🔑 AWS IAM - DVA-C02 Practice Questions

Understand IAM policies (identity-based, resource-based), roles, STS, least-privilege design, policy evaluation logic, cross-account access, and permission boundaries.

16 Questions Available
1 Exam Domain

DVA-C02 IAM Question Bank (16 Questions)

Browse all 16 practice questions covering AWS IAM for the DVA-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Security)

    A developer uses IAM roles for cross-account access. Which statement is correct about the trust policy?

    A. Trust policy defines what the role can do
    B. Trust policy defines who can assume the role
    C. Trust policy is the same as a permission policy
    D. Trust policy is attached to the IAM user

  2. Question 2 (Security)

    An application uses an IAM role with a permission boundary. The role's policy allows s3:*, but the boundary only allows s3:GetObject. What can the role do?

    A. All S3 actions because the role policy allows s3:*
    B. Only s3:GetObject — effective permissions are the intersection of role policy and boundary
    C. No S3 actions because there is a conflict
    D. All S3 actions except DeleteObject

  3. Question 3 (Security)

    Which type of IAM policy is attached directly to an AWS resource (like an S3 bucket) to control cross-account access?

    A. Managed policy
    B. Inline policy
    C. Resource-based policy
    D. Permission boundary

  4. Question 4 (Security)

    An IAM policy contains both an explicit Allow and an explicit Deny for the same action. What is the result?

    A. Allow takes precedence
    B. The most recently applied policy takes precedence
    C. Deny takes precedence
    D. It results in an error

  5. Question 5 (Security)

    Which feature allows an IAM policy to limit the maximum permissions an IAM entity can have, regardless of what policies are attached?

    A. Resource-based policy
    B. Service control policy (SCP)
    C. Permissions boundary
    D. Session policy

  6. Question 6 (Security)

    A mobile application uses Cognito Identity Pools to get AWS credentials. The user's role gets a policy that includes 'cognito-identity.amazonaws.com:sub' as a condition. What does this enforce?

    A. Users can only access resources in a specific region
    B. Users can only access their own DynamoDB items (using their Cognito identity as the partition key)
    C. Users must be authenticated before accessing the API
    D. Users can only upload to their own S3 folder

  7. Question 7 (Security)

    A developer implements a custom Lambda authorizer that returns an IAM policy. What must the policy contain to authorize the request?

    A. An Effect:Allow for execute-api:Invoke on the method ARN
    B. An Effect:Allow for lambda:InvokeFunction
    C. An Effect:Allow for apigateway:* on all resources
    D. An Effect:Deny on all methods except the requested one

  8. Question 8 (Security)

    A developer needs to prevent an IAM policy from allowing access to a specific S3 bucket, even if other policies grant access. Which element is used?

    A. Action: 's3:*' with Effect: Allow
    B. Effect: Deny with the specific bucket ARN
    C. Resource: '*' with NotAction
    D. Condition: StringNotEquals on bucket name

  9. Question 9 (Security)

    A developer uses IAM and wants to grant a user read access to all S3 buckets except one specific bucket. Which IAM policy pattern achieves this?

    A. Allow s3:GetObject on *, then Deny s3:GetObject on the specific bucket ARN
    B. Use NotResource with Allow for s3:GetObject
    C. Use Deny with NotResource on the exception bucket
    D. Both A and B

  10. Question 10 (Security)

    A developer uses AWS STS AssumeRole to switch roles. What is the maximum duration for temporary credentials?

    A. 1 hour
    B. 12 hours
    C. Up to the MaxSessionDuration configured on the role (max 12 hours)
    D. 24 hours

  11. Question 11 (Security)

    A developer creates a presigned S3 URL with a 1-hour expiration using IAM role credentials. If the role's session expires in 30 minutes, when does the presigned URL expire?

    A. 1 hour as specified
    B. 30 minutes — when the signing credentials expire
    C. 15 minutes — half of the credential expiry
    D. Never expires once created

  12. Question 12 (Security)

    A Lambda function uses an IAM role with AmazonDynamoDBFullAccess but an SCP in the organization denies DynamoDB writes. Can the function write to DynamoDB?

    A. Yes — IAM role permissions override SCPs
    B. No — SCPs apply as an additional guard; both must allow the action
    C. Yes — Lambda is exempt from SCPs
    D. No — SCPs override all IAM policies including roles

  13. Question 13 (Security)

    Which IAM feature allows a developer to test what actions are allowed for a user or role without making actual API calls?

    A. IAM Access Analyzer
    B. IAM Policy Simulator
    C. AWS Trusted Advisor
    D. CloudTrail log analysis

  14. Question 14 (Select All That Apply, Security)

    An API key stored in AWS Secrets Manager needs to be accessed by an application. Which action must the IAM role have?

    A. secretsmanager:PutSecretValue
    B. secretsmanager:GetSecretValue
    C. secretsmanager:ListSecrets
    D. kms:Decrypt on the Secrets Manager key

  15. Question 15 (Security)

    A developer uses API Gateway with IAM authentication. The client must sign requests. Which signing algorithm should they use?

    A. HMAC-SHA256 only
    B. AWS Signature Version 4 (SigV4)
    C. RSA-SHA256
    D. OAuth 2.0 bearer token

  16. Question 16 (Security)

    An application needs to sign requests to an internal REST API protected by IAM authentication. Which mechanism should the client implement?

    A. HTTP Basic Authentication
    B. AWS Signature Version 4 (SigV4) signing
    C. JWT bearer token in Authorization header
    D. API key in x-api-key header

Key IAM Concepts for DVA-C02

iam, policy, role, sts, assume role, permission boundary, cross-account, least privilege, policy evaluation

DVA-C02 IAM Exam Tips

AWS IAM questions in DVA-C02 are typically scenario-based. Focus on application development patterns, event-driven integration, and secure coding on AWS. Priority concepts: iam, policy, role, sts, assume role, permission boundary.

What DVA-C02 Expects

  • Anchor your answer in developer-friendly managed services and patterns that minimize custom, undifferentiated code.
  • IAM scenarios for DVA-C02 are frequently mapped to Domain 2 (26%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where IAM interacts with networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value IAM Concepts

  • Know the core IAM building blocks cold: iam, policy, role, sts.
  • Review the edge-case features and limits for assume role and permission boundary; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how IAM pairs with Cognito, KMS, and API Gateway in real deployment patterns.
  • For DVA-C02, explain why the chosen IAM design meets reliability, security, and cost expectations better than the alternatives.

Common DVA-C02 Traps

  • Watch out for choosing infrastructure-centric answers instead of application-centric ones.
  • Questions in Security often include distractors that look correct for IAM but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two IAM implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Security (26%) outcomes for DVA-C02?
  • Can you explain security and access boundaries for IAM without relying on default-open assumptions?
  • Can you describe how IAM integrates with Cognito and KMS during failure, scaling, and monitoring events?
