CCNA IAM Questions

75 of 279 questions · Page 3/4 · IAM topic · Answers revealed

151
Multi-Select · medium

Which TWO are best practices for managing IAM roles for EC2 instances?

Select 2 answers
A.Regularly rotate IAM user access keys.
B.Attach the same role to all instances for simplicity.
C.Apply the principle of least privilege when defining role permissions.
D.Use an IAM role to grant permissions to applications running on EC2.
E.Store AWS access keys directly on the instance.
Answers: C, D

Least privilege plus role-based credentials minimizes the impact of a leaked key.

Why this answer

Option C is correct: define the role's permissions with least privilege. Option D is correct: an instance profile hands the application short-lived, automatically rotated credentials instead of long-term keys. Option A is about IAM users, not roles. Option B is wrong because one shared role gives every instance the union of everyone's permissions. Option E is wrong because keys stored on the instance are long-term credentials that any process, backup or snapshot can expose.

152
MCQ · hard

A security engineer notices that a developer's IAM user has full administrator access. The engineer wants to implement the principle of least privilege for the developer. What is the best way to proceed?

A.Create a new IAM group with the AdministratorAccess policy and add the developer to the group.
B.Use IAM Access Advisor to review the developer's historical usage and create a custom policy that only includes the services and actions used.
C.Replace the AdministratorAccess policy with a managed job function policy such as PowerUserAccess.
D.Remove the administrative access and ask the developer to request permissions as needed.
Answer: B

Grants only the permissions the developer actually uses.

Why this answer

Option B is correct because IAM Access Advisor shows which services (and, for some services, which actions) the user has actually called, so a custom policy can be built from observed usage and then tightened further. Option A is wrong because it leaves AdministratorAccess in place, just via a group. Option C is wrong because a job-function policy such as PowerUserAccess is still far broader than what one developer uses. Option D is wrong because stripping all access without a replacement breaks the developer's work and turns least privilege into an ad hoc request queue.

153
Multi-Select · medium

A security engineer is designing a system to manage access to an S3 bucket containing confidential data. Which TWO actions should the engineer take to implement least privilege?

Select 2 answers
A.Use a condition in the IAM policy to restrict access to requests from a specific IP range.
B.Grant only the specific S3 actions needed (e.g., s3:GetObject) rather than s3:*
C.Use a policy that allows s3:* for all users in the organization.
D.Make the bucket public and rely on object ACLs to restrict access.
E.Use pre-signed URLs for all access to the bucket.
Answers: A, B

Scope the actions down and pin access to known networks.

Why this answer

Options A and B are correct. Option B: grant only the actions the workload needs (for example s3:GetObject) instead of s3:*. Option A: a source-IP condition limits where requests may come from. Option C is wrong because s3:* for everyone is the opposite of least privilege. Option D is wrong because a public bucket exposes everything regardless of object ACLs. Option E is wrong because pre-signed URLs are a short-lived delegation mechanism, not a way to define ongoing least-privilege permissions.

154
MCQ · hard

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the IAM role attached to the instance has an Allow policy for s3:GetObject. The S3 bucket policy includes a Deny statement with the condition 'aws:SourceIp': ['10.0.0.0/8']. What is the likely cause of the failure?

A.The IAM role’s permissions boundary is blocking the action.
B.The IAM role does not have an STS trust policy.
C.The S3 bucket is in a different region.
D.The Deny statement in the bucket policy is blocking the request because the EC2 instance’s IP falls within the 10.0.0.0/8 range.
Answer: D

An explicit Deny in the bucket policy overrides the role's Allow.

Why this answer

Option D is correct: policy evaluation stops at an explicit Deny, so the bucket policy's Deny on requests whose aws:SourceIp falls in 10.0.0.0/8 wins over the role's Allow. Option A is wrong because the question describes no permissions boundary. Option B is wrong because a role that is attached to an instance already has a trust policy for ec2.amazonaws.com; without it the instance could not obtain credentials at all. Option C is wrong because S3 access is not blocked by a region mismatch.

Caveat for practice: aws:SourceIp carries the public address of a request that reaches S3 through an internet gateway or NAT, and the key is not present at all for requests that arrive through a VPC endpoint (use aws:VpcSourceIp there). The exam point is the deny-overrides-allow precedence, not the IP plumbing.

155
Multi-Select · medium

A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which TWO steps are required?

Select 2 answers
A.Add a bucket policy that denies access unless the request source VPC endpoint matches the created endpoint.
B.Add a bucket policy with aws:SourceVpc condition.
C.Create a VPC endpoint for S3 and attach it to the VPC.
D.Attach a VPC endpoint policy that allows the required actions.
E.Create a bucket policy that allows access from the VPC ID.
Answers: A, C

Use the aws:sourceVpce condition against the endpoint ID.

Why this answer

Options C and A are correct. Option C: create a gateway endpoint for S3 in the VPC so that requests carry the endpoint ID. Option A: add a bucket policy that denies every request unless aws:sourceVpce equals that endpoint ID. Options B and E name the VPC rather than the endpoint; aws:SourceVpc is a real condition key, but it is only populated for requests that arrive through a VPC endpoint, so it does not remove the need for step C, and the answer key pairs the endpoint with the aws:sourceVpce deny. Option D is wrong because an endpoint policy is optional; the default endpoint policy allows all access, and the bucket policy enforces the restriction.

156
MCQ · medium

A company uses AWS IAM Identity Center (AWS SSO) to manage access. A user is assigned to a permission set that grants AdministratorAccess. However, when the user tries to access the AWS console, they receive an error that they are not authorized. What is a possible reason?

A.The user is not assigned to the AWS account in Identity Center
B.The user has not set up MFA
C.The permission set does not include the necessary policies
D.The user does not have permissions to manage permission sets
Answer: A

Assignment to the account is required.

Why this answer

Option A is correct: a permission set only takes effect once the user (or their group) is assigned to a specific AWS account with that permission set. Option B is wrong because a missing MFA device prompts the user to enroll at sign-in rather than producing an authorization error inside the account. Option C is wrong because AdministratorAccess already grants the needed permissions. Option D is wrong because managing permission sets is an Identity Center administration task and has nothing to do with the user's ability to sign in to an account.

157
Multi-Select · medium

A security engineer needs to design a system where an EC2 instance can write logs to a CloudWatch log group. Which TWO steps are required?

Select 2 answers
A.Enable server-side encryption for the log group.
B.Attach the IAM role to the EC2 instance profile.
C.Create a CloudWatch log group resource policy that allows the EC2 instance to write logs.
D.Install and configure the CloudWatch agent on the EC2 instance.
E.Create an IAM role with the policy allowing logs:CreateLogStream and logs:PutLogEvents.
Answers: B, E

The role supplies the credentials; its policy supplies the permissions.

Why this answer

Options E and B are correct: create a role whose policy allows logs:CreateLogStream and logs:PutLogEvents on the log group, then attach it to the instance through an instance profile. Option A is wrong because log data is already encrypted at rest; a customer-managed KMS key is optional. Option C is wrong because identity-based permissions on the role are sufficient; CloudWatch Logs resource policies exist, but they are for service principals, not for EC2 instances. Option D describes the agent, which is one way to ship the logs (an application can also call PutLogEvents through the SDK); the two IAM steps the question asks for are E and B.

158
MCQ · hard

An IAM policy includes: { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/MyRole" }. What does this allow?

A.Allows the user to create the role MyRole.
B.Allows the user to pass the role MyRole to an AWS service like Lambda.
C.Allows the user to assume the role MyRole.
D.Allows the user to attach the role to an IAM user.
Answer: B

PassRole lets a principal hand a role to a service that will then assume it.

Why this answer

Option B is correct: iam:PassRole lets the user pass MyRole to a service such as Lambda or EC2, which then assumes it. Option A is wrong because creating a role is iam:CreateRole. Option C is wrong because assuming a role is sts:AssumeRole. Option D is wrong because roles are not attached to IAM users.

Treat iam:PassRole as a sensitive permission: a user who can pass a privileged role to a service they control (a Lambda function, an EC2 instance) effectively gains that role's permissions. Scope the Resource to the specific roles and add an iam:PassedToService condition naming the services allowed to receive them.

159
MCQ · easy

A company wants to grant temporary credentials to mobile app users to access their own data in an S3 bucket. Which AWS service should be used to achieve this securely?

A.Amazon Cognito identity pools
B.AWS Key Management Service (KMS)
C.IAM users with long-term access keys
D.Amazon CloudFront signed URLs
Answer: A

Identity pools exchange a user's token for temporary, scoped AWS credentials.

Why this answer

Option A is correct because a Cognito identity pool issues temporary AWS credentials for each authenticated user, and the role's policy can use the ${cognito-identity.amazonaws.com:sub} variable to confine each user to their own prefix. Option C is wrong because creating IAM users with long-term keys does not scale to a mobile user base and leaves static credentials in the app. Option B is wrong because KMS manages encryption keys, not access credentials. Option D is wrong because CloudFront signed URLs grant access to content but do not issue AWS credentials scoped to a user.

160
MCQ · hard

A security engineer is analyzing an IAM policy that is attached to a group. The policy is intended to allow users to manage their own credentials. However, users are reporting that they cannot change their password. The policy is: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"], "Resource": "*" } ] } What is the issue?

A.The policy does not include the iam:UpdateLoginProfile action.
B.The policy should be attached to the user instead of the group.
C.The policy is missing the iam:CreateLoginProfile action.
D.The policy resource is set to "*", but ChangePassword requires the resource to be the specific user ARN.
Answer: D

The expected policy scopes ChangePassword to the caller's own user ARN.

Why this answer

Option D is correct for this question: the intended policy scopes iam:ChangePassword to the user's own ARN rather than to "*". Option A is wrong because iam:UpdateLoginProfile is for administrators setting another user's password, not for self-service password changes. Option B is wrong because attaching the policy to a group is fine; group policies apply to the members. Option C is wrong because iam:CreateLoginProfile creates a console password for a user who does not have one yet.

Exam note: the AWS managed policy IAMUserChangePassword is the reference pattern here. It allows iam:ChangePassword on arn:aws:iam::*:user/${aws:username} and iam:GetAccountPasswordPolicy on "*".

161
Multi-Select · medium

An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::example-bucket/*', 'Condition': {'IpAddress': {'aws:SourceIp': '192.0.2.0/24'}}. Which TWO statements about this policy are correct?

Select 2 answers
A.The policy allows s3:PutObject from the IP range 192.0.2.0/24.
B.Requests from outside 192.0.2.0/24 will be implicitly denied.
C.The policy allows s3:GetObject only if the bucket owner matches.
D.The policy allows anonymous access.
E.The policy allows s3:GetObject from the IP range 192.0.2.0/24.
Answers: B, E

Allow statements are conditional; if nothing allows the request, it is implicitly denied.

Why this answer

Options E and B are correct: the policy allows s3:GetObject when the request comes from 192.0.2.0/24, and any request that fails the condition matches no Allow and is implicitly denied (assuming no other policy allows it). Option A is wrong because only s3:GetObject is granted, not s3:PutObject. Option C is wrong because the condition tests the source IP, not bucket ownership. Option D is wrong because an identity-based policy never grants anonymous access; the request still has to be signed by a principal the policy applies to.

162
Multi-Select · hard

A company has an S3 bucket that contains sensitive data. The security team wants to enforce that all access to the bucket must use HTTPS and that requests originating from outside the corporate network (as defined by a specific IP range 203.0.113.0/24) must be denied. Which THREE conditions should be included in the S3 bucket policy? (Choose THREE.)

Select 3 answers
A."Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
B."Condition": {"StringLike": {"aws:Referer": "https://corporate.internal/*"}}
C."Condition": {"Bool": {"aws:SecureTransport": "true"}}
D."Effect": "Deny", "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
E."Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
Answers: C, D, E

SecureTransport enforces HTTPS; NotIpAddress in a Deny fences out everyone outside the corporate range.

Why this answer

Options C, D and E are correct. Option C: aws:SecureTransport is the condition key for HTTPS (in practice written as a Deny when it is false). Options D and E: a Deny statement with NotIpAddress on aws:SourceIp for 203.0.113.0/24 rejects every request that does not come from the corporate range. Option B is wrong because aws:Referer checks a spoofable HTTP header, not network location. Option A is wrong because pairing IpAddress with a Deny would deny the corporate range itself, the opposite of the requirement.
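As an added example (not part of the question bank), the following Python re-implements the evaluation order behind Q154, Q161 and Q162: explicit Deny first, then Allow, otherwise implicit deny, with the IpAddress, NotIpAddress, Bool, String* and Null operators. The policies, bucket name and request contexts are constructed; it is a simplified model of IAM, not AWS's engine (no NotAction/NotResource, no policy variables, no cross-account rules).

```python
"""Toy re-implementation of IAM's policy evaluation order (added example; simplified)."""
import fnmatch
import ipaddress


def _listify(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition entry against the request context (ctx)."""
    expected = [str(e) for e in _listify(expected)]
    actual = ctx.get(key)
    if operator == "Null":                       # Null tests presence of the key
        return (actual is None) == (expected[0].lower() == "true")
    if actual is None:                           # a missing key fails every other operator
        return False
    if operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
        return hit if operator == "IpAddress" else not hit
    if operator == "Bool":
        return str(actual).lower() == expected[0].lower()
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"unsupported operator: {operator}")


def _statement_applies(stmt, action, resource, ctx):
    """A statement applies when action, resource and every condition match."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _listify(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, key, expected, ctx):
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Explicit Deny beats Allow; no applicable statement at all is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


OBJ = "arn:aws:s3:::confidential/report.csv"                 # constructed object
BUCKET_RES = ["arn:aws:s3:::confidential", "arn:aws:s3:::confidential/*"]

# Identity policy on the instance role (Q154): allows the read.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::confidential/*"}]}

# Q154: bucket policy denying the private range.
BUCKET_Q154 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_RES,
                              "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}

# Q161: allow reads only from 192.0.2.0/24 (identity policy, no Deny statements).
POLICY_Q161 = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::confidential/*",
                              "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}

# Q162: require TLS and deny everything outside the corporate range.
BUCKET_Q162 = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_RES,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_RES,
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}


def q154(source_ip):
    return evaluate([ROLE_POLICY, BUCKET_Q154], "s3:GetObject", OBJ, {"aws:SourceIp": source_ip})


def q161(action, source_ip):
    return evaluate([POLICY_Q161], action, OBJ, {"aws:SourceIp": source_ip})


def q162(source_ip, https):
    ctx = {"aws:SourceIp": source_ip, "aws:SecureTransport": "true" if https else "false"}
    return evaluate([ROLE_POLICY, BUCKET_Q162], "s3:GetObject", OBJ, ctx)


if __name__ == "__main__":
    print("Q154 from 10.1.2.3:", q154("10.1.2.3"))                          # ExplicitDeny
    print("Q161 PutObject from 192.0.2.5:", q161("s3:PutObject", "192.0.2.5"))  # ImplicitDeny
    print("Q162 plain HTTP from corporate:", q162("203.0.113.9", False))    # ExplicitDeny
```

The three-way result is the point: an "AccessDenied" from S3 can be either an explicit deny (some statement matched with Effect Deny, and no Allow can fix it) or an implicit deny (nothing matched, so an Allow is what is missing). Deciding which one you are looking at is the first step of any IAM troubleshooting.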

163
Matching · medium

Match each AWS CloudHSM feature to its description.

Pairings

HSM: Hardware security module (CloudHSM gives you dedicated, single-tenant modules)

PKCS #11: Cryptographic token interface standard

JCE: Java Cryptography Extension provider

FIPS 140: Security standard for cryptographic modules (CloudHSM modules are validated at Level 3)

Why these pairings

CloudHSM provides dedicated hardware security modules and exposes them through standard interfaces (a PKCS #11 library and a JCE provider), so applications use them without vendor-specific APIs, and the FIPS 140 validation is what lets the modules satisfy compliance requirements for key custody.

164
MCQ · hard

A company has a multi-account AWS organization with centralized logging in a Security account. The Security account contains an S3 bucket that stores CloudTrail logs from all member accounts. The bucket policy allows CloudTrail from member accounts to deliver logs. Recently, a security audit revealed that the bucket is publicly accessible. The security engineer must ensure that only authorized accounts can access the logs. The engineer updates the bucket policy to include a condition that restricts access to specific AWS accounts. However, after the change, member accounts report that CloudTrail is failing to deliver logs to the bucket. The bucket policy currently includes the following statement: { "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::central-logs/*", "Condition": { "StringEquals": { "aws:SourceAccount": "111111111111" } } } The Security account ID is 222222222222. What is the MOST likely cause of the delivery failure, and what should the engineer do to fix it?

A.Modify the KMS key policy to allow CloudTrail to decrypt and re-encrypt logs if SSE-KMS is enabled.
B.Update the bucket ACL to grant the CloudTrail service write access, as CloudTrail requires both bucket policy and ACL permissions.
C.Change the Principal from "*" to the CloudTrail service principal to restrict access more tightly.
D.Create an IAM role in the Security account and configure member accounts to use that role for log delivery.
Answer: B

CloudTrail checks the bucket ACL before writing, so the bucket must let the CloudTrail service principal read the ACL and write objects.

Why this answer

Option B is correct per the answer key: CloudTrail calls GetBucketAcl to verify bucket ownership before delivering, and the bucket ACL is separate from the bucket policy, so a bucket that only grants PutObject still fails delivery. Option A is wrong because a KMS key policy only matters when SSE-KMS is enabled, which the question does not state. Option C is wrong because tightening the Principal to cloudtrail.amazonaws.com is good hygiene but does not restore delivery. Option D is wrong because CloudTrail delivers logs as its own service principal; member accounts do not assume a role in the Security account.

Note on the policy as shown: its aws:SourceAccount condition names only 111111111111, so every other member account is already refused by the policy itself. The standard CloudTrail bucket policy has two statements for the cloudtrail.amazonaws.com principal: s3:GetBucketAcl on the bucket, and s3:PutObject on the log prefixes with the condition s3:x-amz-acl equal to bucket-owner-full-control, with aws:SourceArn or aws:SourceAccount listing every trail or account that delivers.

165
MCQ · medium

A security engineer notices that an IAM user has been using an access key that was not rotated for over 90 days. What is the BEST action to take?

A.Disable the user's access key and create a new one.
B.Do nothing; 90 days is acceptable.
C.Delete the IAM user and create a new one.
D.Notify the user and ask them to rotate the key.
Answer: A

Rotating immediately closes the exposure window while keeping the user working.

Why this answer

Rotating access keys regularly limits how long a leaked key stays usable. The safe order is: create the second key, update every consumer, deactivate the old key, confirm nothing broke (CloudTrail shows no further use of the old key ID), then delete it. Option B ignores the rotation policy. Option C deletes the user's history and permissions for no reason. Option D leaves the stale key live until the user gets round to it.

166
MCQ · easy

An IAM policy includes the following statement: 'Effect': 'Deny', 'Action': 's3:*', 'Resource': '*', 'Condition': {'Bool': {'aws:SecureTransport': 'false'}}. What does this policy do?

A.Denies all S3 actions when the request is not using HTTPS.
B.Denies all S3 actions to a specific bucket.
C.Denies all S3 actions for all users.
D.Allows all S3 actions only when using HTTPS.
Answer: A

The Deny fires when aws:SecureTransport is false, i.e. the request used plain HTTP.

Why this answer

Option A is correct: the statement denies every S3 action whenever the request did not use TLS. Option B is wrong because the Resource is "*", not a single bucket. Option C is wrong because HTTPS requests are not denied by this statement. Option D is wrong because a Deny statement never allows anything; it only removes access that some other statement would grant.

167
MCQ · hard

An IAM role has the above trust policy. Users from account 123456789012 try to assume the role. What is required for the AssumeRole API call to succeed?

A.The user must be an IAM user in the same account as the role.
B.The user must have an IAM policy that allows sts:AssumeRole.
C.The user must have MFA enabled and present the MFA token.
D.The request must originate from a specific IP address range.
Answer: C

The trust policy's condition requires MFA.

Why this answer

The trust policy the question refers to carries an MFA condition (aws:MultiFactorAuthPresent), so the AssumeRole call must include MFA. Option A is wrong because the trust policy names account 123456789012, so cross-account callers are the intended principals. Option D is wrong because the condition is about MFA, not source IP. Option B is marked wrong by the answer key; in practice a cross-account caller also needs sts:AssumeRole in its own identity policy, but the question asks what the trust policy itself requires.

168
MCQ · hard

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that an EC2 instance in the same VPC can access the bucket, but an instance in a peered VPC cannot. Both instances have the same IAM role attached. The VPC endpoint is in the first VPC and is shared via a transit gateway. What is the MOST likely reason the second instance cannot access the bucket?

A.The IAM role does not have permissions for the second instance.
B.The bucket policy condition on aws:sourceVpce does not match requests from the peered VPC.
C.The VPC endpoint is not accessible from the peered VPC.
D.The transit gateway does not support S3 traffic.
Answer: B

Requests from the peered VPC never carry the endpoint ID.

Why this answer

Option B is correct. The bucket policy's aws:sourceVpce condition compares the VPC endpoint ID in the request. A gateway endpoint for S3 only serves the VPC it is created in; traffic from the peered VPC that reaches S3 over the transit gateway does not traverse that endpoint, so the request carries no matching endpoint ID and the condition fails. Option A is wrong because both instances share the same role, so the role is not the issue. Option D is wrong because the transit gateway does not block S3 traffic as such. Option C describes the underlying network fact (the endpoint is not reachable across the peering), but the question asks why the bucket policy rejects the request, which is the condition in B.

169
MCQ · medium

A company wants to allow a third-party auditor to read objects in an S3 bucket for a limited time. The auditor does not have an AWS account. What is the most secure way to grant this access?

A.Use a bucket policy that grants read access to the auditor's AWS account (if they have one).
B.Generate presigned URLs for all objects in the bucket and share them with the auditor.
C.Create a cross-account IAM role with an external ID and allow the auditor to assume the role using AWS STS.
D.Create an IAM user with read-only access and share the credentials with the auditor.
Answer: C

Time-limited access without handing out permanent credentials.

Why this answer

Option C is correct per the answer key: a cross-account role with an external ID yields temporary STS credentials and a confused-deputy guard, without long-term keys. Option D is wrong because sharing IAM user credentials with an outside party violates basic credential hygiene. Option A is wrong because the auditor has no AWS account to name in the bucket policy. Option B is marked wrong because a presigned URL is per object, so a bucket-wide audit would need one for every object.

Caveat: sts:AssumeRole must be called by an AWS principal, so option C presumes the auditor has some AWS identity after all. If they genuinely have none, presigned URLs (option B) are the only listed option that works, and their expiry makes them time-limited by construction.

170
MCQ · medium

A developer needs to grant an EC2 instance access to an S3 bucket. Which is the most secure way to provide credentials to the EC2 instance?

A.Store AWS access keys in the application code
B.Store the keys in an S3 bucket and download them at startup
C.Create an IAM role and attach it to the EC2 instance profile
D.Use environment variables to store the keys
Answer: C

IAM roles provide temporary credentials that are rotated automatically.

Why this answer

Option C is correct because a role attached to an EC2 instance profile lets the instance obtain temporary, automatically rotated credentials from STS through the instance metadata service (IMDS). Nothing long-lived is stored on the instance, which removes the main credential-exposure risk. Require IMDSv2 (the session-token variant) on the instance so that a server-side request forgery bug in the application cannot read the role credentials with a single unauthenticated GET.

Exam trap

The trap here is that candidates may think storing keys in S3 or environment variables is acceptable, but the exam emphasizes that any form of long-term static credential storage on an EC2 instance is insecure compared to using IAM roles with instance profiles and temporary credentials from STS.

How to eliminate wrong answers

Option A is wrong because storing AWS access keys in application code exposes them to version control, code reviews, and potential leaks, violating the principle of least privilege and long-term credential security. Option B is wrong because storing keys in an S3 bucket and downloading them at startup still requires the instance to have long-term credentials to access the bucket, creating a circular dependency and exposing keys during transit and at rest. Option D is wrong because environment variables can be read by any process or user on the instance, are often logged or captured in debugging output, and still rely on long-term access keys that must be manually rotated.

171
MCQ · easy

A developer needs to grant an IAM user the ability to manage their own password and access keys, but not any other IAM users. Which IAM policy should be used?

A.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey", "iam:UpdateLoginProfile"], "Resource": "arn:aws:iam::*:user/*" } ] }
B.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey", "iam:UpdateLoginProfile"], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }
C.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:*", "Resource": "*" } ] }
D.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey"], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }
Answer: B

Restricts the actions to the caller's own user ARN with a policy variable.

Why this answer

Option B is correct because the Resource uses the ${aws:username} policy variable, so each user can only manage the access keys and login profile of the user whose name matches their own. Option A grants the same actions on every user in the account. Option C grants full IAM access. Option D omits iam:UpdateLoginProfile, so password management is missing.

172
MCQ · medium

An IAM policy grants access to a DynamoDB table with a condition that the request must originate from a specific VPC endpoint. However, requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

A.The EC2 instance does not have a public IP address.
B.The security group on the EC2 instance does not allow outbound traffic to the DynamoDB endpoint.
C.The EC2 instance is not using the VPC endpoint to access DynamoDB; it is using an internet gateway.
D.The VPC endpoint policy does not allow the specific DynamoDB action.
Answer: C

The condition only holds when the request actually traverses the endpoint.

Why this answer

Option C is correct: aws:sourceVpce is populated only for requests routed through the VPC endpoint. If the subnet's route table sends DynamoDB traffic to an internet gateway or NAT instead of the gateway endpoint, the request arrives without the endpoint ID and the condition fails. Option A is wrong because a public IP is irrelevant; endpoint traffic stays inside AWS. Option B is wrong because a blocked security group produces timeouts, not an AccessDenied response. Option D is wrong for this question because the default endpoint policy allows everything and the stem attributes the denial to the IAM condition.

173
MCQ · easy

A company uses AWS Organizations and wants to restrict all IAM users in member accounts from using the Amazon EC2 RunInstances API unless they have MFA. What is the most efficient way to enforce this?

A.Create an IAM policy in each member account and attach it to all IAM users.
B.Use a security group to block outbound traffic from EC2 instances unless MFA is used.
C.Create a service control policy (SCP) that denies ec2:RunInstances unless MFA is present, and attach it to the organization root or relevant OUs.
D.Attach a policy to the root user of the master account.
Answer: C

SCPs enforce restrictions centrally across every account they are attached to.

Why this answer

Option C is correct: an SCP attached to the root or to the relevant OUs applies to every IAM user and role in those accounts and cannot be bypassed from inside a member account (a Deny on ec2:RunInstances with BoolIfExists on aws:MultiFactorAuthPresent set to false is the usual shape). Option A is wrong because per-account policies must be created and maintained in every account and any local administrator can remove them. Option D is wrong because the management account's root user is not a distribution point for policy, and SCPs do not apply to principals in the management account in any case. Option B is wrong because security groups filter network traffic; they know nothing about API calls or MFA.

174
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no IAM user can have an access key older than 90 days. What is the MOST efficient way to achieve this?

A.Use an SCP in the root organizational unit that denies IAM actions if the access key age exceeds 90 days.
B.Use AWS Config rules to detect old access keys and send alerts.
C.Use an IAM policy in each account that denies access if the key age exceeds 90 days.
D.Use an SCP to disable IAM user creation.
Answer: A

Centralized enforcement through an SCP (answer key).

Why this answer

Option A is the answer key's choice: an SCP at the root applies to every account at once, whereas option C would have to be repeated and maintained in each account, option B detects and alerts but does not block, and option D prevents new IAM users without doing anything about existing keys.

Caveat for practice: IAM exposes no condition key for the age of an access key (aws:CurrentTime compares the current time, not a key's creation date), so a real SCP cannot evaluate "older than 90 days". The AWS-native way to find stale keys across an organization is the Config managed rule access-keys-rotated (with maxAccessKeyAge set to 90) evaluated through a Config aggregator, driven by each account's IAM credential report, followed by deactivating the offending keys.

175
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team has created an SCP that denies access to all DynamoDB actions except for the 'prod' account. The SCP is attached to the root OU. The 'prod' account has an IAM role that allows full DynamoDB access. A developer in the 'prod' account tries to create a DynamoDB table but receives an 'AccessDenied' error. The developer has the correct IAM permissions. What is the MOST likely cause and what should be done to resolve the issue?

A.The SCP denies DynamoDB by default; the 'prod' account needs an explicit allow in the SCP.
B.The DynamoDB table has a resource-based policy that denies access.
C.The SCP is attached to the OU and cannot be overridden; the developer must use a different account.
D.The IAM role's permissions boundary is blocking access.
Answer: A

SCPs are filters: a Deny that reaches prod, or a missing Allow, blocks prod too.

Why this answer

Option A is correct. An SCP attached to the root applies to every account beneath it, including prod. If the Deny statement does not exclude prod (for example with a condition on aws:PrincipalAccount), or if the default FullAWSAccess SCP was replaced so that no statement allows DynamoDB for prod, the developer's valid IAM permissions are filtered out before they are evaluated. The fix is an SCP that allows DynamoDB for prod (or a Deny that exempts it). Option B is wrong because the stem says the developer's IAM permissions are correct and mentions no resource policy. Option C is wrong because SCPs are edited by the organization administrator; moving the developer to another account is not a fix. Option D is wrong because nothing in the stem mentions a permissions boundary.

176
Multi-Select · easy

Which TWO of the following are best practices for managing IAM user credentials? (Choose TWO.)

Select 2 answers
A.Create a single IAM user for multiple developers.
B.Store access keys in source code repositories for convenience.
C.Enable MFA for all IAM users.
D.Rotate access keys regularly.
E.Use long-term access keys for all users.
Answers: C, D

MFA protects the sign-in; rotation limits the life of a leaked key.

Why this answer

Options C and D are correct: enable MFA for every IAM user and rotate access keys regularly. Option A is wrong because a shared user destroys accountability; give each person their own identity (or use roles). Option B is wrong because keys committed to a repository are effectively public. Option E is wrong because long-term keys should be the exception; workloads should use roles.
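Added example for Q165, Q174 and Q176 (not from the question bank): the detective half of key rotation, i.e. reading an IAM credential report and flagging every active access key older than the threshold, rolled up per account the way an organization-wide audit needs it. The CSV is constructed to mimic the columns of `aws iam get-credential-report` after base64 decoding, with only the columns this script reads; NOW is a fixed evaluation time so the output is deterministic.

```python
"""Find IAM access keys older than the rotation threshold from a credential report
(added example; SAMPLE_REPORT and NOW are constructed)."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::111111111111:user/alice,true,2024-01-05T09:12:00+00:00,false,N/A
bob,arn:aws:iam::222222222222:user/bob,true,2024-05-20T14:00:00+00:00,true,2024-02-01T08:30:00+00:00
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,true,2023-11-30T00:00:00+00:00,false,N/A
"""

# Constructed evaluation time so the example is deterministic.
NOW = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)


def _parse_ts(value):
    """Credential reports use ISO 8601 timestamps or placeholders such as N/A."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv=SAMPLE_REPORT, now=NOW, max_age=MAX_KEY_AGE):
    """Return (user, account, key_slot, age_days) for every active key older than max_age."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        account = row["arn"].split(":")[4]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue                                  # inactive keys cannot be used
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue                                  # slot never had a key
            age = now - rotated
            if age > max_age:
                findings.append((row["user"], account, slot, age.days))
    return findings


def by_account(findings):
    """Roll the findings up per account, the view an organization-wide audit wants (Q174)."""
    return dict(Counter(account for _, account, _, _ in findings))


if __name__ == "__main__":
    for user, account, slot, days in stale_keys():
        print(f"{account} {user}: access key {slot} is {days} days old; rotate, then deactivate")
    print(by_account(stale_keys()))
```

Each finding maps onto the Q165 procedure: create a second key for the user, cut consumers over, set the old key Inactive with update-access-key, watch for errors, then delete it. Running this against the credential report of every account (or letting the Config rule access-keys-rotated do the same) is what "90-day rotation" looks like as a control rather than a policy sentence.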

177
MCQ · medium

A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be logged in AWS CloudTrail and that all requests must be authenticated using IAM credentials. Which S3 bucket policy statement should be added to enforce these requirements?

A."Deny" effect with "StringNotEquals" on "aws:SourceIdentity"
B."Deny" effect with "aws:SourceIp" condition
C."Deny" effect with "Null" condition on "aws:PrincipalArn"
D."Allow" effect with "Referer" condition
Answer: C

Denies requests whose principal ARN is absent, i.e. anonymous requests.

Why this answer

Option C is correct: a Deny statement with the Null condition on aws:PrincipalArn set to true matches requests that carry no principal, which is exactly an unauthenticated request, so every request that survives was signed with IAM credentials. Option A is wrong because aws:SourceIdentity is an optional attribute of STS sessions and is absent for ordinary IAM users. Option B is wrong because a source-IP condition restricts where requests come from, not whether they are authenticated. Option D is wrong because aws:Referer is a client-controlled header.

Note that the logging half of the requirement is not solved by a bucket policy: CloudTrail records object-level S3 calls only if data events are enabled for the bucket.

178
MCQ · medium

A security engineer needs to grant cross-account access to an S3 bucket in Account A to a role in Account B. Which combination of IAM entities must be configured?

A.Bucket policy in Account A and IAM user policy in Account B
B.IAM role in Account B with trust policy for Account A
C.IAM role in Account A with trust policy for Account B
D.IAM user in Account B with permissions to the bucket
Answer: C

The role lives in the account that owns the bucket and trusts Account B.

Why this answer

Cross-account access through role assumption needs a role in the trusting account (Account A) whose trust policy names Account B, plus an identity policy in Account B that allows its role to call sts:AssumeRole. Option C is correct. Option B is wrong because the role must sit in the account that owns the bucket. Option D is wrong because an IAM user in Account B cannot reach the bucket without assuming the role. Option A is marked wrong because it pairs the bucket policy with a user policy rather than with the role the question describes; in practice, a bucket policy in Account A that names Account B's role, combined with an identity policy on that role, is also a valid cross-account pattern that needs no role in Account A.

179
MCQ · easy

A company wants to allow users from an external AWS account to assume a role in the company's account. What must be configured in the company's account?

A.An IAM user in the company's account with cross-account access.
B.A permissions policy that allows the external account to list roles.
C.An IAM identity provider for the external account.
D.A trust policy that allows the external account to assume the role.
Answer: D

The trust policy defines who may assume the role.

Why this answer

The role's trust policy must list the external account (or specific principals in it) as a Principal for sts:AssumeRole. Option A is wrong because cross-account access uses roles, not IAM users. Option B is wrong because listing roles is unrelated to assuming one. Option C is wrong because an identity provider is for federation with SAML or OIDC, not for trusting another AWS account.
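Added example (not from the question bank) for Q167, Q169, Q178 and Q179: a small linter for role trust policies that flags a wildcard principal, a cross-account principal without sts:ExternalId, and the absence of an MFA condition, plus a builder for the external-ID pattern of Q169. The account IDs, the external ID and the sample policies are constructed, and OWN_ACCOUNT (the account that owns the role) is an assumption.

```python
"""Lint IAM role trust policies for common cross-account pitfalls (added example)."""
import re

OWN_ACCOUNT = "222222222222"   # assumption: the account that owns the role being linted


def _listify(v):
    return v if isinstance(v, list) else [v]


def _principal_accounts(principal):
    """Yield the account IDs named under the AWS principal type ('*' is yielded as-is)."""
    entries = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
    for p in entries:
        if p == "*":
            yield "*"
            continue
        m = re.match(r"^(?:arn:aws:iam::)?(\d{12})", p)   # root ARN, role/user ARN or bare ID
        yield m.group(1) if m else p


def _has_condition(stmt, key):
    return any(key in pairs for pairs in stmt.get("Condition", {}).values())


def lint_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Return (severity, message) findings for every AssumeRole statement in the policy."""
    findings = []
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _listify(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:assumerole") for a in actions):
            continue
        accounts = set(_principal_accounts(stmt["Principal"]))
        if "*" in accounts and not stmt.get("Condition"):
            findings.append(("CRITICAL", "any AWS principal can assume this role "
                                         "(Principal '*' with no Condition)"))
        for acct in sorted(accounts - {"*", own_account}):       # cross-account principals
            if not _has_condition(stmt, "sts:ExternalId"):
                findings.append(("WARN", f"account {acct} can assume without sts:ExternalId "
                                         "(confused-deputy risk if it is a third party)"))
            if not _has_condition(stmt, "aws:MultiFactorAuthPresent"):
                findings.append(("INFO", f"account {acct}: no MFA requirement on assumption"))
    return findings


def third_party_trust(partner_account, external_id, require_mfa=False):
    """Build the Q169-style trust policy: one partner account, pinned by an external ID."""
    cond = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        cond["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": cond}]}


# Constructed sample policies.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}
SAME_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/Deploy"},
     "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, pol in [("open", OPEN_POLICY), ("no-external-id", NO_EXTERNAL_ID),
                      ("partner", third_party_trust("123456789012", "e7c1-constructed-id"))]:
        print(name, lint_trust_policy(pol))
```

The external ID is only a guard against the confused-deputy problem (a partner re-using its access on behalf of the wrong customer); it is not a secret that substitutes for scoping the principal, so the builder still names a single partner account rather than "*".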

180
MCQ · hard

A security team wants to grant a Lambda function access to read from a DynamoDB table in the same account. What is the most secure way to do this?

A.Create a VPC endpoint for DynamoDB and associate it with the Lambda function.
B.Attach the AWS managed policy AmazonDynamoDBFullAccess to the Lambda execution role.
C.Store the database access keys in the Lambda environment variables.
D.Create an IAM role with a policy that allows only the required DynamoDB actions (e.g., GetItem, Query) on the specific table and assign it to the Lambda function.
Answer: D

Least privilege on an execution role with temporary credentials.

Why this answer

Option D is correct because the execution role carries only the required actions on the specific table, and Lambda supplies the role's temporary credentials automatically. Option B is wrong because AmazonDynamoDBFullAccess grants every DynamoDB action on every table. Option C is wrong because long-term keys in environment variables are static credentials that leak through logs and function configuration. Option A is wrong because a VPC endpoint controls the network path; it grants no IAM permissions.

181
MCQ · hard

A security engineer notices that an IAM role for an EC2 instance has a policy that allows s3:PutObject on a bucket. However, the application reports access denied when trying to upload. The bucket policy does not explicitly deny access. What is a likely cause?

A.The bucket policy denies access
B.The instance profile is not attached to the EC2 instance
C.The role's policy does not include s3:PutObject
D.The policy condition key does not match the request context
Answer: A

Explicit deny overrides allow (answer key).

Why this answer

Option A is the answer key's choice: an explicit Deny in the bucket policy overrides the role's Allow. Note that the stem itself says the bucket policy contains no explicit deny, which contradicts this choice. Option B is marked wrong because the instance profile is only the container for the role, although a profile that is not attached at all would leave the instance with no credentials. Option C is wrong because the stem says the policy includes s3:PutObject. Option D is marked wrong per the key, although a condition key that does not match the request context is a common real cause of AccessDenied.

In practice, with an Allow in place and no explicit deny, check that the instance is really obtaining the role's credentials from IMDS (and that the SDK is not picking up other credentials from the environment), look for bucket-policy conditions such as a required s3:x-amz-server-side-encryption header or an aws:sourceVpce restriction, and, if the bucket belongs to another account, confirm that its bucket policy also allows the role, since cross-account access is implicitly denied otherwise.

182
MCQ · medium

A security engineer needs to ensure that an IAM role can only be assumed by a specific EC2 instance. The instance has a tag 'Environment=Production'. Which condition key should be used in the trust policy of the role?

A.aws:SourceArn
B.aws:UserAgent
C.aws:SourceAccount
D.ec2:ResourceTag
Answer: D

The condition 'ec2:ResourceTag' can be used to check tags on the EC2 instance.

Why this answer

Option D is correct because 'aws:EC2InstanceSourceVPC' is not a valid key; the correct key is 'ec2:ResourceTag' to check instance tags. Option A is incorrect because 'aws:SourceArn' is used for services like Lambda. Option C is incorrect because 'aws:SourceAccount' checks the account.

Option B is incorrect because 'aws:UserAgent' checks the user agent.

183
MCQ · easy

A company has a single AWS account with multiple IAM users. The administrator created an IAM policy that allows all users to launch EC2 instances, but only if they use a specific AMI ID (ami-12345678) and a specific instance type (t3.micro). The policy uses a condition that checks the EC2 instance type and AMI ID. However, a user is able to launch an EC2 instance with a different AMI ID and a larger instance type. The administrator reviews the policy and confirms that the condition is correctly written. What is the most likely reason that the policy is not working as expected?

A.The condition keys used (ec2:InstanceType and ec2:ImageId) are not supported for the RunInstances action in IAM policies.
B.The policy is attached to the user but must also be attached to the IAM group.
C.The policy does not include an explicit deny statement for non-compliant launches.
D.The condition is written incorrectly; it should use StringLike instead of StringEquals.
Answer: A

These condition keys are not supported for RunInstances; they are only available for certain resource-level permissions like DescribeInstances.

Why this answer

Option A is correct because the `ec2:InstanceType` and `ec2:ImageId` condition keys are not supported for the `ec2:RunInstances` action in IAM policies. AWS IAM condition keys for EC2 are action-specific: only the keys documented for a given action are present in its request context. Because `ec2:ImageId` is not listed in the AWS documentation for RunInstances, the condition is silently ignored, allowing any AMI and instance type.

Exam trap

The trap here is that candidates assume all EC2 request parameters (like AMI ID) are automatically available as IAM condition keys, but AWS only documents specific condition keys per action, and using an unsupported key causes the condition to be ignored rather than denying the request.

How to eliminate wrong answers

Option B is wrong because attaching a policy to an IAM group is not required for it to take effect; policies attached directly to a user are fully evaluated and do not need group attachment to work. Option C is wrong because an explicit deny statement is not needed; IAM policies are deny-by-default, so an allow with a condition that fails results in an implicit deny, but the condition keys are unsupported, so the condition is ignored and the allow applies broadly. Option D is wrong because the condition key issue is not about the operator (StringEquals vs StringLike); even if StringLike were used, the unsupported condition keys would still be ignored, so the policy would still not restrict the launch.

184
MCQ · medium

Refer to the exhibit. This is an S3 bucket policy. The CrossAccountRole in account 111111111111 has an IAM policy that allows s3:GetObject on 'my-bucket'. A user in account 111111111111 assumes the role and tries to get an object. What will happen?

A.Access is allowed because the bucket policy allows access to the role
B.Access is denied because the IAM policy does not grant access to the bucket
C.Access is allowed because both the bucket policy and the IAM policy allow
D.Access is denied because the bucket policy does not grant access to the user
Answers: A, C

Actually both policies allow, so it is allowed.

Why this answer

Option A is correct because both the bucket policy and the IAM policy allow access, and there is no explicit deny. Option B is incorrect because the bucket policy grants access to the role. Option C is incorrect because both policies allow.

Option D is incorrect because the bucket policy is valid.

185
MCQ · medium

A security engineer is troubleshooting an IAM policy that is not working as expected. The policy allows ec2:StartInstances and ec2:StopInstances but the user gets an access denied error when trying to stop an instance. What is the most likely cause?

A.A service control policy is denying the action.
B.The user does not have permission to call ec2:DescribeInstances.
C.The policy does not allow stopping instances in all regions.
D.There is an explicit deny statement in the policy.
Answer: B

The console calls describe before performing actions.

Why this answer

Option B is correct because if the user does not have ec2:DescribeInstances, the AWS Management Console may show an error. Option C is wrong because the policy allows stop. Option D is wrong because if there were an explicit deny, it would be a separate statement.

Option A is wrong because SCPs are at the OU level, not the account.

186
MCQ · medium

A security engineer reviews the trust policy of an IAM role. Which accounts can assume this role?

A.Only the root user of account 123456789012
B.Account 123456789012
C.Any AWS account
D.Account 111111111111
Answer: D

The trust policy allows the entire account.

Why this answer

Option D is correct because the principal is the root user of account 111111111111, meaning any IAM user or role from that account with sts:AssumeRole permission can assume the role. Option C is wrong because it's not any AWS account. Option B is wrong because only account 111111111111 is trusted.

Option A is wrong because the trusted account is 111111111111, not 123456789012.

187
MCQ · hard

A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. The role is used by an application running on an EC2 instance. The application is unable to access the bucket, but the role can access other resources. What is the most likely cause?

A.A service control policy (SCP) denies access to the bucket
B.The bucket policy denies access to the role
C.The EC2 instance does not have an instance profile associated with the role
D.The role's trust policy does not allow EC2 to assume the role
Answer: C

Without an instance profile, the instance cannot assume the role.

Why this answer

Option C is correct because an EC2 instance profile is required to provide the role to the instance. Option D is incorrect because the role can access other resources, so the trust policy is likely correct. Option B is incorrect because the bucket policy is not denying access, it's granting it.

Option A is incorrect because SCPs are not mentioned.

188
MCQ · easy

A developer needs to grant an IAM user temporary access to an S3 bucket for 15 minutes. Which AWS service should be used to generate temporary credentials?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (KMS)
C.AWS Security Token Service (STS)
D.AWS Directory Service
Answer: C

STS issues temporary credentials.

Why this answer

AWS STS is used to request temporary, limited-privilege credentials for IAM users or federated users.

189
Multi-Select · hard

Which THREE AWS services can be used to authenticate users for accessing AWS resources?

Select 3 answers
A.AWS Single Sign-On
B.Amazon Cognito
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
E.AWS CloudTrail
Answers: A, B, D

SSO authenticates users with identity providers.

Why this answer

IAM authenticates users, Cognito provides user pools for federated access, and SSO integrates with identity providers. Option E is not an authentication service. Option C is for secrets management.

190
MCQ · hard

A developer is trying to upload a file to an S3 bucket using the AWS CLI, but receives an 'AccessDenied' error. The IAM policy attached to the user includes 's3:PutObject' on the bucket. The bucket policy has a Deny statement with the condition 'aws:Referer': ['example.com']. The CLI command does not include a referer header. What is the cause of the error?

A.The user’s access keys are expired.
B.The bucket policy denies requests that do not include the required referer header.
C.The IAM policy does not include s3:PutObjectAcl.
D.The CLI is not using HTTPS.
Answer: B

The Deny statement blocks requests without the specified referer.

Why this answer

Option B is correct. Whether the Deny applies depends on how its condition is written: a Deny that matches only when aws:Referer equals example.com would not apply to a request with no referer header, but the typical bucket policy denies every request whose referer is not example.com (StringNotEquals), and a request with no referer header does not pass that check, so the Deny applies.

Since the error persists, the bucket policy must be denying all requests that lack the required referer, which blocks the CLI upload. Option D is wrong because the CLI uses HTTPS. Option C is irrelevant.

Option A is not the cause.

191
MCQ · easy

A company needs to grant cross-account access to an S3 bucket. Which IAM feature should be used?

A.Create an IAM user in the source account and share the credentials.
B.Use an S3 bucket policy that grants access to the external account's IAM users.
C.Use a service control policy (SCP) to allow cross-account access.
D.Use an IAM role in the source account that the external account can assume.
Answer: B

Bucket policies can grant cross-account access.

Why this answer

Option B is correct because a bucket policy can grant access to principals in another account. Option A is wrong because IAM users are within the same account. Option D is wrong because a role can be used but requires the external account to assume the role, not directly access the bucket.

Option C is wrong because SCPs apply within an organization.

192
MCQ · hard

A security team notices that an IAM user has permissions to launch EC2 instances but should not have access to certain instance types. Which IAM policy condition key should be used to restrict this?

A.ec2:ResourceTag
B.ec2:Tenancy
C.ec2:InstanceProfile
D.ec2:InstanceType
Answer: D

Allows restriction based on instance type.

Why this answer

The ec2:InstanceType condition key allows you to restrict IAM users to launching only specific EC2 instance types (e.g., t2.micro, m5.large) by evaluating the instance type value in the RunInstances API call. This is the correct key to enforce a policy that denies access to certain instance types while permitting others.

Exam trap

The trap here is that candidates often confuse ec2:InstanceType with ec2:ResourceTag, thinking they can use tags to restrict instance types, but tags are applied after launch and cannot be used to block the initial API call based on instance type.

How to eliminate wrong answers

Option A is wrong because ec2:ResourceTag is used to control access based on tags attached to EC2 resources, not to restrict instance types. Option B is wrong because ec2:Tenancy controls whether instances can be launched on shared or dedicated hardware (e.g., default vs. dedicated tenancy), not the instance type. Option C is wrong because ec2:InstanceProfile is used to restrict which IAM roles (instance profiles) can be associated with an EC2 instance, not the instance type itself.

193
MCQ · hard

An IAM policy allows a user to pass a specific role and launch EC2 instances. The user tries to launch an EC2 instance with the role 'ec2-full-access' but receives an error: 'You are not authorized to perform iam:PassRole'. What is the MOST likely cause?

A.The role 'ec2-full-access' does not exist in the account
B.The user is attempting to pass a role with an ARN that does not exactly match the one in the policy
C.The policy is missing a condition key such as ec2:InstanceProfile
D.The user does not have permission to call ec2:RunInstances
Answer: B

The policy allows PassRole only for the specific ARN; any other role will be denied.

Why this answer

Option B is correct. The policy allows iam:PassRole on the exact role ARN only, while ec2:RunInstances is allowed on Resource "*". Because the error is about iam:PassRole, the user tried to pass a role whose ARN is not the one in the policy.

The most common issue is that the user is passing a different role or the ARN is incorrect. Option C is wrong because the policy does not require a condition key for PassRole. Option D is wrong because the policy allows ec2:RunInstances on all resources.

Option A is wrong because the role may exist but the ARN mismatch causes the failure.

194
Multi-Select · hard

Which THREE factors should be considered when designing IAM policies for cross-account access? (Choose three.)

Select 3 answers
A.The resource-based policy must allow the external account
B.Permission boundaries must be used
C.The AWS account ID must be specified in the policy
D.The IAM policy in the external account must allow the action
E.Service control policies (SCPs) must allow the action
Answers: A, C, D

The resource must grant access to the external account.

Why this answer

Option A is correct because for cross-account access using resource-based policies (e.g., S3 bucket policies, KMS key policies), the resource-based policy must explicitly grant access to the external AWS account. This allows the external account's IAM principals to access the resource, provided the external account's IAM policy also permits the action. Without this allowance in the resource-based policy, the external account cannot access the resource, even if its own IAM policies allow it.

Exam trap

Cisco often tests the misconception that only one policy (either resource-based or identity-based) is sufficient for cross-account access, but in reality both the resource-based policy and the external account's IAM policy must allow the action.

195
MCQ · easy

A company needs to grant cross-account access to an S3 bucket in Account A to users in Account B. What is the recommended approach?

A.Attach an IAM role to Account B's users.
B.Add a bucket policy in Account A that grants access to the IAM user ARNs from Account B.
C.Make the bucket public.
D.Create an IAM user in Account A and share the credentials with Account B users.
Answer: B

Bucket policy can grant cross-account access to specific IAM principals.

Why this answer

Option B is correct because a bucket policy in Account A can explicitly grant cross-account access to IAM user ARNs from Account B. This is the recommended approach for granting access to an S3 bucket across AWS accounts, as it avoids managing additional IAM users or roles and leverages the resource-based policy directly on the bucket. The bucket policy must specify the `Principal` element with the AWS account ID of Account B and the `Action` and `Resource` for the S3 operations, allowing Account B's IAM users to access the bucket after they have appropriate permissions in their own account.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM policies) and incorrectly think that a bucket policy cannot grant access to users in another account, or they mistakenly believe that an IAM role must be created in the target account for cross-account access.

How to eliminate wrong answers

Option A is wrong because attaching an IAM role to Account B's users is not a valid operation; IAM roles are attached to AWS resources or assumed by users, not directly attached to users in another account. The correct approach would be for Account B's users to assume a cross-account role, but that requires a role in Account A with a trust policy, not attaching a role to users. Option C is wrong because making the bucket public grants access to anyone on the internet, which violates the principle of least privilege and is not a secure cross-account access method.

Option D is wrong because creating an IAM user in Account A and sharing credentials with Account B users introduces security risks (e.g., credential leakage, lack of audit trail) and is not a scalable or recommended practice for cross-account access.

196
Multi-Select · easy

Which TWO services can be used to manage identity and access across multiple AWS accounts? (Choose TWO.)

Select 2 answers
A.Amazon Cognito
B.AWS Organizations
C.AWS Single Sign-On (SSO)
D.AWS Config
E.AWS CloudTrail
Answers: B, C

Organizations lets you manage policies across accounts.

Why this answer

Correct answers are B and C. AWS Organizations allows you to centrally manage accounts and apply SCPs. IAM is used per account.

AWS SSO (now IAM Identity Center) provides single sign-on across accounts. CloudTrail is auditing, not access management. Config is configuration management.

197
MCQ · medium

A company uses IAM roles for EC2 instances to access S3. A security audit reveals that some instances have roles with overly permissive policies. What is the BEST practice to scope down permissions while maintaining functionality?

A.Use S3 bucket policies instead of IAM policies
B.Attach the AdministratorAccess policy to the role and use S3 conditions
C.Create custom IAM policies that grant only the necessary S3 actions on specific buckets
D.Create a new instance profile with a more restrictive permissions boundary
Answer: C

Least privilege is best practice.

Why this answer

Option C is correct because the principle of least privilege is applied by granting only required actions on specific resources. Option A is wrong because S3 bucket policies are resource-based and can be used in addition, not instead. Option B is wrong because granting AdministratorAccess to the role is insecure.

Option D is wrong because instance profiles are just containers for roles.

198
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the production account must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

A.Use an SCP to deny access to the AWS Management Console unless MFA is present. Attach the SCP to the production OU.
B.Disable password-based access for all IAM users and require federation with an identity provider that enforces MFA.
C.Enable MFA on the root user and apply a password policy that requires MFA.
D.Create an IAM policy that denies all console actions unless MFA is present. Attach the policy to the IAM group that contains all production users.
Answer: D

This policy ensures that after login, without MFA, users cannot perform any console actions; combined with requiring MFA for sensitive actions, it effectively enforces MFA for console access.

Why this answer

Option D is correct because an IAM policy with a condition that denies all console actions unless MFA is present can be attached to an IAM group containing all production users. This enforces MFA at the user level within the account, directly meeting the requirement to ensure all IAM users in the production account must use MFA to access the AWS Management Console.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can enforce MFA for console access within an account, but SCPs apply at the organizational level and cannot target specific IAM users or groups within an account.

How to eliminate wrong answers

Option A is wrong because SCPs cannot deny access to the AWS Management Console specifically; they deny actions on AWS resources, and the condition for MFA in an SCP would apply to all accounts in the OU, not just the production account's IAM users. Option B is wrong because disabling password-based access and requiring federation with an identity provider that enforces MFA is a valid approach but not listed as a combination of actions that the security team can take directly within the production account; it requires external setup and does not enforce MFA for existing IAM users. Option C is wrong because enabling MFA on the root user and applying a password policy that requires MFA does not enforce MFA for all IAM users; the root user MFA is separate, and password policies cannot enforce MFA for console access.

199
MCQ · medium

A security engineer is reviewing an AWS account and notices that multiple IAM users have full administrative access. The company policy requires that users have only the permissions necessary to perform their job. What is the MOST secure and efficient way to enforce this policy?

A.Create an IAM policy that denies all actions except those specifically allowed, and attach it to each user.
B.Use an IAM group for each job function, attach appropriate managed policies to the group, and add users to the group.
C.Use an SCP in AWS Organizations to deny all actions by default.
D.Assign an inline policy to each user that specifies allowed actions.
Answer: B

This is the best practice for managing permissions at scale.

Why this answer

Using IAM groups and attaching managed policies to them allows centralized permission management and simplifies the principle of least privilege.

200
MCQ · hard

Refer to the exhibit. A security engineer runs the IAM Policy Simulator with the provided policy input. The result shows 'explicitDeny' for ec2:RunInstances even though the policy only contains an Allow. What is the most likely reason?

A.The user has an attached policy or SCP that explicitly denies ec2:RunInstances.
B.The policy input has a syntax error.
C.The simulate-custom-policy command does not support ec2:RunInstances.
D.The resource ARN is incorrect for ec2:RunInstances.
Answer: A

Explicit deny overrides Allow; other policies may be causing the deny.

Why this answer

Option A is correct because an explicit deny can come from other policies attached to the user or a service control policy (SCP). The simulate-custom-policy command only evaluates the provided policy input, but if the user has other policies or SCPs, they may deny the action. Option D is unlikely because the resource ARN is not the issue.

Option C is not supported by anything shown. Option B is incorrect because the policy syntax is valid.

201
MCQ · hard

Refer to the exhibit. An IAM user has this policy attached. The user tries to download an object from the S3 bucket using the AWS CLI from an on-premises server with IP address 198.51.100.50. What will happen?

A.The request will succeed because the policy allows s3:GetObject.
B.The request will fail because the user must use HTTPS.
C.The request will fail because the user's IP is not in the allowed range.
D.The request will fail because the user must use MFA.
Answer: C

The condition restricts to 192.0.2.0/24.

Why this answer

Option C is correct because the policy allows s3:GetObject only if the request comes from the specified IP range. Since the user's IP is outside that range, the request will be denied. Option A is wrong because the policy does not allow all IPs.

Option D is wrong because there is no requirement for MFA. Option B is wrong because the policy does not require HTTPS; it only checks IP.

202
MCQ · easy

A developer needs to access AWS resources from a mobile app. Which AWS service allows the app to obtain temporary credentials for authenticated users?

A.Amazon Cognito user pools
B.AWS IAM Identity Center (AWS SSO)
C.Amazon Cognito identity pools (federated identities)
D.AWS Key Management Service (AWS KMS)
Answer: C

Provides temporary AWS credentials for authenticated users.

Why this answer

Option C is correct because Amazon Cognito identity pools provide temporary AWS credentials for app users. Option A is for user directories and sign-in. Option B is for single sign-on.

Option D is for key management.

203
MCQ · medium

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The boundary must allow the instance to list all S3 buckets but deny the ability to delete any bucket. Which policy should be used as the permissions boundary?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:DeleteBucket","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"s3:ListAllMyBuckets","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets","s3:DeleteBucket"],"Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Allow","Action":"s3:DeleteBucket","Resource":"*"}]}
Answer: A

Allows list, denies delete, meets requirement.

Why this answer

Permissions boundaries limit the maximum permissions. Option A allows s3:ListAllMyBuckets and denies s3:DeleteBucket, which meets the requirement. Option C allows both actions.

Option B denies list. Option D allows delete.

204
MCQ · medium

An IAM user has the policy shown in the exhibit. The user tries to launch an m5.large instance in us-east-1, but gets an 'AccessDenied' error. Why does this happen?

A.The policy restricts RunInstances to instance type t2.micro, but the user requested m5.large.
B.The condition uses StringEquals, which is case-sensitive and the instance type is in the wrong case.
C.The policy does not allow the RunInstances action at all.
D.The resource ARN in the policy is incorrect for launching instances.
Answer: A

The condition ec2:InstanceType restricts to t2.micro.

Why this answer

Option A is correct because the policy only allows RunInstances for instance type t2.micro, not m5.large. Option C is wrong because the policy allows RunInstances. Option D is wrong because the resource ARN is correct for instances.

Option B is wrong because the condition uses StringEquals, which is valid.

205
MCQ · hard

A security engineer notices that an IAM role has a trust policy that allows 'sts:AssumeRole' from any AWS account. What is the security risk?

A.The role can be assumed by any AWS service.
B.The role's permissions are exposed to all AWS accounts.
C.Any IAM user in any AWS account can assume the role and gain its permissions.
D.The role can be used to access resources in other accounts.
Answer: C

The trust policy is too permissive.

Why this answer

Option C is correct because any user from any account can assume the role. Option D is wrong because the risk is not just about resources outside the account. Option B is wrong because the trust policy allows assumption, not just viewing of the permissions.

Option A is wrong because the risk is that anyone in any account can assume the role, not just AWS services.

206
MCQ · medium

A security team is troubleshooting an issue where an IAM role assumed by a Lambda function is unable to write logs to CloudWatch Logs. The role has an attached policy that allows logs:CreateLogGroup and logs:PutLogEvents. What is a likely reason for the failure?

A.The trust policy of the role does not include Lambda as a trusted entity.
B.The Lambda function is in a VPC without a NAT gateway.
C.The role does not have permission to create network interfaces.
D.The CloudWatch Logs resource policy denies the role.
Answer: A

Without a trust policy, Lambda cannot assume the role.

Why this answer

A Lambda execution role must have a trust policy allowing Lambda to assume it. Option B is irrelevant. Option D is about a resource policy.

Option C is about VPC permissions.

207
MCQ · medium

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The instance is launched in a VPC with a VPC endpoint for S3. The IAM role has a policy that grants s3:GetObject on the bucket. However, the application on the instance receives 'Access Denied' errors when trying to read objects. What is the MOST likely cause?

A.The VPC endpoint policy for S3 does not allow the required action.
B.The EC2 instance does not have an encryption key to decrypt the objects.
C.The S3 bucket policy does not explicitly allow the IAM role.
D.The IAM role is not attached to the EC2 instance profile.
Answer: A

VPC endpoint policies can override IAM permissions.

Why this answer

Option A is correct because a VPC endpoint policy can restrict access to specific buckets, and if it does not allow the target bucket, requests will be denied even if the IAM role allows them. Option C is wrong because the S3 bucket policy is not required to allow the role if the role already grants access. Option D is wrong because the IAM role is correctly associated with the instance.

Option B is wrong because S3 does not require encryption for access.

208
Drag & Drop · medium

Drag and drop the steps to implement AWS KMS key rotation in the correct order.

Why this order

Key rotation starts with creating a CMK, enabling auto-rotation, manual rotation if needed, updating apps, and verifying decryption.

209
Multi-Select · medium

A company wants to allow an IAM role from Account A to access an S3 bucket in Account B. Which THREE conditions must be met?

Select 3 answers
A.The S3 bucket policy in Account B must grant access to the IAM role in Account A.
B.The IAM role in Account A must have a trust policy that allows the S3 bucket's account to assume the role.
C.A service control policy (SCP) must allow the cross-account access.
D.The IAM role must be assumed by an IAM user or AWS service in Account A.
E.The IAM role in Account A must have an IAM permissions policy that allows the required S3 actions.
Answers: A, D, E

The bucket policy must explicitly allow the role.

Why this answer

Options A, D, and E are correct. The role is in Account A and the bucket is in Account B, so the role must be allowed by the bucket policy.

Option A is correct because, to grant cross-account access to an S3 bucket, the bucket policy in Account B must grant access to the IAM role in Account A. Option E is correct because the IAM role in Account A must have a permissions policy that allows the S3 actions. Option D is correct because a user or service in Account A must assume the role to obtain its credentials.

Option B is incorrect because the trust policy governs who can assume the role, not S3 access; S3 access is governed by the bucket's resource-based policy. Option C is incorrect because an SCP could deny the access but is not required.

210
MCQ · medium

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application accesses an S3 bucket to store user uploads. The security team needs to ensure that the EC2 instances can access the S3 bucket without storing AWS credentials on the instances. What should the security team do?

A.Create an IAM user with programmatic access and use those credentials in the application.
B.Configure a security group that allows outbound traffic to the S3 bucket.
C.Create an IAM role with an S3 access policy and attach it to the EC2 instance profile.
D.Store AWS access keys in a configuration file on the EC2 instances.
Answer: C

IAM roles provide temporary credentials via the instance profile, eliminating the need for stored credentials.

Why this answer

Option C is correct because an IAM instance profile with an IAM role grants temporary credentials to EC2 instances. Option D is wrong because storing credentials on instances is insecure. Option A is wrong because it's not a best practice.

Option B is wrong because security groups do not grant access to S3.

211
MCQ · easy

A company wants to allow an IAM user to manage only their own password in the AWS Management Console. Which IAM policy action should be used?

A.iam:ChangePassword
B.iam:ListUsers
C.iam:CreateAccessKey
D.iam:DeactivateMFADevice
Answer: A

Allows the user to change their own password.

Why this answer

The correct action is iam:ChangePassword for changing the password (iam:GetAccountPasswordPolicy is the related action for viewing the password policy). Option A is correct because it allows the user to change their own password. Option B allows listing users, which is not needed.

Option C allows creating access keys, which is unrelated. Option D allows deactivating MFA.

212
MCQ · medium

A company has an IAM policy that allows a user to launch EC2 instances only in a specific Availability Zone (us-east-1a). The user is able to launch instances, but the instances are launched in us-east-1b instead. What is the most likely reason?

A.The policy is not attached to the user; it is attached to a group.
B.The user is using an IAM role that overrides the policy.
C.The policy uses a condition with ec2:Region instead of ec2:AvailabilityZone.
D.The policy uses the condition key "aws:RequestedAvailabilityZone" which is not valid; it should be "ec2:AvailabilityZone".
Answer: D

The correct condition key is ec2:AvailabilityZone.

Why this answer

Option D is correct because ec2:AvailabilityZone is a service-specific condition key, not a global one, and must be specified with the ec2: prefix. With an invalid key such as aws:RequestedAvailabilityZone the condition is not evaluated correctly, so the restriction is not applied.

Options A, B, and C are wrong because the policy is being evaluated (the user is able to launch instances); the problem is the condition key itself, not where the policy is attached or which role is used. With the proper key, the user could launch only in the AZ the policy allows.

213
Multi-Select · easy

A company wants to grant an IAM user the ability to manage (create, update, delete) their own access keys. Which TWO IAM actions must be allowed in the policy?

Select 2 answers
A.iam:UpdateAccessKey
B.iam:CreateAccessKey
C.iam:GetAccessKeyLastUsed
D.iam:DeleteAccessKey
E.iam:ListAccessKeys
Answers: B, D

Needed to create a new access key.

Why this answer

Options B and D are correct because CreateAccessKey and DeleteAccessKey are needed to manage access keys. Option E (ListAccessKeys) is read-only, not required for management. Option A (UpdateAccessKey) is for activating/deactivating, not create/delete.

Option C (GetAccessKeyLastUsed) is read-only.

214
MCQ · easy

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
Answer: D

Correctly allows read-only access to objects in the bucket.

Why this answer

Option D is correct because it grants the s3:GetObject permission on the 'my-bucket/*' resource, which allows the IAM user to read (download) objects from the bucket. For read-only access, the user needs both s3:ListBucket (to list objects) and s3:GetObject (to retrieve objects), but the question asks for a policy that grants read-only access; while D alone is insufficient for full read-only access (it lacks ListBucket), it is the only option that provides a read action on the bucket's objects. The other options either grant write access, full access, or only list permissions without read capability.

Exam trap

The trap here is that candidates often confuse s3:ListBucket with read access, thinking listing objects is sufficient for reading, when in fact s3:GetObject is required to retrieve the actual object data.

How to eliminate wrong answers

Option A is wrong because it only grants s3:ListBucket on the bucket itself, which allows listing objects but not reading their contents; this is insufficient for read-only access. Option B is wrong because it grants s3:* on all resources, which is an administrative full-access policy that violates the principle of least privilege. Option C is wrong because it grants s3:PutObject, which is a write action that allows uploading objects, not read-only access.

215
Multi-Select · medium

Which TWO are characteristics of an IAM role? (Choose 2.)

Select 2 answers
A.It can be used to grant permissions to an AWS service without requiring a user.
B.It does not have long-term access keys.
C.It cannot have an attached permissions policy.
D.It provides temporary security credentials.
E.It is associated with a specific IAM user.
Answers: B, D

Roles do not have permanent keys; they use temporary credentials.

Why this answer

Options B and D are correct. B: Roles do not have long-term access keys; they use temporary security credentials. D: Roles are assumed by entities and provide temporary credentials.

Option A is wrong because roles have a trust policy that specifies who can assume the role. Option C is wrong because roles can have permissions policies attached. Option E is wrong because roles are not associated with a specific user; they can be assumed by multiple entities.

216
MCQ · easy

A company wants to allow an IAM user to list objects in an S3 bucket named 'my-bucket'. Which IAM policy statement grants the minimum required permissions?

A.{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}
B.{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}
C.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}
D.{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket"}
Answer: C

Grants only the required ListBucket action.

Why this answer

Option C is correct because it grants only the s3:ListBucket action on the specified bucket. Option D is wrong because it grants s3:*, which is excessive. Option B is wrong because it uses s3:GetObject, which is not needed for listing.

Option A is wrong because it grants s3:PutObject, which is not needed.

217
MCQ · hard

A company has a multi-account AWS Organization with three accounts: Management, Development, and Production. The Security team uses the Management account to manage IAM policies centrally. They have created a service control policy (SCP) named 'RestrictRootAccess' that denies all actions for the root user in all accounts. The SCP is attached to the root organizational unit. The Development account has an IAM role 'DevAdmin' with full administrator access via an IAM policy. The role's trust policy allows the Management account's 'SecurityAudit' role to assume it. A security engineer in the Management account assumes the 'SecurityAudit' role and then tries to assume the 'DevAdmin' role in the Development account. The assumption fails with an 'AccessDenied' error. What is the most likely cause?

A.The SCP is attached to the root OU and overrides any allow in the member accounts
B.The trust policy of the 'DevAdmin' role does not grant sts:AssumeRole to the 'SecurityAudit' role
C.The SCP 'RestrictRootAccess' denies the sts:AssumeRole action for all principals except root
D.The 'SecurityAudit' role requires MFA to assume the 'DevAdmin' role
Answer: B

Without a trust policy allowing the Management account role, assumption is denied.

Why this answer

The error 'AccessDenied' occurs because the trust policy of the 'DevAdmin' role in the Development account does not explicitly grant the 'sts:AssumeRole' action to the 'SecurityAudit' role from the Management account. Even though the 'SecurityAudit' role has permission to call sts:AssumeRole via its IAM policy, the target role's trust policy acts as a resource-based policy that must allow the incoming principal. Without that allow, the assumption fails regardless of permissions in the source account.

Exam trap

The trap here is that candidates often assume an SCP attached to the root OU can block all actions across accounts, but they forget that trust policies are resource-based and evaluated separately from SCPs, so the SCP cannot cause the 'AccessDenied' error in this cross-account role assumption scenario.

How to eliminate wrong answers

Option A is wrong because SCPs attached to the root OU do not override resource-based policies like trust policies; they only affect IAM policies and cannot block sts:AssumeRole calls that are authorized by the target role's trust policy. Option C is wrong because the SCP 'RestrictRootAccess' denies actions for the root user only, not for all principals, and it does not deny sts:AssumeRole for IAM roles or users. Option D is wrong because there is no evidence or mention of an MFA condition in the trust policy of 'DevAdmin', and the error message does not indicate an MFA requirement.

218
Multi-Select · hard

An organization wants to enforce that all IAM users must use MFA to access the AWS API. Which TWO steps should be taken?

Select 2 answers
A.Rotate all IAM user access keys.
B.Attach the policy to all IAM users or to a group that all users belong to.
C.Create an IAM policy with a condition that denies all actions unless aws:MultiFactorAuthPresent is true.
D.Configure the account password policy to require MFA.
E.Create a service control policy (SCP) that requires MFA for all API calls.
Answers: B, C

The policy must be applied to users to take effect.

Why this answer

Options B and C are correct. An IAM policy with a condition that denies access if MFA is not present (C) must be attached to all users or to a group that all users belong to (B). Option E is wrong because an SCP cannot enforce MFA for IAM users in the same account; it applies to member accounts.

Option D is wrong because the password policy only affects console login. Option A is wrong because access keys are not affected by MFA policies unless the condition is used; rotating them does not enforce MFA.

219
MCQ · medium

A security engineer notices that an IAM role allows 'iam:PassRole' to an EC2 instance. What security risk does this present?

A.The instance can launch new resources with a more privileged role.
B.The instance can modify IAM policies.
C.The instance can stop CloudTrail logging.
D.The instance can decrypt data encrypted with KMS keys.
Answer: A

Privilege escalation via passing a role with more permissions.

Why this answer

PassRole allows an entity to pass a role to an AWS service. If the passed role has broad permissions, the instance can escalate privileges. Option B is not directly related.

Option C is about logging. Option D is about data encryption.

220
MCQ · hard

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role has an attached policy that grants s3:GetObject on the bucket. However, the application on the EC2 instance is unable to read objects. What is the MOST likely cause?

A.The S3 bucket policy denies access to the IAM role.
B.The EC2 instance does not have an IAM instance profile configured.
C.The policy is attached to the EC2 instance instead of the role.
D.The EC2 instance is not running the latest user data script.
Answer: B

Without an instance profile, the role credentials are not available to the instance.

Why this answer

Option B is correct because the instance profile must be associated with the EC2 instance for the role to be used. Option C is wrong because the policy is attached to the role, not the instance. Option A is less likely: a bucket policy could block access, but the scenario gives no indication of one.

Option D is wrong because the user data script does not affect IAM permissions.

221
MCQ · hard

A company uses AWS Organizations with a service control policy (SCP) that denies all IAM actions unless the request comes from a specific IP address range. A security administrator needs to create a new IAM role for a service that runs on-premises, but the request is being denied. What should the administrator do?

A.Modify the SCP to include the on-premises IP address range in the condition.
B.Use the root user of the management account to create the role, as root is not affected by SCPs.
C.Create a new IAM user in the account with full administrator access and use that user to create the role from the on-premises network.
D.Remove the account from the organization temporarily, create the role, and re-add the account.
Answer: A

This allows the on-premises service to perform IAM actions.

Why this answer

Option A is correct because the SCP denies all IAM actions unless the request comes from the specified IP range. To allow the on-premises service, the administrator can add the on-premises IP range to the SCP condition. Option C is wrong because a new administrator user would have full access in the account, but the SCP still overrides it.

Option B is wrong because the SCP affects all principals, including the administrator. Option D is wrong because the SCP applies to all accounts in the organization.

222
MCQ · easy

An AWS Lambda function needs to read from a DynamoDB table. What is the best practice for granting the Lambda function the necessary permissions?

A.Use a resource-based policy on the DynamoDB table to allow the Lambda function.
B.Create an IAM user with the necessary permissions and assign it to the Lambda function.
C.Create an IAM role with the necessary permissions and attach it as the Lambda function's execution role.
D.Embed the IAM user's access key and secret key in the Lambda function code.
Answer: C

This is the recommended approach, allowing secure and temporary credentials.

Why this answer

Option C is correct because attaching an execution role to the Lambda function is the standard and secure method. Option D is wrong because embedding credentials in the code is insecure. Option A is wrong because resource-based policies are not supported for Lambda functions to access DynamoDB.

Option B is wrong because IAM users are not appropriate for service-to-service access.

223
MCQ · medium

A security engineer needs to grant an IAM user in Account A (111111111111) access to an S3 bucket in Account B (222222222222). The bucket policy in Account B allows cross-account access from Account A. Which additional step is required?

A.Attach an IAM policy to the IAM user in Account A granting s3:GetObject on the bucket.
B.Create a cross-account role in Account B and have the user assume it.
C.Attach the bucket policy to the IAM user in Account A.
D.Create an S3 access point in Account B and grant the IAM user access.
Answer: A

The IAM user needs a permissions policy that allows the action; the resource-based policy allows the account, but the user still needs an explicit allow.

Why this answer

Option A is correct because cross-account access requires both a resource-based policy (the bucket policy) and a permissions policy in the requesting account. Option C is wrong because you cannot attach a bucket policy to a user. Option D is wrong because S3 access points are not required.

Option B is wrong because cross-account roles are an alternative, but the IAM user policy is the standard approach when using resource-based policies.

224
MCQ · hard

A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?

A.The IAM user is not authorized to perform 's3:PutObject' on the bucket 'my-bucket'.
B.The bucket policy denies access because the principal is not explicitly listed.
C.The IAM policy grants 's3:PutObject' only on objects (/*), but the request may also require 's3:PutObject' on the bucket itself for some operations.
D.The bucket 'my-bucket' does not exist in the same region as the CLI request.
Answer: C

The IAM policy should allow 's3:PutObject' on the bucket ARN as well, or the bucket policy should explicitly allow the user. The bucket policy allows all principals in the account, so that is not the issue.

Why this answer

Option C is correct because the IAM policy grants 's3:PutObject' only on the bucket's object ARN (arn:aws:s3:::my-bucket/*), but certain S3 operations, such as multipart uploads initiated via the AWS CLI, may require the 's3:PutObject' permission on the bucket resource itself (arn:aws:s3:::my-bucket) to complete the upload. The bucket policy allows 's3:PutObject' for all principals in the same account, but the IAM user's policy is too restrictive, causing the 'Access Denied' error.

Exam trap

The trap here is that candidates assume 's3:PutObject' on the object ARN (/*) is sufficient for all uploads, but the AWS CLI may require the same permission on the bucket ARN for multipart upload initiation, leading to an 'Access Denied' error even when the bucket policy is permissive.

How to eliminate wrong answers

Option A is wrong because the IAM user does have 's3:PutObject' permission on objects within the bucket, as granted by the policy on 'arn:aws:s3:::my-bucket/*'. Option B is wrong because the bucket policy explicitly allows all principals from the same AWS account to perform 's3:PutObject', so the principal is effectively allowed. Option D is wrong because S3 bucket names are globally unique, and the CLI request automatically resolves the correct region; a region mismatch would cause a 'NoSuchBucket' or redirect error, not an 'Access Denied' error.

225
MCQ · hard

An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?

A.Denies all requests from EC2 instances
B.Allows the role to be assumed only by EC2 instances in the specified account and region
C.Denies requests that do not originate from an EC2 instance in the specified account and region
D.Allows any request that comes from an EC2 instance regardless of account
Answer: C

Correct interpretation: Denies if SourceArn is not equal to the given ARN pattern.

Why this answer

The condition uses `StringNotEquals` with `aws:SourceArn`, meaning it denies access when the source ARN does NOT match the specified pattern. Since the condition is attached to a role's trust policy, it restricts which principals can assume the role. The correct effect is that requests not originating from an EC2 instance in account 123456789012 and region us-east-1 are denied.

Exam trap

The trap here is that candidates confuse `StringNotEquals` with `StringEquals`, mistakenly thinking the condition allows only matching ARNs instead of denying non-matching ones, leading them to choose Option B.

How to eliminate wrong answers

Option A is wrong because the condition does not deny all EC2 requests; it only denies those that do not match the specified ARN pattern, allowing requests from EC2 instances in the given account and region. Option B is wrong because the condition uses `StringNotEquals` (deny if not matching), not `StringEquals` (allow only if matching), so it does not positively allow assumption only by those instances. It denies non-matching requests, which effectively allows matching ones, but the statement describes the deny effect. Option D is wrong because the condition explicitly denies requests that do not match the account and region, so it does not allow requests from any EC2 instance regardless of account.
