CCNA IAM Questions

54 of 279 questions · Page 4/4 · IAM topic · Answers revealed

226
MCQhard

An IAM policy has the following statement: {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}. A user with this policy tries to perform s3:ListBucket on 'my-bucket'. Will the request succeed?

A.No, because there is an explicit deny elsewhere.
B.Yes, because s3:* allows all actions.
C.No, because the resource ARN does not include the bucket itself.
D.Yes, because the user has permission to access objects.
AnswerC

ListBucket requires bucket-level ARN.

Why this answer

s3:ListBucket is a bucket-level action, so it is evaluated against the bucket ARN 'arn:aws:s3:::my-bucket' (no trailing /*). The statement's Resource only matches object ARNs under my-bucket/, so no Allow applies and the request is an implicit deny.

Option A is incorrect because nothing in the scenario is an explicit deny; the failure is the absence of a matching Allow. Option B is incorrect because s3:* only covers actions on the resources the statement names, and the bucket itself is not among them. Option D is incorrect because permission on the objects does not imply permission on the bucket; a working policy needs a second statement granting s3:ListBucket on arn:aws:s3:::my-bucket.

227
MCQmedium

A security engineer is troubleshooting an issue where an IAM user is unable to list objects in an S3 bucket even though the user has an IAM policy that allows s3:ListBucket. What is the MOST likely cause?

A.The user's IAM policy is not attached to the user.
B.The bucket is in a different AWS region.
C.The user needs to use MFA.
D.The bucket policy explicitly denies the action for that user.
AnswerD

An explicit deny in a bucket policy overrides any allow.

Why this answer

S3 bucket policies and IAM user policies are evaluated together; if the bucket policy denies access, it overrides the allow.

228
MCQhard

Refer to the exhibit. This IAM policy is attached to a user. The user attempts to assume the AdminRole without using MFA. What is the result?

A.The user can assume the role because the Allow statement grants it
B.The user cannot assume the role because the Deny statement blocks all actions when MFA is not present
C.The user can assume the role because the Deny statement does not apply to sts:AssumeRole
D.The user cannot assume the role because the Allow statement requires MFA
AnswerB

The Deny condition blocks all actions if MFA is false.

Why this answer

Option B is correct because the Deny statement applies to every action when MFA is not present, so sts:AssumeRole is denied regardless of the Allow. Option A is incorrect because an explicit Deny always overrides an Allow. Option C is incorrect because a Deny on all actions includes sts:AssumeRole. Option D is incorrect because the MFA requirement is carried by the Deny statement's condition, not by the Allow.

A caveat when writing such a Deny: aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, so the condition should use BoolIfExists rather than Bool, otherwise those requests slip past the Deny.
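Questions 226 to 228 all come down to the same evaluation order. The following Python model, added here and not part of the original question bank, reproduces it for the three scenarios: it matches Action and Resource with AWS-style wildcards, applies explicit Deny before Allow, treats everything unmatched as an implicit deny, and models the Bool and BoolIfExists operators on aws:MultiFactorAuthPresent. The policy documents, the account ID and the shape of question 228's exhibit (which the page does not reproduce) are assumptions; the Principal element is omitted, so every policy passed in is taken to apply to the caller.

```python
"""Minimal model of IAM policy evaluation (added example, not AWS code).

Decision order: any matching explicit Deny wins, then a matching Allow
grants, anything else is an implicit deny. Action names match
case-insensitively and Resource ARNs case-sensitively, both with AWS
'*' and '?' wildcards. Only the Bool and BoolIfExists condition
operators are modelled, since those are what the MFA question uses.
The Principal element is ignored: every policy passed to evaluate()
is assumed to apply to the caller.
"""
from fnmatch import fnmatchcase

EXPLICIT_DENY, ALLOW, IMPLICIT_DENY = "EXPLICIT_DENY", "ALLOW", "IMPLICIT_DENY"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def _conditions_hold(statement, context):
    """True when every Condition clause is satisfied by the request context.

    Bool requires the key to be present with the expected value;
    BoolIfExists treats a missing key as satisfied. aws:MultiFactorAuthPresent
    is missing from requests signed with long-term access keys, which is why
    AWS recommends BoolIfExists for MFA-enforcing Deny statements.
    """
    for operator, clauses in statement.get("Condition", {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                if operator == "Bool":
                    return False
                continue
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Evaluate one request against the union of all applicable policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)
                    and _conditions_hold(stmt, context)):
                continue
            if stmt["Effect"] == "Deny":
                return EXPLICIT_DENY  # a Deny ends evaluation immediately
            allowed = True
    return ALLOW if allowed else IMPLICIT_DENY


# Question 226: s3:* on object ARNs only (bucket name taken from the question).
OBJECT_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                              "Resource": "arn:aws:s3:::my-bucket/*"}]}


def question_226():
    """ListBucket is checked against the bucket ARN, which the grant misses."""
    listing = evaluate([OBJECT_ONLY], "s3:ListBucket", "arn:aws:s3:::my-bucket")
    reading = evaluate([OBJECT_ONLY], "s3:GetObject", "arn:aws:s3:::my-bucket/report.csv")
    return listing, reading


def question_227():
    """An identity-policy Allow loses to a bucket-policy Deny."""
    identity = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                               "Resource": "arn:aws:s3:::my-bucket"}]}
    bucket = {"Statement": [{"Effect": "Deny", "Action": "s3:ListBucket",
                             "Resource": "arn:aws:s3:::my-bucket"}]}
    return evaluate([identity, bucket], "s3:ListBucket", "arn:aws:s3:::my-bucket")


def question_228(mfa_present, operator="BoolIfExists"):
    """Assumed exhibit: Allow AssumeRole on AdminRole plus Deny-all-without-MFA.

    mfa_present=False models a request signed with long-term keys, where the
    MFA key is absent from the context altogether.
    """
    role_arn = "arn:aws:iam::123456789012:role/AdminRole"  # constructed ARN
    policy = {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}
    context = {"aws:MultiFactorAuthPresent": "true"} if mfa_present else {}
    return evaluate([policy], "sts:AssumeRole", role_arn, context)
```

Running question_228 with operator="Bool" shows why the Deny should use BoolIfExists: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key, the Bool clause is then false, and the Deny never fires.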

229
MCQhard

An IAM user reports that they are unable to launch an EC2 instance in a specific VPC. The user has an IAM policy that allows ec2:RunInstances for all resources. The VPC has a network ACL that allows all inbound and outbound traffic. What is the most likely cause of the failure?

A.The IAM policy does not grant permission to use the VPC.
B.The security group associated with the instance is blocking the launch.
C.The IAM policy does not grant permission to use the subnet.
D.The network ACL is blocking the launch request.
AnswerC

Launching an instance requires permission for the subnet resource, and the policy may not include it.

Why this answer

Option C is correct: ec2:RunInstances is authorized against several resource types, including the subnet, network interface, security group, image, key pair, volume and instance. A policy that grants RunInstances but does not cover the target subnet (for example because a resource ARN or a condition excludes it) fails with an authorization error even though the launch looks like a single API call. Option A is wrong because the VPC is not one of the resources evaluated for RunInstances; the instance is launched into a subnet. Option B is wrong because security groups filter traffic to and from the instance and have no effect on whether the launch is authorized.

Option D is wrong because network ACLs filter network traffic, not IAM authorization of API calls.

230
MCQhard

Refer to the exhibit. A security engineer runs the command above. Which of the following is true about the role MyRole?

A.The role has a resource-based policy attached
B.The role can be assumed by any IAM user in account 123456789012
C.The role can be assumed by any AWS service
D.The role can be assumed by EC2 instances
AnswerD

The trust policy grants sts:AssumeRole to the EC2 service.

Why this answer

The command `aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=MyRole` attaches an IAM instance profile to an EC2 instance. An instance profile is a container for an IAM role that enables EC2 instances to assume that role and obtain temporary credentials via the EC2 metadata service. Therefore, the role MyRole can be assumed by EC2 instances when associated through an instance profile.

Exam trap

Cisco often tests the distinction between an IAM role's trust policy (who can assume it) and the instance profile (the mechanism for EC2 to use the role), leading candidates to incorrectly assume that any AWS service can assume the role or that the role has a resource-based policy attached.

How to eliminate wrong answers

Option A is wrong because a resource-based policy is attached to a resource (e.g., an S3 bucket or KMS key), not to an IAM role; IAM roles use trust policies (a type of resource-based policy for the role entity itself) but the exhibit shows an EC2 instance profile association, not a resource-based policy attachment. Option B is wrong because the trust policy of the role must explicitly grant the `sts:AssumeRole` action to the IAM user or account; the exhibit does not show any such trust policy, and simply having an instance profile does not allow any IAM user to assume the role. Option C is wrong because AWS services assume roles via service-linked roles or trust policies that specify the service principal; the exhibit only shows an EC2 instance profile association, which is specific to EC2, and does not grant assumption by any arbitrary AWS service.

231
MCQhard

A security engineer notices that an IAM user has permissions to create new IAM users and attach policies. What is the most effective way to detect if this user created a backdoor user?

A.Review S3 access logs for any PutObject calls from the IAM user.
B.Use IAM Access Analyzer to review all IAM policies for potential backdoor access.
C.Configure an AWS Config rule to check for IAM users with administrative policies.
D.Enable AWS CloudTrail and monitor IAM events using Amazon CloudWatch Logs and create a metric filter for CreateUser and AttachUserPolicy events.
AnswerD

CloudTrail records all IAM API calls, allowing detection of unauthorized actions.

Why this answer

Option D is correct because CloudTrail records every IAM API call, including CreateUser and AttachUserPolicy, and a CloudWatch Logs metric filter with an alarm turns those records into a near-real-time alert. Option B is wrong because IAM Access Analyzer evaluates policies for external access and unused permissions; it does not report who created a user or when. Option C is wrong because AWS Config evaluates resource configuration state (it could find a user that now carries an administrative policy) but does not capture the API calls that created it.

Option A is wrong because S3 server access logs record object-level access, not IAM actions.
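The detection the answer describes, as an added example that is not part of the original page: the CloudWatch Logs metric filter pattern for the two event names is { ($.eventName = CreateUser) || ($.eventName = AttachUserPolicy) }, and the Python below applies the same match offline to a handful of constructed CloudTrail records, then goes a step further by correlating CreateUser with the policy attachments and access-key creation that make the new user a usable backdoor. The account ID, principal ARNs, user names and timestamps are constructed.

```python
"""Offline detection of backdoor IAM user creation (added example).

Applies the metric-filter match for CreateUser / AttachUserPolicy to
CloudTrail records, then correlates a CreateUser with the later grants
and access-key creation by the same principal on the same new user.
The records are constructed and trimmed to the fields the detection reads.
"""
import json

# Constructed CloudTrail records, one JSON document each as they arrive in
# a CloudWatch Logs group. Account ID, ARNs and user names are made up.
SAMPLE_RECORDS = [json.dumps(r) for r in (
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-ops"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-ops"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:00:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-ops"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/hr-admin"},
     "requestParameters": {"userName": "new-hire"}},
    {"eventTime": "2024-05-01T11:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-ops"},
     "requestParameters": {"bucketName": "reports", "key": "q1.csv"}},
)]

# Same event names as the metric filter pattern
# { ($.eventName = CreateUser) || ($.eventName = AttachUserPolicy) }
METRIC_FILTER_EVENTS = {"CreateUser", "AttachUserPolicy"}
# Any of these turns a freshly created user into something usable.
PRIVILEGE_GRANTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}


def matches_metric_filter(record):
    """Offline equivalent of the CloudWatch Logs filter pattern above."""
    return record.get("eventName") in METRIC_FILTER_EVENTS


def count_metric_filter_matches(raw_records):
    return sum(matches_metric_filter(json.loads(r)) for r in raw_records)


def find_backdoor_users(raw_records):
    """Return one finding per new user that its creator also empowered.

    A CreateUser alone is recorded but only reported when the same principal
    later attaches a policy, adds a group, or creates an access key for it.
    """
    records = sorted((json.loads(r) for r in raw_records), key=lambda r: r["eventTime"])
    created = {}  # (creator ARN, new user name) -> finding
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        creator = rec["userIdentity"]["arn"]
        params = rec.get("requestParameters") or {}
        target = params.get("userName")
        if rec["eventName"] == "CreateUser":
            created[(creator, target)] = {"creator": creator, "user": target,
                                         "grants": [], "access_key": False}
            continue
        finding = created.get((creator, target))
        if finding is None:
            continue  # acting on a user this principal did not create
        if rec["eventName"] in PRIVILEGE_GRANTS:
            finding["grants"].append(params.get("policyArn")
                                     or params.get("groupName")
                                     or params.get("policyName"))
        elif rec["eventName"] == "CreateAccessKey":
            finding["access_key"] = True
    return [f for f in created.values() if f["grants"] or f["access_key"]]
```

On the sample data the metric filter fires three times (two CreateUser, one AttachUserPolicy), while the correlation reports only the svc-backup user: the hr-admin CreateUser with no follow-up grant is the kind of event an analyst would otherwise have to triage by hand.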

232
MCQmedium

An organization is using IAM roles for EC2 instances. The security team needs to ensure that each EC2 instance can only assume a specific role based on tags. Which feature should be used?

A.Service Control Policy (SCP)
B.IAM policy with 'aws:SourceIp' condition
C.IAM permissions boundary
D.Role trust policy with 'aws:ResourceTag' condition
AnswerD

The trust policy can use tags to restrict which EC2 instances can assume the role.

Why this answer

Option D is correct because the role trust policy can use the 'aws:ResourceTag' condition key to restrict which EC2 instances can assume the role based on the instance's tags. This ensures that only instances with specific tags (e.g., 'Environment=Production') are allowed to assume the IAM role, meeting the security team's requirement for tag-based role assumption.

Exam trap

The trap here is that candidates often confuse IAM permissions boundaries (which limit permissions) with trust policies (which control who can assume a role), leading them to select Option C instead of the correct trust policy condition.

How to eliminate wrong answers

Option A is wrong because Service Control Policies (SCPs) are used to set permission boundaries across accounts in an AWS Organization, not to control role assumption based on EC2 instance tags. Option B is wrong because 'aws:SourceIp' condition restricts access based on the source IP address, not on EC2 instance tags, and is irrelevant for instance-based role assumption. Option C is wrong because IAM permissions boundaries define the maximum permissions a role or user can have, but they do not control which EC2 instances can assume a role based on tags.

233
MCQeasy

An IAM user needs to rotate their own access keys. Which IAM policy action should be allowed?

A.iam:DeleteAccessKey
B.iam:UpdateAccessKey
C.iam:CreateAccessKey
D.iam:ChangePassword
AnswerB

Allows updating the status of an access key.

Why this answer

Option B is correct because iam:UpdateAccessKey changes an access key's status (Active or Inactive), which is how the old key is disabled during rotation. Option C is wrong as the single answer because iam:CreateAccessKey only creates the new key. Option A is wrong because iam:DeleteAccessKey only removes a key. Option D is wrong because iam:ChangePassword concerns console passwords, not access keys.

In practice a self-service rotation needs all three key actions plus iam:ListAccessKeys, scoped to the user's own ARN (arn:aws:iam::*:user/${aws:username}): create the new key, switch clients over, deactivate the old key with UpdateAccessKey, then delete it.

234
MCQhard

A company manages a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all Amazon S3 buckets in the organization are encrypted with AWS KMS customer managed keys (CMKs) and that no unencrypted buckets can be created. They also want to ensure that the encryption settings cannot be changed by account administrators. The team uses AWS CloudTrail to log all S3 API calls and wants to detect any attempts to create unencrypted buckets. The security team creates a service control policy (SCP) that denies s3:PutBucketEncryption and s3:PutBucketPolicy unless the request includes a specific encryption setting. However, they find that a developer in a member account was able to create an unencrypted bucket using the AWS Management Console. The CloudTrail logs show that the bucket was created with the s3:CreateBucket API call without specifying any encryption parameters. What should the security team do to prevent this from happening?

A.Modify the SCP to deny s3:CreateBucket unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.
B.Enable CloudTrail Insights to detect unusual S3 activity and create a CloudWatch alarm.
C.Attach an IAM permissions boundary to all IAM roles used by developers that denies s3:CreateBucket.
D.Enable S3 Block Public Access at the account level to prevent unencrypted bucket creation.
AnswerA

Correct – Denies creation of unencrypted buckets via SCP.

Why this answer

A: Correct – The SCP as written only constrains PutBucketEncryption and PutBucketPolicy, so a plain CreateBucket call passed through; extending the Deny to s3:CreateBucket when the expected encryption condition is absent closes that gap, and because SCPs bind every principal in the member account, including administrators, the setting cannot be undone locally. B: Incorrect – CloudTrail Insights and an alarm detect the activity after the fact; they do not prevent it.

C: Incorrect – A permissions boundary is set per role inside the member account and can be changed or removed by that account's administrators, which is exactly what the SCP is meant to rule out. D: Incorrect – S3 Block Public Access controls public ACLs and policies and has nothing to do with encryption.

Caveat: the x-amz-server-side-encryption headers are request headers of object uploads (PutObject), and bucket default encryption is set by a separate PutBucketEncryption call, so a complete control pairs the SCP with a bucket-policy Deny on unencrypted PutObject requests (see question 248) and with a detective AWS Config rule for buckets whose default encryption is not SSE-KMS.

235
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must have a password policy that requires a minimum length of 14 characters. How can this be achieved centrally?

A.Use a service control policy (SCP) to enforce the password policy across all accounts.
B.Use IAM permission boundaries to restrict password policy changes to specific Regions.
C.Use AWS Config rules to automatically remediate non-compliant password policies.
D.Use an SCP that denies the UpdateAccountPasswordPolicy action unless the policy has MinimumPasswordLength >= 14.
AnswerD

SCPs can deny API calls that don't meet conditions.

Why this answer

Option D is correct because an SCP can deny the UpdateAccountPasswordPolicy call when the requested policy does not meet the requirement, and because SCPs apply to every principal in the member account, account administrators cannot weaken it. Option A is wrong because SCPs never grant or configure anything; they only restrict which actions may succeed. Option C is wrong because AWS Config detects and, with a remediation action, reverts a non-compliant policy after the fact, leaving a window in which the weak policy was in force.

Option B is wrong because IAM is a global service, so a Region-based restriction has no meaning here, and permission boundaries are not an organization-wide control.

236
MCQeasy

Refer to the exhibit. This trust policy is attached to an IAM role. What does it allow?

A.All IAM users in account 123456789012 to assume the role with MFA.
B.The root user of account 123456789012 to assume the role without MFA.
C.The root user of account 123456789012 to assume the role only if MFA is present.
D.Any user in account 123456789012 to assume the role without MFA.
AnswerC

The Principal is the account root (arn:aws:iam::123456789012:root) and the Condition requires MFA.

Why this answer

Option C is correct because the Principal is the account root of 123456789012 and the Condition requires aws:MultiFactorAuthPresent to be true, so the assumption succeeds only for an MFA-authenticated session. Options B and D are wrong because the MFA condition makes assumption without MFA impossible. Option A is wrong as keyed because the policy names the account root rather than individual IAM users.

Caveat: in a trust policy the account principal arn:aws:iam::123456789012:root delegates trust to the account as a whole, not only to the literal root user; any IAM user or role in that account whose own policy grants sts:AssumeRole on this role can assume it, still subject to the MFA condition. Pin the Principal to specific role or user ARNs when that delegation is not wanted.

237
Multi-Selecteasy

Which TWO are valid IAM identity-based policies? (Choose 2.)

Select 2 answers
A.Trust policy
B.Inline policy
C.S3 bucket policy
D.Service control policy (SCP)
E.AWS managed policy
AnswersB, E

Inline policies are identity-based policies directly attached to an entity.

Why this answer

Options B and E are correct. B: An inline policy is embedded directly in a single user, group, or role. E: An AWS managed policy is a standalone policy that is attached to IAM identities.

Option A is wrong because a trust policy is attached to a role to define who can assume it; it is the role's resource-based policy. Option C is wrong because a bucket policy is a resource-based policy, not identity-based. Option D is wrong because an SCP is an AWS Organizations guardrail that limits what identities in an account can do; it is not attached to an identity and grants nothing.

238
MCQhard

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all users must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

A.Use AWS CloudTrail to monitor and alert on console logins without MFA
B.Enable MFA through the AWS Account Management console for each account
C.Create an IAM policy in each account that denies access without MFA
D.Apply a service control policy (SCP) at the organization root that denies actions unless MFA is present
AnswerD

An SCP can enforce that all accounts must use MFA by denying access if the condition is not met.

Why this answer

Option D is correct because an SCP attached at the organization root binds every principal in every member account and cannot be altered by member-account administrators. Option C is incorrect because IAM policies in individual accounts can be edited or detached by those accounts' administrators. Option B is incorrect because assigning MFA devices is a per-user setting and does not enforce their use. Option A is incorrect because CloudTrail records and can alert on sign-ins, but it does not block them.

Two caveats when writing the SCP: use BoolIfExists on aws:MultiFactorAuthPresent (the key is absent for requests signed with long-term access keys), and exempt the actions a user needs to enrol a device (such as iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ListMFADevices and sts:GetSessionToken), or users without MFA can never set one up. SCPs also do not apply to the management account (see question 252).

239
MCQhard

A security engineer is troubleshooting an issue where an IAM policy allows access to S3 but the user is denied access to a specific bucket. The policy has the following statement: { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } What is the most likely cause of the denial?

A.The policy statement is too broad and AWS automatically denies access to specific buckets.
B.An explicit deny statement in a different policy (e.g., SCP, permissions boundary) is overriding the allow.
C.The S3 bucket has a bucket policy that denies access to the user.
D.The policy is attached to the user but the user is assuming a role that does not have S3 permissions.
AnswerB

Explicit denies take precedence over allows.

Why this answer

Option B is correct because an explicit Deny anywhere in the effective set of policies (an SCP, a permissions boundary, a session policy or a resource policy) overrides an identity-policy Allow, and an SCP or boundary that simply fails to allow S3 also blocks the request. Option A is wrong because IAM never denies a request on account of a statement being broad. Option C describes a narrower instance of the same mechanism, an explicit deny in the bucket's resource-based policy; B is keyed because it also covers the other policy types.

Option D is wrong because credentials from an assumed role carry the role's permissions, not the user's, so it describes a different scenario from the one given.

240
Multi-Selecteasy

A developer wants to allow an IAM role to be assumed by an EC2 instance that is part of an Auto Scaling group. Which TWO AWS services or features are required? (Choose TWO.)

Select 2 answers
A.AWS Config
B.Instance profile
C.IAM role
D.AWS CloudFormation
E.AWS Single Sign-On (SSO)
AnswersB, C

The instance profile is the container for the role that can be attached to EC2 instances.

Why this answer

An instance profile is required to attach an IAM role to an EC2 instance. When an EC2 instance is launched with an instance profile, the AWS credentials provider on the instance can retrieve temporary security credentials from the IAM role via the instance metadata service (IMDS). This allows the instance to assume the role and perform authorized API actions without embedding long-term credentials.

Exam trap

The trap here is that candidates often confuse IAM roles with instance profiles, thinking a role can be directly attached to an EC2 instance, but the instance profile is the required intermediary container that enables the role to be assumed by the instance.

241
Multi-Selecteasy

A company wants to grant a set of developers the ability to launch EC2 instances but only in a specific subnet. Which THREE steps should be taken?

Select 3 answers
A.Create a VPC endpoint for EC2.
B.Add a condition to the policy that restricts the subnet ID using ec2:Subnet.
C.Allow the developers to assume the role via an IAM policy or trust relationship.
D.Configure a security group to allow outbound traffic from the subnet.
E.Create an IAM role with a policy that allows ec2:RunInstances.
AnswersB, C, E

Conditions can enforce that instances are launched only in the specified subnet.

Why this answer

Options B, C, and E are correct. Create a role whose policy allows ec2:RunInstances (E), constrain that statement with a condition on the ec2:Subnet key, or list only the permitted subnet ARN in the Resource element (B), and let the developers assume the role through their identity policies and the role's trust policy (C). Option A is wrong because a VPC endpoint is a networking construct and grants no IAM permissions.

Option D is wrong because security groups control network traffic, not who may launch instances or where.

242
MCQhard

A company has a policy that requires all IAM users to use multi-factor authentication (MFA) to access the AWS Management Console. A user reports that they are unable to sign in even after configuring MFA. What is the most likely cause?

A.The IAM policy explicitly denies console access.
B.The user is using the root account instead of an IAM user.
C.The MFA token has expired.
D.The MFA device is not properly synchronized with AWS.
AnswerD

Time sync issues can cause MFA authentication to fail.

Why this answer

Option D is correct: virtual MFA devices generate time-based one-time codes, so if the device's clock has drifted the codes it shows are rejected even though MFA is configured correctly. The fix is to resynchronise the device (an administrator can do this in IAM, or the user can re-register it) and to check the device's time settings.

Option A is wrong because an explicit Deny on console access would have nothing to do with MFA and would not appear only after MFA was configured. Option B is wrong because the scenario concerns an IAM user, and the root user can sign in with MFA in any case. Option C is wrong because a TOTP code rotates every 30 seconds; an expired code is simply replaced by the next one and does not explain a persistent sign-in failure.

Note that a policy condition on aws:MultiFactorAuthPresent does not affect console sign-in itself: the sign-in page authenticates the user, and only the actions taken afterwards are evaluated against the policy. A user whose sign-in fails outright has an authentication problem, not an authorization one.

243
MCQhard

A security auditor notices that an IAM role has a policy that grants 'iam:PassRole' to a specific EC2 instance profile. What is the security implication of this permission?

A.It could allow privilege escalation if the role passes a role with more permissions to an EC2 instance.
B.It allows the role to delete IAM roles.
C.It allows the role to create new IAM policies.
D.It allows the role to create new IAM users.
AnswerA

iam:PassRole can be misused to grant higher privileges to EC2 instances.

Why this answer

Option A is correct because iam:PassRole lets the caller hand a role to an AWS service; combined with ec2:RunInstances, the caller can launch an instance that receives the passed role's credentials through its instance profile and then read them back from the instance metadata service. If the passable role is more privileged than the caller, that is a privilege escalation. Limit the Resource of iam:PassRole to the specific role ARNs that should be passable and add a Condition on iam:PassedToService (for example ec2.amazonaws.com). Option B is wrong because deleting roles requires iam:DeleteRole. Option C is wrong because creating policies requires iam:CreatePolicy.

Option D is wrong because creating users requires iam:CreateUser.
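A static check for the escalation path described above, added as an example (not code from the page): it scans a policy document for an iam:PassRole grant whose Resource is wider than the roles the principal should be able to pass, or that lacks an iam:PassedToService condition, but only when the same policy also grants an action that consumes the passed role (ec2:RunInstances from the question, plus two other well-known consumers). The two policies and the role ARN are constructed.

```python
"""Static lint for the iam:PassRole escalation pattern (added example).

Flags an Allow for iam:PassRole when the same policy also grants an action
that hands the passed role to a resource the caller controls, and the
PassRole statement is either wider than the intended roles or lacks an
iam:PassedToService condition. Policies below are constructed.
"""
from fnmatch import fnmatchcase

# Well-known actions that consume a passed role; ec2:RunInstances is the
# case in the question, the others are included as further examples.
ROLE_CONSUMERS = {"ec2:RunInstances", "lambda:CreateFunction", "glue:CreateJob"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(statement, action):
    return statement["Effect"] == "Allow" and any(
        fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement["Action"]))


def lint_passrole(policy, intended_role_arns):
    """Return a list of finding strings; an empty list means nothing flagged."""
    statements = _as_list(policy["Statement"])
    consumers = sorted(a for a in ROLE_CONSUMERS if any(_allows(s, a) for s in statements))
    findings = []
    if not consumers:
        return findings  # PassRole without a consumer cannot be exercised here
    for stmt in statements:
        if not _allows(stmt, "iam:PassRole"):
            continue
        resources = _as_list(stmt["Resource"])
        too_wide = [r for r in resources
                    if any(ch in r for ch in "*?") or r not in intended_role_arns]
        if too_wide:
            findings.append(
                f"iam:PassRole on {too_wide} together with {consumers}: the caller "
                "can obtain credentials of any role matching those resources")
        scoped = any("iam:PassedToService" in clauses
                     for clauses in stmt.get("Condition", {}).values())
        if not scoped:
            findings.append("iam:PassRole has no iam:PassedToService condition, "
                            "so the role can be passed to any service")
    return findings


# Constructed policies for a developer who may launch instances.
APP_ROLE = "arn:aws:iam::123456789012:role/app-server-role"

RISKY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}

HARDENED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": APP_ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
]}
```

The risky policy produces two findings (wildcard resource, missing service condition); the hardened one produces none. A PassRole grant with no consuming action in the same policy is not flagged, since the escalation needs both halves, though the consumer could of course come from another attached policy, which a fuller tool would merge first.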

244
MCQmedium

A security engineer is troubleshooting an issue where an IAM role used by an EC2 instance cannot access an S3 bucket, even though the role has an attached policy that grants s3:GetObject on the bucket. The bucket policy does not explicitly deny access. What is the most likely cause?

A.A service control policy (SCP) is denying access
B.The bucket policy does not grant access to the IAM role
C.The IAM policy is attached to the user instead of the role
D.The bucket has an explicit deny in its policy
AnswerB

Without a bucket-policy grant to the role, the bucket owner has not allowed the access and the implicit deny applies.

Why this answer

Option B is correct as keyed: when the role and the bucket are in different accounts, both sides must allow the access, an identity-policy Allow on the role and a bucket-policy (or other resource-based) Allow naming the role; with the latter missing the request is implicitly denied. Option D is incorrect because the question states there is no explicit deny. Option C is incorrect because the policy is stated to be attached to the role the instance uses.

Option A is incorrect because no SCP is mentioned. Caveat: within a single account an identity-policy Allow on the role is sufficient on its own, so in a same-account case look elsewhere: an SCP or permissions boundary that does not cover S3, a KMS key policy that excludes the role for SSE-KMS objects, a VPC endpoint policy, or objects owned by another account under legacy ACLs.

245
MCQhard

A company wants to grant cross-account access to an S3 bucket. The bucket policy allows access from account 111111111111. An IAM user in account 111111111111 has a policy allowing s3:GetObject on that bucket. However, the user gets AccessDenied. What is the most likely reason?

A.The S3 bucket is in a different region and requires a VPC endpoint.
B.The IAM user policy is attached to a group, not directly to the user.
C.The bucket policy grants access to the account, but the IAM user's ARN is not explicitly listed.
D.The IAM user policy has an explicit deny for s3:GetObject.
AnswerC

When granting cross-account, the bucket policy must specify the IAM user ARN or a condition.

Why this answer

Option C is the keyed answer: the bucket policy names the account but not the user, and the page's rationale is that the caller must be matched explicitly. Option D is wrong because an explicit Deny in the user's own policy is not suggested by the scenario. Option A is wrong because S3 is reachable across Regions without a VPC endpoint.

Option B is wrong because policies attached to a group apply to its members exactly as if attached directly. Caveat: a bucket policy whose Principal is the account (arn:aws:iam::111111111111:root) delegates to that account's IAM, so an IAM user with an identity-policy Allow normally does get access without being listed by ARN. When both sides allow and AccessDenied persists, the usual culprits are a Principal that names something other than the account root, objects written by a third account while ACLs were still enabled (object ownership not set to bucket owner enforced), or a KMS key policy that does not allow the caller for SSE-KMS objects.

246
MCQeasy

An administrator runs the AWS CLI command shown in the exhibit. What does this command do?

A.Lists all IAM policies in the account
B.Lists the managed policies attached to the user 'MyRole'
C.Lists the managed policies attached to the role 'MyRole'
D.Lists all inline policies attached to the role 'MyRole'
AnswerC

The output shows the managed policies (by name and ARN) attached to the role.

Why this answer

Option C is correct. The output lists the managed policies attached to the role 'MyRole', each as a PolicyName and PolicyArn pair, which is what aws iam list-attached-role-policies returns. Option D is wrong because inline policies are listed by name with list-role-policies, not shown here.

Option B is wrong because the command targets a role, not a user (the user equivalent is list-attached-user-policies). Option A is wrong because listing every policy in the account is done with list-policies and would not be scoped to 'MyRole'.

247
MCQeasy

A company's security policy requires that all IAM users must use strong passwords. Which IAM feature should be used to enforce this requirement?

A.AWS Organizations
B.AWS Key Management Service (AWS KMS)
C.AWS CloudTrail
D.IAM password policy
AnswerD

IAM password policy enforces password requirements for IAM users.

Why this answer

Option D is correct because the account's IAM password policy enforces minimum length, character classes, reuse prevention and expiry for IAM users. Option B is wrong because AWS KMS manages encryption keys. Option A is wrong because AWS Organizations manages multiple accounts (it can stop the password policy from being weakened, but the policy itself is an IAM setting).

Option C is wrong because AWS CloudTrail records API activity and enforces nothing.

248
MCQmedium

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What should the security team do to enforce this requirement?

A.Use an S3 bucket policy that requires the x-amz-server-side-encryption-aws-kms-key-id header to match a specific KMS key.
B.Use an S3 bucket policy with a condition that requires the x-amz-server-side-encryption header to be present.
C.Configure the bucket's default encryption to use SSE-KMS.
D.Use an S3 bucket policy with a condition that denies PutObject if the x-amz-server-side-encryption header is not set to 'aws:kms'.
AnswerD

This policy denies uploads that do not use SSE-KMS, effectively enforcing the requirement.

Why this answer

Option D is correct because a bucket-policy statement that denies s3:PutObject when s3:x-amz-server-side-encryption is not aws:kms rejects any upload that does not use SSE-KMS, whatever the client asks for. Option C alone is insufficient because default encryption only fills in the setting for uploads that specify none; a client can still request SSE-S3 (AES256) explicitly and bypass the KMS requirement. Option B is wrong because merely requiring the header to be present still admits AES256. Option A is narrower than the stated requirement: it pins uploads to one key rather than to SSE-KMS in general (a key-ID condition can be layered on top of D where a single key is mandated).

Caveat: because StringNotEquals evaluates to true when the request carries no such header, the Deny also rejects uploads that send no encryption header at all, even if the bucket has SSE-KMS default encryption configured. Clients must therefore set x-amz-server-side-encryption: aws:kms explicitly, which is usually the intent.

249
MCQmedium

A company uses IAM roles for EC2 instances. An application running on an EC2 instance needs to read from an S3 bucket in another AWS account. What is the most secure way to grant access?

A.Create an IAM role in the target account with read access to the bucket, and allow the EC2 instance's role to assume it.
B.Store the other account's IAM user access keys in the EC2 instance.
C.Make the bucket public.
D.Create a bucket policy that allows access from the EC2 instance's public IP.
AnswerA

Uses cross-account role assumption, following security best practices.

Why this answer

Option A is correct because a cross-account role in the bucket's account, assumed by the instance's role, gives the application temporary credentials scoped to the bucket without any long-term secret on the instance. Option B is less secure because static access keys on an instance must be protected and rotated and are a common theft target. Option C exposes the data to everyone.

Option D is both overly permissive and fragile: a public IP is shared by everything behind the same NAT and changes when the instance is replaced. A bucket policy in the target account that names the instance role's ARN as Principal is an equally credential-free alternative; the role-assumption pattern keyed here is preferable when the target account wants to control the permissions itself.

250
Multi-Selectmedium

A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?

Select 2 answers
A.The IAM users in Account A must have an IAM policy that allows the sts:AssumeRole action for the role ARN in Account B.
B.The trust policy for the role must be defined in Account A.
C.The S3 bucket policy must grant access to the IAM users in Account A.
D.The role in Account B must have a trust policy that allows the IAM users in Account A to assume the role.
E.The IAM users in Account A must have cross-account permissions on the S3 bucket in Account B.
AnswersA, D

Users need explicit permission to call AssumeRole.

Why this answer

Option A is correct because for an IAM user in Account A to assume a role in Account B, the user must be explicitly granted permission to call the sts:AssumeRole API action against the role's Amazon Resource Name (ARN). This is done by attaching an IAM policy to the user (or a group or role the user belongs to) that includes the sts:AssumeRole action and specifies the target role ARN as the resource. Option D is correct because the trust policy is the role's own resource-based policy and therefore lives on the role in Account B; it must name the Account A principals (the account root or specific user or role ARNs) that may assume it. Both halves are needed: without the trust policy the identity permission is useless, and without the identity permission the trust policy grants nothing, so either omission produces AccessDenied.

Exam trap

The trap here is confusing where the trust policy is defined (it must be on the role in the target account, not in the source account) and assuming that direct IAM user permissions on the S3 bucket are required instead of using the assumed role's permissions.

251
MCQmedium

A developer creates this CloudFormation stack. An EC2 instance with this role tries to list objects in the bucket. What will happen?

A.The instance can list the bucket but not the objects
B.The instance cannot assume the role because the principal is ec2.amazonaws.com
C.The instance can upload objects to the bucket
D.The instance can list objects in the bucket
AnswerA

s3:ListBucket is the permission that authorizes listing a bucket's objects; it is evaluated against the bucket ARN.

Why this answer

The keyed answer A draws a distinction IAM does not make. The API call that lists objects (ListObjects or ListObjectsV2) is authorized by the s3:ListBucket action, evaluated against the bucket ARN arn:aws:s3:::bucket-name; there is no s3:ListObjects action. Whether the listing succeeds therefore depends on the Resource in the exhibit's policy: with the bucket ARN the instance lists the bucket's objects (option D), with only arn:aws:s3:::bucket-name/* it gets an implicit deny (compare question 226). Option B is wrong because a Principal of ec2.amazonaws.com is exactly what an instance-profile role's trust policy needs. Option C is wrong because nothing grants s3:PutObject.

Reading the objects themselves would additionally need s3:GetObject on the object ARNs.

252
MCQmedium

A company uses AWS Organizations with all features enabled. The security team wants to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if the user does not have MFA. The SCP is attached to the root organizational unit. After a few days, users in a member account report that they can still access the console without MFA. The security team reviews the SCP and finds it is correctly configured. What is the MOST likely reason the SCP is not being enforced?

A.The member account has a separate SCP attached that allows the actions, overriding the root SCP.
B.The member account is the management account of the organization, which is not affected by SCPs.
C.The SCP is missing an explicit allow for the actions, so the default deny is not taking effect.
D.The SCP does not apply to the root user of the member account, so root can bypass MFA.
AnswerB

Correct: The management account is not subject to SCPs.

Why this answer

Option B is correct because SCPs never apply to the organization's management account, so if the account in question is the management account the MFA guardrail is simply not evaluated there. Option A is incorrect because an SCP lower in the hierarchy cannot override a Deny inherited from the root: Denies at any level always apply, and an action must be allowed at every level from root to account to succeed.

Option C is incorrect because a Deny statement needs no accompanying Allow to take effect (member accounts also carry the default FullAWSAccess SCP). Option D is incorrect because SCPs do apply to the root user of a member account.

253
Multi-Selectmedium

Which THREE statements about IAM roles are correct? (Choose THREE.)

Select 3 answers
A.IAM roles can be used by federated users.
B.IAM roles cannot be used for cross-account access.
C.IAM roles can be attached to an IAM user.
D.IAM roles can be assumed by AWS services.
E.IAM roles are global and not specific to a region.
AnswersA, D, E

Federated users can assume roles via SAML or OIDC.

Why this answer

The correct answers are A, D, and E. Federated users (SAML, OIDC or web identity) obtain credentials by assuming a role; AWS services such as EC2 and Lambda assume roles through trust policies that name the service principal; and roles, like all IAM resources, are global and not tied to a Region. Option C is wrong because roles are not attached to users; a user (or a group the user belongs to) is granted sts:AssumeRole and the role's trust policy names the user or account.

Option B is wrong because cross-account access is one of the primary uses of roles.

254
MCQhard

A company uses cross-account IAM roles to allow a third-party vendor to access resources in the company's AWS account. The security team wants to ensure that the vendor can only access the specific S3 bucket named 'vendor-bucket'. What should the security team do?

A.Create an IAM user for the vendor and attach a policy that allows access to 'vendor-bucket'.
B.In the trust policy of the role, specify the vendor's AWS account and attach a permissions policy that allows s3:* on 'vendor-bucket'. Also create a bucket policy that allows the role.
C.Use an SCP to deny access to all S3 buckets except 'vendor-bucket'.
D.Create a new AWS account for the vendor and use VPC peering.
AnswerB

The trust policy allows the vendor to assume the role, and the permissions policy limits actions to the bucket.

Why this answer

Option B is correct: the trust policy names the vendor's account (or a specific role in it) as the principal that may call sts:AssumeRole, the permissions policy attached to the role limits what the assumed session can do to 'vendor-bucket', and a bucket policy that allows the role (or denies every other principal) adds a second layer on the resource side. For a third-party vendor the trust policy should also require a shared secret in an sts:ExternalId condition, which prevents the confused-deputy problem where the vendor is tricked into using its access on a different customer's behalf. Option A is wrong because it issues long-term credentials to an external party. Option C is wrong because an SCP applies to principals in your own organization and can restrict but never grant; it is not the mechanism for delegating access to an outside account. Option D is wrong because VPC peering is a networking construct and does not control access to S3.

255
MCQmedium

Refer to the exhibit. An IAM policy allows s3:GetObject on an S3 bucket only when the object is encrypted with SSE-KMS. An IAM user with this policy attempts to download an object that is not encrypted. What will happen?

A.The download fails because the condition is not met, even though the action is allowed.
B.The download succeeds because the condition is not required.
C.The download fails because the policy is invalid.
D.The download succeeds because there is no explicit deny.
AnswerA

The Allow is conditional; condition not met results in implicit deny.

Why this answer

Option A is correct because the policy grants access only when the condition is met (SSE-KMS). Since the object is not encrypted with SSE-KMS, the condition fails, and the request is denied by default (implicit deny). Option D is incorrect because no explicit deny is needed: an Allow whose condition is not met leaves the request implicitly denied. Option B is incorrect because the condition must be met. Option C is incorrect because the policy is valid and the condition is evaluated normally.

256
MCQeasy

A developer needs to allow an IAM user to manage their own password in the AWS Management Console. Which IAM policy should be attached to the user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:ChangePassword","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:ListUsers","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:ChangePassword","Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:ChangePassword","Resource":"arn:aws:iam::*:user/${aws:username}"}]}
AnswerD

This policy restricts password change to the user's own account using a variable.

Why this answer

Option D is correct because it allows the user to change only their own password, using the ${aws:username} policy variable in the resource ARN. Option A is wrong because it allows the user to change any user's password. Option B is wrong because it only allows listing users. Option C is wrong because it denies the password change.

257
Multi-Selectmedium

A security engineer is designing a CI/CD pipeline that deploys AWS infrastructure using AWS CloudFormation. The pipeline must assume an IAM role in each target account to create and update stacks. Which TWO steps are required to allow cross-account access for CloudFormation? (Choose TWO.)

Select 2 answers
A.Create a service role for CloudFormation in the pipeline account with a trust policy for the target account.
B.Store the target account root credentials in AWS Secrets Manager and retrieve them in the pipeline.
C.Configure the pipeline's IAM role with a trust policy that allows the target account to access it.
D.Use AWS STS AssumeRole in the pipeline to obtain temporary credentials for the target account role.
E.Create an IAM role in the target account with a trust policy allowing the pipeline account to assume it.
AnswersD, E

Correct: The pipeline must assume the target account role via STS to gain permissions.

Why this answer

Option E is correct because the IAM role in the target account must have a trust policy that allows the pipeline account to assume it. Option D is correct because the pipeline (using AWS CodeBuild or similar) must call STS AssumeRole with the role ARN to obtain temporary credentials. Option A is wrong because CloudFormation itself does not assume roles for stack operations; the entity calling CloudFormation assumes the role. Option C is wrong because the pipeline's role does not need a trust policy for the target account. Option B is wrong because cross-account role assumption does not require root user credentials, and storing them would be insecure.

258
MCQhard

A security engineer needs to design an IAM policy that allows an IAM user to launch EC2 instances only if they specify a specific security group ID (sg-12345) and a specific instance type (t2.micro). Which policy achieves this?

A.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:security-group/sg-12345", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro" } } } ] }
B.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro", "aws:RequestTag/security-group": "sg-12345" } } } ] }
C.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro" } } } ] }
D.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro", "ec2:SecurityGroup": "sg-12345" } } } ] }
AnswerD

Correctly restricts both instance type and security group.

Why this answer

Option D is correct because it uses the condition keys ec2:InstanceType and ec2:SecurityGroup to restrict the RunInstances action to both the required instance type and the required security group. Option C restricts only the instance type, not the security group. Option A relies on the security-group resource ARN rather than a security-group condition key. Option B uses aws:RequestTag, but a security group is not a tag.

259
MCQeasy

A company wants to allow an IAM user to list only the objects in a specific S3 bucket named 'my-bucket'. Which IAM policy statement should be used?

A.{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}
B.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}
C.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket/*","Condition":{"StringEquals":{"s3:prefix":""}}}
D.{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}
AnswerB

Correctly grants only ListBucket on the bucket.

Why this answer

Option B is correct because it grants s3:ListBucket on the specific bucket without allowing other actions. Option D is wrong because it allows all S3 actions. Option A is wrong because it grants GetObject instead of ListBucket. Option C is wrong because it uses a condition that is not required for listing.

260
MCQmedium

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to enforce this?

A.AWS Organizations SCP to deny access if keys are older than 90 days.
B.AWS Config with a custom rule that checks key age and triggers a Lambda function to rotate keys.
C.AWS CloudTrail to monitor key usage and send notifications.
D.AWS Lambda on a schedule to rotate keys.
AnswerB

AWS Config can evaluate key age and invoke Lambda to rotate.

Why this answer

Option B is correct because AWS Config can evaluate IAM access key age and trigger a Lambda function to rotate the keys automatically. Option C is wrong because CloudTrail logs API calls but does not rotate keys. Option D is wrong because a Lambda function can perform the rotation but needs to be triggered by something that evaluates key age, such as Config. Option A is wrong because SCPs do not rotate keys.

261
MCQmedium

A company uses cross-account roles to allow developers in the 'dev' account to access resources in the 'prod' account. The trust policy in 'prod' allows the 'dev' account to assume the role. The developers have an IAM policy that allows sts:AssumeRole on the role ARN. However, when a developer tries to assume the role via the AWS CLI, they get an error that the role cannot be assumed. The developer can list the role using IAM. What is the MOST likely cause?

A.The developer's IAM policy does not include sts:AssumeRole.
B.The developer is not providing the required external ID when calling sts:AssumeRole.
C.The developer must use MFA to assume the role.
D.The role ARN specified in the policy is incorrect.
AnswerB

External ID is required if the trust policy specifies it.

Why this answer

Option B is correct. The trust policy must allow the specific IAM entity (user or role) or the entire account; if it allows the account, the assumption should work unless the trust policy also requires an external ID. If an external ID is required and the developer does not provide it, the AssumeRole call fails. Option A is wrong because the developer's policy already allows sts:AssumeRole. Option D is wrong because the developer can list the role, so the role ARN is correct. Option C is wrong because MFA is only required if the trust policy demands it.

262
MCQmedium

Refer to the exhibit. A KMS key policy allows decryption only when the request comes through S3 in us-east-1. An application in account 111122223333 tries to decrypt an S3 object using the KMS key directly via the KMS API (not through S3). What will happen?

A.The decryption succeeds because the principal is the root user.
B.The decryption fails because the policy is invalid.
C.The decryption succeeds because the principal is allowed.
D.The decryption fails because the condition on kms:ViaService is not satisfied.
AnswerD

The condition requires the request to come via S3.

Why this answer

Option D is correct because the condition restricts kms:ViaService to S3 in us-east-1. Since the request is made directly to the KMS API, the condition is not met, resulting in an implicit deny. Option A is incorrect because the condition is still not satisfied. Option B is incorrect because the policy is valid. Option C is incorrect because the condition is about the calling service, not the principal.

263
MCQeasy

A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table named 'Orders' in the same AWS account. The developer attaches an IAM policy to the Lambda execution role that includes the following statement: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders" } ] } When testing the Lambda function, it fails with an access denied error when trying to read from the table. The developer checks the Lambda function's code and confirms it is calling DynamoDB correctly. What is the MOST likely reason for the access denied error?

A.The Lambda function is in a VPC without a VPC endpoint for DynamoDB, so network connectivity fails.
B.The IAM policy does not include the dynamodb:Scan action, which is required for reading items.
C.The DynamoDB table has an identity-based policy that restricts access to specific IAM users.
D.The DynamoDB table has a resource-based policy that denies access to the Lambda execution role.
AnswerD

Correct: A resource-based policy on the table can override the execution role's permissions.

Why this answer

Option D is correct because even though the Lambda execution role has the necessary permissions, the DynamoDB table might have a resource-based policy that explicitly denies access to the execution role. Option B is incorrect because GetItem does not require the dynamodb:Scan action. Option A is incorrect because VPC endpoints do not affect IAM permissions; they affect network connectivity. Option C is incorrect because a DynamoDB table carries a resource-based policy, not an identity-based policy.

264
MCQmedium

Refer to the exhibit. An IAM policy is attached to a group. An IAM user in that group attempts to stop an EC2 instance from IP address 198.51.100.10. What will happen?

A.The action is allowed because the first statement allows StopInstances
B.The action is allowed because the resource is '*'
C.The action is denied because the source IP does not match the allowed range
D.The action is denied only if the user is not using MFA
AnswerC

The Deny statement blocks requests from IPs not in the allowed range.

Why this answer

The IAM policy includes a `Deny` statement with a `NotIpAddress` condition that restricts all actions (including `StopInstances`) to the IP range `10.0.0.0/8`. Since the user's source IP is `198.51.100.10`, which falls outside this range, the deny statement explicitly blocks the action. In IAM, an explicit deny always overrides any allow, so the request is denied regardless of the allow statement in the first policy block.

Exam trap

The trap here is that candidates assume the allow statement with `Effect: Allow` and `Action: ec2:StopInstances` will grant permission, forgetting that an explicit deny whose condition matches the request context (here, a source IP outside the allowed range) takes precedence over any allow.

How to eliminate wrong answers

Option A is wrong because the explicit deny statement with the `NotIpAddress` condition overrides the allow statement; IAM evaluates deny before allow, and an explicit deny cannot be bypassed by a separate allow. Option B is wrong because while the resource is `*`, the deny statement applies to all resources and actions, and the condition key `aws:SourceIp` is evaluated against the source IP, not the resource ARN. Option D is wrong because the policy does not include any condition requiring MFA (`aws:MultiFactorAuthPresent`); the denial is based solely on the source IP mismatch.

265
MCQeasy

An AWS administrator needs to allow an IAM user to manage their own password and access keys. Which IAM policy action should be included?

A.iam:CreateGroup
B.iam:CreateUser
C.iam:DeleteLoginProfile
D.iam:ChangePassword and iam:UpdateAccessKey
AnswerD

These actions allow a user to change their own password and update their access keys.

Why this answer

Option D is correct because iam:ChangePassword is the action for changing a user's own password, and iam:UpdateAccessKey is used to manage access keys. Option A is for group management. Option B is for creating users. Option C is for login profile deletion.

266
Multi-Selecthard

A company wants to enforce that all IAM users in an AWS Organization must have a password policy that includes a minimum length of 12 characters. Which THREE steps are part of implementing this using SCPs?

Select 3 answers
A.Include a condition in the SCP that checks if the requested minimum password length is less than 12.
B.Use an SCP condition to restrict password policy changes to a specific Region.
C.Write an SCP that sets the password policy to require minimum length 12.
D.Write an SCP that denies the iam:UpdateAccountPasswordPolicy action.
E.Attach the SCP to the root organizational unit (OU) of the organization.
AnswersA, D, E

The condition denies the action if the length is less than 12.

Why this answer

Options A, D, and E are correct. Option D is correct because SCPs can deny the iam:UpdateAccountPasswordPolicy action. Option E is correct because the SCP must be attached to the organization root (or OUs) to apply to all accounts. Option A is correct because the SCP should use a condition that checks the requested MinimumPasswordLength. Option C is wrong because SCPs cannot set the password policy directly. Option B is wrong because IAM is a global service and cannot be restricted to a Region.

267
MCQmedium

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to a fleet of EC2 instances in an Auto Scaling group. The EC2 instances need to read from an Amazon RDS MySQL database and write logs to an S3 bucket. The security team wants to ensure that the EC2 instances have only the minimum required permissions. Currently, the EC2 instances are launched with an IAM role that has an attached policy allowing full S3 access (s3:*) and full RDS access (rds:*). The security team has identified that this is overly permissive and wants to restrict access to only the specific resources needed. Additionally, the team wants to ensure that the EC2 instances can only access the RDS database using SSL/TLS. Which combination of actions should the security team take?

A.Remove the IAM role from the EC2 instances and instead use resource-based policies on the S3 bucket and RDS instance to grant access to the EC2 instances' VPC or subnet.
B.Create an IAM user with the required permissions, generate access keys, and store them in a secure S3 bucket. Have the EC2 instances retrieve the credentials at startup using an instance profile.
C.Update the IAM role to have two policies: one that allows s3:PutObject on the specific S3 bucket with a prefix, and another that allows rds:Connect on the specific RDS instance ARN with a condition requiring rds:ForceSsl. Also, ensure the RDS instance requires SSL.
D.Create a single IAM policy that allows s3:PutObject on the specific bucket and rds:Connect on the specific RDS instance without any conditions. Attach it to the IAM role.
AnswerC

This follows the principle of least privilege by scoping permissions to specific resources and enforcing SSL.

Why this answer

Option C is correct. It creates separate policies for S3 and RDS, restricts S3 to the specific bucket and prefix, restricts RDS to the specific resource, and enforces SSL. Option B is wrong because using an IAM user and storing its credentials for EC2 to retrieve is insecure. Option D is wrong because a single policy without conditions does not enforce SSL. Option A is wrong because resource-based policies on the S3 bucket and RDS instance would not be sufficient without the IAM role permissions; also, S3 bucket policies are not the primary method for granting EC2 access.

268
MCQmedium

A company uses AWS IAM Identity Center (SSO) for managing access to multiple AWS accounts. A user reports that they can log in to the SSO portal but cannot see any AWS accounts in their dashboard. What is the most likely cause?

A.The user has not been assigned to any AWS accounts in IAM Identity Center.
B.The user's identity source (e.g., Active Directory) is not synchronized correctly.
C.The user's session token has expired.
D.The permission set assigned to the user does not grant any permissions.
AnswerA

User must be assigned to accounts to see them in the portal.

Why this answer

Option A is correct because the user must be assigned to the account in IAM Identity Center with a permission set before they can see and access the account. Option B is wrong because the user can log in, so the identity source is working. Option D is wrong because the permission set defines the access level, but the user must be assigned to the account first. Option C is wrong because the user is already authenticated via SSO.

269
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys. Which policy type should be used to enforce this restriction across all accounts?

A.IAM identity-based policy
B.Resource-based policy
C.Permissions boundary
D.Service Control Policy (SCP)
AnswerD

SCPs can deny actions at the account level for all principals.

Why this answer

Option D is correct because a Service Control Policy (SCP) can be applied at the organization level to deny actions across all member accounts. Option A is an identity-based policy that applies only to the principals it is attached to in one account. Option C, a permissions boundary, is per-principal and not automatically enforced across accounts. Option B, a resource-based policy, applies to a specific resource, not to all IAM users in all accounts.

270
MCQmedium

Refer to the exhibit. A security engineer runs the 'simulate-custom-policy' command to test a policy. The output shows 'explicitDeny' for ec2:RunInstances. What is the most likely reason?

A.The policy does not include ec2:RunInstances in the Action list
B.The policy includes an explicit Deny statement for ec2:RunInstances
C.The policy allows ec2:Describe* but the action ec2:RunInstances is not a Describe action
D.The policy uses a Resource of '*' which does not include the required resources
AnswerA

The policy only allows ec2:Describe*, so any action not matching is denied.

Why this answer

Option A is correct because the policy only allows Describe actions, and RunInstances is not allowed, resulting in an explicit deny from the simulation. Option B is incorrect because the policy does not deny. Option C is incorrect because the policy allows Describe* but not RunInstances.

Option D is incorrect because there is no resource restriction.

271
MCQhard

A company has multiple AWS accounts and wants to allow a user in the production account to assume a role in the development account. The role in the development account has a trust policy that allows the production account to assume it. What additional configuration is required?

A.Attach a policy to the user in the production account allowing sts:AssumeRole for the development role ARN.
B.Modify the trust policy of the role in the development account to allow the user ARN instead of the account ARN.
C.Set up a VPC peering connection between the accounts.
D.Create a new IAM user in the development account with the same name.
AnswerA

The user needs explicit permission to assume the role.

Why this answer

Option A is correct: the user in the production account must have an IAM policy that allows sts:AssumeRole targeting the development account role ARN. Option B is wrong because the trust policy is already set to allow the production account. Option C is wrong because VPC peering is a network construct and grants no IAM permissions. Option D is wrong because access is granted by assuming the role, not by a duplicate IAM user in the development account.

272
MCQmedium

A company has a requirement to grant cross-account access to an S3 bucket named 'shared-data' in Account A (111111111111) to users in Account B (222222222222). The security team has set up a bucket policy in Account A that grants read-only access to the IAM role 'DataReader' in Account B. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::222222222222:role/DataReader"},"Action":["s3:GetObject"],"Resource":"arn:aws:s3:::shared-data/*"}]}. A user in Account B assumes the 'DataReader' role, but when trying to read an object from the bucket, they receive an 'Access Denied' error. What is the MOST likely reason for this error?

A.The bucket policy principal must be the IAM user ARN, not the role ARN.
B.The bucket policy is missing the 's3:ListBucket' action, which is required to read objects.
C.The IAM role 'DataReader' does not have an IAM policy that allows s3:GetObject on the bucket.
D.The bucket objects are encrypted with a KMS key, and the role does not have permission to decrypt.
AnswerC

The role needs both a trust policy and an IAM policy granting the action; the IAM policy is missing.

Why this answer

Option C is correct. For cross-account access, the IAM role in Account B must also have an identity-based policy that allows s3:GetObject on the target bucket; the bucket policy alone is not enough, because both sides must allow the action. Option A is wrong because the bucket policy uses the correct principal format; a role ARN covers every session that assumes the role, not just specific users. Option B is wrong because s3:ListBucket is not required to read an object with s3:GetObject. Option D is wrong because KMS is only involved if the objects are encrypted with a KMS key, which the question does not state.

273
MCQmedium

A company uses AWS Organizations and wants to restrict all IAM users in all accounts from using the AWS Management Console. What is the most effective way to achieve this?

A.Create an SCP with a condition that denies access if the user is signing in using the AWS Management Console.
B.Set an IAM password policy that requires strong passwords.
C.Create a service control policy (SCP) that denies the 'iam:CreateLoginProfile' action and attach it to all accounts.
D.Create an SCP that denies the 'aws:RequestedRegion' condition for us-east-1.
AnswerA

An SCP can use the 'aws:UserAgent' condition to deny console access.

Why this answer

Option A is correct because an SCP can deny console access for all users across all accounts. Option B is wrong because a password policy does not prevent console access if the user has a password. Option C is wrong because denying iam:CreateLoginProfile only blocks the creation of new console passwords; users who already have one can still sign in. Option D is wrong because aws:RequestedRegion restricts Regions, not the console.

274
MCQmedium

Refer to the exhibit. An EC2 instance with an IAM role attached attempts to access an S3 bucket, but receives an 'AccessDenied' error. The role has an attached policy allowing s3:GetObject on the bucket. What is the most likely cause?

A.The S3 bucket policy denies access to the role.
B.The IAM policy is not attached to the role.
C.The trust policy does not allow the EC2 service to assume the role.
D.The EC2 instance does not have an instance profile associated with the role.
AnswerD

Without an instance profile, the instance cannot assume the role.

Why this answer

Option D is correct. The trust policy allows EC2 to assume the role, but if the instance was not launched with an instance profile containing the role, it never receives the role's credentials; the error suggests the role is not being used. Option C is incorrect because the trust policy is fine. Option B is ruled out because the question states the policy is attached to the role. Option A is not indicated by the scenario.

275
MCQeasy

A company wants to allow its users to assume an IAM role in a different AWS account. What must the company configure to enable cross-account access?

A.In the source account, create an S3 bucket policy that allows access from the target account.
B.In the target account, create an IAM role with a trust policy that allows the source account, and attach a permissions policy to that role. In the source account, allow users to call sts:AssumeRole.
C.In the target account, create an IAM user and share the access keys securely with the source account users.
D.In the target account, attach a trust policy to an IAM group that allows the source account.
AnswerB

This is the standard cross-account access pattern.

Why this answer

Option B is correct because cross-account access requires a trust policy on the target account's role that allows the source account to assume it, a permissions policy that grants the necessary actions, and permission for the source account users to call sts:AssumeRole. Option A is wrong because resource-based policies such as bucket policies are not used for role assumption. Option C is wrong because sharing long-term access keys replaces role assumption with static credentials. Option D is wrong because the trust policy goes on the role, not on an IAM group.

276
MCQhard

A developer is creating an AWS Lambda function that needs to read items from a DynamoDB table. The function is deployed in a VPC with no internet access. What is the MOST secure way to grant the Lambda function access to DynamoDB?

A.Attach a public IP to the Lambda function and use an IAM role with DynamoDB permissions.
B.Create an API Gateway REST API with a VPC link and DynamoDB integration.
C.Use a resource-based policy on the DynamoDB table allowing access from the Lambda function's ARN.
D.Create a VPC endpoint for DynamoDB and attach an IAM execution role to the Lambda function with the necessary permissions.
AnswerD

VPC endpoint allows private access to DynamoDB without internet, and IAM role grants fine-grained permissions.

Why this answer

Option D is correct because a VPC endpoint for DynamoDB keeps traffic within the AWS network and avoids the public internet, while the execution role grants permissions via IAM. Option A requires internet access, which is not available. Option C is less secure because a resource-based policy on the table is not needed if the Lambda role already has the permissions. Option B adds an API Gateway layer that is not needed to reach DynamoDB.

277
MCQhard

A company has an S3 bucket with a bucket policy that grants access to an IAM role. The security team wants to restrict access to only requests that originate from the company's VPC. How can this be achieved?

A.Create a new IAM role that can only be assumed by instances in the VPC.
B.Add a condition in the IAM role policy using aws:SourceVpce.
C.Add a condition in the bucket policy using aws:SourceIp with the VPC CIDR range.
D.Add a condition in the bucket policy using aws:SourceVpce with the VPC endpoint ID.
AnswerD

This ensures requests come through the specified VPC endpoint.

Why this answer

Option D is correct: use a VPC endpoint and the aws:SourceVpce condition in the bucket policy. Option C is wrong because aws:SourceIp is not effective for traffic that reaches S3 from within the VPC. Option B is wrong because the condition belongs in the bucket policy, not the role policy. Option A is wrong because a separate role restricts who can assume it, not the network path the request takes.

278
MCQeasy

A company wants to grant a Lambda function access to write logs to CloudWatch Logs in the same AWS account. What is the BEST practice for granting this permission?

A.Store AWS access keys in the Lambda environment variables
B.Add a resource-based policy to the Lambda function to allow CloudWatch Logs to write logs
C.Use the AWS account root user credentials directly in the Lambda function
D.Create an IAM role with a policy allowing logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents, and attach it to the Lambda function
AnswerD

This is the correct approach: using an IAM role that the Lambda assumes.

Why this answer

Option D is correct because attaching an IAM role with the required permissions to the Lambda function is the standard and secure method. Option A is wrong because embedding credentials in environment variables is insecure. Option B is wrong because resource-based policies on a Lambda function grant other principals access to the function; they do not give the function permission to write to CloudWatch Logs. Option C is wrong because using the root user is insecure and unnecessary.

279
MCQmedium

A security administrator discovers that an IAM user has been deleted accidentally. What is the correct way to restore the user's access?

A.Contact AWS Support to undo the deletion
B.Use the AWS IAM console to undelete the user
C.Restore the user from a backup of IAM
D.Create a new IAM user with the same name and attach the same policies
AnswerD

This is the only way to restore access; password and keys must be reset.

Why this answer

Option D is correct because IAM does not support undeletion or restoration of deleted users. When an IAM user is deleted, all associated credentials, permissions, and metadata are permanently removed. The only way to restore access is to create a new IAM user with the same name and manually reattach the same policies, groups, and tags, and then regenerate access keys and passwords as needed.

Exam trap

The trap here is that candidates may assume AWS provides an 'undelete' or 'restore from backup' feature for IAM users, similar to features in other AWS services like S3 versioning or RDS snapshots, but IAM has no such recovery mechanism.

How to eliminate wrong answers

Option A is wrong because AWS Support cannot undo an IAM user deletion; IAM user deletions are irreversible and not stored in any recoverable state. Option B is wrong because the AWS IAM console does not provide an 'undelete' feature; once a user is deleted, it is permanently removed from the IAM service. Option C is wrong because IAM does not have a native backup or restore mechanism; while you can use AWS CloudTrail logs or infrastructure-as-code templates to recreate configurations, there is no backup of the user object itself.
