AWS IAM is at the heart of AWS and no matter which role you are getting interviewed for having good knowledge of IAM is always needed.
Security is a cross-cutting concern and IAM is one of the first services that comes to our mind when it comes to accessing our resources securely.
If you have an interview scheduled that demands AWS skills especially IAM, worry not.
In this article, I’ll cover-
- Basic AWS IAM interview questions for freshers
- AWS IAM Interview questions for experienced
- AWS IAM scenario Bases Question
Don’t want to miss any posts from us? join us on our Facebook group, and follow us on Facebook, Twitter, LinkedIn, and Instagram. You can also subscribe to our newsletter below to not miss any updates from us.
Basic AWS IAM interview questions for freshers
When you are just starting your career in the field of Cloud computing. As a fresher, these are some of the most frequently asked AWS IAM questions that you will face.
1. What is AWS IAM?
As you might already know, IAM stands for Identity and Access Management. It is one of the core AWS services and lets you securely control access to your AWS resources.
In simple words, If I say as you can see in the below screenshot, It simplifies as Who Can Access What? As simple as that.
2. What is the meaning of Resources in AWS?
In terms of AWS, resource is something you can work with. For example-
- An S3 Bucket
- An EC2 Instance
- A DynamoDB Table
- An SQS Queue etc.
And AWS IAM helps provide/restrict access to them.
3. How to get started with AWS IAM?
Your AWS IAM journey starts as soon as you create your AWS account. By default an identity called root user gets created in your account. You log in to your AWS account using this root user by providing the email/password you used to create your account.
Here you can create a user, group, role, policy etc. to manage various identities and their access to an AWS account.
4. Explain the difference between Authentication and Authorization in terms of AWS IAM
Authentication is the way/process of verifying who someone is or confirming that users are who they claim to be. In AWS there are many ways to authenticate and one of them is to log in using your username/password as root user/IAM user.
Whereas-
Authorization means what that someone is allowed to do in terms of accessing applications, data, resources etc. For example, if you are trying to create an EC2 instance in AWS, AWS IAM will first check if you are allowed to do so using something called policy and then allow/reject your request.
5. What is the difference between an IAM user and a Root user?
The root user has full access to all the resources in your AWS account whereas the IAM user’s access is limited and depends on the policy attached to it.
There are certain privileges that only a root user is allowed to do for example closing an AWS account.
6. Should you use your root user for day-to-day operations? Why or Why not?
As you saw in the answer to the previous question the root user has Godly permission and it can do anything.
Therefore, it’s not a good idea to use your root user daily. If compromised, the attack surface is huge and you will be left devastated.
7. Explain the least privilege principle in IAM
When you are providing permission to an entity, as a best practice you should only give permission required to do the work. This is called the least privilege principle.
For example – if a user only needs read access to s3, you should be giving just that, nothing less, nothing more.
8. Explain AWS IAM Role and when should them.
AWS IAM role is an entity that provides a way to access AWS resources without having long-term credentials such as an access key/secret key.
An IAM role doesn’t belong to a user or group. Rather you use it to grant access to trusted entities such as AWS service, applications running on AWS or other authenticated users for example users of other AWS accounts.
So ideally, whenever you want to give temporary access to a trusted entity, you use an IAM role. You attach a policy to an IAM role to define what an IAM role is allowed to do.
9. What is an IAM Policy?
An IAM policy is a JSON document that defines permission for an action in AWS. For example, to grant access to an IAM user, group or role, you create a policy and attach the policy to it.
The policy determines whether an action is allowed or denied to the entity the policy is attached to.
10. What are the charges of using AWS IAM?
AWS IAM is provided to you free of cost.
11. What is MFA in AWS?
MFA or multi-factor authentication is a feature that requires a second authentication factor along with a username/password. It is a security best practice and you must enable MFA for your root user as well as IAM users.
Once enabled, you are required to provide an MFA code along with your username/password. That enhances the overall security of your AWS account and resources.
Here is a post on how to enable MFA for IAM users and root users.
Intermediate AWS IAM Interview questions for experienced
In the first section, we saw some basic questions that are mostly asked if someone is just starting with AWS. However, if you are an experienced professional, expect to get some deeper questions to evaluate your understanding of IAM service and how confident you are to use it.
1. What are different ways to authenticate to AWS?
Here are some of the ways you can authenticate to AWS-
- Log in to the AWS console as a root user using your email address and password.
- As an IAM user, you need to prove your account ID/alias along with your username/password
- If you are a federated user, you are authenticated by your identity provider and granted access to AWS resources by assuming IAM roles.
- If you are trying to authenticate using API or AWS CLI, you can use temporary credentials by using a role or you can use long-term credentials which are your access key and secret key.
2. How does AWS IAM work?
AWS IAM provides authentication and authorization for AWS services and resources. Any request to AWS is denied by default. The request is evaluated and access is allowed only when there is a policy that explicitly grants access.
3. Explain AWS IAM Policy Structure.
IAM policy is a JSON document that defines permission. This is what an example IAM policy looks like-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1708102754588",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
An IAM policy contains the following elements-
- Effect: It can be
Allow
orDeny
- Action: It is the specific API action that the policy is allowing/denying
- Resource: Resource on which action is allowed/denied. * means all resources.
- Condition: Specifies user what condition the policy is in effect
4. What is the difference between identity-based policy and resource-based policy?
Identity-based policies are policies that are attached to an identity such as IAM user, group, or role. It specifies what these identities are allowed to do.
whereas
Resource-based policies are attached to an AWS resource such as S3. Using this you can specify who has access to this resource and what they are allowed to do.
5. What is the AWS IAM Policy Simulator?
AWS IAM policy simulator is a tool that lets you validate an AWS IAM policy.
Let’s say you have created an IAM policy to allow certain API actions for a user. Before assigning the policy to the user, you would like you validate if the policy correctly gives that permission or not. You can use the AWS IAM policy simulator for the same.
The simulator makes it easy for you to test or debug an IAM policy.
6. What are some use cases for resource-based policy?
Here are some of the most frequent use cases of resource-based policy-
- cross-account access
- Specify who can access this resource
An example of a resource-based policy is the AWS S3 bucket policy.
7. How can you monitor the activity of an IAM user?
You can monitor the activity of an IAM user using AWS CloudTrail logs as all the events are logged there.
You can also use CloudWatch log insights for the same.
8. How to manage cross-account access in IAM?
You can create a cross-account IAM role and use that for cross-account access. It can be assumed by an entity that needs cross-account access. A cross-account IAM role includes a trust policy that allows IAM principals in another AWS account to assume the role.
If you are trying to provide cross-account access to a resource that supports resource-based policy, you can use a resource-based policy as well to grant cross-account access.
9. How to achieve the goal of least privilege permission in AWS?
You can start with broader permissions and as you understand the permission needs more granularly you can refine it to grant only the permission that’s required to do the work.
One recommended way is to get started with an AWS-managed policy and use an AWS IAM access advisor to understand the uses and refine it further to meet the least privilege.
10. What is a Service control policy?
A service control policy is an organization-level policy that you can use to control the maximum level of permission for a member AWS account.
For example, if you create an SCP in your organization to allow only S3 actions, your member account will not be able to access any other service despite granting explicit permission for the same in the account.
11. Tell me a few AWS IAM best practices that you followed
Here are some of the best practices you must follow to secure your AWS account and resources-
- Grant the least privilege to identities
- Enable MFA for your root as well as IAM users.
- Do not use the root user for day-to-day activities.
- Create an Admin IAM user for day-to-day operations.
- Use temporary credentials using IAM roles wherever possible.
AWS IAM Scenario Bases Interview Questions
If you are showcasing that you have hands-on experience with AWS IAM, be prepared to answer questions that prove the same.
Here are a few questions that I feel we should know if we have hands-on experience with AWS IAM.
1. If an IAM policy has two statements. One of them allows an action and the other one denies it. What will be the effective permission?
If you remember the IAM policy evaluation logic, deny always takes precedence over any allow.
Hence overall the request will be denied.
2. You have just created your AWS account and you have to secure root user. How will you do it.
To secure a root user-
- Do not use the root user for day-to-day activities instead create an IAM user and use the same.
- Do not create access keys for the root user
- Enable MFA for the root user
- Monitor access/uses of your root user.
3. How would you grant s3 access to an application running on AWS EC2?
The very first things that comes to mind is having an access/secret keys on the EC2 of a user that has access to S3. However it’s a big no no.
You should use short term credential that is an IAM role for the same. Create an IAM role with policy to allow access to access and attach it to your EC2 instance. And your application running on it should have access to S3 securely.
4. How can you restrict access using IAM?
You can use a deny statement in your IAM policy to restrict access that is required. Once you attach this policy to an entity, that entity is not allowed/denied to perform specified action. And that way you are able to restrict access.
5. How to know the status of your IAM user’s different credential in your account?
You can generate a crdential report of your AWS account that has information about all your users and status of their credentials.
It includes status of-
- Password
- Access keys
- MFA devices
Conclusion
These were some of the most frequently asked AWS IAM interview questions that you might encounter in your next interview for an AWS cloud opportunity.
Hope you liked the questions and it was helpful to you. Do let me know what additional questions you were asked in your interview, and I will add them here as well.
Thank you 🙂
Also Read
How to Create an IAM User using AWS Console