IAM AWS Identity and Access Management - SAP-C02 Practice Questions

Review policy evaluation, roles, permission boundaries, cross-account access, identity federation, least privilege, and access analysis.

6Questions Available
3Exam Domains

Practice IAM Questions Now

Start a timed practice session focusing on AWS Identity and Access Management topics from the SAP-C02 question bank.

Start SAP-C02 Practice Quiz →

SAP-C02 IAM Question Bank (6 Questions)

Browse all 6 practice questions covering AWS Identity and Access Management for the SAP-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1Design Solutions for Organizational Complexity

    A company wants to ensure that IAM roles created by CloudFormation can only have permissions defined in a permission boundary. This prevents privilege escalation even through IaC. What is the approach?

    AReview all CloudFormation templates manually
    BAttach a permissions boundary to the CloudFormation execution role requiring it to attach a specific permission boundary to all IAM roles it creates
    CUse SCPs to limit CloudFormation permissions
    DRequire manual approval for all CloudFormation stacks with IAM resources

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAP-C02 Quiz
  2. Question 2Design Solutions for Organizational Complexity

    A company's security team needs to automatically detect when any IAM policy in any account grants admin privileges (AdministratorAccess or *:*). What is the BEST solution?

    AReview IAM policies quarterly
    BUse IAM Access Analyzer across all accounts (via Organizations delegated admin) to identify overly permissive policies; configure EventBridge to alert on new findings
    CUse Config rule iam-policy-no-statements-with-admin-access in each account
    DBoth B and C provide detection; use together for comprehensive coverage

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAP-C02 Quiz
  3. Question 3Design Solutions for Organizational Complexity

    A company needs to deploy the same IAM roles and policies across 50 AWS accounts simultaneously. What is the MOST efficient way to accomplish this?

    AUse IAM Identity Center permission sets, which automatically create roles in all accounts
    BUse CloudFormation StackSets targeting all accounts in the organization
    CWrite a script using AWS CLI that loops through all accounts
    DCreate IAM roles manually in each account using the console

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAP-C02 Quiz
  4. Question 4Design Solutions for Organizational Complexity

    A company is concerned about rogue IAM administrators in member accounts creating privileged roles that bypass organizational controls. What is the MOST effective preventive measure?

    AAudit IAM roles weekly with AWS Config
    BApply an SCP denying iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy unless the caller is a specific automation role
    CEnable IAM Access Analyzer in all accounts
    DUse CloudTrail to detect new role creation

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAP-C02 Quiz
  5. Question 5Design Solutions for Organizational Complexity

    A company needs to review all IAM roles created in the last 30 days across all accounts for unexpected privilege escalation. What is the MOST efficient approach?

    ALog in to each account and review IAM roles
    BUse AWS Security Hub with IAM findings + CloudTrail Lake queries for CreateRole API events across all organization accounts in the last 30 days
    CUse AWS Config history for IAM roles
    DSet up daily Lambda functions to list IAM roles in each account

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAP-C02 Quiz
  6. Question 6Design Solutions for Organizational Complexity

    A company discovered that several AWS accounts have unused IAM roles that have not been used in over 365 days. What approach identifies and removes these at scale?

    AManually review each account
    BUse IAM Access Analyzer unused access findings to identify unused roles across the organization; develop an automated workflow to review and delete stale roles
    CUse CloudTrail to find unused roles
    DUse AWS Config to list all roles

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAP-C02 Quiz

Key IAM Concepts for SAP-C02

iamrolepolicypermission boundaryleast privilegecross-accountfederationaccess analyzer

SAP-C02 IAM Exam Tips

AWS Identity and Access Management questions in SAP-C02 are typically scenario-based. Focus on enterprise-scale multi-account architecture, governance, and modernization strategies. Priority concepts: iam, role, policy, permission boundary, least privilege, cross-account.

What SAP-C02 Expects

  • Anchor your answer in prefer future-proof designs that support organizational complexity and migration realities.
  • IAM scenarios for SAP-C02 are frequently mapped to Domain 1 (26%), Domain 2 (29%), Domain 3 (25%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where IAM interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and vendor best practices.

High-Value IAM Concepts

  • Know the core IAM building blocks cold: iam, role, policy, permission boundary.
  • Review the edge-case features and limits for least privilege, cross-account; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how IAM pairs with IAM Identity Center, Organizations, Security & Compliance in real deployment patterns.
  • For SAP-C02, explain why the chosen IAM design meets reliability, security, and cost expectations better than the alternatives.

Common SAP-C02 Traps

  • Watch for answers that work for a single account but fail at organizational scale.
  • Questions in Design Solutions for Organizational Complexity often include distractors that look correct for IAM but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two IAM implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Design Solutions for Organizational Complexity (26%) outcomes for SAP-C02?
  • Can you explain security and access boundaries for IAM without relying on default-open assumptions?
  • Can you describe how IAM integrates with IAM Identity Center and Organizations during failure, scaling, and monitoring events?

Exam Domains Covering IAM

Related Resources

More SAP-C02 Study Resources