Back to AWS Identity and Access Management (IAM)

IAM Users and Credentials

5 minutes 5 Questions

IAM users are individual identities that you create in your AWS account to represent users or applications accessing AWS services. When creating IAM users, it is essential to provide them with the right set of credentials so they can assume the necessary permissions within your resource structure. …

Understanding IAM Users and Credentials - An AWS Solution Architect Guide

Introduction:
AWS Identity and Access Management (IAM) is a feature of your AWS account that is provided at no additional charge. It allows you to securely control access to AWS services and resources for your users.

Importance:
Understanding IAM is crucial because it helps to manage users, groups, roles, and their corresponding level of access to AWS Console. It also centrally manages your AWS environment’s security, providing essential features like multi-factor authentication for a robust and secure environment.

What is it?:
IAM Users are entities with unique security credentials that are used to access AWS Services. These users can be people, applications or servers.

How it Works:
IAM users can be created under your AWS account, and you can assign them individual security credentials, such as access keys, passwords, and multi-factor authentication devices, or request temporary security credentials to provide users access to AWS services and resources.

Exam Tips:
Answering Questions on IAM Users and Credentials:
Remember the following key points while answering questions concerning IAM:
- IAM is universal and does not apply to a specific region.
- Root user is the first user, it possesses complete access by default.
- In IAM, new users have no permissions when they are first created.
- We can attach and detach IAM policies from IAM users, groups, and roles. If a policy is attached to a group, that policy is inherited by the users in that group.
- IAM Roles allow applications to borrow security credentials.
- IAM supports identity federation for delegated access to the AWS Management Console or AWS APIs.
- IAM is essential for follow security best practices in AWS.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

AWS Certified Solutions Architect - IAM Users and Credentials Example Questions

Test your knowledge of IAM Users and Credentials

Question 1

A company has a web application that uses the AWS SDK to connect to an S3 bucket. They want to ensure secure access to AWS resources for their root user, but they have misplaced their access key. What should they do?

Use the AWS Key Management Service (KMS) to recover the misplaced access keys. Generate new keys for the root user and rotate them regularly. Create a new IAM user with the necessary permissions and generate access keys for that user. Create a new bucket policy to restrict access to authorized IAM users.

Correct Answer: Create a new IAM user with the necessary permissions and generate access keys for that user.

Creating a new IAM user with the necessary permissions and generating access keys for that user is the best security practice. Root users have full access to all resources and should not be used for everyday AWS tasks. Generating new keys for the root user, using KMS, or contacting AWS Support are not recommended practices.

Question 2

A company does not use an external identity provider or AWS IAM Identity Center. They need to grant a newly hired developer programmatic (CLI/SDK) access to AWS services in the same AWS account using least privilege. What is the recommended approach?

Create a Cross-Account role. Create an IAM user, assign the required permissions, and generate access keys. Use the AWS Management Console to delegate access. Give the developer the root account access keys.

Correct Answer: Create an IAM user, assign the required permissions, and generate access keys.

When a developer needs programmatic access (CLI/SDK) in the same AWS account and the organization is not using an external identity provider or AWS IAM Identity Center, the recommended approach is to create an IAM user, attach least‑privilege policies, and generate access keys for API use. Root account keys should never be shared or used for routine tasks. A cross‑account role is used to grant access between different AWS accounts and is not applicable here. Delegating access via the AWS Management Console addresses console sign‑in, not programmatic access through APIs.

Question 3

An external organization has its own AWS account. You must grant them time-bound, auditable, least-privilege programmatic access to specific objects in an S3 bucket in your account, without sharing IAM users or long-term access keys or making the bucket public. What is the recommended approach?

Create an access point to share access to the specified S3 resources. Create a bucket policy providing public read access to the required resources. Create an IAM role with the required S3 permissions and a trust policy allowing the external AWS account to assume the role via STS. Use VPC endpoints to grant access to the external organization.

Correct Answer: Create an IAM role with the required S3 permissions and a trust policy allowing the external AWS account to assume the role via STS.

The best practice for granting cross-account access to S3 without sharing long-term credentials is to create an IAM role in your account with least-privilege S3 permissions and a trust policy that allows principals from the external AWS account to assume it via AWS STS. The external organization then obtains temporary credentials by calling AssumeRole, enabling time-bound, auditable access that can be easily revoked. S3 Access Points do not provide temporary credentials and typically rely on the external party's long-term credentials; bucket policies granting public access are insecure and violate least-privilege; and VPC endpoints control network paths, not authorization, and do not grant cross-account access by themselves.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
5645 Superior-grade AWS Certified Solutions Architect - Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
AWS Certified Solutions Architect: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More IAM Users and Credentials questions

16 questions (total)

Start 16 question test