🔑 AWS Identity and Access Management - SCS-C02 Practice Questions

Master IAM policies, roles, permission boundaries, policy evaluation logic, cross-account access, identity federation, and least privilege principles for the SCS-C02 exam.

14 Questions Available
2 Exam Domains

Practice IAM Questions Now

Start a timed practice session focusing on AWS Identity and Access Management topics from the SCS-C02 question bank.


SCS-C02 IAM Question Bank (14 Questions)

Browse all 14 practice questions covering AWS Identity and Access Management for the SCS-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Management and Security Governance)

    A company's security policy states that no IAM user should have direct access to production accounts; all access must go through IAM roles. Which control enforces this?

    A. AWS Config rule checking for IAM user policies
    B. SCP denying iam:CreateUser in production OUs
    C. GuardDuty monitoring for direct IAM user API calls
    D. IAM Access Analyzer findings

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SCS-C02 Quiz
  2. Question 2 (Identity and Access Management)

    Which IAM policy condition key restricts API calls to only those originating from a specific VPC endpoint?

    A. aws:SourceIp
    B. aws:SourceVpce
    C. aws:PrincipalOrgID
    D. aws:RequestedRegion

  3. Question 3 (Identity and Access Management)

    Which type of IAM policy is attached directly to an AWS resource rather than to an IAM principal?

    A. Identity-based policy
    B. Resource-based policy
    C. Session policy
    D. Permission boundary

  4. Question 4 (Identity and Access Management)

    What is the purpose of AWS IAM Access Analyzer?

    A. Create IAM users
    B. Analyzes resource policies to identify resources shared with external principals and validates IAM policies against best practices
    C. Delete unused roles
    D. Monitor API calls

  5. Question 5 (Identity and Access Management)

    What is the purpose of IAM Access Analyzer?

    A. Analyze IAM users
    B. Identify resources (S3, IAM roles, KMS, Lambda, SQS) shared with external entities, validate policies against best practices, and generate least-privilege policies
    C. Analyze costs
    D. Analyze performance

  6. Question 6 (Identity and Access Management)

    What is cross-account role assumption and when is it used?

    A. Sharing passwords
    B. An IAM role in Account B trusts Account A; principals in Account A assume the role to get temporary credentials for Account B resources — secure cross-account access
    C. Cannot access cross-account
    D. Using access keys across accounts

  7. Question 7 (Identity and Access Management)

    What are IAM policy conditions and when should you use them?

    A. Never use conditions
    B. Condition elements in IAM policies add context-based restrictions: MFA required, source IP, time-based access, resource tags, encryption requirements, and more
    C. Only for deny policies
    D. Only for S3 policies

  8. Question 8 (Threat Detection and Incident Response)

    After a security incident, a forensics team needs to reconstruct the sequence of API calls made by a compromised IAM role over the past 30 days. Which service provides this complete API activity history?

    A. Amazon CloudWatch Logs
    B. AWS CloudTrail
    C. AWS Config change history
    D. Amazon GuardDuty

  9. Question 9 (Identity and Access Management)

    A developer's IAM role allows s3:PutObject on all buckets. The security team wants to limit this permission to a single S3 bucket without modifying the role's IAM policies. Which IAM feature achieves this?

    A. AWS Organizations SCP
    B. IAM Permission Boundary
    C. S3 Bucket Policy with condition
    D. Resource Control Policy (RCP)

  10. Question 10 (Identity and Access Management)

    A security team discovers that an IAM role has a wildcard action (iam:*) and is used by an EC2 instance. What is the most important remediation step?

    A. Enable AWS Config to monitor the role
    B. Add a Deny all policy as a permission boundary
    C. Replace the wildcard with only the specific IAM actions required by the application
    D. Enable MFA for the EC2 instance

  11. Question 11 (Identity and Access Management)

    A security team needs to ensure that no IAM user has permissions broader than their assigned role. Which tool identifies over-privileged users?

    A. IAM Access Analyzer
    B. AWS Config
    C. Amazon Inspector
    D. AWS Trusted Advisor

  12. Question 12 (Management and Security Governance)

    Which AWS feature prevents accidental deletion of critical IAM roles by requiring an additional confirmation step?

    A. IAM role path restrictions
    B. SCP preventing role deletion
    C. MFA Delete on IAM roles
    D. IAM policy condition with aws:MultiFactorAuthPresent

  13. Question 13 (Infrastructure Security)

    What is the difference between AWS Organizations SCPs and IAM policies?

    A. Same thing
    B. SCPs set maximum permission boundaries for all accounts in an OU (guardrails); IAM policies grant specific permissions to users/roles within an account
    C. SCPs grant permissions
    D. IAM policies restrict OUs

  14. Question 14 (Identity and Access Management)

    What is the difference between SCP and IAM policies?

    A. Same thing
    B. SCPs set maximum permission boundaries for accounts in an Organization (deny-based guardrails); IAM policies grant actual permissions to users/roles within accounts
    C. SCPs grant permissions
    D. IAM policies are org-wide


Key IAM Concepts for SCS-C02

IAM, policy, role, permission boundary, least privilege, cross-account, federation, Access Analyzer, SCP

SCS-C02 IAM Exam Tips

AWS Identity and Access Management questions in SCS-C02 are typically scenario-based. Focus on policy evaluation logic, preventive controls such as SCPs and permission boundaries, detective controls such as IAM Access Analyzer and CloudTrail, and security governance. Priority concepts: IAM policies, roles, permission boundaries, least privilege, and cross-account access.

What SCS-C02 Expects

  • Anchor your answer in layered security controls with clear detection and response pathways.
  • IAM scenarios for SCS-C02 map primarily to Domain 4, Identity and Access Management (16%), and frequently cross into Domain 6, Management and Security Governance (14%), and Domain 1, Threat Detection and Incident Response (14%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where IAM interacts with Organizations, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Specialty) and AWS best practices.

High-Value IAM Concepts

  • Know the core IAM building blocks cold: identity-based and resource-based policies, roles and their trust policies, permission boundaries, and how they combine during policy evaluation (an explicit Deny always wins).
  • Review the edge-case features and limits for least privilege and cross-account access; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how IAM pairs with Organizations, IAM Identity Center, and Cognito in real deployment patterns.
  • For SCS-C02, be ready to explain why the chosen IAM design meets the security, operational, and cost expectations better than the alternatives.
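The building blocks listed above, and the permission-boundary, SCP, and condition-key questions in the bank, all reduce to IAM's evaluation order. The model below is an added example for this study page, not AWS code: it assumes a single account, models only four condition operators, and uses constructed policies (the `prod-uploads` bucket, the `eu-west-1` guardrail, the two-level OU path) invented for illustration. It also shows the Bool versus BoolIfExists pitfall that makes an MFA-based Deny silently miss requests signed with long-term access keys.

```python
"""Toy model of IAM policy evaluation inside one account (added study example,
not AWS code). Rules modelled: an explicit Deny in any applicable policy wins;
otherwise the request needs an Allow from the identity policies AND from the
SCPs at every level of the OU path AND from the permission boundary, if set.
Only StringEquals, StringNotEquals, Bool and BoolIfExists are modelled (an
assumption to keep it short); resource-based/session policies are left out.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, ctx):
    """All operator blocks and keys must hold (AND); listed values are OR."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-8] if if_exists else operator
        if base not in ("StringEquals", "StringNotEquals", "Bool"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            wanted = [str(v).lower() for v in _as_list(expected)]
            actual = ctx.get(key)
            if actual is None:
                # Missing key: an ...IfExists test is satisfied, any other operator
                # is false. So a Deny keyed on "Bool aws:MultiFactorAuthPresent false"
                # never fires for long-term access keys, whose requests lack the key.
                if if_exists:
                    continue
                return False
            actual = str(actual).lower()
            if base == "StringNotEquals":
                if actual in wanted:
                    return False
            elif actual not in wanted:
                return False
    return True


def _applies(stmt, action, resource, ctx):
    """Actions match case-insensitively, resource ARNs case-sensitively."""
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Verdict of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    verdict = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def _layer(policies, action, resource, ctx):
    """Combine the policies attached at one layer: Deny wins, else any Allow."""
    verdicts = [evaluate(p, action, resource, ctx) for p in policies]
    if "Deny" in verdicts:
        return "Deny"
    return "Allow" if "Allow" in verdicts else "ImplicitDeny"


def is_allowed(action, resource, ctx, identity_policies, scp_levels=(), boundary=None):
    """scp_levels: one list of SCPs per level of the OU path (root, OUs, account)."""
    layers = [_layer(identity_policies, action, resource, ctx)]
    layers += [_layer(level, action, resource, ctx) for level in scp_levels]
    if boundary is not None:
        layers.append(_layer([boundary], action, resource, ctx))
    return all(v == "Allow" for v in layers)  # a Deny or a missing Allow anywhere denies


# Constructed sample policies for the permission-boundary and SCP scenarios above.
DEVELOPER = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
UPLOADS_ONLY = {"Statement": [  # permission boundary: one bucket, DEVELOPER left untouched
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::prod-uploads/*"}]}
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EU_ONLY = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
           "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
SCP_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, EU_ONLY]]  # root level, then the prod OU


def mfa_deny_fires(operator, ctx):
    """Does a Deny on s3:DeleteObject keyed on aws:MultiFactorAuthPresent fire?"""
    deny = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*",
                           "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}
    return evaluate(deny, "s3:DeleteObject", "arn:aws:s3:::prod-uploads/x", ctx) == "Deny"
```

With these policies, `is_allowed("s3:PutObject", "arn:aws:s3:::prod-uploads/f.txt", ...)` succeeds while the same call against `other-bucket` fails only because of the boundary, and any call with `aws:RequestedRegion` set to `us-east-1` is denied by the OU-level SCP before the identity policy matters. `mfa_deny_fires("Bool", {})` returns False and `mfa_deny_fires("BoolIfExists", {})` returns True, which is the whole reason the IfExists form is used in MFA guardrails. For real policies, check the same questions with `aws iam simulate-principal-policy` rather than a model.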

Common SCS-C02 Traps

  • Watch for relying on one control where defense-in-depth is expected.
  • Threat Detection and Incident Response questions often include distractors that look plausible for IAM but violate least privilege, or the durability and availability requirements stated in the scenario.
  • Avoid picking options purely by feature name; validate the data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two IAM implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Identity and Access Management (16%) outcomes, and to Threat Detection and Incident Response (14%) where the scenario involves a compromised principal?
  • Can you explain security and access boundaries for IAM without relying on default-open assumptions?
  • Can you describe how IAM integrates with Organizations and IAM Identity Center during failure, scaling, and monitoring events?
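The incident-response item in this checklist, and the compromised-role scenario in the question bank, come down to one skill: pulling every API call a role made out of CloudTrail and putting it in order. The script below is an added example for this page, not AWS tooling. It assumes CloudTrail log files in their standard S3 shape (gzip-compressed JSON with a top-level `Records` list, decompressed here) and matches records on `userIdentity.sessionContext.sessionIssuer.arn`, which names the issuing role, so every session of the role is collected even though each session has its own assumed-role ARN. The account ID, role names, IPs, and timestamps are constructed.

```python
"""Reconstruct what a compromised IAM role did from CloudTrail records.

Added example for this study page, not AWS tooling. The log records below are
constructed to follow the CloudTrail record schema; account ID (the AWS docs
placeholder), role names, source IPs and timestamps are made up.
"""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT = "111122223333"
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed time of the investigation


def _rec(time, session, source, name, read_only, **extra):
    """Build one constructed CloudTrail record; `session` is role-name/session-name."""
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
            "readOnly": read_only, "awsRegion": "eu-west-1", "recipientAccountId": ACCOUNT,
            "sourceIPAddress": extra.pop("ip", "203.0.113.10"),
            "userIdentity": {"type": "AssumedRole", "accountId": ACCOUNT,
                             "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{session}",
                             "sessionContext": {"sessionIssuer": {
                                 "type": "Role", "accountId": ACCOUNT,
                                 "arn": f"arn:aws:iam::{ACCOUNT}:role/{session.split('/')[0]}"}}},
            **extra}


# One constructed log-file body in the shape CloudTrail delivers to S3 (gzip-compressed there).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-02T10:14:03Z", "AppRole/i-0abc1234", "ec2.amazonaws.com", "DescribeInstances", True),
    _rec("2024-05-02T10:15:41Z", "AppRole/i-0abc1234", "iam.amazonaws.com", "CreateAccessKey", False,
         requestParameters={"userName": "backup-admin"}),
    _rec("2024-05-02T10:15:50Z", "AppRole/i-0abc1234", "iam.amazonaws.com", "AttachUserPolicy", False,
         errorCode="AccessDenied", ip="198.51.100.7"),
    _rec("2024-05-02T10:16:30Z", "AppRole/i-0def5678", "s3.amazonaws.com", "GetObject", True),
    _rec("2024-05-02T10:20:00Z", "DeployRole/ci", "s3.amazonaws.com", "PutObject", False),  # other role
    _rec("2024-03-20T08:00:00Z", "AppRole/i-0abc1234", "sts.amazonaws.com", "GetCallerIdentity", True),  # too old
]})


def load_records(log_body):
    return json.loads(log_body)["Records"]


def issuing_role(record):
    """Role ARN behind an assumed-role session, or None for IAM users and services."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def role_timeline(records, role_arn, now, days=30):
    """Chronological API calls made through any session of `role_arn` in the last `days`."""
    since = now - timedelta(days=days)
    hits = [r for r in records if issuing_role(r) == role_arn and since <= event_time(r) <= now]
    hits.sort(key=event_time)
    return [{
        "time": r["eventTime"],
        "session": r["userIdentity"]["arn"],
        "api": f"{r['eventSource'].split('.')[0]}:{r['eventName']}",
        "source_ip": r.get("sourceIPAddress"),
        "error": r.get("errorCode"),
        "mutating": not r.get("readOnly", False),  # missing readOnly is treated as a write
        "params": r.get("requestParameters"),
    } for r in hits]


def summarize(timeline):
    """Facts an IR analyst wants first: sessions, writes, denials, source IPs."""
    return {
        "sessions": sorted({e["session"] for e in timeline}),
        "mutating_calls": [e["api"] for e in timeline if e["mutating"]],
        "denied_calls": [e["api"] for e in timeline if e["error"]],
        "source_ips": sorted({e["source_ip"] for e in timeline}),
    }


if __name__ == "__main__":
    tl = role_timeline(load_records(SAMPLE_LOG), f"arn:aws:iam::{ACCOUNT}:role/AppRole", NOW)
    for e in tl:
        print(e["time"], e["session"].rsplit("/", 1)[-1], e["api"], e["error"] or "")
    print(summarize(tl))
```

On the sample log the timeline keeps four of the six records: the DeployRole call belongs to another role and the March event falls outside the 30-day window. The summary shows two sessions of AppRole, the successful `iam:CreateAccessKey` for a user named `backup-admin` (a persistence attempt worth chasing), the denied `iam:AttachUserPolicy`, and a second source IP. Two practitioner caveats: the CloudTrail console's event history only covers 90 days of management events, so S3 object-level or Lambda invoke activity appears only if data events were enabled on a trail or event data store before the incident; and the `sts:AssumeRole` calls that created these sessions are logged under the caller's identity, so reconstructing who assumed the role is a separate query.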
