Exam Type

Practice Set

Practice questions aggregated across this exam type.

Practice Questions

10 of 103 questions


easy

Q1. What does an IAM Permission Boundary define for an IAM entity?



medium

Q2. An AWS Service Control Policy (SCP) attached to an OU explicitly denies ec2:TerminateInstances. A member account Administrator (with AdministratorAccess policy) tries to terminate an EC2 instance. What is the result?



hard

Q3. An IAM user's identity policy has an explicit Deny for s3:GetObject on all resources. An S3 bucket in the SAME account has a resource-based policy that explicitly allows s3:GetObject for that IAM user. What is the effective access?



medium

Q4. A third-party SaaS application requires you to create an IAM role and share the role ARN so they can access your S3 data. What should you include in the role's trust policy to prevent the confused deputy attack?



medium

Q5. Which statements about AWS Service Control Policies (SCPs) are CORRECT? (More than one answer may be correct — Select TWO.)



medium

Q6. IAM Access Analyzer is used to identify which category of security issues?



hard

Q7. A company wants to implement Attribute-Based Access Control (ABAC) so that developers can only start/stop EC2 instances tagged with Project=TeamBlue. Which IAM policy condition achieves this?



hard

Q8. A Lambda function in Account A assumes an IAM role in Account B. The resulting credentials are used to assume a role in Account C. What is the maximum session duration for the final credentials obtained from Account C?



hard

Q9. GuardDuty raises a finding of type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. What does this finding indicate and what is the MOST effective immediate response?



hard

Q10. A company wants to automatically DETECT and REMEDIATE existing IAM users who have the AdministratorAccess policy attached, without manual intervention. Which approach is BEST?


