Identity and Access Management

Identity and Access Management Quiz

Quiz

Question 1 of 31 (0 answered)

Question 1

In AWS IAM’s policy evaluation logic, what happens when there is an explicit DENY in any policy?

It is overridden by an ALLOW in a resource-based policy Access is immediately denied and evaluation stops It is ignored if the user has administrator access It depends on whether the permissions boundary allows it

✓

Correct!

Explicit DENY always wins in IAM policy evaluation. Once an explicit deny is found, evaluation stops immediately and access is denied. This cannot be overridden by any ALLOW, regardless of policy type or user privileges.

✗

Incorrect

Think about the most restrictive rule in IAM security.

Question 2

Which of the following are characteristics of IAM Roles? (Select all that apply)

They provide temporary credentials They require permanent access keys Credentials are automatically rotated They have a trust policy defining who can assume them Time-limited between 15 minutes and 12 hours

✓

Correct!

IAM Roles provide temporary credentials (not permanent access keys) that are automatically rotated. They include a trust policy that defines who can assume them, and the credentials are time-limited from 15 minutes to 12 hours.

✗

Incorrect

Roles are designed for temporary access without long-term credentials.

Question 3

Permissions boundaries grant permissions to IAM users and roles.

True False

✓

Correct!

Permissions boundaries do NOT grant permissions themselves. They only define the maximum permissions that identity-based policies can grant. Effective permissions are the intersection of the identity policy and the permissions boundary.

✗

Incorrect

Think about whether boundaries add or limit permissions.

Question 4

What AWS service generates temporary credentials when an IAM role is assumed?

✓

Correct!

AWS STS (Security Token Service) generates temporary credentials when a role is assumed. These credentials include an access key ID, secret access key, session token, and expiration time.

✗

Incorrect

AWS STS (Security Token Service) generates temporary credentials when a role is assumed. These credentials include an access key ID, secret access key, session token, and expiration time.

It’s a three-letter abbreviation for a service related to security tokens.

Question 5

Given the following IAM setup, what is the effective permission for IAM action iam:CreateUser?

Identity-Based Policy:
  Allow: s3:*, ec2:*, iam:*

Permissions Boundary:
  Allow: s3:*, ec2:*

Request: iam:CreateUser

What will this code output?

ALLOW - The identity policy grants iam:* DENY - Not within permissions boundary ALLOW - Permissions boundary doesn't restrict IAM DENY - Explicit deny in boundary

✓

Correct!

The effective permissions are the intersection of the identity policy and permissions boundary. While the identity policy allows iam:, the permissions boundary only allows s3: and ec2:*. Since iam:CreateUser is not in the boundary, the request is DENIED.

✗

Incorrect

Effective permissions = Identity Policy ∩ Permissions Boundary

Question 6

What is the Confused Deputy Problem in AWS IAM?

The Confused Deputy Problem occurs when a trusted third-party service (the “deputy”) can be tricked into accessing resources on behalf of the wrong customer.

Solution: Use External ID in cross-account trust policies. This adds a secret value that must be provided when assuming the role, ensuring the service acts on behalf of the correct customer.

Example: Without External ID, a malicious customer could trick Datadog into accessing another customer’s AWS account by providing their account ID.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 7

Arrange these IAM policy evaluation steps in the correct order:

Drag to arrange in the order AWS evaluates policies

⋮⋮ Request arrives (user attempts action)

⋮⋮ Check for explicit DENY

⋮⋮ Check for ALLOW in applicable policies

⋮⋮ Apply default DENY if no ALLOW found

⋮⋮ Grant or deny access

✓

Correct!

AWS evaluates policies in this order: 1) Request arrives, 2) Check for explicit DENY (if found, deny immediately), 3) Check for ALLOW in all applicable policies, 4) If no ALLOW, apply default DENY, 5) Grant or deny access based on evaluation.

✗

Incorrect

Question 8

Complete this trust policy to allow an EC2 instance to assume the role:

Fill in the missing service principal

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "_____"
    },
    "Action": "sts:AssumeRole"
  }]
}

Your answer:

✓

Correct!

For EC2 instances to assume a role, the trust policy must specify ec2.amazonaws.com as the service principal. This allows the EC2 service to request temporary credentials on behalf of instances.

✗

Incorrect

For EC2 instances to assume a role, the trust policy must specify ec2.amazonaws.com as the service principal. This allows the EC2 service to request temporary credentials on behalf of instances.

What is the service domain for EC2?

Question 9

What is the primary difference between identity-based policies and resource-based policies?

Identity-based policies are JSON, resource-based are YAML Identity-based attach to users/roles, resource-based attach to resources Identity-based policies are temporary, resource-based are permanent Resource-based policies can only deny, not allow

✓

Correct!

The fundamental difference is where the policy is attached. Identity-based policies attach to IAM users, groups, or roles and define what those identities can do. Resource-based policies attach to AWS resources (like S3 buckets) and define who can access them.

✗

Incorrect

Think about WHERE each policy type lives.

Question 10

In cross-account access, what is required for a user in Account A to access a resource in Account B?

Only an identity-based policy in Account A allowing access Only a resource-based policy in Account B allowing access Both an identity-based policy in Account A AND a resource-based policy in Account B A permissions boundary in both accounts

✓

Correct!

For cross-account access, BOTH policies must allow the action. The user’s identity-based policy in Account A must grant permission to access the resource, AND the resource-based policy in Account B must allow the principal from Account A. Both owners must agree.

✗

Incorrect

Cross-account access requires consent from both sides.

Question 11

IAM Groups can be nested (a group can contain another group).

True False

✓

Correct!

IAM Groups cannot be nested. A group can only contain IAM users, not other groups. If you need hierarchical organization, you must use separate groups and manage membership accordingly.

✗

Incorrect

IAM Groups cannot be nested. A group can only contain IAM users, not other groups. If you need hierarchical organization, you must use separate groups and manage membership accordingly.

Think about what IAM Groups can contain.

Question 12

Which of the following are IAM best practices? (Select all that apply)

Enable MFA on the root account Share IAM user credentials among team members Use IAM roles for EC2 instances instead of embedding access keys Grant administrator access to all developers for flexibility Rotate credentials regularly Use groups to assign permissions rather than attaching directly to users

✓

Correct!

Best practices include: enabling MFA on root, using roles for services (no hardcoded keys), rotating credentials regularly, and using groups for permission management. Never share credentials or grant excessive permissions (principle of least privilege).

✗

Incorrect

Focus on security, least privilege, and automated credential management.

Question 13

What IAM principle states that all actions are denied unless explicitly allowed?

✓

Correct!

The ‘Deny by Default’ principle means all actions are implicitly denied unless there is an explicit ALLOW in a policy. This is a fundamental security concept in IAM that ensures restrictive access control.

✗

Incorrect

It’s about the default state when no policy grants permission.

Question 14

What is the purpose of External ID in IAM trust policies?

To encrypt the trust policy for security To prevent the confused deputy problem in cross-account access To define the maximum duration for assumed role credentials To specify which AWS regions the role can be assumed from

✓

Correct!

External ID prevents the confused deputy problem by adding a secret value to trust policies. When a third-party service (like Datadog) needs access to multiple customer accounts, the External ID ensures they can only assume the role on behalf of the correct customer.

✗

Incorrect

It’s about preventing unauthorized cross-account access by third parties.

Question 15

What is the effective permission for this scenario?

Policy 1 (Identity):
  Effect: Allow
  Action: s3:*
  Resource: *

Policy 2 (Boundary):
  Effect: Deny
  Action: s3:DeleteBucket
  Resource: *

Request: s3:DeleteBucket

What will this code output?

ALLOW - Identity policy grants s3:* DENY - Explicit deny in boundary ALLOW - Permissions boundaries don't deny Depends on resource-based policy

✓

Correct!

Even though the identity policy grants s3:* (which includes DeleteBucket), there is an explicit DENY in the permissions boundary. Explicit DENY always wins, so the request is DENIED. Evaluation stops as soon as an explicit deny is found.

✗

Incorrect

Remember: Explicit DENY always wins.

Question 16

What is the difference between a Trust Policy and a Permissions Policy in IAM roles?

Trust Policy (Assume Role Policy):

Defines WHO can assume the role
Contains Principal element
Uses sts:AssumeRole action
Attached only to IAM roles
Always inline (cannot be reused)

Permissions Policy (IAM Policy):

Defines WHAT actions are allowed
No Principal element
Uses service-specific actions (s3:, ec2:, etc.)
Can attach to users, groups, or roles
Can be managed (reusable) or inline

Together: Trust policy controls access to the role, permissions policy controls what the role can do.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 17

Which of the following credentials types are considered long-term? (Select the best answer)

IAM role temporary credentials IAM user access keys and passwords STS session tokens EC2 instance profile credentials

✓

Correct!

IAM user access keys and passwords are long-term credentials that don’t expire automatically. In contrast, IAM role credentials, STS tokens, and instance profile credentials are all temporary and automatically rotated.

✗

Incorrect

Which credentials require manual rotation?

Question 18

AWS managed policies can be modified by customers to fit their specific requirements.

True False

✓

Correct!

AWS managed policies are created and maintained by AWS and cannot be modified by customers. If you need custom permissions, you must create customer managed policies instead.

✗

Incorrect

AWS managed policies are created and maintained by AWS and cannot be modified by customers. If you need custom permissions, you must create customer managed policies instead.

Who controls AWS managed policies?

Question 19

When should you use IAM roles instead of IAM users? (Select all that apply)

For EC2 instances accessing AWS services For individual human developers needing console access For Lambda functions needing AWS permissions For cross-account access between AWS accounts For federated users from corporate identity providers

✓

Correct!

Use IAM roles for: EC2 instances (instance roles), Lambda functions (execution roles), cross-account access, and federated identities. Use IAM users for individual human access with long-term credentials. Roles provide temporary credentials without hardcoded keys.

✗

Incorrect

Roles are for temporary access and services; users are for people.

Question 20

Complete this IAM policy to allow read-only access to a specific S3 bucket:

Fill in the missing action that allows listing bucket contents

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "_____"
    ],
    "Resource": [
      "arn:aws:s3:::my-bucket/*",
      "arn:aws:s3:::my-bucket"
    ]
  }]
}

Your answer:

✓

Correct!

s3:ListBucket allows listing the contents of the bucket. Together with s3:GetObject (which retrieves objects), this provides complete read-only access. Note that ListBucket applies to the bucket itself, while GetObject applies to objects within it.

✗

Incorrect

What action lets you see what’s inside the bucket?

Question 21

What happens when an IAM user belongs to multiple groups with different policies?

Only the first group’s policies apply Only the most restrictive policy applies All policies from all groups are combined (union of permissions) The policies conflict and access is denied

✓

Correct!

When a user belongs to multiple groups, all policies from all groups are combined. The effective permissions are the union of all ALLOW statements (unless an explicit DENY exists). This makes group membership additive.

✗

Incorrect

Think about how multiple policies interact - additive or restrictive?

Question 22

Arrange these IAM identity types in order from most specific to most general:

Drag to arrange from most granular to broadest

⋮⋮ IAM User (individual person/application)

⋮⋮ IAM Group (collection of users)

⋮⋮ IAM Role (assumable by multiple entities)

⋮⋮ AWS Account Root User (full account access)

✓

Correct!

From most specific to most general: IAM User (individual), IAM Group (collection of users), IAM Role (can be assumed by various entities), Root User (complete account control). Specificity decreases as scope broadens.

✗

Incorrect

Think about scope and who/what can use each identity type.

Question 23

Inline policies can be attached to multiple IAM users, groups, or roles for reusability.

True False

✓

Correct!

Inline policies have a strict 1:1 relationship with a single IAM identity. They cannot be reused across multiple users, groups, or roles. For reusability, use managed policies (AWS managed or customer managed) instead.

✗

Incorrect

What does ‘inline’ imply about the relationship?

Question 24

What is the Principle of Least Privilege in IAM?

Principle of Least Privilege means granting only the minimum permissions necessary to perform required tasks.

Implementation:

Start with no permissions (deny by default)
Add permissions only as needed
Regularly review and revoke unused permissions
Use specific actions and resources instead of wildcards

Benefits:

Reduces security risk from compromised credentials
Limits blast radius of accidents or mistakes
Improves compliance and auditability
Forces intentional permission design

Example: Give a developer read-only S3 access to specific buckets, not full S3 admin access to all buckets.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 25

Which element is REQUIRED in a resource-based policy but NOT in an identity-based policy?

Effect Action Principal Resource

✓

Correct!

The Principal element is required in resource-based policies to specify who can access the resource. Identity-based policies don’t need Principal because it’s implicit (the identity the policy is attached to).

✗

Incorrect

Resource-based policies need to specify WHO, identity-based policies don’t.

Question 26

Which AWS services commonly use resource-based policies? (Select all that apply)

Amazon S3 (bucket policies) IAM Users AWS Lambda (function policies) Amazon SQS (queue policies) IAM Groups

✓

Correct!

S3 buckets, Lambda functions, and SQS queues all support resource-based policies. IAM Users and Groups only support identity-based policies, not resource-based policies.

✗

Incorrect

S3 buckets, Lambda functions, and SQS queues all support resource-based policies. IAM Users and Groups only support identity-based policies, not resource-based policies.

Which of these are AWS resources vs IAM identities?

Question 27

For this cross-account scenario, will access be granted?

Account A (111111111111):
  User: Alice
  Identity Policy: Allow s3:GetObject on bucket-B/*

Account B (222222222222):
  Bucket: bucket-B
  Resource Policy: (no policy exists)

Request: Alice tries to get object from bucket-B

What will this code output?

ALLOW - Alice's identity policy grants access DENY - No resource policy in Account B allowing Account A ALLOW - Same-account access doesn't need resource policy Depends on Alice's permissions boundary

✓

Correct!

For cross-account access, BOTH the identity policy (Account A) AND resource policy (Account B) must allow the action. Even though Alice’s identity policy allows s3:GetObject, there’s no resource policy on bucket-B permitting Account A access, so the request is DENIED.

✗

Incorrect

Cross-account requires two-way approval.

Question 28

What IAM tool helps identify resources shared with external entities and unused access?

✓

Correct!

IAM Access Analyzer continuously monitors your resources to identify those shared with external entities. It also helps identify unused access (unused roles, passwords, access keys) to help apply least privilege.

✗

Incorrect

It’s a service that analyzes your IAM configuration for security insights.

Question 29

What is the maximum duration for temporary credentials from an assumed IAM role?

1 hour 6 hours 12 hours 24 hours

✓

Correct!

IAM role temporary credentials can be configured for a duration between 15 minutes (minimum) and 12 hours (maximum). The default is typically 1 hour.

✗

Incorrect

IAM role temporary credentials can be configured for a duration between 15 minutes (minimum) and 12 hours (maximum). The default is typically 1 hour.

It’s measured in hours, and it’s the longest option that doesn’t exceed half a day.

Question 30

MFA (Multi-Factor Authentication) should be enabled for all IAM users in an AWS account.

True False

✓

Correct!

While MFA is a security best practice, it should be enabled at minimum for the root account and privileged users (those with administrative or sensitive access). Enabling MFA for all users is ideal but not always required, especially for service accounts or limited-access users.

✗

Incorrect

Consider the difference between ‘best practice’ and ‘minimum requirement.’

Question 31

What are the three main IAM identity types and when should each be used?

1. IAM Users

For: Individual people or applications
Credentials: Long-term (username/password, access keys)
Use when: Need persistent human access or dedicated application credentials

2. IAM Groups

For: Collections of IAM users with similar permissions
Credentials: None (users have credentials)
Use when: Managing permissions for multiple users (teams, roles)

3. IAM Roles

For: Temporary access for services, cross-account, or federated users
Credentials: Temporary (STS-generated, auto-rotated)
Use when: EC2/Lambda need AWS access, cross-account access, or federated identity

Best Practice: Prefer roles over users for services; use groups to manage user permissions.

Did you get it right?

✓

Correct!

✗

Incorrect

Quiz Results

Score

0/0

Accuracy

Right

Wrong

Skipped

Last updated on January 6, 2026

Load Balancing and Scaling Storage Services