Aws Iam MCQ Questions and Answers

Mastering Aws Iam is crucial for cloud certification success. This dedicated practice set features 170 Aws Iam MCQ questions and answers designed to mirror real exam scenarios across various AWS certifications.

📝 170 Questions⏱️ 90 min🎯 Pass: 70%

About Aws Iam Practice Questions

This detailed quiz focuses on Aws Iam, covering key concepts and scenarios often found in AWS exams.

  • Comprehensive coverage of Aws Iam features.
  • Scenario-based questions testing design and troubleshooting skills.
  • Detailed explanations to reinforce learning.

All 170 Aws Iam Questions

Browse through the complete list of questions and answers below. Use this resource to review specific concepts or check your understanding of Aws Iam.

1

What is the primary function of AWS Identity and Access Management (IAM)?

To securely control access to AWS resources
To provide internet connectivity to instances
To manage physical security in data centers
To encrypt data on hard drives
View Explanation
✓ Correct Answer: To securely control access to AWS resourcesExplanation:IAM enables you to manage users and their level of access to the AWS console and APIs.
2

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
3

Which IAM entity is best for providing temporary permissions to an AWS service so it can access other AWS resources?

IAM Role
IAM User
IAM Group
IAM Policy
View Explanation
✓ Correct Answer: IAM RoleExplanation:IAM roles are not associated with a specific person but can be assumed by anyone or anything that needs them.
4

What is the 'Principle of Least Privilege' in AWS?

Granting only the permissions required to perform a task
Giving todos users full admin access by default
Allowing only the CEO to have an AWS account
Restricting access based on the time of day
View Explanation
✓ Correct Answer: Granting only the permissions required to perform a taskExplanation:Least privilege reduces the risk of accidental or malicious actions by limiting what each entity can do.
5

Which of the following is a recommended best practice for the AWS Root user account?

Enable MFA and stop using the Root account for daily tasks
Share the Root password with all developers
Disable the Root account entirely
Use the Root account for command-line access
View Explanation
✓ Correct Answer: Enable MFA and stop using the Root account for daily tasksExplanation:The Root user should be protected with MFA and used only for a few specific accounting and service tasks.
6

What format are IAM policies written in?

JSON
YAML
XML
CSV
View Explanation
✓ Correct Answer: JSONExplanation:IAM policies are JSON documents that define permissions.
7

You want to organize 10 developers so they all have the same level of access to an S3 bucket. What is the most efficient way to manage this in IAM?

Create an IAM Group and add the developers to it
Create 10 identical IAM Roles
Manually attach policies to each user individually
Share a single IAM User's credentials with everyone
View Explanation
✓ Correct Answer: Create an IAM Group and add the developers to itExplanation:Groups allow you to manage permissions for multiple users at once.
8

Which IAM feature allows you to require more than just a username and password for a user to log in?

Multi-Factor Authentication (MFA)
Access Keys
IAM Policies
Security Groups
View Explanation
✓ Correct Answer: Multi-Factor Authentication (MFA)Explanation:MFA adds an extra layer of protection on top of user credentials.
9

What is an 'Access Key ID' and 'Secret Access Key' used for in IAM?

Programmatic access to AWS via the CLI, SDK, or API
Logging into the AWS Management Console
Unlocking a physical server rack
Encrypting an S3 bucket
View Explanation
✓ Correct Answer: Programmatic access to AWS via the CLI, SDK, or APIExplanation:Access keys allow code and tools to interact with AWS services.
10

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
11

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
12

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
13

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
14

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
15

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Share full administrative credentials
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
16

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
17

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
18

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
19

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Use Amazon EC2 instance profiles
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
20

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
21

Which IAM policy type is used to set the maximum permissions that an identity-based policy can grant to an IAM user or role?

Permissions Boundary
Service Control Policy (SCP)
Resource-based Policy
Access Control List (ACL)
View Explanation
✓ Correct Answer: Permissions BoundaryExplanation:Permissions boundaries are useful for delegating administrative tasks (like user creation) while ensuring the delegatee cannot grant themselves extra permissions.
22

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
23

A company uses AWS Organizations and wants to ensure that NO user in any account can delete S3 buckets, regardless of their individual IAM permissions. What should be used?

Service Control Policy (SCP) at the root or OU level
IAM Permissions Boundary
Global S3 Bucket Policy
AWS Config Rule
View Explanation
✓ Correct Answer: Service Control Policy (SCP) at the root or OU levelExplanation:SCPs provide centralized control over the maximum available permissions for all accounts in an organization.
24

What is the recommended way to grant an EC2 instance permission to call other AWS services (like S3 or DynamoDB)?

Assign an IAM Role to the instance via an Instance Profile
Store an IAM user's Access Key and Secret Key in the instance's user data
Hardcode credentials in the application code
Open the security group to all AWS services
View Explanation
✓ Correct Answer: Assign an IAM Role to the instance via an Instance ProfileExplanation:IAM Roles for EC2 provide temporary, rotating credentials that are much more secure than long-term access keys.
25

Which IAM feature allows an architect to verify which permissions in a policy are actually being used by an entity, helping to implement the 'principle of least privilege'?

IAM Access Advisor
IAM Policy Simulator
IAM Access Analyzer
CloudTrail
View Explanation
✓ Correct Answer: IAM Access AdvisorExplanation:Access Advisor shows 'Last Accessed' information for services, helping you identify and remove unused permissions.
26

A company wants to allow employees to log into the AWS Management Console using their existing corporate credentials from Microsoft Active Directory. Which service is required?

AWS IAM Identity Center (successor to AWS Single Sign-On)
AWS Directory Service
IAM User groups
AWS Cognito User Pools
View Explanation
✓ Correct Answer: AWS IAM Identity Center (successor to AWS Single Sign-On)Explanation:IAM Identity Center is the recommended service for managing workforce access to AWS accounts and applications via federation.
27

When multiple policies are applied to a user (e.g., an SCP, a Permissions Boundary, and an Identity-based Policy), when is a request finally allowed?

Only if ALL policies allow the action and NO policy explicitly denies it
If any one policy allows it
If the Identity-based policy is the most permissive
Based on the order of the policies
View Explanation
✓ Correct Answer: Only if ALL policies allow the action and NO policy explicitly denies itExplanation:An explicit Deny always wins. For an Allow, the request must be within the intersection of all applicable boundaries and policies.
28

What is 'IAM Access Analyzer' used for?

To identify resources in your account that are shared with external entities (unintended public or cross-account access)
To check if users have strong passwords
To speed up AWS Console performance
To analyze network traffic
View Explanation
✓ Correct Answer: To identify resources in your account that are shared with external entities (unintended public or cross-account access)Explanation:Access Analyzer helps you identify and remediation potential security risks from external resource sharing.
29

An architect needs to create a temporary link that allows an external consultant to download a specific file from S3 without creating an IAM user for them. Which feature is best?

S3 Presigned URL
IAM Policy with a Condition for IP address
STS GetSessionToken
VPC Endpoint Service
View Explanation
✓ Correct Answer: S3 Presigned URLExplanation:Presigned URLs provide time-limited access to objects using the credentials of the person who generated the URL.
30

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
31

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
32

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
33

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Share full administrative credentials
Create long-term access keys for each developer
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
34

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
35

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Create long-term access keys for each developer
Share full administrative credentials
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
36

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
37

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
38

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
39

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Use Amazon EC2 instance profiles
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
40

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
41

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Use Amazon EC2 instance profiles
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
42

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
43

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
44

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
45

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Share full administrative credentials
Create long-term access keys for each developer
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
46

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
47

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
48

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
49

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
50

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
51

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
52

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
53

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
54

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
55

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Share full administrative credentials
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
56

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
57

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
58

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
59

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
60

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
61

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
62

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
63

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
64

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
65

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Share full administrative credentials
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
66

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
67

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
68

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
69

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
70

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
71

A large enterprise is migrating to AWS and wants to implement a centralized governance model across 100+ AWS accounts. They need to enforce a policy that prevents any account from disabling CloudTrail or deleting S3 buckets that store audit logs. Which solution is most appropriate?

Apply Service Control Policies (SCPs) at the Cloud Tower or Organization level
Create individual IAM policies in each account
Use AWS Config rules to auto-remediate configuration drift
Use AWS Trusted Advisor to monitor compliance
View Explanation
✓ Correct Answer: Apply Service Control Policies (SCPs) at the Cloud Tower or Organization levelExplanation:SCPs in AWS Organizations provide central control over the maximum available permissions for all accounts in an OU or organization, and they cannot be bypassed by local administrators (even 'root').
72

Which AWS service provides an automated way to detect that an EC2 instance in a public subnet has been compromised and is communicating with an known malicious command-and-control server?

Amazon GuardDuty
AWS Inspector
AWS Shield
Amazon Macie
View Explanation
✓ Correct Answer: Amazon GuardDutyExplanation:GuardDuty is a threat detection service that analyzes VPC Flow Logs, CloudTrail, and DNS logs to identify suspicious or malicious activity.
73

An enterprise wants to enforce a rule that all EC2 instances must be launched with a specific set of tags for cost allocation. How can they implement this 'Tagging Enforcement' to prevent non-compliant resources from even being created?

IAM Policy with 'Condition' element evaluating the resource tags (aws:RequestTag)
AWS Config
AWS Trusted Advisor
Lambda function on an EventBridge trigger
View Explanation
✓ Correct Answer: IAM Policy with 'Condition' element evaluating the resource tags (aws:RequestTag)Explanation:IAM policies can be written with 'StringEquals' conditions on request tags to deny the 'RunInstances' API call if the required tags are not present.
74

An enterprise wants to migrate its on-premises Microsoft Active Directory to AWS. They want a managed solution that integrates with Amazon RDS for SQL Server and allows them to use their existing AD tools. Which service should they choose?

AWS Directory Service for Microsoft Active Directory
AD Connector
Simple AD
IAM Identity Center
View Explanation
✓ Correct Answer: AWS Directory Service for Microsoft Active DirectoryExplanation:AWS Managed Microsoft AD is a fully managed AD that is highly available and supports AD-aware applications like RDS SQL Server and SharePoint.
75

To improve the security of your AWS environment, you want to identify any IAM roles that have not been used in the last 90 days across all your accounts. Which AWS feature provides this information?

IAM Access Analyzer (Unused Access findings)
AWS Trusted Advisor
AWS Config
IAM Credential Report
View Explanation
✓ Correct Answer: IAM Access Analyzer (Unused Access findings)Explanation:IAM Access Analyzer can now find unused IAM roles, access keys, and passwords, helping you implement least privilege.
76

An enterprise wants to enable 'Workload Identity' for their Amazon EKS clusters so that pods can assume specific IAM roles without needing to manage static AWS credentials inside the cluster. Which feature provides this?

IAM Roles for Service Accounts (IRSA)
IAM Instance Profiles on the worker nodes
AWS Security Token Service (STS) console manually
EKS Cluster Service Role
View Explanation
✓ Correct Answer: IAM Roles for Service Accounts (IRSA)Explanation:IRSA uses OIDC federation to allow Kubernetes service accounts to assume IAM roles, providing fine-grained access control at the pod level.
77

Which AWS service provides a unified view of security alerts and compliance status across multiple AWS accounts and security services like GuardDuty, Inspector, and IAM Access Analyzer?

AWS Security Hub
Amazon Detective
AWS Config
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS Security HubExplanation:Security Hub aggregates and prioritizes security findings from across your organization into a single dashboard.
78

A financial firm needs to ensure that their database is compliant with data residency requirements specifying that data must never leave a specific AWS region. How can they enforce this at the organization level?

Service Control Policy (SCP) with a 'StringNotEquals' condition on 'aws:RequestedRegion'
IAM roles
VPC Service Controls
AWS Config
View Explanation
✓ Correct Answer: Service Control Policy (SCP) with a 'StringNotEquals' condition on 'aws:RequestedRegion'Explanation:SCPs can restrict which regions are usable within an AWS account or organization, ensuring data residency compliance.
79

An enterprise wants to ensure that all their AWS accounts follow a strict security baseline. They want to automate the setup of new accounts with pre-configured VPCs, IAM roles, and logging. Which AWS service is specifically designed to orchestrate this multi-account environment setup?

AWS Control Tower
AWS Organizations
AWS CloudFormation StackSets
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS Control TowerExplanation:Control Tower uses a landing zone to automatically provision new accounts with pre-approved configurations and guardrails across the entire organization.
80

A global conglomerate wants to analyze their AWS spend across multiple business units. They want to create custom 'Cost Categories' based on tags, accounts, and services to better attribute costs to specific projects. Which tool provides this capability?

AWS Cost Categories
AWS Cost Explorer
AWS Budgets
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS Cost CategoriesExplanation:Cost Categories allows you to group cost and usage information into meaningful categories for your business, improving financial governance and visibility.
81

An organization wants to analyze their VPC Flow Logs and CloudTrail logs to identify the 'Blast Radius' of a potential security breach. They need a tool that can visualize the relationships between their resources and security events. Which service should they use?

Amazon Detective
Amazon GuardDuty
AWS Security Hub
Amazon Inspector
View Explanation
✓ Correct Answer: Amazon DetectiveExplanation:Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
82

An organization following the 'Least Privilege' principle wants to restrict all developers from creating new S3 buckets that do not have encryption enabled. How should they implement this organizational control?

Service Control Policy (SCP) at the OU level with a 'Deny' on 's3:CreateBucket' if the encryption condition is not met
AWS Config rule
IAM role at the user level
Manually deleting buckets
View Explanation
✓ Correct Answer: Service Control Policy (SCP) at the OU level with a 'Deny' on 's3:CreateBucket' if the encryption condition is not metExplanation:SCPs are the most effective way to enforce compliance at the 'API Call' level across multiple accounts in an organization.
83

An organization wants to implement 'Zero Trust' networking and wants to ensure that access to their internal web apps is denied unless the user's device is compliant with corporate patches. Which AWS service provides this context-aware access?

AWS Verified Access
AWS Client VPN
AWS WAF
AWS Identity Center
View Explanation
✓ Correct Answer: AWS Verified AccessExplanation:Verified Access evaluates every request against policies that can include device health data from endpoint management systems.
84

To protect your AWS accounts from unauthorized administrative actions, you want to require that any change to a specific set of critical IAM roles requires approval from two different security administrators (Two-Person Control). How can you implement this securely?

Use AWS Step Functions to orchestrate a manual approval workflow that updates the IAM policy only after two approvals
Grant 'AdministratorAccess' only to the security team
Use a shared password
SCPs with conditions
View Explanation
✓ Correct Answer: Use AWS Step Functions to orchestrate a manual approval workflow that updates the IAM policy only after two approvalsExplanation:Step Functions can integrate with Lambda and SES/SNS to create a formal multi-party approval process for sensitive infrastructure changes.
85

Which AWS service provides a consolidated way to view compliance-ready reports (like SOC 1/2, PCI-DSS, ISO) for the global AWS infrastructure?

AWS Artifact
AWS Security Hub
AWS Config
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS ArtifactExplanation:Artifact is the self-service portal for AWS compliance reports and agreements.
86

An organization wants to analyze their organization-wide CloudTrail logs for threat detection. They want to use a tool that can automatically detect API patterns that indicate a hacker is attempting to exfiltrate data from an S3 bucket. Which service is best?

Amazon GuardDuty
Amazon Macie
AWS Security Hub
Amazon Inspector
View Explanation
✓ Correct Answer: Amazon GuardDutyExplanation:GuardDuty's S3 protection analyzes data events to detect malicious behavior like mass object deletion or access from unusual locations.
87

An enterprise wants to improve the security of their AWS environment by automatically identifying and remediating any public S3 buckets. Which AWS service provides a library of pre-built auto-remediation actions for common compliance issues?

AWS Config with Systems Manager (SSM) Automation
AWS Trusted Advisor
IAM Access Analyzer
AWS Shield
View Explanation
✓ Correct Answer: AWS Config with Systems Manager (SSM) AutomationExplanation:Config monitors the resources, and SSM Automation executes the remediation logic (e.g., calling the S3 API to disable public access).
88

An organization wants to move their legacy on-premises Windows-based applications to AWS with minimal changes. They want a managed platform that handles patching, auto-scaling, and provides a 'Zero Trust' access experience for their employees. Which AWS service should they use?

AWS AppStream 2.0 or WorkSpaces Web
AWS Fargate
EC2 instances with manual Windows Server installation
AWS Lambda
View Explanation
✓ Correct Answer: AWS AppStream 2.0 or WorkSpaces WebExplanation:AppStream 2.0 allows you to stream desktop applications to a web browser, providing a modern, secure experience for legacy software without needing to refactor the code.
89

Which AWS security service allows you to centrally manage and deploy firewall rules across your entire organization, including WAF rules, Shield Advanced protection, and Network Firewall policies?

AWS Firewall Manager
AWS Security Hub
AWS Organizations
AWS Config
View Explanation
✓ Correct Answer: AWS Firewall ManagerExplanation:Firewall Manager is an auditing and management service that ensures compliance by pushing security policies across accounts uniformly.
90

Your organization wants to implement a centralized way to manage and deploy configuration best practices across 100+ AWS accounts. They want to ensure that if a resource becomes non-compliant (e.g., an S3 bucket becomes public), it is automatically remediated without manual intervention. Which AWS service and feature provides this?

AWS Config with the 'Aggregator' and 'Auto-remediation' using Systems Manager
AWS Organizations SCPs
AWS Trusted Advisor
IAM Access Analyzer
View Explanation
✓ Correct Answer: AWS Config with the 'Aggregator' and 'Auto-remediation' using Systems ManagerExplanation:AWS Config monitors resource configurations. Aggregators collect data from multiple accounts, and auto-remediation (via SSM documents) allows for immediate fix of compliance violations.
91

To reduce the 'Blast Radius' of a potential compromise in a multi-tenant application, you want to ensure that each customer's data is stored in a separate DynamoDB table and that the application code can only access the specific table of the currently logged-in user. Which feature enables this dynamic, fine-grained access control?

IAM Policy Variables (e.g., ${www.amazon.com:user_id})
Hardcoded IAM roles for every user
DynamoDB Global Tables
VPC Service Controls
View Explanation
✓ Correct Answer: IAM Policy Variables (e.g., ${www.amazon.com:user_id})Explanation:IAM Policy Variables allowed you to write a single policy that dynamically restricts access based on the identity of the user, which is essential for multi-tenant security.
92

To improve the security of an Amazon ECR (Elastic Container Registry), an enterprise wants to ensure that any container image with a 'Critical' vulnerability is automatically prevented from being pulled or deployed to their EKS clusters. Which tool combination handles this enforcement?

Amazon Inspector (ECR Scanning) and a custom Lambda/Admission Controller in EKS
IAM roles
Security Groups
S3 Bucket Policies
View Explanation
✓ Correct Answer: Amazon Inspector (ECR Scanning) and a custom Lambda/Admission Controller in EKSExplanation:Inspector performs the scan. Enforce the scan result by having a Kubernetes admission controller check for the presence of vulnerabilities before allowing a pod to start.
93

How can you securely provide temporary access to a specific AWS account for a 3rd-party auditor without creating a permanent IAM user or sharing passwords?

Create an IAM Role with a 'Cross-account trust policy' and an 'External ID'
Email them a service account key
Add them to a 'security' AWS account locally
Use a public S3 bucket for logs
View Explanation
✓ Correct Answer: Create an IAM Role with a 'Cross-account trust policy' and an 'External ID'Explanation:Cross-account roles allow users from another account (the auditor) to assume a role in your account. The 'External ID' is a security best practice to prevent the 'confused deputy' problem.
94

An enterprise wants to ensure that all their employees can access their internal AWS dashboards only while they are connected to the corporate office network via VPN. Which AWS tool can enforce this IP-based restriction at the portal level?

IAM Policies with an 'IpAddress' condition (on the aws:SourceIp key)
VPC Firewall rules
AWS Client VPN
AWS Shield
View Explanation
✓ Correct Answer: IAM Policies with an 'IpAddress' condition (on the aws:SourceIp key)Explanation:IAM conditions can restrict access to any AWS service or action based on the source IP of the request, providing a powerful layer of security.
95

Your organization wants to implement 'Attribute-based Access Control' (ABAC) to simplify IAM management. They want to ensure that developers can only start/stop EC2 instances that have a 'Project' tag matching the 'Project' tag on the developer's IAM user. Which IAM policy element is used to achieve this comparison?

Condition with 'StringEquals' on 'aws:PrincipalTag/Project' and 'ec2:ResourceTag/Project'
IAM Role with a static policy
IAM Group with permissions
VPC Service Controls
View Explanation
✓ Correct Answer: Condition with 'StringEquals' on 'aws:PrincipalTag/Project' and 'ec2:ResourceTag/Project'Explanation:ABAC allows for dynamic permissions based on tags. By comparing the principal's tags to the resource's tags in a policy condition, you can scale permissions without updating individual policies.
96

An enterprise wants to be alerted immediately if their daily AWS spend exceeds their historical average by more than 20%, which could indicate a security breach or a misconfigured resource. Which AWS service provides this machine-learning based detection?

AWS Cost Anomaly Detection
AWS Budgets
AWS Cost Explorer
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS Cost Anomaly DetectionExplanation:Cost Anomaly Detection uses ML to analyze your spending patterns and alert you to unusual spikes that might otherwise go unnoticed for weeks.
97

Whcih AWS service provides 'Managed Threat Intelligence' to protect your S3 buckets from malicious actors by checking data access events against a database of known suspicious IP addresses and domains?

Amazon GuardDuty (S3 Protection)
Amazon Macie
AWS Shield Standard
AWS Network Firewall
View Explanation
✓ Correct Answer: Amazon GuardDuty (S3 Protection)Explanation:GuardDuty S3 Protection continuously monitors data events in CloudTrail to identify threats such as scanning for open buckets or patterns of data exfiltration.
98

How can you analyze the 'Blast Radius' of a potential IAM user compromise by identifying exactly which resources that user has permission to access across your entire AWS Organization?

IAM Access Analyzer (Policy Generation and Access Preview)
IAM Credential Report
AWS Trusted Advisor
VPC Flow Logs
View Explanation
✓ Correct Answer: IAM Access Analyzer (Policy Generation and Access Preview)Explanation:Access Analyzer provides several tools for analyzing permissions, including the ability to see 'effective' access and generate least-privilege policies based on activity.
99

Which AWS service provides a managed way to run 'Service Quota' analysis across multiple accounts and automatically request increases before you hit the limit?

Service Quotas (with CloudWatch integration)
AWS Trusted Advisor
AWS Budgets
AWS Config
View Explanation
✓ Correct Answer: Service Quotas (with CloudWatch integration)Explanation:The Service Quotas console allows you to view and manage your quotas centrally, and integrating with CloudWatch allows you to set alarms for when you are approaching a limit.
100

Which AWS security service allows you to centrally manage and automate security configuration checks for your enterprise using a set of best-practice 'Conformance Packs'?

AWS Config
AWS Security Hub
Amazon GuardDuty
AWS IAM
View Explanation
✓ Correct Answer: AWS ConfigExplanation:Config Conformance Packs are collections of AWS Config rules and remediation actions that help you implement a specific compliance standard (like NIST or PCI).
101

Which AWS service provides an automated way to detect if an IAM role has been granted permissions that it hasn't used in 90 days, helping you move towards a model of 'Least Privilege'?

IAM Access Analyzer (Unused Access findings)
AWS Trusted Advisor
AWS Config
AWS Inspector
View Explanation
✓ Correct Answer: IAM Access Analyzer (Unused Access findings)Explanation:IAM Access Analyzer can identify unused roles, access keys, and passwords across your account or organization.
102

Scenario: To minimize the blast radius of a potential credential theft, you want to ensure that your developers can only access the production AWS account during business hours. Solution ?

IAM Policy with a 'Condition' element evaluating 'aws:CurrentTime' or 'aws:EpochTime'
Deleting their roles at 5 PM daily
Rotating passwords daily
Using a shared account
View Explanation
✓ Correct Answer: IAM Policy with a 'Condition' element evaluating 'aws:CurrentTime' or 'aws:EpochTime'Explanation:IAM conditions can restrict access based on the time and date of the request.
103

Which AWS service provides an automated way to detect if a specific Amazon EC2 instance has a legacy software package installed that contains a known security vulnerability (CVE)?

Amazon Inspector
Amazon GuardDuty
AWS Shield
AWS Systems Manager
View Explanation
✓ Correct Answer: Amazon InspectorExplanation:Amazon Inspector is a vulnerability management service that scans EC2 instances, ECR images, and Lambda functions for software vulnerabilities.
104

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
105

An enterprise wants to ensure that all their AWS CloudTrail logs are protected from being tampered with or deleted, even if their administrative accounts are compromised. Which feature provides the strongest protection for log integrity?

CloudTrail Log File Integrity Validation and S3 Object Lock (Compliance Mode)
IAM roles
Standard S3 versioning
AWS Config
View Explanation
✓ Correct Answer: CloudTrail Log File Integrity Validation and S3 Object Lock (Compliance Mode)Explanation:Log file integrity validation uses SHA-256 for signing, and Object Lock in Compliance Mode prevents even the root user from deleting the logs during the retention period.
106

To improve the security of a multi-account AWS environment, an architect wants to ensure that users can ONLY perform 'Delete' operations on production resources during a pre-authorized maintenance window. Which combination of services enables this time-based access control?

IAM Policies with 'aws:CurrentTime' conditions
Deleting roles manually
VPC Service Controls
AWS Trusted Advisor
View Explanation
✓ Correct Answer: IAM Policies with 'aws:CurrentTime' conditionsExplanation:IAM conditions allow you to restrict permissions based on the timestamp of the request, which is a native and secure way to enforce maintenance windows.
107

An organization wants to analyze the cost and usage of their AWS environment for the last 12 months with the ability to forecast future spending for the next 12 months. Which tool should they use?

AWS Cost Explorer
AWS Budgets
AWS Trusted Advisor
AWS Config
View Explanation
✓ Correct Answer: AWS Cost ExplorerExplanation:Cost Explorer provides historical data, visualization, and ML-based forecasting for future cloud spending.
108

An organization following the 'Zero Trust' model wants to ensure that access to their internal web apps is granted only if the user is authenticated via their enterprise IdP AND their device is company-managed. Which AWS service provides this integrated evaluation?

AWS Verified Access
AWS Client VPN
AWS Identity Center
WAF
View Explanation
✓ Correct Answer: AWS Verified AccessExplanation:Verified Access evaluates every request based on identity and device state for secure, VPN-less access.
109

Which AWS service allows you to centrally manage and enforce security best practices across all your AWS accounts by providing a set of 'Service Control Policies' (SCPs) that act as 'Guardrails'?

AWS Organizations
AWS Config
AWS Security Hub
AWS Shield
View Explanation
✓ Correct Answer: AWS OrganizationsExplanation:AWS Organizations is the foundation for multi-account governance and uses SCPs to define the maximum available permissions.
110

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
111

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Use Amazon EC2 instance profiles
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
112

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
113

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
114

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
115

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
116

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
117

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
118

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
119

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
120

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
121

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
122

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
123

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
124

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
125

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
126

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
127

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
128

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
129

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
130

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
131

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
132

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
133

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Use Amazon EC2 instance profiles
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
134

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
135

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Share full administrative credentials
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
136

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
137

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Use Amazon EC2 instance profiles
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
138

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
139

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
140

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
141

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
142

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
143

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
144

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
145

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
Share full administrative credentials
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
146

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
147

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Create long-term access keys for each developer
Share full administrative credentials
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
148

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
149

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Use Amazon EC2 instance profiles
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
150

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
151

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
152

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
153

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Use Amazon EC2 instance profiles
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
154

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
155

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Share full administrative credentials
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
156

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
157

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
158

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
159

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
160

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
161

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
162

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
AWS IAM Roles with cross-account access
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
163

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
164

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
165

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
Share full administrative credentials
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
166

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
167

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
168

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
AWS IAM Roles with cross-account access
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
169

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Share full administrative credentials
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
170

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.