SY0-701 · topic practice
IAM practice questions
Practise Security+ SY0-701 IAM practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.
Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.
What the exam tests
What to know about IAM
IAM questions test whether you can apply the concept in context, not just recognise a definition.
- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.
Watch out for
Common IAM exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Practice set
IAM questions
9 questions · select your answer, then reveal the explanation
A company stores customer documents in cloud object storage. The provider already offers encryption at rest and physical security. Which action most directly reduces the risk of unauthorized access to the stored files?
- A
Assume the provider's default settings are sufficient because encryption at rest is already enabled.
Why wrong: Default settings often do not enforce least privilege or restrict who can read the objects.
- B
Move the documents to a public bucket so users can access them without friction.
Why wrong: Public access increases exposure and contradicts the goal of reducing unauthorized access risk.
- C
Configure least-privilege IAM roles, bucket policies, and object permissions for approved users only.
Access control is the customer's main responsibility here, and least-privilege permissions directly limit who can retrieve the files.
- D
Disable encryption at rest so administrators can troubleshoot access problems more easily.
Why wrong: Removing encryption weakens protection and does nothing to reduce unauthorized access risk.
A development team needs a centralized service to store, rotate, and control access to encryption keys for applications. Which solution best fits?
- A
Key management service, because it centralizes key storage and rotation controls.
A key management service is designed to store, manage, rotate, and control access to cryptographic keys. It helps reduce the risk of hardcoded or poorly protected keys and gives administrators a central place to enforce lifecycle management. This is the best fit when multiple applications need secure, organized key handling.
- B
Port forwarding rule, because it allows applications to reach the encryption system.
Why wrong: Port forwarding changes network paths, but it does not provide secure key storage or key rotation capabilities.
- C
Load balancer, because it distributes encryption requests across servers.
Why wrong: Load balancers improve availability and performance, but they do not manage cryptographic keys or define who may access them.
- D
Web application firewall, because it protects the keys from injection attacks.
Why wrong: A WAF can help protect web apps from some attacks, but it is not a key management platform and does not store or rotate keys.
A company uses a SaaS CRM platform. The provider patches the application and underlying infrastructure. Which two responsibilities remain with the company? Select two.
- A
Set up MFA, conditional access, and user-role assignments for tenant accounts.
Identity governance, MFA, and tenant permissions remain customer responsibilities in SaaS environments.
- B
Patch the SaaS application's source code on the provider's servers.
Why wrong: The provider owns the application code and is responsible for patching the service itself.
- C
Decide what customer data is entered into the service and how it is shared.
Data handling, classification, and sharing decisions belong to the customer, even in SaaS.
- D
Replace the provider's hypervisors with company-owned hardware.
Why wrong: The provider manages the underlying platform, including the hardware and virtualization layer.
- E
Maintain the provider's network firewalls and datacenter cooling systems.
Why wrong: Physical and platform infrastructure are provider responsibilities, not tenant responsibilities.
A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?
- A
Use server-side encryption with a cloud-managed key (SSE-S3) and restrict access with bucket policies.
Why wrong: Server-side encryption with a cloud-managed key means the cloud provider holds the encryption key and automatically decrypts data for any user who satisfies the bucket policy. If the bucket becomes public, users with read access can retrieve the decrypted data, negating protection. This does not provide defense in depth against accidental public exposure.
- B
Use client-side encryption with a customer-managed key stored in a hardware security module (HSM) and restrict access with IAM roles.
Client-side encryption encrypts the data before it is uploaded, so the cloud provider never sees plaintext. The customer retains sole control of the encryption key in an HSM. Even if the bucket is made publicly accessible, an attacker can only retrieve encrypted ciphertext, which is indecipherable without the key. This provides the strongest defense in depth against accidental public exposure.
- C
Use default encryption with a cloud-managed key (SSE-S3) and enable bucket logging.
Why wrong: Default SSE-S3 encryption is equivalent to server-side encryption with a cloud-managed key. Enabling logging only provides detective capability; it does not prevent data exposure if the bucket is public. The data would be decrypted by the cloud provider for any authorized read request, exposing plaintext to anyone with read access.
- D
Use server-side encryption with a customer-provided key (SSE-C) and require MFA for delete operations on the bucket.
Why wrong: SSE-C requires the client to supply the encryption key for each read request, so an attacker without the key cannot decrypt the data. However, this design relies on server-side encryption, meaning the cloud provider briefly processes the plaintext during upload. More importantly, the MFA requirement only protects against unauthorized deletion, not against unauthorized read access. Client-side encryption is a more robust defense in depth, as it ensures the cloud provider never has access to plaintext at any point.
Based on the exhibit, which logging capability should be enabled first to create an audit trail for cloud administration changes?
Exhibit:
2026-04-25 09:14:03 iam:AttachRolePolicy user=alice
2026-04-25 09:15:10 ec2:AuthorizeSecurityGroupIngress user=alice
2026-04-25 09:16:22 s3:PutBucketPolicy user=alice
Requirement: Security wants to track management-plane API calls and configuration changes across cloud resources.
- A
Enable cloud control-plane audit logging such as CloudTrail or the provider equivalent.
This is the best choice because the exhibit shows API-level changes to identity, networking, and storage policies. Control-plane audit logging records who made those changes, what action was taken, and when it occurred. That creates the most useful evidence for investigations, change tracking, and compliance in a cloud environment.
- B
Install a rootkit detector on each workload and ignore management-plane activity.
Why wrong: Host-based rootkit detection can help on individual instances, but it does not provide a complete record of cloud configuration changes. The exhibit is specifically about administrative API actions, not malware on a single server.
- C
Capture only DNS traffic, because it reveals all admin changes indirectly.
Why wrong: DNS logs may provide context, but they do not record policy edits, role changes, or security group modifications. They are far too indirect for the stated requirement.
- D
Rely on manual change tickets in a spreadsheet because cloud platforms do not record useful logs.
Why wrong: Manual tickets are useful for process control, but they are not a reliable security log. Cloud platforms do record detailed administrative activity, and that data should be enabled and retained.
A SaaS vendor hosts a customer relationship platform for multiple organizations. Your company wants to know which two responsibilities typically remain with the customer rather than the SaaS provider. Select two.
- A
Assigning user roles and approving access within the tenant.
Customer organizations usually remain responsible for deciding who gets access and what role each user receives inside the SaaS tenant. The provider supplies the platform, but the customer controls business authorization decisions. This is a core shared responsibility item because access mistakes often come from tenant configuration rather than provider infrastructure.
- B
Protecting the organization's data classification and sharing rules.
Data classification and sharing decisions belong to the customer because the business defines what information is sensitive and who may see it. The SaaS provider may offer tools, but the customer must configure and enforce proper handling. This responsibility remains with the organization even when the data is stored in a vendor-managed platform.
- C
Patching the provider's underlying database engine.
Why wrong: The SaaS provider is normally responsible for patching and maintaining the platform infrastructure, including underlying databases and host services. Customers do not directly manage those layers in a true SaaS model. Trying to treat that work as a customer duty misunderstands the service boundary.
- D
Maintaining the vendor's physical data center power and cooling.
Why wrong: Physical data center operations are handled by the SaaS provider or its infrastructure partners. Customers do not manage power, cooling, or hardware replacement in the provider facility. Those responsibilities sit far below the customer control plane in the shared responsibility model.
- E
Replacing the provider's hypervisors during maintenance windows.
Why wrong: Hypervisor maintenance is part of the provider's platform responsibility, not the customer’s. In SaaS, customers should focus on identity, data handling, and tenant configuration. Hardware and virtualization layers remain under the vendor's control and are not customer-administered tasks.
A team manages virtual machines in a public cloud and wants an audit trail of who created instances, changed security groups, and modified IAM settings. What should be enabled first?
- A
Host-based antivirus on each virtual machine.
Why wrong: Antivirus helps detect malware on guests, but it does not record cloud management actions or configuration changes.
- B
Cloud control plane or audit logging.
This is the best answer because audit logs record management actions such as instance creation, security group changes, and IAM updates. Those events are central to cloud investigations and change tracking. Enabling cloud-native logging first gives the team visibility into who did what and when, which is essential for security monitoring and accountability.
- C
A guest operating system screen saver policy.
Why wrong: Screen saver settings are endpoint usability controls and do not provide the needed visibility into cloud administration events.
- D
A static public IP address for every virtual machine.
Why wrong: Public addressing does not create an audit trail and can actually increase exposure if used carelessly.
An HR department hires contractors for fixed 60-day engagements. Accounts should stop working automatically when the engagement ends, and any rehire should require fresh approval rather than restoring old access. What IAM control is the best fit?
- A
Use one shared contractor account and rotate the password when people leave.
Why wrong: Shared accounts weaken accountability and make it impossible to tie activity to a specific contractor or manage the lifecycle accurately.
- B
Configure an account expiration date and automatic deprovisioning tied to the approved role.
Correct. Time-bound accounts with automatic deprovisioning are designed for contractors and other temporary users. They enforce least privilege over time, remove access when the engagement ends, and force a new approval process for any future engagement. This reduces the risk of forgotten accounts and prevents accidental restoration of access without review.
- C
Disable the account after the contract ends but keep all group memberships unchanged.
Why wrong: Leaving old memberships in place creates reactivation risk and can reintroduce excessive permissions if the account is enabled again later.
- D
Create a local workstation account so the contractor does not need centralized identity services.
Why wrong: Local accounts are harder to govern centrally and make expiration, auditing, and revocation more difficult across systems.
Focused IAM sessions
Start an IAM-only practice session
Every question in these sessions is drawn from the IAM domain — nothing else.
Related practice questions
Related SY0-701 topic practice pages
Move into related areas when this topic feels solid.
General Security Concepts practice questions
Practise SY0-701 questions linked to General Security Concepts.
Threats, Vulnerabilities, and Mitigations practice questions
Practise SY0-701 questions linked to Threats, Vulnerabilities, and Mitigations.
Security Architecture practice questions
Practise SY0-701 questions linked to Security Architecture.
Security Operations practice questions
Practise SY0-701 questions linked to Security Operations.
Security Program Management and Oversight practice questions
Practise SY0-701 questions linked to Security Program Management and Oversight.
Security+ social engineering questions
Practise SY0-701 questions linked to Security+ social engineering questions.
Security+ cryptography practice questions
Practise SY0-701 questions linked to Security+ cryptography.
Security+ IAM questions
Practise SY0-701 questions linked to Security+ IAM questions.
Security+ risk management questions
Practise SY0-701 questions linked to Security+ risk management questions.
Security+ incident response questions
Practise SY0-701 questions linked to Security+ incident response questions.
Security+ malware questions
Practise SY0-701 questions linked to Security+ malware questions.
Security+ vulnerability management questions
Practise SY0-701 questions linked to Security+ vulnerability management questions.
Frequently asked questions
- What does the SY0-701 exam test about IAM?
- IAM questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just IAM questions in a focused session?
- Yes — the session launcher on this page draws every question from the IAM domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other SY0-701 topics?
- Use the topic links above to move to related areas, or go back to the SY0-701 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the SY0-701 exam covers. They are not copied from any real exam or dump site.