Identity and Access Management (IAM) is the foundation of AWS security, providing tools for securely controlling user access to AWS resources. This guide focuses on IAM topics like roles, policies, MFA, and federated access. Prepare effectively with these 20 scenario-based MCQs designed for AWS certification success.
Q1. You’ve been assigned to create a group for the development team in AWS. The group should allow members to launch EC2 instances. What is the best approach to achieve this?
a) Create a group and attach an EC2-specific managed policy.
b) Attach an inline policy directly to each user.
c) Assign an AdministratorAccess policy to the group.
d) Use an IAM role to assume EC2 permissions temporarily.
e) Attach an S3 bucket policy to the group.
Q2. Your organization has multiple IAM users. You need to grant one user permission to manage another user’s security credentials. What should you do?
a) Attach the IAMFullAccess policy to the user.
b) Use an IAM group to provide the necessary permissions.
c) Attach a custom policy allowing iam:UpdateLoginProfile.
d) Enable MFA for both users and grant access via trust relationships.
e) Assign Admin permissions to the user.
Q3. Which statement accurately describes the use of IAM roles?
a) Roles can only be assumed by AWS services, not users.
b) Roles provide temporary security credentials.
c) Roles must be attached directly to individual users.
d) Roles automatically enable MFA for users.
e) A single role can only be assumed by one user at a time.
Q4. A business application running on an EC2 instance needs access to an S3 bucket. What’s the best way to configure this access?
a) Attach a bucket policy directly to the S3 bucket.
b) Assign an IAM role to the EC2 instance.
c) Embed the S3 access credentials in the application code.
d) Create an IAM user and pass its credentials to the application.
e) Use AWS Key Management Service (KMS) to enable access.
Q5. A user has been assigned to manage groups but should not have permissions to create users. Which AWS policy would meet this requirement?
a) Attach a PowerUserAccess policy.
b) Use a custom policy with iam:UpdateGroup permission.
c) Use AWSManagedPolicyGroupAdministrator managed policy.
d) Assign iam:CreateGroup permissions only.
e) Disable user creation via group policy restrictions.
Q6. What’s a key difference between inline and managed IAM policies?
a) Inline policies are automatically assigned to groups.
b) Managed policies can be attached to multiple entities.
c) Inline policies support JSON formatting, while managed policies do not.
d) Managed policies cannot be edited once attached.
e) Inline policies automatically inherit group permissions.
Q7. An administrator wants to restrict an IAM user’s access to only the us-west-2 region for all actions. Which policy statement should they use?
a) "Action": "*", "Resource": "*", "Condition": {"StringEquals": {"aws:Region": "us-west-2"}}
b) "Effect": "Deny", "Action": "*", "Condition": {"aws:region": "us-west-2"}
c) "Effect": "Allow", "Resource": ["*"], "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}
d) "Effect": "Allow", "Action": "*", "Resource": "*", "Condition": {"aws:RequestedRegion": "us-west-2"}
e) "Effect": "Deny", "Condition": {"aws:Region": ["us-west-1", "us-east-1"]}
Q8. You want to create a custom policy that grants read access to S3 buckets. Which policy structure is correct?
a) "Effect": "Allow", "Action": "s3:PutObject", "Resource": "*".
b) "Effect": "Deny", "Action": "s3:Read*", "Resource": "arn:aws:s3:::my-bucket".
c) "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*".
d) "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "*".
e) "Effect": "Allow", "Action": ["s3:DeleteObject"], "Resource": "arn:aws:s3:::my-bucket/*".
Q9. A new managed policy needs to enforce least privilege for accessing specific RDS instances. How can this be achieved?
a) Use rds:* as the action for maximum flexibility.
b) Specify instance-level ARNs in the policy resource block.
c) Include a deny rule for RDS actions globally.
d) Avoid using conditions for policy enforcement.
e) Enable IAM database authentication in RDS settings.
Q10. What happens when both a deny and allow policy apply to the same resource?
a) Allow always overrides deny.
b) The resource becomes inaccessible.
c) Deny takes precedence over allow.
d) Both policies cancel each other out.
e) AWS automatically evaluates the most specific rule.
Q11. Which method ensures the highest level of security for IAM users?
a) Enabling root access for trusted users.
b) Attaching inline policies with extensive permissions.
c) Using managed policies with detailed conditions.
d) Enforcing MFA for all users and roles.
e) Disabling all policy attachments except for admins.
Q12. A junior admin accidentally granted s3:* permissions to a user. What is the best way to mitigate potential misuse?
a) Immediately delete the user.
b) Disable the S3 service for the entire account.
c) Attach a deny policy to override the current policy.
d) Enable AWS Config rules to restrict S3 usage.
e) Remove the existing policy and apply a least privilege one.
Q13. Why is it recommended to use roles instead of sharing user credentials?
a) Roles automatically enable advanced logging.
b) Credentials associated with roles are long-term.
c) Roles allow for temporary security credentials.
d) Shared credentials require less management effort.
e) Roles prevent the need for custom policies.
Q14. What best practice ensures root account security in AWS?
a) Assigning root credentials to key users.
b) Using IAM groups for all privileged operations.
c) Enabling MFA on the root account and storing credentials securely.
d) Disabling the root account after creating an admin user.
e) Deleting all keys associated with the root account.
Q15. A company requires temporary elevated access for audits. Which IAM approach should they use?
a) Grant permanent admin access to users involved in audits.
b) Use an IAM group with full access policies.
c) Assign temporary roles with limited privileges for the audit duration.
d) Enable inline policies that expire automatically.
e) Allow unrestricted account-wide access during audits.
Q16. An organization uses Active Directory for user authentication. How can users be given access to AWS resources?
a) Attach a managed policy for Active Directory users.
b) Set up SSO using a SAML-based identity provider.
c) Manually add all users to IAM groups.
d) Create individual IAM users for each Active Directory user.
e) Use EC2 instance profiles for authentication.
Q17. What’s a primary benefit of using AWS SSO?
a) Unlimited access to all AWS services.
b) Centralized user management across multiple accounts.
c) Eliminating the need for managed policies.
d) Reduced billing for user accounts.
e) Automated logging and monitoring of all activities.
Q18. Which identity provider is compatible with AWS SSO?
a) SAML 2.0
b) OAuth 1.0
c) LDAP-only providers
d) OpenID Connect 1.0
e) Google Cloud Directory
Q19. A company wants to allow external contractors to access AWS resources securely. What’s the best approach?
a) Share root credentials with the contractors.
b) Use an identity provider and roles for temporary access.
c) Create dedicated IAM users for each contractor.
d) Allow public access to resources.
e) Implement federated access via EC2 instances.
Q20. How does federated access improve security in AWS?
a) It replaces the need for all IAM users.
b) Provides secure, temporary credentials for external users.
c) Enables SSO without additional configuration.
d) Grants permanent access to trusted external entities.
e) Eliminates all policies for resource management.
| Qno | Answer (Option with Text) |
|---|---|
| Q1 | a) Create a group and attach an EC2-specific managed policy. |
| Q2 | c) Attach a custom policy allowing iam:UpdateLoginProfile. |
| Q3 | b) Roles provide temporary security credentials. |
| Q4 | b) Assign an IAM role to the EC2 instance. |
| Q5 | b) Use a custom policy with iam:UpdateGroup permission. |
| Q6 | b) Managed policies can be attached to multiple entities. |
| Q7 | a) "Action": "*", "Resource": "*", "Condition": {"StringEquals": {"aws:Region": "us-west-2"}}. |
| Q8 | c) "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*". |
| Q9 | b) Specify instance-level ARNs in the policy resource block. |
| Q10 | c) Deny takes precedence over allow. |
| Q11 | d) Enforcing MFA for all users and roles. |
| Q12 | e) Remove the existing policy and apply a least privilege one. |
| Q13 | c) Roles allow for temporary security credentials. |
| Q14 | c) Enabling MFA on the root account and storing credentials securely. |
| Q15 | c) Assign temporary roles with limited privileges for the audit duration. |
| Q16 | b) Set up SSO using a SAML-based identity provider. |
| Q17 | b) Centralized user management across multiple accounts. |
| Q18 | a) SAML 2.0 |
| Q19 | b) Use an identity provider and roles for temporary access. |
| Q20 | b) Provides secure, temporary credentials for external users. |