Here are some common AWS IAM (Identity and Access Management) interview questions
and answers:
1. What is AWS IAM?
Answer: AWS Identity and Access Management (IAM) is a service that enables you to securely
control access to AWS services and resources for your users. You can create and manage AWS
users, groups, roles, and permissions to control access to AWS resources. IAM allows you to
define who can access which resources and what actions they can perform.
2. What are IAM Users, Groups, and Roles?
Answer:
- IAM User: An IAM user is an entity that you create in IAM to represent a person or
  service. It has long-term credentials (a console password and/or access keys) and is
  associated with specific permissions to access AWS resources.
- IAM Group: A collection of IAM users. Groups let you apply policies to multiple users
  at once; users within a group inherit the permissions attached to the group.
- IAM Role: An IAM identity with specific permissions that can be assumed by IAM users,
  AWS services, or external identities (via federation). Assuming a role yields temporary
  credentials, so roles are used to grant permissions in a controlled, time-limited way.
3. What is an IAM Policy?
Answer: An IAM policy is a document that defines permissions. It is written in JSON and
specifies what actions are allowed or denied on specific AWS resources. IAM policies are
attached to users, groups, or roles, and they grant or deny permissions to AWS services or
resources. There are two types of policies:
- Managed Policies: Standalone policies that can be attached to multiple users, groups, or
  roles. They are either AWS managed (pre-built by AWS) or customer managed (created by
  you).
- Inline Policies: Policies embedded directly in a single user, group, or role.
4. What is the difference between an IAM User and an IAM Role?
Answer:
- IAM User: An IAM user represents a specific person or service with long-term
  credentials. Users authenticate directly with a username and password or access keys to
  reach resources.
- IAM Role: An IAM role is an AWS identity that defines a set of permissions and can be
  assumed by an IAM user, AWS service, or external identity. Unlike users, roles have no
  long-term credentials: assuming a role returns temporary credentials, which is why roles
  are used to delegate permissions to other entities (e.g., EC2 instances, other AWS
  accounts, or federated users).
5. What is an IAM Policy Document?
Answer: An IAM policy document is a JSON document that defines permissions. It includes:
- Version: The policy language version (normally "2012-10-17").
- Statement: The core element containing the actual permissions. Each statement includes:
  - Effect: Whether the action is allowed or denied (Allow or Deny).
  - Action: The specific API actions that are allowed or denied.
  - Resource: The specific AWS resources the actions apply to.
  - Condition: Optional conditions that must hold for the statement to apply.
6. What are IAM Access Keys?
Answer: IAM Access Keys are used to authenticate API requests made to AWS services. They
consist of:
- Access Key ID: A unique identifier for the access key.
- Secret Access Key: A secret used to sign the requests.
Access keys are used for programmatic access, such as when interacting with AWS through
the AWS CLI, SDKs, or direct API requests.
7. What is the principle of Least Privilege in IAM?
Answer: The principle of Least Privilege means granting only the minimum necessary
permissions to a user, group, or role to perform their job or task. This minimizes the risk of
accidental or malicious misuse of permissions and reduces the attack surface by ensuring that
entities have only the permissions they absolutely need.
8. How do you manage access to AWS resources across multiple accounts?
Answer: AWS provides several ways to manage access across multiple accounts:
- IAM Roles with Cross-Account Access: You can create IAM roles in one account and
  grant permission to other accounts to assume those roles.
- AWS Organizations: You can organize multiple AWS accounts and use service control
  policies (SCPs) to centrally manage permissions and restrict access across accounts.
- AWS Resource Access Manager (RAM): Allows sharing resources across accounts, such as
  VPC subnets, license configurations, etc.
9. What is an IAM Policy Simulator?
Answer: The IAM Policy Simulator is a tool provided by AWS that allows you to test and
validate IAM policies before applying them. It helps you understand the effect of a policy on a
given user, group, or role in terms of the actions that are allowed or denied. It is useful for
troubleshooting and ensuring that the correct permissions are granted.
10. What is MFA (Multi-Factor Authentication) and how do you enable it in
IAM?
Answer: Multi-Factor Authentication (MFA) is an extra layer of security that requires a user to
provide two or more forms of authentication to access an AWS resource. In addition to the
password (something you know), MFA requires a time-sensitive code generated by a hardware
or virtual MFA device (something you have).
To enable MFA in IAM:
- You first assign an MFA device to the user (virtual or hardware).
- Then, you enable MFA in the AWS Management Console for the user and associate the
  MFA device.
- The user must provide the MFA code along with their password when logging in.
11. What is an IAM Trust Policy?
Answer: A Trust Policy is a policy that defines who (which entities) can assume a particular
IAM role. It is a part of the role's configuration and typically includes conditions like the type of
identity or service that is allowed to assume the role. Trust policies are used in roles to enable
cross-account access or allow AWS services to assume roles.
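As an added example (not part of the original answers), a Python check of a cross-account trust policy of the kind described in questions 8 and 11: which caller ARN may assume the role, and whether the policy has a wildcard principal or a cross-account principal with no ExternalId condition. The account ids, role names and ExternalId value are constructed placeholders; `sts:ExternalId` is a real STS condition key.

```python
import json

# Constructed trust policy for a role owned by account 111111111111; the account ids,
# role name and ExternalId value are placeholders, not real identifiers
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::222222222222:role/DeploymentRole"},
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller_arn):
    # Principal may be an exact ARN, the account root ARN, a bare account id, or "*"
    acct = caller_arn.split(":")[4]          # arn:aws:iam::ACCOUNT:role/Name
    return any(p in ("*", caller_arn, acct, "arn:aws:iam::%s:root" % acct)
               for p in _as_list(principal.get("AWS", [])))

def can_assume(trust_policy, caller_arn, external_id=None):
    # Explicit Deny wins; otherwise one matching Allow is required. Conditions are
    # limited to StringEquals on sts:ExternalId (a subset of what IAM supports).
    ctx = {"sts:ExternalId": external_id}
    allowed = False
    for st in _as_list(trust_policy["Statement"]):
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        if not _principal_matches(st.get("Principal", {}), caller_arn):
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        if any(ctx.get(k) not in _as_list(v) for k, v in equals.items()):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def trust_findings(trust_policy, role_account):
    # Review checks: a wildcard principal, or a cross-account principal with no ExternalId
    findings = []
    for st in _as_list(trust_policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        has_external_id = "sts:ExternalId" in st.get("Condition", {}).get("StringEquals", {})
        for p in _as_list(st.get("Principal", {}).get("AWS", [])):
            if p == "*":
                findings.append("wildcard principal: any AWS identity may attempt AssumeRole")
            elif (p if p.isdigit() else p.split(":")[4]) != role_account and not has_external_id:
                findings.append("cross-account principal %s without an ExternalId condition" % p)
    return findings
```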
12. What is the difference between Allow and Deny in IAM policies?
Answer:
- Allow: Grants permission to perform an action on a resource.
- Deny: Explicitly denies permission to perform an action, even if other policies (e.g.,
  an Allow) are attached. Deny statements override Allow statements.
The general rule in IAM is that an explicit Deny always takes precedence over an Allow. If
there is both an Allow and a Deny for the same action, the Deny wins.
13. What is a Service Control Policy (SCP)?
Answer: Service Control Policies (SCPs) are used within AWS Organizations to manage
permissions across multiple AWS accounts. SCPs are applied at the organizational unit (OU) or
account level and define the maximum permissions that can be granted to accounts. SCPs do not
grant permissions directly but instead set the boundaries for what actions can be allowed within
an account.
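An added example, not from the original page: a simplified Python evaluator for the policy document structure of question 5 that applies the explicit-deny rule of question 12 and treats SCPs (question 13) as a boundary that never grants on its own. The policies are constructed samples; only Action/Resource wildcards and the StringEquals and Bool condition operators are modelled (`aws:MultiFactorAuthPresent` is a real condition key), and NotAction/NotResource are not handled.

```python
import fnmatch
import json
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(patterns, value, fold):
    # IAM wildcards (* and ?); action names are case-insensitive, ARNs are not
    f = (lambda s: s.lower()) if fold else (lambda s: s)
    return any(fnmatch.fnmatchcase(f(value), f(p)) for p in _as_list(patterns))

def _conditions_hold(cond, ctx):
    # Subset of IAM operators (StringEquals, Bool); a key missing from the request fails
    for op, pairs in cond.items():
        if op not in ("StringEquals", "Bool"):
            raise ValueError("unsupported condition operator: " + op)
        for key, expected in pairs.items():
            actual, wanted = ctx.get(key), _as_list(expected)
            if op == "Bool":
                actual, wanted = str(actual).lower(), [str(w).lower() for w in wanted]
            if actual not in wanted:
                return False
    return True

def _decide(policies, action, resource, ctx):
    # Explicit Deny beats any Allow; no matching statement at all is an implicit deny
    decision = "implicitDeny"
    for doc in policies:
        for st in _as_list(doc["Statement"]):
            if (_glob(st.get("Action", []), action, True)
                    and _glob(st.get("Resource", []), resource, False)
                    and _conditions_hold(st.get("Condition", {}), ctx)):
                if st["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allow"
    return decision

def evaluate(identity_policies, action, resource, ctx=None, scps=None):
    ctx = ctx or {}
    if scps is not None:  # SCPs are the ceiling for the account; they never grant by themselves
        scp_result = _decide(scps, action, resource, ctx)
        if scp_result != "allow":
            return scp_result
    return _decide(identity_policies, action, resource, ctx)
# Constructed sample policies (placeholder bucket name, not a real account)
IDENTITY = [json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
 {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
 {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/finance/*"}]}""")]
SCPS = [json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": "*", "Resource": "*"},
 {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}]}""")]
```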
14. What is the difference between Managed Policies and Inline Policies in IAM?
Answer:
- Managed Policies: Standalone policies that can be created once and reused across
  multiple IAM users, groups, or roles. They are either AWS managed or customer managed.
- Inline Policies: Policies embedded directly in a specific user, group, or role. They are
  not reusable and are tied to the entity they are attached to.
15. How would you troubleshoot an IAM permission issue?
Answer: To troubleshoot IAM permission issues:
- Check the IAM policy: Review the IAM policies attached to the user, group, or role to
  ensure the permissions are correctly defined.
- Use the IAM Policy Simulator: Test the policy using the IAM Policy Simulator to verify
  whether the permissions allow or deny the required action.
- Check for explicit denies: Remember that an explicit deny overrides any allow. Look for
  Deny statements in the attached policies and permissions.
- Verify resource-level permissions: Ensure the resource-level permissions are correctly
  specified.
- Review CloudTrail logs: AWS CloudTrail records the actions being performed and any
  permission errors encountered.
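An added example (not from the page) for the CloudTrail step above: grouping access-denied records by principal and API call, and reading the error message to tell an explicit deny from a missing Allow. The records are constructed; field names follow the CloudTrail record schema and the messages follow the wording of AWS's access-denied error messages.

```python
import json
from collections import Counter

DENIAL_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}

# Constructed CloudTrail-style records: field names follow the CloudTrail schema;
# account ids, identities and bucket names are made up
RECORDS = [json.loads(r) for r in [
    '{"eventTime": "2024-01-15T10:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",'
    ' "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "errorCode": "AccessDenied",'
    ' "errorMessage": "User: arn:aws:iam::111111111111:user/alice is not authorized to perform: s3:GetObject'
    ' on resource: arn:aws:s3:::example-bucket/finance/salary.csv with an explicit deny in an identity-based policy"}',
    '{"eventTime": "2024-01-15T10:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",'
    ' "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "errorCode": "AccessDenied",'
    ' "errorMessage": "User: arn:aws:iam::111111111111:user/alice is not authorized to perform: s3:PutObject'
    ' on resource: arn:aws:s3:::example-bucket/reports/q1.csv because no identity-based policy allows the s3:PutObject action"}',
    '{"eventTime": "2024-01-15T10:01:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances",'
    ' "userIdentity": {"arn": "arn:aws:iam::111111111111:role/DeployRole"}, "errorCode": "Client.UnauthorizedOperation",'
    ' "errorMessage": "You are not authorized to perform this operation."}',
    '{"eventTime": "2024-01-15T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",'
    ' "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}}',
]]

def classify(event):
    # Map a record to a troubleshooting hint; a record with no denial error code returns None
    if event.get("errorCode") not in DENIAL_CODES:
        return None
    msg = event.get("errorMessage", "")
    if "explicit deny" in msg:
        return "explicit deny: locate the Deny statement (identity policy, resource policy, SCP or boundary)"
    if "no identity-based policy allows" in msg:
        return "implicit deny: nothing grants this action; add a least-privilege Allow"
    return "denied: review attached policies and resource-level permissions"

def denial_report(records):
    # Group denials by principal, API call and hint so the most frequent gaps surface first
    counts = Counter()
    for ev in records:
        hint = classify(ev)
        if hint:
            counts[(ev["userIdentity"]["arn"], ev["eventSource"] + ":" + ev["eventName"], hint)] += 1
    return counts.most_common()
```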
These questions and answers provide a solid foundation for understanding AWS IAM concepts
and help you prepare for IAM-related interview topics.