Access Management
IAM building blocks and the root user
Every request to AWS comes from a principal, and IAM allows it only when a policy attached to that principal permits the action: that one sentence is the engine behind every access question on the exam, from users and roles to secret storage. AWS Identity and Access Management (IAM) decides who can do what in an AWS account. It is free and global, so the identities you create are not tied to a single AWS Region.
The one model behind every IAM question: every request to AWS is made by a principal, the identity making the call (a user, an application, or an AWS service). A policy is a JSON document listing allowed (or denied) actions; it grants nothing until attached to an identity. On each request, IAM evaluates the policies attached to the calling principal and allows the action only if one permits it. The four building blocks below are the pieces of that model: who the principal can be, and how you attach permissions:
- Users: a principal for one person or application needing long-term access, with a console password, programmatic access keys, or both.
- Groups: a collection of users; a policy attached to the group is inherited by every user in it. You cannot nest groups, and a group is not itself a principal that can sign in or hold keys.
- Roles: an identity whose permissions are assumed temporarily rather than signed into. A role has no password or long-term keys: a user, application, or AWS service assumes it and gets short-lived credentials from AWS Security Token Service (STS)[1] that rotate automatically. A role is not a user you log in as: you take on its permissions for a session, then drop them.
- Policies: the JSON documents above. AWS managed policies are written by AWS for common use cases; customer managed policies are ones you create and reuse. AWS recommends starting from a managed policy and tightening toward least privilege.
When you create an AWS account you also get the root user, which signs in with the account's email address and has complete, unrestricted access to every service and resource. Because that power cannot be scoped down, AWS strongly recommends you do not use the root user for everyday tasks[2]. Treating root as a daily admin login is the classic mistake. Instead, create an administrative identity (an IAM user or, better, a user in IAM Identity Center) for daily work and lock the root user away. The exam rewards answers that protect the root user with multi-factor authentication (MFA) and remove its access keys.
A short list of root-only tasks can be performed only while signed in as the root user, including changing the account's email address or root password and closing the AWS account[2], restoring IAM permissions if an administrator locks themselves out, registering as a seller in the Reserved Instance Marketplace, and enabling MFA Delete on an Amazon S3 bucket. If a question describes one of these tasks, the root user is the correct (and only) answer.
Least privilege, MFA, and protecting credentials
This section covers the credential practices the exam tests most: how broadly to grant, how to add a second factor, and where application secrets live. Least privilege is the principle of granting a principal only the permissions it needs to do its job, and nothing more. If a credential is later leaked, least privilege limits the blast radius to just those few actions. On the exam, an answer that grants AdministratorAccess or full * permissions "to keep things simple" is almost always the wrong choice; the answer that scopes permissions to the specific task is correct.
The single most exam-relevant rule for credentials is prefer temporary credentials over long-lived ones, the trade-off behind roles above. For AWS workloads such as Amazon EC2 instances and AWS Lambda functions, AWS recommends attaching an IAM role[3] so the workload receives temporary credentials that rotate automatically; you should not embed an IAM user's access keys in the application. Long-term access keys remain valid for narrow cases (for example, a tool that cannot assume a role), and when you do use them you should rotate them on a schedule.
Multi-factor authentication (MFA) adds a second proof of identity on top of a password: something you have (an authenticator app, a hardware security key, or a passkey) in addition to something you know. AWS recommends enabling MFA for the root user and for any privileged IAM user[3]. You can also enforce a password policy for IAM users that sets minimum length, required character types, and expiration.
Application secrets (database passwords, API keys, OAuth tokens) should never be hard-coded in source. Two services hold them safely, and the diagram below shows the single question that separates them, whether you need automatic rotation:
- AWS Secrets Manager encrypts secrets with AWS KMS and can rotate supported database credentials automatically[4], with built-in support for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Choose it when you need scheduled rotation.
- AWS Systems Manager Parameter Store stores configuration data and secrets (as encrypted
SecureStringparameters) and offers a free tier for standard parameters[5]. Choose it for simple, low-cost secret and configuration storage when automatic rotation is not required.
Neither of these is an identity service: they store and serve secrets, while IAM governs the AWS-API permissions a principal holds.
Roles, IAM Identity Center, and federation: which to pick
As an account or organization grows, the question shifts from "how do I make a user" to "which identity mechanism fits this access need." Four patterns (all built on the assume-a-role idea from the model above) cover almost every CLF-C02 question.
IAM role for AWS services and cross-account access. When an EC2 instance, Lambda function, or other AWS service needs to call AWS APIs, attach an IAM role[1]; it supplies temporary credentials with no stored keys. Roles also enable cross-account access: instead of creating a user in every account, you create a role in account B that trusts account A, and principals in A assume it, as the diagram below traces. This is the standard, exam-correct way to let one account's users operate in another.
IAM Identity Center for workforce sign-in across many accounts. AWS IAM Identity Center[6] (the successor to AWS Single Sign-On, renamed in 2022) gives employees one sign-in and one portal to reach all the AWS accounts and applications they are assigned. You define reusable permission sets (collections of policies) and assign a group to an account with a permission set; users then get temporary sessions in each account. The organization instance is deployed in the AWS Organizations management account. If a stem says "a company with many AWS accounts needs centralized employee access," Identity Center is the answer, not creating IAM users in every account.
Federated identity for reusing existing logins. Federation means letting users authenticate with an external identity provider (a corporate directory such as Microsoft Entra ID, or a SAML/OIDC provider) and then assume an AWS role, so no new AWS password is created and access is centrally managed in the existing directory. Identity federation[7] is what lets a workforce reuse the logins it already has. Identity Center itself can connect to such an external IdP, combining federation with multi-account permission sets.
Exam-pattern recognition. Watch for these distractors:
- "Create an IAM user in each account for the employee": wrong when many accounts are involved; the answer is IAM Identity Center.
- "Store the access keys in the application code / EC2 user data": wrong; attach an IAM role.
- "Use the root user so the script always has access": wrong; root is for root-only tasks, never automation.
- Confusing workforce access (employees reaching AWS: IAM / Identity Center / federation) with application end-user sign-up, which is a separate customer-identity concern and not what these services do.
The through-line is consistent: temporary, centrally managed, least-privilege credentials beat long-lived per-account users every time.
Choosing an identity or credential mechanism
| Aspect | IAM user | IAM role | IAM Identity Center | Secrets Manager |
|---|---|---|---|---|
| Primary purpose | Long-term identity in one account | Temporary credentials assumed on demand | Workforce sign-in across many accounts | Store and rotate application secrets |
| Credential lifetime | Long-lived password or access keys | Temporary, auto-rotated via STS | Temporary session via permission set | Secret rotated on a schedule |
| Best for | Rare cases needing a fixed user | EC2/Lambda and cross-account access | Employees using multiple AWS accounts | DB passwords, API keys in apps |
| Federation support | No native federation | Assumed by federated identities | Connects to external IdP (SAML/SCIM) | Not an identity service |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- IAM is free and global
AWS Identity and Access Management (IAM)controls who is authenticated and authorized in an account, and it's a feature of your AWS account offered at no additional charge. You pay only for the other services your identities then use. It's global, not Regional, so a user, group, role, or policy you create works the same in every AWS Region rather than being scoped to one.Trap Assuming an IAM user or policy must be re-created per Region or that IAM carries a separate charge. IAM is global and free, unlike most AWS services.
- Root user has unrestricted access
The account root user signs in with the email address used to create the account and has complete access to every AWS service and resource. That access is effectively unlimited, which is why AWS strongly recommends not using it for everyday work and instead creating a separate administrative identity.
- Protect root with MFA and remove its access keys
Securing the root user means enabling
MFAon it, not creating (or deleting any existing) root access keys, and doing daily work from a separate administrative identity. AWS now mandates rootMFAand requires it to be registered within 35 days of the first console sign-in; the exam rewards answers that lock the root user away rather than hand it programmatic keys.Trap Creating root access keys so automation can run as the root user. Workloads should use an IAM role, and root should hold no access keys at all.
5 questions test this
- Following AWS best practices, what should a company do to protect its AWS account root user while still performing everyday administrative…
- A company is setting up their first AWS account and wants to follow security best practices for the root user. According to AWS…
- A security team wants to add an extra layer of sign-in protection to the AWS account root user so that a password alone is not sufficient…
- A startup recently created a new AWS account and needs to secure it according to AWS best practices. The account administrator wants to…
- A company recently created a new AWS account. The security team wants to implement multi-factor authentication (MFA) as quickly as possible…
- Some tasks are root-only
A short list of actions can be performed only by signing in as the root user, including changing the account's root email or password, closing the AWS account, restoring access after an IAM administrator locks themselves out, registering as a Reserved Instance Marketplace seller, and enabling S3 MFA Delete. For everything else, use an IAM or Identity Center administrative identity.
Trap Assuming routine admin work such as creating users or editing IAM policies needs the root user. Those are everyday IAM tasks, not the narrow root-only list.
- Least privilege limits blast radius
Least privilege means granting only the permissions an identity needs for its task and nothing more, narrowing what a compromised or mistaken credential can touch. On the exam, an option that attaches full administrator or
*permissions for convenience is almost always the wrong choice.Trap Attaching AdministratorAccess or a wildcard
*policy 'to keep things simple'. Convenience over least privilege is the classic distractor.6 questions test this
- A company is reviewing its IAM policies to implement least privilege access. The security team discovers that AWS managed policies attached…
- A security team configures each new IAM user to start with no permissions and then grants only the specific permissions required to perform…
- According to AWS security best practices, which principle should a company follow when assigning permissions to IAM users and roles?
- A company is using AWS managed policies for common job functions but wants to further restrict permissions for a specific team. What is the…
- An application running on an Amazon EC2 instance needs to read objects from an Amazon S3 bucket. The company wants to grant this access…
- A security administrator must give a data analyst permission to perform only a defined set of Amazon Athena and Amazon S3 actions, with no…
- Groups manage permissions for many users
An
IAMuser group is a collection of users that share the policies attached to the group, so adding a user to the group grants them its permissions in one step. Groups can't be nested (they hold only users, not other groups) and a group is not itself a principal you can authenticate or name in a policy'sPrincipal.Trap Treating a group as something you can sign in as or reference as a Principal in a resource policy. Groups relate to permissions, not authentication.
6 questions test this
- A company has multiple development teams with different AWS access requirements. The security team wants to simplify permissions management…
- A company wants to grant the same permissions to multiple IAM users who perform similar job functions. The company needs an efficient way…
- A company has 50 developers who need the same set of permissions to access Amazon S3 and Amazon EC2 resources. The security team wants to…
- A company's security policy requires that IAM policies attached to developers can ONLY be changed by security administrators, not by the…
- A company has multiple employees who need identical permissions to access AWS services. Following the principle of least privilege, what is…
- A company has multiple teams of developers who need identical permissions to access AWS resources. The security administrator wants to…
- Roles give temporary, auto-rotating credentials
An
IAMrole has no long-term password or access keys; when a principal assumes it,AWS STSissues short-lived credentials for that session that rotate automatically. Roles are the recommended way to grant access to AWS compute (Amazon EC2,AWS Lambda), to federated users, and across accounts.Trap Picking an IAM user with long-term access keys to grant an EC2 instance or Lambda function permissions. A role with auto-rotating temporary credentials is the recommended choice.
17 questions test this
- A company wants to allow users who are authenticated by a third-party identity provider to access AWS resources without creating individual…
- An application assumes an IAM role to obtain credentials that automatically expire after a short period instead of relying on long-term…
- A company contracts a third-party monitoring vendor that operates in its own separate AWS account and needs ongoing access to certain…
- A company's security team wants to allow users in a development AWS account to access resources in a production AWS account without sharing…
- A company runs an application on an Amazon EC2 instance. The application needs to read objects from an Amazon S3 bucket, and the company…
- A company wants to allow an application running on an Amazon EC2 instance to access an Amazon S3 bucket without storing long-term…
- An organization wants to grant an application running on an Amazon EC2 instance access to Amazon S3 without storing long-term credentials…
- A company needs to allow an application running on Amazon EC2 instances to securely access Amazon S3 buckets without storing long-term…
- Developers at a company need elevated permissions only occasionally to perform certain maintenance tasks. The security team wants to grant…
- An application running on an Amazon EC2 instance needs to access objects stored in Amazon S3. According to AWS security best practices, how…
- A security team is reviewing AWS IAM best practices. They want to ensure that applications running on Amazon EC2 instances access other AWS…
- An application running on an Amazon EC2 instance needs to read objects from an Amazon S3 bucket. The company wants to grant this access…
- A company has multiple AWS accounts and wants to allow users in a development account to access resources in a production account without…
- A company is building an application that runs on Amazon EC2 instances and needs to access Amazon DynamoDB tables. The security team…
- A company is implementing a security best practice for applications that require AWS access. The security team wants to ensure that…
- A company wants its IAM users to perform daily work with limited permissions but temporarily gain a higher level of permissions only when…
- A company wants to grant an Amazon EC2 instance secure access to an Amazon S3 bucket without storing long-term credentials on the instance.…
- Use roles, not access keys, for workloads
For workloads on AWS compute such as
Amazon EC2orAWS Lambda, attach anIAMrole rather than embedding an IAM user's access keys. AWS delivers and rotates the role's temporary credentials to the resource automatically, so there are no long-lived secrets to distribute or leak.Trap Storing an IAM user's access keys on an EC2 instance or in a Lambda environment variable. Embedded long-term keys are exactly what an attached role removes.
9 questions test this
- A company runs an application on an Amazon EC2 instance. The application needs to read objects from an Amazon S3 bucket, and the company…
- A company wants to allow an application running on an Amazon EC2 instance to access an Amazon S3 bucket without storing long-term…
- An organization wants to grant an application running on an Amazon EC2 instance access to Amazon S3 without storing long-term credentials…
- A company needs to allow an application running on Amazon EC2 instances to securely access Amazon S3 buckets without storing long-term…
- An application running on an Amazon EC2 instance needs to access objects stored in Amazon S3. According to AWS security best practices, how…
- A security team is reviewing AWS IAM best practices. They want to ensure that applications running on Amazon EC2 instances access other AWS…
- An application running on an Amazon EC2 instance needs to read objects from an Amazon S3 bucket. The company wants to grant this access…
- A company is building an application that runs on Amazon EC2 instances and needs to access Amazon DynamoDB tables. The security team…
- A company wants to grant an Amazon EC2 instance secure access to an Amazon S3 bucket without storing long-term credentials on the instance.…
- AWS managed vs customer managed policies
AWS managed policies are standalone policies written and updated by AWS for common use cases; customer managed policies are ones you create and tune for your specific needs. AWS advises starting from a managed policy (often by copying one) and tightening toward least privilege, since a broad managed policy rarely matches your exact requirement.
Trap Assuming you can edit an AWS managed policy to fit your needs. AWS owns and updates those, so you copy one into a customer managed policy to customize it.
19 questions test this
- A company wants to implement least-privilege access for its AWS resources. The security team needs to provide developers with permissions…
- A company is reviewing its IAM policies to implement least privilege access. The security team discovers that AWS managed policies attached…
- A company wants to grant permissions to IAM users efficiently while maintaining the ability to update permissions centrally. The company…
- A company wants to grant specific permissions to an IAM role while maintaining the ability to reuse the same set of permissions across…
- A company wants to grant its development team read-only access to Amazon EC2 and Amazon S3. The security administrator needs a solution…
- A company wants to create reusable permission policies that can be attached to multiple IAM users, groups, and roles across their AWS…
- A company wants to assign permissions to its IAM users by using predefined, standalone policies that AWS creates and maintains for common…
- A company is using AWS managed policies for common job functions but wants to further restrict permissions for a specific team. What is the…
- A security administrator needs to create an IAM policy that can be reused across multiple IAM users, groups, and roles while allowing the…
- A cloud administrator needs to create IAM policies tailored to the company's specific security requirements. The administrator wants full…
- A company's security policy requires that IAM policies attached to developers can ONLY be changed by security administrators, not by the…
- A cloud architect needs to grant permissions for common use cases across multiple IAM users in an AWS account. The architect wants a policy…
- A company's security policy requires that IAM policies be reusable across multiple IAM users, groups, and roles while being maintained and…
- A company wants to create a reusable permission set that can be attached to multiple IAM users and roles, and updated centrally when…
- A company wants to grant permissions to IAM users by using ready-made policies that align with common IT job functions and are kept up to…
- A company needs to grant permissions to an IAM user for a specific use case that no AWS managed policy adequately addresses. The security…
- A company is starting to implement IAM policies for new workloads and wants to grant common permissions quickly while understanding that…
- A security administrator must give a data analyst permission to perform only a defined set of Amazon Athena and Amazon S3 actions, with no…
- An administrator needs to apply the same permissions policy to multiple IAM users in different groups across the organization. The policy…
- MFA adds a second authentication factor
Multi-factor authentication requires something you have (a passkey or FIDO security key, a virtual authenticator app, or a hardware TOTP token) in addition to the password, so a stolen password alone can't sign in. AWS recommends enabling
MFAfor the root user and all privileged IAM users, and now ends support for SMS-based MFA.Trap Treating a strong or rotated password as multi-factor authentication. MFA requires a second, separate factor such as a security key or authenticator app, not just a better password.
4 questions test this
- A company wants each of its IAM users to provide a one-time code from an authentication app in addition to a password when they sign in to…
- A company enables multi-factor authentication for AWS Management Console sign-in. In addition to entering a password, which item represents…
- A company recently created a new AWS account. The security team wants to implement multi-factor authentication (MFA) as quickly as possible…
- A company wants to require a privileged IAM user to provide both a password and a one-time code from an authentication device when signing…
- Password policies set credential rules
An IAM account password policy sets minimum length, required character types, expiration, and reuse rules for IAM user console passwords. It governs only IAM user passwords (not the root user password, not access keys, and not federated or role-based sign-in) and it can't enforce a lockout after failed attempts.
Trap Expecting the IAM password policy to govern the root user's password or lock accounts after failed logins. It applies only to IAM user passwords and has no failed-attempt lockout.
- Secrets Manager stores and rotates secrets
AWS Secrets Managerencrypts secrets withAWS KMSand can rotate them automatically on a schedule, with managed (no-Lambda) rotation forAmazon RDS,Amazon Aurora,Amazon Redshift, andAmazon DocumentDBcredentials. Pick it over Parameter Store when you need built-in scheduled rotation of database or API credentials.Trap Reaching for Systems Manager Parameter Store when the requirement is automatic credential rotation. Parameter Store stores secrets but does not rotate them.
6 questions test this
- Some developers have proposed saving the application's sensitive credentials in a shared file inside an Amazon S3 bucket. The security team…
- A development team needs to store third-party API keys for an application, retrieve them at runtime, and have them rotated automatically on…
- A security review finds that developers have hardcoded database passwords directly in their application source code. The company must…
- A company already uses AWS Key Management Service (AWS KMS) to manage its encryption keys. The company now needs a service whose primary…
- A web application uses SSL/TLS certificates for its HTTPS endpoints and also relies on a database password to connect to its backend. The…
- An application connects to an Amazon RDS database using a password. The company wants to store this database credential securely and have…
- Parameter Store is the low-cost secret/config option
AWS Systems ManagerParameter Store holds configuration values and secrets, encryptingSecureStringparameters withAWS KMS, and its standard tier carries no additional charge. Choose it for simple, low-cost storage when you don't need automatic rotation. AWS itself points you toSecrets Managerfor rotating credentials.Trap Choosing Parameter Store when the requirement calls for built-in automatic rotation. That scheduled rotation is Secrets Manager's job, not Parameter Store's.
3 questions test this
- A company wants a single place to store credentials and other configuration values used by its applications. Staff update these values…
- A company wants a central, low-cost place to store application configuration data, including a few values that must be encrypted. The…
- A development team wants a low-cost way to centrally store application configuration data, such as plaintext settings and encrypted secure…
- Never hard-code secrets in code
Database passwords, API keys, and tokens belong in
AWS Secrets ManagerorAWS Systems ManagerParameter Store, not in source code or config files where anyone who can read the app can extract them. The application fetches the secret at runtime, so credentials never live in the codebase.Trap Treating an encrypted source file or a 'private' repository as a safe place to store credentials. Anyone who can read the app can extract embedded secrets, so they belong in Secrets Manager or Parameter Store.
- IAM Identity Center centralizes workforce access
AWS IAM Identity Center(renamed from AWS Single Sign-On in 2022) gives employees one sign-in and one portal to all the AWS accounts and applications they're assigned, and can connect to an existing identity provider. It's the answer for centralized workforce access across many accounts, instead of creating duplicate IAM users in each one.Trap Creating duplicate IAM users in every account for centralized employee access. IAM Identity Center provides one sign-in across all accounts and is the intended answer.
3 questions test this
- A company manages its workforce identities in a corporate directory and wants employees to use a single sign-on experience to access…
- A company manages many AWS accounts in AWS Organizations and wants its employees to sign in one time and then access assigned AWS accounts…
- A company uses an external corporate identity provider and wants employees to sign in once to access multiple AWS accounts in its AWS…
- Permission sets assign multi-account access
In
AWS IAM Identity Centeryou define a permission set (a reusable template of IAM policies) then assign a group to an account with it; Identity Center provisions a matching IAM role in that account and lets the users assume it. Sessions are temporary, defaulting to a one-hour AWS account session (up to 12 hours).- Federation reuses existing logins
Identity federation lets users authenticate with an external identity provider (a corporate directory or a SAML 2.0 / OIDC provider) and then assume an
IAMrole for temporary AWS access. No new AWS password is created and access stays managed in the existing directory, so there are no long-term AWS credentials to distribute.Trap Creating a matching IAM user for each employee already in the corporate directory. Federation lets them assume a role with their existing login instead of issuing new AWS credentials.
4 questions test this
- A company wants to allow users who are authenticated by a third-party identity provider to access AWS resources without creating individual…
- A company manages its workforce identities in a corporate directory and wants employees to use a single sign-on experience to access…
- A company manages many AWS accounts in AWS Organizations and wants its employees to sign in one time and then access assigned AWS accounts…
- A company uses an external corporate identity provider and wants employees to sign in once to access multiple AWS accounts in its AWS…
- Cross-account roles avoid duplicate users
To let one account's principals work in another account you own, create an
IAMrole in the target account whose trust policy names the source account, then grant those principals permission to callSTSAssumeRole. This delegates access without creating and maintaining duplicate IAM users in every account.Trap Creating a second IAM user with its own access keys in the other account for cross-account access. A role assumed via STS delegates access without duplicate users or long-term keys.
4 questions test this
- A company contracts a third-party monitoring vendor that operates in its own separate AWS account and needs ongoing access to certain…
- A company's security team wants to allow users in a development AWS account to access resources in a production AWS account without sharing…
- A company wants to grant users in Account A access to resources in Account B. The company does not want to create duplicate IAM users in…
- A company has multiple AWS accounts and wants to allow users in a development account to access resources in a production account without…
- Workforce identity is not application end-user identity
IAMandAWS IAM Identity Centergovern your workforce's access to AWS accounts and resources. Signing in the end users of your own web or mobile app is a separate customer-identity concern handled byAmazon Cognito, not by these workforce services.Trap Choosing IAM Identity Center to authenticate the customers of your public app. That's Amazon Cognito's job; Identity Center is for your workforce.
- FIDO security keys are the phishing-resistant MFA option
FIDO security keys are physical devices that use public-key cryptography for strong, phishing-resistant authentication that TOTP codes can't match. They need no batteries, and a single key can back multiple root and IAM users, which makes them AWS's recommended MFA type for highly privileged accounts.
Trap Picking an SMS text-message or TOTP authenticator code as the phishing-resistant MFA option. Only FIDO security keys use public-key cryptography that resists phishing.
6 questions test this
- A company wants to enhance security for their AWS account by implementing MFA. The security team requires a phishing-resistant…
- A security administrator needs to implement the MOST phishing-resistant multi-factor authentication (MFA) method for highly privileged IAM…
- A company's security policy requires the strongest, phishing-resistant multi-factor authentication (MFA) for administrators who sign in to…
- A company wants to use physical MFA devices to protect its AWS account root user and IAM users. The security team is evaluating hardware…
- A company is evaluating MFA options for their IAM users who access the AWS Management Console. The security team requires a solution that…
- A security administrator needs to implement the strongest phishing-resistant multi-factor authentication for the AWS account root user. The…
- IAM policy types: identity-based, inline, trust, and service-linked
Identity-based policies are JSON documents attached to IAM users, groups, or roles to define what they can do. An inline policy is embedded in a single identity in a strict one-to-one relationship and is deleted with it; a managed policy is preferred when more than one identity needs it. A role's trust policy names which principals may assume the role, and a service-linked role is predefined and owned by an AWS service, so administrators can view but not edit its permissions.
4 questions test this
- A company is setting up Amazon Lex bots and notices that AWS automatically creates a role with specific permissions for the service. The…
- A company wants to grant permissions by attaching JSON permissions documents directly to its IAM users, groups, and roles to control what…
- A company wants to attach a permissions policy that maintains a strict one-to-one relationship with a single IAM user, so that the policy…
- A solutions architect needs to configure an IAM role that allows an AWS service to perform actions on behalf of the company. The role must…
Also tested in
- DEA-C01 AWS Certified Data Engineer - Associate
- DVA-C02 AWS Certified Developer - Associate
- DVA-C02 AWS Certified Developer - Associate
- SAA-C03 AWS Certified Solutions Architect – Associate
- SAP-C02 AWS Certified Solutions Architect - Professional
- AZ-900 Microsoft Azure Fundamentals
- SC-300 Microsoft Certified: Identity and Access Administrator Associate
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- https://aws.amazon.com/secrets-manager/faqs/
- https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
- https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html