AWS Certified Security - Specialty · Domain 4 · 20% of exam

Identity and Access Management

Drill 20 practice questions focused entirely on Identity and Access Management for the AWS SCS-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A security engineer at a large enterprise must enforce least privilege across 200 AWS accounts in an AWS Organization. Leadership wants an ongoing, automated way to identify IAM roles and users that have permissions they are not actually using (unused access), and to generate refined policies based on observed CloudTrail activity, so that overly broad policies can be tightened. Which approach best meets these requirements with the least custom development?

Reviewed for accuracy · Report an issue
Question 2 of 20

A company runs a KMS-encrypted S3 bucket in account A (111111111111). A data-processing application running on an EC2 instance in account B (222222222222) uses an IAM role to read objects. The security team confirms the S3 bucket policy in account A grants s3:GetObject to the account B role's ARN, and the KMS key policy in account A grants kms:Decrypt to the same role ARN. However, the application receives AccessDenied errors when downloading objects. The IAM role in account B currently has no attached identity-based policy for S3 or KMS. What must be changed to allow the download to succeed?

Reviewed for accuracy · Report an issue
Question 3 of 20

A company uses AWS IAM Identity Center integrated with an external SAML 2.0 identity provider (IdP) for workforce single sign-on across multiple AWS accounts. The security team wants each user's home region and cost-center to be passed from the IdP at sign-in so that permission sets can enforce access using policy conditions that reference these values, without creating a separate permission set per cost-center. What is the correct way to achieve this?

Reviewed for accuracy · Report an issue
Question 4 of 20

A company uses AWS IAM Identity Center (successor to AWS SSO) to manage workforce access across 40 accounts in an organization. The security team wants developers in the 'AppDev' group to receive identical read/write permissions to a specific set of DynamoDB tables in every account, but the exact table ARNs differ per account because they include the account ID. Administrators must be able to update the permission logic in one place and have it propagate to all assigned accounts automatically. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

A company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML 2.0 identity provider for workforce federation. Users are provisioned via SCIM. The security team requires that finance analysts, who assume a permission set into a production account, can only hold active credentials for a maximum of 1 hour, while also ensuring that any employee removed from the finance group in the corporate directory loses access automatically. Which combination of actions BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 20

A security engineer manages an S3 bucket that stores audit logs shared across an organization. The bucket resource-based policy must deny all access to the bucket EXCEPT for a specific cross-account IAM role (arn:aws:iam::222222222222:role/AuditReader) and the local account root. The engineer wants the deny to apply to every other principal, including future ones, without having to enumerate them. Which policy construct correctly implements this?

Reviewed for accuracy · Report an issue
Question 7 of 20

A developer's IAM user has an identity-based policy that allows s3:GetObject and s3:PutObject on all buckets. A permission boundary attached to the same user allows only s3:GetObject on the bucket arn:aws:s3:::reports-data and dynamodb:* on all tables. There are no applicable SCPs or resource-based policies. When the developer attempts s3:PutObject to arn:aws:s3:::reports-data, what is the result and why?

Reviewed for accuracy · Report an issue
Question 8 of 20

A security engineer is designing guardrails for a development team. Developers assume an IAM role that has an identity-based policy granting full access to Amazon S3 and Amazon DynamoDB. The role also has a permissions boundary attached that allows only S3 actions. The account is in an OU whose Service Control Policy (SCP) allows only DynamoDB actions (and denies nothing explicitly). A developer using this role attempts an s3:PutObject call and a dynamodb:PutItem call. What is the result?

Reviewed for accuracy · Report an issue
Question 9 of 20

A company uses AWS Organizations with all features enabled. A developer's IAM user in a member account is attached to an identity-based policy that explicitly allows s3:GetObject on a specific bucket. The bucket's resource-based policy also allows the developer's principal to read objects. However, a Service Control Policy (SCP) attached to the developer's account contains an explicit Deny for all s3:* actions unless the request originates from a specific corporate IP range. The developer, working from home outside that range, receives an AccessDenied error. Which explanation correctly describes the policy evaluation outcome?

Reviewed for accuracy · Report an issue
Question 10 of 20

A company has thousands of IAM users who each need to manage only their own credentials (access keys, MFA devices, and passwords) without being able to touch any other user's credentials. The security team wants a single reusable managed policy attached to all users rather than per-user policies. Which policy construct allows one policy to scope actions to only the calling user's own IAM resources?

Reviewed for accuracy · Report an issue
Question 11 of 20

A company has an S3 bucket in Account A (the resource owner). A role in Account B needs to read objects from this bucket. The security team configures the following: the bucket policy in Account A grants s3:GetObject to the Account B role's ARN; the role in Account B has an identity-based policy allowing s3:GetObject on the bucket; and Account B is in an AWS Organization with an SCP that denies all s3:* actions except s3:ListBucket. When the role in Account B attempts to download an object, the request is denied. What is the cause?

Reviewed for accuracy · Report an issue
Question 12 of 20

A security engineer configures an automation pipeline where an EC2 instance profile role (RoleA) assumes a cross-account role (RoleB) in a partner account to run a long batch job. RoleB has a maximum session duration set to 4 hours. However, when the pipeline calls sts:AssumeRole from RoleA to obtain RoleB credentials, the returned credentials always expire after 1 hour regardless of the DurationSeconds value requested. What is the cause of this behavior?

Reviewed for accuracy · Report an issue
Question 13 of 20

A company runs a data-processing application on EC2 instances that must read objects from an S3 bucket. A security engineer creates an IAM role with an S3 read policy and attaches it to an instance profile, but the EC2 instances cannot assume the role and receive an error. The role's trust policy currently lists the AWS account root as the trusted principal. What change to the trust policy will allow the EC2 instances to assume the role?

Reviewed for accuracy · Report an issue
Question 14 of 20

A company uses a custom identity broker that authenticates employees against an on-premises Active Directory and then calls AWS STS AssumeRole to grant temporary credentials. All employees assume the same IAM role, DataAnalystRole, which has permissions to read all objects in a large S3 data lake. Compliance now requires that each analyst session be dynamically scoped so a user can only access the S3 prefix for their assigned business unit, WITHOUT creating a separate IAM role per business unit and WITHOUT modifying the DataAnalystRole's attached identity policy. What should the identity broker do when calling STS?

Reviewed for accuracy · Report an issue
Question 15 of 20

A company runs hundreds of projects, each with its own set of EC2 instances, S3 buckets, and DynamoDB tables. Every resource is tagged with a 'project' key. The security team wants developers to be able to manage only the resources belonging to their assigned project, without writing a separate IAM policy per project. Each developer's IAM principal is tagged with the project they belong to. Which approach best implements least privilege at scale?

Reviewed for accuracy · Report an issue
Question 16 of 20

A company uses AWS IAM Identity Center (successor to AWS SSO) federated with an external SAML identity provider. The security team wants users to access only the AWS resources tagged with the same cost center as the user, without creating a separate permission set per cost center. Each user's cost center is stored as an attribute in the corporate IdP. Which approach BEST meets this requirement while minimizing the number of permission sets to maintain?

Reviewed for accuracy · Report an issue
Question 17 of 20

A security team wants to let application developers create and manage IAM roles for their own workloads without being able to grant those roles more permissions than the developers themselves are allowed. Developers currently have an identity policy that allows iam:CreateRole, iam:AttachRolePolicy, and iam:PutRolePolicy. The security team is concerned developers could create a role with AdministratorAccess and then assume it to escalate privileges. Which approach enforces this restriction with least operational overhead?

Reviewed for accuracy · Report an issue
Question 18 of 20

A SaaS monitoring vendor needs read access to objects in your company's S3 buckets. The vendor asks you to create an IAM role that their AWS account can assume via sts:AssumeRole. Your security team is concerned that another customer of the same vendor could trick the vendor's software into accessing your buckets (a confused deputy attack). Which configuration in your role's trust policy most directly mitigates this risk?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company's data-analytics account (111111111111) needs read-only access to a specific prefix (reports/) in an S3 bucket owned by the reporting account (222222222222). Security requires that access be granted with least privilege and that credentials never leave AWS. The bucket has no public access and object ownership is set to bucket-owner-enforced (ACLs disabled). Which combination of policies correctly grants this access?

Reviewed for accuracy · Report an issue
Question 20 of 20

A security engineer manages an AWS Organization with 200 accounts. Developers in member accounts have broad IAM permissions, including iam:CreateRole and iam:AttachRolePolicy. The security team wants to prevent any developer from creating or modifying roles that could grant themselves administrative access, while still allowing developers to create service roles for their applications. The team has defined that all developer-created roles MUST have a permissions boundary policy named 'DeveloperBoundary' attached. Which Service Control Policy (SCP) approach best enforces this requirement across all member accounts?

Reviewed for accuracy · Report an issue

More SCS-C03 practice

Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.

← Back to SCS-C03 overview