1.IAM Multiple

The document contains a series of multiple-choice questions and answers regarding AWS Identity and Access Management (IAM). It covers topics such as IAM users, roles, policies, federation, and best practices for managing permissions and access control. Each question includes an explanation of the correct answer to enhance understanding of IAM concepts.

Uploaded by prajwalpr9011
Copyright © All Rights Reserved

IAM Multiple-Choice Questions

1. In AWS IAM, what is a user?

A. A group of roles
B. An application or service
C. An entity representing a person or service needing credentials
D. A temporary access key

Answer: C
Explanation:
An IAM user is an identity created for an individual person or service that
interacts with AWS. Each user has long-term credentials such as a username
and password or access keys.

2. Which IAM entity is used to grant temporary access to AWS services?

A. IAM Users
B. IAM Groups
C. IAM Policies
D. IAM Roles

Answer: D
Explanation:
IAM roles are used to delegate access to users or services and provide
temporary credentials. They are not associated with a specific user or group.

3. What is the purpose of IAM policies in AWS?

A. To manage passwords
B. To allow or deny permissions to AWS resources
C. To track billing
D. To create EC2 instances

Answer: B
Explanation:
IAM policies are JSON documents that define permissions to allow or deny
access to AWS services and resources. They are attached to users, groups, or
roles.

4. Which of the following is NOT a type of IAM policy?

A. Managed Policy
B. Inline Policy
C. Resource Policy
D. Group Policy

Answer: D
Explanation:
There is no specific "Group Policy" in IAM. Policies are either managed
(AWS-managed or customer-managed) or inline. Resource-based policies are
attached to AWS resources like S3 buckets.

5. What is IAM federation used for?

A. To combine IAM users into groups
B. To allow external identities to access AWS
C. To create custom IAM roles
D. To enable billing alerts

Answer: B
Explanation:
Federation allows users from external identity providers (like Active Directory,
Google, or SAML-based providers) to access AWS resources without creating
IAM users.

6. How does IAM Group help in AWS IAM management?

A. It automatically generates policies
B. It schedules user access
C. It lets you assign the same permissions to multiple users
D. It manages temporary credentials

Answer: C
Explanation:
IAM Groups allow administrators to assign permissions to multiple users at once.
Any permissions assigned to a group apply to all users in that group.

7. What is the default permission for a newly created IAM user?

A. Read-only to all AWS services
B. Admin access
C. No permissions
D. Full access to S3

Answer: C
Explanation:
By default, new IAM users have no permissions. You must explicitly attach
policies to grant access.

8. Which of the following is a best practice for using IAM roles instead of IAM users?

A. For long-term database access
B. For third-party SaaS integration
C. For applications running on EC2 that access AWS resources
D. For assigning passwords to developers

Answer: C
Explanation:
IAM roles are recommended for EC2 applications to grant temporary and secure
access to AWS resources without embedding credentials.

9. What does STS stand for in the context of IAM Federation?

A. Secure Token Service
B. Static Transfer System
C. Service Time Signature
D. Secure Transfer Socket

Answer: A
Explanation:
AWS Security Token Service (STS) provides temporary credentials for IAM
roles and federated users.

10. Which statement about inline and managed policies is true?

A. Inline policies are easier to manage than managed policies
B. Managed policies are embedded directly into a single user or group
C. Inline policies are attached to a single entity only
D. Managed policies cannot be reused

Answer: C
Explanation:
Inline policies are directly attached to a single user, group, or role, making
them entity-specific. Managed policies can be reused across multiple entities.

11. You want to allow an external identity provider to assume an IAM role in your AWS account.
What must you configure?

A. IAM Group
B. SAML 2.0 Federation
C. EC2 instance profile
D. IAM Access Analyzer

Answer: B
Explanation:
To allow access from an external identity provider (like Azure AD or Okta), you
configure SAML 2.0-based Federation with IAM roles that federated users
can assume.

12. What happens if you attach both an allow and a deny policy to an IAM role for the same action?

A. The allow takes precedence
B. The action is allowed only once
C. The deny overrides the allow
D. Both are ignored and action is audited

Answer: C
Explanation:
In IAM, explicit deny always overrides allow. If there's a deny statement, it
takes precedence regardless of allow permissions.

13. Which IAM feature allows EC2 instances to automatically obtain temporary credentials to
access AWS services?

A. IAM User Keys
B. IAM Group
C. Instance Profile
D. Lambda Role

Answer: C
Explanation:
Instance Profiles are containers for IAM roles that EC2 instances can assume
to access AWS services with temporary credentials.

14. Which service is used for fine-grained access control on specific AWS resources like individual
S3 buckets or DynamoDB tables?

A. IAM Inline Policy
B. Resource-based Policy
C. EC2 Role
D. CloudTrail

Answer: B
Explanation:
Resource-based policies are attached directly to resources like S3, Lambda,
etc., and allow for fine-grained permissions.

15. You need to allow an IAM user to create EC2 instances but prevent deletion. What should you
use?

A. IAM Group
B. Permissions Boundary
C. Managed Policy
D. Custom Policy with Action Allow and Deny

Answer: D
Explanation:
You would write a custom JSON policy that allows ec2:RunInstances but
explicitly denies ec2:TerminateInstances. Fine-grained control is possible using
allow/deny actions.

16. Which of the following can be used to limit the maximum permissions a user or role can have?

A. IAM Group
B. Inline Policy
C. Permissions Boundary
D. SAML Trust Policy

Answer: C
Explanation:
A Permissions Boundary is an advanced feature that defines the maximum
permissions a role or user can get, even if their attached policies allow more.

17. Which IAM policy type can be used across multiple accounts using AWS Organizations?

A. Inline Policy
B. Permissions Boundary
C. SCP (Service Control Policy)
D. Resource Policy

Answer: C
Explanation:
Service Control Policies (SCPs) are used with AWS Organizations to
define permission guardrails across multiple AWS accounts.

18. Which method is most secure for accessing AWS programmatically from an on-premises
environment?

A. IAM User access key stored in a config file
B. IAM Role assumed via AWS STS
C. Hardcoded credentials in source code
D. IAM Group with EC2 role

Answer: B
Explanation:
Assuming an IAM role using STS (Security Token Service) is secure
because it provides temporary credentials, reducing long-term exposure.

19. Which type of IAM policy is best for reusability and centralized management?

A. Inline Policy
B. Managed Policy
C. Resource Policy
D. Instance Profile

Answer: B
Explanation:
Managed policies (AWS-managed or customer-managed) are best for
reusability, as they can be attached to multiple users, groups, or roles.

20. What is the main benefit of using IAM roles over IAM users for applications?

A. IAM users have better access tracking
B. IAM roles support long-term credentials
C. IAM roles provide temporary credentials, improving security
D. IAM roles are easier to set up than users

Answer: C
Explanation:
IAM roles provide temporary credentials via STS, which is more secure for
applications than long-term user access keys.

1. Your company wants to allow temporary access to a third-party vendor to access an S3 bucket for
7 days. What’s the most secure and scalable way to do this?

A. Create an IAM user and share access keys
B. Use SAML-based federation
C. Create a role with an S3 access policy and have the vendor assume it using
STS
D. Use a bucket policy allowing anonymous access

✅ Answer: C
Explanation: Creating an IAM role and using STS AssumeRole for the vendor
is secure and allows temporary credentials with limited scope.

2. A developer hardcoded their AWS access keys in application code. What is the recommended
best practice to fix this issue?

A. Rotate the keys every 90 days
B. Store the keys in a secure S3 bucket
C. Use IAM roles with EC2 or Lambda and remove hardcoded keys
D. Encrypt the keys with KMS

✅ Answer: C
Explanation: The best practice is to use IAM roles with AWS services like
EC2/Lambda to avoid storing long-term credentials.

3. You want to enforce that no user in your AWS Organization can delete S3 buckets. What should
you use?

A. IAM Policy
B. Permissions Boundary
C. SCP
D. Resource Policy

✅ Answer: C
Explanation: Service Control Policies (SCPs) are used in AWS
Organizations to restrict actions across accounts, even if IAM allows it.

4. An IAM user was given full EC2 permissions, but is unable to terminate instances. What could
be the issue?

A. The IAM user policy is missing ec2:TerminateInstances
B. An SCP is denying termination across the org
C. The user is in a group with deny policy
D. All of the above

✅ Answer: D
Explanation: Any explicit deny in IAM, group policies, or SCPs will override
any allow. You must evaluate all policy layers.

5. You are designing cross-account access. How do you allow users in Account A to assume a role
in Account B?

A. Attach the role in Account B to users in Account A
B. Create a trust policy in Account B’s role for Account A
C. Use IAM groups across accounts
D. Share credentials of Account B

✅ Answer: B
Explanation: Use a trust policy in Account B’s role that allows users or roles
from Account A to assume it using STS.

6. A developer is able to list S3 buckets but not upload to any. The IAM policy allows "s3:*".
What could be the issue?

A. Permissions boundary limits write operations
B. User is in a deny group
C. S3 bucket policy explicitly denies uploads
D. All of the above

✅ Answer: D
Explanation: All 3 are possible. Bucket policies or boundaries can override
allow statements in IAM.

7. What is the correct method to give an EC2 instance access to read messages from an SQS queue?

A. Use access keys in user data
B. Attach inline policy to EC2
C. Use IAM role and instance profile with appropriate permissions
D. Set SQS to public

✅ Answer: C
Explanation: You should attach an IAM role with proper permissions to the
EC2 instance via instance profile.

8. How can you ensure that a Lambda function can access only DynamoDB and nothing else?

A. Use default Lambda execution role
B. Use a permissions boundary
C. Attach an inline policy allowing only DynamoDB actions
D. Use a customer-managed policy scoped to DynamoDB and assign it to the
Lambda role

✅ Answer: D
Explanation: The best practice is to use a customer-managed policy with
least privilege and assign it to the Lambda’s role.

9. A user is getting AccessDenied when trying to assume a role in another AWS account.
What’s the likely cause?

A. Role does not exist
B. Trust policy in target account is missing the user’s account
C. User’s IAM policy doesn’t allow sts:AssumeRole
D. B and C

✅ Answer: D
Explanation: Cross-account AssumeRole requires both a trust relationship
in the target account and explicit sts:AssumeRole permission in the source
account.
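
The two halves that this answer describes can be checked mechanically. The Python script below is an added example, not part of this question set and not an AWS-provided tool: it reads the target role's trust policy and the caller's identity policy and reports which half is missing. The account IDs, the role name VendorReadOnly, the user alice and all policy documents are constructed sample values; SCPs, permissions boundaries and condition keys are deliberately out of scope.

```python
# Added example, not part of the question set: a pre-flight check for the two
# halves of cross-account AssumeRole. All account IDs, names and policy
# documents here are constructed sample values.
import fnmatch

SOURCE_ACCOUNT = "111111111111"  # constructed: "Account A", where the caller lives
TARGET_ACCOUNT = "222222222222"  # constructed: "Account B", which owns the role
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/VendorReadOnly"
CALLER_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:user/alice"


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM wildcard matching ("sts:*", "arn:aws:iam::*:role/*"), case-sensitive here.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def trust_policy_admits(trust_policy, caller_arn):
    """Half 1 (Account B side): does an Allow statement in the role's trust
    policy name the caller, or the caller's whole account, as Principal for
    sts:AssumeRole?"""
    caller_account = caller_arn.split(":")[4]
    admitted = {caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"}
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _any_match(_as_list(stmt.get("Action", [])), "sts:AssumeRole"):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if admitted & set(principals):
            return True
    return False


def identity_policy_allows_assume(identity_policy, role_arn):
    """Half 2 (Account A side): does the caller's own identity policy allow
    sts:AssumeRole on the target role, with no explicit deny for it?"""
    allowed = False
    for stmt in _as_list(identity_policy["Statement"]):
        if not _any_match(_as_list(stmt.get("Action", [])), "sts:AssumeRole"):
            continue
        if not _any_match(_as_list(stmt.get("Resource", [])), role_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny overrides any allow
        allowed = True
    return allowed


def diagnose(trust_policy, identity_policy, caller_arn, role_arn):
    """Return the list of missing halves; an empty list means AssumeRole
    should succeed (SCPs, boundaries and conditions are not modelled)."""
    problems = []
    if not trust_policy_admits(trust_policy, caller_arn):
        problems.append("trust policy in the target account does not admit the caller")
    if not identity_policy_allows_assume(identity_policy, role_arn):
        problems.append("caller's identity policy lacks sts:AssumeRole on the role")
    return problems


# Constructed sample documents.
TRUST_POLICY = {  # attached to VendorReadOnly in Account B
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}
WRONG_TRUST_POLICY = {  # names an unrelated account by mistake
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
        "Action": "sts:AssumeRole",
    }],
}
GOOD_IDENTITY_POLICY = {  # attached to alice in Account A
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}
NO_ASSUME_IDENTITY_POLICY = {  # grants S3 listing but never sts:AssumeRole
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, trust, ident in [
        ("both halves present", TRUST_POLICY, GOOD_IDENTITY_POLICY),
        ("trust policy wrong", WRONG_TRUST_POLICY, GOOD_IDENTITY_POLICY),
        ("identity policy missing", TRUST_POLICY, NO_ASSUME_IDENTITY_POLICY),
    ]:
        print(f"{name}: {diagnose(trust, ident, CALLER_ARN, ROLE_ARN) or ['ok']}")
```

Running it prints ok for the complete setup and names the missing half for the two broken ones. That split, Principal in the trust policy on one side and sts:AssumeRole on the role ARN on the other, is the first thing to check when a cross-account AssumeRole returns AccessDenied.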

10. A policy contains both an allow and a deny statement for the same action. What will happen?

A. Allow takes precedence
B. Deny overrides allow
C. Depends on evaluation order
D. IAM will error out

✅ Answer: B
Explanation: Explicit deny always overrides any allow in IAM policy
evaluation logic.

11. You want to delegate access to your AWS account to an external Active Directory–based
identity provider. What should you configure?

A. IAM User Federation
B. SAML 2.0 Federation with AssumeRole
C. Lambda Authorizer
D. STS GetSessionToken

✅ Answer: B
Explanation: Use SAML 2.0 Federation with IAM roles and trust relationships
to allow users from external IdPs (like AD via ADFS) to assume roles in AWS.

12. You created a customer-managed IAM policy to allow s3:GetObject, but access is denied.
The S3 bucket also has a policy. What's the most likely reason?

A. IAM policy overrides bucket policy
B. Bucket policy has an explicit deny
C. IAM role does not exist
D. GetObject is not a supported action

✅ Answer: B
Explanation: If the S3 bucket policy has an explicit deny, it overrides the
IAM allow — both must permit access.

13. An engineer needs to test code that calls AWS APIs. You want to limit their access to AWS
resources only during office hours. What should you use?

A. Permissions Boundary
B. AWS Config
C. IAM Policy with Condition block using aws:CurrentTime
D. Role trust policy

✅ Answer: C
Explanation: Use the aws:CurrentTime condition key in an IAM policy to
restrict access based on time of day.

14. You notice multiple failed authentication attempts in CloudTrail for an IAM user. What is the
most immediate best practice response?

A. Terminate the IAM role
B. Rotate the access keys
C. Delete the IAM user
D. Disable CloudTrail

✅ Answer: B
Explanation: If you suspect access keys are compromised, the first step is to
rotate them (disable and create new ones), and then investigate further.
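
To make the "multiple failed authentication attempts" signal concrete, here is an added Python example (not from the question set, and not an AWS-provided tool) that scans CloudTrail records for authentication failures per IAM user and reports the users, source addresses and access key IDs involved, so that the key rotation this answer recommends can be targeted. The records are constructed in CloudTrail's JSON shape using documentation-range addresses and AWS's documented example key ID; the threshold of three failures, the ten-minute window and the set of error codes treated as authentication failures are assumptions.

```python
# Added example, not part of the question set: flag IAM users with repeated
# authentication failures in CloudTrail. Records, names and addresses below are
# constructed; threshold, window and error-code list are assumptions.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in CloudTrail's JSON shape, one per line.
SAMPLE_EVENTS = """\
{"eventTime":"2024-05-06T09:00:05Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-06T09:00:40Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-06T09:01:12Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"alice","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"198.51.100.7","errorCode":"InvalidClientTokenId"}
{"eventTime":"2024-05-06T09:03:50Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-06T09:05:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"192.0.2.22","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-06T09:06:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"192.0.2.30","responseElements":{"ConsoleLogin":"Success"}}
"""

# Assumption: these errorCode values mark API calls whose credentials failed to
# authenticate (unlike AccessDenied, which is an authorization failure).
AUTH_FAILURE_CODES = {"InvalidClientTokenId", "SignatureDoesNotMatch"}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_auth_failure(event):
    # Console sign-in failures carry the verdict in responseElements; API calls
    # with bad credentials carry an errorCode instead.
    if event.get("eventName") == "ConsoleLogin":
        return event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    return event.get("errorCode") in AUTH_FAILURE_CODES


def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def find_suspicious_users(events, threshold=3, window=timedelta(minutes=10)):
    """Flag IAM users with at least `threshold` authentication failures inside
    any span of length `window`. Returns {userName: summary}."""
    failures = defaultdict(list)
    for ev in events:
        if is_auth_failure(ev) and ev.get("userIdentity", {}).get("type") == "IAMUser":
            failures[ev["userIdentity"]["userName"]].append(ev)
    flagged = {}
    for user, evs in failures.items():
        evs.sort(key=_ts)
        times = [_ts(e) for e in evs]
        # Sliding window: does any run of `threshold` consecutive failures fit in `window`?
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged[user] = {
                "count": len(evs),
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
                "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
                "access_keys": sorted({e["userIdentity"]["accessKeyId"] for e in evs
                                       if e["userIdentity"].get("accessKeyId")}),
            }
    return flagged


if __name__ == "__main__":
    for user, info in find_suspicious_users(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user}: {info['count']} failures from {info['source_ips']}")
        if info["access_keys"]:
            print(f"  keys seen in failures, rotate and investigate: {info['access_keys']}")
```

On the sample, alice is flagged (four failures in about four minutes from two addresses, one of them an API call with a specific access key ID) while bob's single failure and carol's successful sign-in are not. The access key IDs collected in the summary are exactly the ones to disable and replace first; the same loop can be pointed at real CloudTrail output by feeding it the JSON records instead of the constructed string.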

15. Your company requires that no IAM user should ever have permissions beyond read-only access
to AWS resources. What’s the best solution?

A. Attach read-only policies to all users
B. Use IAM roles
C. Enforce a permission boundary for users
D. Use AWS Managed Policies

✅ Answer: C
Explanation: Use Permissions Boundaries to set a maximum limit on the
permissions any IAM user can get, even if other policies allow more.

16. An application deployed on EC2 needs to access an S3 bucket in another AWS account. What is
the best way to configure access?

A. Share S3 credentials
B. Copy bucket to local region
C. Use a cross-account IAM role and allow EC2 to assume it
D. Make bucket public

✅ Answer: C
Explanation: Cross-account roles are the secure and recommended way to
allow access between accounts without exposing credentials.

17. You have multiple IAM roles that need the same permissions. What's the best practice for
managing this?

A. Use inline policies
B. Create a customer-managed policy and attach it to each role
C. Create a separate policy for each role
D. Use Lambda to sync policies

✅ Answer: B
Explanation: Use a customer-managed policy for reusability and consistent
permission management across roles or users.

18. What IAM feature is required to restrict a developer from accessing secrets in Secrets Manager
while still allowing S3 access?

A. Inline Policy
B. SCP
C. Resource-based Policy
D. Condition with NotAction

✅ Answer: A
Explanation: Use an inline policy (or managed policy) that explicitly allows
S3 actions and omits Secrets Manager. You can also add an explicit deny for
Secrets Manager if needed.

19. A federated user receives an "Access Denied" error when trying to access an S3 bucket. Their
role has correct permissions. What's the likely issue?

A. Trust policy is incorrect
B. The bucket policy denies federated roles
C. The IAM role lacks S3 full access
D. The user must be part of an IAM group

✅ Answer: B
Explanation: Even if the IAM role has the correct permissions, a bucket
policy can still deny access, especially if there's an explicit deny for
federated roles or unknown principals.

20. You want to enforce encryption at rest for all S3 bucket uploads using IAM. What should your
policy include?

A. s3:PutObject only
B. A Condition requiring s3:x-amz-server-side-encryption
C. Resource-based deny
D. CloudTrail metric filter

✅ Answer: B
Explanation: You can use a condition in the IAM or bucket policy to enforce
that uploads include the s3:x-amz-server-side-encryption header.

21. You created an IAM policy that allows ec2:TerminateInstances. However, a
developer still can’t terminate EC2 instances. What could be the cause?

A. IAM role does not exist
B. An explicit deny in a permissions boundary
C. EC2 service is down
D. The user has MFA enabled

✅ Answer: B
Explanation: Permissions boundaries limit what a user or role can do, even
if an IAM policy allows the action. An explicit deny in a permissions boundary
will override any allow.

22. You want to allow access to an S3 bucket only from specific IP addresses. What IAM policy
feature should you use?

A. aws:UserAgent
B. aws:SourceIp condition
C. Resource-based bucket encryption
D. VPC endpoint policy

✅ Answer: B
Explanation: Use the aws:SourceIp condition key to restrict access to
specific IP addresses in IAM or resource policies.

23. A developer needs CLI access to AWS but only during office hours and from the corporate VPN
IP range. What is the best way to enforce this?

A. IAM inline policy with time and IP condition
B. SCP in the root account
C. Use access keys that expire
D. EC2 instance roles

✅ Answer: A
Explanation: Use IAM policies with both aws:SourceIp and aws:CurrentTime
condition keys to restrict access to specific hours and IP ranges.

24. Which of the following can be attached directly to an S3 bucket to control access?

A. IAM user policy
B. Permissions boundary
C. Resource-based bucket policy
D. IAM group

✅ Answer: C
Explanation: Resource-based policies (like bucket policies) can be directly
attached to resources such as S3 buckets to define who can access them.

25. Which IAM feature helps define the maximum allowable permissions a user or role can have,
regardless of attached policies?

A. Trust policy
B. Resource-based policy
C. Permissions boundary
D. Inline policy

✅ Answer: C
Explanation: Permissions boundaries act as a ceiling — no permission
outside the boundary is effective even if other policies grant it.

26. Which IAM feature is most appropriate for providing temporary cross-account access to a
consultant?

A. IAM group
B. IAM user with rotating access keys
C. IAM role with trust relationship and STS
D. Inline policy with condition

✅ Answer: C
Explanation: The most secure way is to set up an IAM role with a trust policy
allowing the consultant’s AWS account to assume it via STS.

27. You want to enforce that all users in your AWS Org can only access resources within a specific
region. What should you use?

A. Inline policy
B. SCP with aws:RequestedRegion condition
C. Resource-based policy
D. Tag policy

✅ Answer: B
Explanation: Use an SCP with a condition on aws:RequestedRegion to
enforce a regional boundary across all accounts in the organization.

28. You attached a managed policy to a role, but it’s not granting permissions as expected. What’s
the most likely reason?

A. It’s a customer-managed policy
B. The role is missing a trust policy
C. SCP or permission boundary is blocking it
D. IAM policies don’t apply to roles

✅ Answer: C
Explanation: A permissions boundary or SCP can restrict effective
permissions even if the policy allows them.
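
An added Python example, not part of the question set, showing how the layers these questions keep returning to combine: identity policies, a permissions boundary and SCPs are each evaluated on their own, an explicit deny in any layer wins, and otherwise every layer that applies must contain an allow. All policies are constructed; condition keys are not modelled, and the SCPs passed in are treated as one merged layer rather than one layer per OU in the organization's hierarchy.

```python
# Added example, not part of the question set: effective-permission decision
# across identity policies, a permissions boundary and SCPs. Policies below are
# constructed; conditions are not modelled and SCPs are merged into one layer.
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def layer_verdict(policies, action, resource):
    """Verdict of one layer: 'deny' if any statement explicitly denies the
    request, 'allow' if any statement allows it, otherwise 'none'."""
    verdict = "none"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            verdict = "allow"
    return verdict


def effective_decision(action, resource, identity_policies, boundary=None, scps=()):
    """Return (decision, reason). An explicit deny in any layer wins; otherwise
    every applicable layer (SCPs, boundary, identity policies) must allow."""
    layers = [("SCP", list(scps)),
              ("permissions boundary", [boundary] if boundary else []),
              ("identity policy", list(identity_policies))]
    verdicts = {name: layer_verdict(pols, action, resource) for name, pols in layers if pols}
    for name, verdict in verdicts.items():
        if verdict == "deny":
            return "deny", f"explicit deny in {name}"
    for name, verdict in verdicts.items():
        if verdict == "none":
            return "deny", f"no allow in {name}"   # implicit deny from this layer
    return "allow", "allowed by every applicable layer"


# Constructed sample policies.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EC2_FULL = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
READ_ONLY_BOUNDARY = {"Statement": [  # ceiling: only Describe/Get/List calls
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"], "Resource": "*"}]}
NO_TERMINATE_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_BUCKET_DELETE_SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    cases = [
        # policy allows TerminateInstances, boundary explicitly denies it
        ("ec2:TerminateInstances", "*", [EC2_FULL], NO_TERMINATE_BOUNDARY, [FULL_ACCESS_SCP]),
        # admin identity policy, but the boundary ceiling never allows RunInstances
        ("ec2:RunInstances", "*", [ADMIN], READ_ONLY_BOUNDARY, [FULL_ACCESS_SCP]),
        # organization-wide SCP deny on bucket deletion beats an admin policy
        ("s3:DeleteBucket", "arn:aws:s3:::example-bucket", [ADMIN], None,
         [FULL_ACCESS_SCP, NO_BUCKET_DELETE_SCP]),
        ("ec2:DescribeInstances", "*", [ADMIN], READ_ONLY_BOUNDARY, [FULL_ACCESS_SCP]),
    ]
    for action, res, ident, boundary, scps in cases:
        print(action, "->", effective_decision(action, res, ident, boundary, scps))
```

The reason string is what makes this useful when troubleshooting: "no allow in permissions boundary" and "explicit deny in SCP" are the two answers that the boundary and SCP questions above are driving at, and a managed policy that "is not granting permissions as expected" is almost always one of those two.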

29. How can you ensure only users with MFA enabled can delete objects from an S3 bucket?

A. Add MFA policy to IAM user
B. Use bucket policy with aws:MultiFactorAuthPresent condition
C. Use CloudTrail to alert on delete events
D. Attach a customer-managed policy

✅ Answer: B
Explanation: Enforce MFA by using the aws:MultiFactorAuthPresent
condition key in the S3 bucket policy or IAM policy for sensitive actions.
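
The questions above on allow/deny evaluation and on the aws:SourceIp, aws:CurrentTime, aws:MultiFactorAuthPresent and s3:x-amz-server-side-encryption condition keys can be exercised with a small evaluator. The Python below is an added example, not part of the question set and not how AWS implements IAM: it applies the rule that an explicit deny overrides any allow and that a request with no matching allow is implicitly denied, and it models only the IpAddress, DateGreaterThan, DateLessThan, Bool and StringEquals operators. The policies, the bucket name example-bucket, the VPN range and the request contexts are constructed. Note that aws:CurrentTime carries an absolute timestamp, so the office-hours policy here is a window on one day rather than a recurring daily schedule.

```python
# Added example, not part of the question set: a toy evaluator for the IAM
# decision rule (explicit deny > allow > implicit deny) with a handful of
# condition operators. Policies and request contexts below are constructed.
import fnmatch
import ipaddress
from datetime import datetime


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A key absent from the request context
    makes a (non-negated) condition fail, as it does in IAM."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected[0]).lower()
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                         for cidr in expected)
            elif operator == "DateGreaterThan":
                ok = _ts(actual) > _ts(expected[0])
            elif operator == "DateLessThan":
                ok = _ts(actual) < _ts(expected[0])
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'allow' or 'deny' for one request across all applicable policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"                 # explicit deny wins immediately
            allowed = True
    return "allow" if allowed else "deny"     # no matching allow: implicit deny


# Constructed policies (Version omitted for brevity).
EC2_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}
OFFICE_HOURS_VPN = {"Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "198.51.100.0/24"},          # constructed VPN range
        "DateGreaterThan": {"aws:CurrentTime": "2024-05-06T08:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2024-05-06T18:00:00Z"},
    },
}]}
MFA_DELETE = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    # Written as allow-only-with-MFA so that a request whose context lacks the
    # key (long-term keys, no MFA) falls through to implicit deny.
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}
REQUIRE_SSE_KMS = {"Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
}]}

OBJ = "arn:aws:s3:::example-bucket/report.csv"
IN_HOURS = {"aws:SourceIp": "198.51.100.42", "aws:CurrentTime": "2024-05-06T10:30:00Z"}
AFTER_HOURS = {"aws:SourceIp": "198.51.100.42", "aws:CurrentTime": "2024-05-06T22:00:00Z"}

if __name__ == "__main__":
    print(evaluate([EC2_POLICY], "ec2:RunInstances", "*", {}))
    print(evaluate([EC2_POLICY], "ec2:TerminateInstances", "*", {}))
    print(evaluate([OFFICE_HOURS_VPN], "s3:ListAllMyBuckets", "*", AFTER_HOURS))
    print(evaluate([MFA_DELETE], "s3:DeleteObject", OBJ, {"aws:MultiFactorAuthPresent": "false"}))
    print(evaluate([REQUIRE_SSE_KMS], "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "AES256"}))
```

Two design points worth noticing: the EC2 policy returns deny for TerminateInstances even though the ec2:* allow matched first, and both the MFA and the SSE-KMS statements are phrased as conditional allows, so a request that omits the header or has no MFA flag in its context is denied by the absence of an allow rather than by the presence of a deny.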

30. You want to prevent root account usage in your AWS accounts. What is the best enforcement
method?

A. Delete the root account
B. Remove all root policies
C. Use an SCP denying all actions for the root user
D. Create a permissions boundary

✅ Answer: C
Explanation: The root account cannot be deleted, but you can use an SCP to
deny all actions for the root user ("Principal": {"AWS":
"arn:aws:iam::account-id:root"}).

31. An EC2 instance needs access to both DynamoDB and CloudWatch. What's the most secure
and manageable way to provide this access?

A. Use access keys embedded in environment variables
B. Assign multiple IAM roles to the instance
C. Attach a single IAM role with a policy allowing both services
D. Use a bucket policy

✅ Answer: C
Explanation: You can only assign one IAM role per EC2 instance, so the
correct approach is to attach a role with a policy that includes
permissions for both services.

32. A new developer was added to an IAM group with S3 access, but they still can't list any buckets.
What’s a likely cause?

A. Group policy only allows s3:GetObject
B. User lacks MFA
C. S3 bucket policy denies listing
D. All of the above

✅ Answer: D
Explanation: All of these can block access. IAM group policy may not include
s3:ListBucket, the bucket policy may explicitly deny access, and some
resources might require MFA conditions.

33. A federated user successfully logs in via SAML but gets AccessDenied when accessing
EC2. What is most likely wrong?

A. The SAML provider is not enabled
B. Trust policy does not allow the SAML identity
C. IAM policy on the role lacks EC2 permissions
D. Both B and C

✅ Answer: D
Explanation: For federated access to work, you need a correct trust policy
(allowing SAML principal) and a permissions policy granting the needed EC2
actions.

34. What IAM feature would you use to audit which permissions are being used by a role or user?

A. IAM Access Analyzer
B. AWS Config
C. IAM Policy Simulator
D. IAM Access Advisor

✅ Answer: D
Explanation: IAM Access Advisor helps you identify which permissions
were recently used, enabling least-privilege refinement.

35. Which IAM feature allows you to simulate whether a user or role has access to a specific
action?

A. Access Advisor
B. Permissions Boundary
C. IAM Policy Simulator
D. SAML Assertion Viewer

✅ Answer: C
Explanation: The IAM Policy Simulator lets you test and debug permission
issues by simulating requests and showing whether access would be allowed or
denied.

36. Which of the following IAM entities can never have policies attached to it?

A. IAM User
B. IAM Group
C. IAM Role
D. IAM Permissions Boundary

✅ Answer: D
Explanation: A permissions boundary is not an IAM entity, it’s a policy
attached to an IAM user or role. It doesn’t itself hold or attach policies.

37. You want to allow a Lambda function in Account A to access an RDS instance in Account B.
What should you do?

A. Use environment variables to pass credentials
B. Enable RDS public access
C. Use a cross-account IAM role and VPC peering
D. Create an IAM user in Account B and share credentials

✅ Answer: C
Explanation: The secure and recommended approach is to set up a
cross-account role for Lambda to assume and enable VPC peering so the
function can reach RDS over private networking.

38. An IAM user with full permissions can’t perform actions in a newly created AWS Region. What
is the likely issue?

A. The region is disabled
B. Permissions are not region-specific
C. MFA is required in that region
D. IAM roles don’t support new regions

✅ Answer: A
Explanation: AWS allows you to enable or disable regions. By default,
newly created regions are disabled and need to be enabled by the account
admin.

39. Which of the following permissions models allows sharing access to AWS resources with
external AWS accounts without IAM user creation?

A. Resource-based policies
B. IAM groups
C. SAML Federation
D. Session policies

✅ Answer: A
Explanation: Resource-based policies (e.g., on S3, Lambda, etc.) allow you
to grant access to external accounts directly, without needing IAM users or
roles in the target account.

40. A company mandates that no IAM users be created and only short-lived credentials should be
used. What setup meets this requirement?

A. IAM users with access keys
B. IAM users with policies using aws:TokenExpiration
C. IAM roles with STS and identity federation
D. IAM group with time-limited inline policies

✅ Answer: C
Explanation: To comply with short-lived credentials only, use IAM roles
with STS, and integrate with identity federation (like SAML or OIDC) — no
IAM users needed.

IAM Expert Practice Exam – Set 2 (Questions 1–10)

1. You’ve created a CI/CD pipeline using AWS CodePipeline that deploys Lambda functions. How
should you securely allow deployment stages to update Lambda functions?

A. Use access keys stored in SSM
B. Attach an IAM user to the Lambda service
C. Use a service role for CodePipeline with permissions to update Lambda
D. Use an inline policy on Lambda

✅ Answer: C
Explanation: CodePipeline needs an IAM service role with permissions to
perform actions like lambda:UpdateFunctionCode. Never use access keys for
service-to-service access.

2. Your application runs on ECS Fargate and needs to write to CloudWatch Logs. What's the best
way to give this permission?

A. Create an IAM user with access keys
B. Attach a role directly to ECS task definition
C. Use a Lambda execution role
D. Attach a bucket policy

✅ Answer: B
Explanation: For Fargate tasks, you define a task execution role, which
the container uses to call AWS APIs (like writing to CloudWatch Logs).

3. A role’s trust policy allows EC2 to assume it, but no instances can assume the role. What could
be the problem?

A. Missing permission boundary
B. EC2 instance profile not attached
C. Role has no inline policy
D. STS is disabled

✅ Answer: B
Explanation: Trust policy alone isn't enough. You must attach the role to
the EC2 instance via an instance profile.

4. Which IAM policy element allows you to grant access only if a specific tag is present on the
resource?

A. Action
B. Effect
C. Condition
D. Principal

✅ Answer: C
Explanation: Use the Condition block in IAM policies with keys like
aws:TagKeys or aws:RequestTag to enforce tag-based access controls.

5. A developer assumes a role via STS. How can you further restrict what they can do during that
session?

A. Attach a resource-based policy
B. Use a session policy with AssumeRole
C. Use a permissions boundary
D. Add a deny policy to the role

✅ Answer: B
Explanation: When calling AssumeRole, you can include a session policy to
further restrict what the temporary session can do — even if the role allows
more.

6. Which IAM policy condition ensures actions are only permitted from your corporate IP range?

A. aws:VpcSourceIp
B. aws:SourceVpc
C. aws:SourceIp
D. ip:AllowList

✅ Answer: C
Explanation: Use the aws:SourceIp condition key in policies to allow/deny
access based on the caller’s IP address or CIDR block.

7. You’ve set up an SCP that denies ec2:*. However, a user in the account can still stop EC2
instances. Why?

A. IAM user overrides SCP
B. SCP applies only to roles
C. SCP is attached to the OU, but not the account
D. SCP must explicitly deny ec2:StopInstances

✅ Answer: C
Explanation: SCPs must be attached to the correct accounts or OUs. If the
SCP is not attached to the account where the user resides, it has no effect.

8. What is the primary benefit of a service-linked role?

A. Provides permanent credentials
B. Requires no permissions
C. Simplifies permission management for AWS-managed services
D. Bypasses IAM boundaries

✅ Answer: C
Explanation: Service-linked roles are IAM roles created and managed by
AWS that allow services like ECS, Auto Scaling, or Lex to access
resources on your behalf.

9. How would you allow access to s3:PutObject but only when the uploaded object is
encrypted with SSE-KMS?

A. Use an inline policy
B. Add a Condition requiring "s3:x-amz-server-side-encryption": "aws:kms"
C. Use CloudTrail
D. Use MFA

✅ Answer: B
Explanation: Add a Condition block to enforce SSE-KMS encryption during
PutObject operations.

10. You granted federated users access to assume a role. They still receive "Access Denied" errors.
What might be missing?

A. MFA device
B. Session duration
C. Trust policy for the identity provider
D. SCP granting access

✅ Answer: C
Explanation: Federated users need a trust relationship configured
between the role and the IdP (e.g., SAML). Without it, the AssumeRole call
fails.

11. You need to allow a Lambda function to publish to an SNS topic in another account. What is the
best approach?

A. Use Lambda environment variables to pass SNS credentials
B. Use a resource-based policy on the SNS topic allowing the Lambda function’s
role
C. Assign an IAM user with publish rights
D. Use KMS to encrypt the messages

✅ Answer: B
Explanation: When crossing AWS accounts, the SNS topic must have a
resource-based policy allowing the Lambda role’s ARN to publish to it.

12. A new SCP was attached to an OU, but no changes occurred in IAM behavior. What is most
likely wrong?

A. SCP must be enabled using IAM console
B. The accounts under the OU are not tagged
C. The SCP does not have "Effect": "Deny"
D. The SCP does not have "Effect": "Allow" and no other allow is in place

✅ Answer: D
Explanation: SCPs are deny-by-default, so if you don't explicitly allow
actions and no other SCP allows them, nothing will be permitted — including no
change to current behavior.

13. A user is allowed s3:* in their IAM policy, but still can’t delete an object in a bucket. What
could be wrong?

A. Object is owned by a different AWS account
B. Bucket has versioning
C. MFA is not enabled
D. SCP is missing

✅ Answer: A
Explanation: Even with s3:*, if the object was uploaded by another
account and ownership isn’t transferred, the user may not have
permission to delete it.

14. How can you allow an IAM user to assume a role only for read-only access to CloudWatch
Logs, regardless of other policies?

A. Attach a read-only managed policy
B. Use session policies with AssumeRole
C. Create a role with inline policy
D. Use an SCP

✅ Answer: B
Explanation: Session policies specified during the AssumeRole API call can
further restrict what the assumed session can do — perfect for enforcing
read-only limits.

15. Which IAM feature allows you to grant access to AWS Management Console without creating
IAM users?

A. SAML federation
B. Inline policy
C. AWS CLI
D. IAM groups

✅ Answer: A
Explanation: SAML-based federation lets users from external identity
providers (e.g., Okta, Azure AD) access the console without IAM user
creation.

16. You want to enforce that only users from your corporate email domain can assume a role. What
should you use?

A. SCP
B. aws:PrincipalTag
C. aws:PrincipalOrgID
D. aws:PrincipalEmail in a policy condition

✅ Answer: D
Explanation: Use the aws:PrincipalEmail condition key (with SAML federation
or OIDC) to restrict access based on the email domain.

17. Which of the following allows you to restrict IAM access based on the VPC from which the
request is made?

A. aws:VpcSourceIp
B. aws:SourceVpc
C. aws:VpcID
D. IAM does not support VPC-based conditions

✅ Answer: B
Explanation: Use the aws:SourceVpc condition key in IAM policies to restrict
access to requests originating from a specific VPC (works with VPC endpoints).

18. A developer created a role with s3:* permissions but can’t use it in an EC2 instance. What's
likely missing?

A. IAM policy needs versioning
B. Role lacks trust policy for EC2
C. S3 is blocked by SCP
D. EC2 doesn’t support IAM

✅ Answer: B
Explanation: For an EC2 instance to assume a role, the role's trust policy must
allow the ec2.amazonaws.com service principal to call sts:AssumeRole, and the role
must be placed in an instance profile that is attached to the instance; the
instance then fetches temporary credentials from the instance metadata service.

19. You want to ensure that users cannot attach custom policies that allow access to restricted
services. What should you use?

A. SCP with deny on iam:AttachUserPolicy
B. IAM access advisor
C. Inline policy restriction
D. Lambda trigger

✅ Answer: A
Explanation: An SCP can deny iam:AttachUserPolicy (and the related
iam:AttachRolePolicy, iam:AttachGroupPolicy, iam:PutUserPolicy and
iam:CreatePolicyVersion) so that nobody in the member accounts can grant access
to restricted services, even with administrator rights in the account. In
practice this is combined with IAM permissions boundaries, which cap what any
policy a delegated administrator attaches can grant; Access Advisor (B) only
reports last-used data.

20. You want to give an external app access to an S3 bucket for 24 hours. What is the best way to
do this securely?

A. IAM user with temporary password
B. STS credentials with AssumeRole
C. Hardcoded credentials in app config
D. Lambda authorizer

✅ Answer: B
Explanation: Use STS AssumeRole to hand the app temporary credentials. A role
session lasts 1 hour by default and can be extended through the role's
MaxSessionDuration setting to at most 12 hours; sessions obtained by role
chaining are capped at 1 hour. There is no 24-hour AssumeRole session: the app
refreshes its credentials before they expire, which the SDK credential providers
do automatically.

IAM & Security Practice Exam — Encryption with KMS, SSE, and TLS
1. You want to ensure that all objects uploaded to an S3 bucket are encrypted using SSE-KMS.
How can you enforce this?

A. Use an IAM policy that enforces KMS encryption
B. Set a bucket policy to require aws:kms encryption
C. Use a lifecycle policy to apply SSE-KMS
D. Enable encryption in the S3 bucket settings

✅ Answer: B
Explanation: A bucket policy statement that denies s3:PutObject when the
s3:x-amz-server-side-encryption condition key is not aws:kms rejects uploads that
ask for any other encryption. Because StringNotEquals evaluates to true when the
key is absent from the request, uploads that send no encryption header are
rejected too, so clients must set the header explicitly even if the bucket has
SSE-KMS default encryption configured. Add a condition on
s3:x-amz-server-side-encryption-aws-kms-key-id to require one specific key.
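To see which uploads the Deny statement actually catches, the following added example (not part of the original question set) writes the policy as a Python dict and runs three constructed PutObject requests through a minimal evaluator. The evaluator applies the two IAM rules that matter here: an explicit Deny applies whenever its action, resource and conditions match, and a negated operator such as StringNotEquals matches when the condition key is missing. The bucket and object names are assumptions.

```python
"""Which PutObject requests an SSE-KMS bucket policy rejects.

Added example (not from the original question set). Only the Deny side of
the decision and the two String operators used in such policies are modelled.
"""
import fnmatch

BUCKET = "example-encrypted-bucket"  # assumed bucket name

REQUIRE_SSE_KMS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.

    IAM semantics for a key that is absent from the request: StringEquals is
    false, StringNotEquals is true. That asymmetry is what makes the policy
    above reject uploads with no encryption header at all.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denied(policy, action, resource, context):
    """True if an explicit Deny in `policy` applies to the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def put_object_denied(headers):
    """`headers` holds the request's encryption header(s) under their condition-key names."""
    key = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"  # assumed object key
    return denied(REQUIRE_SSE_KMS, "s3:PutObject", key, headers)


if __name__ == "__main__":
    # Constructed requests: one per encryption choice a client might make.
    cases = {
        "SSE-KMS header": {"s3:x-amz-server-side-encryption": "aws:kms"},
        "SSE-S3 header": {"s3:x-amz-server-side-encryption": "AES256"},
        "no header (relies on default encryption)": {},
    }
    for label, headers in cases.items():
        print(f"{label:42} -> {'DENIED' if put_object_denied(headers) else 'allowed'}")
```

Only the request that names aws:kms gets through; the AES256 upload and the header-less upload are both denied, which is why SDK clients writing to such a bucket must be configured to send the header rather than rely on the bucket's default encryption.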

2. A Lambda function needs to read data from an encrypted S3 bucket with SSE-KMS. Which IAM
permission should be included in the Lambda execution role?

A. s3:GetObject
B. kms:Decrypt
C. s3:ListBucket
D. s3:PutObject

✅ Answer: B
Explanation: To read from an SSE-KMS encrypted bucket, the Lambda execution role
needs kms:Decrypt on the key (granted in the key policy, or through IAM if the key
policy delegates to IAM) in addition to s3:GetObject. S3 calls KMS on the caller's
behalf, so a missing kms:Decrypt shows up as an access-denied error on the S3
GetObject call rather than as a separate KMS failure.

3. You are required to use SSE-S3 encryption for all objects in an S3 bucket. Which of the
following is true?

A. You must provide a KMS key ID for encryption
B. You cannot use S3 default encryption
C. You can set the encryption type during object upload, but it’s optional
D. Objects are encrypted using your own KMS key

✅ Answer: C
Explanation: SSE-S3 uses keys that Amazon S3 manages; you never supply a key ID.
Since January 2023 S3 encrypts every new object with SSE-S3 by default, so sending
x-amz-server-side-encryption: AES256 on upload is optional unless a bucket policy
requires it. Default bucket encryption (B) is exactly how SSE-S3 is configured,
not something it excludes.

4. What is the primary difference between SSE-KMS and SSE-S3 encryption in Amazon S3?
A. SSE-S3 uses a customer-managed key, and SSE-KMS uses a default AWS key
B. SSE-KMS allows for key rotation, while SSE-S3 does not
C. SSE-KMS can only be used with IAM roles, while SSE-S3 works with IAM users
D. There is no difference between the two; they are interchangeable

✅ Answer: B
Explanation: With SSE-KMS the data keys are protected by a KMS key you choose and
govern: its key policy controls who may use it, every use is logged in CloudTrail,
and you decide whether and when it rotates. With SSE-S3, Amazon S3 owns and
rotates the keys itself and you get no separate access control or audit trail for
the key. Both encrypt objects with AES-256 at rest.

5. Which AWS service allows you to create, store, and manage encryption keys for your
applications across AWS services?

A. CloudHSM
B. IAM
C. AWS KMS
D. AWS Certificate Manager

✅ Answer: C
Explanation: AWS KMS (Key Management Service) is designed to create,
store, and manage encryption keys for use in many AWS services, including
S3, EBS, and RDS.

6. Your team needs to transmit sensitive data over the internet, and you want to ensure the data is
encrypted in transit. Which protocol should you use?

A. SSH
B. TLS
C. IPsec
D. VPN

✅ Answer: B
Explanation: TLS (Transport Layer Security) is the cryptographic protocol behind
HTTPS and most other encrypted application connections. IPsec (C) and a VPN (D)
also encrypt traffic, but at the network layer between gateways; TLS protects the
application connection end to end, which is what the question asks for.

7. You’ve created a KMS key for encrypting data at rest in an S3 bucket. How do you ensure only
authorized users can use this key?

A. Use a resource-based policy attached to the S3 bucket
B. Set IAM policies on users and roles that define who can use the KMS key
C. Enable bucket versioning and specify key restrictions
D. Restrict access via VPC endpoint policies

✅ Answer: B
Explanation: Access to a KMS key is governed first by its key policy. The default
key policy delegates to IAM by granting the account's root principal full access,
which is what lets IAM policies on users and roles grant kms:Encrypt, kms:Decrypt,
kms:GenerateDataKey and so on. If the key policy does not contain that delegation,
IAM policies alone cannot grant access (compare question 20). A bucket policy (A)
cannot grant KMS permissions at all.

8. A client connects to your website using HTTPS. What encryption is used to secure the traffic?

A. SSE-S3
B. TLS
C. AWS KMS
D. IPsec

✅ Answer: B
Explanation: TLS (Transport Layer Security) is used to secure HTTP traffic
(HTTPS), ensuring the integrity and confidentiality of data during transit.

9. You want to configure S3 to automatically encrypt new objects using a custom KMS key. Which
of the following actions do you need to perform?

A. Create an S3 bucket policy that references the KMS key
B. Enable bucket encryption with KMS and specify the key ID
C. Attach an IAM policy to the S3 bucket
D. Configure KMS key rotation on the S3 bucket

✅ Answer: B
Explanation: Set the bucket's default encryption to SSE-KMS and supply your
customer-managed key's ID or ARN; every new object uploaded without an explicit
encryption header is then encrypted with that key. Enabling an S3 Bucket Key
alongside it lets S3 reuse a bucket-level data key and cuts KMS request volume and
cost. Key rotation (D) is a KMS setting, not an S3 one.

10. You are tasked with setting up encryption in transit for a web application. Which AWS service
should you use to manage certificates and encryption for SSL/TLS?

A. AWS KMS
B. AWS Certificate Manager (ACM)
C. CloudHSM
D. AWS Shield

✅ Answer: B
Explanation: AWS Certificate Manager (ACM) helps manage SSL/TLS
certificates, enabling secure communications over HTTPS.

11. You want to ensure that all data in your S3 bucket is encrypted with your KMS key, but you
also need to allow the S3 service to use the key for encryption and decryption. What must you do?

A. Attach a KMS key policy allowing the s3.amazonaws.com service principal to use the key
B. Use an IAM policy to allow s3:PutObject with encryption using your KMS key
C. Enable encryption using the aws:kms encryption type without specifying a
key
D. Use a bucket policy to require encryption using your custom key
✅ Answer: A
Explanation: The KMS key policy is what lets S3 encrypt and decrypt with the key.
When a user uploads or downloads an object, S3 calls KMS using that user's
credentials, so the key policy must allow the calling principals kms:Encrypt,
kms:Decrypt, kms:GenerateDataKey and kms:DescribeKey, commonly scoped with a
kms:ViaService condition to s3.<region>.amazonaws.com so the key can be used only
through S3. Features where S3 acts on its own behalf (for example writing S3
Inventory reports into an SSE-KMS bucket) additionally need the s3.amazonaws.com
service principal granted in the key policy.

12. You want to encrypt data in transit between your EC2 instances using an encrypted connection.
Which AWS service will you use?

A. VPC Peering
B. SSL/TLS
C. KMS
D. S3 encryption

✅ Answer: B
Explanation: SSL/TLS is a protocol rather than an AWS service, but it is what
encrypts application traffic between instances (an HTTPS call or a TLS-wrapped
database connection, for example). VPC peering (A) only routes traffic; KMS (C)
and S3 encryption (D) protect data at rest.

13. Which of the following is a correct configuration for ensuring that your RDS database is
encrypted at rest with a customer-managed KMS key?

A. Set the RDS instance's encryption option to SSE-KMS during creation
B. Use an IAM policy to enforce encryption on the RDS instance
C. Create an encrypted RDS snapshot and share the snapshot
D. Set the RDS instance to SSE-S3 encryption

✅ Answer: A
Explanation: You must set the RDS instance’s encryption option to SSE-KMS
during its creation to ensure that it is encrypted at rest with a
customer-managed KMS key.

14. You want to encrypt an object in Amazon S3 with a specific KMS key using server-side
encryption. What must you do?

A. Use an IAM policy to enforce encryption
B. Set the x-amz-server-side-encryption header to aws:kms and specify the key
in the request
C. Configure a VPC endpoint policy for S3 access
D. Use S3 Bucket Encryption settings to specify the key

✅ Answer: B
Explanation: Set x-amz-server-side-encryption: aws:kms on the PUT request and name
the key in x-amz-server-side-encryption-aws-kms-key-id (key ID, key ARN or alias
ARN). Without the second header S3 falls back to the bucket's default SSE-KMS key
or the AWS managed aws/s3 key. Bucket default encryption (D) applies one key to
all objects; choosing a key per object needs the request headers.

15. Your application needs to securely connect to an RDS instance over the internet. What is the
best practice for securing this communication?

A. Use SSH to encrypt the traffic
B. Use a VPN connection to encrypt the traffic
C. Use TLS to encrypt the communication between the application and RDS
D. Use CloudHSM to encrypt the traffic

✅ Answer: C
Explanation: Connect over TLS, validating the server certificate against the RDS
certificate bundle, and enforce it on the server side, for example with the
rds.force_ssl parameter (PostgreSQL, SQL Server) or require_secure_transport
(MySQL, MariaDB). Exposing RDS to the internet at all is discouraged; if it must
be reachable, TLS is the minimum. A VPN (B) also encrypts the path but is the
wrong tool for securing a single database connection.

16. What action must be performed to rotate your KMS keys automatically?

A. Create a new key policy every 30 days
B. Enable automatic key rotation for the KMS key
C. Manually change the key ID every 6 months
D. Enable key versioning for the KMS key

✅ Answer: B
Explanation: Enable automatic key rotation on the customer-managed KMS key; KMS
then generates new backing key material on the schedule you set (yearly by
default) while retaining the old material so existing ciphertexts still decrypt.
Rotation does not re-encrypt existing data, and the key ID and ARN never change,
so no application configuration is affected. Automatic rotation is not available
for asymmetric keys or keys with imported key material.

17. Which of the following best practices should you follow when storing sensitive data in Amazon
S3?

A. Always use SSE-KMS for encryption at rest
B. Use SSE-S3 encryption and enable versioning on the S3 bucket
C. Encrypt data in transit using HTTPS and store unencrypted data in S3
D. Use SSE-S3 and disable public access on the S3 bucket

✅ Answer: A
Explanation: For sensitive data, prefer SSE-KMS so that key access is controlled
by a key policy and audited in CloudTrail, combined with TLS in transit, Block
Public Access and versioning. Option C stores the data unencrypted at rest;
options B and D are useful controls but rely on keys you cannot govern.

18. How do you encrypt data in transit between an EC2 instance and an S3 bucket?

A. Use SSL/TLS to encrypt the connection between EC2 and S3
B. Use SSE-S3 to automatically encrypt all data
C. Use AWS VPN to connect EC2 and S3 securely
D. Use a VPC endpoint for secure S3 access from EC2

✅ Answer: A
Explanation: S3 API endpoints speak HTTPS, so the SDKs and CLI already use TLS; to
make it mandatory, add a bucket policy that denies all actions when
aws:SecureTransport is false. SSE-S3 (B) protects data at rest only, and a VPC
endpoint (D) keeps traffic off the public internet but is not itself encryption.

19. When using SSE-KMS, who is responsible for managing the encryption keys?

A. AWS
B. You (the customer)
C. Only IAM roles
D. The EC2 instance role

✅ Answer: B
Explanation: SSE-KMS with a customer-managed key puts you in charge of the key's
policy, grants, rotation and deletion, while AWS operates the HSM-backed service
that holds the key material. If you use the AWS managed key aws/s3 instead, AWS
manages the key and you cannot edit its policy.

20. How can you restrict which users or roles can access your KMS keys in a specific AWS
account?

A. Use IAM policies with conditions based on the key ARN
B. Set a KMS key policy restricting access to specific IAM users
C. Attach an SCP to the account that blocks access to KMS
D. Enable VPC peering for only authorized accounts

✅ Answer: B
Explanation: The key policy is the primary access control for a KMS key and can
name specific IAM users and roles as principals, with conditions such as
kms:ViaService. IAM policies (A) take effect only if the key policy delegates to
IAM; an SCP (C) can block KMS wholesale but cannot pick individual principals.
