CCNA IAM Questions

75 of 279 questions · Page 2/4 · IAM topic

76
MCQ · medium

A company wants to allow its employees to authenticate to the AWS Management Console using their existing corporate credentials. Which AWS service should be used to integrate with the company's identity provider?

A. AWS Secrets Manager
B. AWS Directory Service for Microsoft Active Directory
C. AWS Certificate Manager
D. AWS IAM Identity Center (AWS SSO)
Answer: D

IAM Identity Center supports federation with external IdPs.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it is specifically designed to enable single sign-on (SSO) from an external identity provider (IdP) to AWS accounts and business applications. It supports federation via SAML 2.0 or OIDC, allowing employees to authenticate using their existing corporate credentials and then access the AWS Management Console without needing separate IAM users.

Exam trap

The trap here is that candidates often confuse AWS Directory Service for Microsoft Active Directory with federation, but Directory Service is for managing AD domains in AWS, not for integrating with an external corporate IdP to provide SSO to the AWS console—that requires IAM Identity Center or IAM SAML federation.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is a service for securely storing and rotating secrets (e.g., database credentials, API keys), not for federating identity or integrating with an external IdP for console access. Option B is wrong because AWS Directory Service for Microsoft Active Directory is used to create a managed Microsoft AD domain in AWS or connect to an on-premises AD, but it does not directly provide the federation layer to authenticate corporate users to the AWS Management Console via an external IdP; that requires IAM Identity Center or IAM SAML federation. Option C is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates for securing network traffic, not identity federation or authentication to the AWS console.

77
MCQ · medium

A company uses IAM roles for cross-account access. Developers in Account A need to assume a role in Account B. What must be true for the AssumeRole call to succeed?

A. Account A must have an SCP that allows sts:AssumeRole
B. The user in Account A must have MFA enabled
C. The role's trust policy must allow Account A and the user must have sts:AssumeRole permission
D. The role in Account B must have a permissions boundary
Answer: C

Both conditions are required.

Why this answer

Option C is correct because the trust policy of the role in Account B must allow Account A, and the user in Account A must have sts:AssumeRole permission. Option A is wrong because an SCP in Account A is not what makes the call succeed; it might already allow it. Option B is wrong because MFA is not required. Option D is wrong because a permissions boundary on the role is not a requirement.

78
MCQ · easy

A company requires that all access to its S3 buckets be logged for compliance. Which AWS service should be used to record API calls to S3?

A. Amazon GuardDuty
B. Amazon Inspector
C. AWS Config
D. AWS CloudTrail
Answer: D

CloudTrail records API calls for auditing.

Why this answer

AWS CloudTrail records API calls for auditing. Option A is wrong because Amazon GuardDuty detects threats. Option B is wrong because Amazon Inspector assesses vulnerabilities. Option C is wrong because AWS Config tracks resource configuration changes.

79
MCQ · hard

A security engineer is designing a cross-account IAM role to allow users in Account A to access resources in Account B. The engineer wants to restrict access to only users who have authenticated with multi-factor authentication (MFA) in Account A. What condition key should the engineer use in the trust policy of the IAM role in Account B?

A. aws:SourceIp
B. aws:MultiFactorAuthPresent
C. aws:RequestedRegion
D. aws:UserAgent
Answer: B

This condition key checks whether the user authenticated with MFA.

Why this answer

Option B is correct because aws:MultiFactorAuthPresent is the condition key that checks MFA status. Option A is wrong because aws:SourceIp checks the source IP. Option C is wrong because aws:RequestedRegion checks the region. Option D is wrong because aws:UserAgent checks the user agent string.

80
MCQ · hard

An organization uses AWS KMS to encrypt S3 objects. They want to allow a developer to decrypt objects only if the request comes from a specific IP address range. Which IAM policy condition should be used?

A. Condition with kms:GrantOperations and aws:SourceIp.
B. Condition with kms:CallerAccount and aws:SourceIp.
C. Condition with kms:EncryptionContext and aws:SourceIp.
D. Condition with kms:ViaService and aws:SourceIp.
Answer: D

kms:ViaService ensures the request comes through S3, and aws:SourceIp restricts the IP.

Why this answer

Option D is correct because the kms:ViaService condition ensures the request goes through S3, and aws:SourceIp restricts the IP. Option A is wrong because kms:GrantOperations is for grants, not IP. Option B is wrong because kms:CallerAccount is for the account, not IP. Option C is wrong because kms:EncryptionContext is for the encryption context, not IP.

81
MCQ · hard

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The security team wants to ensure that if the EC2 instance is compromised, the attacker cannot use the role credentials to access resources outside the account. What should the security team do?

A. Store the role credentials in AWS Secrets Manager and rotate them frequently.
B. Use an instance profile with a short-lived session token.
C. Use an SCP to deny all actions except S3 access for the role.
D. Attach a permissions boundary to the IAM role that limits access to only the required S3 bucket.
Answer: D

Permissions boundaries set the maximum permissions for the role.

Why this answer

Using a permissions boundary restricts the maximum permissions the role can have, limiting the impact of a compromised instance.

82
MCQ · easy

A company uses AWS Organizations and wants to delegate administration of IAM Access Analyzer to a member account. Which AWS service should be used to enable this delegation?

A. AWS Service Catalog
B. AWS Organizations
C. AWS CloudTrail
D. AWS Config
Answer: B

You can register a delegated administrator for IAM Access Analyzer using AWS Organizations.

Why this answer

Option B is correct because IAM Access Analyzer administration is delegated through AWS Organizations. Option A is incorrect because AWS Service Catalog is for creating and managing catalogs of IT services. Option C is incorrect because AWS CloudTrail is for logging. Option D is incorrect because AWS Config is for resource compliance.

83
MCQ · medium

A security engineer is investigating an IAM role that was used to access AWS resources from an external account. The role has a trust policy that allows the external account to assume it. Which of the following is a required step for the external account to use the role?

A. Configure the role to require MFA for the external account.
B. Create a new IAM role in the external account with a trust policy allowing the role's ARN.
C. Add the external account's root user ARN to the role's trust policy.
D. Attach an IAM policy to an IAM user in the external account that allows sts:AssumeRole for the role ARN.
Answer: D

The external user needs permission to assume the role.

Why this answer

Option D is correct because the external account must have an IAM user or role with sts:AssumeRole permission targeting the role ARN. Option A is wrong because MFA is not required unless the trust policy specifies it. Option B is wrong because the external account does not need to create a new role. Option C is wrong because the trust policy lives on the role in the trusting account, not in the external account, and it already allows the external account.

84
Multi-Select · medium

Which THREE of the following are best practices for managing IAM access keys? (Choose THREE.)

A. Use IAM roles for EC2 instances instead of access keys
B. Use long-lived access keys for applications
C. Delete unused access keys
D. Embed access keys in application code for convenience
E. Rotate access keys regularly
Answers: A, C, E

Roles are more secure than embedding keys.

Why this answer

Options A, C, and E are best practices. Option B is not a best practice because access keys should be rotated, not kept indefinitely. Option D is incorrect because access keys should not be embedded in code; use roles instead.

85
MCQ · easy

A company wants to allow an external auditor to assume a read-only role in their AWS account. The auditor's AWS account ID is 123456789012. Which trust policy should be attached to the role?

A. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] }
B. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole" } ] }
C. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/Auditor" }, "Action": "sts:AssumeRole" } ] }
D. { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "123456789012" }, "Action": "sts:AssumeRole" } ] }
Answer: A

Allows the external account root with MFA requirement, secure and standard.

Why this answer

Option A is correct because it grants the external auditor's AWS account (via its root principal ARN) permission to assume the read-only role, while enforcing multi-factor authentication (MFA) as a security best practice. The `sts:AssumeRole` action is the standard mechanism for cross-account role assumption, and the `aws:MultiFactorAuthPresent` condition ensures the auditor uses MFA, reducing the risk of compromised credentials.

Exam trap

The trap here is that candidates often overlook the MFA condition or incorrectly specify a specific user ARN, failing to recognize that the root principal ARN is the correct way to grant access to an entire external account while maintaining flexibility and security.

How to eliminate wrong answers

Option B is wrong because it lacks the MFA condition, which is a critical security control for external access; without it, the auditor could assume the role without MFA, violating the principle of least privilege and increasing risk. Option C is wrong because it specifies a specific IAM user (`user/Auditor`) rather than the entire account (`root`), which is inflexible and would require updating the policy if the auditor's username changes or if multiple auditors need access. Option D is wrong because it uses `Deny` instead of `Allow`, which would explicitly block the auditor from assuming the role, and the principal format is invalid (missing `arn:aws:iam::` prefix).

86
Multi-Select · easy

Which TWO are IAM best practices? (Choose two.)

A. Avoid using IAM roles and instead attach policies directly to users.
B. Use the root user for everyday administrative tasks.
C. Grant broad permissions to all users to simplify management.
D. Use conditions in IAM policies to restrict access based on tags or IP addresses.
E. Use IAM roles for applications that run on EC2 instances.
Answers: D, E

Conditions help enforce context-specific access.

Why this answer

Option D is correct because using conditions in IAM policies (e.g., `aws:SourceIp`, `aws:RequestTag`) allows you to enforce fine-grained access control based on contextual attributes like IP addresses or resource tags. This follows the principle of least privilege by restricting permissions to only the necessary scope, reducing the attack surface. For example, you can deny access to S3 buckets unless the request originates from a corporate IP range.

Exam trap

The trap here is that candidates often confuse IAM roles with IAM users, mistakenly thinking roles are only for cross-account access, when in fact roles are the recommended mechanism for granting permissions to AWS services like EC2, Lambda, and ECS.

87
MCQ · medium

A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?

A. An IAM role with a trust policy for the SAML provider
B. An OIDC identity provider
C. An IAM user for each Active Directory user
D. A federation role type
Answer: A

The role trust policy allows the SAML provider to issue tokens for the role.

Why this answer

A is correct because when using SAML-based federation, IAM roles are the mechanism to grant permissions to federated users. The role must have a trust policy that specifies the SAML identity provider as the principal, allowing users authenticated by the corporate Active Directory to assume the role and obtain temporary AWS credentials. This maps the SAML assertion attributes (such as the user's group or role) to IAM permissions via the role's permissions policy.

Exam trap

The trap here is that candidates confuse the IAM role trust policy with the SAML identity provider configuration itself, thinking the provider alone grants permissions, rather than understanding that the role bridges the SAML assertion to AWS permissions.

How to eliminate wrong answers

Option B is wrong because OIDC (OpenID Connect) is a separate identity federation protocol used for web identity providers like Google or Amazon Cognito, not for SAML-based Active Directory federation. Option C is wrong because creating an IAM user for each Active Directory user defeats the purpose of federation—it would require managing duplicate identities and credentials outside the corporate directory. Option D is wrong because 'federation role type' is not a valid IAM entity; IAM roles are categorized by trust policy type (e.g., service role, cross-account role, or identity provider role), but there is no distinct 'federation role type' in the AWS API or console.

88
MCQ · medium

A company wants to allow cross-account access to an S3 bucket in Account A for a user in Account B. What is the correct combination of steps?

A. Add a bucket policy in Account A allowing access to the user in Account B, and attach an IAM policy to the user in Account B allowing access to the bucket.
B. Create an IAM role in Account A with access to the bucket, and have the user in Account B assume that role.
C. Add a bucket policy in Account A allowing access to Account B, and no action is needed in Account B because the user already has permissions.
D. Add a bucket policy in Account A allowing access to Account B, and attach an IAM policy to the user in Account B allowing access to the bucket.
Answer: D

Both policies are required for cross-account access.

Why this answer

Option D is correct because cross-account access requires both a bucket policy in Account A that allows Account B and an IAM policy on the user in Account B that allows access to the bucket. Option A is wrong because, as the question is framed, the bucket policy grants Account B rather than an individual user ARN; the per-user grant belongs in the IAM policy in Account B. Option B is wrong because a role would need to be assumed, but the question asks for user access. Option C is wrong because the bucket policy alone is not sufficient; the user also needs permissions.

89
Multi-Select · hard

Which THREE are valid ways to grant cross-account access to an S3 bucket? (Choose three.)

A. Use an IAM user in the source account with access keys.
B. Create an IAM role in the target account and allow the source account to assume it.
C. Use an S3 access point with a policy that allows cross-account access.
D. Create a bucket policy that grants access to the other account's root user.
E. Set the bucket ACL to grant full control to the other account.
Answers: B, C, D

Cross-account role assumption is a common pattern.

Why this answer

Options B, C, and D are correct. A bucket policy that grants the other account's root user ARN (D), an IAM role in the target account that the source account can assume (B), and an S3 access point with a policy that allows cross-account access (C) all grant cross-account access. Option A is not a valid method. Option E allows list but not full access.

90
MCQ · easy

A company has an AWS Lambda function that processes sensitive data stored in an Amazon S3 bucket. The Lambda function needs to read objects from the S3 bucket and write results to a different S3 bucket. The security engineer is configuring IAM permissions for the Lambda execution role. The engineer wants to follow the principle of least privilege. The Lambda function is triggered by S3 events from the source bucket. The engineer creates an IAM policy that grants s3:GetObject on the source bucket and s3:PutObject on the destination bucket. However, when testing, the Lambda function fails with an access denied error when trying to process an object. The error message indicates that the Lambda function does not have permission to list the objects in the source bucket. The engineer checks the S3 event notification configuration and confirms that the event is configured correctly. What should the engineer do to resolve the issue?

A. Add s3:ListBucket permission for the source bucket to the Lambda execution role.
B. Add s3:GetObject permission for the destination bucket to the Lambda execution role.
C. Add s3:* permission for both buckets to the Lambda execution role.
D. Add s3:PutObject permission for the source bucket to the Lambda execution role.
Answer: A

Correct: grants the required list permission.

Why this answer

Option A is correct: the Lambda function needs s3:ListBucket permission on the source bucket. The event notification provides the object key, but the function may still need list permission for certain operations (e.g., if it uses S3 batch operations or if the SDK performs a list). Option B is incorrect because the issue is not with the destination bucket; the error is about listing the source bucket. Option C is incorrect because granting full S3 access violates least privilege. Option D is incorrect because adding s3:PutObject on the source bucket is unnecessary and grants extra permission.

91
Multi-Select · hard

A company uses AWS KMS to encrypt objects in an S3 bucket. The security team wants to ensure that only users with the appropriate KMS key permissions can decrypt objects. Which THREE conditions should be included in the S3 bucket policy to enforce this? (Choose THREE.)

A. "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}
B. "Condition": {"StringEquals": {"kms:KeySpec": "SYMMETRIC_DEFAULT"}}
C. "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}
D. "Condition": {"StringEquals": {"kms:GranteePrincipal": "arn:aws:iam::123456789012:role/Admin"}}
E. "Condition": {"StringEquals": {"kms:EncryptionContext": {"aws:s3:arn": "arn:aws:s3:::my-bucket"}}}
Answers: A, C, E

Ensures that the KMS key is used via the S3 service, preventing direct KMS decryption.

Why this answer

Options A, C, and E are correct. To require that a specific KMS key is used through S3 with the expected encryption context, use the kms:ViaService and kms:EncryptionContext conditions. Option B is wrong because S3 does not use a kms:KeySpec condition key here. Option D is wrong because kms:GranteePrincipal is used in grants, not in bucket policies.

92
MCQ · hard

An IAM administrator ran the simulate-custom-policy command shown in the exhibit. The result shows an 'explicitDeny' for s3:ListBucket. What is the most likely reason?

A. The simulation incorrectly evaluates the policy due to a syntax error.
B. The resource ARN for ListBucket is incorrect; it should include a wildcard.
C. The policy does not include an action that allows s3:ListBucket, so it is implicitly denied.
D. The s3:ListBucket action is not valid for S3.
Answer: C

The policy only allows GetObject; ListBucket is not allowed, resulting in an implicit deny, although the simulator may show explicitDeny if another policy denies it.

Why this answer

Option C is correct because the policy does not allow s3:ListBucket, so the action is implicitly denied. The simulator reports 'explicitDeny' only when some applicable policy contains a Deny; in this simulation the custom policy only allows s3:GetObject, so an explicitDeny would have to come from another policy, such as an SCP or a different policy attached to the user.

Option A is wrong because there is no syntax error; the policy simply does not include ListBucket. Option B is wrong because the resource ARN is correct. Option D is wrong because the action is spelled correctly and is valid for S3.

93
MCQ · medium

A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?

A. Logging bypass via CloudTrail
B. Cross-service confused deputy attack
C. Unauthorized access by an external attacker
D. Privilege escalation by attaching additional policies
Answer: C

Any AWS account can assume the role, leading to unauthorized access.

Why this answer

Option C is correct because an IAM role trust policy that allows any AWS account (i.e., `"Principal": {"AWS": "*"}`) to assume the role means that any user or service in any AWS account can call the STS `AssumeRole` API to obtain temporary credentials for the role. This directly enables unauthorized access by an external attacker who can discover the role ARN and assume it, gaining all permissions attached to the role.

Exam trap

The trap here is that candidates may confuse a trust policy misconfiguration with a permissions policy misconfiguration, thinking that privilege escalation (Option D) is the primary risk, when in fact the trust policy directly controls who can assume the role, making unauthorized access the immediate and most likely attack.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs all AWS API calls, including STS `AssumeRole` actions, and there is no mechanism in this misconfiguration to bypass or disable CloudTrail logging. Option B is wrong because a cross-service confused deputy attack involves a malicious service tricking another service into using its own permissions, not an overly permissive trust policy allowing any AWS account to assume a role. Option D is wrong because the misconfiguration is in the trust policy, not in the permissions policy; privilege escalation by attaching additional policies would require the attacker to already have IAM permissions to modify policies, which is not enabled by the trust policy alone.
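Questions 85 and 93 both turn on what a role's trust policy actually says. The Python below is an added example, not code from the question bank or from AWS: a small linter that flags exactly the points those two questions test, namely a Deny instead of an Allow, a wildcard principal, a principal pinned to a single user, and a missing aws:MultiFactorAuthPresent condition. The four trust policies from question 85 and the open trust policy from question 93 are re-typed inline as constructed samples; the account ID 123456789012 is the placeholder the question uses, and only "AWS" principals are examined (Service and Federated principals are skipped).

```python
"""Lint IAM role trust policies for the mistakes discussed in questions 85 and 93.

Added example; not from the question bank and not AWS code. Samples are
constructed; 123456789012 is the placeholder account ID from the question.
"""


def _as_list(value):
    """IAM grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Normalise the Principal element to a list of AWS principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []  # Service / Federated principals are out of scope here


def lint_trust_policy(policy):
    """Return a list of findings for one trust policy; an empty list means no concerns."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # not an assume-role statement
        if stmt.get("Effect") != "Allow":
            findings.append("Deny on sts:AssumeRole: a Deny statement cannot grant assumption")
            continue
        for principal in _aws_principals(stmt.get("Principal")):
            if principal == "*":
                findings.append("wildcard principal: any AWS account can assume this role")
            elif ":user/" in principal:
                findings.append(f"principal pinned to a single user: {principal}")
            # A bare 12-digit ID is accepted: IAM treats it as shorthand for that account's root.
            elif not (principal.startswith("arn:aws:iam::") or (principal.isdigit() and len(principal) == 12)):
                findings.append(f"unrecognised principal format: {principal}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no aws:MultiFactorAuthPresent condition")
    return findings


# --- constructed samples: the four options of question 85 and the open trust policy of question 93
_COMMON = {"Effect": "Allow", "Action": "sts:AssumeRole"}
OPTION_A = {"Version": "2012-10-17", "Statement": [{
    **_COMMON, "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
OPTION_B = {"Version": "2012-10-17", "Statement": [{
    **_COMMON, "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}
OPTION_C = {"Version": "2012-10-17", "Statement": [{
    **_COMMON, "Principal": {"AWS": "arn:aws:iam::123456789012:user/Auditor"}}]}
OPTION_D = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    **_COMMON, "Principal": {"AWS": "*"}}]}


def lint_all():
    """Findings for every sample, keyed by its name."""
    samples = {"A": OPTION_A, "B": OPTION_B, "C": OPTION_C, "D": OPTION_D, "open": OPEN_TRUST}
    return {name: lint_trust_policy(policy) for name, policy in samples.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "->", findings or ["ok"])
```

Run as a script to print the findings for each sample: option A comes back clean, B lacks the MFA condition, C is pinned to one user and lacks MFA, D is a Deny, and the question 93 policy is flagged for its wildcard principal. The same function can be pointed at the output of a real `get-role` call once the `AssumeRolePolicyDocument` has been JSON-decoded.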

94
Multi-Select · hard

Which THREE are best practices for securing IAM in an AWS environment? (Choose THREE.)

A. Use IAM roles for applications running on EC2.
B. Enable MFA for all IAM users.
C. Use the AWS account root user for daily administrative tasks.
D. Grant broad permissions to simplify management.
E. Rotate IAM user access keys regularly.
Answers: A, B, E

Roles provide temporary credentials and are more secure than access keys.

Why this answer

Option A is correct because using IAM roles for EC2 instances eliminates the need to store long-term AWS credentials (access keys) on the instance. Instead, the instance assumes the role via the EC2 metadata service, which automatically rotates temporary security credentials (via AWS STS). This follows the principle of least privilege and reduces the risk of credential leakage.

Exam trap

Cisco often tests the misconception that the root user is acceptable for daily tasks because it has full access, but the trap is that the root user lacks granular audit trails and cannot be restricted by IAM policies, making it a massive security risk for routine operations.

95
Multi-Select · hard

A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which TWO conditions must be configured?

A. aws:SourceIp
B. aws:UserAgent
C. aws:SourceVpce
D. aws:SourceVpc
E. aws:Referer
Answers: C, D

Restricts to a specific VPC endpoint ID.

Why this answer

Options C and D are correct because aws:SourceVpce restricts to a specific VPC endpoint, and aws:SourceVpc restricts to a specific VPC. Option A is wrong because aws:SourceIp is not applicable to traffic arriving through a VPC endpoint. Option B is wrong because aws:UserAgent is not relevant. Option E is wrong because aws:Referer is not relevant.

96
Drag & Drop · medium

Drag and drop the steps to configure AWS CloudTrail for logging across all regions and accounts in the correct order.

Why this order

CloudTrail setup requires S3 bucket, trail creation, multi-region selection, integrity validation, and organization trail.

97
MCQ · easy

A developer needs to grant an IAM user access to a specific S3 bucket only. Which IAM policy element should be used to restrict access to that bucket?

A. Principal
B. Condition
C. Resource
D. Action
Answer: C

Resource specifies the bucket ARN.

Why this answer

Option C is correct because the Resource element specifies the ARN of the S3 bucket. Option A is wrong because Principal specifies who gets access, not the resource. Option B is wrong because Condition specifies when the policy applies. Option D is wrong because Action specifies the allowed actions.

98
MCQ · easy

A company wants to allow its development team to have full access to Amazon S3 buckets that are tagged with 'Environment: Dev'. Which IAM policy element should be used to restrict access based on tags?

A. Use 'aws:PrincipalTag' in the Condition element
B. Use 'aws:SourceTag' in the Condition element
C. Use 'aws:RequestTag' in the Condition element
D. Use 'aws:ResourceTag' in the Condition element
Answer: D

'aws:ResourceTag' allows you to restrict actions based on tags attached to the resource.

Why this answer

Option D is correct because IAM policies can use Condition blocks with 'aws:ResourceTag' to restrict actions based on the tags attached to the resource. Option A is incorrect because 'aws:PrincipalTag' restricts based on the principal's tags. Option B is incorrect because 'aws:SourceTag' is not a valid condition key. Option C is incorrect because 'aws:RequestTag' is used to require specific tags on requests, not on resources.

99
MCQ · medium

A company is using IAM roles to grant EC2 instances access to an S3 bucket. The security team wants to ensure that the instances can only access their own bucket. Which policy should be attached to the IAM role to enforce this?

A. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
B. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"*"}]}
C. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"*","Condition":{"IpAddress":{"aws:SourceIp":"10.0.0.0/16"}}}]}
D. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
Answer: D

This policy correctly restricts access to objects in my-bucket only.

Why this answer

Option D is correct because it scopes s3:GetObject to objects in my-bucket only. Option A is wrong because it allows all S3 actions on all resources. Option B is wrong because it allows GetObject on all resources. Option C is wrong because it still allows all resources and adds an aws:SourceIp condition, which is not the relevant control for EC2 instance access; the bucket restriction comes from the Resource element, and can be reinforced with a resource-based policy on the bucket that allows access only from the IAM role.

100
MCQ · medium

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. What is the most effective way to enforce this?

A. Enable default encryption on the S3 bucket using SSE-S3.
B. Enable AWS CloudTrail to log all S3 access and alert on non-HTTPS requests.
C. Add a bucket policy that denies access if the request does not use HTTPS (aws:SecureTransport condition).
D. Create an IAM policy that denies S3 actions without the condition aws:SecureTransport.
Answer: C

This condition denies non-HTTPS requests.

Why this answer

Option C is correct because a bucket policy with the aws:SecureTransport condition ensures only HTTPS requests are allowed. Option A is wrong because default encryption only encrypts at rest, not in transit. Option B is wrong because CloudTrail logs do not enforce encryption. Option D is wrong because an IAM policy can deny non-HTTPS requests, but it is better to enforce this at the bucket level, where it applies to every principal.

101
MCQ · easy

A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. What is the best way to achieve this?

A. Enable MFA in the account settings.
B. Attach an IAM policy to all users that denies console access without MFA.
C. Set a password policy that requires MFA.
D. Use an SCP to deny access if MFA is not present.
Answer: B

A policy with the condition aws:MultiFactorAuthPresent is required.

Why this answer

Option B is correct because an IAM policy with a condition requiring MFA for console access is the standard approach. Option A is wrong because MFA is not enforced by default through an account setting. Option C is wrong because the password policy does not enforce MFA. Option D is wrong because SCPs are not typically used for user-level MFA enforcement.

102
MCQ · easy

A developer needs to grant an EC2 instance read-only access to an S3 bucket. Which of the following is the most secure way to provide these permissions?

A. Use an IAM role and store the credentials in AWS Systems Manager Parameter Store, then retrieve them at instance launch.
B. Create an IAM role with read-only access and attach it to the EC2 instance profile.
C. Create a bucket policy that grants read-only access to the instance's public IP address.
D. Create an IAM user with read-only access and store the access keys in the instance's user data.
Answer: B

IAM roles for EC2 provide temporary credentials without managing keys.

Why this answer

Option B is correct because an IAM role attached to the EC2 instance via an instance profile avoids long-term credentials. Option A is wrong because storing credentials in SSM Parameter Store still exposes them to the instance. Option C is wrong because a bucket policy keyed on an IP address grants access to all principals at that address, not just the instance. Option D is wrong because storing access keys on the instance is less secure.

103
MCQ · easy

Which IAM entity can be used to delegate permissions to an AWS service to perform actions on your behalf?

A. Service role
B. Service-linked role
C. Instance profile
D. Permissions boundary
Answer: A

A service role allows an AWS service to assume it and perform actions.

Why this answer

A service role is an IAM role that a service assumes to perform actions on your behalf. Option A is correct. Option B is wrong because a service-linked role is a special type of service role, but not all service roles are service-linked.

Option C is wrong because an instance profile is used for EC2. Option D is wrong because a permissions boundary is used to set maximum permissions.

104
Multi-Select · hard

Which THREE are best practices for managing IAM roles?

A. Set the trust policy to allow any AWS account to assume the role.
B. Use IAM roles instead of IAM users for applications running on EC2.
C. Rotate role credentials automatically by using temporary credentials from STS.
D. Use service control policies (SCPs) to restrict permissions at the organizational level.
E. Grant broad permissions to roles to avoid frequent updates.
Answers: B, C, D

Roles are more secure than storing access keys on instances.

Why this answer

Options B, C, and D are correct. Option A is wrong because trust policies should be scoped to specific accounts or principals. Option E is wrong because roles should be granted least privilege, not broad access.

105
MCQhard

A large enterprise has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all IAM roles in all accounts must have a maximum session duration of 1 hour. They create an SCP that denies creating or updating roles if the MaxSessionDuration is greater than 3600 seconds. The SCP is attached to the root OU. After applying the SCP, the development team reports that they cannot create any new IAM roles, even with a session duration of 1 hour. They are using CloudFormation to create roles. What is the MOST likely reason for the failure?

A.The SCP cannot be attached to the root OU; it must be attached to individual accounts.
B.The SCP is not effective; the issue is with the IAM permissions boundary.
C.The SCP denies role creation when MaxSessionDuration is not explicitly set, even if it defaults to 1 hour.
D.CloudFormation does not support creating IAM roles.
AnswerC

A Deny whose condition treats an absent key as a match fires whenever the template omits the value.

Why this answer

Option C is correct. CloudFormation creates the role by calling iam:CreateRole with the values in the template. A template that omits MaxSessionDuration relies on the service default of 3600 seconds, so the session-duration key is simply absent from the request context rather than present with the value 3600. An SCP whose Deny is written so that an absent key counts as a violation (a Null check, or an ...IfExists comparison such as NumericGreaterThanIfExists, which is satisfied when the key is missing) therefore denies these requests even though the effective duration is within policy. The fix is to write the Deny so that it matches only when the key is present and greater than 3600.

Option A is wrong because SCPs can be attached to the root, to organizational units, or to individual accounts. Option B is wrong because permissions boundaries have nothing to do with the symptom; the SCP is the control that was just changed. Option D is wrong because CloudFormation supports AWS::IAM::Role.

106
MCQhard

Refer to the exhibit. An IAM policy allows running EC2 instances. A developer tries to launch a t2.micro instance but receives an 'AccessDenied' error. What is the most likely reason?

A.The policy does not grant permissions for other required resources such as images or security groups.
B.The developer is trying to launch a different instance type.
C.The region in the policy does not match the developer's region.
D.The policy has an explicit deny elsewhere.
AnswerA

RunInstances requires permissions on multiple resource types; the policy only grants on instance, not on image, network, etc.

Why this answer

Option A is correct. ec2:RunInstances is authorized against several resource types at once: the instance, the AMI, the subnet, the network interface, the security groups, the key pair and the volumes. An Allow scoped only to the instance ARN leaves the other resource types unmatched, so the call is implicitly denied. Option B is wrong because the policy's condition is on the instance type and t2.micro satisfies it. Option C is wrong because the condition constrains the instance type, not the region.

Option D is wrong because no explicit deny is involved; the denial is the implicit deny for the resource types the policy never allowed.

107
MCQeasy

A company wants to allow a Lambda function to read objects from an S3 bucket in the same account. What should be done?

A.Store IAM user access keys in the Lambda function's environment variables.
B.Create an IAM role with an S3 read policy and attach it to the Lambda function.
C.Add a bucket policy allowing s3:GetObject for the Lambda service principal.
D.Configure the S3 bucket to be public.
AnswerB

Lambda assumes the role to get temporary credentials.

Why this answer

Option B is correct because Lambda functions require an IAM role (execution role) to obtain temporary AWS credentials via the AWS Security Token Service (STS). Attaching a policy with s3:GetObject permissions to this role grants the Lambda function the necessary access to read objects from the S3 bucket without hardcoding long-term credentials.

Exam trap

The trap here is that candidates confuse the Lambda service principal (lambda.amazonaws.com) with the Lambda execution role, incorrectly assuming that a bucket policy can grant access directly to the Lambda service rather than to the IAM role that the Lambda function assumes.

How to eliminate wrong answers

Option A is wrong because storing IAM user access keys in environment variables violates security best practices (long-term credentials are exposed and must be rotated manually), and Lambda natively supports temporary credentials via an execution role. Option C is wrong because the function's requests to S3 are signed with the temporary credentials of its execution role, not as the Lambda service principal; a bucket policy statement naming lambda.amazonaws.com therefore never matches the caller. If a bucket policy were used at all, the principal to grant would be the execution role's ARN (or the account, with the role's identity policy then granting the access). Option D is wrong because making the S3 bucket public exposes all objects to the internet, which is a severe security risk and unnecessary when a properly scoped IAM role can grant access only to the Lambda function.

108
MCQmedium

An organization wants to enforce multi-factor authentication (MFA) for all IAM users who perform sensitive actions. Which condition key should be used in an IAM policy to require MFA?

A.aws:SourceIp
B.aws:MultiFactorAuthPresent
C.aws:UserAgent
D.aws:CurrentTime
AnswerB

This condition checks if MFA was used.

Why this answer

Option B is correct: aws:MultiFactorAuthPresent is true when the request was made with temporary credentials obtained through MFA. Note that the key is absent, not false, for requests signed with long-term access keys, which is why Deny statements normally test it with BoolIfExists. Option A is wrong because aws:SourceIp checks the requester's IP address. Option C is wrong because aws:UserAgent checks the client's user-agent string.

Option D is wrong because aws:CurrentTime checks the time of the request.

109
Multi-Selectmedium

Which TWO actions can be performed using AWS IAM? (Choose two.)

Select 2 answers
A.Change the instance type of an RDS database
B.Create a CloudFront distribution
C.Define a password policy for IAM users
D.Create an IAM role with a trust policy for EC2
E.Configure a VPC peering connection
AnswersC, D

IAM allows setting account password policies.

Why this answer

Option C is correct because AWS IAM allows you to define a password policy for IAM users, which enforces complexity requirements, rotation periods, and reuse prevention. This is a core IAM feature that helps secure user credentials without relying on external identity providers. Option D is correct because creating roles and writing their trust policies (here, trusting ec2.amazonaws.com) is an IAM operation.

Exam trap

The trap here is that candidates confuse IAM's authorization capabilities (granting permissions) with the ability to directly perform resource operations, leading them to select options like A, B, or E that are actual AWS actions but are not performed by IAM itself.

110
MCQeasy

A company wants to allow an external auditor to read all objects in a specific S3 bucket for a limited time. What is the most secure way to grant this access?

A.Generate pre-signed URLs for the objects the auditor needs to read, with an expiration time.
B.Use a bucket policy that allows access only from the auditor's IP address.
C.Make the bucket public and restrict access via IP address in the bucket policy.
D.Create an IAM user for the auditor with read-only access to the bucket and share the access keys.
AnswerA

Pre-signed URLs provide time-limited access without sharing credentials.

Why this answer

Option A is correct because a pre-signed URL grants temporary access to the named objects, carries only the permissions of the identity that signed it, and stops working at the expiry time embedded in the URL (and, if it was signed with temporary credentials, as soon as those credentials expire). Nothing long-lived is handed to the auditor. Option B is wrong because an IP-based bucket policy has to grant to a broad or anonymous principal and depends on the auditor's address staying fixed, which is neither granular nor reliable. Option C is wrong because a public bucket exposes every object, and an IP restriction layered on top still leaves a public bucket.

Option D is wrong because it hands long-term access keys to an external party; they would then have to be rotated and revoked by hand.

111
MCQmedium

An organization wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which policy should be used?

A.A policy that allows all actions and denies when aws:MultiFactorAuthPresent is true.
B.A policy that allows all actions except ConsoleLogin unless MFA is present.
C.A policy that allows all actions when aws:MultiFactorAuthPresent is true.
D.A policy that denies all actions unless aws:MultiFactorAuthPresent is true.
AnswerD

This explicitly denies access if MFA is not present, enforcing MFA.

Why this answer

Option D is correct because it uses an IAM policy with a Deny effect on all actions when `aws:MultiFactorAuthPresent` is false (or not true). This ensures that any IAM user attempting to perform any action, including ConsoleLogin, must have authenticated with MFA; otherwise, the request is denied. This is the standard approach to enforce MFA for all AWS Management Console access.

Exam trap

The trap here is that candidates often confuse the condition key evaluation — thinking a policy that 'allows when MFA is present' is sufficient, but without an explicit Deny for when MFA is absent, other policies could still grant access, making the enforcement incomplete.

How to eliminate wrong answers

Option A is wrong because it denies actions when `aws:MultiFactorAuthPresent` is true, which would block users who have authenticated with MFA, defeating the purpose. Option B is wrong because it allows all actions except ConsoleLogin unless MFA is present, but it does not deny other actions (like API calls) when MFA is absent, leaving a security gap. Option C is wrong because it allows all actions when MFA is present but does not explicitly deny actions when MFA is absent, meaning a user without MFA could still access resources if another policy grants access.

112
MCQeasy

Refer to the exhibit. An EC2 instance is launched with an instance profile that references this role. The application on the instance tries to list objects in 'my-bucket' but receives an AccessDenied error. What is the most likely cause?

A.The trust policy does not allow the EC2 service to assume the role.
B.The policy does not grant s3:GetObject permission.
C.The S3 bucket has a bucket policy that denies access.
D.The role does not have any permissions policy attached.
AnswerC

An explicit deny in the bucket policy would override the role's allow.

Why this answer

Option C is correct. The exhibit's permissions policy allows s3:ListBucket on arn:aws:s3:::my-bucket, which is exactly the action and resource needed to list objects (listing is authorized on the bucket ARN, not on the object ARNs), and the trust policy allows ec2.amazonaws.com to assume the role, so both halves of the role are sound. With a matching Allow in place, an AccessDenied can only come from an explicit deny elsewhere, and a bucket policy on my-bucket is the usual place.

Option A is wrong because the trust policy permits EC2 to assume the role; if it did not, the instance would have no credentials at all rather than a denial on a single call. Option B is wrong because s3:GetObject is needed to read objects, not to list them.

Option D is wrong because the role does have a permissions policy attached.

113
MCQhard

A company uses AWS Organizations with SCPs. The SCP for the production OU denies all actions on DynamoDB. An IAM policy attached to a user in that OU allows dynamodb:PutItem. What is the effective access?

A.The user can perform PutItem because the IAM policy allows it.
B.The user cannot perform PutItem because the SCP denies all DynamoDB actions and IAM allows are overridden.
C.The user cannot perform PutItem because the SCP applies only to the root account.
D.The user can perform PutItem only if the SCP has an explicit allow.
AnswerB

SCP deny takes precedence over IAM allow.

Why this answer

Option B is correct because an SCP is a guardrail on the maximum permissions available in a member account; an explicit Deny in an SCP cannot be overridden by any identity-based or resource-based Allow. Option A is wrong because an IAM Allow can only grant within what the SCPs permit. Option C is wrong because SCPs apply to every IAM user and role in the member accounts they are attached to (only the management account is exempt).

Option D is wrong because an SCP Allow is a necessary condition rather than a grant, and the explicit Deny would still win.

114
Multi-Selectmedium

Which TWO of the following are valid ways to grant an IAM user permissions to access an S3 bucket? (Choose 2.)

Select 2 answers
A.Assign an instance profile to the user.
B.Create a VPC endpoint policy.
C.Attach an IAM policy to the user.
D.Add the user to an IAM group with a policy.
E.Use an SCP to allow access.
AnswersC, D

IAM policies attached to users grant permissions.

Why this answer

Options C and D are correct: an identity-based policy grants permissions whether it is attached to the user directly or inherited through group membership. Option A is wrong because an instance profile attaches a role to an EC2 instance, not to a user. Option B is wrong because a VPC endpoint policy only restricts what may pass through the endpoint; it grants nothing. Option E is wrong because SCPs never grant permissions; they set the maximum permissions for accounts in an organization.

115
MCQhard

An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?

A.The Allow statement for iam:ChangePassword is not sufficient because the Deny statement explicitly denies all actions.
B.The Deny statement uses 'BoolIfExists' which evaluates to true if the condition key is not present. In the IAM console, the 'aws:MultiFactorAuthPresent' key may not be set, causing the Deny to apply even when the user has MFA.
C.The Deny statement denies all actions unconditionally, so the Allow statement cannot override it.
D.The user does not have permission to change their own password because the Allow statement is not specific enough.
AnswerB

BoolIfExists treats a missing key as a match, so when aws:MultiFactorAuthPresent is absent from the request context the Deny applies and blocks every action, including the password change.

Why this answer

Option B is correct because the Deny statement uses the `BoolIfExists` condition operator with the `aws:MultiFactorAuthPresent` key. In the IAM console, the `aws:MultiFactorAuthPresent` key may not be present in the request context (e.g., during the initial password change flow before MFA is re-validated), causing `BoolIfExists` to evaluate to true when the key is absent. This triggers the Deny even though the user has an MFA device and is logged in with MFA, blocking the `iam:ChangePassword` action.

Exam trap

The trap here is that candidates assume `BoolIfExists` behaves like `Bool` and that MFA presence is always indicated in the request context, but `BoolIfExists` treats a missing key as true, causing the Deny to apply when the key is absent, such as in the IAM console's password change flow.

How to eliminate wrong answers

Option A is wrong because the Deny statement does not explicitly deny all actions; it only denies actions when the condition evaluates to true, so the Allow statement could be sufficient if the condition were not met. Option C is wrong because the Deny statement is not unconditional; it includes a condition (`BoolIfExists`), so it only applies when the condition is true, not to all actions. Option D is wrong because the Allow statement is specific enough (it allows `iam:ChangePassword` for the user's own account), but the Deny overrides it due to the condition evaluation.
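The absent-key behaviour behind this question (and behind the CloudFormation case in question 105 and the MFA policies in questions 108, 111 and 126) can be made concrete with a toy evaluator for IAM condition operators. This is an added example written for this page, not AWS code: it matches Action and Condition only (no Resource or Principal matching) and supports a handful of operators. The condition key example:MaxSessionDuration is hypothetical, standing in for whatever key such an SCP would check, and the request contexts are constructed.

```python
"""Toy IAM condition-operator evaluator (added example; not AWS code).

Matches Action and Condition only. Models the rule that matters here:
a plain operator (Bool, StringEquals, ...) is NOT satisfied when the key
is missing from the request context, the ...IfExists variant IS, and the
Null operator tests presence itself.
"""
import fnmatch


def _op_matches(operator, key, policy_values, context):
    """Evaluate one condition key under one operator. True means satisfied."""
    if isinstance(policy_values, str):
        policy_values = [policy_values]
    values = [str(v) for v in policy_values]
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    present = key in context
    if base == "Null":
        # "Null": {key: "true"} is satisfied when the key is ABSENT.
        want_absent = values[0].lower() == "true"
        return present != want_absent
    if not present:
        return if_exists  # missing key: IfExists matches, a plain operator does not
    value = str(context[key])
    if base == "Bool":
        return value.lower() in [v.lower() for v in values]
    if base == "StringEquals":
        return value in values
    if base == "StringNotEquals":
        return value not in values
    if base == "NumericGreaterThan":
        return any(float(value) > float(v) for v in values)
    if base == "NumericLessThanEquals":
        return any(float(value) <= float(v) for v in values)
    raise ValueError(f"unsupported operator: {operator}")


def condition_matches(condition, context):
    """All operators and all keys in a Condition block are ANDed together."""
    return all(_op_matches(op, key, vals, context)
               for op, keys in condition.items() for key, vals in keys.items())


def policy_decision(policy, action, context):
    """'Deny' if any Deny statement matches, else 'Allow' if any Allow matches,
    else None (implicit deny: nothing granted the action)."""
    decision = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def deny_unless_mfa(operator):
    """'Allow everything, Deny when MFA is not present', with the given operator."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


# Constructed request contexts: console sign-in with MFA, without MFA, and a
# request signed with long-term access keys, for which AWS omits the key entirely.
CTX_MFA = {"aws:MultiFactorAuthPresent": "true"}
CTX_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CTX_KEY_ABSENT = {}

# HYPOTHETICAL key for the question-105 scenario; not a real IAM condition key.
SESSION_KEY = "example:MaxSessionDuration"


def session_duration_scp(deny_when_absent):
    """Deny CreateRole/UpdateRole above 3600 s. With deny_when_absent=True a Null
    check is added: the over-strict form that also blocks templates which omit
    the value and rely on the 3600 s default."""
    actions = ["iam:CreateRole", "iam:UpdateRole"]
    statements = [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": actions, "Resource": "*",
         "Condition": {"NumericGreaterThan": {SESSION_KEY: "3600"}}},
    ]
    if deny_when_absent:
        statements.append({"Effect": "Deny", "Action": actions, "Resource": "*",
                           "Condition": {"Null": {SESSION_KEY: "true"}}})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    for op in ("BoolIfExists", "Bool"):
        for name, ctx in (("mfa", CTX_MFA), ("no-mfa", CTX_NO_MFA), ("key-absent", CTX_KEY_ABSENT)):
            print(op, name, policy_decision(deny_unless_mfa(op), "s3:GetObject", ctx))
```

Run as a script, the Bool version prints Allow for the key-absent context, which is the gap that lets long-term access keys bypass a Deny written with plain Bool; the BoolIfExists version denies it. The session-duration SCP shows the opposite failure: adding a Null check turns an absent key into a denial, which is what breaks the CloudFormation templates in question 105.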

116
Matchingmedium

Match each AWS KMS key type to its description.


Managed by AWS for use with specific services

Managed by customer with full control

Used internally by AWS, not visible to customers

Key store backed by AWS CloudHSM

Why these pairings

The pairings: an AWS managed key is created and managed by AWS for use with a specific service (its alias starts with aws/); a customer managed key is created, rotated and policy-controlled by the customer; an AWS owned key is used internally by AWS and is not visible in the customer's account; a custom key store backs KMS keys with an AWS CloudHSM cluster that the customer controls. Control increases from AWS owned, to AWS managed, to customer managed, to custom key store.

117
MCQeasy

An IAM policy attached to a user contains the above statements. The user attempts to download an object from 'example-bucket/confidential/report.pdf'. What is the result?

A.The download fails because the user is not an administrator.
B.The download succeeds because the user can access other objects.
C.The download succeeds because the first statement allows GetObject.
D.The download fails because the deny statement applies to the object.
AnswerD

Explicit deny on the path.

Why this answer

Option D is correct: the explicit deny on the confidential folder overrides the Allow for GetObject, because an explicit deny always wins over any allow. Option A is incorrect because administrator status is irrelevant; the result is decided by the deny. Option B is incorrect because being able to read other objects does not carry over to a path that is explicitly denied.

Option C is incorrect because the Allow is evaluated, but the matching Deny takes precedence over it.

118
MCQeasy

A developer is trying to use the AWS CLI to list objects in an S3 bucket but receives an AccessDenied error. The developer has an IAM user with a policy that allows s3:ListBucket on the bucket. What could be causing the error?

A.The developer has not enabled MFA on their IAM user.
B.The S3 bucket has a bucket policy that denies access to the developer's IAM user.
C.The S3 bucket does not exist in the same AWS region as the CLI is configured.
D.The IAM policy is attached to a group, not directly to the user.
AnswerB

An explicit deny in a bucket policy overrides an allow in an IAM policy.

Why this answer

Option B is correct because an explicit deny in the bucket policy overrides the Allow in the IAM policy. Option A is wrong because MFA is only required when a policy condition demands it. Option C is wrong because bucket names are global and a mismatched CLI region does not produce AccessDenied.

Option D is wrong because a policy attached to a group applies to every member exactly as if it were attached to the user directly.

119
MCQhard

A company has an IAM policy that allows s3:GetObject on all buckets. However, a specific S3 bucket policy explicitly denies s3:GetObject to all principals. An IAM user with the IAM policy tries to read an object from that bucket. What is the result?

A.The request is allowed because the IAM policy is more specific.
B.The request is allowed because the IAM policy allows the action.
C.The request is denied because the bucket policy applies only to IAM users.
D.The request is denied because the explicit deny in the bucket policy overrides the allow in the IAM policy.
AnswerD

Explicit deny always overrides any allow.

Why this answer

Option D is correct because an explicit deny in any applicable policy overrides every allow, whether the allow comes from an identity-based or a resource-based policy. Option A is wrong because specificity plays no part in IAM evaluation; a deny always wins. Option B is wrong because the IAM allow is overridden by the bucket policy deny.

Option C is wrong because a deny on all principals applies to IAM users, roles and the account root alike; the reason for the denial is the explicit deny, not the scope of the bucket policy.

120
Multi-Selecthard

A company has an S3 bucket with a bucket policy that allows access to a specific IAM role. However, users assume the role but still get access denied. Which THREE factors could cause this?

Select 3 answers
A.The bucket policy does not reference the role's trust policy.
B.A service control policy (SCP) denies the required actions.
C.The bucket policy has a condition on aws:RoleSessionName that does not match.
D.The role's trust policy does not allow the user's account to assume the role.
E.The bucket policy grants access to an IAM user instead of the role.
AnswersB, D, E

SCPs can override IAM permissions.

Why this answer

Options B, D, and E are correct. B: an SCP that denies the required S3 actions blocks the request no matter what the bucket policy and the role's permissions allow. D: if the role's trust policy does not trust the users' account, the users cannot obtain the role's credentials at all, so every request fails before the bucket policy is consulted. E: a bucket policy that names an IAM user ARN does not match requests made with the role's credentials; the principal must be the role ARN (or the account, with the role's own policy granting the access).

Option A is wrong because a bucket policy never references a trust policy; the two are independent documents. Option C is wrong because aws:RoleSessionName is not a condition key a bucket policy can evaluate.

121
MCQmedium

An organization has a production AWS account and a development AWS account. Developers need to access the production account from the development account using IAM roles. What is the MOST secure way to set this up?

A.Create an IAM role in the production account with a trust policy allowing the development account to assume it.
B.Create IAM users in the production account and share access keys with developers.
C.Establish a VPN connection between the accounts and use directory credentials.
D.Create the same IAM users in both accounts with identical permissions.
AnswerA

Cross-account roles provide temporary credentials.

Why this answer

Option A is correct because a cross-account role grants least-privilege access through temporary credentials issued by STS, without sharing any long-term credential between the accounts. Option B is wrong because sharing access keys is insecure and leaves no per-person audit trail. Option C is wrong because a VPN moves packets between networks; it does not authenticate principals to the AWS API.

Option D is wrong because duplicating users in both accounts is not a cross-account mechanism and doubles the credentials to manage.

122
MCQeasy

An organization wants to use AWS Organizations to centrally manage permissions for multiple accounts. Which IAM feature is used to grant cross-account access within the organization?

A.IAM roles
B.Service control policies (SCPs)
C.Resource-based policies
D.IAM groups
AnswerA

IAM roles allow cross-account access through role assumption.

Why this answer

AWS Organizations uses service control policies (SCPs) to set the maximum permissions for member accounts, but SCPs never grant access; for actual cross-account access, IAM roles are still used. Option A is correct because a user or role in one account assumes a role in another account through that role's trust policy. Option B is wrong because SCPs are guardrails, not a means of access.

Option C is wrong because resource-based policies grant access to specific resources in the services that support them, not general cross-account access. Option D is wrong because IAM groups exist within a single account and cannot contain principals from other accounts.

123
MCQeasy

An application running on an EC2 instance needs to read from an S3 bucket. What is the BEST practice for granting permissions to the EC2 instance?

A.Store AWS access keys in the application code.
B.Create an IAM user and give access keys to the developer.
C.Use an IAM role and attach it to the EC2 instance profile.
D.Use the root account credentials.
AnswerC

This provides temporary credentials automatically.

Why this answer

Using an IAM role attached to the EC2 instance is the secure and recommended way to grant permissions to applications on EC2.

124
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that any new account created in the organization automatically has an S3 bucket policy that blocks public access. What is the most efficient way to enforce this requirement?

A.Create an AWS CloudFormation template that includes the S3 bucket policy and deploy it to each new account manually.
B.Use AWS Config rules to detect S3 buckets without public access block and automatically remediate.
C.Use AWS CloudFormation StackSets to deploy the bucket policy to all existing and future accounts.
D.Attach a service control policy (SCP) at the root level that denies the s3:PutBucketPublicAccessBlock action with a condition that the bucket must have public access blocked.
AnswerD

SCP at the root enforces the requirement for all accounts, including new ones.

Why this answer

Option D is correct because an SCP attached at the root applies to every account in the organization, including accounts created later, so the guardrail is inherited automatically with no per-account deployment. Option A is wrong because it requires a manual deployment for each new account. Option B is wrong because AWS Config detects non-compliant buckets after the fact and needs a remediation action configured; it is reactive rather than preventive.

Option C is wrong because StackSets only reach the accounts and OUs the stack set targets; even with automatic deployment to new OU members, it deploys a configuration that can later be changed rather than enforcing a rule.

125
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user. The user is trying to download an object from 'example-bucket' from an IP address of 10.1.1.1. What will happen?

A.Access is denied because the policy does not include an explicit deny
B.Access is allowed because the condition key is misspelled
C.Access is denied because the IP address is not in the allowed range
D.Access is allowed because the policy allows s3:GetObject
AnswerC

The condition restricts to 10.0.0.0/16; 10.1.1.1 is not in that range.

Why this answer

Option C is correct because the Allow carries an aws:SourceIp condition for 10.0.0.0/16; 10.1.1.1 falls outside that range, so the Allow does not apply and the request is implicitly denied. Option A is incorrect because no explicit deny is needed; an Allow whose condition fails simply does not grant. Option B is incorrect because aws:SourceIp is a valid condition key.

Option D is incorrect because the s3:GetObject Allow is conditional and the condition is not satisfied.

126
MCQeasy

A security administrator needs to ensure that all IAM users in the account use multi-factor authentication (MFA) to access the AWS Management Console. What is the most effective way to enforce this?

A.Set the IAM password policy to require MFA.
B.Use an SCP to deny access if MFA is not present, with a condition "aws:MultiFactorAuthPresent":"true".
C.Enable MFA for the root user and require all IAM users to use the root user credentials.
D.Create an IAM policy that denies all actions unless MFA is present, and attach it to all users.
AnswerD

An IAM policy with a condition on aws:MultiFactorAuthPresent can enforce MFA.

Why this answer

Option D is correct because an IAM policy that denies all actions when aws:MultiFactorAuthPresent is false (written with BoolIfExists so that requests lacking the key are denied too) can be attached to every user or, more manageably, to a group that contains them. Option A is wrong because the password policy governs password complexity and rotation, not MFA. Option B is wrong as written: a Deny whose condition is aws:MultiFactorAuthPresent = "true" would deny exactly the users who did use MFA, and SCPs require AWS Organizations and do not apply to the management account.

Option C is wrong because sharing the root user's credentials is the opposite of secure access management.

127
MCQeasy

Which IAM feature allows you to grant temporary, limited-privilege credentials for a specific role?

A.Resource-based policies
B.IAM roles
C.AWS STS
D.Service control policies
AnswerC

Security Token Service issues temporary credentials.

Why this answer

Option C is correct because AWS STS issues the temporary, limited-privilege credentials returned by AssumeRole, GetSessionToken and the federation calls. Option B is wrong because the role is the entity being assumed; the credentials come from STS. Option D is wrong because SCPs are Organizations guardrails.

Option A is wrong because resource-based policies grant access to a resource; they issue no credentials.

128
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage permissions across multiple AWS accounts?

Select 2 answers
A.AWS Single Sign-On
B.AWS Config
C.AWS WAF
D.AWS Identity and Access Management (IAM)
E.AWS Organizations
AnswersA, E

SSO manages permissions across accounts.

Why this answer

Options A and E are correct. AWS Organizations provides policy-based management across accounts (SCPs). AWS Single Sign-On, now IAM Identity Center, assigns permission sets to users and groups across the organization's accounts. Option D is wrong because IAM operates within a single account.

Option B is wrong because AWS Config assesses resource configuration compliance. Option C is wrong because AWS WAF is a web application firewall.

129
MCQeasy

A developer needs to run an application on an EC2 instance that accesses an S3 bucket. What is the best practice for granting permissions?

A.Use an SCP to allow S3 access for the instance.
B.Create a bucket policy that grants access to the instance ID.
C.Store AWS access keys on the instance and use them in the application.
D.Create an IAM role with S3 access and attach it to the EC2 instance profile.
AnswerD

Roles avoid long-term credentials and follow best practices.

Why this answer

Option D is correct because an IAM role attached through the instance profile gives the application temporary credentials from the instance metadata service, rotated automatically. Option C is wrong because long-term access keys stored on the instance can be copied from disk or from a snapshot and must be rotated by hand. Option B is wrong because an instance ID is not an IAM principal; a bucket policy would have to grant to the role.

Option A is wrong because an SCP never grants permissions.

130
MCQeasy

A company wants to allow users to assume a role in another AWS account to access a specific S3 bucket. What must be configured?

A.A trust policy on the IAM role that allows the user's account to assume the role.
B.An S3 bucket policy that allows the user to access the bucket.
C.An IAM role with a trust policy allowing the user's account and a bucket policy granting the role access to the bucket.
D.A resource-based policy on the S3 bucket that allows the user's account.
AnswerC

Both policies are required for cross-account access via role assumption.

Why this answer

Option C is correct because both the trust policy (in the account with the role) and the resource-based policy (on the bucket) must allow access. Option A is wrong because a trust policy alone is insufficient; the bucket policy must also grant access. Option B is wrong because the bucket policy alone is insufficient; the role trust policy must allow the user to assume the role.

Option D is wrong because resource-based policies alone cannot grant cross-account role assumption.

131
MCQmedium

An administrator wants to audit all IAM actions in the account. Which AWS service should be used?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon CloudWatch
AnswerC

CloudTrail records all API calls for auditing.

Why this answer

Option C is correct: AWS CloudTrail records API activity, including every IAM call, together with the caller identity. Option D is wrong because CloudWatch is for metrics, logs and alarms. Option A is wrong because AWS Config tracks resource configuration changes and compliance.

Option B is wrong because GuardDuty is for threat detection.

132
Multi-Selecthard

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The role must be able to read from an S3 bucket (my-bucket) and write to CloudWatch Logs. Which THREE conditions must be met for the role to have effective permissions? (Choose THREE.)

Select 3 answers
A.The EC2 instance must have an instance profile attached.
B.The effective permissions are the intersection of the boundary and identity-based policies.
C.The identity-based policy attached to the role must allow the required actions.
D.The permissions boundary policy must allow the required actions.
E.The S3 bucket policy must explicitly allow the role.
AnswersB, C, D

Permissions boundary and identity policy together define effective permissions.

Why this answer

Options B, C, and D are correct: the permissions boundary must allow the actions, the identity-based policy attached to the role must allow them, and the effective permissions are the intersection of the two. Option A is wrong because the instance profile is only how the instance obtains the role's credentials; it does not change what the role is permitted to do. Option E is wrong because for a bucket in the same account the identity-based policy suffices; a bucket policy is optional.
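The combination rule that this question and questions 113, 119, 121, 125 and 130 all turn on (an explicit deny anywhere wins; SCPs and permissions boundaries cap but never grant; a same-account request needs an Allow from an identity-based or a resource-based policy, a cross-account request needs both) is small enough to write down. The function below is an added toy model of the documented evaluation logic, not AWS code: it takes the per-policy outcome as input instead of matching statements, and it simplifies in one place, treating a same-account resource-based Allow as independent of the permissions boundary.

```python
"""Toy model of how AWS combines per-policy outcomes (added example; not AWS code)."""

ALLOW, DENY = "Allow", "Deny"
NO_MATCH = None                    # policy exists but no statement matched the request
NOT_APPLICABLE = "not-applicable"  # no SCP (account not in an Organization) / no boundary set


def effective_decision(identity=NO_MATCH, resource=NO_MATCH, scp=NOT_APPLICABLE,
                       boundary=NOT_APPLICABLE, same_account=True):
    """identity / resource / scp / boundary: ALLOW, DENY, NO_MATCH or NOT_APPLICABLE.
    Returns ALLOW or DENY; an implicit deny is reported as DENY."""
    # 1. An explicit Deny in any applicable policy overrides every Allow.
    if DENY in (identity, resource, scp, boundary):
        return DENY
    # 2. An SCP caps the account: if one applies it must Allow, but it grants nothing.
    if scp != NOT_APPLICABLE and scp != ALLOW:
        return DENY
    # 3. Identity-based path: the identity policy must Allow and, if a permissions
    #    boundary is set, the boundary must Allow too (effective = intersection).
    identity_grants = identity == ALLOW and boundary in (NOT_APPLICABLE, ALLOW)
    # 4. Cross-account: the resource policy AND the caller's identity policy must both Allow.
    if not same_account:
        return ALLOW if identity_grants and resource == ALLOW else DENY
    # 5. Same account: either path is enough. Simplification: a same-account
    #    resource-based Allow is treated as independent of the boundary.
    return ALLOW if identity_grants or resource == ALLOW else DENY


if __name__ == "__main__":
    print("SCP deny + IAM allow:", effective_decision(identity=ALLOW, scp=DENY))
    print("boundary silent + IAM allow:", effective_decision(identity=ALLOW, boundary=NO_MATCH))
    print("cross-account, bucket policy silent:",
          effective_decision(identity=ALLOW, resource=NO_MATCH, same_account=False))
```

The usual way to read a denial, then, is in that order: look for an explicit deny in any policy first, then for a missing allow in the SCP or boundary, and only then for the missing grant.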

133
MCQhard

A security engineer is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a policy that allows sts:AssumeRole. The user receives an error: 'Access denied: User is not authorized to perform sts:AssumeRole.' What is the MOST likely cause?

A.The user's policy does not specify the resource ARN of the role.
B.The role requires an external ID that the user did not provide.
C.The user must use multi-factor authentication (MFA).
D.The trust policy does not include the user's IAM user ARN.
AnswerA

The policy must have a Resource element matching the role ARN.

Why this answer

Option A is correct: sts:AssumeRole must be allowed on the ARN of the target role in the user's identity-based policy, and a Resource that does not match that ARN produces exactly this error. Option B is wrong because an external ID is only checked when the trust policy requires one. Option C is wrong because MFA is only required when the trust policy or the user's policy carries an MFA condition.

Option D is wrong because a trust policy that names the user's account (the account root as principal) is sufficient; it delegates the decision to the user's own identity policy.

134
Multi-Selecteasy

Which TWO are valid ways to authenticate to AWS for API calls? (Choose two.)

Select 2 answers
A.SSH key pairs
B.IAM user access keys
C.Database master password
D.Temporary credentials from an IAM role
E.Root user access keys
AnswersB, D

Access keys consist of an access key ID and secret access key.

Why this answer

IAM user access keys (option B) are a valid authentication method for programmatic API calls to AWS. They consist of an access key ID and a secret access key, which are used to sign requests using Signature Version 4 (SigV4). This is a standard, long-term credential for IAM users to interact with AWS services via CLI, SDK, or direct API calls.

Exam trap

The trap here is that candidates may dismiss root user access keys (option E) as invalid. They are technically valid, but the question is asking for the standard ways to authenticate API calls, and the correct pairing is B and D: IAM user access keys, and temporary credentials obtained through a role, with the latter preferred. Root access keys are valid but strongly discouraged and should not exist at all.
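What "sign requests using Signature Version 4" means in practice, and why the pre-signed URL of question 110 expires on its own, both come down to the same computation. The code below is an added example written for this page, not AWS SDK code: it derives the SigV4 signing key, builds the Authorization header for an API request, and builds a pre-signed S3 GET URL whose lifetime is carried in the query string, using only the standard library. The access key, secret and bucket names are constructed placeholders, and the expiry check mirrors what S3 does before it verifies a signature.

```python
"""SigV4 from scratch: a header-signed API request and a pre-signed S3 GET URL
(added example for this page; not AWS SDK code). Standard library only."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
SHA256_EMPTY = hashlib.sha256(b"").hexdigest()


def _uri_encode(s):
    # SigV4 URI encoding: everything except the unreserved characters.
    return quote(str(s), safe="-_.~")


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date, region, service):
    """Derive the per-day/region/service key. The long-term secret never signs a
    request directly, so a leaked signing key is bounded in scope and time."""
    k = _hmac_sha256(("AWS4" + secret_key).encode(), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """headers: dict with lower-case names. Returns (canonical_request, signed_headers)."""
    canon_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(query.items()))
    names = sorted(headers)
    canon_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method, path, canon_query, canon_headers, signed_headers, payload_hash])
    return creq, signed_headers


def sign(secret_key, amz_date, region, service, creq):
    """Return (signature, credential_scope) for a canonical request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    key = signing_key(secret_key, date, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest(), scope


def authorization_header(access_key, secret_key, method, host, path, query,
                         amz_date, region, service, payload=b""):
    """Authorization header for a header-signed request: how access keys (or
    temporary credentials) authenticate API calls."""
    headers = {"host": host, "x-amz-date": amz_date}
    creq, signed = canonical_request(method, path, query, headers,
                                     hashlib.sha256(payload).hexdigest())
    sig, scope = sign(secret_key, amz_date, region, service, creq)
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"


def presigned_get_url(access_key, secret_key, bucket, key, region, amz_date,
                      expires_seconds, session_token=None):
    """Pre-signed S3 GET: the signature moves into the query string and the URL
    carries its own lifetime (X-Amz-Expires, at most 7 days). Signed with
    temporary credentials, the session token is embedded and the URL also
    stops working when that session expires."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    query = {"X-Amz-Algorithm": ALGORITHM, "X-Amz-Credential": f"{access_key}/{scope}",
             "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires_seconds),
             "X-Amz-SignedHeaders": "host"}
    if session_token:
        query["X-Amz-Security-Token"] = session_token
    creq, _ = canonical_request("GET", path, query, {"host": host}, "UNSIGNED-PAYLOAD")
    sig, _ = sign(secret_key, amz_date, region, "s3", creq)
    qs = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(query.items()))
    return f"https://{host}{path}?{qs}&X-Amz-Signature={sig}"


def utc(year, month, day, hour, minute):
    return dt.datetime(year, month, day, hour, minute, tzinfo=dt.timezone.utc)


def presigned_url_expired(url, now):
    """The check S3 makes before verifying the signature: X-Amz-Date plus
    X-Amz-Expires must still be in the future (now is timezone-aware UTC)."""
    params = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
    start = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    start = start.replace(tzinfo=dt.timezone.utc)
    return now >= start + dt.timedelta(seconds=int(params["X-Amz-Expires"]))


# Constructed, non-functional credentials for the demonstration.
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_DATE = "20240101T120000Z"

if __name__ == "__main__":
    print(authorization_header(DEMO_ACCESS_KEY, DEMO_SECRET_KEY, "GET", "iam.amazonaws.com", "/",
                               {"Action": "ListUsers", "Version": "2010-05-08"},
                               DEMO_DATE, "us-east-1", "iam"))
    print(presigned_get_url(DEMO_ACCESS_KEY, DEMO_SECRET_KEY, "audit-bucket",
                            "reports/q1.pdf", "us-east-1", DEMO_DATE, 900))
```

Two points worth noticing for the auditor scenario: the pre-signed URL names the signer's credential scope and permissions, so whoever holds the URL acts as the signer for that one object until X-Amz-Expires runs out, and nothing in the URL identifies the auditor; and because the secret never leaves the signer, revoking the signer's key (or letting a temporary session lapse) invalidates every URL it produced.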

135
MCQeasy

An IAM policy allows the iam:PassRole action for a specific role only when the role is passed to EC2. A developer tries to launch an EC2 instance with this role, but fails. What is the most likely missing permission?

A.The developer does not have ec2:RunInstances permission.
B.The developer needs to create the role first.
C.The developer does not have iam:PassRole permission for the role.
D.The condition in the policy is incorrect; it should use 'ec2.amazonaws.com' as the service.
AnswerA

Launching an instance requires RunInstances permission.

Why this answer

Option A is correct because launching an instance with a role requires both iam:PassRole on that role and ec2:RunInstances; the policy described grants only the former. Option C is wrong because PassRole for the role is already granted. Option D is wrong because ec2.amazonaws.com is the correct value for the iam:PassedToService condition, so the condition restricting the pass to EC2 is correct as described.

Option B is wrong because the role already exists and is referenced by the policy.

136
MCQhard

Refer to the exhibit. A user has this IAM policy attached. They attempt to download an object from example-bucket using the AWS CLI without specifying server-side encryption. Will the request succeed?

A.Yes, because the bucket policy may override the condition.
B.No, because the condition is not satisfied.
C.No, because S3 requires encryption for all requests.
D.Yes, because the Allow statement grants s3:GetObject.
AnswerB

The request lacks the required encryption header, so the Allow does not apply and the request is denied by default.

Why this answer

Option B is correct. The Allow is conditional on the request carrying the x-amz-server-side-encryption header with the value AES256. A plain download never sends that header (it is an upload header, which is why this condition normally belongs on s3:PutObject), so the condition fails and the Allow statement does not apply to the request.

There is no explicit Deny, but with no applicable Allow the default implicit deny decides the request, and it fails. Option A is wrong because a bucket policy can add its own Allow but cannot make an unmet condition in this policy true. Option C is wrong because S3 has no global encryption requirement; only the policies attached impose one. Option D is wrong because a conditional Allow grants nothing until every key in its Condition block matches.

137
MCQhard

A company uses AWS Organizations and wants to prevent any IAM user from creating access keys for a long period. Which SCP should be applied to the root OU to enforce that IAM users cannot create access keys unless explicitly allowed?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:CreateAccessKey","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:DeleteAccessKey","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:CreateAccessKey","Resource":"arn:aws:iam::*:user/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateAccessKey","Resource":"arn:aws:iam::*:user/*","Condition":{"StringNotEquals":{"aws:ResourceTag/purpose":"temporary"}}}]}
AnswerD

Denies creation unless tag 'purpose' is 'temporary'.

Why this answer

SCPs set the ceiling on what any principal in a member account can do, and an explicit Deny in an SCP cannot be overridden by any IAM policy inside the account. Option D is correct because it denies iam:CreateAccessKey on every IAM user resource unless that user carries the tag purpose=temporary (aws:ResourceTag/purpose), which is the "unless explicitly allowed" escape hatch the question asks for. Option A allows CreateAccessKey everywhere, the opposite of the goal (and an SCP Allow only defines the ceiling; it grants nothing by itself). Option B denies iam:DeleteAccessKey, so it stops keys from being removed rather than created.

Option C is another Allow, merely scoped to user ARNs, and again blocks nothing. Two practical caveats: SCPs never restrict the management account, so keep IAM users out of it, and a tag-based exception only holds if iam:TagUser and iam:UntagUser are themselves restricted, otherwise a user can tag themselves "temporary" and bypass the control.

138
Multi-Selectmedium

A company is designing an IAM policy to grant a group of developers access to manage EC2 instances and RDS databases. Which TWO actions should be included to follow the principle of least privilege?

Select 2 answers
A.rds:CreateDBInstance
B.ec2:StartInstances
C.ec2:CreateInstances
D.rds:StartDBInstance
E.ec2:*
AnswersB, D

'ec2:StartInstances' is a specific action needed to start EC2 instances.

Why this answer

Options B and D are correct because each names one specific, real action (ec2:StartInstances and rds:StartDBInstance) that maps directly to managing existing instances, which is what least privilege calls for. Option A is a valid action, but creating databases is provisioning rather than managing what exists, and it is broader than the task requires. Option C is wrong because ec2:CreateInstances does not exist; the launch action is ec2:RunInstances.

Option E is wrong because ec2:* grants every EC2 action, the opposite of least privilege. In practice a "manage instances" policy also needs the matching Stop, Reboot and Describe actions, and the Resource element should be narrowed (for example with an aws:ResourceTag condition) rather than left as *.

139
MCQeasy

A developer needs to allow a Lambda function to write logs to CloudWatch Logs. What is the MINIMUM IAM policy that should be attached to the Lambda execution role?

A.{"Effect":"Allow","Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],"Resource":"*"}
B.{"Effect":"Allow","Action":"logs:PutLogEvents","Resource":"arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:*"}
C.{"Effect":"Allow","Action":"logs:*","Resource":"*"}
D.{"Effect":"Allow","Action":["logs:DescribeLogGroups","logs:DescribeLogStreams"],"Resource":"*"}
AnswerA

Grants the minimum necessary actions.

Why this answer

Option A is correct because those three actions are exactly what Lambda needs to write logs: logs:CreateLogGroup to create /aws/lambda/<function-name> on first invocation, logs:CreateLogStream because each execution environment writes to its own stream, and logs:PutLogEvents to append entries. This is also the content of the AWS managed policy AWSLambdaBasicExecutionRole. Option B is wrong not because it is too permissive but because it is too narrow: with logs:PutLogEvents alone the function cannot create its log stream (or the group, if it does not exist yet), so logging fails. Option C is wrong because logs:* grants far more than writing logs.

Option D is wrong because the Describe actions are read-only and do not permit writing anything. In production, tighten option A's Resource from * to the function's own log group (arn:aws:logs:<region>:<account-id>:log-group:/aws/lambda/<function-name>:*), and pre-create the group if you want to drop logs:CreateLogGroup entirely.

140
MCQmedium

A security team needs to audit all changes to IAM resources in their AWS account. Which AWS service should they use?

A.VPC Flow Logs
B.AWS CloudTrail
C.AWS Config
D.Amazon CloudWatch Logs
AnswerB

CloudTrail records all AWS API calls for auditing.

Why this answer

Option B is correct because AWS CloudTrail records every IAM API call (CreateUser, AttachRolePolicy, CreateAccessKey and so on) as a management event, together with the calling identity, source IP and request parameters, which is what an audit of IAM changes needs. Option C is wrong because AWS Config tracks resource configuration over time and can flag non-compliant IAM resources, but it does not record who made each API call or capture calls that change nothing. Option D is wrong because CloudWatch Logs only stores log data that something sends to it; it sees API activity only if CloudTrail is configured to deliver events there.

Option A is wrong because VPC Flow Logs capture network flow metadata, not IAM activity. One practical caveat: IAM is a global service, so its CloudTrail events are recorded with awsRegion us-east-1, and a trail only receives them if it includes global service events (or is an organization trail).
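As an added example (not part of the question bank), the following Python reduces CloudTrail records to IAM mutations and reports who made each change, whether the session was MFA-authenticated, and which changes belong to the usual privilege-escalation set. The field names (eventSource, eventName, readOnly, userIdentity, requestParameters) follow the CloudTrail record layout; the events, account ID and user names are constructed for the example.

```python
"""Audit IAM changes from CloudTrail records.

Added example, not code from the question bank.  The record fields used
follow the CloudTrail JSON record layout; the events below are constructed
and the account ID / user names are fictitious.
"""
import json

# Constructed sample: the "Records" array of one delivered CloudTrail log file.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T12:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-10T12:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None},
    {"eventTime": "2024-01-10T12:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2024-01-10T12:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "bob"}},
]})

# IAM writes that most often appear in privilege-escalation chains.
HIGH_RISK = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
    "PutRolePolicy", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "UpdateAssumeRolePolicy", "AddUserToGroup", "DeactivateMFADevice",
}


def iam_changes(trail_json):
    """Return one finding per IAM mutation in a CloudTrail log file (JSON text)."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        # readOnly=True marks Get/List/Describe calls.  A missing flag is treated
        # as a write so the auditor errs on the side of seeing too much.
        if rec.get("readOnly") is True:
            continue
        ident = rec["userIdentity"]
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec["eventTime"],
            "actor": ident["arn"],
            "actor_type": ident["type"],           # IAMUser, AssumedRole, Root, ...
            "mfa": attrs.get("mfaAuthenticated") == "true",
            "action": rec["eventName"],
            "target": params.get("userName") or params.get("roleName") or params.get("groupName"),
            "high_risk": rec["eventName"] in HIGH_RISK,
        })
    return findings


def escalation_alerts(findings):
    """High-risk IAM writes made by the root user or without MFA: the ones to page on."""
    return [f for f in findings
            if f["high_risk"] and (f["actor_type"] == "Root" or not f["mfa"])]


if __name__ == "__main__":
    for f in escalation_alerts(iam_changes(SAMPLE_TRAIL)):
        print(f"{f['time']} {f['actor']} {f['action']} -> {f['target']} (mfa={f['mfa']})")
```

Run against the sample, the ListUsers call and the EC2 launch are dropped, and both remaining IAM writes are alerted: the AdministratorAccess attachment was made without MFA, and the access key was created by the root user. Feeding real log files works the same way, as long as the trail captures global service events, since IAM records always carry awsRegion us-east-1.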

141
MCQmedium

A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. However, users who assume that role are unable to list objects in the bucket. The bucket policy includes a Principal element set to the role ARN. What is the MOST likely cause?

A.The IAM role does not have a permissions policy that allows s3:ListBucket.
B.The bucket has an ACL that denies access to the role.
C.The bucket policy requires MFA, but the role does not enforce MFA.
D.The role's trust policy does not allow sts:AssumeRole.
AnswerA

The role needs an IAM policy allowing S3 actions; bucket policy alone may not be sufficient if the role is not authorized.

Why this answer

Option A is correct. The answer key treats this as a delegation scenario: the bucket policy names the role, but the users who assume it also need an identity-based policy on the role that allows s3:ListBucket, otherwise the request is implicitly denied. Option B is wrong because S3 ACLs cannot deny anything (they only grant) and are disabled by default on new buckets. Option C is wrong because nothing in the scenario mentions an MFA condition, and S3 imposes none of its own.

Option D is wrong because the users are able to assume the role, so its trust policy is already working. Two caveats for practice: when the role and the bucket are in the same account, an Allow in either the bucket policy or the role's identity-based policy is sufficient by itself, so the two-policy requirement really bites in the cross-account case; and a very common cause of exactly this symptom is a bucket policy that grants s3:ListBucket on arn:aws:s3:::bucket/* when ListBucket is a bucket-level action that must be granted on arn:aws:s3:::bucket itself.

142
MCQmedium

A company uses AWS Organizations with SCPs to restrict services. An administrator creates an SCP that denies access to EC2. A developer in a member account tries to launch an EC2 instance but fails. What is the most likely reason?

A.The SCP from the organization denies EC2
B.The root user of the account has denied EC2
C.The developer's IAM permissions boundary blocks EC2
D.The EC2 instance has a resource-based policy denying access
AnswerA

SCPs apply to all principals in the account.

Why this answer

The correct answer is A because Service Control Policies (SCPs) in AWS Organizations act as a centralized governance mechanism that applies a deny effect across all IAM principals in member accounts. When an SCP explicitly denies access to EC2, it overrides any allow permissions at the account level, including those granted by IAM policies. The developer's launch attempt fails because the SCP's deny is evaluated before any account-level permissions, effectively blocking the action regardless of the developer's IAM role or user permissions.

Exam trap

The trap here is that candidates often assume IAM permissions or permissions boundaries are the primary cause of access failures, overlooking that SCPs apply a blanket deny that overrides all account-level permissions, including those of the root user.

How to eliminate wrong answers

Option B is wrong because the root user of a member account is also subject to SCPs from the organization; while the root user has full permissions by default, an SCP that denies EC2 applies to the root user as well, so the root user cannot bypass the SCP to allow EC2. Option C is wrong because an IAM permissions boundary limits the maximum permissions a principal can have, but it does not deny actions by itself; if the developer's IAM policy allowed EC2 and the boundary did not explicitly deny EC2, the boundary would not cause the failure—the SCP's deny is the overriding factor. Option D is wrong because EC2 instances do not have resource-based policies that control who can launch them; resource-based policies are used for services like S3 buckets or Lambda functions, not for controlling the ability to create EC2 instances.

143
Multi-Selectmedium

Which TWO actions can be used to restrict access to an S3 bucket to only users who authenticate using multi-factor authentication (MFA)? (Choose TWO.)

Select 2 answers
A.Use AWS CloudTrail to log requests and deny those without MFA
B.Use pre-signed URLs with MFA credentials
C.Set an S3 bucket ACL that requires MFA
D.Add a condition in the IAM policy that checks aws:MultiFactorAuthPresent is true
E.Add a condition in the bucket policy that checks aws:MultiFactorAuthPresent is true
AnswersB, E

Pre-signed URLs can be generated with MFA, requiring MFA for access.

Why this answer

The key's answers are B and E. A bucket policy whose condition requires aws:MultiFactorAuthPresent to be true (option E) is the standard control: it applies to every principal that touches the bucket, including cross-account ones. Option B counts because a pre-signed URL is authorized as the credentials that signed it, with that session's context, so a URL signed from an MFA-authenticated session carries the MFA requirement to whoever uses it.

Option D, the same condition in the user's identity-based policy, is also a working technique in practice (an identity policy can be scoped to the bucket ARN), but it only constrains the principals it is attached to, which is why the key prefers the bucket policy. Option A is wrong because CloudTrail only records requests; it cannot deny them. Option C is wrong because S3 ACLs have no condition support at all. One gotcha whichever policy you use: aws:MultiFactorAuthPresent is only present for temporary credentials, so a Deny with a Bool condition on the key being false never matches requests signed with long-term access keys (the key is absent, not false); use BoolIfExists for the Deny form, or write the control as a conditional Allow as in option E.

144
MCQhard

A company has a multi-account AWS Organizations setup with a central security account (Account ID: 111122223333) and several member accounts. The security team uses AWS CloudTrail to log all API calls across accounts and stores the logs in an S3 bucket (my-cloudtrail-bucket) in the security account. The team wants to allow the security team members (IAM users in the security account) to access the CloudTrail logs, while denying access to all other users in the organization, including the root user of the security account. The security team has attached the following IAM policy to the IAM group containing the security team members: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*" } ] } However, a security team member reports that they are receiving an AccessDenied error when trying to download a log file. The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*" }, { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "111122223333" } } } ] } What is the most likely reason for the AccessDenied error?

A.The bucket policy denies access to all principals except those in account 111122223333, but the IAM users are in that account, so they are denied.
B.The bucket policy requires secure transport, and the security team member is not using HTTPS.
C.The bucket policy allows only the root user of the security account, not the IAM users.
D.The IAM policy has an implicit deny because the security team members are not allowed to access S3.
AnswerC

The bucket policy's Allow statement grants access to the root user only, not to IAM users in the account.

Why this answer

Option C is the key's answer. The only Allow in the bucket policy names arn:aws:iam::111122223333:root, the security team members are IAM users rather than the root user, and the key reasons that the bucket policy therefore grants them nothing, leaving the implicit deny in force.

Option A is wrong because the third statement denies only principals whose aws:PrincipalAccount is not 111122223333, and the security team's users are in that account, so it does not apply to them. Option B is wrong on the facts given: the SecureTransport deny fires only for plaintext HTTP, and the AWS CLI uses HTTPS by default. Option D is wrong because the group's IAM policy contains an Allow for s3:GetObject on the bucket, not a Deny.

Practitioner's caveat: in real IAM semantics an account-root ARN in a Principal element delegates to the whole account (any IAM principal in 111122223333 whose identity-based policy allows the action), and within the same account the group's identity-based Allow would be sufficient on its own, so outside the exam the first thing to verify is the transport (option B).

145
MCQhard

An IAM policy attached to a user allows s3:GetObject on bucket 'my-bucket'. The user also has a service control policy (SCP) in the organization that denies s3:GetObject on all resources. The user attempts to download an object from 'my-bucket'. What is the outcome?

A.The request fails because the SCP explicitly denies the action.
B.The request succeeds because the IAM policy allows it.
C.The request fails because the SCP effect is 'Allow' and the IAM policy is 'Deny'.
D.The request succeeds because the user is in the management account.
AnswerA

Explicit deny in SCP overrides allow.

Why this answer

The request fails because AWS Organizations Service Control Policies (SCPs) set an upper bound on permissions for every member account in the organization. An explicit Deny in an SCP overrides any Allow from an IAM policy, including those attached directly to the user. Since the SCP denies s3:GetObject on all resources, the user's IAM policy allowing the same action has no effect, and the request fails.

Exam trap

The trap here is that candidates assume the IAM policy alone determines the outcome and forget that an explicit Deny in an SCP overrides any Allow from IAM policies in a member account, no matter who attached the policy.

How to eliminate wrong answers

Option B is wrong because it ignores the SCP; an explicit Deny at the organization level overrides any Allow from an IAM policy, so the request cannot succeed. Option C is wrong because it reverses the effects: the SCP is the Deny and the IAM policy is the Allow. Option D is wrong because nothing in the scenario places the user in the management account, and the question states that the SCP applies to the user, which only happens in a member account. SCPs genuinely do not restrict the management account (or service-linked roles), which is one reason to keep workloads and IAM users out of it.

146
MCQhard

Refer to the exhibit. An IAM policy is attached to a group. A user in the group accesses the S3 bucket from an IP address 203.0.113.5 using HTTPS. What will be the result?

A.The user will be denied access because the source IP is not in the allowed ranges.
B.The user can access objects because an Allow with conditions grants access by default.
C.The user will be denied access because the policy does not allow the action explicitly.
D.The user can access objects because the condition for SecureTransport is met.
AnswerA

IP not in allowed ranges.

Why this answer

Option A is correct. The policy's Allow carries two conditions that must both hold: aws:SourceIp within 192.0.2.0/24 or 198.51.100.0/24, and aws:SecureTransport true. The user's address 203.0.113.5 is outside both ranges, so the Allow does not apply and the request falls to the implicit deny, HTTPS notwithstanding.

Option D is wrong because meeting one condition is not enough; every key in a Condition block is ANDed. Option B is wrong because a conditional Allow grants nothing by default; it applies only when its conditions match. Option C is wrong because the action is allowed explicitly, just under conditions this request fails. Caveat: aws:SourceIp is the public address AWS sees, so requests arriving through a VPC endpoint or a NAT gateway do not carry the client's own IP; for those, condition on aws:VpcSourceIp or aws:SourceVpce instead.

147
Multi-Selecteasy

Which TWO are valid ways to authenticate an IAM user?

Select 2 answers
A.SSL/TLS certificate
B.MFA token
C.Password
D.SSH key pair
E.Access keys (access key ID and secret access key)
AnswersC, E

Used for AWS Management Console access.

Why this answer

Options C and E are correct: a password is the console credential, and an access key ID with its secret access key signs CLI, SDK and API requests. Option A is wrong because SSL/TLS certificates are not an IAM user credential (IAM can store an X.509 signing certificate for a user, but only a few legacy SOAP APIs accept it). Option B is wrong because an MFA token is a second factor presented together with a password or a GetSessionToken call, never a credential on its own.

Option D is wrong because SSH key pairs authenticate to EC2 instances; the SSH public keys IAM can hold for a user serve only Git access to CodeCommit.

148
MCQeasy

A startup company has a single AWS account and a few IAM users. The CEO wants to ensure that no one can delete an S3 bucket that contains critical data. The security engineer creates an IAM policy that denies s3:DeleteBucket for all users. However, the CEO later finds that the bucket was deleted by a user who had full administrator access. Why did the policy fail to prevent the deletion?

A.The root user deleted the bucket, which bypasses IAM policies.
B.A service control policy (SCP) is required to deny actions to all users.
C.An explicit deny cannot override an administrator policy.
D.The deny policy was not attached to the user.
AnswerD

If the deny policy is not attached, the user has full access.

Why this answer

Option D is correct. An explicit Deny in an identity-based policy overrides every Allow, including the AWS managed AdministratorAccess policy, so had the deny been attached to this user the deletion would have failed. Since it succeeded, the deny policy was not actually attached to the user (or to a group the user belongs to).

Option A is wrong because the scenario says an IAM user with administrator access deleted the bucket, not the root user; root does ignore identity-based policies, but that is not what happened here. Option B is wrong because SCPs require AWS Organizations and are unnecessary in a single account, where an identity-based Deny works. Option C is wrong because an explicit deny always wins over an allow.

Practical caveat: a user holding AdministratorAccess can simply detach the deny policy from themselves, so in a single account the durable control is a permissions boundary on administrators, and once the account joins an organization, an SCP.
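Questions 136, 145, 146 and 148 all turn on the same evaluation rules: an explicit Deny beats an Allow, an Allow with an unmet Condition is as good as absent, and an SCP gates member accounts before identity policies are consulted. As an added example (not part of the question bank), this Python implements that subset of the IAM evaluation logic and replays each question's scenario, plus the aws:MultiFactorAuthPresent gotcha from question 143. It supports only Bool, BoolIfExists, StringEquals, StringNotEquals and IpAddress, and ignores resource policies, permissions boundaries and session policies; bucket names, object keys and the policy documents are constructed for the example.

```python
"""Miniature IAM policy evaluator.

Added example, not code from the question bank.  Implements only the rules
the surrounding questions depend on; real IAM has many more operators and
also evaluates resource policies, permissions boundaries and session policies.
"""
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    # IAM treats * and ? as wildcards; action and resource matching here is case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(cond, ctx):
    """Condition keys are ANDed; the values listed for one key are ORed."""
    for op, keys in (cond or {}).items():
        for key, wanted in keys.items():
            wanted = [str(w).lower() for w in _as_list(wanted)]
            have = ctx.get(key)
            if have is None:
                # Absent key: the ...IfExists forms and negated operators match, others fail.
                if op.endswith("IfExists") or op == "StringNotEquals":
                    continue
                return False
            have = str(have).lower()
            if op in ("Bool", "BoolIfExists", "StringEquals"):
                if have not in wanted:
                    return False
            elif op == "StringNotEquals":
                if have in wanted:
                    return False
            elif op == "IpAddress":
                addr = ipaddress.ip_address(have)
                if not any(addr in ipaddress.ip_network(w, strict=False) for w in wanted):
                    return False
            else:
                raise ValueError(f"operator {op} is not supported by this toy")
    return True


def _decide(policies, action, resource, ctx):
    """'deny' on any matching Deny, 'allow' on a matching Allow, else 'implicit'."""
    allowed = False
    for pol in policies:
        for st in _as_list(pol["Statement"]):
            if (_glob_any(st["Action"], action) and _glob_any(st["Resource"], resource)
                    and _condition_ok(st.get("Condition"), ctx)):
                if st["Effect"] == "Deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "implicit"


def is_allowed(action, resource, ctx, identity_policies, scps=None):
    """scps=None models the management account (SCPs never apply there); a list
    models a member account, which needs an SCP Allow and no SCP Deny to proceed."""
    if scps is not None and _decide(scps, action, resource, ctx) != "allow":
        return False
    return _decide(identity_policies, action, resource, ctx) == "allow"


# Policies as the questions describe them (constructed documents).
OBJ = "arn:aws:s3:::example-bucket/report.csv"
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_DELETE_BUCKET = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
GET_IF_SSE = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}
GET_FROM_OFFICE = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "198.51.100.0/24"]},
                  "Bool": {"aws:SecureTransport": "true"}}}]}
SCP_ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_DENY_GET = {"Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}
# MFA gotcha: for long-term access keys the key is absent, not "false".
MFA_DENY_BROKEN = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
MFA_DENY_FIXED = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def scenarios():
    """One entry per question outcome; True means the request is allowed."""
    off_site = {"aws:SourceIp": "203.0.113.5", "aws:SecureTransport": "true"}
    in_office = {"aws:SourceIp": "192.0.2.10", "aws:SecureTransport": "true"}
    mfa_session = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "q136_download_without_sse_header": is_allowed("s3:GetObject", OBJ, {}, [GET_IF_SSE]),
        "q146_https_from_203_0_113_5": is_allowed("s3:GetObject", OBJ, off_site, [GET_FROM_OFFICE]),
        "q146_https_from_allowed_range": is_allowed("s3:GetObject", OBJ, in_office, [GET_FROM_OFFICE]),
        "q145_member_account_scp_deny": is_allowed("s3:GetObject", OBJ, {}, [ADMIN], scps=[SCP_ALLOW_ALL, SCP_DENY_GET]),
        "q145_management_account_ignores_scp": is_allowed("s3:GetObject", OBJ, {}, [ADMIN], scps=None),
        "q148_admin_with_deny_attached": is_allowed("s3:DeleteBucket", "arn:aws:s3:::critical", {}, [ADMIN, DENY_DELETE_BUCKET]),
        "q148_admin_deny_not_attached": is_allowed("s3:DeleteBucket", "arn:aws:s3:::critical", {}, [ADMIN]),
        "mfa_deny_bool_vs_long_term_key": is_allowed("s3:GetObject", OBJ, {}, [ADMIN, MFA_DENY_BROKEN]),
        "mfa_deny_boolifexists_vs_long_term_key": is_allowed("s3:GetObject", OBJ, {}, [ADMIN, MFA_DENY_FIXED]),
        "mfa_deny_boolifexists_vs_mfa_session": is_allowed("s3:GetObject", OBJ, mfa_session, [ADMIN, MFA_DENY_FIXED]),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The two MFA entries are the ones to study: the Deny written with Bool lets an access-key request straight through because the condition key is missing rather than false, while BoolIfExists denies it and still admits an MFA-authenticated session. The management-account entry shows why question 145's option D is a distractor rather than a rule: SCPs simply are not evaluated there.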

149
Multi-Selectmedium

A company needs to implement a cross-account access strategy where users in Account A can assume a role in Account B. Which TWO steps are necessary? (Choose TWO.)

Select 2 answers
A.Attach an IAM policy to the users or groups in Account A that allows sts:AssumeRole targeting the role ARN in Account B.
B.Create an IAM user in Account B with the same name as the users in Account A.
C.Enable MFA for all users in Account A.
D.Attach a resource-based policy to the IAM role in Account B.
E.Create an IAM role in Account B with a trust policy that allows Account A to assume the role.
AnswersA, E

Grants users permission to assume the role.

Why this answer

Options A and E are correct, and both halves are required: the role in Account B must have a trust policy naming Account A (or specific principals in it) as a principal for sts:AssumeRole, and the users in Account A must have an identity-based policy allowing sts:AssumeRole on that role's ARN. Option B is unnecessary; no matching identity is needed in Account B, which is the point of role assumption. Option C is optional: MFA can be demanded by adding an aws:MultiFactorAuthPresent condition to the trust policy, but it is not a prerequisite.

Option D is a distractor: the trust policy in option E is the role's resource-based policy, so option D either restates E or names nothing that exists separately. Caveat: a trust policy that names arn:aws:iam::<Account A>:root delegates to all of Account A, after which Account A's administrators decide who can assume the role; name specific user or role ARNs in the trust policy when that delegation is not intended.

150
Multi-Selectmedium

Which TWO actions are valid ways to grant an IAM user access to an S3 bucket owned by another AWS account? (Choose TWO.)

Select 2 answers
A.Have the user assume an IAM role in the bucket-owning account with appropriate permissions.
B.Create a bucket policy that grants access to the user's AWS account.
C.Attach an IAM policy to the user in their own account allowing access to the bucket.
D.Add the user's ARN to the bucket's ACL.
E.Use an S3 access point with a policy that allows the user.
AnswersA, B

Cross-account role assumption grants temporary access.

Why this answer

Options A and B are correct. With a bucket policy (option B), the bucket owner delegates access to the user's account, and the user's own account must then grant it to the user through an identity-based policy; cross-account access always needs both sides to allow the action. Role assumption (option A) is the other standard pattern: the bucket owner creates a role with the needed S3 permissions and trusts the user's account, and the user obtains temporary credentials in the owner's account. Option C alone is not sufficient: an identity policy in the user's account cannot grant anything on another account's resource without the owner's bucket policy (it is the second half of option B, not an independent method). Option D is wrong because ACLs grant by canonical user ID rather than ARN, and they are disabled by default on new buckets. Option E is possible but not by itself: an access point policy only works across accounts when the bucket policy also delegates to the access point.

Role assumption also sidesteps the object-ownership problem: objects uploaded by another account may stay owned by the uploader unless Object Ownership is set to bucket owner enforced. In both patterns, remember that s3:ListBucket must be granted on the bucket ARN itself, not only on bucket/*.
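Questions 149 and 150 share one rule: across accounts, the resource-owning account must delegate to the caller and the caller's own account must also allow the action. As an added example (not part of the question bank), this Python generates the policy documents for both patterns, a role trust policy plus AssumeRole permission and a bucket policy plus identity policy, and checks that the two halves agree. The account IDs, ARNs and bucket name are fictitious, the check evaluates only Effect, Action, Resource and Principal (no Condition support), and it models the cross-account case only; within a single account either policy alone would suffice.

```python
"""Cross-account grants need both halves.

Added example, not code from the question bank.  Account IDs, names and
ARNs are fictitious; the checker understands Effect/Action/Resource/Principal
only, which is enough to show why one policy on its own is not a grant.
"""
import fnmatch

ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
CALLER = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/CrossAccountReader"
BUCKET = "shared-reports"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def trust_policy(trusted, require_mfa=False):
    """Role trust policy (Account B side).  The account-root ARN delegates to every
    principal in that account; name user/role ARNs instead to be more specific."""
    st = {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": f"arn:aws:iam::{trusted}:root"}}
    if require_mfa:
        st["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [st]}


def identity_policy(actions, resources):
    """Identity-based policy attached on the caller's side (Account A)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}]}


def bucket_policy(bucket, grantee_account, include_bucket_arn=True):
    """Bucket policy (Account B side).  ListBucket is a bucket-level action, so the
    bucket ARN itself must be listed; '/*' alone covers only object-level actions."""
    res = [f"arn:aws:s3:::{bucket}/*"] + ([f"arn:aws:s3:::{bucket}"] if include_bucket_arn else [])
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{grantee_account}:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": res}]}


def _principal_covers(principal, caller_arn):
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))


def _grants(policy, action, resource, caller_arn=None):
    """Explicit Deny wins; otherwise True if some Allow covers the action and resource
    (and, when caller_arn is given, names the caller in its Principal)."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if caller_arn and not _principal_covers(st.get("Principal", {}), caller_arn):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_account_problems(caller_arn, caller_policy, resource_policy, action, resource):
    """Empty list means both halves agree; otherwise each missing half is named."""
    problems = []
    if not _grants(resource_policy, action, resource, caller_arn):
        problems.append("resource account does not delegate this action to the caller")
    if not _grants(caller_policy, action, resource):
        problems.append("caller's own identity policy does not allow this action")
    return problems


def check_setups():
    """Replays the correct answers and the distractors of questions 149 and 150."""
    no_policy = {"Version": "2012-10-17", "Statement": []}
    can_assume = identity_policy(["sts:AssumeRole"], [ROLE])
    s3_read = identity_policy(["s3:GetObject", "s3:ListBucket"],
                              [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    return {
        "assume_both_halves": cross_account_problems(CALLER, can_assume, trust_policy(ACCOUNT_A), "sts:AssumeRole", ROLE),
        "assume_trust_only": cross_account_problems(CALLER, no_policy, trust_policy(ACCOUNT_A), "sts:AssumeRole", ROLE),
        "assume_wrong_account_trusted": cross_account_problems(CALLER, can_assume, trust_policy("333333333333"), "sts:AssumeRole", ROLE),
        "s3_both_halves": cross_account_problems(CALLER, s3_read, bucket_policy(BUCKET, ACCOUNT_A), "s3:ListBucket", bucket_arn),
        "s3_identity_policy_only": cross_account_problems(CALLER, s3_read, no_policy, "s3:ListBucket", bucket_arn),
        "s3_listbucket_on_objects_only": cross_account_problems(CALLER, s3_read, bucket_policy(BUCKET, ACCOUNT_A, include_bucket_arn=False), "s3:ListBucket", bucket_arn),
    }


if __name__ == "__main__":
    for name, problems in check_setups().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The last entry reproduces the ListBucket mistake mentioned above: a bucket policy that lists only shared-reports/* delegates GetObject correctly but never matches the bucket ARN, so listing fails even though both accounts "allowed S3".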
