34 thoughts on “AWS IAM Role”

  1. Hi Jayendrapatil

    For Q#14, I am confused whether the answer is A or B, because the question clearly states the user will log in using their social media credentials, and the question asks for the best approach to store the data.
    So I believe A is the right answer. Please clarify?

    1. The important point is that the user needs to be authenticated through an external service, and the role is able to do things.
      You need to use Web Identity Federation to allow users to be authenticated and then to generate Temporary Security Credentials, which can then assume the role to be able to perform the actions on S3 and DynamoDB.
      For option A, there is no authentication mechanism and the EC2 instance has the access, which is more static, so if a user gets unauthorized access in the mobile app he would be able to perform these actions.

    1. Hi Pradeep, the question mentions the Corporate Active Directory and hence the need for the AD Connector.

  2. You are designing a photo-sharing mobile app. The application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle potentially millions of users in the most secure manner possible. What should your server-side application do when a new user registers on the photo-sharing mobile application?

    Shouldn’t the user info be stored in DynamoDB?

    1. DynamoDB would be ideal here. The only reason the option is not selected is because it does not mention the creation of the Role and the step to assume the role, which would be needed if you want the mobile application to interact with AWS services.
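    To make the Web Identity Federation point from the earlier reply and the photo-sharing question above concrete, here is an added CloudFormation template (an example written for this thread, not the blog author's code or AWS's own sample). The Facebook app id is a constructed placeholder and the bucket is created in the same template; the trust policy only lets identities issued for that app call sts:AssumeRoleWithWebIdentity, and the permissions policy uses the graph.facebook.com:id policy variable so each authenticated user can only list, read and write keys under their own prefix.

    ```json
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Resources": {
        "PhotoBucket": { "Type": "AWS::S3::Bucket" },
        "MobileUserRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Principal": { "Federated": "graph.facebook.com" },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                  "StringEquals": { "graph.facebook.com:app_id": "PLACEHOLDER_FACEBOOK_APP_ID" }
                }
              }]
            },
            "Policies": [{
              "PolicyName": "OwnPhotosOnly",
              "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Allow",
                    "Action": "s3:ListBucket",
                    "Resource": { "Fn::GetAtt": ["PhotoBucket", "Arn"] },
                    "Condition": { "StringLike": { "s3:prefix": "${graph.facebook.com:id}/*" } }
                  },
                  {
                    "Effect": "Allow",
                    "Action": ["s3:GetObject", "s3:PutObject"],
                    "Resource": { "Fn::Join": ["", [
                      { "Fn::GetAtt": ["PhotoBucket", "Arn"] },
                      "/${graph.facebook.com:id}/*"
                    ]] }
                  }
                ]
              }
            }]
          }
        }
      }
    }
    ```

    The mobile app exchanges the provider's token for temporary credentials against MobileUserRole; no long-lived IAM user keys are embedded in the app, and a single role scales to any number of users because the user id is resolved by the policy variable at request time.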

  3. Hi Jayendra,

    For Question #13, can you please elaborate why the answer is C&D instead of A&D? Why should we choose C over A?

    1. Hi Pradeep, it should be B and C. Corrected the answers.
      A couple of things to look out for: the authentication should always be with LDAP and not IAM or STS.
      Also, the application or identity broker should either use the AssumeRole functionality or the federated token approach.

      1. Hi Jayendra,

        >>Also, the application or identity broker should either use a AssumeRole functionality or federated token approach.

        What do you mean by the “federated token approach” here? I’m trying to understand the concept. Could you please provide any links that explain federated tokens?


  4. Hi, there are people discussing questions 13 and 14, but I can’t see these questions. There are only 10 questions on this page (AWS IAM Role – Certification April 2, 2016 ~ jayendrapatil); please let me know what I am missing here. Thanks.

    In addition, how can I just get the topics and questions for AWS Certified Solutions Architect – Associate only? I have ordered the official study guide; please let me know if this is sufficient. Thanks.

    1. Hi Jo, yup, I have moved the Identity Federation to a separate post, so that’s why the question numbers do not match. You might have to match the question.
      Not sure about the official study guide, but the blog should cover all of it, I think, and much more.
      For Associate, I would rather suggest going for A Cloud Guru; it covers the topics well. Reading the FAQs and a few good re:Invent videos plus the blog should be good enough.

      1. Thanks Jayendra for quick reply.

        So it means that all of these sample questions and topics are a combination of preparation for many AWS certifications (Associate and Professional), and I cannot use this as a reference for a single exam, as it can be too much detail for me. Please explain.

        Thanks again.

  5. Question No. 7: looks like Option A is the correct answer instead of Option C? The reason being that the meaning of “creating reference role” may not be a correct possible way? With option A, it makes more sense as it states “and associate the Role to the application instances”. Any comment?

  6. Hi Jayendra, great scores and good content, only one question:
    Is it possible to hide the correct answers (either add another page/link or a + fold-out that shows the correct answer)?
    I want to be able to reason it out and not just learn the answers by heart.

    1. Thanks Andre, frankly speaking I have had multiple requests for this and had been trying to do the same 🙂
      A couple of reasons: first, I did not find a good plugin to start with and hence went ahead with this format, and second, now it has grown to over 120 posts and to revisit them I need time. But hopefully I would be able to make it quiz-like as you suggest soon.

  7. Hi, really useful post.
    Could you please explain the differences between options A and C in Q7? I cannot figure out the difference between:
    – associate the Role to the application instances by referencing an instance profile.
    – reference the Role in the instance profile property of the application instance.

    Thank you.

    1. The Role needs to be referenced in the instance profile property, which is used by the application.
      Refer to the AWS documentation – CloudFormation IAM Instance Profile

      "Resources": {
        "MyInstanceProfile": {
          "Type": "AWS::IAM::InstanceProfile",
          "Properties": {
            "Path": "/",
            "Roles": ["MyIAMRole"]
          }
        },
        "Instance": {
          "Type": "AWS::EC2::Instance",
          "Properties": {
            "IamInstanceProfile": {
              "Ref": "MyInstanceProfile"
            }
          }
        }
      }
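      For the full chain the reply refers to, here is an added complete template (an example for this thread, not the blog author's snippet or the AWS documentation page it cites). The bucket name and the AppBucketReadOnly inline policy are assumed for illustration; the instance never references the Role directly, it references the InstanceProfile via IamInstanceProfile, and the profile in turn references the Role, whose trust policy only lets the EC2 service assume it.

      ```json
      {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
          "ImageId": { "Type": "AWS::EC2::Image::Id" }
        },
        "Resources": {
          "MyIAMRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
              "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                  "Effect": "Allow",
                  "Principal": { "Service": "ec2.amazonaws.com" },
                  "Action": "sts:AssumeRole"
                }]
              },
              "Policies": [{
                "PolicyName": "AppBucketReadOnly",
                "PolicyDocument": {
                  "Version": "2012-10-17",
                  "Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:GetObject"],
                    "Resource": "arn:aws:s3:::example-app-bucket/*"
                  }]
                }
              }]
            }
          },
          "MyInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {
              "Path": "/",
              "Roles": [{ "Ref": "MyIAMRole" }]
            }
          },
          "Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
              "ImageId": { "Ref": "ImageId" },
              "InstanceType": "t2.micro",
              "IamInstanceProfile": { "Ref": "MyInstanceProfile" }
            }
          }
        }
      }
      ```

      The application on the instance then obtains short-lived credentials for MyIAMRole from the instance metadata service, so no access keys are stored on the host.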

  8. Hello Jayendra,

    Regarding Q4, I think the correct answers should be A, B, since we can assign the Roles to the running instances. We need not launch a new instance to assign the roles.

    Please correct me if I am wrong.


    1. Thanks Sumeet, it’s the latest enhancement from AWS, where an IAM role can now be assigned to an existing instance. We will update the same.

    1. Yup, I had split the sections as it was getting too long and hence the questions were moved as well.

  9. For Q. No. 7, why is the answer “B” and not “A”? Please provide some explanation; I want to clear my doubt.

  10. Hi Jay,

    What does the word PROFESSIONAL next to the question signify? Is that the professional-level exam and not associate?

    1. That’s right, I had tried to segregate the professional-level questions. However, it is not consistent across the blog.

  11. Hello Jayendra Sir. Your blog is very awesome and very useful for those who are preparing for the AWS exam.
