I will provide you with top 10 AWS Identity and Access Management (IAM) interview questions and answers that would be helpful for a professional cloud developer with experience in AWS.
- Q: What is AWS Identity and Access Management (IAM)?
A: AWS Identity and Access Management (IAM) is a service that helps you securely control access to AWS resources. It enables you to create and manage AWS users and groups, and grant or deny permissions to access AWS resources using policies.
- Q: What are IAM policies?
A: IAM policies are JSON documents that define permissions. Each policy contains one or more statements, and each statement says whether an Effect of Allow or Deny applies to a set of Actions on a set of Resources, optionally under a Condition. Policies are attached either to identities (users, groups and roles, hence "identity-based") or to resources such as S3 buckets, KMS keys and SQS queues ("resource-based"), and the two kinds are combined when a request is evaluated.
- Q: Explain the difference between IAM users, groups, and roles.
A: IAM users are identities with long-term credentials (a console password and/or access keys) that a single person or application uses to call AWS. IAM groups are collections of users; policies attached to a group apply to every member, which is the usual way to manage permissions for many users at once. A group is not an identity itself and cannot be named as a Principal or assume a role. IAM roles are identities that carry permission policies but have no long-term credentials. A role's trust policy states who may assume it, and assuming it through STS returns temporary credentials that carry the role's permissions. Roles are how AWS services (an EC2 instance profile, a Lambda execution role), principals in other accounts and federated users get permissions without sharing long-lived keys.
- Q: What is the Security Token Service (STS)?
A: AWS Security Token Service (STS) issues temporary security credentials (an access key ID, a secret access key and a session token) for IAM roles and federated users through calls such as AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetSessionToken and GetFederationToken. Credentials from AssumeRole last from 15 minutes up to the role's configured maximum session duration (1 to 12 hours; 1 hour when one role assumes another). Because they expire on their own, they are safer to hand out than long-term access keys; note that an issued session cannot be revoked individually, so cutting off active sessions means attaching a Deny to the role conditioned on aws:TokenIssueTime.
- Q: What is an IAM policy’s effect?
A: The “Effect” in an IAM policy determines whether the policy allows or denies the specified action. The two possible values for “Effect” are “Allow” and “Deny”.
- Q: Explain the concept of Principal, Action, Resource, and Condition in IAM policies.
A: Principal: the account, IAM user, IAM role, AWS service or federated identity that a statement applies to. It appears in resource-based policies and in a role's trust policy; identity-based policies omit it because the principal is whatever identity the policy is attached to. IAM groups cannot be principals. Action: the API operations (for example s3:GetObject) that are allowed or denied; names are case-insensitive and may use wildcards such as s3:Get*. Resource: the ARNs of the resources the statement covers, again with wildcards allowed. Condition: optional tests on request context keys (aws:SourceIp, aws:MultiFactorAuthPresent, aws:PrincipalOrgID, s3:prefix, and so on) that must all hold for the statement to apply; a condition on a key that is absent from the request evaluates to false unless an ...IfExists operator or the Null operator is used.
- Q: What is the IAM policy evaluation logic?
A: Every request starts as an implicit deny. AWS then evaluates all policies that apply to the request: the identity-based policies attached to the requesting user or role (including those inherited from the user's groups), any resource-based policy on the target resource, the permissions boundary on the identity, service control policies (SCPs) from AWS Organizations, and any session policy passed when the credentials were created. If any applicable policy contains an explicit Deny that matches the request, the request is denied, regardless of Allows elsewhere. Otherwise the request is allowed only if a matching explicit Allow exists and the action is not excluded by an SCP or a permissions boundary; with no matching Allow, the implicit deny stands. Within a single account an Allow in either the identity-based or the resource-based policy is enough; for cross-account access the caller's identity-based policy and the resource-based policy must both allow the action.
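The rules in the two answers above (Action, Resource and Condition matching, implicit deny, explicit Deny overriding Allow) as a small simulator. This is an added illustration, not AWS code and not the real policy engine: it supports only Action and Resource with `*` and `?` wildcards and a handful of condition operators, it ignores NotAction, NotResource, SCPs, permissions boundaries and session policies, and it does not evaluate Principal (the caller passes only the policies that already apply to the requesting identity). The policy documents are constructed for the example; the fourth one reproduces a common MFA-enforcement mistake.

```python
"""Toy evaluator for the IAM decision rules: implicit deny, explicit Deny wins,
Allow only from a matching statement. Added example, not the AWS engine."""
import fnmatch

# Constructed sample policies (not from any real account).
READ_REPORTS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadReports", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}
FULL_S3 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
PROTECT_PROD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::example-reports/prod/*"}]}
# Mistake: "Bool" is false when the key is absent, and aws:MultiFactorAuthPresent
# is absent for requests signed with long-term access keys, so this Deny never fires for them.
DENY_NO_MFA_WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
# The documented form: BoolIfExists treats a missing key as satisfying the condition.
DENY_NO_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are matched case-sensitively with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold (AND); any listed value may match (OR)."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted = [str(v) for v in _as_list(wanted)]
            wanted_lower = [v.lower() for v in wanted]
            actual = context.get(key)
            present = actual is not None
            if operator == "Bool":            # missing key -> condition is false
                if not present or str(actual).lower() not in wanted_lower:
                    return False
            elif operator == "BoolIfExists":  # missing key -> condition is true
                if present and str(actual).lower() not in wanted_lower:
                    return False
            elif operator == "StringEquals":  # case-sensitive, missing key -> false
                if not present or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":  # negated: missing key -> true
                if present and actual in wanted:
                    return False
            elif operator == "Null":          # "true" means the key must be absent
                if (wanted_lower[0] == "true") != (not present):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def _applies(stmt, action, resource, context):
    return (_action_matches(stmt["Action"], action)
            and _resource_matches(stmt["Resource"], resource)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(action, resource, policies, context=None):
    """Return "ALLOW" or "DENY" for one request against all applicable policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"      # explicit deny overrides any Allow
            allowed = True         # remember the Allow, keep scanning for Denys
    return "ALLOW" if allowed else "DENY"   # no Allow matched: implicit deny


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/2024/q1.csv"
    print(evaluate("s3:GetObject", obj, [READ_REPORTS, DENY_NO_MFA_WEAK]))  # Deny never fires
    print(evaluate("s3:GetObject", obj, [READ_REPORTS, DENY_NO_MFA]))       # denied without MFA
```

Run it with a context that lacks `aws:MultiFactorAuthPresent` (what a long-term access key produces) and the weak policy still allows the read while the BoolIfExists form denies it; add `{"aws:MultiFactorAuthPresent": "true"}` to the context and both allow. The prod Deny shows the override rule: even a blanket `s3:*` Allow cannot delete under `prod/`.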
- Q: What are the best practices for securing IAM?
A: Some best practices for securing IAM include:
- Enforcing the principle of least privilege: grant only the actions and resources a workload needs, and use IAM Access Analyzer and the service's last-accessed data to trim unused permissions
- Preferring temporary credentials (IAM roles, IAM Identity Center, federation) over long-term access keys, and rotating any remaining access keys on a schedule
- Requiring multi-factor authentication (MFA) for console users and for the root user, and enforcing it in policy with a Deny conditioned on aws:MultiFactorAuthPresent
- Not using the root user for day-to-day work and keeping it free of access keys
- Auditing policies, the IAM credential report and CloudTrail regularly to find unused users, stale keys and over-broad grants
- Enforcing a strong account password policy (length, complexity, reuse prevention)
- Q: What is the difference between resource-based and user-based policies?
A: Resource-based policies are attached to a resource (an S3 bucket policy, a KMS key policy, an SQS queue policy, a Lambda function policy, a role's trust policy) and must contain a Principal element naming who may act on that resource. Identity-based policies, which the question calls user-based, are attached to an IAM user, group or role and state what that identity may do on which resources; they have no Principal element because the principal is the identity they are attached to. Within one account an Allow from either kind is sufficient (subject to an explicit Deny anywhere). Across accounts, the caller's identity-based policy and the resource-based policy must both allow the action; the alternative is to let the foreign principal assume a role in the resource's account, where the role's trust policy is itself the resource-based policy.
- Q: What is a federated user in AWS IAM?
A: A federated user is a user who is authenticated by an external identity provider rather than by IAM: a SAML 2.0 provider such as Active Directory Federation Services, an OpenID Connect provider, or a social identity provider such as Google or Facebook (social logins are usually brokered through Amazon Cognito). The provider is registered in IAM and named in the trust policy of a role; the federated user then calls STS (AssumeRoleWithSAML or AssumeRoleWithWebIdentity) and receives temporary security credentials for that role. No IAM user is created, and the identity provider's claims can be mapped into session tags or conditions to scope what the federated session may do.