Associate-level AWS certification covering secure, resilient, high-performing and cost-optimised architecture design on AWS, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample · Design Secure Architectures · medium
A company runs an application on Amazon EC2 instances that must read objects from a specific Amazon S3 bucket. Developers currently store long-lived IAM user access keys in the application configuration file. A solutions architect must remove the static credentials while granting only the access the application needs. Which approach best meets these requirements?
- A. Attach an IAM role to the EC2 instances with a policy that allows the s3:GetObject action on the specific bucket, and have the application use the role credentials. (Correct)
- B. Create an IAM user with an S3 read-only managed policy and embed its access key and secret key in the EC2 instance user data at launch.
- C. Attach an IAM role to the EC2 instances that grants the AdministratorAccess managed policy so the application can reach the bucket without stored keys.
- D. Store the IAM user access keys in AWS Secrets Manager and have the running application retrieve the same long-lived keys at startup.
Use IAM roles with instance profiles to give EC2 workloads scoped temporary credentials instead of storing long-lived access keys. An IAM role attached through an instance profile delivers short-lived credentials retrieved from the instance metadata service and rotated automatically, eliminating static keys, while a resource-scoped s3:GetObject policy enforces least privilege.
Why A is correct: An instance profile role supplies automatically rotated temporary credentials and a scoped GetObject policy on one bucket grants least privilege without any static keys.
Why B is wrong: Moving the key to user data still relies on long-lived static credentials that can leak, so it fails the requirement to remove static credentials entirely.
Why C is wrong: A role does remove static keys, but AdministratorAccess grants far more than the read access needed and violates the least-privilege requirement badly.
Why D is wrong: Secrets Manager protects the keys at rest, but the application still authenticates with long-lived IAM user credentials rather than removing them as required.
Free sample · Design Secure Architectures · medium
An identity-based policy attached to a developer grants s3:DeleteObject on a bucket, while a bucket policy on the same bucket contains an explicit Deny for s3:DeleteObject from any principal outside the production account. The developer belongs to the production account. When the developer attempts to delete an object, what is the result of IAM policy evaluation?
- A. The request is denied because an explicit Deny in any applicable policy always overrides any Allow during evaluation.
- B. The request is allowed because the identity-based Allow applies and the explicit Deny condition does not match an in-account principal. (Correct)
- C. The request is denied because a resource-based policy always takes precedence over an identity-based policy in cross-policy evaluation.
- D. The request is denied by implicit Deny because two conflicting statements remove the developer's permission to act on the object.
Evaluate IAM requests by combining identity and resource policies, applying explicit Deny only when its conditions actually match the principal. IAM evaluation starts at implicit Deny, unions all applicable Allows, then lets any matching explicit Deny override; because the bucket Deny is conditioned on external principals it never matches an in-account developer, leaving the Allow effective.
Why A is wrong: Explicit Deny does win over Allow, but the Deny here is conditioned on principals outside the production account, so it does not apply to this in-account developer.
Why B is correct: The Deny targets only external principals, so it is not triggered for an in-account developer, and the matching identity-based Allow with no other Deny permits the action.
Why C is wrong: Resource and identity policies are evaluated together as a union of Allows rather than one type overriding the other, so this stated precedence rule is incorrect.
Why D is wrong: Implicit Deny applies only when no Allow exists, but an explicit Allow is present here, so the implicit Deny reasoning does not hold for this request.
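The two explanations above (the scoped s3:GetObject role policy, and the conditioned bucket-policy Deny that never matches an in-account principal) both come down to the same evaluation order: implicit deny, union of Allows, then any matching explicit Deny. The following added example, not part of the question bank, is a deliberately small Python model of that order; the account ID, bucket name and policy documents are constructed, and only the StringEquals / StringNotEquals condition operators are modelled.

```python
import fnmatch

PRODUCTION_ACCOUNT = "111111111111"  # constructed placeholder, not a real account id
BUCKET_OBJECTS = "arn:aws:s3:::app-bucket/*"  # constructed bucket name

# Scenario 1: the instance-profile role's least-privilege policy.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}]}

# Scenario 2: identity Allow plus a bucket-policy Deny for out-of-account principals.
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": BUCKET_OBJECTS}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET_OBJECTS,
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": PRODUCTION_ACCOUNT}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(stmt, action, resource, context):
    """True when Action, Resource and every Condition pair match the request."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True

def evaluate(action, resource, context, *policies):
    """Start at implicit deny, union the Allows, let any matching explicit Deny win."""
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # overrides every Allow, so stop here
            decision = "allow"
    return decision

if __name__ == "__main__":
    ctx = {"aws:PrincipalAccount": PRODUCTION_ACCOUNT}
    print(evaluate("s3:GetObject", "arn:aws:s3:::app-bucket/config.json", ctx, ROLE_POLICY))
    print(evaluate("s3:PutObject", "arn:aws:s3:::app-bucket/config.json", ctx, ROLE_POLICY))
    print(evaluate("s3:DeleteObject", "arn:aws:s3:::app-bucket/old.log", ctx,
                   DEVELOPER_POLICY, BUCKET_POLICY))
```

Swapping the context to a different account ID turns the DeleteObject result into "explicit deny", which is the case the bucket policy is written to catch.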
Free sample · Design Secure Architectures · medium
A company has 60 engineers who each need identical permissions to manage Amazon EC2 and Amazon RDS resources in a development account. The security team wants to manage these permissions in one place and apply future permission changes once rather than editing each identity. How should a solutions architect grant the access?
- A. Attach the EC2 and RDS managed policies directly to each of the 60 IAM users so every engineer holds an independent copy of the permissions.
- B. Create one shared IAM user with the EC2 and RDS permissions and distribute its access keys to all 60 engineers for daily use.
- C. Create an IAM group with the EC2 and RDS policies attached and add all 60 engineers to that group as members. (Correct)
- D. Create a federated identity provider and require every engineer to assume a unique role per session before they can touch any resource.
Use IAM groups to manage one shared permission set for many users so policy changes are applied in a single place. An IAM group is a collection of users that share attached policies, so editing the group policy updates every member at once while each user keeps a separate sign-in identity, giving central management with individual accountability.
Why A is wrong: Direct per-user attachment works initially but forces 60 separate edits for any future change, which is exactly the management burden the team wants to avoid.
Why B is wrong: A shared identity removes individual accountability and spreads long-lived keys widely, so it is an insecure and untraceable way to grant the access.
Why C is correct: An IAM group centralises the policy set so future changes are made once on the group, while each engineer keeps a distinct, auditable individual identity.
Why D is wrong: Federation is valid for external identities, but it adds setup overhead and does not by itself centralise editing the shared permission set as a group would.
Frequently asked questions
- How many questions are on the SAA-C03 exam?
- The AWS Certified Solutions Architect - Associate (SAA-C03) exam has 65 questions and runs for 130 minutes. The format is multiple choice and multiple response.
- What score do I need to pass SAA-C03?
- The pass mark is 720 / 1000. Examworthy gives you a per-domain readiness score so you can see which domains are holding you back before you book.
- How much does the SAA-C03 exam cost?
- The exam costs 150 USD to sit. Practising on Examworthy is free to start, with a worked explanation on every question.
- How does Examworthy help me prepare for SAA-C03?
- Every practice question carries a worked explanation and a per-distractor rationale, mapped to the official blueprint domains. You learn why each answer is right or wrong, not just the letter.
- Is Examworthy affiliated with Amazon Web Services?
- No. Examworthy is not affiliated with or endorsed by Amazon Web Services. Our questions are original, blueprint-aligned practice material; we never reproduce live exam items.
Examworthy is not affiliated with or endorsed by Amazon Web Services. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. SAA-C03 and related marks belong to their respective owners.