
SAA-C03 Practice Questions: IAM, S3 & VPC Security

22 February 2026·4 min read·By Jacob

This set covers the security domain, which accounts for 30% of the SAA-C03 exam, the largest single domain. Getting these concepts solid is essential.


Question 1

A company needs to grant an EC2 instance access to S3 without embedding credentials in the application. What is the recommended approach?

  • A) Store access keys in the EC2 instance user data
  • B) Attach an IAM role to the EC2 instance with the required S3 permissions
  • C) Create an IAM user and store credentials in an environment variable
  • D) Hardcode an access key in the application configuration file
<details> <summary>Show Answer & Explanation</summary>

Answer: B: Attach an IAM role to the EC2 instance

IAM roles attached to EC2 instances provide temporary credentials delivered automatically via the Instance Metadata Service (IMDS). The credentials rotate automatically, with no manual key management required.

All other options involve static credentials, which are an OWASP Top 10 security anti-pattern:

  • User data is readable by any process on the instance that can reach the metadata service
  • Environment variables require manual rotation and are visible in process listings
  • Hardcoded keys frequently end up committed to version control by accident

The AWS-recommended pattern:

EC2 Instance → Instance Profile → IAM Role → IAM Policy → S3 Permissions

The SDK automatically retrieves credentials from the metadata endpoint at 169.254.169.254. Your application code needs zero credential management.

On the exam, whenever a question asks how an AWS service should access another AWS service, the answer is almost always IAM roles, never access keys.
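As an added illustration (not code from the article or from AWS), the following Python builds the role that sits behind the Instance Profile → IAM Role → IAM Policy chain, lints it for the mistakes that turn a role into an over-broad credential, and scans a user-data snippet for the static-key anti-pattern the bullets above describe. The bucket name is made up for the example; the access key ID in the demo is AWS's documented placeholder, not a real key.

```python
from __future__ import annotations

import re

# Constructed bucket name for the example, not one from the article.
BUCKET = "example-app-data"


def build_s3_read_role(bucket: str) -> tuple[dict, dict]:
    """Return (trust policy, permission policy) for an instance role that only
    needs to read one bucket. The trust policy says who may assume the role
    (the EC2 service, on behalf of the instance profile); the permission policy
    says what the role may do once assumed. Both use the IAM JSON document shape."""
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }
    return trust, permissions


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def lint_instance_role(trust: dict, permissions: dict) -> list[str]:
    """Flag the mistakes that turn an instance role into an over-broad credential.
    Returns a list of findings; an empty list means the role passed."""
    findings: list[str] = []
    for stmt in trust.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any principal assume the role")
        elif not isinstance(principal, dict) or principal.get("Service") != "ec2.amazonaws.com":
            findings.append(f"trust policy principal is not the EC2 service: {principal!r}")
    for stmt in permissions.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "s3:*"):
                findings.append(f"over-broad action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append("resource '*' grants access to every bucket in the account")
    return findings


# Static access key IDs have a fixed shape (AKIA for long-term keys, ASIA for
# temporary ones), which makes them easy to scan for in user data and config.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_static_keys(text: str) -> list[str]:
    """Return every access key ID found in a blob of user data or configuration."""
    return ACCESS_KEY_ID.findall(text)


if __name__ == "__main__":
    trust, perms = build_s3_read_role(BUCKET)
    print("findings for the least-privilege role:", lint_instance_role(trust, perms))
    # Constructed user-data snippet showing the anti-pattern (AWS's documented example key ID).
    user_data = "#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    print("static keys in user data:", find_static_keys(user_data))
```

The lint is deliberately narrow: it catches the two findings that matter most for this question (a trust policy that is not limited to the EC2 service, and `*` actions or resources), which is the shape of check worth running in CI before a role is deployed.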

</details>

Question 2

A company wants to prevent any S3 objects in their account from being accidentally made public. Which S3 feature should they enable at the account level?

  • A) S3 Versioning
  • B) S3 Block Public Access
  • C) S3 Object Lock
  • D) S3 Cross-Region Replication
<details> <summary>Show Answer & Explanation</summary>

Answer: B: S3 Block Public Access

S3 Block Public Access, when enabled at the account level, overrides all bucket policies and ACLs. Even if a developer misconfigures a bucket policy to allow public access, Block Public Access prevents it from taking effect.

The other options serve different purposes:

  • Versioning: Keeps a history of every object version (protects against accidental deletion/overwrites)
  • Object Lock: Prevents objects from being deleted or overwritten for a defined retention period (WORM compliance)
  • Cross-Region Replication: Copies objects to a bucket in another region (disaster recovery, not access control)

Know these four S3 protection mechanisms for the exam:

| Feature | Protects against |
|---|---|
| Block Public Access | Accidental public exposure |
| Versioning | Accidental deletion/overwrites |
| Object Lock (Compliance/Governance) | Intentional deletion during retention period |
| MFA Delete | Unauthorised version deletion |
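The override behaviour is easier to reason about with a small model. The Python below is an added example, not code from the article or the S3 service: it uses the four real Block Public Access setting names, a constructed bucket and a deliberately misconfigured public-read policy, and a simplified notion of "public" (an Allow for the anonymous principal with no Condition). It shows both halves of the feature: the write-time refusal (BlockPublicPolicy / BlockPublicAcls) and the neutralising of policies and ACLs that were already in place (RestrictPublicBuckets / IgnorePublicAcls).

```python
from __future__ import annotations

# Constructed bucket and a misconfigured policy a developer might apply by
# mistake: read access for the anonymous principal "*".
BUCKET = "example-app-assets"
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccidentalPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# The other route to a public bucket: an ACL grant to a global group.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACL_GRANTS = [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]

# The four real Block Public Access settings, all enabled (the account-level posture the question asks for).
BPA_ALL_ON = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


class PublicAccessBlocked(Exception):
    """Raised when a write is refused, standing in for the AccessDenied the S3 API returns."""


def statement_is_public(stmt: dict) -> bool:
    """Simplified test: an Allow for the anonymous principal with no Condition.
    AWS's real definition is broader (it also looks at which condition keys are used)."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return anonymous and not stmt.get("Condition")


def policy_is_public(policy: dict | None) -> bool:
    return bool(policy) and any(statement_is_public(s) for s in policy.get("Statement", []))


def acl_is_public(grants: list[dict]) -> bool:
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS for g in grants)


def put_bucket_policy(policy: dict, bpa: dict) -> dict:
    """Write-time control: BlockPublicPolicy refuses a policy that would make the bucket public."""
    if bpa.get("BlockPublicPolicy") and policy_is_public(policy):
        raise PublicAccessBlocked("BlockPublicPolicy: refusing a public bucket policy")
    return policy


def put_bucket_acl(grants: list[dict], bpa: dict) -> list[dict]:
    """Write-time control: BlockPublicAcls refuses a public ACL."""
    if bpa.get("BlockPublicAcls") and acl_is_public(grants):
        raise PublicAccessBlocked("BlockPublicAcls: refusing a public ACL")
    return grants


def effective_public_access(policy: dict | None, grants: list[dict], bpa: dict) -> dict:
    """What an anonymous caller can actually reach once a policy/ACL is already in
    place. RestrictPublicBuckets neutralises an existing public policy and
    IgnorePublicAcls neutralises an existing public ACL, which is why enabling the
    setting account-wide also covers buckets misconfigured before it was turned on."""
    via_policy = policy_is_public(policy) and not bpa.get("RestrictPublicBuckets", False)
    via_acl = acl_is_public(grants) and not bpa.get("IgnorePublicAcls", False)
    return {"via_policy": via_policy, "via_acl": via_acl, "public": via_policy or via_acl}


if __name__ == "__main__":
    print("no BPA:  ", effective_public_access(PUBLIC_READ_POLICY, PUBLIC_ACL_GRANTS, {}))
    print("BPA on:  ", effective_public_access(PUBLIC_READ_POLICY, PUBLIC_ACL_GRANTS, BPA_ALL_ON))
    try:
        put_bucket_policy(PUBLIC_READ_POLICY, BPA_ALL_ON)
    except PublicAccessBlocked as exc:
        print("write refused:", exc)
```

The practical point the model makes: BlockPublicPolicy alone only stops new public policies, so an audit of an account that enabled the setting late should confirm RestrictPublicBuckets and IgnorePublicAcls are on as well.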
</details>

Question 3

Which AWS component provides a stateless packet filter at the subnet level in a VPC that supports explicit DENY rules?

  • A) Security Groups
  • B) AWS WAF
  • C) Network Access Control Lists (NACLs)
  • D) AWS Shield
<details> <summary>Show Answer & Explanation</summary>

Answer: C: Network Access Control Lists (NACLs)

NACLs operate at the subnet boundary and are stateless, so return traffic (for example, replies to a client's ephemeral port) must be explicitly allowed by a rule in the opposite direction. They support both ALLOW and DENY rules, evaluated in ascending rule number: the first matching rule decides, and anything unmatched is denied by the final `*` rule.

The other options:

  • Security Groups: Stateful, operate at the instance/ENI level; anything not explicitly allowed is implicitly denied, but there are no explicit DENY rules
  • AWS WAF: Inspects HTTP/HTTPS requests at the application layer (Layer 7), not packet-level networking
  • AWS Shield: DDoS protection service, not a firewall

Security Groups vs NACLs, a comparison the exam loves:

|  | Security Groups | NACLs |
|---|---|---|
| Level | Instance/ENI | Subnet |
| Stateful? | ✅ Yes | ❌ No |
| Explicit DENY? | ❌ No | ✅ Yes |
| Rule evaluation | All rules | Numbered order (lowest first) |
| Default | Deny all inbound | Allow all |
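To make the rows of that comparison concrete, here is an added Python model (not code from the article or from AWS) of how the two evaluate one HTTPS connection. The client port 54321, the rule sets and the packets are constructed for the example, and the model tracks only protocol and destination port, ignoring CIDRs. It shows the stateless trap (an inbound allow for 443 with no outbound rule for the reply), the fix, the lowest-number-wins explicit DENY, and the security group's connection tracking.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", seen from the instance/subnet
    protocol: str    # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluation order: lowest number first
    direction: str
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"; NACLs support both


@dataclass(frozen=True)
class SgRule:
    direction: str
    protocol: str
    port_from: int
    port_to: int
    # Security groups only have allow rules; anything unmatched is denied.


def _matches(rule, packet: Packet) -> bool:
    return (rule.direction == packet.direction
            and rule.protocol in ("all", packet.protocol)
            and rule.port_from <= packet.dst_port <= rule.port_to)


def nacl_decide(rules: list[NaclRule], packet: Packet) -> str:
    """Stateless: every packet, replies included, is judged on its own.
    Rules are tried in ascending number, the first match decides, and the
    implicit '*' rule at the end denies anything left over."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet):
            return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    rules: list[SgRule]
    tracked: set[tuple[int, int]] = field(default_factory=set)  # (client port, service port)

    def decide(self, packet: Packet) -> str:
        """Stateful: a packet that belongs to an already-allowed connection is
        allowed without consulting the rules; otherwise every rule is checked
        and any match allows (rule order does not matter)."""
        if packet.direction == "inbound" and (packet.src_port, packet.dst_port) in self.tracked:
            return "allow"
        if packet.direction == "outbound" and (packet.dst_port, packet.src_port) in self.tracked:
            return "allow"
        for rule in self.rules:
            if _matches(rule, packet):
                key = ((packet.src_port, packet.dst_port) if packet.direction == "inbound"
                       else (packet.dst_port, packet.src_port))
                self.tracked.add(key)
                return "allow"
        return "deny"   # note: AWS's default security group ships with an outbound allow-all rule


# Constructed scenario: a client on ephemeral port 54321 opens HTTPS to the instance.
REQUEST = Packet("inbound", "tcp", src_port=54321, dst_port=443)
REPLY = Packet("outbound", "tcp", src_port=443, dst_port=54321)

NACL_MISSING_EPHEMERAL = [
    NaclRule(100, "inbound", "tcp", 443, 443, "allow"),
    NaclRule(100, "outbound", "tcp", 443, 443, "allow"),   # wrong: the reply goes to port 54321
]
NACL_FIXED = NACL_MISSING_EPHEMERAL + [NaclRule(110, "outbound", "tcp", 1024, 65535, "allow")]
NACL_EXPLICIT_DENY = [
    NaclRule(90, "inbound", "tcp", 22, 22, "deny"),        # lower number, so it wins over rule 100
    NaclRule(100, "inbound", "tcp", 0, 65535, "allow"),
]
SSH_ATTEMPT = Packet("inbound", "tcp", src_port=40000, dst_port=22)


def flow(decider, request: Packet, reply: Packet) -> tuple[str, str]:
    """Decision for the request and for its reply, in that order."""
    return decider(request), decider(reply)


if __name__ == "__main__":
    print("NACL, no ephemeral rule:", flow(lambda p: nacl_decide(NACL_MISSING_EPHEMERAL, p), REQUEST, REPLY))
    print("NACL, fixed:           ", flow(lambda p: nacl_decide(NACL_FIXED, p), REQUEST, REPLY))
    print("NACL explicit deny 22: ", nacl_decide(NACL_EXPLICIT_DENY, SSH_ATTEMPT))
    sg = SecurityGroup([SgRule("inbound", "tcp", 443, 443)])
    print("Security group:        ", flow(sg.decide, REQUEST, REPLY))
```

The NACL result ("allow", "deny") for the first rule set is the classic symptom of forgetting the ephemeral-port range; the same connection through a security group with only an inbound 443 rule comes back ("allow", "allow") because the reply is matched by connection state, not by a rule.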
</details>

Key Takeaways

  • EC2-to-S3 access → IAM Role with Instance Profile (never static credentials)
  • Account-level S3 protection → Block Public Access (overrides all bucket policies)
  • Subnet-level stateless firewall with explicit DENY → NACL (not Security Group, which is stateful and instance-level)
