1. What is AWS IAM?
Answer:
AWS Identity and Access Management (IAM) is a core AWS service that enables you to securely manage access to AWS resources. It allows you to create and manage users, groups, and roles, and define policies that control what actions these entities can perform. IAM provides fine-grained access control, ensuring that only authorized identities can access specific AWS services and resources.
2. Explain the purpose of IAM in AWS.
Answer:
The primary purpose of IAM is to provide a centralized and secure access management system for AWS resources. It helps organizations:
- Implement least privilege access.
- Assign permissions based on roles and responsibilities.
- Enforce compliance by auditing and monitoring access.
- Enable secure integration with external identity providers.
IAM ensures that access is controlled, monitored, and aligned with organizational security policies.
3. What are IAM users, groups, and roles?
Answer:
- IAM Users: Individual identities within your AWS account. Each user has unique credentials (password, access keys) and can be assigned permissions via policies.
- Groups: Collections of IAM users. Permissions applied to a group are inherited by all its members, simplifying management.
- Roles: Temporary identities with defined permissions that can be assumed by trusted entities (AWS services, users, or external identities). Roles do not have permanent credentials; instead, they provide temporary security tokens.
4. How do you secure your AWS account with IAM?
Answer:
Best practices include:
- Enable MFA for root and IAM users.
- Enforce a strong password policy with regular rotation.
- Principle of Least Privilege: Grant only necessary permissions.
- Avoid long-term access keys: Use roles for temporary access.
- Enable CloudTrail: Monitor all API activity.
- Regular audits: Review IAM policies and remove unused accounts.
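An added example (not part of the original page) of the "regular audits" item: a small audit over an IAM credential report, the CSV that `aws iam get-credential-report` returns, flagging console users without MFA, root-account issues, and access keys that are stale or unused. The report text, account id, user names and dates below are constructed for the example and use a subset of the real report's columns; the 90-day thresholds are an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the CSV layout of an IAM credential report (subset of columns).
# Account id, users and timestamps are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-04-20T00:00:00+00:00,2024-05-02T09:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-01-15T00:00:00+00:00,2023-02-01T00:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-01T00:00:00+00:00,N/A,false,N/A,N/A
"""

# Assumed thresholds; adjust to your own rotation policy.
MAX_KEY_AGE = timedelta(days=90)
MAX_KEY_IDLE = timedelta(days=90)

# Fixed "now" so the sample gives a stable result.
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def _parse_ts(value):
    """Datetime for an ISO timestamp column, or None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(csv_text, now):
    """Return a list of (user, finding) tuples for the best-practice checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Root: must have MFA and must not carry access keys at all.
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root account has an active access key {slot}"))
            continue
        # Console users must have MFA enabled.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # Active keys must be rotated regularly and actually be in use.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE.days} days"))
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None or now - last_used > MAX_KEY_IDLE:
                findings.append((user, f"access key {slot} unused for {MAX_KEY_IDLE.days}+ days, candidate for deletion"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```

With a real report, decode the base64 `Content` field of the `get-credential-report` response and pass the text in; the checks are the same.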
5. How do you grant permissions to an IAM user?
Answer:
Permissions are granted by attaching IAM policies to users, groups, or roles.
- Direct attachment: Attach a policy directly to a user.
- Group-based: Add the user to a group with predefined policies.
Policies define allowed or denied actions on AWS resources.
6. Explain the concept of IAM policies.
Answer:
IAM policies are JSON documents that define permissions. They specify:
- Actions: What operations are allowed (e.g., s3:GetObject).
- Resources: Which resources the actions apply to.
- Conditions: Optional constraints (e.g., IP address, time).
Policies can be attached to users, groups, or roles.
7. What are the different types of IAM policies?
Answer:
- Managed Policies:
- AWS Managed: Predefined by AWS for common use cases.
- Customer Managed: Created and managed by you.
- Inline Policies: Embedded directly into a user, group, or role for specific permissions.
8. What is the principle of least privilege in IAM?
Answer:
Grant only the minimum permissions required for a user or role to perform their tasks. This reduces the risk of accidental or malicious misuse.
9. How do you manage access keys for IAM users?
Answer:
Access keys (Access Key ID and Secret Access Key) allow programmatic access. Best practices:
- Rotate keys regularly.
- Delete unused keys.
- Avoid hardcoding keys in applications; let the AWS SDK pick up credentials from its provider chain (for example, an IAM role) or fetch them from Secrets Manager.
10. What is MFA (Multi-Factor Authentication) in IAM?
Answer:
MFA adds an extra layer of security by requiring two forms of authentication:
- Something you know (password).
- Something you have (MFA device or app).
This prevents unauthorized access even if credentials are compromised.
11. Explain IAM roles for EC2 instances.
Answer:
IAM roles allow EC2 instances to access AWS services without storing credentials locally. The instance assumes the role and receives temporary credentials via the Instance Metadata Service.
12. What is IAM federation?
Answer:
IAM federation integrates external identity providers (e.g., Active Directory, SAML, OIDC) with AWS. Users can access AWS resources using existing corporate credentials without creating separate IAM users.
13. What is the IAM policy evaluation logic?
Answer:
IAM follows deny by default. Evaluation steps:
- If an explicit deny exists → Access denied.
- If an explicit allow exists → Access granted.
- If no policy allows the action → Access denied.
14. How do you create a custom IAM policy?
Answer:
Create via AWS Console, CLI, or SDK:
- Define actions, resources, and conditions in JSON format.
- Validate using IAM Policy Simulator.
- Attach to users, groups, or roles.
15. What is the IAM condition element in a policy?
Answer:
Conditions restrict when a policy applies. Examples:
- IP-based: Allow access only from specific IP ranges.
- Time-based: Allow access during business hours.
- Tag-based: Allow actions only on resources with specific tags.
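An added example, not from the original page, that ties questions 13 and 15 together: a customer managed policy in the standard IAM JSON layout and a minimal evaluator that applies the stated order (deny by default, an explicit deny always wins, otherwise some allow must match) including `IpAddress` and `StringEquals` conditions. The bucket name, CIDR, tag and account id are constructed; the evaluator is a teaching model, not AWS's engine (it ignores, for example, case-insensitive action matching, resource-based policies and permission boundaries).

```python
import fnmatch
import ipaddress

# Constructed customer managed policy; bucket, CIDR and tag value are example values.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadFromOfficeNetwork",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Sid": "AllowStoppingDevInstances",
            "Effect": "Allow",
            "Action": "ec2:StopInstances",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/env": "dev"}},
        },
        {
            "Sid": "DenyDeleteEverywhere",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the two operators this example supports; every key must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a positive operator
            if operator == "IpAddress":
                if not any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                           for cidr in _as_list(expected)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not supported by this example")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request.

    Order: default deny; an explicit Deny short-circuits; otherwise an Allow
    whose Action, Resource and Condition all match is required.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"   # explicit deny wins regardless of any allow
        allowed = True      # remember the allow, but keep scanning for a deny
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(POLICY, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.10"}))   # Allow
    print(evaluate(POLICY, "s3:GetObject", obj, {"aws:SourceIp": "198.51.100.5"}))   # Deny: condition fails
    print(evaluate(POLICY, "s3:DeleteObject", obj, {"aws:SourceIp": "203.0.113.10"}))  # Deny: explicit deny
```

The `IpAddress` check is where the "IP-based" condition lands: a request from outside 203.0.113.0/24 simply finds no matching allow and falls through to the default deny; it does not need an explicit deny statement.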
16. How do you rotate access keys for an IAM user?
Answer:
Steps:
- Create a new access key.
- Update applications to use the new key.
- Delete the old key.
This ensures uninterrupted access during rotation.
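The three rotation steps as a script, added here as an example rather than taken from the page. `rotate_access_key` calls the boto3 IAM client methods by their real names (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`); `FakeIamClient` is a constructed stand-in with the same method names and response shapes so the flow runs offline, and the user name, key ids and secret are made-up values. The example adds one step the page leaves implicit: the old key is deactivated (reversible) and the application verified before the old key is deleted (irreversible), so a failed cut-over can be rolled back.

```python
# Constructed stand-in for boto3.client("iam"); replace with the real client in practice.
class FakeIamClient:
    def __init__(self, user_name, existing_keys):
        self.keys = {user_name: [{"AccessKeyId": k, "Status": "Active"} for k in existing_keys]}
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys[UserName]]}

    def create_access_key(self, UserName):
        self.counter += 1
        key = {"AccessKeyId": f"AKIAEXAMPLENEW{self.counter:04d}", "Status": "Active"}
        self.keys[UserName].append(key)
        return {"AccessKey": dict(key, SecretAccessKey="constructed-secret", UserName=UserName)}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for key in self.keys[UserName]:
            if key["AccessKeyId"] == AccessKeyId:
                key["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


def rotate_access_key(iam, user_name, redeploy, verify):
    """Rotate the single active key of user_name; returns (new_key_id, old_key_id).

    redeploy(key_id, secret) pushes the new key to the consuming application.
    verify(key_id) returns True once the application works with the new key.
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) != 1:
        # IAM allows at most two keys per user, so a second existing key blocks rotation.
        raise RuntimeError(f"expected exactly one existing key for {user_name}, found {len(keys)}")
    old_key_id = keys[0]["AccessKeyId"]

    # Step 1: create the new key.
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_key_id, new_secret = new["AccessKeyId"], new["SecretAccessKey"]

    # Step 2: update the application, then disable (not delete) the old key and check.
    redeploy(new_key_id, new_secret)
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    if not verify(new_key_id):
        # Roll back: re-enable the old key and remove the unused new one.
        iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Active")
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_key_id)
        raise RuntimeError("application failed with the new key; rotation rolled back")

    # Step 3: delete the old key only after the new one is proven to work.
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return new_key_id, old_key_id


def demo(verify_succeeds=True):
    """Run the rotation against the fake client; return the (key id, status) pairs left behind."""
    iam = FakeIamClient("svc-deploy", ["AKIAEXAMPLEOLD0001"])
    deployed = {}
    try:
        rotate_access_key(iam, "svc-deploy",
                          redeploy=lambda kid, secret: deployed.update(key=kid),
                          verify=lambda kid: verify_succeeds and deployed.get("key") == kid)
    except RuntimeError as err:
        print(err)
    return [(k["AccessKeyId"], k["Status"]) for k in iam.keys["svc-deploy"]]


if __name__ == "__main__":
    print(demo())                      # only the new key remains
    print(demo(verify_succeeds=False))  # rolled back: only the old key remains
```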
17. What is IAM policy versioning?
Answer:
AWS maintains multiple versions of a policy. You can roll back to previous versions if needed. Only one version is active at a time.
18. How can you monitor IAM events and activities?
Answer:
Enable AWS CloudTrail to log all IAM API calls. Analyze logs for suspicious activity and integrate with Amazon CloudWatch for alerts.
19. What is AWS Organizations and how does it relate to IAM?
Answer:
AWS Organizations allows centralized management of multiple AWS accounts. It uses Service Control Policies (SCPs) to enforce permissions across accounts. IAM operates at the account level, while Organizations provides governance at the organizational level.
20. How do you troubleshoot IAM permission issues?
Answer:
- Use IAM Policy Simulator to test permissions.
- Check attached policies and resource-based policies.
- Review CloudTrail logs for denied actions.
- Validate conditions and explicit denies.
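An added example, not part of the original page, serving both question 18 (monitoring IAM activity in CloudTrail) and the "review CloudTrail logs for denied actions" step above. It runs two checks over constructed CloudTrail records: a tally of AccessDenied events per principal, action and resource, with the action and resource pulled out of the `errorMessage`, and a small alert rule set for root-account activity, console logins without MFA, and permission-changing IAM API calls. The records use real CloudTrail field names but only a subset of the fields; the account id, ARNs, addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed CloudTrail records (subset of fields); all identifiers are made-up values.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-03T08:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "errorMessage": 'User: arn:aws:iam::111122223333:user/bob is not authorized to perform: s3:GetObject '
                     'on resource: "arn:aws:s3:::example-bucket/report.csv" because no identity-based policy '
                     'allows the s3:GetObject action'},
    {"eventTime": "2024-05-03T08:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "errorMessage": 'User: arn:aws:iam::111122223333:user/bob is not authorized to perform: s3:GetObject '
                     'on resource: "arn:aws:s3:::example-bucket/report.csv" because no identity-based policy '
                     'allows the s3:GetObject action'},
    {"eventTime": "2024-05-03T08:10:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.5", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-03T08:20:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.9", "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2024-05-03T08:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.9"},
]

# IAM API calls that change who can do what; each one deserves review.
SENSITIVE_IAM_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
                        "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy", "DeactivateMFADevice"}

DENIAL_RE = re.compile(r'not authorized to perform: (\S+) on resource: "?([^"\s]+)"?')


def parse_denial(message):
    """Extract (action, resource) from an AccessDenied errorMessage, or None if it does not match."""
    m = DENIAL_RE.search(message or "")
    return (m.group(1), m.group(2)) if m else None


def summarize_denials(events):
    """Count denied requests per (principal ARN, action, resource)."""
    counts = Counter()
    for e in events:
        if e.get("errorCode") not in ("AccessDenied", "UnauthorizedOperation"):
            continue
        parsed = parse_denial(e.get("errorMessage")) or (e["eventName"], "?")
        counts[(e["userIdentity"].get("arn"),) + parsed] += 1
    return counts


def detect_suspicious(events):
    """Return (eventTime, rule, detail) for events that should raise an alert."""
    findings = []
    for e in events:
        ident = e.get("userIdentity", {})
        if ident.get("type") == "Root":
            findings.append((e["eventTime"], "root account activity", e["eventName"]))
        if e["eventName"] == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append((e["eventTime"], "console login without MFA", ident.get("arn")))
        if e.get("eventSource") == "iam.amazonaws.com" and e["eventName"] in SENSITIVE_IAM_EVENTS:
            target = e.get("requestParameters", {}).get("userName", "")
            findings.append((e["eventTime"], "sensitive IAM change",
                             f"{e['eventName']} {target} by {ident.get('arn')}"))
    return findings


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_EVENTS).items():
        print(f"{n}x denied: {key}")
    for finding in detect_suspicious(SAMPLE_EVENTS):
        print(finding)
```

The denial summary gives exactly the inputs the Policy Simulator needs (principal, action, resource), and the alert rules are the kind of condition you would wire to a CloudWatch metric filter or EventBridge rule on the CloudTrail stream.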