Design Secure Architectures — AWS Certified Solutions Architect – Associate Practice Questions

Learning

Loading practice session...

Loading certificate…

Ready to learn

Sample questions — Design Secure Architectures

1. A company needs to grant an application running on an EC2 instance access to S3 without embedding credentials in the code. Which IAM identity type is the BEST solution?

A.Create an IAM User with programmatic access keys and store them in environment variables on the instance.
B.Create an IAM Role with the required S3 permissions and attach it to the EC2 instance via an instance profile.✓ Correct
C.Create an IAM Group with S3 permissions and add the EC2 instance as a member of the group.
D.Use the root account access keys to grant the application full access to all AWS services.

Explanation

IAM Roles attached via instance profiles provide temporary, automatically-rotated credentials to EC2 instances — eliminating the need to manage static keys. IAM Groups only contain users (not instances), and embedding long-term credentials is a security anti-pattern.

2. An administrator wants to enforce MFA for all IAM users before they can perform sensitive operations in the AWS Console. Which approach correctly implements this requirement?

A.Enable MFA on the root account only, since root controls all other accounts by default.
B.Attach an IAM policy with a Condition element requiring aws:MultiFactorAuthPresent to be true for sensitive actions.✓ Correct
C.Configure MFA at the VPC level so that network access is blocked without a second factor.
D.Use AWS Config to audit MFA usage after the fact, and revoke access for non-compliant users weekly.

Explanation

IAM policies support the aws:MultiFactorAuthPresent condition key, which enforces MFA before allowing specific API calls. This is the correct preventive control; AWS Config is detective-only and cannot enforce MFA in real time.

3. A security engineer needs to grant a specific IAM role a narrowly scoped policy that will never be reused or attached to any other identity. Which policy type is most appropriate?

A.An AWS Managed Policy, because AWS maintains and updates it automatically for new service features.
B.A Customer-Managed Policy, because it can be versioned, shared across identities, and centrally audited.
C.An Inline Policy embedded directly in the role, because it maintains a strict one-to-one relationship with that identity.✓ Correct
D.A Service Control Policy (SCP), because it provides the tightest scope for a single IAM role.

Explanation

Inline policies are directly embedded in a single IAM identity and are deleted when the identity is deleted — ideal for strict one-to-one permission bindings. SCPs apply at the AWS Organizations level, not to individual roles.

4. Which IAM policy element explicitly overrides all Allow statements and immediately denies access regardless of any other policy attached to the identity?

A.The NotAction element, which applies permissions to all actions except those listed.
B.The Deny Effect, which takes precedence over any Allow in the same or any other attached policy.✓ Correct
C.The Condition element with a StringNotEquals operator, which conditionally blocks access.
D.The Resource element set to '*', which broadens scope and implicitly denies specific resources.

Explanation

In IAM, an explicit Deny always overrides any Allow — this is the foundational evaluation logic. NotAction and Condition elements modify scope but do not provide the same guaranteed override that an explicit Deny does.

5. A development team in Account A needs read access to an S3 bucket owned by Account B. Which combination of policies enables cross-account access?

A.An identity-based policy in Account A granting S3 access is sufficient — no changes are needed in Account B.
B.Both an identity-based policy on the Account A principal AND a resource-based bucket policy in Account B granting Account A access are required.✓ Correct
C.A Service Control Policy applied at the AWS Organizations root will automatically grant cross-account S3 access between member accounts.
D.An IAM Permission Boundary on the Account A role automatically allows access to any resource in Account B.

Explanation

Cross-account S3 access requires trust from both sides: an identity-based policy allowing the action, and a resource-based bucket policy granting access to the external principal. SCPs restrict but do not grant permissions.

Practice all 88+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Solutions Architect – Associate practice questions are there for Design Secure Architectures?↓

AnyCert has 88 AWS Certified Solutions Architect – Associate practice questions specifically for the Design Secure Architectures domain, each with a detailed AI-tutored explanation.

Is Design Secure Architectures heavily tested on the AWS Certified Solutions Architect – Associate exam?↓

Design Secure Architectures is one of the core domains in the AWS Certified Solutions Architect – Associate exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the Design Secure Architectures domain for AWS Certified Solutions Architect – Associate?↓

Practice all 88 Design Secure Architectures questions in AnyCert, review every explanation for missed answers, and use the AI tutor to clarify any concept. Focus on understanding the reasoning behind each answer, not just memorizing the correct choice.

Sample questions — Design Secure Architectures

1. A company needs to grant an application running on an EC2 instance access to S3 without embedding credentials in the code. Which IAM identity type is the BEST solution?

A.Create an IAM User with programmatic access keys and store them in environment variables on the instance.
B.Create an IAM Role with the required S3 permissions and attach it to the EC2 instance via an instance profile.✓ Correct
C.Create an IAM Group with S3 permissions and add the EC2 instance as a member of the group.
D.Use the root account access keys to grant the application full access to all AWS services.

Explanation

2. An administrator wants to enforce MFA for all IAM users before they can perform sensitive operations in the AWS Console. Which approach correctly implements this requirement?

A.Enable MFA on the root account only, since root controls all other accounts by default.
B.Attach an IAM policy with a Condition element requiring aws:MultiFactorAuthPresent to be true for sensitive actions.✓ Correct
C.Configure MFA at the VPC level so that network access is blocked without a second factor.
D.Use AWS Config to audit MFA usage after the fact, and revoke access for non-compliant users weekly.

Explanation

3. A security engineer needs to grant a specific IAM role a narrowly scoped policy that will never be reused or attached to any other identity. Which policy type is most appropriate?

A.An AWS Managed Policy, because AWS maintains and updates it automatically for new service features.
B.A Customer-Managed Policy, because it can be versioned, shared across identities, and centrally audited.
C.An Inline Policy embedded directly in the role, because it maintains a strict one-to-one relationship with that identity.✓ Correct
D.A Service Control Policy (SCP), because it provides the tightest scope for a single IAM role.

Explanation

4. Which IAM policy element explicitly overrides all Allow statements and immediately denies access regardless of any other policy attached to the identity?

A.The NotAction element, which applies permissions to all actions except those listed.
B.The Deny Effect, which takes precedence over any Allow in the same or any other attached policy.✓ Correct
C.The Condition element with a StringNotEquals operator, which conditionally blocks access.
D.The Resource element set to '*', which broadens scope and implicitly denies specific resources.

Explanation

5. A development team in Account A needs read access to an S3 bucket owned by Account B. Which combination of policies enables cross-account access?

A.An identity-based policy in Account A granting S3 access is sufficient — no changes are needed in Account B.
B.Both an identity-based policy on the Account A principal AND a resource-based bucket policy in Account B granting Account A access are required.✓ Correct
C.A Service Control Policy applied at the AWS Organizations root will automatically grant cross-account S3 access between member accounts.
D.An IAM Permission Boundary on the Account A role automatically allows access to any resource in Account B.

Explanation

Practice all 88+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Solutions Architect – Associate practice questions are there for Design Secure Architectures?↓

AnyCert has 88 AWS Certified Solutions Architect – Associate practice questions specifically for the Design Secure Architectures domain, each with a detailed AI-tutored explanation.

Is Design Secure Architectures heavily tested on the AWS Certified Solutions Architect – Associate exam?↓

How should I study the Design Secure Architectures domain for AWS Certified Solutions Architect – Associate?↓