IAM Exam Questions

Practice Questions with Detailed Answers

Question 1

Which IAM feature allows you to set the maximum permissions that an IAM entity can have?

A) IAM Policies
B) Permission Boundaries
C) Service Control Policies (SCPs)
D) Access Control Lists (ACLs)

Answer: B) Permission Boundaries

Permission boundaries define the maximum permissions that an IAM entity (user or role) can have. They don't grant permissions but act as a filter to limit what permissions can be granted through identity-based policies.

Question 2

What is the recommended way to provide AWS credentials to an application running on EC2?

A) Hard-code access keys in the application
B) Use IAM roles attached to the EC2 instance
C) Store access keys in environment variables
D) Use IAM user credentials

Answer: B) Use IAM roles attached to the EC2 instance

IAM roles provide temporary credentials that are automatically rotated. This is the most secure method as it eliminates the need to manage long-term access keys and follows AWS security best practices.

Question 3

Which service should you use to track all API calls made in your AWS account?

A) AWS CloudTrail
B) AWS Config
C) AWS CloudWatch
D) AWS X-Ray

Answer: A) AWS CloudTrail

CloudTrail logs all API calls made to AWS services, including who made the call, when it was made, and what resources were accessed. This is essential for security auditing and compliance.

Question 4

What is the difference between IAM policies and resource-based policies?

A) There is no difference
B) IAM policies are attached to identities, resource-based policies are attached to resources
C) IAM policies are for users, resource-based policies are for groups
D) Resource-based policies are deprecated

Answer: B) IAM policies are attached to identities, resource-based policies are attached to resources

IAM policies are attached to users, groups, or roles (identities) and define what actions they can perform. Resource-based policies are attached to resources (like S3 buckets) and define who can access the resource and what actions they can perform on it.

Question 5

Which MFA device provides the highest level of security for AWS root account access?

A) Virtual MFA device (smartphone app)
B) Hardware MFA device (YubiKey)
C) SMS text message
D) Email verification

Answer: B) Hardware MFA device (YubiKey)

Hardware MFA devices like YubiKey provide the highest security as they are physical devices that cannot be compromised through software attacks. They support the FIDO U2F standard and are recommended for root account protection.

Question 6

What is the purpose of AWS STS (Security Token Service)?

A) To create permanent access keys
B) To provide temporary security credentials
C) To manage IAM users
D) To encrypt data at rest

Answer: B) To provide temporary security credentials

AWS STS provides temporary, limited-privilege credentials for IAM users or federated users. These credentials consist of an access key ID, secret access key, and security token, and they automatically expire after a specified duration.
