AWS IAM Interview Questions

1. What is AWS IAM?

Answer:
AWS IAM (Identity and Access Management) is a service that allows you to securely control access to AWS services and resources.

Example:
In a production setup, we created IAM roles for EC2 instances to access S3 without embedding credentials in the application code — reducing security risks.

2. What are IAM Users, Groups, and Roles?

Answer:

  • Users: Individual identities with credentials.
  • Groups: Collections of users with shared permissions.
  • Roles: Identities with temporary credentials, typically assumed by services or external identities.

Example:
We grouped all developers under a DevTeam group with access to EC2. For Jenkins automation, we used a role with S3 access assumed via IAM.

3. How does IAM help in securing AWS resources?

Answer:
It ensures only authorized users and services access AWS resources by defining who can do what.

Example:
In one project, we limited access to a DynamoDB table to only a Lambda function by assigning a tightly scoped role — preventing accidental or malicious reads/writes from other sources.

4. What is the difference between IAM roles and users?

Answer:

  • Users: Permanent credentials (username/password or keys).
  • Roles: Temporary credentials, assumed when needed.

Example:
Instead of creating IAM users for Jenkins and EC2, we used IAM roles with limited access and rotated credentials automatically via STS — much safer and more scalable.

5. How does IAM policy work?

Answer:
Policies are JSON documents defining permissions. AWS evaluates them to determine whether a request should be allowed or denied.

Example:
We used a policy to allow s3:PutObject only for a specific bucket with a prefix constraint, ensuring users could only upload logs to /logs/.

6. What is a permission boundary?

Answer:
A permission boundary is an advanced feature that sets the maximum permissions an IAM role or user can have — even if other policies allow more.

Example:
In a multi-team environment, we applied a permission boundary to ensure no user could exceed read-only access to EC2, even if they were assigned a broader policy by mistake.

7. What are the types of IAM policies?

Answer:

  1. Identity-based policies – Attached to users, groups, roles
  2. Resource-based policies – Attached directly to resources (e.g., S3 buckets)
  3. Permission boundaries
  4. Service Control Policies (SCPs) (within AWS Organizations)
  5. Session policies

Example:
We used a resource-based policy on an S3 bucket to allow cross-account access for a partner’s account — no need to create IAM roles in our account.

8. What is the maximum size of a policy document?

Answer:
A single IAM policy document can be up to 6,144 characters, and each user/role can have up to 10 managed policies attached.

Example:
When we hit the size limit for a complex S3 policy, we refactored it into multiple managed policies and applied them modularly for better scalability.

9. Can one IAM user belong to multiple groups?

Answer:
Yes. An IAM user can be part of multiple groups, and their permissions are the union of all attached group policies.

Example:
A DevOps engineer in our team was part of both EC2Admins and S3Auditors, getting combined access to manage EC2 and read S3 logs.

10. What is the default permission of a new IAM user?

Answer:
By default, a new IAM user has no permissions until you attach a policy or assign them to a group.

Example:
We created new IAM users in a staging environment, and without adding them to the ReadOnlyAccess group, they couldn’t even list EC2 instances.

11. What is an inline policy vs a managed policy?

Answer:

  • Inline Policy: Embedded directly into a single IAM user, role, or group.
  • Managed Policy: Standalone policy you can attach to multiple entities.

Example:
We used managed policies like AmazonEC2ReadOnlyAccess for consistency. Inline policies were reserved for special one-off permissions like giving a finance user access to a billing report only.

12. How do you attach a policy to a user, group, or role?

Answer:
You use the IAM console, AWS CLI, or infrastructure as code (e.g., Terraform) to attach policies.

Example:
For automation, we used Terraform to attach AmazonS3FullAccess to a DataBackupRole so EC2 could push backup files to S3.

13. What are resource-based policies?

Answer:
These are policies directly attached to AWS resources like S3, SNS, SQS, etc., defining who can access the resource and how.

Example:
To enable another AWS account to read files from our S3 bucket, we used a resource-based policy allowing their account’s IAM role s3:GetObject.

14. What is a policy simulator?

Answer:
The IAM Policy Simulator tests and validates policies by simulating AWS service actions to see if they would be allowed or denied.

Example:
We used it to debug why a user couldn’t stop EC2 instances even though permissions seemed right — turned out an explicit deny existed in a service control policy.

15. How does AWS evaluate multiple policies attached to an identity?

Answer:

  • All Allow policies are combined.
  • Any Deny overrides all Allows.

Example:
A user had Allow for s3:DeleteObject via one policy, but was explicitly denied in another — the operation failed due to the overriding deny.

16. Explain Deny vs Allow in IAM policies.

Answer:

  • Allow lets an action happen.
  • Explicit Deny always overrides any Allow.
  • Implicit Deny is the default (no permission = denied).

Example:
We explicitly denied ec2:TerminateInstances for all dev roles to avoid accidental shutdowns, even if someone had ec2:* in another policy.

17. What happens if a policy explicitly denies an action, but another allows it?

Answer:
The explicit deny wins — the action is blocked.

Example:
A developer role had Allow: s3:* but was explicitly denied s3:DeleteObject via a service control policy. The user couldn’t delete even with full S3 access.

18. How can you restrict a user to only a specific S3 bucket or EC2 instance?

Answer:
Use resource-level permissions with ARNs in the policy’s Resource block.

Example:
We created a policy that allowed access to only arn:aws:s3:::client-logs-bucket/* so analysts couldn’t access any other buckets in the account.

19. What is the purpose of Condition in IAM policies?

Answer:
Condition lets you add context — like IP address, time of day, MFA status — to control when a permission is valid.

Example:
We allowed S3 uploads only if the request came from our office IP using Condition: IpAddress.

20. What are common IAM policy conditions (e.g., IpAddress, Bool, StringEquals)?

Answer:
Examples:

  • IpAddress: restrict by source IP
  • Bool: check for MFA
  • StringEquals: match usernames, tags, etc.

Example:
We enforced that ec2:StartInstances could only be performed if aws:MultiFactorAuthPresent = true, adding extra protection for sensitive resources.
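The evaluation order from Q15 to Q17 (explicit Deny beats any Allow, nothing matching means implicit deny) and the Resource/Condition mechanics from Q18 to Q20 can be exercised with a small evaluator. This is an added example written for this page, not AWS's evaluation engine or code from any project; the bucket names, the office range 203.0.113.0/24 and the request contexts are constructed for illustration.

```python
"""Minimal IAM evaluation-logic demo (added example, not AWS's own engine).
Explicit Deny wins, else any matching Allow grants, else implicit deny.
Supports '*' wildcards and the Bool, StringEquals, IpAddress operators.
All policies and requests below are constructed for illustration only."""
import fnmatch
import ipaddress


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match; actions are case-insensitive, ARNs are not."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, ctx):
    """Every operator/key pair must hold; a missing context key fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            values = expected if isinstance(expected, list) else [expected]
            if actual is None:
                return False
            if operator == "Bool":
                ok = str(actual).lower() == str(values[0]).lower()
            elif operator == "StringEquals":
                ok = actual in values
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt.get("Resource", "*"), resource)
                    and _condition_ok(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny ends evaluation
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed: upload to one prefix, only from the office range, never delete.
LOGS_WRITER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::client-logs-bucket/logs/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::client-logs-bucket/*"},
]}
# Constructed: MFA-gated start; terminate stays denied even next to ec2:*.
EC2_OPS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}
EC2_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
```

Calling evaluate([EC2_ALL, EC2_OPS], "ec2:TerminateInstances", "*") returns "explicit_deny" regardless of policy order, which is the Q16/Q17 point; the same request for "ec2:DescribeInstances" returns "allow".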

21. What is an IAM role used for?

Answer:
IAM roles grant temporary access to AWS resources without needing permanent credentials.

Example:
Our EC2 instances assumed a role with RDS access, so app servers could securely query the database without storing usernames or passwords.

22. How does role assumption work in AWS?

Answer:
One entity (like a user, service, or another AWS account) assumes a role and gets temporary security credentials via STS.

Example:
In cross-account CI/CD, our Jenkins in account A assumed a deployment role in account B using sts:AssumeRole to push artifacts to S3.

23. What is STS (Security Token Service) and how does it relate to IAM?

Answer:
STS issues temporary, limited-privilege credentials for IAM roles or federated identities.

Example:
We used STS to grant our support team 1-hour temporary access to production logs in S3 — reducing exposure compared to long-term IAM credentials.

24. Explain the use case of AssumeRole and AssumeRoleWithSAML.

Answer:

  • AssumeRole: For AWS identities or services.
  • AssumeRoleWithSAML: For SSO/federated users via SAML.

Example:
Employees logged in using Okta (SAML IdP), which redirected them to AWS using AssumeRoleWithSAML — no IAM user needed.

25. How do you enable federated access with Active Directory or SAML?

Answer:

  • Set up SAML 2.0 federation using AWS IAM Identity Provider.
  • Map AD groups to IAM roles via assertions.

Example:
Our enterprise used Azure AD to map the CloudAdmins group to a specific IAM role with full access to AWS via a SAML trust.

26. How can an EC2 instance get temporary credentials via IAM?

Answer:
Attach an IAM role to the EC2 instance. AWS automatically provides credentials via the instance metadata service.

Example:
Our EC2 app server used an instance role with access to Secrets Manager — it securely pulled DB credentials without storing any in the AMI.

27. What is cross-account access and how is it configured?

Answer:
It lets one AWS account access resources in another using IAM roles and sts:AssumeRole.

Example:
We allowed a billing system in Account A to assume a role in Account B to read usage data from an S3 bucket — secured with a trust policy.

28. What’s the difference between IAM role for service vs IAM role for user?

Answer:

  • Service roles: Assigned to AWS services like EC2, Lambda, ECS.
  • User-assumable roles: Temporarily assumed by IAM users or federated identities.

Example:
Our Lambda function had a service role to write to DynamoDB. Separately, our DevOps users assumed a user-assumable role for on-demand admin tasks.

29. Can a Lambda function assume an IAM role?

Answer:
Yes — each Lambda function has an execution role that it uses to access other AWS services securely.

Example:
A Lambda function that processes files in S3 used a role with s3:GetObject and rekognition:DetectLabels permissions — no hardcoded credentials needed.

30. How is AWS CLI authenticated using IAM roles?

Answer:

  • If using an IAM user: via access key and secret.
  • If using a role: via aws sts assume-role or automatically on EC2/Lambda.

Example:
We used aws sts assume-role in a CI/CD pipeline to temporarily gain access to the target account — credentials lasted only 1 hour.

31. How do you enforce MFA for AWS users?

Answer:
Attach an IAM policy that checks aws:MultiFactorAuthPresent in the Condition block to restrict access if MFA is not used.

Example:
We enforced MFA for users accessing the AWS Console and restricted sensitive actions (like modifying IAM or EC2) unless MFA was enabled.

32. Why is it recommended not to use the root account?

Answer:
The root account has full, irreversible access to everything — if compromised, it’s game over. It should be locked down and only used for setup.

Example:
In our account, we disabled root access keys, enabled MFA on root, and created an admin IAM user for all tasks — we only use root for billing and support.

33. How do you audit IAM usage?

Answer:
Use:

  • AWS CloudTrail for API-level logging,
  • IAM Access Advisor for unused permissions,
  • Credential Reports for password/key usage.

Example:
We found several IAM users not using their credentials in 90+ days via the credential report and offboarded them safely.

34. What is Access Analyzer in IAM?

Answer:
It identifies resources that can be accessed publicly or by other AWS accounts, helping enforce least privilege.

Example:
Access Analyzer flagged an S3 bucket with * permissions during our audit — we updated the policy to restrict it to our internal role only.

35. What are IAM Access Advisor and Credential Report?

Answer:

  • Access Advisor: Shows what services a user/role accessed and when.
  • Credential Report: Lists last usage of passwords and keys for all IAM entities.

Example:
Using Access Advisor, we cleaned up roles with EC2 and S3 permissions that hadn’t been used in months — helped in minimizing attack surface.

36. How do you rotate IAM user access keys securely?

Answer:
A user can have at most two access keys: create a new key alongside the old one, test it, then delete the old one.

Example:
We built a script to notify IAM users with keys older than 90 days and guided them through safe rotation using AWS CLI.

37. What’s the significance of least privilege in IAM?

Answer:
Users should only have the minimum permissions necessary to perform their job — reducing blast radius in case of compromise.

Example:
Instead of giving AdminAccess, we scoped a policy to allow s3:PutObject on just the logs bucket — nothing else.

38. What tools does AWS provide to monitor and secure IAM usage?

Answer:

  • CloudTrail: Tracks all IAM activity
  • Config Rules: Validates compliance (e.g., MFA required)
  • IAM Access Analyzer: Finds overly permissive access
  • GuardDuty: Detects suspicious IAM behavior

Example:
GuardDuty alerted us when access keys were used from an unusual IP — we deactivated them immediately and launched a security review.

39. How do you detect unused roles or users in AWS?

Answer:
Use IAM Access Advisor, CloudTrail, or Credential Reports to check last activity timestamps.

Example:
We scheduled a Lambda job monthly to parse credential reports and flag users and roles inactive for 90+ days for deactivation.
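The audits in Q33, Q36 and Q39 (stale keys, inactive users) and the MFA check from Q31 all come down to reading the credential report. The following is an added example, not code from this page or from AWS, that triages such a report offline. It assumes the real report's column names (user, password_enabled, mfa_active, access_key_N_active, access_key_N_last_rotated, access_key_N_last_used_date) and uses constructed rows and a fixed "today".

```python
"""Credential-report triage (added example, not the page's or AWS's code).
Flags active access keys not rotated within 90 days, credentials unused for
90+ days, and console passwords without MFA, using the CSV layout of the IAM
credential report. Column names are assumed to match the real report."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the real report's columns (assumption).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2025-05-02T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,true,2025-06-10T09:15:00+00:00,true,true,2025-05-01T00:00:00+00:00,2025-06-11T12:00:00+00:00,false,N/A,N/A
bob,true,2025-01-03T11:00:00+00:00,false,true,2024-11-20T00:00:00+00:00,2025-01-04T07:30:00+00:00,false,N/A,N/A
ci-bot,false,N/A,false,true,2024-02-14T00:00:00+00:00,2025-06-12T03:00:00+00:00,true,2025-06-01T00:00:00+00:00,no_information
"""
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)  # constructed "today"


def _parse_ts(value):
    """Aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def parse_report(text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, now=NOW, max_age_days=90):
    """Return sorted (user, finding) pairs for stale or unsafe credentials."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for r in rows:
        user = r["user"]
        # Root shows password_enabled=not_supported, so these checks skip it.
        if r["password_enabled"] == "true":
            if r["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            last = _parse_ts(r["password_last_used"])
            if last is None or last < cutoff:  # never used counts as stale
                findings.append((user, f"password unused {max_age_days}+ days"))
        for n in ("1", "2"):
            if r[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(r[f"access_key_{n}_last_rotated"])
            used = _parse_ts(r[f"access_key_{n}_last_used_date"])
            if rotated is None or rotated < cutoff:
                findings.append((user, f"access key {n} older than {max_age_days} days"))
            # A never-used key counts from its creation (last_rotated) date.
            last_activity = used or rotated
            if last_activity is None or last_activity < cutoff:
                findings.append((user, f"access key {n} unused {max_age_days}+ days"))
    return sorted(findings)
```

With the sample rows, alice and the root row produce no findings; bob is flagged four times and ci-bot once for an old but still-used key.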

40. What are AWS Organizations SCPs and how do they relate to IAM?

Answer:
Service Control Policies (SCPs) set the maximum permissions available to accounts in an AWS Organization; even if an IAM policy allows more, an SCP can still block the action.

Example:
To prevent resource creation in non-approved regions, we applied an SCP denying ec2:* actions outside us-east-1 and ap-south-1 — IAM users couldn’t override it.

41. You want to give a user S3 write access but deny delete. How?

Answer:
Attach a policy with:

  • Allow: s3:PutObject
  • Deny: s3:DeleteObject

Example:
We applied this for interns uploading logs to a bucket — they could upload files but couldn’t delete any, ensuring data retention compliance.

42. You get “Access Denied” even when policies allow the action. What could be wrong?

Answer:
Common causes:

  • Explicit deny in another policy
  • Missing permissions on a dependent resource
  • SCP restriction
  • Incorrect resource ARN

Example:
A dev couldn’t access S3 even with the right policy — turned out the bucket had a resource-based policy denying all external VPCs.

43. How to grant temporary access to an external vendor for a specific task?

Answer:
Create an IAM role with limited permissions, enable external account access via sts:AssumeRole, and set a session timeout.

Example:
We granted a vendor 2-hour access to scan an RDS database. Their role could only access RDS in read-only mode and expired after the job.

44. How do you handle IAM policy versioning?

Answer:
AWS automatically tracks up to 5 versions of a managed policy. You can create a new version, test it, then set it as default.

Example:
We tested a new policy restricting EC2 tagging in dev only. After validation, we promoted the version and deleted old ones to avoid confusion.

45. How do you implement just-in-time (JIT) access using IAM?

Answer:
Use automation (e.g., Lambda or an access management tool) to create temporary roles or enable policies only when needed, with auto-expiration.

Example:
For production access, we had an approval workflow in Slack. On approval, a role was assumed via STS for 1 hour — access revoked automatically after.

46. Can IAM be used to control access to the billing console?

Answer:
Yes — attach the AWSBillingReadOnlyAccess or AWSBillingFullAccess managed policy.
Note: Only the root user can enable billing access for IAM users.

Example:
We enabled billing console access for our finance team with BillingReadOnlyAccess — they could view reports but not make changes.

47. What are the limits of IAM entities (users/roles/policies)?

Answer:
Examples:

  • 5,000 IAM users per account
  • 1,000 roles per account
  • 10 managed policies per user/role
  • 6,144 characters per policy

Example:
We hit the 10-policy limit on a data analytics role — we consolidated similar policies into one to reduce count and improve clarity.

48. What are identity-based vs resource-based policies in practice?

Answer:

  • Identity-based: Attached to users, groups, roles
  • Resource-based: Attached to resources (e.g., S3, SNS)

Example:
We gave a partner access to our SNS topic using a resource-based policy, without needing to touch their IAM setup.

49. Explain how IAM integrates with AWS Config, CloudTrail, and CloudWatch.

Answer:

  • CloudTrail: Logs all IAM actions
  • AWS Config: Tracks IAM changes over time
  • CloudWatch: Monitors IAM API usage metrics and sends alerts

Example:
CloudTrail alerted us when an unused IAM user tried to create access keys. We investigated via Config and locked down the account.

50. How do you troubleshoot IAM policy issues in a production environment?

Answer:
Use:

  • IAM Policy Simulator
  • CloudTrail logs
  • Access Advisor
  • STS decode errors

Example:
A prod deployment failed due to AccessDenied. The Policy Simulator showed the issue: ec2:DescribeTags was missing. We patched the role instantly.

How to prepare for an IAM interview?

Preparing for an AWS IAM (Identity and Access Management) interview involves a blend of theoretical understanding, hands-on experience, real-world scenarios, and security best practices. Here’s a focused and practical guide to help you get ready:

1. Master IAM Fundamentals

  • Understand core concepts: Users, Groups, Roles, Policies
  • Know the difference between:
    • Identity-based vs resource-based policies
    • Managed vs inline policies
    • Roles vs users vs federated identities

🧠 Tip: Be ready to explain these with examples.

2. Practice Policy Writing & Troubleshooting

  • Write custom IAM policies using JSON
  • Use Condition, Action, Resource, Effect blocks
  • Try solving permission issues using:
    • IAM Policy Simulator
    • CloudTrail logs
    • STS decoding

💡 Hands-on: Grant a Lambda function access to only one DynamoDB table, or create a policy that restricts S3 access to a specific folder path.

3. Learn Common Real-World Use Cases

Be able to talk through scenarios like:

  • Enforcing MFA for all users
  • Granting external vendors temporary access
  • Securing EC2 with instance profiles
  • Preventing accidental deletes with explicit deny
  • Cross-account access setup

📌 Tip: Interviewers love scenario-based questions.

4. Know IAM Security Best Practices

  • Least privilege principle
  • MFA enforcement (including for root)
  • Detecting unused credentials/roles
  • Using IAM Access Analyzer, Access Advisor
  • Rotating access keys securely
  • Using SCPs with AWS Organizations

🔐 Example question: “How would you audit all users who haven’t used their access keys in 90+ days?”

5. Use These Practice Resources

6. Prepare STAR-Based Answers for Behavioral Rounds

  • Structure: Situation, Task, Action, Result
  • Example: “Tell me about a time you prevented a security issue with IAM.”

7. Review These Before the Interview

  • IAM Limits (e.g., users/roles per account)
  • How IAM integrates with CloudTrail, Config, and GuardDuty
  • IAM role trust policies
  • sts:AssumeRole and federated login flow

30-Day AWS IAM Interview Prep Checklist

📅 Week 1: Core Concepts & Fundamentals

  • Understand IAM Users, Groups, Roles, and Policies
  • Learn difference: Identity-based vs Resource-based policies
  • Read AWS IAM docs on Permissions & Policies
  • Practice: Create a basic policy to allow S3 read-only access
  • Create and attach IAM role to EC2
  • Set up MFA for root and IAM users in sandbox

📅 Week 2: Hands-on Practice & CLI

  • Use AWS CLI to manage IAM: create users, attach policies
  • Practice aws sts assume-role and understand temp credentials
  • Write policies using Condition with IpAddress, Bool, StringEquals
  • Use IAM Policy Simulator to troubleshoot access
  • Deploy a Lambda function with IAM role access to S3
  • Try IAM access from Terraform or CloudFormation

📅 Week 3: Security & Real-World Scenarios

  • Understand and configure cross-account access
  • Explore IAM credential report and analyze inactive users
  • Create permission boundaries
  • Review IAM Access Analyzer and Access Advisor usage
  • Study SCPs and how they affect IAM
  • Create policy that allows EC2 only in specific regions

📅 Week 4: Mock Interviews & Optimization

  • Solve 20+ IAM real-world scenario questions (see below)
  • Explain IAM concepts in STAR format (for behavioral interviews)
  • Optimize IAM policies (e.g., modularize, avoid wildcards)
  • Review IAM integration with CloudTrail, GuardDuty, Config
  • Prepare a use case: temporary access to third-party auditor
  • Conduct mock interview with a peer or mentor

🎯 Mock IAM Interview Questions Set

🔹 Conceptual

  1. What is the difference between an IAM user and role?
  2. What happens if an IAM policy allows an action and SCP denies it?
  3. Explain how permission boundaries work.
  4. When would you use resource-based policy over identity-based?

🔹 Hands-On Scenarios

  1. How do you give EC2 read access to a specific S3 bucket?
  2. Describe how to audit all unused IAM roles in the account.
  3. A user has S3 access but still sees “Access Denied”. How do you troubleshoot?
  4. Grant a third-party 1-hour temporary access to read from a DynamoDB table.

🔹 Security & Governance

  1. How would you ensure no one creates EC2s outside us-east-1?
  2. How do you enforce MFA across all IAM users?
  3. How does IAM integrate with AWS Config and GuardDuty?
  4. How would you set up IAM for a multi-account organization?
