🔐 AWS Identity and Access Management (IAM) - SOA-C03 Practice Questions

Practice least privilege, roles, policies, permission boundaries, instance profiles, federation, MFA, and access troubleshooting.


SOA-C03 IAM Question Bank (45 Questions)

Browse all 45 practice questions covering AWS Identity and Access Management (IAM) for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Security & Compliance)

    A SysOps administrator is configuring permission boundaries for an IAM role used by a development team. The permission boundary allows only `s3:*` and `ec2:*` actions. The role's identity-based policy grants `s3:*`, `ec2:*`, `rds:*`, and `lambda:*`. What effective permissions does the role have?

    A. `s3:*`, `ec2:*`, `rds:*`, and `lambda:*`
    B. `s3:*` and `ec2:*` only
    C. No permissions, because the permission boundary overrides the identity policy
    D. `rds:*` and `lambda:*` only, because the permission boundary blocks the overlapping permissions

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  2. Question 2 (Security & Compliance)

    A SysOps Administrator needs to grant a partner application temporary permission to encrypt and decrypt data using a specific KMS key for a 24-hour window. The partner application is running as an IAM role in a different AWS account. The administrator does not want to modify the KMS key policy permanently. Which KMS feature should be used?

    A. Create a KMS grant for the partner's IAM role ARN with `Encrypt` and `Decrypt` operations, and set a retirement constraint tied to a time-based condition.
    B. Add the partner's IAM role to the KMS key policy with a condition limiting access to 24 hours, then manually remove it after.
    C. Share the KMS key with the partner account using AWS Resource Access Manager (RAM).
    D. Export the KMS key material and share it with the partner for 24 hours.

  3. Question 3 (Security & Compliance)

    A SysOps Administrator needs to create an IAM policy that allows each IAM user to manage only their own access keys and MFA devices. The policy should dynamically scope permissions to the user making the request without creating a separate policy per user. Which IAM policy feature achieves this?

    A. IAM policy variables such as `${aws:username}` in the `Resource` element, e.g., `arn:aws:iam::*:user/${aws:username}`.
    B. IAM policy conditions using `StringEquals` with `aws:SourceIp`.
    C. IAM permission boundaries that limit each user to their own resources.
    D. Resource-based policies on the IAM user resource.

  4. Question 4 (Security & Compliance)

    A SysOps Administrator uses AWS STS to provide temporary credentials to third-party contractors via `AssumeRole`. Management wants to further restrict what the contractor can do during a specific session beyond what the IAM role policy allows. Which mechanism provides per-session permission restriction?

    A. Modify the IAM role's trust policy with a condition key for the contractor's IP address.
    B. Pass a session policy as a parameter in the `AssumeRole` API call. The effective permissions are the intersection of the role's identity policy and the session policy.
    C. Create a separate IAM role for each restricted session.
    D. Attach an SCP to the account to restrict the contractor's permissions.

  5. Question 5 (Security & Compliance)

    A SysOps administrator needs to use IAM Access Analyzer to validate that no Lambda function execution roles in the account grant permissions broader than a specific reference policy. Which Access Analyzer feature should be used?

    A. Access Analyzer policy validation to check IAM policies against AWS best practices
    B. Access Analyzer custom policy checks to validate policies against a reference permission set
    C. Access Analyzer finding details to identify Lambda roles with cross-account access
    D. Access Analyzer unused access findings to identify Lambda roles with unused permissions

  6. Question 6 (Select All That Apply; Security & Compliance)

    A company wants to ensure that IAM roles created by development teams cannot escalate privileges beyond a defined set of permissions. The security team wants to enforce this without reviewing every policy document. Which TWO mechanisms should the security team implement? (Select TWO.)

    A. Require all developer-created roles to have a specific permission boundary attached using an SCP
    B. Create a permission boundary policy that defines the maximum allowed permissions
    C. Use IAM Access Analyzer to continuously review role policies for privilege escalation
    D. Enable AWS CloudTrail management events to detect privilege escalation attempts
    E. Configure AWS Config rules to ensure all IAM roles have the `AdministratorAccess` policy removed

  7. Question 7 (Security & Compliance)

    An IAM user has the following attached policies: an identity-based policy that allows `s3:GetObject` on all buckets, and a permissions boundary that allows `s3:*` only on the bucket `arn:aws:s3:::approved-bucket/*`. The user attempts to download an object from `arn:aws:s3:::other-bucket/file.txt`. What is the result?

    A. The request is allowed because the identity-based policy explicitly allows `s3:GetObject` on all buckets.
    B. The request is denied because the permissions boundary restricts effective permissions to only `approved-bucket`, and the intersection of the identity policy and boundary does not include `other-bucket`.
    C. The request is denied because the permissions boundary takes precedence over all other policies.
    D. The request is allowed because permissions boundaries only restrict IAM users created by the user, not the user's own actions.

  8. Question 8 (Security & Compliance)

    A SysOps administrator is setting up AWS IAM Identity Center (AWS SSO) for a multi-account organization. The security team requires that developers in the `Development` OU have read-only access to all AWS services, while infrastructure engineers in the same OU have full EC2 and S3 access but no IAM permissions. How should the administrator configure this?

    A. Create two permission sets: one with the `ViewOnlyAccess` AWS managed policy and one with custom policies granting EC2/S3 full access but explicitly denying IAM actions; assign each permission set to the appropriate groups
    B. Create a single permission set with both policies and use session tags to differentiate access between developers and infrastructure engineers
    C. Create two separate AWS accounts within the Development OU and assign different IAM policies in each account
    D. Assign the `PowerUserAccess` managed policy permission set to both groups and use an SCP to restrict IAM access for infrastructure engineers

  9. Question 9 (Select All That Apply; Security & Compliance)

    A SysOps Administrator needs to ensure that an IAM role for a Lambda function allows `s3:GetObject` only on a specific S3 bucket prefix (`data/reports/*`) and only during business hours (Monday–Friday, 08:00–18:00 UTC). Which IAM policy elements should be used? (Select TWO.)

    A. A `Resource` element specifying `arn:aws:s3:::bucket-name/data/reports/*`.
    B. A `Condition` element using `aws:CurrentTime` with `DateGreaterThan` and `DateLessThan` operators to restrict to business hours and `aws:CurrentTime` weekday conditions.
    C. A `NotResource` element excluding all other S3 prefixes.
    D. A `Principal` element specifying the Lambda function's ARN.
    E. An SCP that restricts `s3:GetObject` to business hours across the organization.

  10. Question 10 (Security & Compliance)

    A company allows team leads to create IAM roles for their teams, but wants to ensure they cannot create roles with more permissions than they themselves possess. Which IAM feature enforces this constraint?

    A. IAM service control policies (SCPs) that deny `iam:CreateRole` unless a condition is met.
    B. IAM permission boundaries — the team lead attaches a permissions boundary to every role they create, and the boundary limits the effective permissions to a defined policy.
    C. IAM policy conditions using `aws:RequestedRegion` to limit where roles can be used.
    D. Tagging new roles with `created-by` and denying actions for untagged roles.

  11. Question 11 (Select All That Apply; Security & Compliance)

    A SysOps administrator needs to grant an EC2 instance temporary access to a secret stored in AWS Secrets Manager. The secret is encrypted with a customer-managed KMS key. What permissions must the EC2 instance's IAM role have? (Select TWO.)

    A. `secretsmanager:GetSecretValue` on the specific secret ARN
    B. `kms:Decrypt` on the KMS key used to encrypt the secret
    C. `secretsmanager:DescribeSecret` on all secrets in the account
    D. `kms:GenerateDataKey` on the KMS key used to encrypt the secret
    E. `sts:AssumeRole` on the Secrets Manager service role

  12. Question 12 (Deployment, Provisioning & Automation)

    An administrator creates a Service Catalog portfolio with three products. The administrator wants a specific IAM role to be used when end users launch any product from this portfolio, regardless of the user's own permissions. Which constraint type achieves this?

    A. Launch constraint
    B. Template constraint
    C. Notification constraint
    D. Stack Set constraint

  13. Question 13 (Security & Compliance)

    A company grants a contractor in Account B access to an S3 bucket in Account A using a cross-account IAM role. The contractor's application in Account B assumes the role in Account A but receives an AccessDenied error when attempting to read objects. The IAM role in Account A has a policy allowing `s3:GetObject` on the bucket. What is the most likely cause?

    A. The S3 bucket policy in Account A does not grant access to the IAM role, and the objects are owned by Account A with "Bucket owner enforced" set, requiring the bucket policy to allow the role
    B. The trust policy on the IAM role in Account A does not include Account B as a trusted principal
    C. The contractor's IAM user in Account B does not have `sts:AssumeRole` permission for the role in Account A
    D. The S3 bucket has a deny policy for all external accounts that overrides the IAM role permissions

  14. Question 14 (Security & Compliance)

    A SysOps administrator discovers using IAM Access Analyzer that several IAM users have access keys that have not been used in over 90 days. Company policy requires unused credentials to be disabled. What is the most efficient way to identify and remediate these credentials?

    A. Generate an IAM credential report, filter for access keys with `last_used_date` older than 90 days, and use the AWS CLI to deactivate those keys.
    B. Use AWS Config's `iam-user-unused-credentials-check` rule with automatic remediation via an SSM Automation document that deactivates unused keys.
    C. Create a Lambda function that calls `ListUsers` and `GetAccessKeyLastUsed` for each user and deactivates stale keys.
    D. Use IAM Access Analyzer findings to identify unused access and manually deactivate each key through the IAM console.

  15. Question 15 (Security & Compliance)

    A SysOps administrator needs to restrict IAM users in a development account from creating EC2 instances larger than `t3.medium`. The administrator wants this enforced account-wide regardless of any permissions granted by IAM policies. Which approach should the administrator use?

    A. Attach a Service Control Policy (SCP) to the development account's OU that denies `ec2:RunInstances` when the `ec2:InstanceType` condition key does not match allowed types.
    B. Create a permission boundary that restricts EC2 instance launches to `t3.medium` and smaller, and attach it to all IAM users.
    C. Modify the default VPC security group to reject traffic from instances larger than `t3.medium`.
    D. Create an AWS Config rule that terminates any EC2 instances larger than `t3.medium` after launch.

  16. Question 16 (Security & Compliance)

    A company is implementing AWS IAM Identity Center (successor to AWS SSO) to manage workforce access to 20 AWS accounts. Users are sourced from an on-premises Active Directory. Which configuration allows users to authenticate using their existing AD credentials?

    A. Create IAM users in each account that match the AD usernames
    B. Configure IAM Identity Center with an Active Directory Connector or AWS Managed Microsoft AD as the identity source
    C. Set up SAML federation directly between each AWS account and the on-premises AD
    D. Use Amazon Cognito user pools to federate with the on-premises AD

  17. Question 17 (Security & Compliance)

    A company wants to ensure that IAM principals can only make API calls to AWS services from within the corporate network (a specific IP range) or from within AWS services using VPC endpoints. Which IAM policy condition key combination achieves this?

    A. Use `aws:SourceIp` to restrict to the corporate IP range, combined with `aws:ViaAWSService` to allow calls made through AWS service-to-service communication.
    B. Use `aws:SourceVpc` to restrict to a specific VPC ID, which automatically covers both corporate VPN and VPC endpoints.
    C. Use `aws:PrincipalOrgID` to restrict access to only principals within the AWS Organization.
    D. Use `aws:RequestedRegion` to limit API calls to specific regions where the corporate network has connectivity.

  18. Question 18 (Security & Compliance)

    A company wants to implement Attribute-Based Access Control (ABAC) so that developers can only manage EC2 instances that are tagged with their department. For example, a developer in the "Engineering" department should only be able to start/stop EC2 instances tagged `Department=Engineering`. Which IAM policy approach implements this?

    A. Create separate IAM policies for each department and attach them to the corresponding IAM groups.
    B. Create a single IAM policy with a condition requiring that `aws:PrincipalTag/Department` matches `ec2:ResourceTag/Department`, and tag each IAM user/role with their department.
    C. Use an SCP that restricts EC2 actions based on resource tags.
    D. Configure resource-based policies on each EC2 instance to allow actions only from principals with matching tags.

  19. Question 19 (Monitoring, Logging & Remediation)

    A development team deploys an AWS Lambda function that processes orders. The team wants the function to emit custom business metrics (e.g., `OrderValue`, `ProcessingTime`) to CloudWatch without making explicit `PutMetricData` API calls, to avoid the overhead and additional IAM permissions. Which approach should the SysOps Administrator recommend?

    A. Write the metrics to the function's standard output as structured JSON using the CloudWatch Embedded Metric Format (EMF) specification, which CloudWatch Logs automatically extracts as custom metrics.
    B. Use the AWS SDK to call `PutMetricData` asynchronously after each invocation, which avoids blocking the main function logic.
    C. Publish the metrics to an SNS topic, and configure a CloudWatch Logs subscription filter to parse and create metrics.
    D. Enable Lambda Insights, which automatically captures custom business metrics alongside performance metrics.

  20. Question 20 (Select All That Apply; Security & Compliance)

    A SysOps Administrator needs to allow a fleet of EC2 instances in a private subnet to access an S3 bucket without traversing the internet. The instances use an IAM instance profile for S3 access. The security team also requires that all S3 API requests are logged and that the endpoint does not incur per-hour or per-GB data processing charges. Which endpoint type should be used? (Select TWO.)

    A. Create an S3 Gateway VPC endpoint and add it to the route table of the private subnet.
    B. Gateway endpoints for S3 are free — there are no hourly or data processing charges, only standard S3 request charges apply.
    C. Create an S3 Interface VPC endpoint (PrivateLink) with private DNS enabled.
    D. Use a NAT Gateway to route S3 traffic through the internet gateway.
    E. Gateway endpoints do not support logging; use an Interface endpoint instead.

  21. Question 21 (Security & Compliance)

    A SysOps Administrator is reviewing IAM policies and finds a policy with the following condition:

    ```json
    "Condition": {
      "StringEquals": {
        "aws:PrincipalTag/Department": "Engineering"
      }
    }
    ```

    What does this condition enforce?

    A. The policy applies only when the IAM principal (user or role) making the request has a tag `Department` with the value `Engineering`.
    B. The policy applies only when the target resource has a tag `Department` with the value `Engineering`.
    C. The policy applies only when the request was made from the `Engineering` AWS account.
    D. The policy applies only when the request includes the header `X-Department: Engineering`.

  22. Question 22 (Monitoring, Logging & Remediation)

    A SysOps administrator is configuring Amazon EventBridge to trigger a Lambda function whenever an IAM policy is changed. The rule has been created but the Lambda function is not being invoked. Which of the following is the MOST LIKELY cause?

    A. The EventBridge rule's event pattern does not match the IAM API calls
    B. CloudTrail is not enabled in the region where the EventBridge rule was created
    C. The Lambda function does not have a resource-based policy allowing EventBridge to invoke it
    D. The IAM role attached to EventBridge does not have permission to invoke Lambda

  23. Question 23 (Security & Compliance)

    A SysOps administrator discovers that an IAM user has both an explicit allow and an explicit deny for `s3:PutObject` on the same S3 bucket, coming from different IAM policies. What is the effective permission for this action?

    A. The explicit allow takes precedence because it was attached most recently
    B. The explicit deny always takes precedence over any allow
    C. The permissions cancel out, and the default implicit deny applies
    D. The result depends on which policy is evaluated first

  24. Question 24 (Security & Compliance)

    A SysOps administrator needs to allow a third-party application running outside of AWS to access an Amazon S3 bucket securely. The company policy prohibits creating long-lived IAM access keys. Which solution should the administrator implement?

    A. Create an IAM role with the required S3 permissions and configure the third-party application to use `AssumeRole` with an external ID
    B. Create a pre-signed S3 URL with a long expiration time
    C. Configure the S3 bucket policy to allow public read/write access from the third-party's IP range
    D. Create a temporary IAM user with short-lived credentials

  25. Question 25 (Monitoring, Logging & Remediation)

    An administrator sets up an EventBridge rule with the following event pattern to capture IAM policy changes:

    ```json
    {
      "source": ["aws.iam"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventName": [
          { "prefix": "Put" },
          { "prefix": "Delete" },
          { "prefix": "Attach" },
          { "prefix": "Detach" }
        ]
      }
    }
    ```

    The rule is triggering for events such as `PutObject` from S3. What is the problem?

    A. The prefix matching on `eventName` matches across all AWS services, not just IAM; the administrator should add a filter on `detail.eventSource` equal to `iam.amazonaws.com`
    B. The `source` field for IAM events should be `aws.cloudtrail` instead of `aws.iam`
    C. EventBridge does not support prefix matching on the `eventName` field
    D. The rule should use `detail.userIdentity.type` to scope events to IAM operations

  26. Question 26 (Monitoring, Logging & Remediation)

    An operations team deployed a Lambda function that processes SQS messages, but they are unable to see per-invocation performance data such as memory usage, CPU time, and init duration in CloudWatch. The function already has the `CloudWatchLambdaInsightsExecutionRolePolicy` managed policy attached. What is the MOST likely reason?

    A. The Lambda function's execution role is missing the `logs:PutLogEvents` permission for the `/aws/lambda-insights` log group
    B. The Lambda Insights extension layer has not been added to the function configuration
    C. Lambda Insights only works with Lambda functions that use provisioned concurrency
    D. The function's CloudWatch Logs log group must be encrypted with a KMS key before Lambda Insights can publish data

  27. Question 27 (Monitoring, Logging & Remediation)

    A SysOps administrator configured Lambda Insights on a function, but the `/aws/lambda-insights` log group shows no data. The function's execution role has the `CloudWatchLambdaInsightsExecutionRolePolicy` attached, and the Lambda Insights extension layer is added. What is the MOST likely cause?

    A. The Lambda Insights layer version is incompatible with the function's runtime version
    B. The function's timeout is set to less than 3 seconds, which is insufficient for the extension to report metrics
    C. The function is running in a VPC without a NAT gateway or VPC endpoint for CloudWatch Logs, so the extension cannot send data
    D. Lambda Insights requires X-Ray tracing to be enabled on the function

  28. Question 28 (Security & Compliance)

    An IAM Identity Center administrator needs to grant a group of data engineers temporary elevated access to production Redshift clusters for maintenance windows. The elevated access should expire after 8 hours. Which approach BEST meets this requirement?

    A. Create a permission set with a maximum session duration of 8 hours and assign it to the data engineers group for the production account, then remove the assignment after the maintenance window
    B. Create an inline session policy within the permission set that uses a time-based condition `aws:CurrentTime` to restrict access to the 8-hour maintenance window
    C. Create a separate permission set with a session duration of 8 hours; the engineers' console session will expire after 8 hours, requiring them to re-authenticate
    D. Use temporary IAM credentials generated by STS with an 8-hour expiry and distribute them to the engineers manually

  29. Question 29 (Monitoring, Logging & Remediation)

    A SysOps administrator wants to detect when any IAM policy change occurs in the account. Which approach creates an alert for this?

    A. CloudWatch metric filter on CloudTrail logs for IAM events + alarm + SNS
    B. AWS Config rule for IAM policy changes
    C. EventBridge rule for CreatePolicy/AttachUserPolicy CloudTrail events
    D. Both A and C

  30. Question 30 (Security & Compliance)

    A SysOps administrator uses IAM Identity Center (formerly AWS SSO). What is its primary advantage over individual IAM users per account?

    A. IAM Identity Center is free; IAM users have per-user charges
    B. IAM Identity Center provides centralized SSO access across multiple AWS accounts using permission sets, integrating with existing identity providers (Active Directory, Okta)
    C. IAM Identity Center users have more permissions than IAM users
    D. IAM Identity Center replaces IAM entirely

  31. Question 31 (Security & Compliance)

    A SysOps administrator needs to enable MFA for all IAM users who access the AWS Management Console. The administrator wants to deny access to all AWS services (except IAM self-service for MFA setup) if MFA is not present. How should the administrator implement this?

    A. Attach an IAM policy to all users that includes a `Deny` for all actions with a condition `aws:MultiFactorAuthPresent` is `false`, with exceptions for IAM MFA self-service actions.
    B. Enable MFA enforcement in the IAM account settings, which automatically blocks all non-MFA console access.
    C. Apply an SCP that denies all actions unless MFA is present, with exceptions for IAM actions.
    D. Configure AWS SSO with mandatory MFA and migrate all users from IAM to SSO.

  32. Question 32 (Security & Compliance)

    An auditor requests a report of all IAM users, their access key age, password last used date, and MFA status. The administrator needs to generate this data quickly. Which method is MOST efficient?

    A. Use the AWS CLI to call `iam list-users` and iterate through each user to collect credential details
    B. Generate an IAM credential report using the AWS Management Console or CLI
    C. Query CloudTrail logs for IAM user activity to infer credential usage
    D. Use AWS Config to query IAM user resource configurations

  33. Question 33 (Select All That Apply; Security & Compliance)

    A SysOps administrator needs to allow an application running in Account A to call DynamoDB in Account B. The administrator decides to use cross-account IAM role assumption. Which steps are required? (Select TWO.)

    A. Create an IAM role in Account B with a trust policy allowing Account A's principal to assume it, and attach a policy granting DynamoDB access
    B. Create an IAM role in Account A with a policy allowing `sts:AssumeRole` for the role ARN in Account B, and assign it to the application
    C. Configure a VPC peering connection between Account A and Account B
    D. Add an SCP in the organization allowing cross-account DynamoDB access
    E. Create a resource-based policy on the DynamoDB table in Account B granting access to Account A

  34. Question 34 (Security & Compliance)

    A company has an on-premises Active Directory and wants to enable its AD users to sign in to the AWS Management Console and assume IAM roles using their existing corporate credentials. The company does NOT want to extend its AD schema or deploy additional domain controllers in AWS. Which AWS Directory Service option should the SysOps Administrator configure?

    A. AWS Managed Microsoft AD, which creates a new directory in AWS with a trust relationship to the on-premises AD.
    B. AD Connector, which is a directory gateway that proxies authentication requests to the on-premises Active Directory without caching any directory data in AWS.
    C. Simple AD, which is a standalone Samba-based directory.
    D. Amazon Cognito user pool with SAML federation to the on-premises AD.

  35. Question 35 (Deployment, Provisioning & Automation)

    A SysOps administrator needs to deploy a CloudFormation stack that creates IAM roles with custom names. The stack creation fails with an `InsufficientCapabilities` error. What must the administrator do?

    A. Add `CAPABILITY_NAMED_IAM` to the stack creation request
    B. Add `CAPABILITY_IAM` to the stack creation request
    C. Use an IAM role with `AdministratorAccess` to create the stack
    D. Remove the custom IAM role names from the template

  36. Question 36 (Networking & Content Delivery)

    A SysOps administrator needs to restrict an interface VPC endpoint for AWS Secrets Manager so that only specific IAM roles can use the endpoint to retrieve secrets. How is this accomplished?

    A. Attach a VPC endpoint policy that includes a condition restricting `aws:PrincipalArn` to the allowed IAM role ARNs
    B. Configure security groups on the VPC endpoint to restrict access by source IP of the allowed instances
    C. Modify the Secrets Manager resource policy to deny all requests not originating from the VPC endpoint
    D. Use NACLs on the subnets where the endpoint ENIs are created to restrict traffic to specific instance IPs

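
Worked example for Question 36 (added here; it is not part of the question bank). It builds the endpoint policy that pins the endpoint to named roles, places it beside the default full-access policy AWS applies when you specify none, and runs the check a reviewer would run on either: does any Allow statement with `Principal: "*"` lack a condition that names the caller? The account ID and role ARNs are constructed placeholders.

```python
"""Interface VPC endpoint policy for Secrets Manager that only named roles may use.

Added example (not the page's own code). The account ID and role ARNs are
constructed placeholders; the serialized policy is what you pass to
`aws ec2 modify-vpc-endpoint --vpc-endpoint-id ... --policy-document file://policy.json`.
"""
import json

ALLOWED_ROLES = [  # assumption: the only two roles that may fetch secrets via the endpoint
    "arn:aws:iam::111122223333:role/AppServerRole",
    "arn:aws:iam::111122223333:role/BatchRole",
]

# Condition keys (lower-cased) that pin an Allow with Principal "*" to specific callers.
PRINCIPAL_CONDITION_KEYS = ("aws:principalarn", "aws:principalaccount", "aws:principalorgid")


def endpoint_policy(allowed_role_arns):
    """Build the endpoint policy.

    Principal is "*" on purpose: the restriction lives in the aws:PrincipalArn
    condition. For an assumed-role session aws:PrincipalArn carries the role ARN
    (arn:aws:iam::ACCOUNT:role/NAME), not the sts assumed-role session ARN, so
    matching on role ARNs is the right comparison.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyNamedRolesViaThisEndpoint",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                "Resource": "*",
                "Condition": {"ArnEquals": {"aws:PrincipalArn": list(allowed_role_arns)}},
            }
        ],
    }


# The policy an interface endpoint gets when you attach none: full access.
DEFAULT_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def unrestricted_statements(policy):
    """Sids (or statement indexes) of Allow statements that grant to Principal "*"
    with no condition naming the caller. Non-empty means any principal that can
    route to the endpoint may use it."""
    flagged = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if not wildcard:
            continue
        keys_used = {
            key.lower()
            for values in stmt.get("Condition", {}).values()
            for key in values
        }
        if not any(key in keys_used for key in PRINCIPAL_CONDITION_KEYS):
            flagged.append(stmt.get("Sid", index))
    return flagged


def policy_json(allowed_role_arns):
    """Serialized form for --policy-document."""
    return json.dumps(endpoint_policy(allowed_role_arns), indent=2)


if __name__ == "__main__":
    print(policy_json(ALLOWED_ROLES))
    print("open statements in default policy:", unrestricted_statements(DEFAULT_OPEN_POLICY))
```

The endpoint policy only limits what can be done through this endpoint; the roles still need their own identity-based permission on the secret, and nothing here stops them (or anyone else) reaching Secrets Manager over the public endpoint. To close that path, pair this with a secret resource policy or an SCP that requires `aws:SourceVpce` to equal the endpoint ID.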
  37. Question 37 (Security and Compliance)

    A SysOps administrator notices that a CloudTrail Insights event was generated for unusually high `RunInstances` API calls. Upon investigation, the calls originated from an IAM role used by an Auto Scaling group. What should the administrator do FIRST?

    A. Immediately revoke the IAM role's permissions to stop the instance launches
    B. Review the Auto Scaling group's scaling policies and recent CloudWatch alarms to determine if the scaling activity is expected behavior caused by a legitimate traffic spike
    C. Enable GuardDuty and scan for compromised credentials
    D. Delete the CloudTrail Insights event to prevent false alarms in the future

  38. Question 38 (Deployment, Provisioning, and Automation)

    A SysOps administrator has a CloudFormation StackSet that deploys IAM roles across all accounts in an organization. After adding a new AWS account to the production OU, the administrator notices the StackSet was not automatically deployed to the new account. What is the most likely reason?

    A. The StackSet uses self-managed permissions instead of service-managed permissions
    B. The new account has not been registered with CloudFormation
    C. The StackSet deployment targets specify account IDs rather than OUs
    D. CloudFormation StackSets does not support automatic deployment to new accounts

  39. Question 39 (Security and Compliance)

    A SysOps administrator wants all IAM users to use MFA for console login. Which AWS service can detect users without MFA enabled?

    A. AWS Trusted Advisor (MFA on Root Account check)
    B. AWS Config rule `mfa-enabled-for-iam-console-access` or the IAM credential report
    C. CloudTrail, which shows login events without MFA
    D. AWS GuardDuty

  40. Question 40 (Security and Compliance)

    A SysOps administrator uses AWS IAM and wants to review all IAM roles that have not been used in the last 90 days. Which IAM feature provides this information?

    A. IAM credential report
    B. IAM Access Advisor, which shows the last activity date for each role's services
    C. CloudTrail `AssumeRole` events
    D. AWS Trusted Advisor

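
Worked example for Question 40 (added here; it is not part of the question bank). Access Advisor gives per-service last-accessed data in the console; for a scripted 90-day review the same question is answered from the `RoleLastUsed` block that `aws iam get-role` and `list-roles` return. The role records below are constructed and trimmed to the fields the check reads, and the review date is fixed so the numbers are reproducible.

```python
"""Flag IAM roles whose RoleLastUsed is older than a threshold.

Added example (not the page's own code). SAMPLE_ROLES is a constructed, trimmed
version of `aws iam list-roles` output and NOW is a fixed review date. IAM only
tracks role last-used activity for the trailing 400 days, so an empty
RoleLastUsed means "not used in that window", which for a 90-day review still
counts as unused.
"""
from datetime import datetime, timezone

NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # assumption: the day the review runs

SAMPLE_ROLES = [  # constructed
    {"RoleName": "AppServerRole", "Path": "/",
     "RoleLastUsed": {"LastUsedDate": "2024-06-28T08:15:00+00:00", "Region": "us-east-1"}},
    {"RoleName": "OldMigrationRole", "Path": "/",
     "RoleLastUsed": {"LastUsedDate": "2024-02-10T11:00:00+00:00", "Region": "eu-west-1"}},
    {"RoleName": "NeverUsedRole", "Path": "/", "RoleLastUsed": {}},
    {"RoleName": "AWSServiceRoleForAutoScaling",
     "Path": "/aws-service-role/autoscaling.amazonaws.com/", "RoleLastUsed": {}},
]


def days_since_use(role, now=NOW):
    """Whole days since the role was last used, or None if it has no activity
    inside the tracking window."""
    last = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if not last:
        return None
    return (now - datetime.fromisoformat(last)).days


def unused_roles(roles, days=90, now=NOW, include_service_linked=False):
    """Names of roles unused for more than `days`.

    Service-linked roles (path /aws-service-role/) are skipped by default: they
    are managed by the owning service and cannot be deleted while it uses them,
    so they belong in a separate review rather than a cleanup list.
    """
    result = []
    for role in roles:
        if not include_service_linked and role.get("Path", "/").startswith("/aws-service-role/"):
            continue
        age = days_since_use(role, now)
        if age is None or age > days:
            result.append(role["RoleName"])
    return result


if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(f"{role['RoleName']:32} last used {days_since_use(role)} days ago")
    print("candidates for removal:", unused_roles(SAMPLE_ROLES))
```

Feed it `aws iam list-roles --query Roles --output json` and you get the cleanup candidates; before deleting, pull `generate-service-last-accessed-details` for the same roles to see which services they last touched, and treat IAM Access Analyzer's unused-access findings as the managed version of the same check.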
  41. Question 41 (Security and Compliance)

    A SysOps administrator is reviewing a CloudTrail event and wants to determine if the action was taken by an IAM role assumed via cross-account access. Which CloudTrail field indicates this?

    A. `userIdentity.type: Root`
    B. `userIdentity.type: AssumedRole` with a `userIdentity.accountId` (or `sessionContext.sessionIssuer.accountId`) that differs from `recipientAccountId`
    C. The `sourceIPAddress` field
    D. The `requestParameters` field

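
Worked example for Question 41 (added here; it is not part of the question bank). It walks three constructed CloudTrail records, pulls the identity fields apart, and flags the one where the calling account is not the account that recorded the event. Account IDs, ARNs and event IDs are placeholders, and the records are trimmed to the fields the code reads.

```python
"""Tell from a CloudTrail record whether a call came from another account.

Added example (not the page's own code). SAMPLE_RECORDS are constructed and
trimmed; account IDs, ARNs and event IDs are placeholders.
"""

SAMPLE_RECORDS = [
    {   # AssumeRole into 222222222222 by a role session in 111111111111. CloudTrail
        # delivers this event to both accounts, linked by the same sharedEventID.
        "eventID": "evt-0001", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID:deploy-session",
            "arn": "arn:aws:sts::111111111111:assumed-role/DeployRole/deploy-session",
            "accountId": "111111111111",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": "arn:aws:iam::111111111111:role/DeployRole",
                "accountId": "111111111111", "userName": "DeployRole"}},
        },
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/CrossAccountDeploy",
                              "roleSessionName": "deploy-session"},
        "recipientAccountId": "222222222222",
        "sharedEventID": "shared-0001",
    },
    {   # Same-account role session (an Auto Scaling group's instance role) launching instances.
        "eventID": "evt-0002", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID2:i-0abc",
            "arn": "arn:aws:sts::222222222222:assumed-role/AppInstanceRole/i-0abc",
            "accountId": "222222222222",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": "arn:aws:iam::222222222222:role/AppInstanceRole",
                "accountId": "222222222222", "userName": "AppInstanceRole"}},
        },
        "recipientAccountId": "222222222222",
    },
    {   # Root user console sign-in.
        "eventID": "evt-0003", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "principalId": "222222222222",
                         "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"},
        "recipientAccountId": "222222222222",
    },
]


def arn_account(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4] if arn else None


def describe_caller(record):
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    caller_account = ident.get("accountId") or issuer.get("accountId")
    recipient = record.get("recipientAccountId")
    target_role = (record.get("requestParameters") or {}).get("roleArn")

    # Cross-account if the caller's account is not the one that recorded the
    # event, or (for the AssumeRole call itself) the target role lives elsewhere,
    # so the copy delivered to the calling account is flagged as well.
    cross = bool(caller_account and recipient and caller_account != recipient)
    if target_role and caller_account and arn_account(target_role) != caller_account:
        cross = True

    return {
        "eventID": record.get("eventID"),
        "eventName": record.get("eventName"),
        "type": ident.get("type"),
        "role_arn": issuer.get("arn"),  # None unless the caller is a role session
        "caller_account": caller_account,
        "recipient_account": recipient,
        "target_role": target_role,
        "cross_account": cross,
        "shared_event": "sharedEventID" in record,
    }


def cross_account_events(records):
    """eventIDs of records that involve a principal from another account."""
    return [d["eventID"] for d in map(describe_caller, records) if d["cross_account"]]


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(describe_caller(record))
```

The caveat that matters in an investigation: once the cross-account role has been assumed, the calls it makes in the target account carry that account's role as `sessionIssuer` and look exactly like a same-account role session. The `AssumeRole` event (with its `sharedEventID` and the original caller's `userIdentity`) is the record that proves the hop, so correlate on the role session name from `requestParameters.roleSessionName` to tie later activity back to it.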
  42. Question 42 (Deployment, Provisioning, and Automation)

    A SysOps administrator needs to deploy a CloudFormation stack that requires IAM role creation. Which IAM capability must be specified in the deployment command?

    A. `CAPABILITY_AUTO_EXPAND`
    B. `CAPABILITY_NAMED_IAM` (or `CAPABILITY_IAM` for unnamed IAM resources)
    C. `CAPABILITY_RESOURCE_POLICY`
    D. No special capability is needed for IAM resources

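
Worked example for Questions 35 and 42 (added here; it is not part of the question bank). A pipeline that calls `create-stack` or `update-stack` can decide the capability up front instead of discovering `InsufficientCapabilitiesException` at deploy time: walk the template's resources, require `CAPABILITY_IAM` if any is an IAM type, and upgrade to `CAPABILITY_NAMED_IAM` if one of them sets a custom name. The templates are constructed, in the JSON form CloudFormation accepts (parse YAML first if that is what you store).

```python
"""Pre-flight check: which IAM capability does a CloudFormation template need?

Added example (not the page's own code). The templates are constructed.
IAM_RESOURCE_TYPES is the list CloudFormation documents as requiring
CAPABILITY_IAM; CUSTOM_NAME_PROPERTY covers the name properties that raise
that to CAPABILITY_NAMED_IAM. Extend the table if you use other named
IAM resources.
"""

IAM_RESOURCE_TYPES = {
    "AWS::IAM::AccessKey", "AWS::IAM::Group", "AWS::IAM::InstanceProfile",
    "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::UserToGroupAddition",
}
CUSTOM_NAME_PROPERTY = {
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::User": "UserName",
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
}

ASSUME_ROLE_DOC = {  # constructed trust policy shared by the sample roles
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "codepipeline.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

NAMED_ROLE_TEMPLATE = {  # constructed: custom RoleName -> CAPABILITY_NAMED_IAM
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DeployRole": {"Type": "AWS::IAM::Role",
                       "Properties": {"RoleName": "prod-deploy-role",
                                      "AssumeRolePolicyDocument": ASSUME_ROLE_DOC}},
        "Artifacts": {"Type": "AWS::S3::Bucket"},
    },
}

UNNAMED_ROLE_TEMPLATE = {  # constructed: CloudFormation generates the name -> CAPABILITY_IAM
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DeployRole": {"Type": "AWS::IAM::Role",
                       "Properties": {"AssumeRolePolicyDocument": ASSUME_ROLE_DOC}},
    },
}

NO_IAM_TEMPLATE = {  # constructed: nothing to acknowledge
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"Artifacts": {"Type": "AWS::S3::Bucket"}},
}


def required_capability(template):
    """CAPABILITY_NAMED_IAM, CAPABILITY_IAM, or None."""
    needed = None
    for resource in template.get("Resources", {}).values():
        rtype = resource.get("Type", "")
        if rtype not in IAM_RESOURCE_TYPES:
            continue
        needed = needed or "CAPABILITY_IAM"
        name_property = CUSTOM_NAME_PROPERTY.get(rtype)
        if name_property and name_property in resource.get("Properties", {}):
            return "CAPABILITY_NAMED_IAM"  # strictly stronger; covers CAPABILITY_IAM too
    return needed


def capabilities_args(template):
    """The extra CLI arguments for create-stack / update-stack / deploy."""
    capability = required_capability(template)
    return ["--capabilities", capability] if capability else []


if __name__ == "__main__":
    for name, template in [("named", NAMED_ROLE_TEMPLATE), ("unnamed", UNNAMED_ROLE_TEMPLATE),
                           ("no-iam", NO_IAM_TEMPLATE)]:
        print(name, capabilities_args(template))
```

Acknowledging `CAPABILITY_NAMED_IAM` is enough on its own; listing both is harmless but unnecessary. Custom names are also what make an IAM template non-reusable across accounts and regions in the same stack set, which is the reason to leave `RoleName` out unless something external depends on it.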
  43. Question 43 (Security and Compliance)

    A SysOps administrator wants to verify that all IAM users in an account have multi-factor authentication (MFA) enabled. Which credential report column shows this?

    A. The `mfa_active` column in the IAM credential report
    B. CloudTrail events for `ConsoleLogin` with MFA
    C. The Config rule `mfa-enabled-for-iam-console-access`
    D. IAM Access Analyzer findings

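
Worked example for Questions 39 and 43 (added here; it is not part of the question bank). It reads a credential report the way a scheduled check would: decode the base64 `Content` that `aws iam get-credential-report` returns, then list every principal that can sign in to the console but has `mfa_active` false. The root row is the edge case: its `password_enabled` column reads `not_supported`, so a naive `password_enabled == "true"` filter silently skips the account's most important login. The CSV is constructed and trimmed to the columns this check reads; a real report has 22 columns with the same names.

```python
"""List principals with console access but no MFA, from an IAM credential report.

Added example (not the page's own code). SAMPLE_REPORT_CSV is a constructed
report trimmed to the columns read here. A real report, fetched with
`aws iam get-credential-report --query Content --output text`, is the same CSV
base64-encoded (22 columns, identical names). IAM regenerates the report at
most once every four hours, so it is a snapshot, not a live check.
"""
import base64
import csv
import io

SAMPLE_REPORT_CSV = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-06-30T09:12:00+00:00,false,false,false
alice,arn:aws:iam::111122223333:user/alice,true,2024-06-29T15:40:00+00:00,false,true,false
bob,arn:aws:iam::111122223333:user/bob,true,2024-06-28T11:02:00+00:00,true,false,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,no_information,false,true,false
"""

# What the API hands back for the report above.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()


def decode_report(content_b64):
    """Turn the Content field of get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode()


def parse_report(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def has_console_access(row):
    # Root always has a console password; its row says "not_supported" rather than "true".
    return row["user"] == "<root_account>" or row["password_enabled"] == "true"


def console_users_without_mfa(report_csv):
    """Principals who can sign in to the console and have no MFA device: the
    population the Config rule mfa-enabled-for-iam-console-access evaluates."""
    return [row["user"] for row in parse_report(report_csv)
            if has_console_access(row) and row["mfa_active"] != "true"]


def access_key_only_users(report_csv):
    """Users with no console password but an active access key. Not a console-MFA
    finding, but their API calls carry MFA only if they call sts:GetSessionToken
    with a code and their policies check aws:MultiFactorAuthPresent, so review
    them separately."""
    return [row["user"] for row in parse_report(report_csv)
            if not has_console_access(row)
            and (row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true")]


if __name__ == "__main__":
    report = decode_report(SAMPLE_REPORT_B64)
    print("console, no MFA:", console_users_without_mfa(report))
    print("access keys only:", access_key_only_users(report))
```

For continuous enforcement the Config rule from Question 39 evaluates the same condition on every change; the report is what you reach for in a one-off audit or when you need the root row and access-key columns in the same place.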
  44. Question 44 (Deployment, Provisioning, and Automation)

    A SysOps administrator uses CloudFormation and creates an IAM role. The role's name is not specified in the template. What type of name does CloudFormation assign?

    A. CloudFormation requires all IAM role names to be specified explicitly
    B. CloudFormation generates a physical ID (the stack name and logical ID with a random suffix) as the role name
    C. The role name defaults to `CloudFormationRole`
    D. The role is created without a name

  45. Question 45 (Security and Compliance)

    A SysOps administrator uses CloudTrail and discovers that API calls are being made from an unknown IP address using a specific IAM role. What should be done?

    A. Immediately revoke all active sessions for the IAM role
    B. Investigate the role's trust policy and recent assumption events; if compromised, revoke active sessions by attaching a deny-all policy conditioned on `aws:TokenIssueTime`
    C. Delete the IAM role
    D. Change the IAM role's permissions to read-only

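
Worked example for Question 45 (added here; it is not part of the question bank). It builds the deny policy that the IAM console attaches inline under the name `AWSRevokeOlderSessions` when you choose Revoke active sessions on a role, and then shows which sessions it cuts off and which it does not. The cutoff time and the session list are constructed.

```python
"""Session-revocation deny policy for an IAM role, and which sessions it affects.

Added example (not the page's own code). CUTOFF and SAMPLE_SESSIONS are
constructed. Attach the policy with
`aws iam put-role-policy --role-name ROLE --policy-name AWSRevokeOlderSessions --policy-document file://revoke.json`.
"""
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the form aws:TokenIssueTime is compared against
CUTOFF = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # assumption: when you respond

SAMPLE_SESSIONS = [  # constructed: (role session name, aws:TokenIssueTime of its credentials)
    ("app-session", datetime(2024, 6, 1, 9, 0, 0, tzinfo=timezone.utc)),
    ("attacker-session-1", datetime(2024, 6, 1, 11, 30, 0, tzinfo=timezone.utc)),
    ("attacker-session-2", datetime(2024, 6, 1, 12, 30, 0, tzinfo=timezone.utc)),
]


def revoke_older_sessions_policy(cutoff):
    """Deny every action for any session whose credentials were issued before cutoff.
    An explicit Deny wins over every Allow the role carries, so no permission
    review is needed before attaching it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSRevokeOlderSessions",
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(TIME_FMT)}},
        }],
    }


def policy_cutoff(policy):
    """Read the cutoff back out of the policy document."""
    value = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def sessions_affected(policy, sessions):
    """Names of sessions the policy denies.

    Everything issued before the cutoff is cut off, legitimate or not, so expect
    workloads using the role to re-assume it. Anything issued after the cutoff
    (attacker-session-2 below) is untouched: if the attacker still holds whatever
    let them assume the role, they simply assume it again. That is why the trust
    policy and the originating credentials have to be fixed as well.
    """
    cutoff = policy_cutoff(policy)
    return [name for name, issued in sessions if issued < cutoff]


if __name__ == "__main__":
    policy = revoke_older_sessions_policy(CUTOFF)
    print(policy)
    print("denied:", sessions_affected(policy, SAMPLE_SESSIONS))
```

Because the deny key is the credential issue time rather than the role session name, this is also why "revoke all active sessions" as the first step (option A) is incomplete on its own: it tells you nothing about how the role was assumed, and it does not stop a fresh assumption a minute later.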

Key IAM Concepts for SOA-C03

iam, role, policy, permission, least privilege, mfa, identity center, permission boundary, instance profile

SOA-C03 IAM Exam Tips

AWS Identity and Access Management (IAM) questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: iam, role, policy, permission, least privilege, mfa.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • IAM scenarios for SOA-C03 are frequently mapped to Domain 4 (16%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where IAM interacts with networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value IAM Concepts

  • Know the core IAM building blocks cold: iam, role, policy, permission.
  • Review the edge-case features and limits for least privilege and MFA; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how IAM pairs with CloudTrail, KMS, Organizations, Systems Manager in real deployment patterns.
  • For SOA-C03, explain why the chosen IAM design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Security and Compliance often include distractors that look correct for IAM but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two IAM implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Security and Compliance (16%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for IAM without relying on default-open assumptions?
  • Can you describe how IAM integrates with CloudTrail and KMS during failure, scaling, and monitoring events?
