AWS IAM Interview Questions and Answers

  • By
  • October 30, 2021
  • AWS

AWS IAM Interview Questions and Answers

Q: What is IAM service in AWS Cloud?

A: IAM is abbreviation of Identity Access Management. It’s a service offered by AWS Cloud that helps one to create user account and groups and manage their access to AWS services and resources securely. IAM is a global service and has no additional fees associated to it. 

Q: Explain different types of user accounts in AWS Cloud?

A: Root User is the Owner Account (administrator) and is created with the creation of AWS Account. It has full access by default to all services and resources in the AWS account. This user cannot be explicitly denied access to AWS resources or services with IAM Policies. In order to limit permissions to this user account, one has to do so with AWS Organization Service Control Policy (SCP). Some specific tasks such as closing an AWS Account can only be accomplished by the AWS Account Root User only. 

IAM User is a standard user account that has no permission to any AWS service or resource. This account is either created by root user or an IAM administrator. IAM Policies are used to define permissions to this user account. All the user, that require to login in AWS Management Console, or configure services or access resources programmatically, can have their individual IAM user account with different set of policies associated to them. Certain tasks such as closing an AWS Account cannot be accomplished by this user account.

For Free, Demo classes Call: 7798058777
Registration Link: Click Here!

Q: Describe the key elements used in the JSON schema of an IAM policy?

A: Following are some of the key elements used in describing a IAM Policy in JSON.

Version: Version policy element describes the policy language. IAM supports 2 different Version policy languages, 2012-10-17 and 2008-10-17. 2012-10-17 is the latest version of policy language. Policy variables were introduced in this latest version. 2008-10-17 is the older version of the policy language. It can be observed on some of the older policies still available.

Statement: It is the main element of a policy. Its mandatory to define a statement in a policy. It can be a definition of an individual statement or can as well be an array of statement. An individual statement must be described in curly brackets separated by commas and the whole enclosed within square brackets, example:  “Statement”: [{…..},{…..},{…..},{…..}]

Sid: Sid stands for Statement Identifier. This is an optional element and isn’t mandatory. An individual statement in the array of statements can be assigned a unique value. Values that are allowed in the Sid element are upper and lower case ASCII letters (A-Z , a-z) and numbers (0-9).

Effect: This is a mandatory policy element. It is used to specify if the said policy action is allowed or is implicitly denied. The values that are set for this policy element is Allow or Deny.

Action: It’s a mandatory policy element if NotAction element isn’t described. This element is a list of tasks, that will be allowed or denied. AWS services have their actions, that actually are specific tasks that can be accomplished with the said action. The values are described with the service name and the actual action that is required to be allowed or denied. Following are some examples:

  • “Action”: “iam:ChangePassword”
  • “Action”: [“ec2:StartInstances” , “ec2:StopInstances”] 

Resource: Its mandatory to define resource element in the statement of a policy if NotResource isn’t declared. It describes an individual object or multiple objects that should be covered by statement. An ARN (Amazon Resource Name) is used to describe a resource.

Following is an example of a policy definition in JSON that limits allow action to start or stop a specific ec2 instance of Virginia region of AWS. 

 

{

    “Version”: “2012-10-17”,

    “Statement”: [

        {

            “Sid”: “VisualEditor0”,

            “Effect”: “Allow”,

            “Action”: [

                “ec2:StartInstances”,

                “ec2:StopInstances”

            ],

            “Resource”: “arn:aws:ec2:us-east-1:420132313843:instance/i-052f971350eddcaab”

        }

    ]

}

For Free, Demo classes Call: 7798058777
Registration Link: Click Here!

Q: What is Identity based policy in AWS IAM?

A: Identity based policy are the most frequently used JSON permissions policy document. It’s used to control actions of an identity (Individual user, group of users or a role) can perform on an AWS Resource under certain circumstance. There are 2 types of Identity based policies, they are Managed or Inline policies.

Managed Policy: It’s simply a policy that you can apply on an individual IAM user, group of users or role in AWS account. There are 2 different types of managed policies.

AWS managed policies: These are managed policies pre created and managed by AWS. 

Customer managed policies: These are managed policies created and managed by you in AWS account. These are meant to provide granular and specific control in managing permissions in your policies that AWS managed policies.

Inline Policy: These policies are dedicated to a specific identity i.e. user, group or role. These policies are deleted as the identity associated is deleted. These policies maintain a strict, one-to-one relationship with the associated identity and can’t be associated to different identity.

Q: What is MFA support for IAM?

A: MFA stands for Multi-Factor Authentication. IAM MFA provides an additional layer of security by prompting a user for username and password (the first factor, intellectual information) and additionally requiring the user to also enter the code generated (the second factor, randomly generated token valid for a single login session) by the MFA device associated with the user account for entering the AWS management console. To setup MFA for an account, one simply needs to buy a hardware device or simply install a free virtual MFA app on his mobile, other than this no extra cost is associated.

Q: What is IAM Role?

A: IAM Role is an IAM Identity similar to IAM user, created in AWS account with specific permission policies assigned to it. These policies define what IAM role can and cannot do in the AWS account. IAM roles do not hold authentication credentials such as login passwords or access keys, instead a temporary security credential is generated for each individual role session. These are normally meant to delegate access to users, services or applications that don’t have explicit allow on AWS resource.

Q: What are access keys for IAM Users?

A: Access keys can be created for IAM users or AWS account root users. These are long term credentials, used to sign programmatic requests to AWS API or AWS CLI. Access Key is composed of 2 parts:

Access Key ID (AKIAIKATODNN7EXAMPLE)

Secret Access Key (wJnamXUtnFEMI/K7MAWQG/bPxRfiCYEXAMPLEKEY)

Access key id and secret access key should be used together, like a user name and its password, to authenticate a request.

Amazon recommends to use IAM role rather than using Access keys. These are supposed to be confidential like the user credentials, and meant to be private to the IAM user or AWS account root user only. These users can create, view, modify, rotate and delete their access keys. For ease of rotation of access keys, AWS allows one to create and possess a maximum of 2 access keys simultaneously. 

Author:-

Aftab Shaikh
Call the Trainer and Book your free demo Class  Call now!!!

| SevenMentor Pvt Ltd.

© Copyright 2021 | Sevenmentor Pvt Ltd.

 

Submit Comment

Your email address will not be published. Required fields are marked *

*
*