AWS - Certified Solutions Architect IAM Policies and User Roles Questions and Answers

Question 1

A company runs an application on an Amazon EC2 instance that needs to access objects in an Amazon S3 bucket. To adhere to security best practices, how should the Solutions Architect grant the necessary permissions?

Accepted Answer

Create an IAM role with the necessary S3 permissions and attach it to the EC2 instance profile.

Answer

The most secure and recommended method for an AWS service like EC2 to access another service like S3 is to use an IAM role. IAM roles provide temporary security credentials that are automatically rotated, eliminating the need to store long-term credentials like access keys on the instance. This aligns with the principle of least privilege and avoids the security risks associated with hardcoded credentials.

Question 2

A developer is part of an IAM group that has an attached policy allowing `s3:GetObject` on a specific S3 bucket. The bucket also has a resource-based policy. In which of the following scenarios would the developer be DENIED access to an object in the bucket?

Accepted Answer

The resource-based policy contains a statement with `"Effect": "Deny"` for the developer's user ARN and the `s3:GetObject` action.

Answer

AWS IAM policy evaluation logic always prioritizes an explicit `Deny` statement over any `Allow` statement. If any policy (identity-based or resource-based) contains an explicit deny for the requested action, the request will be denied, regardless of any other policies that might allow it.

Question 3

A company has two AWS accounts: Account A for development and Account B for production resources, including a critical Amazon S3 bucket. A Solutions Architect needs to allow an IAM user in Account A to have read-only access to the S3 bucket in Account B. What is the most secure and scalable way to achieve this?

Accepted Answer

In Account B, create an IAM role with read-only permissions to the S3 bucket. The role's trust policy should specify Account A as the trusted principal.

Answer

Using a cross-account IAM role is the standard and most secure method for granting access to resources across AWS accounts. A role is created in the trusting account (Account B) with the necessary permissions, and it establishes a trust relationship with the trusted account (Account A). This allows users in Account A to assume the role and get temporary credentials, avoiding the insecure practice of sharing long-term access keys.

Question 4

Which of the following policy types is attached directly to a resource, such as an S3 bucket or an SQS queue, and specifies which principals are allowed or denied access?

Accepted Answer

Resource-based policy

Answer

Resource-based policies are attached directly to AWS resources. They are a primary way to control access to a specific resource and are unique in that they include a `Principal` element in the policy JSON, which specifies the user, account, service, or other entity that is allowed or denied access.

Question 5

An organization wants to enforce a rule that no developer, regardless of their other IAM permissions, can terminate production EC2 instances. Which IAM feature should be used to set the maximum permissions that an identity-based policy can grant to a user or role?

Accepted Answer

Permissions Boundary

Answer

A permissions boundary is an advanced IAM feature used to define the maximum permissions that an identity-based policy can grant. It acts as a ceiling. Even if a user has a policy that allows `ec2:TerminateInstances`, if their permissions boundary does not allow this action, the request will be denied. This is used to safely delegate permissions management while maintaining central control.

AWS Practice Test

AWS Practice Test

AWS - Certified Solutions Architect IAM Policies and User Roles Questions and Answers