What is the maximum number of access keys an IAM user can have?

2 access keys (active or inactive) for rotation purposes

True or False: IAM groups can be referenced as principals in S3 bucket policies.

False. Groups cannot be used as principals in resource-based policies.

An EC2 instance needs DynamoDB access. What's the most secure credential method?
A) IAM user with access keys
B) IAM role via instance profile
C) Embedded credentials in code
D) Root account credentials

B) IAM role via instance profile

Fill in the blank: _____ always overrides Allow statements in AWS policy evaluation.

Explicit Deny

What AWS service exchanges external identity tokens for temporary AWS credentials?

AWS Security Token Service (STS)

Which condition key restricts IAM actions to specific AWS regions?

Aws:RequestedRegion

True or False: Service Control Policies grant permissions to AWS accounts.

False. SCPs only restrict permissions, they don't grant them.

A user has Allow for S3:GetObject but bucket policy denies it. What happens?
A) Access allowed
B) Access denied
C) Depends on MFA
D) Depends on region

B) Access denied

What is the default session duration for assumed IAM roles?

1 hour

Fill in the blank: _____ boundaries set maximum permissions without granting any permissions.

Permissions

Which federation method should enterprises use for Active Directory integration?

SAML 2.0 federation

What prevents the 'confused deputy' problem in cross-account role assumptions?

External ID in the trust policy

True or False: IAM Access Analyzer automatically fixes detected security issues.

False. It only identifies issues; manual remediation is required.

An organization needs region restrictions across all AWS accounts. What should they use?
A) IAM policies
B) Permission boundaries
C) Service Control Policies
D) Resource policies

C) Service Control Policies

What is the maximum configurable session duration for user-assumed roles?

12 hours

Fill in the blank: EC2 instances retrieve temporary credentials from the _____ metadata service.

Instance

Which IAM report shows when services were last accessed by users?

Access Advisor

What condition key enforces HTTPS-only API requests in IAM policies?

Aws:SecureTransport

True or False: Root users in member accounts are restricted by SCPs.

True. SCPs affect root users in member accounts.

A developer creates users but shouldn't grant admin access. What prevents privilege escalation?
A) IAM groups
B) Permission boundaries
C) Resource policies
D) MFA requirements

B) Permission boundaries

What is the maximum number of managed policies per IAM user?

10 managed policies

Fill in the blank: _____ is more secure than IMDSv1 against SSRF attacks.

IMDSv2

Which AWS service provides user directories for mobile and web applications?

Amazon Cognito

What type of policy defines who can assume an IAM role?

Trust policy

True or False: Permission boundaries apply to IAM groups.

False. They only apply to users and roles.

Cross-account access requires policies in both accounts. What must the source account allow?
A) sts:GetSessionToken
B) sts:AssumeRole
C) iam:PassRole
D) sts:DecodeAuthorizationMessage

B) sts:AssumeRole

What is the maximum inline policy size per IAM user?

2 KB

Fill in the blank: _____ keys check if MFA was used during authentication.

Condition

Which AWS Organizations feature prevents service usage outside approved regions?

Service Control Policies (SCPs)

What happens when no IAM policy explicitly allows an action?

The request is implicitly denied by default

True or False: IAM credential reports can be generated multiple times per hour.

False. Maximum one report every 4 hours.

An app needs temporary S3 access for mobile users. What's the best approach?
A) Create IAM users
B) Use Amazon Cognito
C) Share access keys
D) Use SAML federation

B) Use Amazon Cognito