Here are commonly asked AWS IAM Interview Questions and Answers to prepare you for your interview:
AWS IAM Interview Questions:
Q1. What is AWS IAM?
Q2. What are the key capabilities provided by AWS IAM?
Q3. What are the different identities provided by IAM?
Q4. What is AWS account root user?
Q5. What are some best practices to manage access to AWS resources?
Q6. What are AWS policies?
Q7. What are the key elements in the JSON schema of a policy?
Q8. Explain different types of user accounts in AWS Cloud?
Q9. What is Identity based policy in AWS IAM?
Q10. What is MFA support for IAM?
Q11. What is IAM Role?
Q12. What are the features of IAM?
Q13. Define AWS users and groups.
Q14. What is IAM Manager?
Q15. What is an IAM role? How do you assign an IAM role to users or groups?
Q16. What are the best practices you would follow while creating any IAM Policy?
Q17. How do you revoke access rights?
Q18. Explain best practices to manage access to AWS resources?
Q19. What happens if you have one IAM statement that allows a principal to perform an operation on a resource and another statement that denies that same operation on the same resource?
Q20. What are the different types of AWS IAM policies? Which are most important and why?
Q21. How do you implement least privilege with AWS IAM? What’s the hardest part of doing that?
Q22. Are root users and IAM users the same?
Q23. What is federated user access management?
Q24. What are the 5 top security credentials in AWS IAM?
Q25. What are Temporary Security Credentials?
Q26. What is the IAM Hierarchy of Privileges?
Q27. In what ways can AWS IAM be used?
Q28. What is ABAC for AWS?
Q29. What are the security features outside IAM?
Q30. IAM Benefits.
Q31. What are some use cases of AWS IAM?
Q32. What is Multi Factor Authentication for IAM?
Q33. Different MFA devices for AWS.
Q34. What are IAM Security Tools?
Q35. Explain some IAM Best Practices.
Q36. What is AWS Cognito?
Q37. What are AWS Cognito User Pools?
Q38. What are AWS Cognito Identity Pools?
Q39. What is Single Sign On (SSO)?
Q40. What are least-privilege permissions?
Q41. What are AWS managed policies and when should I use them?
Q42. What are customer managed policies and when should I use them?
Q43. What are inline policies and when should I use them?
Q44. What are resource-based policies and when should I use them?
Q45. What is role-based access control (RBAC)?
Q46. What are AWS Organizations service control policies (SCPs) and when should I use them?
Q47. What is the IAM policy simulator and when should I use it?
Q48. Use of IAM Access Analyzer.
Q49. Common scenarios in which IAM roles are used.
Q50. Can I use IAM to manage access to resources in other AWS accounts?
Q1. What is AWS IAM?
The Amazon Web Services Identity and Access Management service is like a security guard at the door to Amazon Web Services. It is where access to AWS services and the account environment is authenticated and authorized.
The basic building blocks of AWS IAM are IAM roles, IAM users, groups and policies.
Q2. What are the key capabilities provided by AWS IAM?
AWS Identity And Access Management (IAM) provides the following key capabilities.
- Access control to AWS resources – IAM enables fine-grained access control to AWS resources and APIs. Access can be made conditional on factors such as time of day, originating IP address, whether SSL was used, and whether MFA was used.
- Multi-factor authentication (MFA) – IAM provides the capability for MFA, which augments basic authentication with MFA token/device based authentication.
- Federated access – IAM provides the capability to grant access to AWS resources to a company's existing employees, using the company's existing identity system.
- Analytics – IAM provides reporting capabilities to analyze the access provided across AWS resources and services.
Q3. What are the different identities provided by IAM?
AWS provides three different identities – Users, User Groups, and Roles – to manage access to AWS resources.
IAM Users – Users are individual entities (can be real people or applications) in IAM, who can be provided with individual security credentials (access keys, passwords, multi-factor authentication), and individual access to AWS resources and services.
User Groups – User groups are collections of users. Permissions can be set on a group so that all users within the group have the same permissions.
IAM Roles – IAM roles are entities that can be created and assigned specific permissions. A role can be assumed by anyone who needs it, and is not associated with a single group or entity.
Q4. What is AWS account root user?
The root user is the identity (email address and password) used to first create the AWS account. The root user has complete access to all the AWS services and resources in the account. After creating the AWS account, it is recommended to create a separate admin user to manage admin and everyday tasks, instead of using the root user.
Q5. What are some best practices to manage access to AWS resources?
Following are some best practices to manage access to AWS resources.
Do not use root account – Your root account has access to all your AWS resources and services, hence it is a best practice to not share or use it.
Use Groups – Instead of giving access to AWS resources and services to individual users, create groups, give the needed access to the groups, and add users to the groups, so that all users within a group have the same access.
Enable Multi-factor Authentication (MFA) – It is a best practice to enable MFA for privileged users such as admins. MFA adds an extra layer of protection on top of basic user-id and password based authentication.
Grant least privileges – Grant only the minimum required permissions for the user or group.
Q6. What are AWS policies?
Policies are objects in AWS that are associated with an entity (users, groups, roles) or AWS resources to define their permissions. Policies are stored in AWS as JSON objects. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.
Q7. What are the key elements in the JSON schema of a policy?
Following are some key elements in a policy JSON schema.
Version – Specifies the version of the policy language.
Statement – Main policy element that contains the following elements. You can have more than one statement in a policy.
Sid – Statement ID that differentiates between statements.
Effect – Indicates if the policy allows or denies access. Possible values are ‘Allow’ or ‘Deny’.
Principal – The account, user, or role for whom access is allowed or denied. This is applicable only for resource-based policies.
Action – Specifies the list of actions that the policy allows or denies.
Resource – Specifies the list of resources to which the policy applies. This is only applicable for IAM permissions policies.
Condition – Specifies the circumstances under which the policy grants permissions.
Q8. Explain different types of user accounts in AWS Cloud?
Root User is the Owner Account (administrator) and is created with the creation of the AWS Account. It has full access by default to all services and resources in the AWS account. This user cannot be explicitly denied access to AWS resources or services with IAM Policies. In order to limit the permissions of this user account, one has to do so with an AWS Organizations Service Control Policy (SCP). Some specific tasks, such as closing an AWS Account, can only be accomplished by the AWS Account Root User.
IAM User is a standard user account that has no permission to any AWS service or resource. This account is created either by the root user or by an IAM administrator. IAM Policies are used to define the permissions of this user account. Every user who needs to log in to the AWS Management Console, configure services, or access resources programmatically can have an individual IAM user account with its own set of policies attached.
Q9. What is Identity based policy in AWS IAM?
Identity-based policies are the most frequently used JSON permissions policy documents. They control which actions an identity (an individual user, a group of users, or a role) can perform on an AWS resource under certain circumstances. There are 2 types of identity-based policies: managed policies and inline policies.
Managed Policy: A policy that you can attach to an individual IAM user, group of users, or role in your AWS account. There are 2 different types of managed policies.
AWS managed policies: These are managed policies pre-created and managed by AWS.
Customer managed policies: These are managed policies created and managed by you in your AWS account. They are meant to give you more granular and specific control over the permissions in your policies than AWS managed policies do.
Inline Policy: These policies are dedicated to a specific identity i.e. user, group or role. These policies are deleted as the identity associated is deleted. These policies maintain a strict, one-to-one relationship with the associated identity and can’t be associated to different identity.
Q10. What is MFA support for IAM?
MFA stands for Multi-Factor Authentication. IAM MFA provides an additional layer of security: the user is prompted for a username and password (the first factor, something the user knows) and must additionally enter the code generated by the MFA device associated with the user account (the second factor, a randomly generated token valid for a single login session) in order to enter the AWS Management Console.
To set up MFA for an account, one either buys a hardware device or installs a free virtual MFA app on a mobile phone; there is no additional cost beyond this.
Q11. What is IAM Role?
An IAM Role is an IAM identity similar to an IAM user, created in an AWS account with specific permission policies assigned to it. These policies define what the IAM role can and cannot do in the AWS account. IAM roles do not hold long-term authentication credentials such as login passwords or access keys; instead, temporary security credentials are generated for each individual role session. Roles are normally meant to delegate access to users, services or applications that do not otherwise have explicit permission on the AWS resource.
Q12. What are the features of IAM?
The features of IAM are as follows:
- Shared access to your account – lets you share resources in your account using the shared access features.
- Free of cost – AWS IAM is free to use; charges apply only when an IAM user accesses other Amazon Web Services.
- Centralized control over your AWS account – lets you create users and groups, and remove them, from one place.
- Grant permissions to users – an administrator can grant users permission to access resources.
- Multi-factor Authentication – adds a layer of security to your account through a third-party authentication device.
Q13. Define AWS users and groups.
IAM users can be people or applications that interact with the AWS environment services and its resources. An IAM user is an identity created in AWS to access various AWS resources and services. A user has permissions associated with it. The permissions define which actions that user can perform on a specific resource.
IAM groups are collections of IAM users. Users are organized into groups so you can assign permissions in bulk rather than individually for each user. In addition, permissions are automatically inherited, making it easier to control how resources are accessed within your account.
Q14. What is IAM Manager?
An IAM manager is responsible for overseeing identity and access management; the role requires a technical background to understand the projects that employees are responsible for. IAM managers make the decisions about access-related security practices.
Q15. What is an IAM role? How do you assign an IAM role to users or groups?
An IAM role is an entity that defines a set of permissions for making AWS service requests; roles are not associated with a specific user or group.
We cannot assign IAM role to users or groups.
Q16. What are the best practices you would follow while creating any IAM Policy?
When granting permissions, we should follow the least privilege principle: avoid giving users or roles more permissions than they need to accomplish their tasks. For example, if an employee needs access only to a specific EC2 instance, specify that instance in the IAM policy rather than granting the employee access to every instance in your AWS account.
Q17. How do you revoke access rights?
If you need to revoke access rights from an existing user, it’s simple. Simply click on Manage Permissions on his or her profile page and select Revoke Access. You’ll be presented with a list of all services to which they are granted access; check each service that is correct and then click Revoke Access in the bottom right corner.
Q18. Explain best practices to manage access to AWS resources?
- Do not use root accounts – Since root accounts have access to all the AWS resources and services, it is not a good idea to share or use them.
- Use Groups – Create groups, grant access to them, and add users to them – so that all users within the group have the same access.
- Enable Multi-factor Authentication (MFA) – MFA should be enabled for privileged users such as admins. MFA adds an additional layer of security.
- Grant least privileges – Only grant permissions that are necessary for the user or group.
Q19. What happens if you have one IAM statement that allows a principal to perform an operation on a resource and another statement that denies that same operation on the same resource?
The Deny effect always wins when multiple statements apply.
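The evaluation rule in Q19, and the policy elements from Q7 (Effect, Action, Resource, Condition), can be seen working in a small simulator. This is an added example written for this page, not AWS code and not the IAM policy simulator: it implements the core rule (a matching explicit Deny beats any Allow; no match at all is an implicit deny) over identity-based policies, with IAM-style wildcards and the StringEquals, StringLike and Bool condition operators. NotAction, NotResource, resource-based policies, permissions boundaries and SCPs are not modelled. The bucket name and the policies are constructed for the example.

```python
"""Simplified IAM evaluation: explicit deny > allow > implicit deny (added example, not AWS code)."""
import fnmatch
from typing import Any, Dict, List, Optional


def _as_list(value: Any) -> List[Any]:
    """Action, Resource and condition values may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns: Any, action: str) -> bool:
    # Action names are matched case-insensitively; '*' and '?' are IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns: Any, resource: str) -> bool:
    # ARNs are matched case-sensitively; a bare "*" matches every resource.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition: Optional[Dict[str, Dict[str, Any]]], context: Dict[str, Any]) -> bool:
    """All operators and keys must hold (AND); several values for one key are OR.
    A key missing from the request context makes the condition fail, as in IAM
    (the ...IfExists operator variants behave differently and are not modelled)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            wanted = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in wanted)
            elif operator == "Bool":
                ok = actual.lower() in [v.lower() for v in wanted]
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str,
             context: Optional[Dict[str, Any]] = None) -> str:
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    context = context or {}
    decision = "implicit deny"          # nothing matched yet: denied by default
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _action_matches(stmt.get("Action"), action):
                continue
            if not _resource_matches(stmt.get("Resource"), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit deny"  # a matching Deny wins regardless of statement order
            decision = "allow"          # keep scanning: a later Deny could still apply
    return decision


# Constructed sample policies; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::example-app-bucket"
ALLOW_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowRead", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}
DENY_CONFIDENTIAL = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyConfidentialPrefix", "Effect": "Deny",
    "Action": "s3:GetObject",
    "Resource": BUCKET + "/confidential/*"}]}
ALLOW_FULL_S3 = {"Version": "2012-10-17", "Statement": [{
    "Sid": "FullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDestructiveWithoutMFA", "Effect": "Deny",
    "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}


if __name__ == "__main__":
    obj = BUCKET + "/confidential/payroll.csv"
    print(evaluate([ALLOW_READ], "s3:GetObject", obj))                      # allow
    print(evaluate([ALLOW_READ, DENY_CONFIDENTIAL], "s3:GetObject", obj))   # explicit deny
    print(evaluate([ALLOW_FULL_S3, DENY_WITHOUT_MFA], "s3:DeleteObject", obj,
                   {"aws:MultiFactorAuthPresent": "false"}))                # explicit deny
```

The MFA case also shows why the conditional Deny pattern from Q10/Q32 works: with MFA present the Deny no longer matches and the Allow stands, while without it the Deny wins even though `s3:*` was granted.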
Q20. What are the different types of AWS IAM policies? Which are most important and why?
There are 5 types of AWS IAM policies:
- Service Control
- Identity
- Permission Boundary
- Session
- Resource
The three most important policy types are:
Service Control: A policy attached to an AWS account or organizational unit that establishes guardrails for what services and operations can be used within an account. A service control policy can only deny or limit allowed access; it cannot allow a principal to perform an operation on its own.
Identity: A policy attached to an IAM principal used by people and applications that allows, or sometimes denies, them to use AWS services and resources. The most common policy.
Resource: A policy attached to a data resource that allows or denies access to a specific data resource such as an S3 bucket. Often used to enable cross-account access to a data resource.
Q21. How do you implement least privilege with AWS IAM? What’s the hardest part of doing that?
Organizations implement least privilege by provisioning IAM policies that allow only the access a person or application needs to perform its business function. Conversely, data and other resources should be accessible only to principals who have a need to use the resource, and only for the specific operations that support their job function.
For example, an application that needs to read data from a single S3 bucket supporting the application, should not:
- be able to read data from other S3 buckets
- write to or delete from that bucket, or any other bucket
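The S3 example above (Q16 and Q21) is easier to reason about when the broad and the scoped policy sit side by side with a check that reports how the broad one exceeds the need. This is an added example written for this page, not AWS tooling (IAM Access Analyzer does a fuller version of this). The bucket name, the policies, and the short catalogue of S3 actions used to expand `s3:*` are constructed for the example; the catalogue is a small subset of the real S3 action list.

```python
"""Least-privilege lint for an identity policy (added example, not AWS tooling)."""
import fnmatch
from typing import Any, Dict, List

BUCKET = "arn:aws:s3:::example-app-bucket"   # constructed placeholder

# What the workload actually needs: read objects from one bucket and list it.
NEEDED_ACTIONS = {"s3:GetObject", "s3:ListBucket"}

# Constructed subset of S3 actions, used only to show what a wildcard expands to.
S3_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject",
              "s3:DeleteObject", "s3:DeleteBucket", "s3:PutBucketPolicy"]

BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "FullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "ListBucket", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": BUCKET}]}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any], needed: set) -> List[str]:
    """Report Allow statements whose Action or Resource is wider than the stated need."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in needed:
                findings.append(f"{sid}: action {action!r} not required by the workload")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: resource '*' applies to every resource in the account")
    return findings


def unintended_actions(policy: Dict[str, Any], needed: set,
                       catalogue: List[str] = S3_ACTIONS) -> List[str]:
    """Expand wildcards against the catalogue and return granted actions the workload does not need."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in catalogue
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(granted - needed)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy, NEEDED_ACTIONS),
              unintended_actions(policy, NEEDED_ACTIONS))
```

The expansion step is the part that makes the Q21 bullets concrete: `s3:*` silently grants the write and delete actions the text says the application must not have, and only a scoped policy keeps them out.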
Q22. Are root users and IAM users the same?
No, the root user is also called the master user. The IAM user is subset of the root user.
Q23. What is federated user access management?
A federated user is a user who is allowed to access AWS resources using credentials from a third-party identity provider, such as Google, Facebook, LinkedIn, or corporate credentials.
Q24. What are the 5 top security credentials in AWS IAM?
- User-id and Password
- E-mail address and Password
- Access Keys
- Key pair
- Multi-factor authentication
Q25. What are Temporary Security Credentials?
These are short-lived security credentials. They are issued by the AWS STS service (AWS Security Token Service).
Q26. What is the IAM Hierarchy of Privileges?
- Root user
- IAM user
- user with temporary credentials
Q27. In what ways can AWS IAM be used?
You can work with AWS IAM in various ways, such as:
- AWS SDKs
- AWS Management Console
- IAM HTTPS API
- AWS Command Line Tools
Q28. What is ABAC for AWS?
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags.
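An ABAC statement typically compares a tag on the resource with a tag on the calling principal through a policy variable such as `${aws:PrincipalTag/project}`. The following added example, written for this page and not AWS code, evaluates one such statement: it builds the `aws:PrincipalTag/...` and `aws:ResourceTag/...` request context from two tag dictionaries, substitutes policy variables, and applies the StringEquals condition. The tag keys, tag values and the statement itself are constructed for the example; only the condition key names are real IAM keys.

```python
"""ABAC (tag-based) condition evaluation with policy variables (added example, not AWS code)."""
import re
from typing import Any, Dict, List, Optional

VARIABLE_RE = re.compile(r"\$\{([^}]+)\}")   # matches ${aws:PrincipalTag/project}

# Constructed statement: a principal may start/stop instances tagged with its own
# project, and only in the dev environment.
ABAC_STATEMENT = {
    "Sid": "SameProjectDevInstances", "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "*",
    "Condition": {"StringEquals": {
        "aws:ResourceTag/project": "${aws:PrincipalTag/project}",
        "aws:ResourceTag/env": "dev"}}}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def request_context(principal_tags: Dict[str, str], resource_tags: Dict[str, str]) -> Dict[str, str]:
    """Expose tags under the condition keys IAM uses for them."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def resolve_variables(value: str, ctx: Dict[str, str]) -> Optional[str]:
    """Substitute ${key} policy variables from the request context.
    Returns None if any referenced key is absent, so that the comparison fails
    instead of silently matching an empty string."""
    missing = False

    def substitute(match: "re.Match") -> str:
        nonlocal missing
        key = match.group(1)
        if key not in ctx:
            missing = True
            return ""
        return ctx[key]

    resolved = VARIABLE_RE.sub(substitute, value)
    return None if missing else resolved


def abac_allows(statement: Dict[str, Any], action: str,
                principal_tags: Dict[str, str], resource_tags: Dict[str, str]) -> bool:
    """True if this Allow statement matches the action and every tag condition holds."""
    if statement.get("Effect") != "Allow" or action not in _as_list(statement.get("Action")):
        return False
    ctx = request_context(principal_tags, resource_tags)
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key not in ctx:
            return False                          # tag absent on the resource or principal
        wanted = [resolve_variables(v, ctx) for v in _as_list(expected)]
        if ctx[key] not in [w for w in wanted if w is not None]:
            return False
    return True


if __name__ == "__main__":
    print(abac_allows(ABAC_STATEMENT, "ec2:StartInstances",
                      {"project": "payments"}, {"project": "payments", "env": "dev"}))   # True
    print(abac_allows(ABAC_STATEMENT, "ec2:StartInstances",
                      {"project": "payments"}, {"project": "billing", "env": "dev"}))    # False
```

The appeal of ABAC shows in the test cases: the same single statement grants a new project access to its own resources without any policy change, and a principal with no `project` tag gets nothing, because an unresolvable variable makes the condition fail.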
Q29. What are the security features outside IAM?
Some of the security features outside IAM are in Amazon EC2, Amazon WorkSpaces, Amazon RDS, and Amazon WorkDocs.
Q30. IAM Benefits.
AWS IAM provides a number of benefits, including:
- Improved security: IAM allows you to manage access to your AWS resources more securely by controlling who can access what resources and what actions they can perform.
- Centralized control: IAM allows you to centrally manage users, groups, and permissions across your AWS accounts.
- Scalability: IAM is designed to scale with your organization, allowing you to easily manage access for a large number of users and resources.
- Integration with other AWS services: IAM integrates with many other AWS services, making it easy to manage access to those services.
- Cost-effective: Since IAM is a free service, it can help you reduce costs associated with managing access to AWS resources.
- Compliance: IAM can help you meet compliance requirements by providing detailed logs of all IAM activity, including who accessed what resources and when.
Q31. What are some use cases of AWS IAM?
AWS IAM can be used in a variety of use cases, including:
- User and group management: IAM allows you to create, manage, and delete users and groups in your AWS account, giving you greater control over who can access your resources.
- Access control: IAM provides fine-grained access control, allowing you to control who can access specific AWS resources and what actions they can perform.
- Federation: IAM allows you to use your existing identity management system to grant access to AWS resources, making it easier to manage access for large organizations.
- Multi-account management: IAM allows you to manage access to multiple AWS accounts from a single location, making it easier to manage access across your organization.
- Compliance: IAM provides detailed logs of all IAM activity, making it easier to meet compliance requirements.
- Third-party application access: IAM allows you to grant access to third-party applications that need access to your AWS resources.
Q32. What is Multi Factor Authentication for IAM ?
AWS multi-factor authentication (MFA) is an AWS Identity and Access Management (IAM) best practice that requires a second authentication factor in addition to user name and password sign-in credentials. You can enable MFA at the AWS account level and for root and IAM users you have created in your account.
Q33. Different MFA devices for AWS.
- Virtual MFA Device: Google Authenticator, Authy
- Universal 2nd Factor (U2F) Security Key: physical device, e.g. YubiKey by Yubico
- Hardware Key Fob MFA device: physical device, provided by Gemalto
- Hardware Key Fob MFA device for AWS GovCloud (US): provided by SurePassID
Q34. What are IAM Security Tools?
IAM Credential Reports (Account Level): a report that lists all your account’s users and the status of their various credentials.
IAM Access Advisor (User Level): Access advisor shows the service permissions granted to a user and when those services were last accessed.
Q35. Explain some IAM Best Practices.
- Lock away your AWS account root user access keys
- Grant least privilege access – don’t give open policies expecting that they will be restricted later. It will never happen
- Enable identity federation: centrally manage users and access across multiple applications and services. For federation to multiple accounts in your organisation, use AWS Single Sign-On.
- Enable MFA. (You can use the Credential Report to export a report of all the users in your AWS organisation and check the status of their credentials: password expiration, whether MFA is enabled, and so on.)
- Rotate credentials regularly
- Enable IAM Access Analyser to analyse public and cross-organisation access.
- Use Permission boundaries to prevent privilege escalation
- Use Roles to delegate permissions.
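The credential report mentioned in Q34 and in the MFA bullet above is a CSV file, so several of these best practices (lock away root access keys, enable MFA, rotate credentials) can be checked from it directly. The following added example, written for this page and not AWS tooling, parses a constructed report and flags root access keys, console users without MFA, and access keys older than a rotation limit. The sample report uses a subset of the real report's columns; the account id 111122223333, the user names and the dates are placeholders.

```python
"""Audit an IAM credential report for common hygiene findings (added example, not AWS tooling)."""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample in the shape of a credential report (subset of its columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,true,true,2021-01-05T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2024-05-20T12:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-03-01T09:00:00+00:00,true,2024-05-19T12:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-06-01T09:00:00+00:00,false,no_information,false,true,2023-01-15T00:00:00+00:00,false,N/A
"""

Finding = Tuple[str, str]   # (user name, description)


def parse_report(text: str) -> List[Dict[str, str]]:
    """The report is plain CSV with a header row; one row per user plus <root_account>."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows: List[Dict[str, str]], as_of: datetime, max_key_age_days: int = 90) -> List[Finding]:
    """Return findings in report order. as_of must be timezone-aware (report times are UTC)."""
    findings: List[Finding] = []
    for row in rows:
        user = row["user"]
        keys_active = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]

        # Root should have no access keys at all; their age is beside the point.
        if user == "<root_account>":
            if keys_active:
                findings.append((user, "root user has an active access key"))
            continue

        # A console password without MFA is a single-factor login.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        # Long-lived keys that were never rotated are the usual leak vector.
        for n in keys_active:
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (as_of - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old"))
    return findings


def audit_report(text: str, as_of: datetime, max_key_age_days: int = 90) -> List[Finding]:
    return audit(parse_report(text), as_of, max_key_age_days)


if __name__ == "__main__":
    for user, problem in audit_report(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user}: {problem}")
```

Against a real account you would generate the report with `aws iam generate-credential-report` and fetch it with `aws iam get-credential-report`, then feed the decoded CSV to `audit_report`; the checks do not depend on the sample data.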
Q36. What is AWS cognito?
Amazon Cognito lets you easily add user sign-up and authentication to your mobile and web apps. Amazon Cognito also enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway.
Amazon Cognito provides identity for your web and mobile application users. Example: a login with Google, Facebook or Twitter that redirects to the main application.
Q37. What are AWS Cognito User Pools?
Cognito User Pools provide sign-in functionality for app users. They integrate with API Gateway and Application Load Balancer, create a serverless user database for your web and mobile apps, and support federated identities (users from Facebook, Google, or SAML).
Q38. What are AWS Cognito Identity Pools?
Cognito Identity Pools (Federated Identity) provide AWS credentials to users so they can access AWS resources directly. Integrate with Cognito User Pools as an identity provider. Users can then access AWS services directly or through API Gateway.
Q39. What is Single Sign On (SSO)?
Single Sign-On (SSO): Centrally managed single sign-on to access multiple accounts and 3rd-party business applications. Integrated with AWS Organizations and on-premises Active Directory. Supports SAML 2.0. Centralized permission management. Centralized auditing with CloudTrail.
Q40. What are least-privilege permissions?
When you set permissions with IAM policies, grant only the permissions required to perform a task. This practice is known as granting least privilege. You can apply least-privilege permissions in IAM by defining the actions that can be taken on specific resources under specific conditions.
Q41. What are AWS managed policies and when should I use them?
AWS managed policies are created and administered by AWS and cover common use cases. Getting started, you can grant broader permissions by using the AWS managed policies that are available in your AWS account and common across all AWS accounts. Then, as you refine your requirements, you can reduce permissions by defining customer managed policies specific to your use cases with the goal of achieving least-privilege permissions.
Q42. What are customer managed policies and when should I use them?
To grant only the permissions required to perform tasks, you can create customer managed policies that are specific to your use cases and resources. Use customer managed policies to continue refining permissions for your specific requirements.
Q43. What are inline policies and when should I use them?
Inline policies are embedded in and inherent to specific IAM roles. Use inline policies if you want to maintain a strict one-to-one relationship between a policy and the identity to which it is applied. For example, you can grant administrative permissions to ensure they are not attached to other roles.
Q44. What are resource-based policies and when should I use them?
Resource-based policies are permissions policies that are attached to resources. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, and AWS Key Management Service encryption keys.
Q45. What is role-based access control (RBAC)?
RBAC provides a way for you to assign permissions based on a person’s job function, known outside of AWS as a role. IAM provides RBAC by defining IAM roles with permissions that align with job functions. You then can grant individuals access to assume these roles to perform specific job functions. With RBAC, you can audit access by looking at each IAM role and its attached permissions.
Q46. What are AWS Organizations service control policies (SCPs) and when should I use them?
SCPs are similar to IAM policies and use almost the same syntax. However, SCPs don’t grant permissions. Instead, SCPs allow or deny access to AWS services for individual AWS accounts with Organizations member accounts, or for groups of accounts within an organizational unit. The specified actions from an SCP affect all IAM users and roles, including the root user of the member account.
Q47. What is the IAM policy simulator and when should I use it?
The IAM policy simulator evaluates policies you choose and determines the effective permissions for each of the actions you specify. Use the policy simulator to test and troubleshoot identity-based and resource-based policies, IAM permissions boundaries, and SCPs.
Q48. Use of IAM Access Analyzer.
AWS IAM Access Analyzer provides the following capabilities:
- IAM Access Analyzer helps identify resources in your organization and accounts that are shared with an external entity.
- IAM Access Analyzer validates IAM policies against policy grammar and best practices.
- IAM Access Analyzer generates IAM policies based on access activity in your AWS CloudTrail logs.
Q49. Common scenarios in which IAM roles are used.
- Federate workforce identities into AWS: By using IAM Identity Center, your users can use their existing corporate credentials to federate into AWS accounts. With IAM roles, you can specify the permissions users should have when accessing AWS accounts.
- Access workloads within AWS: A workload is a collection of resources and code, such as an application, that requires an identity to make requests to AWS services. By using IAM roles, your application running in any AWS compute environment, such as Amazon EC2 instances, can access AWS resources with temporary credentials, removing the need to manage long-term credentials.
- Enable cross-account access: We recommend that you use multiple AWS accounts to isolate and manage your business applications and data. To allow your identities in one AWS account to access resources in another AWS account, you can use IAM roles to provide access.
- Grant access to AWS services: AWS services need to be given permission to perform actions in your AWS account on your behalf. When you set up an AWS service environment, you define a role for the service to assume. The service can then assume the service role and perform only the actions you have specified.
Q50. Can I use IAM to manage access to resources in other AWS accounts?
Yes, IAM allows you to manage access to resources in other AWS accounts that you own. You can do this by creating a role in the account that you want to grant access to, and then specifying the trusted entity (such as another AWS account or a federated user) in the trust policy for the role.
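Cross-account access (Q50) and the first capability of IAM Access Analyzer (Q48, finding resources shared with an external entity) both come down to reading a role's trust policy: which principals it lets call `sts:AssumeRole`, whether any of them are outside your own account or are a wildcard, and whether an external account is held to an `sts:ExternalId` condition. The following added example, written for this page and not AWS code or Access Analyzer itself, performs that check on constructed trust policies; the account ids 111122223333 and 444455556666, the role names and the external id are placeholders.

```python
"""List the external principals a role trust policy admits (added example, not AWS tooling)."""
import re
from typing import Any, Dict, List

# Either a full IAM ARN or a bare 12-digit account id names an account principal.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::|$)")

OWN_ACCOUNT = "111122223333"   # constructed placeholder

# Constructed: trusts a partner account (with ExternalId) and a role in our own account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Sid": "SameAccountRole", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/deploy"},
     "Action": "sts:AssumeRole"}]}

# Constructed: the worst case, anyone may assume the role.
PUBLIC_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanAssume", "Effect": "Allow",
     "Principal": "*", "Action": "sts:AssumeRole"}]}

# Constructed: a service role for EC2 (the Q49 "grant access to AWS services" case).
SERVICE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_entries(principal: Any) -> List[tuple]:
    """Flatten the Principal element into (type, value) pairs; a bare '*' means anyone."""
    if principal == "*":
        return [("AWS", "*")]
    return [(ptype, v) for ptype, values in principal.items() for v in _as_list(values)]


def _grants_assume_role(actions: List[str]) -> bool:
    lowered = [a.lower() for a in actions]
    return any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in lowered)


def external_trusts(trust_policy: Dict[str, Any], own_account: str) -> List[Dict[str, Any]]:
    """Return one record per principal outside own_account (or wildcard) that may assume the role."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_assume_role(_as_list(stmt.get("Action"))):
            continue
        external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for ptype, value in _principal_entries(stmt.get("Principal", {})):
            if ptype == "Service":
                continue                       # an AWS service, not another account
            if ptype == "Federated":
                account = "federated:" + value # identity providers are always external
            elif value == "*":
                account = "*"
            else:
                match = ACCOUNT_RE.match(value)
                account = match.group(1) if match else "unknown"
                if account == own_account:
                    continue                   # same-account trust is not external
            findings.append({"sid": stmt.get("Sid", ""), "principal": value,
                             "account": account, "external_id_required": external_id})
    return findings


if __name__ == "__main__":
    for policy in (TRUST_POLICY, PUBLIC_TRUST, SERVICE_TRUST):
        print(external_trusts(policy, OWN_ACCOUNT))
```

An `"account": "*"` record is the one to act on first: a trust policy with a wildcard principal lets any AWS account assume the role. For a legitimately trusted external account, `external_id_required` being false is the next thing to fix.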
Final Words
It is important to prepare yourself with the latest AWS IAM interview questions while going for an AWS interview to crack it.
We keep updating these AWS IAM interview questions as new questions are asked. We hope we have covered most of the frequently asked AWS IAM interview questions. Please be thorough while preparing for your AWS IAM interview.