrict based on VPC endpoint ID.

Why this answer

Option B is correct because the `aws:SourceVpce` condition key in an IAM policy allows you to restrict access to an S3 bucket to requests that originate from a specific VPC endpoint (VPC Endpoint ID). This ensures that only traffic coming through that VPC endpoint can access the bucket, effectively limiting access to the VPC. Option C is also correct because you can configure a VPC endpoint for S3 and attach a bucket policy that explicitly allows access only from that endpoint using the `aws:SourceVpce` condition, achieving the same restriction.

Exam trap

The trap here is that candidates often confuse IAM policies with bucket policies or think that security groups or network ACLs can directly control access to S3, but S3 is a managed service and does not process security group or NACL rules; only bucket policies and IAM policies with VPC endpoint conditions can enforce such restrictions.

57
Multi-Select · hard

Which TWO of the following are valid use cases for IAM permissions boundaries? (Choose TWO.)

Select 2 answers
A. To allow cross-account access to an S3 bucket
B. To prevent an IAM user from escalating privileges
C. To allow developers to create roles with limited permissions
D. To delegate permission management to non-administrators
E. To restrict access to an S3 bucket based on IP address
Answers: B, C

Boundaries limit the maximum permissions.

Why this answer

Options A and D are valid uses. Option B is incorrect because permissions boundaries don't delegate administration. Option C is incorrect because boundaries are applied to IAM entities, not resource-based policies.

Option E is incorrect because cross-account access is governed by trust policies, not boundaries.

58
MCQ · easy

An administrator needs to allow a Lambda function to write logs to CloudWatch Logs. What is the BEST way to grant these permissions?

A. Store AWS credentials in the Lambda function code.
B. Attach a resource-based policy to the Lambda function.
C. Create an IAM role with the necessary CloudWatch Logs permissions and assign it as the Lambda function's execution role.
D. Attach the AdministratorAccess managed policy to the Lambda function's execution role.
Answer: C

Standard best practice for Lambda permissions.

Why this answer

Option B is correct: attach an execution role to the Lambda function that includes permissions for logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Option A uses resource-based policy which is not typical for Lambda. Option C is overly permissive.

Option D uses user credentials, not best practice.

59
MCQ · hard

A security engineer is designing an IAM policy to allow an application running on an EC2 instance to read objects from a specific S3 bucket (my-bucket) and write objects to a different S3 bucket (my-other-bucket). The application uses an IAM role with the following trust policy. Which additional policy should be attached to the role to meet the requirements with least privilege?

A. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::*/*" } ] }
B. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }
C. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*" }, { "Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::my-other-bucket/*" } ] }
D. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*" } ] }
Answer: C

Correctly scopes read to my-bucket and write to my-other-bucket.

Why this answer

Option C is correct because it uses separate statements for read and write actions, with resource ARNs limited to the respective buckets, and does not include unnecessary actions. Option D grants s3:PutObject to the wrong bucket. Option B grants full S3 access.

Option A uses a wildcard for resources.

60
Multi-Select · medium

A company wants to enforce that all IAM users use MFA. Which THREE actions should be taken to achieve this?

Select 3 answers
A. Set an IAM password policy requiring MFA.
B. Enable MFA devices for all IAM users.
C. Create an IAM policy that denies all actions unless MFA is authenticated.
D. Use IAM Access Analyzer to validate policies.
E. Use AWS Single Sign-On (SSO) with MFA.
Answers: B, C, D

MFA must be enabled on each user.

Why this answer

Option B is correct because enabling MFA devices for all IAM users is a prerequisite for enforcing MFA usage. Without an assigned MFA device, a user cannot authenticate via MFA, and any policy requiring MFA would lock them out. This action ensures each user has a physical or virtual MFA device associated with their IAM user account.

Exam trap

The trap here is confusing IAM password policy settings with MFA enforcement mechanisms, leading candidates to select option A, which does not exist in AWS IAM.

61
MCQ · medium

A security engineer needs to enforce that all IAM users in an AWS account use multi-factor authentication (MFA) when making API calls. What is the MOST effective way to enforce this?

A. Enable MFA for the root user.
B. Enable CloudTrail to log MFA usage.
C. Attach an IAM policy that denies all actions unless MFA is present.
D. Use an AWS Organizations service control policy (SCP) that denies all actions unless MFA is present.
Answer: D

Enforces MFA at the account level, overriding any IAM policies.

Why this answer

Option D is correct because a service control policy (SCP) can be applied at the account level to deny all actions if MFA is not present. Option A is wrong because it only applies to the root user. Option C is wrong because IAM policies can be attached to users but can be overridden.

Option B is wrong because CloudTrail logs do not enforce MFA.

62
MCQ · hard

A security engineer needs to ensure that an IAM role can be assumed only from a specific VPC. Which IAM policy condition key should be used?

A. aws:RequestedRegion
B. aws:VpcSourceIp
C. aws:SourceVpc
D. aws:SourceIp
Answer: C

Restricts to the specified VPC.

Why this answer

Option C is correct because aws:SourceVpc restricts requests to originate from a specific VPC. Option D is wrong because aws:SourceIp is for IP addresses. Option B is wrong because aws:VpcSourceIp is not a condition key.

Option A is wrong because aws:RequestedRegion is for region.

63
MCQ · medium

A company has a policy that all IAM users must rotate their access keys every 90 days. How can this be enforced?

A. Use AWS Config to check key age and automatically deactivate old keys
B. Use an IAM password policy to set the key rotation period
C. Use AWS CloudTrail to monitor key usage and send alerts
D. Use an IAM policy with a condition for key age
Answer: A

AWS Config rules can check key age and trigger Lambda to deactivate old keys.

Why this answer

There is no built-in IAM policy condition for access key age, so rotation cannot be enforced from inside a policy. Option A is correct because AWS Config rules can check key age and trigger an automated remediation, such as a Lambda function that deactivates keys older than 90 days; that is enforcement rather than notification alone.

Option D is wrong because IAM does not have a built-in key-age condition or key rotation policy. Option B is wrong because the password policy is for passwords, not access keys. Option C is wrong because CloudTrail is for logging, not enforcement.
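The remediation step that question 63 describes, written out as an added example (not part of the question bank). The decision logic is a pure function so it can be checked offline against constructed key metadata; `enforce_key_age` wires that logic to the IAM API with boto3 and is what a scheduled Lambda function, or the remediation action of an AWS Config rule, would call. Function names, the sample users and the `AKIAEXAMPLE...` key IDs are this example's own.

```python
"""Deactivate IAM access keys older than a maximum age (added example)."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90


def keys_to_deactivate(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_id) pairs for Active keys older than max_age_days.

    `keys` is a list of dicts shaped like IAM's AccessKeyMetadata:
    {"UserName": ..., "AccessKeyId": ..., "Status": "Active"|"Inactive",
     "CreateDate": timezone-aware datetime}. Inactive keys are skipped so
    repeated runs are idempotent; a key exactly at the limit is kept.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [
        (k["UserName"], k["AccessKeyId"])
        for k in keys
        if k["Status"] == "Active" and k["CreateDate"] < cutoff
    ]


def list_all_access_keys(iam):
    """Collect AccessKeyMetadata for every IAM user, following pagination."""
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            for key_page in iam.get_paginator("list_access_keys").paginate(UserName=name):
                keys.extend(key_page["AccessKeyMetadata"])
    return keys


def enforce_key_age(iam=None, now=None, max_age_days=MAX_KEY_AGE_DAYS, dry_run=True):
    """Deactivate (not delete) over-age keys so a mistake stays reversible.

    Returns the list of keys that were (or, in dry-run mode, would be)
    deactivated. Requires credentials that can list and update access keys.
    """
    import boto3  # imported here so the decision logic above is testable offline
    iam = iam or boto3.client("iam")
    now = now or datetime.now(timezone.utc)
    stale = keys_to_deactivate(list_all_access_keys(iam), now, max_age_days)
    for user, key_id in stale:
        if not dry_run:
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        print(f"{'would deactivate' if dry_run else 'deactivated'} {key_id} for {user}")
    return stale


# Constructed sample data for an offline run (not real users or keys).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=120)},   # over age -> deactivate
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=30)},    # fresh -> keep
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": SAMPLE_NOW - timedelta(days=400)},   # already inactive -> skip
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=90)},    # exactly at the limit -> keep
]

if __name__ == "__main__":
    print(keys_to_deactivate(SAMPLE_KEYS, SAMPLE_NOW))
```

Deactivating rather than deleting is deliberate: an inactive key can be re-enabled if a workload turns out to depend on it, while deletion cannot be undone. Run with `dry_run=True` first and review the printed list before letting the function change key status.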

64
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create or modify IAM roles. What is the MOST effective way to enforce this?

A. Use AWS Config rules to detect role creation and automatically delete the roles.
B. Set up a Lambda function that monitors CloudTrail and revokes role creation permissions.
C. Create an SCP that denies iam:CreateRole and iam:UpdateAssumeRolePolicy and attach it to the root organizational unit.
D. Create an IAM policy that denies role creation and attach it to each user in every account.
Answer: C

SCPs can centrally restrict permissions across accounts.

Why this answer

A service control policy (SCP) can be applied to the root organizational unit to deny the specified actions across all accounts.

65
MCQ · hard

An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?

A. Denies all actions that are not made over HTTPS
B. Allows all actions only when using HTTPS
C. Enforces HTTPS for S3 bucket policies only
D. Blocks all actions for a specific AWS service
Answer: A

Correctly denies when SecureTransport is false.

Why this answer

This policy statement uses the `aws:SecureTransport` condition key with a `Bool` condition set to `false`. When the condition evaluates to true (i.e., the request is not using HTTPS/TLS), the `Deny` effect applies to all actions on all resources. This effectively denies any API call made over HTTP (non-secure transport), ensuring that only HTTPS requests are allowed.

The policy does not explicitly allow anything; it only denies non-HTTPS traffic, so all actions are implicitly allowed when made over HTTPS.

Exam trap

The trap here is that candidates often confuse a `Deny` with a `Bool` condition as an implicit `Allow` for the opposite condition, but the policy only denies non-HTTPS requests and does not grant any explicit allow, so all actions are allowed by default when HTTPS is used.

How to eliminate wrong answers

Option B is wrong because the policy does not contain an `Allow` statement; it only denies non-HTTPS requests, so it does not affirmatively allow actions. Option C is wrong because the policy applies to all AWS services and resources, not just S3 bucket policies; the `Resource` is `*`, meaning it covers every service. Option D is wrong because the policy does not block all actions for a specific service; it blocks all actions across all services only when the request is not using HTTPS.

66
Multi-Select · hard

A security engineer is designing a permissions boundary for an IAM user. Which TWO statements about permissions boundaries are correct?

Select 2 answers
A. Permissions boundaries can be applied to service-linked roles.
B. Permissions boundaries can only be applied to IAM users, not roles.
C. The effective permissions are the intersection of the identity-based policy and the permissions boundary.
D. Permissions boundaries can override resource-based policies.
E. A permissions boundary alone does not grant permissions; an identity-based policy is also required.
Answers: C, E

Intersection of both policies.

Why this answer

Options C and E are correct. E: A permissions boundary limits the maximum permissions for the user, but the user must also have an identity-based policy granting the actions. C: The effective permissions are the intersection of the boundary and the identity-based policy.

Option D is wrong because resource-based policies are not affected by boundaries. Option A is wrong because boundaries do not affect service-linked roles. Option B is wrong because boundaries can be used with roles as well.

67
MCQ · hard

A security engineer notices that an IAM role allows an EC2 instance to access a DynamoDB table. The instance is compromised. What is the best way to immediately revoke the instance's access without affecting other resources that use the same role?

A. Attach a permissions boundary to the role that denies all DynamoDB actions.
B. Stop the EC2 instance.
C. Modify the trust policy of the role to deny the instance's ARN.
D. Delete the IAM role.
Answer: A

A permissions boundary can restrict the role's permissions without deleting it.

Why this answer

Option A is correct: using a permissions boundary can limit the role's permissions. Option D is wrong because deleting the role would affect all resources using it. Option B is wrong because stopping the instance may not be immediate and could be delayed.

Option C is wrong because modifying the trust policy would break all instances using that role.

68
MCQ · medium

A company needs to allow an external auditor to access a specific S3 bucket for 30 days. The auditor does not have an AWS account. What is the MOST secure way to grant temporary access?

A. Create an IAM user with long-term credentials and share them with the auditor.
B. Use AWS STS to issue temporary credentials via a custom identity broker.
C. Grant access via a bucket policy using the auditor's email address as a condition.
D. Create an IAM role and allow the auditor to assume it using SAML federation.
Answer: B

Temporary credentials can be issued after authenticating the auditor externally.

Why this answer

Option B is correct: use AWS STS to generate temporary credentials for the auditor after authenticating them through a custom identity broker. This is the recommended approach for granting access to external users who have no AWS account. Option A is not secure because it shares long-term credentials. Option D is not possible because the auditor has no AWS account and cannot assume a role directly.

Option C is not possible because there is no trust relationship through which an email address could be verified.

69
MCQ · medium

A company wants to allow users from an external AWS account to assume an IAM role in its account. What must be configured in both accounts?

A. An IAM password policy in both accounts.
B. Only the trusting account's role trust policy.
C. Only the external account's IAM policy to allow sts:AssumeRole.
D. Both the trusting account's role trust policy and the external account's IAM policy to allow sts:AssumeRole.
Answer: D

Cross-account access requires both sides: trust policy and permissions policy.

Why this answer

Option D is correct because the trusting account (role owner) must have a trust policy allowing the external account, and the external account must have a policy granting its users permission to assume the role. Option B is wrong because the trusting account's trust policy alone is not enough. Option C is wrong because the external account's sts:AssumeRole grant alone is not enough.

Option A is wrong because neither account needs a password policy.

70
MCQ · medium

A security engineer notices that an IAM user, 'svc-backup', has full S3 access (s3:*) to all buckets. The engineer wants to restrict the user to only put objects into a specific bucket named 'mycompany-backup' and deny all other S3 actions. Which IAM policy should be attached?

A. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::mycompany-backup/*"}]}
B. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","NotAction":"s3:PutObject","Resource":"*","Condition":{...}}]}
C. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::mycompany-backup/*"}]}
D. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::mycompany-backup/*"},{"Effect":"Deny","Action":"s3:*","Resource":"*"}]}
Answer: D

This allows only PutObject and denies all other S3 actions, effectively restricting the user.

Why this answer

Option D is correct because it explicitly allows s3:PutObject on the target bucket and denies all other S3 actions. Option A is wrong because it only allows s3:PutObject but does not deny other actions, so other S3 actions would still be allowed if the user has another policy granting them. Option C is wrong because it allows all S3 actions on the bucket, which is too broad.

Option B is wrong because it denies all S3 actions except PutObject, but the Deny effect with NotAction can be confusing; the more straightforward approach is Option D.

71
MCQ · medium

A security engineer discovers that an IAM policy allows 'iam:CreateUser' and 'iam:CreateAccessKey' for all users in the account. Which risk does this pose?

A. Users can create new IAM users and programmatic access keys
B. Users can disable CloudTrail logging
C. Users can decrypt data in S3
D. Users can modify VPC security groups
Answer: A

This allows creation of new users and keys, which can be used for unauthorized access.

Why this answer

Option A is correct because creating access keys allows programmatic access, and creating users allows creation of new identities. Option B is incorrect because the permissions do not directly affect logging. Option C is incorrect because they do not directly affect encryption.

Option D is incorrect because they do not directly affect network traffic.

72
MCQ · medium

A developer needs to allow an EC2 instance to read from a DynamoDB table named 'Orders' in the same account. The security team requires that the permissions be granted using an instance profile. Which steps should be taken?

A. Create an IAM role with a policy that allows dynamodb:GetItem on the 'Orders' table, create an instance profile, add the role to the profile, and launch the EC2 instance with the instance profile
B. Create an instance profile and attach a policy to it, then launch the EC2 instance with the instance profile
C. Create an IAM role with the required policy, then attach the role directly to the EC2 instance during launch
D. Create an IAM user with programmatic access, store the access key in a secure S3 bucket, and have the EC2 instance retrieve the credentials at startup
Answer: A

This is the standard procedure for granting permissions to EC2 instances.

Why this answer

Option A is correct because the IAM role is created with the policy, the instance profile is created, the role is added to the profile, and the EC2 instance is launched with that profile. Option C is wrong because the role itself is not attached directly to the instance; the instance profile must be used. Option D is wrong because storing credentials on the instance is insecure.

Option B is wrong because an instance profile only wraps a role; the policy belongs on the role, which the instance then assumes automatically.

73
MCQ · medium

An IAM policy has the following statement: { "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:SecureTransport": "false" } } }. What does this policy do?

A. Denies all S3 access for any request.
B. Requires MFA for all S3 access.
C. Allows all S3 access only if using HTTPS.
D. Denies all S3 access if the request is not using HTTPS.
Answer: D

The condition checks for false SecureTransport.

Why this answer

Option D is correct because the policy denies all S3 actions when the request is not using HTTPS (SecureTransport false). Option A is wrong because the policy denies only non-HTTPS requests. Option C is wrong because the policy does not allow anything.

Option B is wrong because the policy does not require MFA.

74
Multi-Select · hard

A security engineer is reviewing an IAM policy that allows access to an S3 bucket. The policy includes a condition that checks 'aws:SourceIp'. However, users report they can still access the bucket from IP addresses not in the allowed list. Which THREE possible reasons could explain this behavior?

Select 3 answers
A. The policy is attached to an IAM group, but the user is not a member of that group
B. The 'aws:SourceIp' condition key is not supported for S3 actions
C. The policy is attached to an IAM role that is used by an AWS service, and the condition does not apply to service principals
D. The condition key is misspelled, causing the condition to be ignored
E. The bucket policy allows public access, overriding the IAM policy
Answers: C, D, E

If the role is assumed by a service, the source IP may not be the end user's IP.

Why this answer

Option C is correct because when an IAM role is assumed by an AWS service (e.g., AWS Lambda, EC2), the `aws:SourceIp` condition key does not apply to requests made by the service principal. The source IP address in such cases is the service's internal IP, not the end user's IP, and the condition is evaluated against the service's principal context, which does not include a source IP. This means the condition is effectively ignored for service-invoked actions, allowing access from any IP.

Exam trap

The trap here is that candidates assume `aws:SourceIp` always applies to all requests, but they overlook that when an AWS service assumes a role, the condition is evaluated against the service's principal context, not the original client's IP, causing the condition to be ignored.

75
Multi-Select · hard

A security engineer is designing a solution to allow an external auditor to access logs in an S3 bucket in the company's AWS account. The auditor does not have an AWS account. The engineer needs to grant read-only access to the specific bucket for a limited time. Which TWO actions should the engineer take? (Choose two.)

Select 2 answers
A. Enable S3 Access Analyzer on the bucket to generate findings for the auditor.
B. Create a cross-account IAM role in the company's account and share the role ARN with the auditor.
C. Use AWS STS to issue temporary credentials that the auditor can use to access the bucket.
D. Generate a pre-signed URL for each log file the auditor needs to access.
E. Configure the bucket policy to grant access to 'Principal': '*' with a condition that limits access to the auditor's IP address.
Answers: C, D

STS can issue temporary credentials with a specified expiration; the auditor can use these to access the bucket.

Why this answer

Option C is correct because AWS Security Token Service (STS) can issue temporary, limited-privilege credentials (access key, secret key, and session token) that the auditor can use to authenticate API requests to the S3 bucket. This approach does not require the auditor to have an AWS account and allows the engineer to control the validity period (via the DurationSeconds parameter) to enforce a limited time window. Option D is correct because a pre-signed URL embeds temporary credentials and a specific expiration time, granting read-only access to a single object without requiring the auditor to have AWS credentials or an AWS account.

Exam trap

The trap here is that candidates often choose cross-account IAM roles (Option B) without realizing that the external user must have an AWS account to assume the role, which is explicitly not the case in this scenario.
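The identity-broker pattern that questions 68 and 75 describe, as an added example (not part of the question bank): once the broker has authenticated the auditor by its own means, it calls STS `GetFederationToken` with a session policy that caps the auditor at read-only access to one bucket, and the `DurationSeconds` parameter sets the expiry. `build_auditor_session_policy` and `clamp_duration` are pure and run offline; `issue_auditor_credentials` needs boto3 and credentials for the broker's IAM user. Function names, the bucket name and the auditor name are this example's own; the 900-to-129,600-second range is the documented GetFederationToken limit for an IAM user.

```python
"""Broker-issued temporary credentials for an external auditor (added example)."""
import json

# GetFederationToken session limits when called by an IAM user (seconds).
MIN_FEDERATION_SECONDS = 900        # 15 minutes
MAX_FEDERATION_SECONDS = 129_600    # 36 hours


def build_auditor_session_policy(bucket, prefix=""):
    """Inline session policy passed to GetFederationToken.

    The federated user's effective permissions are the intersection of this
    document and the broker user's own policy, so this is the ceiling: list
    the one bucket (only under `prefix`) and read objects under `prefix`.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def clamp_duration(requested_seconds):
    """Reject out-of-range sessions instead of silently changing them.
    A 30-day engagement is covered by re-issuing on each broker login,
    not by one long-lived session."""
    if not MIN_FEDERATION_SECONDS <= requested_seconds <= MAX_FEDERATION_SECONDS:
        raise ValueError(
            f"duration must be between {MIN_FEDERATION_SECONDS} and "
            f"{MAX_FEDERATION_SECONDS} seconds, got {requested_seconds}")
    return requested_seconds


def issue_auditor_credentials(auditor_name, bucket, prefix="", duration_seconds=3600, sts=None):
    """Return the AccessKeyId / SecretAccessKey / SessionToken / Expiration
    set for the auditor. Call only after the broker has authenticated them."""
    import boto3  # local import keeps the policy logic importable without boto3
    sts = sts or boto3.client("sts")
    response = sts.get_federation_token(
        Name=auditor_name[:32],   # federated user name: 2-32 characters
        Policy=json.dumps(build_auditor_session_policy(bucket, prefix)),
        DurationSeconds=clamp_duration(duration_seconds),
    )
    return response["Credentials"]


def allowed_resources(policy):
    """Every Resource ARN a generated policy names (used to check it)."""
    return sorted(stmt["Resource"] for stmt in policy["Statement"])


if __name__ == "__main__":
    # Constructed bucket and prefix; no AWS call is made here.
    print(json.dumps(build_auditor_session_policy("example-audit-logs", "2024/"), indent=2))
```

The auditor drops the returned credential set into the AWS CLI or an SDK like any other session; the federated user's name appears in CloudTrail, so each broker login is attributable. Because a single federation session cannot exceed 36 hours, the broker re-authenticates the auditor and issues a fresh set on each visit during the 30-day window, which is also what makes early revocation straightforward: stop issuing. Where the auditor needs only a handful of specific objects, the pre-signed URL in option D avoids a session entirely.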
