🔐 AWS Identity and Access Management (IAM) - SAA-C03 Practice Questions

IAM enables you to manage access to AWS services securely. Learn about users, groups, roles, policies, MFA, identity federation, and the principle of least privilege.

24 Questions Available
1 Exam Domain

Practice IAM Questions Now

Start a timed practice session focusing on AWS Identity and Access Management (IAM) topics from the SAA-C03 question bank.


How IAM Is Really Tested in SAA-C03

IAM in SAA-C03 is mostly about selecting the least-privilege access pattern that still enables delivery speed. Answers that rely on long-term static credentials are frequently wrong when a role-based option exists.

You are expected to know policy evaluation order at a practical level: explicit deny wins, then allows are evaluated across identity policy, resource policy, permission boundaries, and organization controls.

The strongest IAM answers reduce both credential exposure and operational overhead. In exam scenarios, temporary credentials through STS and scoped roles usually beat IAM users with embedded keys.
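To make the evaluation order concrete, here is a toy evaluator added as an example (it is not code from this page or from AWS). It models only the rules stated above: an explicit Deny in any applicable policy wins, every guardrail layer (SCPs and the permission boundary) must contain an Allow, and then an Allow must come from the identity policy or a same-account resource policy. Condition blocks, session policies and cross-account requests are deliberately not modelled, and the account ids and ARNs are constructed placeholders. The sample policies reproduce the situation in Question 3 below, minus the bucket policy's source-IP condition.

```python
# Simplified model of IAM policy evaluation (added example, hypothetical toy):
# only Effect, Action, Resource and Principal are honoured; Condition blocks,
# session policies and cross-account requests are ignored.
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(patterns, value, fold_case=False):
    # IAM action names are case-insensitive; resource ARNs are not.
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    # Identity policies carry no Principal element; resource policies name one.
    principal = stmt.get("Principal")
    if principal is None:
        return True
    if isinstance(principal, str):
        return principal == "*"
    return principal_arn in _as_list(principal.get("AWS"))


def _decision(policy, action, resource, principal_arn):
    """Return 'Deny', 'Allow' or None (no matching statement) for one document."""
    result = None
    for stmt in policy.get("Statement", []):
        if not (_matches(stmt.get("Action"), action, fold_case=True)
                and _matches(stmt.get("Resource"), resource)
                and _principal_matches(stmt, principal_arn)):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit deny: nothing else in this document matters
        result = "Allow"
    return result


def evaluate(action, resource, principal_arn, identity_policy,
             scps=(), boundary=None, resource_policy=None):
    """Return (decision, reason) for a same-account request."""
    layers = {"identity": identity_policy, "boundary": boundary,
              "resource": resource_policy}
    layers.update({f"scp[{i}]": p for i, p in enumerate(scps)})
    decisions = {name: _decision(p, action, resource, principal_arn)
                 for name, p in layers.items() if p is not None}

    # 1. An explicit Deny in any applicable policy overrides every Allow.
    for name, verdict in decisions.items():
        if verdict == "Deny":
            return "Deny", f"explicit deny in {name}"
    # 2. Guardrail layers only cap permissions: each must contain an Allow.
    for name, verdict in decisions.items():
        if (name.startswith("scp") or name == "boundary") and verdict != "Allow":
            return "Deny", f"not allowed by {name}"
    # 3. Finally an Allow must come from the identity or the resource policy.
    for name in ("identity", "resource"):
        if decisions.get(name) == "Allow":
            return "Allow", f"allowed by {name} policy"
    return "Deny", "implicit deny (no matching Allow)"


# Constructed sample policies (placeholder account id and bucket name).
USER_ARN = "arn:aws:iam::111122223333:user/analyst"
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
IDENTITY_ALLOW_ALL_S3 = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SCP_FULL_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_DENY_GETOBJECT = {"Statement": [
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}
BOUNDARY_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}


def question_3_scenario():
    """SCP explicit Deny beats both the identity Allow and the bucket-policy Allow."""
    return evaluate("s3:GetObject", OBJECT_ARN, USER_ARN, IDENTITY_ALLOW_ALL_S3,
                    scps=[SCP_FULL_ACCESS, SCP_DENY_GETOBJECT],
                    resource_policy=BUCKET_POLICY)


def boundary_scenario():
    """A permission boundary silently drops actions the identity policy allows."""
    return evaluate("s3:PutObject", OBJECT_ARN, USER_ARN, IDENTITY_ALLOW_ALL_S3,
                    scps=[SCP_FULL_ACCESS], boundary=BOUNDARY_READ_ONLY)


if __name__ == "__main__":
    print(question_3_scenario())  # ('Deny', 'explicit deny in scp[1]')
    print(boundary_scenario())    # ('Deny', 'not allowed by boundary')
```

The second scenario is the one that trips people up: nothing denies `s3:PutObject`, yet the request fails because the boundary never allowed it. Remember that the real evaluator also requires an Allow on both sides for cross-account access, which this toy does not attempt to model.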

IAM choices that separate good answers from great answers

Decision point: Workload authentication
  Option A: IAM role with temporary credentials via STS
  Option B: IAM user access keys stored in config files or code
  Exam takeaway: For EC2, Lambda, ECS, and cross-account access, role assumption is the expected secure default.

Decision point: Permission control surface
  Option A: Identity-based policy attached to a user, group, or role
  Option B: Resource-based policy attached to an S3 bucket, KMS key, or similar
  Exam takeaway: Cross-account delegation often requires resource policy support in addition to identity policy.

Decision point: Organization-wide guardrails
  Option A: Service Control Policies to set account-level maximum permissions
  Option B: Per-account IAM policy standards without org-level enforcement
  Exam takeaway: If governance must be enforced across many accounts, SCPs are usually central to the answer.

Cross-account deployment pipeline access

A CI/CD pipeline in one account must deploy infrastructure into multiple target accounts with strict least privilege and auditability.

  • Use assumable roles in target accounts with narrowly scoped action/resource permissions.
  • Require explicit trust policy conditions for pipeline principal identities.
  • Apply SCP guardrails so even admin roles cannot exceed prohibited actions.
  • Enable CloudTrail visibility for role assumption and high-risk API usage.
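The first two bullets can be turned into a pre-deployment check. The linter below is an added example (not code from this page or any AWS tool): it flags target-account trust policies that allow `sts:AssumeRole` to a wildcard principal, to a whole account without an `aws:PrincipalArn` condition, or without any Condition at all, and flags permissions policies that grant wildcard actions or an unrestricted Resource. `aws:PrincipalArn` and `sts:ExternalId` are real IAM condition keys; every ARN, account id and external id in the samples is a constructed placeholder.

```python
# Lint checks for a cross-account deployment role (added example, not code from
# the page or from AWS). The ARNs and account ids below are placeholders.
import re

# Matches "*" or "<service>:*", the two shapes of an unrestricted action.
WILDCARD_ACTION = re.compile(r"^(\*|[a-z0-9-]+:\*)$", re.IGNORECASE)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _condition_keys(stmt):
    # Flatten {"StringEquals": {"sts:ExternalId": ...}} into {"sts:externalid"}.
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def lint_trust_policy(trust_policy):
    """Return findings for statements that let a principal assume the role."""
    findings = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.lower() == "sts:assumerole" for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        keys = _condition_keys(stmt)
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif p.endswith(":root") and "aws:principalarn" not in keys:
                findings.append(f"statement {i}: whole-account principal {p} "
                                "without an aws:PrincipalArn condition")
        if not keys:
            findings.append(f"statement {i}: AssumeRole allowed without any Condition")
    return findings


def lint_permissions_policy(policy):
    """Flag Allow statements with wildcard actions or an unrestricted Resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if WILDCARD_ACTION.match(action):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: Resource '*'")
    return findings


# Constructed sample documents: a scoped pair and a loose pair.
PIPELINE_ROLE = "arn:aws:iam::111122223333:role/pipeline-deployer"

TRUST_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": PIPELINE_ROLE},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

TRUST_LOOSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}]}

PERMISSIONS_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
    "Resource": "arn:aws:cloudformation:us-east-1:444455556666:stack/app-*/*"}]}

PERMISSIONS_ADMIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    for name, doc in [("trust-scoped", TRUST_SCOPED), ("trust-loose", TRUST_LOOSE)]:
        print(name, lint_trust_policy(doc) or ["ok"])
    for name, doc in [("perm-scoped", PERMISSIONS_SCOPED), ("perm-admin", PERMISSIONS_ADMIN)]:
        print(name, lint_permissions_policy(doc) or ["ok"])
```

Run it against the role definitions in the pipeline's infrastructure code before they are applied; the SCP guardrail and CloudTrail bullets are still needed, because a linter only catches what is written down, not what a role does at runtime.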

Common Exam Trap: Creating one shared admin user and distributing its long-lived keys across accounts is insecure and strongly disfavored.

SAA-C03 IAM Question Bank (24 Questions)

Browse all 24 practice questions covering AWS Identity and Access Management (IAM) for the SAA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Design Cost-Optimized Architectures)

    Account A owns an S3 bucket. Account B needs to upload objects to it. Account A has attached a Bucket Policy allowing Account B's root user. However, when an IAM user in Account B tries to upload, they get Access Denied. What is missing?

    A. The IAM user in Account B needs an IAM policy allowing `s3:PutObject` to the bucket.
    B. The Bucket Policy needs to specify the IAM User ARN, not the root ARN.
    C. Account A must enable ACLs on the bucket.
    D. The IAM user needs to switch roles to Account A.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAA-C03 Quiz
  2. Question 2 (Design Secure Architectures)

    A developer needs to update code in an AWS Lambda function. The developer has an IAM user, and the policy attached allows `lambda:UpdateFunctionCode` on the specific function ARN. However, the update fails with an "Access Denied" error regarding IAM `PassRole`. Why is this error occurring?

    A. The developer's IAM user is missing the `iam:PassRole` permission for the Lambda function's execution role.
    B. The Lambda function's execution role does not have a trust relationship with the developer's account.
    C. The `lambda:UpdateFunctionCode` action also requires `s3:GetObject` permission.
    D. The developer needs the `lambda:InvokeFunction` permission to update the code.

  3. Question 3 (Design Cost-Optimized Architectures)

    An S3 bucket policy allows `s3:GetObject` from `192.168.1.0/24`. An IAM user has an attached policy that allows `s3:*` on all resources. However, a Service Control Policy (SCP) at the root of the Organization has an explicit Deny on `s3:GetObject` for the user's OU. Can the user download the file?

    A. Yes, because the Bucket Policy is evaluated first.
    B. Yes, because the IAM policy allows `*`.
    C. No, because an Explicit Deny in any policy (SCP, IAM, Resource) overrides any Allow.
    D. No, but only if the user is using the console.

  4. Question 4 (Design Secure Architectures)

    A developer needs to create Lambda functions that assume specific execution roles. The developer should only be able to assign roles with limited permissions, not highly privileged roles. How should IAM permissions be configured?

    A. Grant the developer `iam:PassRole` for all roles in the account.
    B. Grant the developer `iam:PassRole` only for specific execution role ARNs they should use.
    C. Create a custom IAM policy allowing `lambda:CreateFunction` without `iam:PassRole`.
    D. Use AWS Organizations SCPs to restrict role assignment capabilities.

  5. Question 5 (Design Secure Architectures)

    A shared S3 bucket contains data from multiple teams. Team A should only access the `/teamA/` prefix, while Team B should only access `/teamB/`. Cross-team access should be prevented. Which access control approach is most effective?

    A. Use IAM policies only to restrict access based on S3 object prefixes.
    B. Use S3 bucket policies only with condition keys for prefix-based access.
    C. Combine IAM policies and S3 bucket policies for defense in depth.
    D. Create separate S3 buckets for each team to eliminate cross-access risks.

  6. Question 6 (Design Secure Architectures)

    A security team needs to identify IAM policies that grant overly broad permissions and resources accessible from external accounts. Which tool provides comprehensive analysis of access patterns?

    A. AWS CloudTrail to analyze API usage patterns.
    B. IAM Access Analyzer to identify unused permissions and external access.
    C. AWS Config to monitor IAM configuration compliance.
    D. AWS Trusted Advisor to check IAM security recommendations.

  7. Question 7 (Design Secure Architectures)

    A development team in AWS Account A needs to access resources in a production environment in AWS Account B. The security team wants to grant this access without creating long-term credentials. What is the standard, most secure method to allow this?

    A. Create an IAM user in Account B and share the access keys with the developers in Account A.
    B. In Account B, create an IAM role with the necessary permissions and establish a trust relationship with Account A. Developers in Account A can then assume this role.
    C. Set up VPC peering between the Account A and Account B VPCs.
    D. Create a duplicate set of resources in Account A for the developers to use.

  8. Question 8 (Design Secure Architectures)

    A Lambda function needs to access a database credential stored in Secrets Manager. The security team insists the function cannot decrypt the secret without an explicit permission check that includes the function's deployment tag value. How can you enforce this?

    A. Put the secret ARN in the Lambda environment variable and allow Lambda to call `GetSecretValue` without any additional checks.
    B. Use a KMS key with a key policy that restricts decrypt to principals with a specific tag value, and attach a condition to the Lambda's IAM role that includes `aws:ResourceTag` on the Lambda function. Also apply a Secrets Manager resource policy that requires the source principal tag in the request condition.
    C. Store the secret in plain text in S3 behind an IAM role.
    D. Use an IAM user for the Lambda and rotate credentials manually.

  9. Question 9 (Select All That Apply, Mixed)

    A financial services company runs workloads in multiple AWS accounts. The company must enable secure single sign-on access from its on-premises Active Directory Federation Services (AD FS) environment and apply least-privilege permissions for different job functions. Which combination of actions should the solutions architect take? (Select TWO.)

    A. Integrate AWS IAM Identity Center (AWS Single Sign-On) with AD FS by using SAML 2.0 federation.
    B. Create IAM users in each account with access keys synchronized to AD FS through scheduled automation.
    C. Enable AWS Shield Advanced on the management account to provide centralized authentication controls.
    D. Build permission sets in IAM Identity Center that map to least-privilege roles, and assign them to user groups.
    E. Share the root user credentials with AD FS so users can assume cross-account administrator roles.

  10. Question 10 (Design Resilient Architectures)

    A solutions architect is designing a multi-region active-active architecture for a web application. The application must route users to the nearest healthy region. Which routing policy should be used with Route 53?

    A. Geolocation routing
    B. Geoproximity routing with health checks
    C. Latency-based routing with health checks
    D. Weighted routing

  11. Question 11 (Design Resilient Architectures)

    A solutions architect must design a multi-region active-active architecture for a web application. The application must route users to the nearest healthy region. Which routing policy should be used with Route 53?

    A. Geolocation routing
    B. Geoproximity routing with health checks
    C. Latency-based routing with health checks
    D. Weighted routing

  12. Question 12 (Design Resilient Architectures)

    A multi-region active-active web application must route users to the nearest healthy region. Which Route 53 policy should be used?

    A. Geolocation routing
    B. Geoproximity routing with health checks
    C. Latency-based routing with health checks
    D. Weighted routing

  13. Question 13 (Design Secure Architectures)

    A company wants to ensure that no S3 buckets in its AWS account can be made public, regardless of the bucket policy or object ACLs applied by users. This must be enforced globally for the entire account to prevent accidental data leaks. Which action achieves this?

    A. Create a Service Control Policy (SCP) at the Organization level denying `s3:PutBucketPolicy`.
    B. Enable "Block All Public Access" at the account level in the S3 console.
    C. Create an IAM policy for all users denying `s3:PutObjectAcl` and `s3:PutBucketAcl`.
    D. Use AWS Config rules to monitor for public buckets and auto-remediate them using Lambda.

  14. Question 14 (Design Secure Architectures)

    A company wants to authenticate users accessing an internal web application hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The users are authenticated via a corporate OIDC (OpenID Connect) identity provider. The solution must minimize code changes on the application side. Which strategy should be implemented?

    A. Configure the ALB with an HTTPS listener and an authentication rule to authenticate users using Amazon Cognito user pools. Connect Cognito to the OIDC provider.
    B. Use AWS IAM Identity Center (successor to AWS SSO) to handle authentication and pass the JWT token to the backend instances.
    C. Implement the OIDC client logic directly on the EC2 instances using the provider's SDK.
    D. Use API Gateway in front of the ALB and configure a Lambda Custom Authorizer.

  15. Question 15 (Design High-Performing Architectures)

    A video processing application runs in an Auto Scaling Group (ASG) of EC2 instances. The workload involves processing messages from an SQS queue. The processing time per video varies significantly (from 1 minute to 1 hour). The current "Target Tracking" policy based on CPU utilization is causing the ASG to scale in prematurely, terminating instances that are still processing long videos. How should the architecture be improved?

    A. Use a Step Scaling policy based on the SQS `ApproximateNumberOfMessagesVisible` metric.
    B. Enable "Scale-In Protection" on instances that are actively processing a job.
    C. Increase the Connection Draining timeout on the Load Balancer.
    D. Use a Simple Scaling policy with a longer cooldown period.

  16. Question 16 (Design Resilient Architectures)

    During a scale-in event, an Auto Scaling Group should preferentially terminate the oldest instances while preserving instances that were recently updated with patches. Which termination policy achieves this?

    A. Default termination policy (balanced across AZs, then oldest launch template).
    B. OldestLaunchTemplate termination policy.
    C. NewestInstance termination policy.
    D. ClosestToNextInstanceHour termination policy.

  17. Question 17 (Design Resilient Architectures)

    A CloudFormation stack deployment fails midway due to IAM permission issues, leaving some resources created and others failed. The infrastructure must be restored to a consistent state. What is the best recovery approach?

    A. Delete the failed stack completely and redeploy from scratch.
    B. Update the stack with corrected IAM permissions and continue from the failed point.
    C. Manually delete failed resources and update the template to exclude them.
    D. Use CloudFormation drift detection to identify and fix inconsistencies.

  18. Question 18 (Design Secure Architectures)

    A REST API serves both public endpoints (no authentication) and private endpoints requiring user authentication. The API should integrate with an existing OIDC identity provider. Which API Gateway authentication approach supports both requirements?

    A. Use API Keys for all endpoints with different key permissions.
    B. Configure Cognito User Pool authorizer for private endpoints; leave public endpoints without authorization.
    C. Use Lambda Custom Authorizers for all endpoints with conditional logic.
    D. Enable IAM authentication for all endpoints using SigV4 signing.

  19. Question 19 (Design Cost-Optimized Architectures)

    A data archival system stores files that are accessed frequently for 30 days, occasionally for 90 days, and then rarely for compliance (7 years total retention). Which S3 Lifecycle policy optimizes costs across all access patterns?

    A. Standard → Standard-IA (30 days) → Glacier Instant Retrieval (90 days) → Glacier Deep Archive (365 days).
    B. Standard → Intelligent-Tiering for automatic optimization across all time periods.
    C. Store all data in Glacier Instant Retrieval for consistent costs.
    D. Standard → Standard-IA (7 days) → Glacier Flexible Retrieval (30 days) → Deep Archive (90 days).

  20. Question 20 (Mixed)

    A company needs to allow its on-premises LDAP directory users to access the AWS Management Console with temporary credentials. The company wants to avoid creating IAM users. Which service should the solutions architect use?

    A. AWS Secrets Manager
    B. AWS Directory Service for Microsoft Active Directory
    C. AWS Single Sign-On (IAM Identity Center) federation with the LDAP directory through SAML
    D. AWS Key Management Service (AWS KMS)

  21. Question 21 (Mixed)

    A company needs to grant an IAM role to an Amazon EC2 instance so that an application can read from an Amazon S3 bucket. Which IAM feature should be used to avoid storing long-term access keys on the instance?

    A. IAM Groups
    B. IAM Users
    C. IAM Roles
    D. IAM Policies

  22. Question 22 (Design High-Performing Architectures)

    A developer builds a mobile app where users can browse content as guests but must sign in to post comments. The app needs temporary AWS credentials to access DynamoDB directly. Which Cognito configuration supports this?

    A. Use a Cognito User Pool with the "Enable Guest Access" setting.
    B. Use a Cognito Identity Pool with "Unauthenticated identities" enabled.
    C. Create a generic IAM user for guests and embed credentials in the app.
    D. Use API Gateway with a usage plan for guests.

  23. Question 23 (Design Secure Architectures)

    A dev team uses IAM roles for service accounts (IRSA) in EKS to let pods access AWS APIs. A new security rule requires that only specific namespaces can assume certain roles. How can this be enforced effectively?

    A. Rely on pod annotations alone and trust developers.
    B. Create separate IAM roles per namespace and configure IAM OIDC trust policies with conditions that restrict using `kubernetes.io/serviceaccount/namespace` equal to the namespace; ensure ServiceAccount resources are created only in that namespace.
    C. Use a single cluster role for all pods to simplify management.
    D. Use node IAM roles and give nodes all permissions.

  24. Question 24 (Design Secure Architectures)

    An attacker obtained temporary credentials that allowed `DescribeInstances` and `DescribeVolumes` but should not be able to copy EBS snapshots. Which control prevents snapshot copying even if the IAM role has `ec2:CreateSnapshot`?

    A. Use a KMS key with a key policy that requires creation requests to include the principal in a key policy whitelist; only allow `kms:CreateGrant` for approved roles and restrict `ec2:CopySnapshot` via a condition that checks `kms:ViaService`.
    B. Remove EBS permissions from the role.
    C. Disable EBS entirely in the account.
    D. Rely on CloudTrail to detect misuse after it happens.

Key IAM Concepts for SAA-C03

IAM, role, policy, user, group, permission, MFA, federation, STS, assume role, identity

SAA-C03 IAM Exam Tips

AWS Identity and Access Management (IAM) questions in SAA-C03 are typically scenario-based. Focus on architecture trade-offs, resilience, and secure-by-default design choices. Priority concepts: iam, role, policy, user, group, permission.

What SAA-C03 Expects

  • Anchor your answer in choosing the most reliable and cost-aware architecture pattern, not just a feature match.
  • IAM scenarios for SAA-C03 are frequently mapped to Domain 1 (30%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where IAM interacts with networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value IAM Concepts

  • Know the core IAM building blocks cold: iam, role, policy, user.
  • Review the edge-case features and limits for groups and permissions; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how IAM pairs with KMS, Organizations, Cognito in real deployment patterns.
  • For SAA-C03, explain why the chosen IAM design meets reliability, security, and cost expectations better than the alternatives.

Common SAA-C03 Traps

  • Watch for answers that solve today's issue but do not scale across multiple AZs.
  • Questions in Design Secure Architectures often include distractors that look correct for IAM but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two IAM implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Design Secure Architectures (30%) outcomes for SAA-C03?
  • Can you explain security and access boundaries for IAM without relying on default-open assumptions?
  • Can you describe how IAM integrates with KMS and Organizations during failure, scaling, and monitoring events?
