Identity and Access Management
Drill 20 practice questions focused entirely on Identity and Access Management for the AWS SCS-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A company runs hundreds of project teams in a single AWS account. Each EC2 instance and each IAM role is tagged with a 'project' key identifying its owning team. The security team wants engineers to be able to start and stop only the EC2 instances belonging to their own project, without writing a separate IAM policy for every team as new projects are onboarded. Which approach best achieves this using least privilege at scale?
A security engineer is troubleshooting access for an application running on an EC2 instance in Account A. The instance uses an IAM role that has NO identity-based policy statements granting S3 access. The application must read objects from an S3 bucket that also resides in Account A. The bucket has a bucket policy that explicitly allows the s3:GetObject action for the instance role's ARN as the principal. When the application calls GetObject, what is the result and why?
A company uses AWS IAM Identity Center integrated with an external SAML 2.0 identity provider (IdP) for workforce single sign-on. Users are provisioned into Identity Center via SCIM from the IdP. Security requires that when an employee is terminated in the IdP, their ability to obtain new AWS access is revoked promptly, but they are concerned that already-active AWS CLI sessions could remain valid for hours. The current permission sets use the default 1-hour session duration. Which combination of actions BEST meets the requirement to limit lingering access after deprovisioning?
A company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML 2.0 identity provider. Workforce users are assigned to multiple AWS accounts through permission sets. The security team wants to grant each user access only to EC2 instances tagged with their department, without creating a separate permission set per department, and without editing policies whenever a new department is added. Which approach best achieves this at scale?
A company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML 2.0 identity provider. A security engineer creates a permission set named 'DataAnalyst' and assigns a group to it across 12 member accounts in the organization. Two weeks later, the engineer edits the inline policy inside the DataAnalyst permission set to add read access to a new S3 bucket. However, users report that the new S3 permissions are not taking effect in any of the accounts. What is the MOST likely cause and correct action?
A company with 40 AWS accounts under AWS Organizations currently uses direct SAML 2.0 federation, configuring an individual SAML identity provider and set of IAM roles in each member account. Administrators complain that onboarding a new account requires manually replicating dozens of IAM roles and trust configurations, and that access reviews are difficult because entitlements are scattered across accounts. The security team wants a solution that centralizes workforce access assignment, integrates with their existing external SAML IdP, and minimizes per-account IAM role maintenance. Which approach best meets these requirements?
A developer is assigned an IAM identity policy that grants full access to Amazon S3 and Amazon DynamoDB (s3:* and dynamodb:*). The same IAM user also has a permission boundary attached that allows only s3:GetObject and s3:PutObject. There are no applicable SCPs or resource-based policies. When the developer attempts to call dynamodb:PutItem and s3:DeleteObject, what is the outcome?
A security engineer attaches a permission boundary to an IAM role that allows only Amazon S3 and Amazon DynamoDB actions. The role's identity-based policy grants full access to S3, DynamoDB, and Amazon SQS. The AWS account belongs to an organization whose SCP allows S3 and SQS actions but does not include DynamoDB. There is no explicit deny anywhere. When the role attempts each service, which actions are effectively allowed?
A developer in a member account of an AWS Organization has an identity-based IAM policy that explicitly allows s3:GetObject on a specific bucket. The bucket's resource-based policy also allows the developer's role to read objects. However, a Service Control Policy (SCP) attached to the account's parent OU contains an explicit Deny for all S3 actions unless the request originates from a specific corporate IP range, using a Condition with aws:SourceIp. The developer attempts to download an object from a home network IP that is outside the corporate range. What is the result of this access attempt?
A security engineer is reviewing a customer-managed IAM policy attached to a developer group. The policy contains a single statement with "Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], and "Resource": "*". Developers report they can perform far more actions than intended, including deleting production S3 buckets and modifying KMS keys. What is the most accurate explanation of this behavior?
A company stores per-user files in a single S3 bucket named 'corp-user-data', with each user's objects stored under a prefix matching their IAM user name (for example, 'home/alice/'). All employees authenticate as IAM users and assume no roles. The security team wants a single, maintainable identity-based policy attached to all users that grants each user full object access ONLY to their own prefix, without creating a separate policy per user. Which policy construct achieves this least-privilege requirement most efficiently?
A company has an Amazon S3 bucket in Account A (111111111111) that must be read by an application running on EC2 instances in Account B (222222222222). The EC2 instances use an instance profile role named AppRole. The security team requires that no additional IAM role be assumed and that access be granted with the least possible cross-account trust configuration. Which approach correctly grants the EC2 application read access to the bucket?
A company stores build artifacts in an S3 bucket that must be readable by every account in its AWS Organization. However, one specific account (111122223333) is a sandbox that must be completely denied access to the bucket, even if an administrator in that account attaches an IAM policy granting S3 permissions. The security team wants to enforce this restriction directly on the bucket so it holds regardless of identity-based policies in member accounts. Which bucket policy construction meets these requirements?
A data engineering team uses an automation pipeline that assumes RoleA in Account 1 via STS. From within that session, the pipeline then assumes RoleB in Account 2 to access data. RoleB has a MaxSessionDuration of 12 hours, and the pipeline requests a 6-hour session when calling AssumeRole for RoleB. The team observes that the credentials for RoleB consistently expire after only 1 hour, causing long-running jobs to fail. What is the cause of this behavior?
A company grants a partner account access to a shared S3 bucket via a bucket policy. The security team wants every principal in the partner account to be allowed to read objects EXCEPT for one specific IAM role named 'ContractorRole', which must never be able to read the objects regardless of that role's identity-based permissions. Which S3 bucket policy construct enforces this most reliably?
A security engineer creates an IAM role that an AWS Lambda function will assume to read objects from an S3 bucket. The role's permissions policy grants the required s3:GetObject action. However, when the Lambda function runs, it fails to assume the role and cannot access the bucket. The engineer confirms the Lambda execution configuration references this exact role ARN. Which change to the role is MOST likely required to resolve the failure?
A security engineer configures cross-account access so that an application role in a production account (Account B) can be assumed by an automation role in a tooling account (Account A). The engineer attached an identity-based policy to the automation role in Account A granting sts:AssumeRole on the target role's ARN. In Account B, the target role's trust policy lists only the AWS service principal 'ec2.amazonaws.com' as a trusted principal, and the target role has a permissions policy allowing the required S3 actions. When the automation role attempts to assume the target role, the AssumeRole call fails with AccessDenied. What is the correct fix?
A security engineer at a company using AWS Organizations must enforce that all member accounts can only operate in the eu-west-1 and eu-central-1 regions to meet data residency requirements. However, the finance team needs global services such as IAM, CloudFront, and Route 53 to continue functioning, and one designated account (the networking account) must additionally be allowed to use us-east-1 for a legacy Direct Connect gateway configuration. What is the MOST effective way to implement this using Service Control Policies (SCPs)?
A security team wants to let application developers create IAM roles for their Lambda functions without opening a ticket, but must prevent developers from granting those roles more permissions than the developers themselves are allowed to use. The team creates a managed policy that defines the maximum allowable permissions and requires developers to attach it as a permission boundary to any role they create. However, developers are still able to create roles that omit the boundary entirely, gaining broader access. What is the MOST effective way to enforce that every role created by developers has the required permission boundary attached?
A company uses AWS Organizations with an OU named 'Workloads'. An SCP attached to that OU allows only the ec2:* and s3:* actions. A developer in a member account has an IAM identity-based policy that grants dynamodb:PutItem and s3:GetObject. The developer also has a permissions boundary attached that allows only s3:* actions. When the developer attempts to call dynamodb:PutItem, the request is denied. What is the primary reason for the denial?
More SCS-C02 practice
Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.
← Back to SCS-C02 overview