UprootSecurity

Phase 2 · IAM Fundamentals · Lesson 3 of 3

Authentication vs Authorization: 15-Statement Quiz

Quiz · 8 min · +5 pts

For each statement below, classify it as primarily Authentication, Authorization, Both, or Neither. This exercise builds the pattern recognition you need to categorize IAM controls accurately during audits. When you write a control narrative or map a configuration to a framework criterion, you need to know instantly whether you are describing an authentication mechanism or an authorization mechanism — the wrong classification means the control maps to the wrong audit criteria.

Take your time with the edge cases. Several statements are deliberately designed to be ambiguous, because real-world IAM configurations are ambiguous too.

Identity verification

Statement 1: A user enters their password to log into a corporate application.

Statement 2: A service account is granted read-only access to an S3 bucket via an IAM policy.

Statement 3: An employee badges into the office using a proximity card.

Policy and permissions

Statement 4: A firewall rule blocks all inbound traffic from a specific IP range.

Statement 5: A SAML assertion is validated by the service provider after a user logs in via SSO.

Statement 6: An IAM role trust policy in AWS allows a principal from a different account to assume the role.

Biometrics and MFA

Statement 7: A user scans their fingerprint to unlock a company laptop.

Statement 8: An SCP in AWS Organizations prevents any principal in any member account from calling cloudtrail:StopLogging.

Statement 9: A JWT access token is verified against the issuer's public key before an API request is processed.

The gray areas

Statement 10: A Conditional Access policy in Entra ID requires that users be on a managed, compliant device AND pass MFA before accessing Microsoft 365.

Statement 11: An API key is included in the Authorization header of an HTTP request to a third-party service.

Statement 12: A quarterly least-privilege review removes unused IAM permissions from developer roles.

Advanced scenarios

Statement 13: After entering their password, a user receives an MFA push notification on their phone and approves it.

Statement 14: A permission boundary in AWS limits the maximum permissions that any policy can grant to an IAM role, regardless of what identity-based policies are attached.

Statement 15: An OAuth 2.0 access token is exchanged at the /userinfo endpoint to retrieve the authenticated user's profile data (name, email, groups).

Authentication vs Authorization: 15-Statement Quiz — UprootSecurity Bootcamp