DEV Community

Roman


AWS IAM - top questions - Certified Developer exam


Hello Cloud Learners,
In the process of preparing for the exam, I am finding example questions on the Internet. I will post them here and on my site, all topics at once, along with explanations.
I hope this will be helpful to those who want to quickly go over the questions on each topic, as I plan to do.

A client has contracted you to review their existing AWS environment and to recommend and implement best-practice changes. You begin by reviewing existing users and Identity and Access Management (IAM). You have identified improvements that can be made in the use of the root account and IAM.

What are the best practice guidelines for use of the root account?

  1. Never use the root account.
  2. Use the root account only to create administrator accounts.
  3. Use the root account to create your first IAM user and then lock away the root account.
  4. Use the root account to create all other accounts, and share the root account with one backup administrator.

Your organization has an AWS setup and is planning to build Single Sign-On (SSO) so that users authenticate with on-premises Microsoft Active Directory Federation Services (ADFS) and then log in to the AWS console using AWS STS enterprise identity federation.

Which of the following AWS STS API calls do you need to make after the user has authenticated with your on-premises ADFS?

  1. AssumeRoleWithSAML
  2. GetFederationToken
  3. AssumeRoleWithWebIdentity
  4. GetCallerIdentity

Alice is building a mobile application. She plans to require Multi-Factor Authentication (MFA) when accessing some AWS resources.

Which of the following APIs should be used to obtain temporary security credentials in this case?

  1. AssumeRoleWithSAML
  2. GetFederationToken
  3. GetSessionToken
  4. AssumeRoleWithWebIdentity

A leading insurance firm has several new members in its development team. The solutions architect was instructed to provision access to certain IAM users who perform application development tasks in the VPC.

The access should allow the users to create and configure various AWS resources, such as deploying Windows EC2 servers. In addition, the users should be able to view information about their organization in AWS Organizations, including the master account email and organization limitations.

Which of the following should the solutions architect implement to follow the standard security advice of granting the least privilege?

  1. Attach the PowerUserAccess AWS managed policy to the IAM users.
  2. Attach the AdministratorAccess AWS managed policy to the IAM users.
  3. Create a new IAM role and attach the SystemAdministrator AWS managed policy to it. Assign the IAM Role to the IAM users.
  4. Create a new IAM role and attach the AdministratorAccess AWS managed policy to it. Assign the IAM Role to the IAM users.

A company has 100 AWS accounts that are consolidated using AWS Organizations. The accountants from the finance department log in as IAM users in the TD-Finance AWS account. The finance team members need to read the consolidated billing information in the TD-Master AWS master account that pays the charges of all the member (linked) accounts. The required IAM access to the AWS billing services has already been provisioned in the master account.

The Security Officer must ensure that the finance team cannot view any other resources in the master account.

Which of the following grants the finance team the necessary permissions for the above requirement?

  1. Set up an IAM group for the finance users in the TD-Finance account, then attach a ViewBilling permission and AWS managed ReadOnlyAccess IAM policy to the group.
  2. Set up individual IAM users for the finance users in the TD-Master account, then attach the AWS managed ReadOnlyAccess IAM policy to the group with cross-account access.
  3. Set up an AWS IAM role in the TD-Finance account with the ViewBilling permission, then grant the finance users in the TD-Master account the permission to assume that role.
  4. Set up an IAM role in the TD-Master account with the ViewBilling permission, then grant the finance users in the TD-Finance account the permission to assume the role.
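The last two questions both turn on how IAM actually decides a request: an explicit Deny beats any Allow, anything a policy does not name is implicitly denied (the least-privilege point), and a policy in one account grants nothing in another account unless a role in the target account trusts the caller. The following Python script is an added example, not code from the post or from AWS: it contains a minimal IAM-style evaluator and walks the cross-account billing pattern end to end. All account IDs, ARNs and policy documents are constructed stand-ins for TD-Master and TD-Finance; `sts:AssumeRole` and `aws-portal:ViewBilling` are real IAM action names, everything else is illustrative.

```python
"""Minimal IAM-style policy evaluator for the cross-account billing pattern.

Added example (not from the post). Account IDs, ARNs and policy documents
below are constructed for illustration, not real AWS resources.
"""
import fnmatch

# Constructed account IDs standing in for the two accounts in the question.
MASTER_ACCOUNT = "111111111111"   # "TD-Master": pays the bill, owns the role
FINANCE_ACCOUNT = "222222222222"  # "TD-Finance": where the finance IAM users live
ROLE_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:role/FinanceBillingView"  # hypothetical role name

# Trust policy on the role in the master account: only the finance account
# may call sts:AssumeRole on it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{FINANCE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy attached to that role: billing read access and nothing else.
ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "aws-portal:ViewBilling", "Resource": "*"}],
}

# Identity policy on the finance group in the finance account: may assume
# exactly this one role. It grants nothing inside the master account by itself.
FINANCE_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource="*"):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy.

    Mirrors the IAM rule of thumb: an explicit Deny wins over any Allow,
    and a request no statement matches is implicitly denied. Action names
    are case-insensitive and may use '*' wildcards, as in real policies.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny: stop immediately
        decision = "Allow"         # keep scanning in case a later statement denies
    return decision


def can_assume(trust_policy, caller_account):
    """Trust check on the role side: does the trust policy name the caller's account?"""
    caller = f"arn:aws:iam::{caller_account}:root"
    for stmt in trust_policy["Statement"]:
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if (stmt["Effect"] == "Allow" and caller in principals
                and "sts:AssumeRole" in _as_list(stmt["Action"])):
            return True
    return False


def cross_account_access(identity_policy, caller_account, action):
    """Full path for a finance user trying ACTION in the master account.

    1. The caller's own identity policy must allow sts:AssumeRole on the role.
    2. The role's trust policy must accept the caller's account.
    3. Only then does the role's permission policy decide what the session may do.
    """
    if evaluate(identity_policy, "sts:AssumeRole", ROLE_ARN) != "Allow":
        return "ImplicitDeny"      # caller may not even attempt the assume
    if not can_assume(TRUST_POLICY, caller_account):
        return "NotTrusted"        # AssumeRole fails with AccessDenied on the master side
    return evaluate(ROLE_PERMISSIONS, action)


if __name__ == "__main__":
    for account, action in [
        (FINANCE_ACCOUNT, "aws-portal:ViewBilling"),   # what the finance team needs
        (FINANCE_ACCOUNT, "ec2:DescribeInstances"),     # other master-account resources
        ("333333333333", "aws-portal:ViewBilling"),     # an account the role does not trust
    ]:
        print(f"{account} -> {action}: {cross_account_access(FINANCE_GROUP_POLICY, account, action)}")
```

Running the script shows the finance account getting `Allow` for billing, `ImplicitDeny` for anything else in the master account, and `NotTrusted` for an account the role does not name. Swapping `ROLE_PERMISSIONS` for a broad policy such as `"Action": "*"` is the quickest way to see why attaching a wide managed policy violates the least-privilege requirement in the developer-access question: the evaluator then allows every action it is asked about.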

Full set with questions on all topics and explanation can be found here
