In AWS, proper access management and authentication ensure secure workloads in the cloud. From IAM policies to MFA (Multi-Factor Authentication), and from KMS (Key Management Service) to PKI (Public Key Infrastructure), these features form the foundation of AWS security.
This section provides 50 AWS MCQs (101–150) with correct answers and explanations covering:
- IAM Access Control & Roles
- Authentication Mechanisms (MFA, Federation, SSO)
- PKI, Certificates, and AWS Certificate Manager (ACM)
- Encryption with AWS KMS & CloudHSM
Whether you’re preparing for AWS Solutions Architect, SysOps, Security Specialty, or Developer exams, these MCQs will sharpen your knowledge and exam readiness.
AWS Implementation MCQs (101–150): Access, Authentication & PKI
MCQ 101
Which AWS service is primarily used to create and manage encryption keys for secure access?
a) AWS WAF
b) AWS KMS
c) AWS GuardDuty
d) AWS Inspector
Answer: b) AWS KMS
Explanation: AWS Key Management Service (KMS) creates, stores and controls the use of cryptographic keys for encryption, decryption, signing and HMAC operations. Access to each key is governed first by its key policy (which may delegate to IAM policies), every use is recorded in CloudTrail, and most AWS services that encrypt data at rest integrate with it.
MCQ 102
Which AWS feature enables temporary access to AWS resources using security tokens?
a) IAM Roles
b) IAM Groups
c) S3 Policies
d) Security Hub
Answer: a) IAM Roles
Explanation: IAM Roles provide temporary credentials via STS (Security Token Service) that are short-lived and widely used for secure cross-account and service access.
MCQ 103
AWS recommends enabling MFA (Multi-Factor Authentication) for which of the following accounts first?
a) IAM Users
b) Root User
c) EC2 Instances
d) Lambda Functions
Answer: b) Root User
Explanation: The root account has unrestricted access. Enabling MFA on the root account is the first best practice to prevent unauthorized access.
MCQ 104
Which AWS service allows you to manage SSL/TLS certificates for PKI-based security?
a) AWS CloudTrail
b) AWS Certificate Manager (ACM)
c) AWS Secrets Manager
d) AWS Shield
Answer: b) AWS Certificate Manager (ACM)
Explanation: ACM handles SSL/TLS certificates, enabling secure HTTPS connections and public key infrastructure (PKI) integration without manual certificate management.
MCQ 105
Which AWS service helps organizations federate identities from Active Directory or SAML providers?
a) AWS Config
b) AWS IAM Federation
c) AWS Cognito
d) AWS Trusted Advisor
Answer: b) AWS IAM Federation
Explanation: IAM identity federation lets external identities reach AWS without individual IAM users: you register a SAML 2.0 (or OpenID Connect) identity provider in IAM, and federated users call STS AssumeRoleWithSAML (or AssumeRoleWithWebIdentity) to obtain temporary credentials for a role. For workforce sign-in across many accounts, IAM Identity Center builds on the same mechanism. Cognito also federates, but it is aimed at application end users rather than workforce access to AWS resources.
MCQ 106
What is the default validity period for AWS temporary security credentials (STS)?
a) 15 minutes
b) 1 hour
c) 12 hours
d) 24 hours
Answer: b) 1 hour
Explanation: Credentials returned by AssumeRole default to 1 hour. The allowed range depends on the STS API, not on the service being called: AssumeRole and its SAML/OIDC variants accept 15 minutes up to the role's configured maximum session duration (at most 12 hours), while GetSessionToken and GetFederationToken accept 15 minutes up to 36 hours.
MCQ 107
Which AWS service supports hardware-based key storage for highest level of cryptographic security?
a) AWS Shield
b) AWS CloudHSM
c) AWS Secrets Manager
d) AWS Inspector
Answer: b) AWS CloudHSM
Explanation: AWS CloudHSM provides dedicated, single-tenant hardware security modules (FIPS 140-2 Level 3 validated) running in your VPC. KMS also keeps its keys in HSMs, but with CloudHSM you own the cluster, the HSM user accounts and the key material, which is what strict regulatory regimes and KMS custom key stores require.
MCQ 108
Which AWS feature enables single sign-on (SSO) access to multiple AWS accounts and third-party apps?
a) IAM Policies
b) AWS Organizations
c) AWS SSO (IAM Identity Center)
d) AWS Config
Answer: c) AWS SSO (IAM Identity Center)
Explanation: AWS SSO allows centralized authentication for multiple AWS accounts and integrated applications. It’s now called AWS IAM Identity Center.
MCQ 109
Which of the following is NOT a valid AWS IAM policy type?
a) Inline Policy
b) Managed Policy
c) Group Policy
d) Resource-based Policy
Answer: c) Group Policy
Explanation: “Group Policy” is not an IAM policy type. Identity-based policies come in two forms, managed (AWS-managed or customer-managed, reusable across identities) and inline (embedded in one identity), and resource-based policies are attached to resources such as S3 buckets or KMS keys. Policies can be attached to groups so that every member inherits them, but the group is the attachment point, not a policy type. Other policy types you will meet on the exam are permissions boundaries, service control policies (SCPs), session policies and ACLs.
MCQ 110
In AWS, which service issues X.509 certificates used in IoT authentication?
a) AWS IoT Core
b) AWS KMS
c) AWS GuardDuty
d) AWS Inspector
Answer: a) AWS IoT Core
Explanation: AWS IoT Core issues device certificates itself (CreateKeysAndCertificate) or registers certificates signed by a CA you control, and binds IoT policies to each certificate so that a device can only publish and subscribe to the topics it is meant to. The device proves possession of the private key during the mutual-TLS handshake, which is what authenticates it.
MCQ 111
Which AWS service is recommended for managing and rotating application secrets (like DB passwords)?
a) AWS CloudHSM
b) AWS Certificate Manager
c) AWS Secrets Manager
d) AWS Config
Answer: c) AWS Secrets Manager
Explanation: AWS Secrets Manager securely stores, rotates, and retrieves secrets such as database credentials and API keys, helping enforce least privilege and reducing hardcoding of credentials.
MCQ 112
Which cryptographic algorithm is primarily used in AWS KMS for key encryption?
a) RSA
b) SHA-256
c) AES-256
d) ECC
Answer: c) AES-256
Explanation: Symmetric KMS keys are 256-bit AES keys used in GCM mode, and KMS applies envelope encryption: it generates data keys, returns them encrypted under the KMS key, and the plaintext key material of the KMS key never leaves the service's HSMs. KMS also supports asymmetric RSA and ECC key pairs (for signing and for public-key encryption) and HMAC keys.
MCQ 113
In IAM policies, what does the Effect element define?
a) Which service to apply policy
b) Whether the statement allows or denies access
c) Who can assume the role
d) How long access lasts
Answer: b) Whether the statement allows or denies access
Explanation: The Effect element can only be “Allow” or “Deny”. Access is denied by default; an explicit Deny in any applicable policy overrides every Allow.
MCQ 114
Which AWS feature enforces additional verification for API access using HMAC signatures?
a) IAM Password Policy
b) Access Keys
c) Signature Version 4 (SigV4)
d) Security Hub
Answer: c) Signature Version 4 (SigV4)
Explanation: SigV4 derives a signing key from the secret access key through a chain of HMAC-SHA256 operations over the date, region and service, then uses that key to HMAC a canonical form of the request. The secret key itself is never transmitted, the signature covers the method, path, query string, signed headers and payload hash, and the request carries a timestamp that AWS accepts only within a 15-minute window, which limits replay.
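SigV4 is easy to describe and easy to get subtly wrong, so here is a minimal signer as an added example (it is not code from the original page and not the AWS SDK's implementation). It follows the public SigV4 specification and checks itself against the worked example in the AWS documentation (the IAM ListUsers request signed with the dummy access key AKIDEXAMPLE); the credentials, host and timestamp are that documented test vector, not real values.

```python
import hashlib
import hmac
from urllib.parse import quote

# Added example (not from the original page): a minimal AWS Signature Version 4
# signer written from the public SigV4 specification. The request in EXAMPLE is
# the worked example from the AWS SigV4 documentation (dummy key AKIDEXAMPLE);
# it is a test vector, not a live credential.

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    # Keys and values are URI-encoded (only unreserved characters left alone)
    # and sorted by key; a signer that skips the sort produces a bad signature.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def canonical_request(method, path, params, headers, payload: bytes):
    # Header names lowercased, values trimmed with runs of spaces collapsed,
    # sorted by name. Only headers listed here are covered by the signature.
    lower = {k.lower().strip(): " ".join(v.strip().split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    creq = "\n".join([method.upper(), path or "/", canonical_query(params),
                      canonical_headers, signed_headers, sha256_hex(payload)])
    return creq, signed_headers


def signing_key(secret_key, date_stamp, region, service) -> bytes:
    # Derived-key chain: the long-term secret never signs a request directly,
    # and the derived key is scoped to one day, region and service.
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(access_key, secret_key, region, service, method, host, path,
                 params, headers, payload: bytes, amz_date: str):
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    hdrs = dict(headers)
    hdrs.setdefault("host", host)
    hdrs.setdefault("x-amz-date", amz_date)
    creq, signed_headers = canonical_request(method, path, params, hdrs, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"canonical_request": creq, "string_to_sign": string_to_sign,
            "signature": signature, "authorization": authorization}


# Test vector from the AWS documentation's SigV4 worked example (dummy credentials).
EXAMPLE = dict(
    access_key="AKIDEXAMPLE",
    secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1", service="iam", method="GET",
    host="iam.amazonaws.com", path="/",
    params={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
    payload=b"", amz_date="20150830T123600Z",
)

if __name__ == "__main__":
    print(sign_request(**EXAMPLE)["authorization"])
```

Run it to print the Authorization header. Two properties are worth noticing: the canonical request pins every signed header and the payload hash, so changing any of them invalidates the signature, and the derived key is scoped to one day, region and service, so a leaked derived key is far less useful to an attacker than a leaked secret access key.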
MCQ 115
When granting cross-account access to an IAM role, which policy defines who is allowed to assume it?
a) IAM Inline Policy
b) Bucket Policy
c) Role Trust Policy
d) Group Policy
Answer: c) Role Trust Policy
Explanation: A role trust policy (the role's resource-based policy) defines which principals (users, roles, accounts or federated identities) may call sts:AssumeRole on it; the role's identity-based permissions policies then decide what the session can do. For third-party cross-account access, add a Condition on sts:ExternalId so a vendor cannot be tricked into assuming your role on someone else's behalf (the confused-deputy problem), and prefer naming a specific role ARN over the whole account (`:root`).
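The ExternalId condition is the part of a cross-account trust policy that most often goes missing. The auditor below is an added example, not code from the original page: it walks a trust policy document and flags a wildcard principal with no Condition, and any foreign-account principal allowed to assume the role without an sts:ExternalId condition. The account IDs, role names and external ID are constructed for the example.

```python
import json

# Added example (not from the original page): audits IAM role trust policies for
# the two cross-account mistakes that bite most often. Account IDs, role names
# and the external ID are constructed for the example.

OUR_ACCOUNT = "111122223333"          # the account that owns the role (constructed)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs named by an 'AWS' principal element ('*' for anonymous)."""
    if principal == "*":
        return ["*"]
    accounts = []
    for p in _as_list(principal.get("AWS", [])):
        if p == "*":
            accounts.append("*")
        elif p.isdigit():                      # bare account ID form
            accounts.append(p)
        elif p.startswith("arn:aws:iam::"):    # arn:aws:iam::<account>:root|user/..|role/..
            accounts.append(p.split(":")[4])
    return accounts


def _has_external_id(statement):
    for operator, keys in statement.get("Condition", {}).items():
        if operator.startswith("StringEquals") and "sts:ExternalId" in keys:
            return True
    return False


def audit_trust_policy(policy, our_account=OUR_ACCOUNT):
    """Return a list of findings (empty means the trust policy passed both checks)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or not any(
                a.startswith("sts:assumerole") or a in ("sts:*", "*") for a in actions):
            continue
        accounts = _principal_accounts(st.get("Principal", {}))
        if "*" in accounts and not st.get("Condition"):
            findings.append(f"statement {i}: principal '*' with no Condition, "
                            "so any AWS account can assume this role")
        foreign = sorted({a for a in accounts if a not in ("*", our_account)})
        if foreign and not _has_external_id(st):
            findings.append(f"statement {i}: cross-account principal(s) {', '.join(foreign)} "
                            "without an sts:ExternalId condition (confused-deputy risk)")
    return findings


# Constructed sample policies: a vendor trust as it is usually first written, and
# the same trust narrowed to one role and bound to an external ID.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"},   # whole vendor account
    "Action": "sts:AssumeRole"}]}

HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:role/VendorScanner"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-7f3a"}}}]}

PUBLIC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("HARDENED", HARDENED), ("PUBLIC", PUBLIC)):
        print(name, json.dumps(audit_trust_policy(doc), indent=2))
```

Trusting `arn:aws:iam::444455556666:root` means every principal in that account that holds sts:AssumeRole permission can assume your role, so the hardened form names the one vendor role and adds the external ID the vendor must present. A principal of `*` is acceptable only when a Condition such as aws:PrincipalOrgID narrows it, which is why the auditor only flags it when no Condition is present.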
MCQ 116
Which AWS tool helps simulate the effect of IAM policies before applying them?
a) AWS Config
b) IAM Policy Simulator
c) AWS Trusted Advisor
d) Security Hub
Answer: b) IAM Policy Simulator
Explanation: The IAM Policy Simulator allows administrators to test and validate IAM and resource-based policies before enforcement.
MCQ 117
In AWS PKI, what is the role of a Certificate Authority (CA)?
a) Encrypts EC2 data volumes
b) Issues and manages SSL/TLS certificates
c) Creates IAM policies
d) Monitors VPC traffic
Answer: b) Issues and manages SSL/TLS certificates
Explanation: A CA verifies the identity behind a certificate request, signs a certificate that binds a public key to that identity, and publishes revocation information; relying parties trust a certificate because they trust the CA that issued it.
MCQ 118
Which AWS service supports OAuth2.0 and OpenID Connect for app authentication?
a) AWS Cognito
b) AWS Shield
c) AWS GuardDuty
d) AWS Inspector
Answer: a) AWS Cognito
Explanation: Cognito enables user authentication via standards like OAuth2.0, SAML, and OpenID Connect, making it suitable for web/mobile apps.
MCQ 119
What’s the maximum number of MFA devices that can be assigned to a single IAM user?
a) 1
b) 8
c) 2
d) Unlimited
Answer: b) 8
Explanation: Since November 2022, each IAM user (and the root user) can register up to eight MFA devices, in any mix of FIDO security keys, virtual authenticator (TOTP) apps and hardware TOTP tokens; before that the limit was one device per user. Registering a second device is the recommended way to avoid lock-out if the primary device is lost.
MCQ 120
Which AWS CLI command generates temporary credentials for an IAM Role?
a) aws iam create-access-key
b) aws sts assume-role
c) aws configure
d) aws iam attach-role-policy
Answer: b) aws sts assume-role
Explanation: `aws sts assume-role --role-arn <arn> --role-session-name <name>` calls STS and returns an AccessKeyId, SecretAccessKey, SessionToken and Expiration. The optional `--external-id`, `--duration-seconds` and `--serial-number`/`--token-code` (for MFA-protected roles) flags satisfy conditions the role's trust policy may require. `aws iam create-access-key` creates long-term keys, which is the opposite of what the question asks.
MCQ 121
What is AWS’s recommended way to give EC2 instances access to S3 without storing access keys?
a) Attach IAM Role
b) Embed Access Key in app
c) Use S3 Bucket Policy only
d) Store key in user-data
Answer: a) Attach IAM Role
Explanation: The best practice is to attach an IAM role (through an instance profile) to the instance; the SDK then fetches short-lived role credentials from the Instance Metadata Service (IMDS) at 169.254.169.254 and refreshes them automatically. Require IMDSv2 (session-token based, `HttpTokens=required`) so that an SSRF or open-proxy bug in an application cannot read those credentials with a simple GET, and never put keys in user data, which anyone with ec2:DescribeInstanceAttribute can read.
MCQ 122
Which AWS authentication method is recommended for mobile/web apps with millions of users?
a) IAM Users
b) Cognito User Pools
c) Root User
d) S3 Signed URLs
Answer: b) Cognito User Pools
Explanation: Cognito User Pools are scalable for millions of app users and support standard authentication protocols.
MCQ 123
Which AWS feature enables access delegation without sharing long-term credentials?
a) Access Keys
b) IAM Groups
c) IAM Roles
d) Security Hub
Answer: c) IAM Roles
Explanation: IAM Roles allow delegation of access with temporary credentials, avoiding long-term exposure of access keys.
MCQ 124
In IAM, which is evaluated first: explicit “Deny” or “Allow”?
a) Allow
b) Deny
c) Both at the same time
d) None
Answer: b) Deny
Explanation: Evaluation starts from an implicit deny. AWS then checks every applicable policy for an explicit Deny; if one matches, the request is denied and no Allow can override it. Only when no Deny matches does a matching Allow grant access.
MCQ 125
Which AWS service automatically manages public SSL certificates for CloudFront and Elastic Load Balancing?
a) AWS ACM
b) AWS CloudHSM
c) AWS Inspector
d) AWS GuardDuty
Answer: a) AWS ACM
Explanation: AWS Certificate Manager (ACM) provisions public SSL/TLS certificates, validates domain ownership (DNS or email validation) and renews them automatically for integrated services such as CloudFront, Elastic Load Balancing and API Gateway. One detail the exam likes: a certificate used with CloudFront must be requested in the us-east-1 region.
MCQ 126
Which type of AWS IAM entity should be avoided for everyday operations?
a) IAM Roles
b) IAM Users
c) Root Account
d) IAM Groups
Answer: c) Root Account
Explanation: The root user should never be used for daily operations: it has unrestricted access and cannot be limited by IAM policies. Secure it with MFA, keep its access keys deleted, and use it only for the handful of tasks that require it. For everyday work, AWS now recommends federated identities (IAM Identity Center or an external IdP) or IAM roles with least-privilege permissions over long-lived IAM users.
MCQ 127
Which of the following is a recommended IAM password policy best practice?
a) Minimum 6 characters
b) Force rotation every 30–90 days
c) Allow dictionary words
d) Disable MFA
Answer: b) Force rotation every 30–90 days
Explanation: The exam answer is a password policy with a strong minimum length, complexity requirements, reuse prevention and periodic rotation (commonly 90 days). Be aware that current guidance such as NIST SP 800-63B discourages forced periodic rotation without evidence of compromise, favouring long passphrases, breach screening and MFA instead, and that AWS's own best practice is to avoid IAM user passwords altogether by federating through an identity provider.
MCQ 128
Which AWS service provides signed URLs and signed cookies for secure temporary access to content?
a) AWS CloudFront
b) AWS S3 Standard
c) AWS Cognito
d) AWS GuardDuty
Answer: a) AWS CloudFront
Explanation: CloudFront signed URLs and signed cookies grant time-limited access to private content, signed with a key pair you control (trusted key groups); signed cookies are the better fit when many files must be protected without rewriting every URL. S3 offers presigned URLs (signed with the caller's own credentials) but has no cookie mechanism, which is why CloudFront is the intended answer.
MCQ 129
Which IAM feature enables different levels of access for different resources within the same service?
a) Resource-based policies
b) Inline Policies only
c) Group Memberships
d) Security Hub Rules
Answer: a) Resource-based policies
Explanation: Resource-based policies (S3 bucket policies, KMS key policies, SQS queue policies) are attached to the resource and can grant different principals different access to that resource. Identity-based policies achieve a similar result through resource-level permissions by listing specific ARNs in the Resource element; which you use depends on where you want to express the control.
MCQ 130
Which AWS feature automatically rotates access keys for applications?
a) IAM Role
b) AWS STS
c) AWS Secrets Manager
d) AWS CloudTrail
Answer: c) AWS Secrets Manager
Explanation: Secrets Manager rotates secrets on a schedule by invoking a rotation function (AWS Lambda); AWS supplies managed rotation for services such as RDS, but rotating IAM access keys requires a custom rotation function you write yourself. The better answer for applications running on AWS is to avoid long-term keys entirely and use an IAM role, whose credentials STS refreshes automatically.
MCQ 131
Which AWS service can integrate with Active Directory for centralized authentication?
a) AWS Directory Service
b) AWS Cognito
c) AWS GuardDuty
d) AWS Secrets Manager
Answer: a) AWS Directory Service
Explanation: AWS Directory Service (Managed AD) enables integration with on-premises Active Directory, centralizing authentication and group policies.
MCQ 132
Which AWS feature helps reduce credential exposure for Lambda functions?
a) Store secrets in environment variables
b) Use IAM Role for Lambda
c) Hardcode credentials in code
d) Enable VPC Flow Logs
Answer: b) Use IAM Role for Lambda
Explanation: Attach an execution role to the function; Lambda obtains temporary credentials for it and exposes them to the runtime, so nothing has to be stored. Environment variables are encrypted at rest but are returned in plaintext to anyone with lambda:GetFunctionConfiguration, so they are not the place for secrets; fetch those at runtime from Secrets Manager or Parameter Store instead.
MCQ 133
What’s the maximum session duration allowed for IAM Role credentials?
a) 6 hours
b) 12 hours
c) 24 hours
d) Unlimited
Answer: b) 12 hours
Explanation: A role's maximum session duration is configurable between 1 and 12 hours (the default is 1 hour), and a caller cannot request a DurationSeconds above that setting. Two related limits are easy to confuse on the exam: role chaining (assuming a role with credentials obtained from another role) is capped at 1 hour regardless of the setting, and the 36-hour maximum applies only to GetSessionToken and GetFederationToken, not to roles.
MCQ 134
Which AWS feature allows centralized governance and cross-account IAM access control?
a) AWS Organizations
b) AWS CloudTrail
c) AWS IAM Roles
d) AWS Security Hub
Answer: a) AWS Organizations
Explanation: AWS Organizations groups accounts under central management with consolidated billing and service control policies (SCPs), which cap the permissions any identity in a member account can have. SCPs are guardrails, not grants: actual cross-account access is still delegated through IAM roles, such as the OrganizationAccountAccessRole that Organizations creates in accounts it provisions.
MCQ 135
Which authentication factor is something you have in MFA?
a) Password
b) Mobile phone/Hardware token
c) Security question
d) Biometrics
Answer: b) Mobile phone/Hardware token
Explanation: MFA uses something you know (password) + something you have (token/device) + optionally something you are (biometrics).
MCQ 136
Which AWS service provides external identity federation with providers like Google or Facebook?
a) AWS Config
b) AWS Cognito Federated Identities
c) AWS CloudTrail
d) AWS Shield
Answer: b) AWS Cognito Federated Identities
Explanation: Cognito Federated Identities enable federation with external IdPs like Google, Facebook, SAML providers.
MCQ 137
What is the best AWS feature for encrypting data at rest in S3?
a) IAM Role
b) Server-Side Encryption (SSE)
c) CloudTrail Logging
d) MFA
Answer: b) Server-Side Encryption (SSE)
Explanation: S3 server-side encryption encrypts objects at rest with AES-256: SSE-S3 uses S3-managed keys (and has been the default for new objects since January 2023), SSE-KMS uses a KMS key so that access to the key can be audited and restricted, and SSE-C lets the client supply its own key with each request. Client-side encryption is the option when the provider must never see plaintext.
MCQ 138
Which AWS feature provides fine-grained, attribute-based access control (ABAC)?
a) IAM Groups
b) IAM Roles
c) IAM Policy Tags
d) S3 Bucket ACLs
Answer: c) IAM Policy Tags
Explanation: ABAC in IAM works through tags: principals (users, roles, sessions) and resources are tagged, and policies use condition keys such as aws:PrincipalTag/<key> and aws:ResourceTag/<key>, often comparing the two (for example, requiring the resource's team tag to equal the caller's). One policy then scales to new projects without being edited, whereas role-based (RBAC) policies must be updated for every new resource.
MCQ 139
Which AWS authentication method allows temporary credentials via third-party identity providers?
a) IAM Root User
b) AWS STS with AssumeRoleWithSAML/OIDC
c) S3 Signed URLs
d) CloudHSM
Answer: b) AWS STS with AssumeRoleWithSAML/OIDC
Explanation: STS allows federated users from identity providers (SAML, OIDC) to assume roles and get temporary credentials.
MCQ 140
Which IAM feature reduces management overhead for large organizations with multiple AWS accounts?
a) IAM Groups
b) IAM Inline Policies
c) Service Control Policies (SCPs)
d) Secrets Manager
Answer: c) Service Control Policies (SCPs)
Explanation: SCPs, applied from AWS Organizations to organizational units or accounts, cap what any identity in those accounts can do (for example, blocking unused regions or forbidding anyone from disabling CloudTrail). They never grant permissions on their own and do not apply to the management account, so they complement rather than replace IAM policies in member accounts.
MCQ 141
Which AWS tool allows logging of all API calls across AWS accounts?
a) AWS GuardDuty
b) AWS Config
c) AWS CloudTrail
d) AWS Security Hub
Answer: c) AWS CloudTrail
Explanation: CloudTrail records API calls (including console sign-ins and STS credential issuance) with the caller identity, source IP and request parameters; an organization trail captures them for every account in the Organization. Management events are logged by default, data events (S3 object-level, Lambda invoke) must be enabled separately, and the trail should write to a locked-down bucket with log file validation so an intruder cannot quietly tamper with the audit record.
MCQ 142
Which AWS feature ensures credentials are only valid for a short time and automatically expire?
a) IAM Inline Policy
b) STS Temporary Credentials
c) Long-Term Access Keys
d) Resource Policy
Answer: b) STS Temporary Credentials
Explanation: STS issues temporary credentials that expire automatically, reducing the risk of long-term exposure.
MCQ 143
In AWS IAM, which type of policy is directly attached to a single user, group, or role?
a) Managed Policy
b) Inline Policy
c) SCP
d) ABAC
Answer: b) Inline Policy
Explanation: Inline policies are embedded directly in one IAM entity, unlike managed policies that can be reused.
MCQ 144
Which AWS service provides a private CA for internal enterprise certificates?
a) AWS ACM PCA
b) AWS KMS
c) AWS CloudHSM
d) AWS Cognito
Answer: a) AWS ACM PCA
Explanation: AWS Private Certificate Authority (formerly ACM Private CA) runs a private CA hierarchy that issues certificates for internal endpoints, mTLS clients and IoT devices, with the CA keys held in AWS-managed HSMs. Private certificates issued through ACM can be exported with their private key for use on any system.
MCQ 145
What’s the recommended way to enforce passwordless authentication for AWS Console logins?
a) Use Cognito only
b) Enable SSO with IdP (SAML, OIDC)
c) Share root account
d) Create inline policies
Answer: b) Enable SSO with IdP (SAML, OIDC)
Explanation: With IAM Identity Center (or SAML/OIDC federation) users sign in at the identity provider, which can enforce passwordless methods such as FIDO2 security keys or passkeys; AWS receives a SAML assertion or OIDC token and issues short-lived role credentials, so no password for the user ever exists in AWS. Federation by itself does not make login passwordless, the IdP's authentication policy does, but it removes IAM user passwords from AWS entirely.
MCQ 146
Which AWS authentication service is best for IoT devices?
a) AWS Cognito
b) AWS IAM Root
c) AWS IoT Core with X.509 certificates
d) AWS KMS
Answer: c) AWS IoT Core with X.509 certificates
Explanation: AWS IoT Core uses X.509 certificates to securely authenticate IoT devices.
MCQ 147
Which AWS IAM feature allows granting access to AWS resources without needing IAM users?
a) Access Keys
b) IAM Roles
c) IAM Groups
d) IAM Inline Policies
Answer: b) IAM Roles
Explanation: IAM roles grant access to AWS resources without the need for permanent IAM users.
MCQ 148
What happens if an IAM policy includes both “Allow” and “Deny” for the same action?
a) Allow takes precedence
b) Deny takes precedence
c) Both are ignored
d) Randomly applied
Answer: b) Deny takes precedence
Explanation: Explicit Deny always overrides Allow in AWS IAM policy evaluation logic.
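MCQ 113, 124, 138 and 148 all turn on the same evaluation order, and it is clearer as code than as prose. The evaluator below is an added example written for this page (not AWS's implementation): it denies by default, lets a matching explicit Deny end evaluation, allows only when some Allow matches and no Deny does, and resolves ${aws:PrincipalTag/...} policy variables so the ABAC pattern from MCQ 138 can be exercised. It models only Action, Resource and StringEquals/StringLike conditions; SCPs, permissions boundaries, session policies and the other condition operators are out of scope. The policy, ARNs and tags are constructed for the example.

```python
import fnmatch
import re

# Added example (not from the original page): a simplified IAM policy evaluator
# showing the decision order the quiz questions test. It models Action, Resource,
# StringEquals/StringLike conditions and ${...} policy variables only; SCPs,
# permissions boundaries, session policies and the remaining condition operators
# are out of scope. The policy, ARNs and tags below are constructed.

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _substitute(value, ctx):
    """Expand ${key} policy variables from the request context.

    Returns None when a referenced key is absent: in IAM a variable with no
    value matches nothing, it is not replaced by an empty string."""
    missing = False

    def repl(m):
        nonlocal missing
        if m.group(1) not in ctx:
            missing = True
            return ""
        return str(ctx[m.group(1)])

    expanded = VAR_RE.sub(repl, value)
    return None if missing else expanded


def _like(pattern, value, ctx, fold_case=False):
    """IAM wildcard match (* and ?); action names compare case-insensitively."""
    pattern = _substitute(pattern, ctx)
    if pattern is None:
        return False
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(cond, ctx):
    for operator, keys in cond.items():
        for key, patterns in keys.items():
            if key not in ctx:          # missing key: plain operators do not match
                return False
            value = str(ctx[key])
            if operator == "StringEquals":
                ok = any(_substitute(p, ctx) == value for p in _as_list(patterns))
            elif operator == "StringLike":
                ok = any(_like(p, value, ctx) for p in _as_list(patterns))
            else:
                ok = False              # unsupported operator: fail closed
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    ctx = ctx or {}
    decision = "ImplicitDeny"                       # nothing is allowed until a statement says so
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not any(_like(a, action, ctx, fold_case=True) for a in _as_list(st.get("Action", []))):
                continue
            if not any(_like(r, resource, ctx) for r in _as_list(st.get("Resource", []))):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"               # a matching Deny ends evaluation
            decision = "Allow"                      # keep looking: a later Deny still wins
    return decision


# Constructed ABAC policy: each team reads and writes only its own bucket and may
# start only instances tagged for its team; suspended principals lose all of S3.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::acme-${aws:PrincipalTag/team}-data/*"},
    {"Effect": "Allow",
     "Action": "ec2:StartInstances",
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/status": "suspended"}}},
]}

# Constructed request context for a member of the blue team acting on a blue resource.
BLUE_ENGINEER = {"aws:PrincipalTag/team": "blue", "aws:PrincipalTag/status": "active",
                 "aws:ResourceTag/team": "blue"}

if __name__ == "__main__":
    obj = "arn:aws:s3:::acme-blue-data/q3/report.csv"
    print(evaluate([ABAC_POLICY], "s3:GetObject", obj, BLUE_ENGINEER))
    print(evaluate([ABAC_POLICY], "s3:GetObject", obj,
                   dict(BLUE_ENGINEER, **{"aws:PrincipalTag/status": "suspended"})))
```

Note the two failure modes the code makes visible: a policy variable that has no value in the request context (a principal with no team tag) makes the statement match nothing, so access is implicitly denied rather than widened, and a Deny whose condition key is absent from the context does not fire, which is why real-world Deny statements often use the `Null` operator or `...IfExists` variants that this toy evaluator does not model.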
MCQ 149
Which AWS feature should be enabled to protect the root user with additional verification?
a) IAM Groups
b) MFA on Root User
c) SCP on Root
d) CloudTrail
Answer: b) MFA on Root User
Explanation: MFA must always be enabled on the root user to prevent compromise.
MCQ 150
Which AWS CLI command returns the identity (account, user or role, and ARN) of the caller?
a) aws iam list-users
b) aws sts get-caller-identity
c) aws configure list
d) aws s3api get-bucket-acl
Answer: b) aws sts get-caller-identity
Explanation: get-caller-identity returns the UserId, Account and Arn of the credentials making the call. It works with any valid credentials, even ones that hold no permissions, so it is the standard way to confirm which identity the CLI is using and, during a penetration test, to find out what a discovered access key belongs to. `aws configure list` only shows where the local configuration values came from.
Access and identity management are the first line of defense in AWS security. By mastering IAM, PKI, and authentication, you’ll be well-prepared for any AWS certification exam.
Keep practicing daily. AWS exam success is all about consistent learning + hands-on practice. 🚀