Hello, fellow cloud enthusiasts! Continuing our series on the AWS Academy Cloud Architecting course, which is great preparation for the AWS Certified Solutions Architect – Associate (SAA-C03) exam. Module 3, Securing Access, covers foundational security concepts: the Security pillar, the shared responsibility model, the principle of least privilege, IAM basics (users, groups, roles, policies), root user best practices, and IAM policy evaluation logic.

In this post, we’ll cover the Module 3 Knowledge Check questions (typically 10 multiple-choice, some select-multiple). For each:

  • Full question with all options,
  • Correct answer(s),
  • A detailed explanation of why it’s correct (and why the others are not).

These reinforce the Security pillar and IAM fundamentals—critical for secure architectures!

Question 1: Which statement reflects a design principle of the Security pillar of the AWS Well-Architected Framework?

Options:

  • A. Automate everything to reduce human error.
  • B. Apply security at all layers of an architecture.
  • C. Focus security only on data encryption.
  • D. Implement security only after deployment.

Correct Answer: B

Very Detailed Explanation:
The Security pillar lists “Apply security at all layers” as one of its design principles: defense in depth, with controls at the edge network, VPC, load balancer, instance, operating system, application and data layers, so that a single failed control does not expose everything. B matches that principle directly. A is not a stated principle of the Security pillar; its automation principle is “Automate security best practices”, and “automate everything” reads more like Operational Excellence (“perform operations as code”). C is too narrow: encryption is one control among many, and the pillar also covers identity, detection, infrastructure protection and incident response. D contradicts building security in from the design stage rather than bolting it on afterwards.

Question 2: Which statements about responsibility are accurate based on the AWS shared responsibility model? (Select TWO)

Options:

  • A. AWS is responsible for the physical security of data centers.
  • B. Customers are responsible for managing their user data.
  • C. AWS is responsible for patching guest operating systems.
  • D. Customers are responsible for securing the underlying hardware.
  • E. AWS manages access to user data in all cases.

Correct Answers: A and B

Very Detailed Explanation:
The shared responsibility model splits duties. AWS is responsible for “security of the cloud”: physical facilities, hardware, networking and the virtualization layer, so A is correct. Customers are responsible for “security in the cloud”: their data and its classification and encryption, their applications, their IAM configuration and, on EC2, the guest operating system, so B is correct. C is a customer duty for EC2 instances (on managed services such as RDS or Lambda, AWS patches the underlying OS, but the question is about guest operating systems that the customer runs). D is AWS’s job. E is false: the customer decides who may access their data, through IAM and resource policies. Knowing which side of the line a control sits on is how you avoid leaving gaps that nobody is patching or monitoring.

Question 3: Which options are characteristics of the principle of least privilege? (Select TWO)

Options:

  • A. Craft security policies that limit access to specific tasks.
  • B. Grant access only as needed.
  • C. Provide full administrative access to all users by default.
  • D. Allow broad access and revoke later if needed.
  • E. Require users to request additional permissions annually.

Correct Answers: A and B

Very Detailed Explanation:
Least privilege means granting only the permissions a task actually needs, for only as long as it needs them, which shrinks the blast radius when a credential is stolen or a workload is compromised. A describes granular policies: specific actions on specific resources, with conditions where possible. B describes need-based, just-in-time access rather than standing permissions. C and D are the opposite approach (start broad, tighten later), which in practice never gets tightened. E (periodic re-requests) is a reasonable review cadence but not part of the definition. Enforce least privilege with scoped IAM policies, roles instead of long-lived access keys, and regular access reviews; IAM Access Analyzer’s last-accessed information shows which granted permissions are never used and can be removed.

Question 4: Which statement about AWS Identity and Access Management (IAM) is true?

Options:

  • A. IAM controls access only to the AWS Management Console.
  • B. With IAM, you can grant principals granular access to resources.
  • C. IAM users automatically have full access to all services.
  • D. IAM is only for external federated users.

Correct Answer: B

Very Detailed Explanation:
IAM centrally manages authentication and authorization for AWS API calls. Principals (IAM users, roles and federated identities; groups are containers for users, not principals themselves) receive fine-grained permissions, e.g. allow s3:GetObject on one bucket prefix. B is IAM’s core capability. A is false: every console click is an API call, and IAM governs CLI and SDK requests the same way. C is false: a new IAM user has no permissions until a policy is attached (implicit deny). D is false: IAM supports federation, but it also manages native users and roles.

Question 5: Which statements describe AWS Identity and Access Management (IAM) roles? (Select TWO)

Options:

  • A. They provide temporary security credentials.
  • B. Individuals, applications, and services can assume roles.
  • C. Roles are permanent credentials like IAM users.
  • D. Roles can only be assumed by AWS services.
  • E. Roles require passwords for assumption.

Correct Answers: A and B

Very Detailed Explanation:
A role is an IAM identity with permissions but no long-term credentials. Assuming it (sts:AssumeRole, or the SAML and Web Identity variants) returns temporary credentials from AWS STS: an access key, secret key and session token that expire, by default after one hour and at most after the role’s configured maximum session duration (up to 12 hours). A is correct. B is correct: EC2 instances (through an instance profile), Lambda functions, users in another account and federated identities can all assume a role, provided the role’s trust policy names them. C is false; avoiding permanent credentials is the reason to use roles instead of users. D is false (see B). E is false: a role has no password. Assumption is authorized by the trust policy plus the caller’s existing credentials, optionally gated by a Condition such as aws:MultiFactorAuthPresent. Roles are how you delegate access securely.

Question 6: Which statement reflects a best practice for the root user on an AWS account?

Options:

  • A. Use the root user for daily administrative tasks.
  • B. Create an admin user and perform most admin tasks with this user instead of the root user.
  • C. Share root credentials across the team.
  • D. Disable MFA on the root user for easier access.

Correct Answer: B

Very Detailed Explanation:
The root user can do anything in the account, including a few tasks that no IAM policy or SCP can restrict (closing the account, changing the support plan), so AWS recommends using it only for the handful of tasks that require it. B matches this: create an administrative identity with AdministratorAccess and do day-to-day work as that identity. AWS’s current guidance goes further and prefers federated identities through IAM Identity Center over IAM users with long-term credentials. A and C widen the blast radius of a root compromise, and shared credentials also destroy accountability in CloudTrail. D removes the main control on the most powerful identity: AWS strongly recommends MFA on the root user and has been making it mandatory.

Question 7: How does AWS Identity and Access Management (IAM) evaluate a policy?

Options:

  • A. It checks for explicit allow statements before deny.
  • B. It checks for explicit deny statements before it checks for explicit allow statements.
  • C. All policies are evaluated simultaneously with no priority.
  • D. Default allow overrides everything.

Correct Answer: B

Very Detailed Explanation:
IAM gathers every policy that applies to a request and then decides in a fixed order: an explicit Deny in any applicable policy wins outright, even if other policies Allow; otherwise the request needs at least one explicit Allow; with neither, the result is an implicit Deny. B states that order. A reverses it. C is half right (all applicable policies are considered) but wrong about priority. D is false: there is no default allow, which is what makes the model fail closed. In a full evaluation the Allow must also survive organization SCPs, permissions boundaries and session policies, which can only restrict, never grant.
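To make the decision order concrete, here is a small Python evaluator I have added for this post; it is not code from the AWS Academy course or from AWS. It models identity-based policies only (no SCPs, permissions boundaries, resource policies or session policies), supports just the StringEquals and Bool condition operators and their IfExists forms, and runs two constructed sample policies: a read-only S3 allow and a deny-unless-MFA guard. The bucket name, object key and request contexts are invented.

```python
"""Toy model of IAM's decision order: explicit Deny > explicit Allow > implicit Deny.

Added example for this post, not code from the AWS Academy course or AWS.
Scope: identity-based policies only, StringEquals/Bool(IfExists) conditions,
wildcard matching with fnmatch. Sample policies and requests are constructed.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows a single string or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _condition_met(condition, context):
    """Evaluate a Condition block against the request context (a dict of keys)."""
    for operator, clauses in condition.items():
        base = operator.replace("IfExists", "")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                # ...IfExists treats a missing key as a match; a plain operator does not.
                if operator.endswith("IfExists"):
                    continue
                return False
            wanted = [str(v) for v in _as_list(expected)]
            if base == "Bool":            # Bool compares case-insensitively
                ok = str(actual).lower() in [v.lower() for v in wanted]
            elif base == "StringEquals":  # StringEquals is case-sensitive
                ok = str(actual) in wanted
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def _applies(stmt, action, resource, context):
    """True when Action, Resource and Condition all cover the request."""
    # Action names match case-insensitively; ARNs match case-sensitively.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = _as_list(stmt.get("Resource"))
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    return _condition_met(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return (decision, reason) for one request across all attached policies."""
    context = context or {}
    allow_seen = False
    for policy in policies:
        statements = policy["Statement"]
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return ("Deny", "explicit-deny")   # wins regardless of policy order
            allow_seen = True                      # keep scanning: a later Deny still wins
    return ("Allow", "explicit-allow") if allow_seen else ("Deny", "implicit-deny")


# Constructed sample policies (the bucket name is invented).
READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

DENY_WITHOUT_MFA = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}""")

# The same guard written with BoolIfExists, so it also bites when the request
# context carries no MFA key at all (as with long-term access keys).
DENY_WITHOUT_MFA_IFEXISTS = json.loads(
    json.dumps(DENY_WITHOUT_MFA).replace('"Bool"', '"BoolIfExists"'))

OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"   # constructed request target

if __name__ == "__main__":
    mfa, no_mfa = {"aws:MultiFactorAuthPresent": "true"}, {"aws:MultiFactorAuthPresent": "false"}
    cases = [
        ("GetObject with MFA", [READ_ONLY, DENY_WITHOUT_MFA], "s3:GetObject", mfa),
        ("GetObject without MFA", [READ_ONLY, DENY_WITHOUT_MFA], "s3:GetObject", no_mfa),
        ("PutObject with MFA (no Allow)", [READ_ONLY, DENY_WITHOUT_MFA], "s3:PutObject", mfa),
        ("GetObject, long-term key, Bool", [READ_ONLY, DENY_WITHOUT_MFA], "s3:GetObject", {}),
        ("GetObject, long-term key, BoolIfExists", [READ_ONLY, DENY_WITHOUT_MFA_IFEXISTS], "s3:GetObject", {}),
    ]
    for name, policies, action, ctx in cases:
        print(f"{name:42} -> {evaluate(policies, action, OBJECT, ctx)}")
```

The last two cases are the practitioner’s caveat: a plain Bool condition does not match when the aws:MultiFactorAuthPresent key is absent from the request context, which is exactly the situation for long-term access keys, so the Deny silently never fires. BoolIfExists closes that gap, which is why AWS’s own MFA-enforcement examples are written that way.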

Question 8: Which statement about AWS Identity and Access Management (IAM) policies is accurate?

Options:

  • A. Resource-based policies are attached to a user, group, or role.
  • B. Identity-based policies are attached to a user, group, or role.
  • C. All policies are resource-based only.
  • D. Policies cannot be attached to groups.

Correct Answer: B

Very Detailed Explanation:
IAM has two main policy types. Identity-based policies attach to a user, group or role and state what that identity may do. Resource-based policies attach to a resource (an S3 bucket policy, an SQS queue policy, or a role’s trust policy) and name the Principal they apply to. B is the correct description. A swaps the two. C ignores identity-based policies, which are the more common kind. D is false: attaching policies to groups is the standard way to give a set of users the same permissions.

Question 9: Which AWS Identity and Access Management (IAM) policy element includes information about whether to allow or deny a request?

Options:

  • A. Principal
  • B. Action
  • C. Resource
  • D. Effect
  • E. Condition

Correct Answer: D

Very Detailed Explanation:
In a JSON policy, Effect is “Allow” or “Deny” and is required in every statement; it is the element that turns the rest of the statement into a permission or a prohibition. Principal (A) identifies who the statement applies to and appears only in resource-based policies and role trust policies; in an identity-based policy the attached identity is implied. Action (B) lists the API operations, Resource (C) the ARNs they apply to, and Condition (E) optional request context such as source IP, MFA state or tags. Knowing this structure is essential both for writing policies and for reading someone else’s.

Question 10: Which option accurately describes the statement element in an AWS Identity and Access Management (IAM) policy?

Options:

  • A. It lists the principal assuming the policy.
  • B. The statement element contains other elements that together define what is allowed or denied.
  • C. It is optional and only used for conditions.
  • D. It specifies only the Effect.

Correct Answer: B

Very Detailed Explanation:
A policy has a Statement element holding one statement object or an array of them. Each statement combines Effect, Action (or NotAction), Resource (or NotResource), an optional Condition and, in resource-based policies, a Principal; together they define one permission rule. B describes this. A is wrong: Principal is one element inside a statement, present only in resource-based policies, and principals assume roles, not policies. C is false: Statement is required in every policy. D is incomplete: Effect alone says nothing about which actions or resources are affected. A policy usually carries several statements, each scoped to one purpose.
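As an added example that ties Questions 3, 5, 8, 9 and 10 together (my own code for this post, not the course’s or AWS’s), the linter below walks a policy’s Statement element, checks that each statement has a valid Effect and an Action, that Principal appears only in resource-based policies (such as a role trust policy), that identity-based statements name a Resource, and flags an unconditional Allow on Action * and Resource * as a least-privilege failure. The four sample policies are constructed for the demo; the bucket name and Sids are invented.

```python
"""Structural and least-privilege checks on an IAM policy document.

Added example for this post, not code from the AWS Academy course or AWS.
It inspects the Statement element and its sub-elements (Effect, Action,
Resource, Principal, Condition). Sample policies below are constructed.
"""
import json

VALID_EFFECTS = {"Allow", "Deny"}


def _as_list(value):
    """Normalise a single string or a list to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy, policy_type="identity"):
    """Return a list of findings (empty means the policy passed).

    policy_type is "identity" (attached to a user, group or role) or
    "resource" (attached to a bucket or queue, or to a role as its trust policy).
    """
    findings = []
    if "Statement" not in policy:
        return ["missing required Statement element"]
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]           # a single statement need not be wrapped in a list
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        effect = stmt.get("Effect")
        if effect not in VALID_EFFECTS:
            findings.append(f"{sid}: Effect must be Allow or Deny, got {effect!r}")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{sid}: needs Action or NotAction")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if policy_type == "identity":
            if has_principal:
                findings.append(f"{sid}: Principal is not allowed in an identity-based policy")
            if "Resource" not in stmt and "NotResource" not in stmt:
                findings.append(f"{sid}: identity-based statement needs Resource or NotResource")
        elif not has_principal:
            findings.append(f"{sid}: resource-based statement needs Principal or NotPrincipal")
        # Least-privilege smells: unconditional full access, or Allow-everything-except.
        if effect == "Allow" and "Condition" not in stmt:
            if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
                findings.append(f"{sid}: Allow on Action * and Resource * is full administrator access; scope both")
            elif "NotAction" in stmt:
                findings.append(f"{sid}: Allow with NotAction grants every action not listed; prefer an explicit Action list")
    return findings


# Constructed sample policies (bucket name and Sids are invented).
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadReports",
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/reports/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

# A role trust policy: resource-based, so it carries a Principal and no Resource.
EC2_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Deliberately malformed: lowercase Effect, Principal in an identity policy, no Resource.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject"}
}""")

if __name__ == "__main__":
    samples = [("admin", ADMIN_POLICY, "identity"), ("scoped", SCOPED_POLICY, "identity"),
               ("ec2-trust", EC2_TRUST_POLICY, "resource"), ("broken", BROKEN_POLICY, "identity")]
    for name, policy, kind in samples:
        print(f"{name:10} {lint_policy(policy, kind) or 'OK'}")
```

Running EC2_TRUST_POLICY through the linter as an identity-based policy shows why the distinction in Question 8 matters: the same JSON is valid as a trust policy and invalid as a permissions policy, because Principal is only meaningful on the resource side.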

Final Thoughts

Module 3 builds a secure foundation with IAM and best practices. These concepts appear heavily in the SAA-C03 exam—focus on policy evaluation, least privilege, and shared responsibility!

Practice creating policies in the IAM console. Comment if you want Module 4 (Adding a Storage Layer with Amazon S3) next!

Happy securing! 🔒☁️

Er. Bikash Subedi
January 17, 2026