AWS Solutions Architect Associate 2025 Flashcards

To learn and retain more about AWS

1
Q

What is an IAM role?

A

Entities you create and assign specific permissions to that are assumed by trusted identities such as workforce identities and applications to perform actions in AWS. Roles are temporary and do not have long term credentials.

2
Q

What is an IAM policy?

A

An IAM policy is a JSON document in AWS that defines permissions for identities (users, groups, roles) or resources. It specifies what actions (e.g., s3:PutObject) are allowed or denied, on which resources (e.g., arn:aws:s3:::example-bucket/*), and under what conditions (optional). Policies can be identity-based (attached to users, groups, or roles), resource-based (attached to resources like S3 buckets), managed (predefined by AWS or custom reusable policies), or inline (specific to one identity). They are essential for controlling access to AWS resources and enforcing the principle of least privilege.

3
Q

What does IAM stand for?

A

AWS Identity and Access Management

4
Q

What is an IAM user?

A

An IAM identity that you create in AWS representing the human, workload, or application that interacts with AWS. Users have credentials (access keys for APIs/CLI, passwords for the console) and are granted permissions via policies.

5
Q

What is a root user?

A

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. The root user has special privileges, such as the ability to enable MFA or close the AWS account.

It’s bad practice to use the root user for any actions.

6
Q

How can you identify an IAM user?

A

• a friendly name (e.g. John)
• An ARN (an Amazon Resource Name)
• a unique identifier

7
Q

How might an IAM role and IAM user interact?

A

A user might assume an IAM role temporarily.

8
Q

How might an IAM user be used? What does it identify?

A

Typically, to identify a human. It can also be used to ID an application, but using an IAM role is more appropriate for enhanced security.

9
Q

Can you assign an IAM role to an IAM user?

A

Yes.

10
Q

What kinds of IAM policies are there?

A

Types of IAM Policies
1. Identity-Based Policies
• Attached to users, groups, or roles.
• Define what actions the identity can perform on AWS resources.
2. Resource-Based Policies
• Attached directly to resources (e.g., S3 buckets, KMS keys).
• Specify who can access the resource and what actions they can perform.
3. AWS Managed Policies
• Predefined by AWS for common use cases.
• Cannot be edited but can be attached to identities.
4. Customer Managed Policies
• Custom reusable policies created by you.
• Offer flexibility for specific permissions.
5. Inline Policies
• Embedded directly in a user, group, or role.
• Used for specific, tightly scoped permissions.
6. Permissions Boundaries
• Define the maximum permissions an identity-based policy can grant.
• Acts as a guardrail for roles or users.
7. Session Policies
• Temporary, inline policies passed when assuming a role or federating.
• Restrict permissions for the duration of a session.

11
Q

What are identity based IAM policies?

A

Identity-based policies are JSON permissions policy documents that control what actions an identity (users, groups of users, and roles) can perform, on which resources, and under what conditions. They are attached to an IAM identity.

12
Q

What are resource based IAM policies?

A

Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket. These policies grant the specified principal permission to perform specific actions on that resource and define under what conditions this applies. Resource-based policies are inline policies.

13
Q

What are IAM permissions boundaries?

A

A permissions boundary is an advanced feature in which you set the maximum permissions that an identity-based policy can grant to an IAM entity.

14
Q

What are service control policies?

A

SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU).

15
Q

What are access control lists?

A

Access control lists (ACLs) are service policies that allow you to control which principals in an account can access a resource.

They are more straightforward and less flexible than resource-based policies, but they are easier to use.

They are largely deprecated and are limited. For example, you can grant permissions only to other AWS accounts; you cannot grant permissions to users in your account. You cannot grant conditional permissions, nor can you explicitly deny permissions. ACLs are suitable for specific scenarios. For example, if a bucket owner allows other AWS accounts to upload objects, permissions on those objects can only be managed using an object ACL by the AWS account that owns the object.

16
Q

What are session policies?

A

Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user.

17
Q

What is a principal in AWS?

A

A principal is a human user or workload that can make a request for an action or operation on an AWS resource.

18
Q

What is a workload in AWS?

A

A workload is a collection of resources and code that delivers business value, such as a customer-facing application or a backend process.

19
Q

What is a federated identity?

A

A federated identity is a user that can access secure AWS account resources with external identities. External identities can come from a corporate identity store (such as LDAP or Windows Active Directory) or from a third party (such as Login with Amazon, Facebook, or Google). Federated identities don't sign in with the AWS Management Console or AWS access portal. The type of external identity in use determines how federated identities sign in.

20
Q

What is the .aws/credentials file for?

A

It is a plaintext file used to define the following values for profiles: aws_access_key_id, aws_secret_access_key, aws_session_token, aws_token expiration

21
Q

What is the .aws/config file for?

A

It is used to further specify settings for profiles, such as region and output (which specifies the output format of any command issued under that profile).

23
Q

What is a control plane?

A

Control planes provide the administrative APIs used to create, read/describe, update, delete, and list (CRUDL) resources. For example, the following are all control plane actions: launching a new Amazon Elastic Compute Cloud (Amazon EC2) instance, creating an Amazon Simple Storage Service (Amazon S3) bucket, and describing an Amazon Simple Queue Service (Amazon SQS) queue. When you launch an EC2 instance, the control plane has to perform multiple tasks like finding a physical host with capacity, allocating the network interface(s), preparing an Amazon Elastic Block Store (Amazon EBS) volume, generating IAM credentials, adding the Security Group rules, and more. Control planes tend to be complicated orchestration and aggregation systems.

24
Q

Must you specify access policies on both the AWS resource and the role?

A

It is not required, but it is safer.

25
Q

What is a data plane?

A

The data plane is what provides the primary function of the service. For example, the following are all parts of the data plane for each of the services involved: the running EC2 instance itself, reading and writing to an EBS volume, getting and putting objects in an S3 bucket, and Route 53 answering DNS queries and performing health checks.

Data planes are intentionally less complicated, with fewer moving parts compared to control planes, which usually implement a complex system of workflows, business logic, and databases.

26
Q

What do A records map to?

A

Static IPs

27
Q

What do CNAMEs route to?

A

Other domain names

28
Q

What is an alias record?

A

An alias record is a type of DNS record that allows you to map a domain name to an AWS resource, such as an Amazon CloudFront distribution, an Elastic Load Balancer, an S3 bucket configured as a static website, or another Route 53 record. Alias records are unique to Route 53 and offer a few advantages.

29
Q

IAM = ?

A

Identity & Access Management

30
Q

What are groups?

A

Groups are entities that group users within an organization. A user can be part of many groups, and a group can have many users. A user can be without a group. A group can't contain another group.

31
Q

Are users global?

A

Yes

31
Q

What is the least privilege principle?

A

Do not give more permissions than a user needs.

32
Q

What are inline policies?

A

Policies attached to a single user, as opposed to a group.

33
Q

What is the IAM policy structure?

A

A JSON doc with version, ID (optional), and at least one statement.

34
Q

What does an IAM policy statement consist of?

A

Sid (statement ID), Effect (Allow or Deny), Principal (account, user, or role to which the policy applies), Action (list of actions this policy allows or denies), and Resource (resources to which the actions apply)

35
Q

What is EBS?

A

EBS (Elastic Block Store): AWS service providing durable, high-performance block storage for EC2 instances, used for data storage, backup, and applications requiring low-latency access.

36
Q

What is an application in AWS?

A

An application in AWS refers to a software program or suite designed to perform a specific function.

36
Q

What is a workload in AWS?

A

A workload in AWS represents the resources and processes required to deliver a specific business or technical objective. It includes applications, infrastructure (servers, storage, networking), and any supporting elements.

37
Q

What is a workforce identity?

A

A workforce identity in AWS refers to the digital identity of employees, contractors, or other members of an organization who need access to AWS resources or applications as part of their work.

38
Q

What is a resource?

A

In AWS, a resource is any object or entity that you can create, manage, or interact with in the AWS ecosystem.

39
Q

What is an IAM identity?

A

An IAM identity in AWS is a component within the Identity and Access Management (IAM) service that represents a user, group, or role. These identities are used to manage access to AWS resources securely by attaching policies that define their permissions.

40
Q

What kinds of Big O notations are there?

A

O(1): Constant complexity.
O(log n): Logarithmic complexity.
O(n): Linear complexity.
O(n log n): Loglinear complexity.
O(n^x): Polynomial complexity.
O(x^n): Exponential complexity.
O(n!): Factorial complexity.