06 IAM - gannurohith/devops-interview-wiki GitHub Wiki

📁 06 - IAM (Identity and Access Management) (Basic to Intermediate Q&A)

  1. What is IAM in AWS? Identity and Access Management allows you to manage users, groups, roles, and policies to securely control access to AWS resources.

  2. What are IAM users? Individual identities in an AWS account that carry long-term credentials (a console password and/or access keys) for accessing AWS resources.

  3. What are IAM groups? A collection of users with the same permissions via policies attached to the group.

  4. What are IAM roles? Identities with no long-term credentials of their own. A principal the role trusts (an EC2 instance, a Lambda function, a federated user, a user or role in another account) assumes the role and receives temporary credentials from STS.

  5. What is the difference between an IAM user and a role?

    • User: Long-term credentials.
    • Role: Temporary, assume-able credentials.
  6. What are IAM policies? JSON documents that define permissions (Allow/Deny) for actions on AWS resources.

  7. How are IAM policies attached? To users, groups, or roles.

  8. What is the difference between managed and inline policies?

    • Managed: Reusable, AWS or customer-managed.
    • Inline: One-to-one attached directly to a single user/group/role.
  9. What are AWS managed policies? Predefined policies created and maintained by AWS (e.g., AmazonS3ReadOnlyAccess).

  10. What is an IAM trust policy? The resource-based policy attached to a role that defines which principals (users, roles, accounts, AWS services) may assume it. A principal from another account must additionally be allowed sts:AssumeRole by its own identity-based policy.

  11. How do you assume an IAM role? Via AWS CLI (sts assume-role), console switch role, or AWS SDKs.

  12. What is the principle of least privilege? Users should be granted only the permissions necessary to perform their job.

  13. What are IAM access keys? Used for programmatic access (CLI, SDKs); consists of an Access Key ID and Secret Access Key.

  14. How do you rotate IAM access keys securely? A user can hold two keys at once, so create a second key, switch every application and CI job to it, confirm the old key has stopped being used (aws iam get-access-key-last-used), deactivate the old key and watch for breakage, then delete it. Deactivating first gives you a cheap rollback; deleting is irreversible.

  15. What is IAM identity federation? Grants temporary access to AWS resources via external identity providers (AD, SAML, Google, etc.).

  16. What is AWS STS? Security Token Service provides temporary security credentials for IAM roles.

  17. How do you audit IAM activity? Use CloudTrail, IAM Access Analyzer, and Credential Reports.

  18. What are service-linked roles? IAM roles linked to specific AWS services for them to perform actions on your behalf.

  19. What is a resource-based policy? Policies attached directly to resources like S3 buckets or Lambda functions.

  20. What is a permissions boundary? A managed policy that sets the maximum permissions an IAM user or role can have. It caps what identity-based policies grant but grants nothing by itself, and it cannot be applied to groups.

  21. How can you restrict a user to a specific S3 bucket only? Attach a policy whose Resource element names only that bucket: the bucket ARN (arn:aws:s3:::example-bucket) for bucket-level actions such as s3:ListBucket, and the object pattern (arn:aws:s3:::example-bucket/*) for object actions such as s3:GetObject and s3:PutObject. Because allows from every attached policy are combined, also make sure no other policy on the user or their groups grants s3:* on "*".

  22. Can IAM policies deny access explicitly? Yes, using "Effect": "Deny". Explicit deny always overrides allow.

  23. How do you enforce MFA in IAM? Attach a policy with a condition on aws:MultiFactorAuthPresent. The robust form is a Deny on all actions (except the ones a user needs to enrol a device) with "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}: the key is absent from requests signed with long-term access keys, and IfExists makes those requests match the Deny instead of slipping past it. An Allow conditioned on the key being true also works, but only narrows that single statement.

  24. What is IAM policy versioning? A customer managed policy keeps up to five versions; exactly one is the default (active) version, and you roll back by setting an older version as default. AWS managed policies are versioned by AWS; inline policies have no versions.

  25. What is an IAM credential report? CSV file listing all IAM users and the status of their credentials.

  26. What is IAM Access Analyzer? Tool that finds unintended public or cross-account access to your resources.

  27. Can IAM roles be assumed across accounts? Yes, using trust policies that allow roles from another account to assume them.

  28. What tools help manage IAM permissions visually?

  • IAM Policy Simulator
  • IAM Access Analyzer (including its policy validation and policy generation from CloudTrail activity)
  • IAM console policy editor
  29. How do you restrict IAM access by IP address? Add a Deny statement with "NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}; an Allow with an IpAddress condition only narrows that one statement and does not block what other policies grant. Caveat: requests that AWS services make on your behalf (for example CloudFormation creating resources) carry no aws:SourceIp and would match the NotIpAddress Deny, so the AWS-documented pattern pairs it with "Bool": {"aws:ViaAWSService": "false"}.

  30. What are the IAM best practices?

  • Use roles, not users, for applications
  • Enable MFA
  • Rotate keys regularly
  • Apply least privilege principle
  • Audit with CloudTrail and Access Analyzer

07. IAM – Identity and Access Management (Q&A)

  1. What is IAM in AWS? Answer: IAM is AWS's security service to manage users, groups, roles, and policies for controlling access to AWS resources.

  2. What’s the difference between IAM user and IAM role? Answer: IAM user is for a specific person; IAM role is assumed temporarily by users/services and used for cross-account or service-level access.

  3. What is a policy in IAM and what types exist? Answer: A policy defines permissions in JSON. Types: identity-based, resource-based, permissions boundaries, SCPs (AWS Organizations), ACLs (legacy, mainly S3), and session policies.

  4. How does IAM help in achieving least privilege? Answer: By assigning only required permissions via scoped policies and regularly reviewing roles, adhering to security best practices.
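Least privilege is easier to review when the over-broad statement shapes are flagged mechanically. The linter below is an added example written for this page (it is not an AWS tool, and the finding codes are its own); it walks a policy document and reports Allow statements that grant "*", a whole service, NotAction, unscoped iam:PassRole, or mutating actions on Resource "*". The two sample policies are constructed: an over-broad one and the same intent scoped to an assumed bucket, role and account ID.

```python
"""Least-privilege linter for IAM policy documents (constructed teaching example)."""

# Verbs that normally indicate read-only actions; anything else on Resource "*" is flagged.
READ_PREFIXES = ("get", "list", "describe", "head")


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return (statement_index, code, detail) findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot over-grant
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append((idx, "ALLOW_NOTACTION",
                             "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((idx, "ADMIN_WILDCARD", 'Action "*" grants full administrative access'))
        for act in actions:
            if act.endswith(":*"):
                findings.append((idx, "SERVICE_WILDCARD", f"{act} grants every action in the service"))
            if act == "iam:passrole" and "*" in resources and not has_condition:
                findings.append((idx, "PASSROLE_UNSCOPED",
                                 "iam:PassRole on any role lets the caller hand a more privileged role to a service"))
        if "*" in resources:
            # Mutating actions on every resource: scope them to ARNs or add conditions.
            writes = [a for a in actions
                      if a == "*" or not a.split(":", 1)[-1].startswith(READ_PREFIXES)]
            if writes:
                findings.append((idx, "WRITE_ON_ANY_RESOURCE",
                                 f'mutating actions {sorted(writes)} on Resource "*"'))
    return findings


def codes(doc):
    """Distinct finding codes for a document, sorted, for quick comparison."""
    return sorted({code for _, code, _ in lint_policy(doc)})


# Constructed over-broad policy of the kind a rushed "make it work" ticket produces.
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"},
    ],
}

# The same intent scoped to one bucket and one execution role (assumed names/account ID).
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/lambda-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Allow", "Action": "lambda:CreateFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD), ("scoped", SCOPED)):
        print(name)
        for idx, code, detail in lint_policy(doc):
            print(f"  statement {idx}: {code}: {detail}")
```

The READ_PREFIXES heuristic is deliberately crude: some Get*/List* actions leak sensitive data (secretsmanager:GetSecretValue, for example), so treat the output as a review queue, not a verdict. IAM Access Analyzer's policy validation covers the same ground with AWS's own action catalogue.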

  5. How do you allow read-only access to S3 for a group of users? Answer: Attach an AWS managed or custom read-only S3 policy to the IAM group.

  6. What is an IAM inline policy? When should it be used? Answer: Inline policies are embedded directly into a user, group, or role. Use for tightly coupled permissions.

  7. What is the IAM policy evaluation logic? Answer: Explicit Deny > Allow > Default (implicit) Deny. A request is allowed only if some applicable policy allows it and no explicit deny matches; where SCPs, permissions boundaries or session policies apply, each of those must also allow the action or the result is an implicit deny.

  8. How do you grant temporary access using IAM? Answer: Use IAM roles with STS (e.g., AssumeRole) to grant time-limited, scoped access.

  9. How can you delegate access to IAM users from another AWS account? Answer: Use role assumption with trust policy allowing the external account to assume the role.

  10. How do IAM permissions differ from resource policies (e.g., in S3)? Answer: IAM permissions are identity-based; resource policies are attached to the resource and can allow cross-account access.

  11. What is a service-linked role? Answer: A pre-defined IAM role linked to an AWS service for managing it securely. Created automatically or manually as needed.

  12. What is an access key and how is it used? Answer: Access key = Key ID + Secret. Used for CLI/SDK access. Should be rotated regularly and never hardcoded.

  13. How do you audit IAM usage and permissions? Answer: Use IAM Access Analyzer, CloudTrail for API activity, and IAM Credential Reports.

  14. How can you restrict an IAM user from deleting resources? Answer: Use deny actions in the policy for delete operations (e.g., "ec2:TerminateInstances"), or create scoped permissions.

  15. What is a permission boundary in IAM? Answer: A managed policy that defines the maximum permissions a user or role can have; the effective permissions are the intersection of the boundary and the identity-based policies, so the boundary itself grants nothing even when a policy allows more. It applies to users and roles only, not to groups.

  16. Explain how IAM integrates with EC2. Answer: An IAM role is attached to an instance through an instance profile; the instance fetches short-lived credentials for that role from the instance metadata service, so applications reach S3, CloudWatch and other services without any stored access keys. Require IMDSv2 on the instance so an SSRF bug in a web application cannot simply read those credentials.

  17. What is the difference between AssumeRole and SwitchRole? Answer: AssumeRole is the STS API call (CLI: aws sts assume-role) used programmatically; Switch Role is the console feature that invokes AssumeRole for you and swaps the browser session, typically for cross-account access.

  18. How do you restrict access to AWS Console only (no CLI)? Answer: The console and the CLI call the same APIs and IAM policies cannot tell them apart, so the control is on credentials rather than on actions: do not create access keys for the user, and deny iam:CreateAccessKey so the user cannot mint their own. The user then has only a console password plus MFA.

  19. How do you monitor unauthorized access attempts? Answer: Enable CloudTrail logs and configure GuardDuty or CloudWatch alarms to detect unusual activity.

  20. Can IAM users be assigned to multiple groups? Answer: Yes. A user can belong to multiple IAM groups and inherits permissions from all.

  21. What’s the maximum policy size in IAM? Answer: A managed policy document may be up to 6,144 characters (whitespace excluded). Inline policies are limited per entity: 2,048 characters for a user, 5,120 for a group and 10,240 for a role, counted across all inline policies on that entity. By default 10 managed policies can be attached to a user, group or role; the quota can be raised to 20.

  22. What are the IAM best practices? Answer: Enable MFA, use roles over users, follow least privilege, avoid root usage, rotate credentials, use IAM Access Analyzer.

  23. How do you enforce MFA for a user or group? Answer: Put the condition on a Deny statement rather than on an Allow, so a missing key also blocks: "Effect": "Deny", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }. The key is absent when the call is signed with long-term access keys, which is exactly the case to reject; an Allow with "Bool": { "aws:MultiFactorAuthPresent": "true" } works too but only narrows that one statement.
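The evaluation rules from questions 7, 15 and 23 above (and questions 21, 22, 23 and 29 of section 06) are easiest to verify by running them. The evaluator below is an added example written for this page, not AWS code: it models explicit Deny > Allow > implicit Deny, wildcard matching on Action and Resource, the Bool, StringEquals/StringNotEquals and IpAddress/NotIpAddress operators with the IfExists suffix, and a permissions boundary as a cap. The bucket name, CIDR and request contexts are constructed; the policies mirror the MFA-deny and IP-deny patterns discussed above.

```python
"""Simplified IAM policy evaluator (constructed teaching example, not AWS code)."""
import fnmatch
import ipaddress

NEGATED = {"StringNotEquals", "NotIpAddress"}  # evaluate true when the key is missing


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _match_any(patterns, value, fold_case):
    # IAM wildcards: "*" any sequence, "?" one character. Actions match case-insensitively;
    # resource ARNs are compared as written.
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _ip_in(cidrs, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_ok(condition, context):
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected = [str(e).lower() for e in _as_list(expected)]
            actual = context.get(key)
            if actual is None:
                # Missing key: ...IfExists is satisfied, negated operators evaluate true
                # (the NotIpAddress/aws:SourceIp trap), anything else evaluates false.
                if if_exists or base in NEGATED:
                    continue
                return False
            actual = str(actual).lower()
            if base in ("Bool", "StringEquals"):
                ok = actual in expected
            elif base == "StringNotEquals":
                ok = actual not in expected
            elif base == "IpAddress":
                ok = _ip_in(expected, actual)
            elif base == "NotIpAddress":
                ok = not _ip_in(expected, actual)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _applies(stmt, action, resource, context):
    if "Action" in stmt and not _match_any(_as_list(stmt["Action"]), action, True):
        return False
    if "NotAction" in stmt and _match_any(_as_list(stmt["NotAction"]), action, True):
        return False
    if "Resource" in stmt and not _match_any(_as_list(stmt["Resource"]), resource, False):
        return False
    return _condition_ok(stmt.get("Condition", {}), context)


def decide(policies, action, resource, context):
    """'explicit_deny', 'allow' or 'implicit_deny' for a set of policy documents."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if _applies(stmt, action, resource, context):
                if stmt.get("Effect") == "Deny":
                    return "explicit_deny"  # a matching Deny ends evaluation
                allowed = True
    return "allow" if allowed else "implicit_deny"


def evaluate(identity_policies, action, resource, context=None, boundary=None):
    """Decision for a user/role: identity policies first, then the boundary as a cap."""
    context = context or {}
    result = decide(identity_policies, action, resource, context)
    if result != "allow" or boundary is None:
        return result
    return decide([boundary], action, resource, context)  # boundary never adds permissions


# Constructed policies (assumed bucket name and office CIDR).
BUCKET_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
REQUIRE_MFA = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                  "iam:EnableMFADevice", "sts:GetSessionToken"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
OFFICE_IP_ONLY = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                  "Bool": {"aws:ViaAWSService": "false"}}}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"], "Resource": "*"}]}
POLICIES = [BUCKET_ONLY, REQUIRE_MFA, OFFICE_IP_ONLY]
# Constructed request context: aws:ViaAWSService is present on every request,
# aws:MultiFactorAuthPresent only with temporary credentials, aws:SourceIp only for client calls.
OFFICE = {"aws:SourceIp": "203.0.113.42", "aws:MultiFactorAuthPresent": "true",
          "aws:ViaAWSService": "false"}
```

Two cases are worth stepping through by hand: a request signed with long-term access keys has no aws:MultiFactorAuthPresent key at all, and the BoolIfExists Deny still matches it; a request CloudFormation makes on your behalf has no aws:SourceIp, and without the aws:ViaAWSService clause the NotIpAddress Deny would match it too. The real service also consults resource-based policies, SCPs and session policies, which this model omits; use the IAM Policy Simulator for authoritative answers.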

  24. What is the IAM Credential Report? Answer: A downloadable report showing password age, key rotation, MFA status for all users in the account.
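The credential report (questions 25 of section 06 and 24 above) is only useful once something reads it, so here is an added example, not AWS code, that turns the CSV into findings: console users without MFA, active keys older than a rotation threshold, keys never used or idle for too long, and any active key on the root user. The CSV is constructed with the column names the real report uses; the real file has additional columns (password_next_rotation, access_key_*_last_used_region/service, cert_*) that this audit ignores, and the thresholds are assumed values.

```python
"""Audit an IAM credential report CSV (constructed teaching example, not AWS code)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample with the real report's column names (a subset of the columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,false,true,2023-01-10T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-01T00:00:00+00:00,true,2024-05-20T08:15:00+00:00,2024-02-01T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T00:00:00+00:00,true,no_information,2023-06-01T00:00:00+00:00,false,true,2023-09-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-08-01T00:00:00+00:00,false,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-22T00:00:00+00:00,true,2023-01-15T00:00:00+00:00,N/A
"""

NOW = datetime(2024, 5, 22, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, max_key_age_days=90, max_idle_days=45):
    """Return (user, code, detail) findings for every row of the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password; the report marks it not_supported.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA", "console sign-in enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY", f"root has active access key {n}"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and (now - rotated).days > max_key_age_days:
                findings.append((user, "KEY_STALE",
                                 f"key {n} last rotated {(now - rotated).days} days ago"))
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if used is None:
                findings.append((user, "KEY_UNUSED", f"key {n} has never been used"))
            elif (now - used).days > max_idle_days:
                findings.append((user, "KEY_UNUSED", f"key {n} unused for {(now - used).days} days"))
    return findings


def codes_for(findings, user):
    """Distinct finding codes for one user, sorted."""
    return sorted({code for u, code, _ in findings if u == user})


if __name__ == "__main__":
    for user, code, detail in audit(SAMPLE_REPORT):
        print(f"{user:15} {code:16} {detail}")
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded text to audit() with a real now=datetime.now(timezone.utc). A key that has never been used is flagged as a candidate for deletion rather than rotation: rotating a key nobody uses just produces a second unused key.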

  25. What is AWS Organizations and how does IAM relate to it? Answer: Organizations manages many accounts centrally. IAM works inside each account; service control policies (SCPs) set the maximum permissions available to principals in member accounts, but they grant nothing themselves and do not apply to the management account.