AWS IAM Interview Questions and Answers
Q: What is Identity and Access Management (IAM)?
Answer: AWS IAM is a fundamental component of AWS security, that helps you manage access to your AWS resources. IAM allows you to control who can access your resources and what actions they can perform. For example, a user allows to access EC2 service but deny to access S3 Service.
IAM enables you to create and manage users, groups, and roles that can be assigned specific permissions to access AWS services and resources.
Q: What are the key features of AWS IAM?
Answer: The key features of AWS IAM are:
Identity Management: Manage IAM users, groups, and roles to control access to AWS resources.Fine-Grained Access Control: Assign precise permissions using IAM policies for granular control over resource access.Multi-Factor Authentication (MFA): Enable an extra layer of security by requiring users to provide additional authentication factors.Access Key Management: Generate and manage access keys for programmatic access to AWS services.Integration with AWS Services: Seamlessly integrate IAM with various AWS services for secure access management.Identity Federation: Enable single sign-on (SSO) and federated access using external identity providers (e.g., Active Directory).Security Token Service (STS): Obtain temporary security credentials for cross-account access and identity delegation.Audit and Compliance: Monitor and log IAM events for auditing, compliance, and security analysis.Cross-Account Access: Grant permissions to users in other AWS accounts through IAM roles.AWS Organizations Integration: Centrally manage IAM policies and accounts across multiple AWS accounts using AWS Organizations, etc.
Q: Define AWS users, groups, and roles?
Answer: Users – AWS IAM user is a unique identity with security credentials like a password or access & secret key. User is associated with permissions to control the use of AWS resources.
Groups – A user group can contain many users. You can grant permissions to group using access control policies, assigned permissions applicable to all users belongs to that group.
Roles – An IAM role is like an IAM user, Roles are used to delegating access to AWS resources and AWS Users temporarily instead of sharing credentials. A role is intended to be assumable by anyone who needs it.
Q: What are the best practices you will follow while creating IAM users?
Answer: You can use following best practices while creating IAM Users –
Use Strong and Unique Passwords: Ensure that IAM users have strong, complex passwords that are unique to their accounts.Enable Multi-Factor Authentication (MFA): Implement MFA for IAM users to add an extra layer of security to their login process.Implement the Principle of Least Privilege: Grant IAM users the minimum permissions required to perform their tasks and regularly review and update their permissions as needed.Use IAM Roles for Applications and Services: Instead of using long-term access keys for applications and services, assign IAM roles with appropriate permissions to them.Regularly Rotate Access Keys: Set a policy to rotate access keys periodically to mitigate the risk of compromised credentials.Monitor and Review IAM Activity: Enable logging and monitoring for IAM user activity and review logs periodically to identify any suspicious or unauthorized activities.Disable Unused IAM User Accounts: Disable or delete IAM user accounts that are no longer in use to minimize the attack surface.Enable AWS CloudTrail: Enable AWS CloudTrail to capture all API activities and store the logs in a secure location for auditing and compliance purposes.Implement Separation of Duties: Avoid assigning conflicting or excessive permissions to a single IAM user and implement separation of duties to prevent misuse or unauthorized access.Regularly Review IAM Policies and Permissions: Conduct periodic reviews of IAM policies and permissions to ensure they align with the organization’s security requirements and best practices.
Q: Explain AWS IAM Policies?
Answer: AWS IAM policies are JSON documents that define permissions and access controls for AWS resources. They determine what actions users, groups, and roles can perform on specific resources within your AWS account.
By default, Users, groups, and roles have no permissions, you need to assign the right policies to enforce security and compliance requirements within your organization.
AWS policies are of two types –
Identity-based policies: Identity-based policies are attached to AWS identities like user, group, or role.Resource-based policies: Resource-based policies are attached to the AWS resources like Amazon S3 buckets, VPC endpoints, Amazon SQS queues, AWS KMS, and other services.
Q: Explain the IAM Policy Structure?
Answer: A JSON policy document contains following elements:
Version– The version of the policy language (2012-10-17). As a best practice, use the latest version.Statement– Main policy element as a container. You can add multiple statements in a policy.Sid– It is an optional identifier for the policy to differentiate between your statements.Effect– Grant permission (allow or deny)Principal– Who can access it. In case of resource-based policy, you need to add a principle (account, user, role, or federated) to define allow or deny access.Action– List of actions that the policy allows or denies.Resource– If you create an IAM permissions policy, you need to specify the list of resources to which the actions apply. In case of resource-based policy, this element is optional.Condition– It is an optional element. You can specify the condition under which the policy grants permission.
Q: What is MFA in AWS IAM?
Answer: Multi-factor authentication (MFA) adds an extra layer of protection to user sign-ins by requiring users to provide additional authentication factors beyond just a username and password.
In the context of AWS IAM, MFA involves using a physical or virtual device to generate a time-based one-time password (TOTP) or receive a push notification. The user must enter this additional code or approve the notification to complete the authentication process.
Q: What are IAM users’ access and secret keys?
Answer: IAM users’ access and secret keys are credentials used for programmatic access to AWS services and resources.
Access Key: An access key is a unique identifier associated with an IAM user or an IAM role. It is a long string of characters (e.g., AKIAIOSFODNN7EXAMPLE) that is used to authenticate requests made to AWS services.
Secret Key: A secret key is a cryptographic key associated with an access key. It is a separate, confidential value (e.g., wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) that must be kept secure. The secret key is used to sign the requests made with the access key, providing a form of authentication.
Q: How do you monitor user activity with IAM?
Answer: Monitoring user activity and roles is an important task for IAM managers. By using monitoring features, you can see what IAM users are doing, spot any unusual or unauthorized actions, and make sure security rules are followed. Monitoring user activity helps keep your AWS environment safe and secure.
You can use following services and tools to monitor User’s activity –
AWS CloudTrail: CloudTrail records API activity within your AWS account, including IAM user activity.IAM User Activity Reports: IAM provides user activity reports that give you insights into the activity of IAM users in your AWS account.CloudWatch Events: You can configure CloudWatch Events rules to monitor and respond to IAM events.IAM Access Analyzer: IAM Access Analyzer helps you identify unintended access to your AWS resources.