SCS-C02 · topic practice

Identity and Access Management practice questions

Practise AWS Certified Security Specialty SCS-C02 Identity and Access Management practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Identity and Access Management

What the exam tests

What to know about Identity and Access Management

Identity and Access Management questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Identity and Access Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Identity and Access Management questions

20 questions · select your answer, then reveal the explanation

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?

A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?

An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?

An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?

A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?

An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?

A solutions architect needs to design a system where an EC2 instance can write logs to CloudWatch Logs. Which IAM entity should be used to grant permissions to the EC2 instance?

A security administrator discovers that an IAM user has been deleted accidentally. What is the correct way to restore the user's access?

Which TWO actions can be performed using AWS IAM? (Choose two.)

Which THREE factors should be considered when designing IAM policies for cross-account access? (Choose three.)

Which TWO are valid ways to authenticate to AWS for API calls? (Choose two.)

Refer to the exhibit. An IAM policy is attached to a group. An IAM user in that group attempts to stop an EC2 instance from IP address 198.51.100.10. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Refer to the exhibit. A security engineer runs the command above. Which of the following is true about the role MyRole?

Exhibit

$ aws iam get-role --role-name MyRole
{
  "Role": {
    "Path": "/",
    "RoleName": "MyRole",
    "Arn": "arn:aws:iam::123456789012:role/MyRole",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}

A company has a multi-account AWS Organization with three accounts: Management, Development, and Production. The Security team uses the Management account to manage IAM policies centrally. They have created a service control policy (SCP) named 'RestrictRootAccess' that denies all actions for the root user in all accounts. The SCP is attached to the root organizational unit. The Development account has an IAM role 'DevAdmin' with full administrator access via an IAM policy. The role's trust policy allows the Management account's 'SecurityAudit' role to assume it. A security engineer in the Management account assumes the 'SecurityAudit' role and then tries to assume the 'DevAdmin' role in the Development account. The assumption fails with an 'AccessDenied' error. What is the most likely cause?

Question 15 · medium · multiple choice

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the production account must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?

A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?

An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "*"
    }
  ]
}

A company has a single AWS account with multiple IAM users. The administrator created an IAM policy that allows all users to launch EC2 instances, but only if they use a specific AMI ID (ami-12345678) and a specific instance type (t3.micro). The policy uses a condition that checks the EC2 instance type and AMI ID. However, a user is able to launch an EC2 instance with a different AMI ID and a larger instance type. The administrator reviews the policy and confirms that the condition is correctly written. What is the most likely reason that the policy is not working as expected?

A company has an S3 bucket policy that allows cross-account access for a specific IAM role in another account. The bucket policy includes a Principal element with the ARN of the role. However, users in the other account that assume the role are unable to access the bucket. Which of the following is the MOST likely cause?


Frequently asked questions

What does the SCS-C02 exam test about Identity and Access Management?
Identity and Access Management questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Identity and Access Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Identity and Access Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SCS-C02 topics?
Use the topic links above to move to related areas, or go back to the SCS-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SCS-C02 exam covers. They are not copied from any real exam or dump site.