IAM and Roles

Question 1

An application on EC2 needs to access an S3 bucket. What is the MOST secure way to grant permissions?

Accepted Answer

IAM Role attached to instance

Answer

Embed Access Keys in code

Answer

Make bucket public

Answer

Environment variables with credentials

Question 2

A Lambda application needs to access secrets in Secrets Manager with LOWEST operational overhead. What is the most secure way without hard-coded credentials?

Accepted Answer

Attach IAM Role to Lambda with Secrets Manager permissions

Answer

Use AWS SDK with credentials in environment variables

Answer

Store secrets in Parameter Store

Answer

Use KMS to encrypt secrets in code

Question 3

You need to grant permissions to 50 developers to access development resources. What is the MOST efficient approach?

Accepted Answer

Create an IAM Group with policies and add users

Answer

Create 50 IAM users with individual policies

Answer

Share credentials of an admin user

Answer

Use root account for everyone

Question 4

Which of the following statements about IAM policies is CORRECT?

Accepted Answer

An explicit Deny always overrides any Allow

Answer

Inline policies take precedence over managed policies

Answer

AWS Managed policies cannot be applied to users

Answer

Customer Managed policies don't support conditions

Question 5

A company needs to allow an external AWS account to access S3 resources in their account with HIGHEST security. What is the recommended solution?

Accepted Answer

Create an IAM Role with trust policy for the external account

Answer

Share Access Keys of an IAM user

Answer

Make the S3 bucket public

Answer

Create IAM users in the external account

Question 6

What is the security best practice for the AWS root account?

Accepted Answer

Enable MFA and use only when absolutely necessary

Answer

Use it daily for administrative tasks

Answer

Share credentials with DevOps team

Answer

Disable root account after creating IAM users

Question 7

Which type of MFA offers the HIGHEST level of security to protect AWS accounts?

Accepted Answer

Hardware MFA device (U2F security key)

Answer

Virtual MFA (Google Authenticator, Authy)

Answer

SMS text message

Answer

Email verification code

Question 8

An IAM policy has the following statements: Statement 1: Allow s3:*, Statement 2: Deny s3:DeleteBucket. What can the user do?

Accepted Answer

Can perform all S3 operations except DeleteBucket

Answer

Can perform all S3 operations including DeleteBucket

Answer

Cannot perform any S3 operations

Answer

Can only perform read operations on S3

Question 9

What is the main difference between AWS Managed Policies and Customer Managed Policies?

Accepted Answer

AWS Managed Policies cannot be modified, Customer Managed Policies can

Answer

AWS Managed Policies are more secure than Customer Managed Policies

Answer

Customer Managed Policies can only be used with users, not roles

Answer

AWS Managed Policies are automatically deleted after 90 days

Question 10

An application needs to assume different IAM roles depending on the environment (dev, staging, prod). What IAM Roles feature enables this?

Accepted Answer

Role switching via AssumeRole API

Answer

Multiple trust policies per role

Answer

IAM Groups for roles

Answer

Environment-specific inline policies

IAM and Roles

An application on EC2 needs to access an S3 bucket. What is the MOST secure way to grant permissions?

Explanation

IAM Roles for EC2

Official Documentation