Lesson 16

Quiz: IAM

15 questions covering Shared Responsibility Model, IAM users/groups/roles/policies, root user security, MFA, and CloudTrail

Instructions: Click one option per question for immediate feedback. Target: 13/15 (87%). This quiz combines IAM fundamentals, advanced security practices, and the shared responsibility model.

IAM Quiz

Select one answer per question. You will receive immediate feedback.

1. Under the AWS shared responsibility model, who is responsible for configuring and managing security groups?

AWS — security groups are part of the infrastructure AWS manages.The customer — security groups are a customer-configurable firewall.Both — AWS creates security groups, the customer attaches them.Third-party auditors who verify AWS compliance.

2. Which service model shifts the most security responsibility to AWS, leaving the customer primarily responsible only for their data and permissions?

Infrastructure as a Service (IaaS)Platform as a Service (PaaS)Software as a Service (SaaS)Desktop as a Service (DaaS)

3. An organization has three departments: Engineering, Marketing, and Finance. Each needs different AWS permissions. What is the best IAM structure?

Create one IAM user per department and share the credentials within each team.Create three IAM groups, attach appropriate policies to each, and add users to their respective group(s).Use the root user for all departments and assign different profiles.Create three IAM roles and embed them in each department's infrastructure.

4. What happens when an IAM user has no policies attached, either directly or through any group membership?

The user can read all resources but cannot modify any.The user is implicitly denied access to all AWS resources and actions.The user gains the same permissions as the root user.The user can access only S3 and EC2 by default.

5. Policy A allows "s3:GetObject" on all buckets. Policy B explicitly denies "s3:GetObject" on bucket "finance-data". Both are attached to the same IAM user. Can the user read objects from "finance-data"?

Yes — Policy A applies to all buckets, so the allow takes precedence.No — an explicit deny always overrides any allow statement.Yes — but only if Policy A was created before Policy B.It depends on whether the policies are managed or inline.

6. An application on an EC2 instance must write data to a DynamoDB table. How should the administrator grant this access?

Create an IAM user with DynamoDB permissions and hardcode its access keys in the application.Create an IAM role with a DynamoDB write policy and attach it to the EC2 instance.Create a DynamoDB table policy that accepts traffic from the EC2 instance's IP address.Grant DynamoDB permissions to the root user and configure the application to use root keys.

7. An auditor needs read-only access to all resources in another company's AWS account. What is the safest way to grant this?

Create an IAM user in the target account and email the credentials to the auditor.Create a cross-account IAM role with a read-only policy that the auditor can assume from their own account.Share the root user credentials with the auditor and change them after the audit.Create an S3 bucket policy that grants the auditor access to all resources.

8. Which of the following can be performed only by the AWS account root user?

Creating IAM users and groupsLaunching an EC2 instanceChanging the AWS Support planCreating an S3 bucket

9. What is the recommended immediate action after creating an AWS account?

Keep using the root user — it provides full access and avoids permission errors.Create an IAM admin user, enable MFA on root, lock away root credentials, and use the IAM user going forward.Share root credentials with the team and create IAM users for additional permissions.Disable the root user — IAM users can perform all actions, including root-only tasks.

10. Which of the following is NOT a valid MFA option in AWS?

A virtual MFA application like Google AuthenticatorA U2F security key like YubiKeyA hardware MFA key fob from GemaltoAn SMS text message with a one-time code sent to the user's phone

11. AWS CloudTrail is enabled by default. What does it log?

Resource configuration changes tracked by AWS Config.All API requests to resources in supported services, viewable for the last 90 days.Application logs and performance metrics from EC2 instances.Billing data and cost allocation tags.

12. To retain CloudTrail logs beyond 90 days and trigger alerts on specific events, what must you do?

Upgrade to the Enterprise Support Plan.Create a Trail, configure an S3 bucket for storage, and apply it to all Regions.Enable CloudTrail Insights from the console.Deploy an EC2 instance to archive the CloudTrail event history.

13. What is the primary difference between an IAM role and an IAM user?

Roles are more expensive than users.Roles are associated with one person; users can be assumed by anyone.Users have permanent long-term credentials; roles provide temporary credentials when assumed.Roles can only access S3; users can access all services.

14. Which statement about IAM password policies is correct?

Password policies are enforced per IAM group, not at the account level.Password policies apply to all IAM users in the account and can enforce length, complexity, and rotation rules.Password policies automatically apply to the root user as well.Password policies are enabled by default with a minimum 12-character length.

15. IAM is a global service. What does this mean in practice?

IAM users can access resources in all AWS Regions, but only if granted by a regional policy.IAM settings, users, groups, roles, and policies are defined once and apply across all AWS Regions automatically.IAM automatically creates identical user credentials in every Region.IAM costs the same in all Regions but must be configured per Region.

Progress: 0/15 correct (0%). Answer all questions to see the final recommendation.

Ask your teacher: Scoring: 13-15/15 (87%+): Proceed to Security Services. 11-12/15 (73-80%): Review missed topics. 10/15 or below: Revisit lessons 0023-0025; IAM is a high-weight exam domain.

Primary Source: AWS Academy Module 4: AWS Cloud Security (module-4.txt).