1. A company wants to grant an EC2 instance access to an S3 bucket without embedding long-term credentials in the application code. What is the correct IAM approach?
- A. Create an IAM role with an S3 access policy and attach it to the EC2 instance as an instance profile, so the instance receives temporary credentials automatically. ✓ Correct
- B. Create an IAM user with S3 permissions, generate access keys, and store them in environment variables on the EC2 instance for the application to use.
- C. Create an IAM group with S3 permissions and add the EC2 instance as a member of the group to inherit the policy.
- D. Enable AWS SSO on the EC2 instance and assign permission sets that include S3 access for the application to authenticate.
Explanation
IAM roles attached as instance profiles provide temporary, automatically rotated credentials that the application retrieves from the instance metadata service, so no static keys are needed. IAM user access keys are long-term credentials that must be stored and rotated manually (risky); EC2 instances cannot be added to IAM groups; AWS SSO manages human user access and does not apply to EC2 service identity.
2. Which IAM entity is automatically created and managed by AWS services like Amazon RDS or Elasticsearch, and cannot be deleted or modified independently?
- A. A service-linked role, which is a predefined IAM role that grants the AWS service the permissions it needs to call other AWS services on your behalf. ✓ Correct
- B. An IAM managed policy, which AWS attaches to service principals automatically and updates whenever the service requires new permissions.
- C. An IAM instance profile, which wraps an IAM role and is assigned to EC2 or RDS instances to provide service-level authentication.
- D. An AWS Organizations service control policy, which AWS creates and enforces at the account level to restrict what services can perform.
Explanation
Service-linked roles are IAM roles pre-configured with exactly the permissions a service needs; AWS creates and manages them, and they cannot be arbitrarily modified or deleted while the service still depends on them. Managed policies, instance profiles, and SCPs are different constructs with distinct purposes.
3. A mobile application needs to authenticate users with a username/password and also federate with Google Sign-In. After authentication, users must access an S3 bucket directly from the mobile client. Which combination of Cognito components satisfies both requirements?
- A. Use a Cognito User Pool for authentication and identity management, then use a Cognito Identity Pool to exchange the User Pool token for temporary AWS credentials to access S3. ✓ Correct
- B. Use a Cognito Identity Pool alone, because it handles both user authentication via built-in user directories and issues temporary AWS credentials for S3 access.
- C. Use a Cognito User Pool alone, because it can issue AWS SigV4-signed credentials that mobile clients use to call S3 directly without any identity pool.
- D. Use AWS IAM federation directly with the mobile app to issue temporary credentials, bypassing Cognito entirely for a simpler architecture.
Explanation
User Pools handle authentication (acting as the identity provider, including federation with Google) and return JWTs; Identity Pools exchange those tokens for temporary IAM credentials via STS. Identity Pools alone cannot authenticate users with a username and password; User Pools alone do not issue AWS credentials; direct IAM federation is not designed for mobile end-user authentication.
4. A developer is confused about the difference between Cognito User Pools and Cognito Identity Pools. Which statement correctly distinguishes the two?
- A. User Pools act as an identity provider that handles sign-up, sign-in, and returns JWT tokens, while Identity Pools provide temporary AWS credentials (via STS) to grant access to AWS services. ✓ Correct
- B. User Pools provide temporary AWS IAM credentials for accessing AWS resources, while Identity Pools manage user directories, sign-up workflows, and MFA settings.
- C. User Pools and Identity Pools are two names for the same service — both authenticate users and issue temporary AWS credentials interchangeably.
- D. Identity Pools replace IAM roles entirely by maintaining a persistent user session that authorizes calls to AWS APIs without needing STS AssumeRole.
Explanation
User Pools = authentication/IdP (JWT tokens). Identity Pools = authorization/AWS credentials obtained via STS AssumeRoleWithWebIdentity. The two roles are distinct and complementary, not interchangeable. Identity Pools do not replace IAM roles (or SCPs); the temporary credentials they hand out are still scoped by the IAM role that is assumed.
5. A gaming company wants unauthenticated guest users to access a leaderboard stored in DynamoDB without requiring sign-in. How should they implement this using Cognito?
- A. Enable unauthenticated identities on the Cognito Identity Pool and assign a restrictive IAM role to the unauthenticated identity pool role, granting read-only DynamoDB access. ✓ Correct
- B. Configure the Cognito User Pool to allow guest access by disabling the sign-up confirmation step, so users get tokens without providing credentials.
- C. Create a public IAM user with DynamoDB read permissions and distribute the access keys inside the mobile application for guest users.
- D. Use an API Gateway resource policy to allow anonymous callers to invoke the DynamoDB API directly without any Cognito or IAM configuration.
Explanation
Cognito Identity Pools natively support unauthenticated (guest) identities; enabling this and defining the unauthenticated IAM role grants guests temporary AWS credentials with tightly scoped permissions. Embedding IAM access keys in a distributed app is a critical security risk, since anyone with the binary can extract them; User Pools cannot issue AWS credentials directly.