TOP 50 Interview Questions on AWS Cloud Computing Services – IAM
1. What is AWS Identity and Access Management (IAM)?
AWS IAM is used to securely control individual and group access to your AWS resources. You can create and manage user identities and grant permissions for those IAM users to access your resources. You can also grant permissions to users outside of AWS (federated users).
2. How do I get started with IAM?
To start using IAM, you must subscribe to at least one of the AWS services that is integrated with IAM. You can then create and manage users, groups, and permissions via the IAM APIs, the AWS CLI, or the IAM console, which provides a point-and-click, web-based interface. You can also use the visual editor to create policies.
3. What problems does IAM solve?
IAM makes it easy to give multiple users secure access to your AWS resources. IAM enables you to:
Manage IAM users and their access: you can create users in AWS's identity management system, assign users individual security credentials (such as access keys, passwords, and multi-factor authentication devices), or request temporary security credentials to give users access to AWS services and resources. You can specify permissions to control which operations a user can perform.
Manage access for federated users: you can request security credentials with configurable expirations for users without creating an IAM user account for them. This allows you to give your employees and applications secure access to resources in your AWS account. You specify the permissions for these security credentials to control which operations a user can perform.
4. Who can use IAM?
Any AWS customer can use IAM. The service is offered at no additional charge. You are charged only for the use of other AWS services by your users.
5. What is a user?
A user is a unique identity recognized by AWS services and applications. Similar to a login user in an operating system such as Windows or UNIX, a user has a unique name and can identify itself using familiar security credentials such as a password or access key. A user can be an individual, a system, or an application requiring access to AWS services. IAM supports users managed in AWS's identity management system, and it also enables you to grant access to AWS resources for users managed outside of AWS in your corporate directory.
6. What can a user do?
A user can place requests to web services like Amazon EC2 and Amazon S3. A user’s ability to access web service APIs is under the control and responsibility of the AWS account under which it’s defined. You can permit a user to access any or all of the AWS services that are integrated with IAM and to which the AWS account has subscribed.
If permitted, a user has access to all or any of the resources under the AWS account. In addition, if the AWS account has access to resources from a different AWS account, its users may also be able to access data under those AWS accounts. Any AWS resources created by a user are under the control of, and paid for by, its AWS account. Users cannot independently subscribe to AWS services or control resources.
7. How do users call AWS services?
Users make requests to AWS services using their security credentials. Explicit permissions govern the ability of users to call AWS services. By default, users have no ability to call service APIs on behalf of the account.
8. What is a group?
A group is a collection of IAM users. Manage group membership as a simple list:
- Add users to or remove them from a group.
- A user can belong to multiple groups.
- Groups cannot belong to other groups.
- Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a set of users, instead of having to manage permissions for every individual user.
- Groups don't have security credentials and can't access web services directly; they exist solely to make it easier to manage user permissions. For details, see Working with Groups and Users.
9. What kinds of security credentials can IAM users have?
IAM users can have any combination of credentials that AWS supports, such as an AWS access key, an X.509 certificate, an SSH key, a password for web app logins, or an MFA device. This allows users to interact with AWS in whatever manner makes sense for them. An employee may need both an AWS access key and a password; a software system may need only an AWS access key to make programmatic calls; IAM users might have a personal SSH key to access AWS CodeCommit repositories; and an outside contractor may need only an X.509 certificate to use the EC2 command-line interface. For details, see Temporary Security Credentials in the IAM documentation.
10. Which AWS services support IAM users?
You can find the entire list of AWS services that support IAM users in the AWS Services That Work with IAM section of the IAM documentation. AWS plans to add support for other services over time.
11. Who is able to manage users for an AWS account?
The AWS account holder can manage users, groups, security credentials, and permissions. In addition, you can grant permissions to individual users to make calls to IAM APIs in order to manage other users. For example, an administrator user can be created to manage users for an organization, which is a recommended practice. When you grant a user permission to manage other users, they can do so via the IAM APIs, AWS CLI, or IAM console.
12. Can IAM users have individual EC2 SSH keys?
Not in the initial release. IAM doesn't affect EC2 SSH keys or Windows RDP certificates. This means that although each user has separate credentials for accessing web service APIs, they must share the SSH keys that are common across the AWS account under which the users have been defined.
13. Where can I use my SSH keys?
Presently, IAM users can use their SSH keys only with AWS CodeCommit to access their repositories.
14. Do IAM user names have to be email addresses?
No, but they can be. Within a given AWS account, user names are simply ASCII strings that must be unique. You can assign names using any naming convention you choose, including email addresses.
15. Which character sets can I use for IAM user names?
For an IAM entity you can only use ASCII characters.
16. How are user passwords set?
Initially, you can set a password for an IAM user via the IAM console, AWS CLI, or IAM APIs. After the initial provisioning, user passwords never appear in clear text and are never displayed or returned via an API call. IAM users can manage their passwords via the My Password page in the IAM console. Users access this page by selecting the Security Credentials option from the drop-down list in the upper right corner of the AWS Management Console.
17. Can I set usage quotas on IAM users?
No. All limits are on the AWS account as a whole. For example, if your AWS account has a limit of 20 Amazon EC2 instances, IAM users with EC2 permissions can start instances up to that limit. You cannot limit what an individual user can do.
18. What is an IAM role?
An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles aren't associated with a specific user or group. Instead, roles are assumed by trusted entities, such as IAM users, applications, or AWS services like EC2.
19. What problems do IAM roles solve?
IAM roles allow you to delegate access with defined permissions to trusted entities without having to share long-term access keys. You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, or to an AWS service such as EC2.
20. How many IAM roles can I assume?
There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role at a time when making requests to AWS services.
21. What is the difference between an IAM role and an IAM user?
An IAM user has permanent long-term credentials and is used to interact directly with AWS services. An IAM role doesn't have any credentials of its own and can't make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service like EC2.
22. When should I use an IAM user, IAM group, or IAM role?
An IAM user has permanent long-term credentials and is used to interact directly with AWS services. An IAM group is primarily a management convenience for applying the same set of permissions to a group of IAM users. An IAM role is an AWS Identity and Access Management (IAM) entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services like EC2.
23. How many policies can I attach to an IAM role?
For inline policies: you can add as many inline policies as you like to a user, role, or group, but the total aggregate policy size (the combined size of all inline policies) per entity cannot exceed the following limits:
- User policy size cannot exceed 2,048 characters.
- Role policy size cannot exceed 10,240 characters.
- Group policy size cannot exceed 5,120 characters.
For managed policies: you can attach up to 10 managed policies to a user, role, or group. The size of each managed policy cannot exceed 6,144 characters.
24. How many IAM roles can I create?
An AWS account is limited to 1,000 IAM roles. If you need more roles, submit the IAM limit increase request form with your use case, and AWS will consider your request.
25. What are the features of IAM roles for EC2 instances?
IAM roles for EC2 instances provide the following features:
- Use of AWS temporary security credentials when making requests from running EC2 instances to AWS services.
- Automatic rotation of the AWS temporary security credentials.
- Granular AWS service permissions for applications running on EC2 instances.
26. Can I change the IAM role on a running EC2 instance?
Yes. Although a role is usually assigned to an EC2 instance when you launch it, a role can also be assigned to an EC2 instance that is already running. To learn how to assign a role to a running instance, see IAM Roles for Amazon EC2. You can also change the permissions on the IAM role associated with a running instance, and the updated permissions take effect almost immediately.
27. Which permissions are required to launch EC2 instances with an IAM role?
An IAM user must be granted two distinct permissions to successfully launch EC2 instances with roles:
- Permission to launch EC2 instances.
- Permission to associate an IAM role with EC2 instances.
28. What is a service-linked role?
A service-linked role is a type of role that is linked to an AWS service (also referred to as a linked service) such that only the linked service can assume the role. Using these roles, you can delegate permissions to AWS services to create and manage AWS resources on your behalf.
29. Who can create and manage access keys in an AWS account?
Only the AWS account owner can manage the access keys for the root account. The account owner, and IAM users or roles that have been granted the required permissions, can manage access keys for IAM users.
30. What kinds of policies does the IAM policy simulator support?
The policy simulator supports testing of newly entered policies and of existing policies attached to groups, users, and roles. In addition, you can simulate whether resource-level policies grant access to a specific resource for Amazon S3 buckets, Amazon Glacier vaults, Amazon SNS topics, and Amazon SQS queues. These are included in the simulation when an Amazon Resource Name (ARN) is specified in the Resource field in Simulation Settings for a service that supports resource policies.
31. Which AWS sites can IAM users access?
IAM users can sign in to the following AWS sites:
- AWS Management Console
- AWS Forums
- AWS Support Center
- AWS Marketplace
32. How much do IAM roles cost?
IAM roles are free of charge. You will still pay for any resources a role in your AWS account consumes.
33. How are IAM roles managed?
You can create and manage IAM roles via the IAM APIs, AWS CLI, or IAM console, which provides a point-and-click, web-based interface.
34. Can I use the same IAM role on multiple EC2 instances?
Yes, you can use the same IAM role on multiple EC2 instances.
35. Can I associate an IAM role with an Auto Scaling group?
Yes. You can add an IAM role as an additional parameter in an Auto Scaling launch configuration and create an Auto Scaling group with that launch configuration. All EC2 instances launched in an Auto Scaling group that is associated with an IAM role are launched with the role as an input parameter. For more details, see What Is Auto Scaling? in the Auto Scaling Developer Guide.
36. Can I associate more than one IAM role with an EC2 instance?
No. You can only associate one IAM role with an EC2 instance at this time. This limit of one role per instance cannot be increased.
37. What happens if I delete an IAM role that is associated with a running EC2 instance?
Any application running on the instance that is using the role will be denied access immediately.
38. Can I delete a service-linked role?
Yes. If you do not want an AWS service to perform actions on your behalf, you can delete its service-linked role. Before you delete the role, you must delete all AWS resources that depend on the role. This step ensures that you don't inadvertently delete a role required for your AWS resources to function properly.
39. How do I delete a service-linked role?
You can delete a service-linked role from the IAM console. Choose Roles in the navigation pane, choose the service-linked role that you want to delete, and choose Delete role. (Note: for Amazon Lex, you must use the Amazon Lex console to delete the service-linked role.)
40. How do permissions work?
Access control policies are attached to groups, roles, and users to assign permissions to AWS resources. By default, IAM users, groups, and roles have no permissions; users with sufficient permissions must use a policy to grant the desired permissions.
41. How do I assign permissions using a policy?
To set permissions, you can create and attach policies using the AWS Management Console, the IAM API, or the AWS CLI. Users who have been granted the required permissions can create policies and assign them to IAM users, groups, and roles.
42. How do group-based permissions work?
Use IAM groups to assign the same set of permissions to multiple IAM users. A user can also have individual permissions assigned directly. The two ways of attaching permissions to users work together to set the user's overall permissions.
43. What’s the difference between assigning permissions using IAM groups and assigning permissions using managed policies?
Use IAM groups to collect IAM users and define common permissions for those users. Use managed policies to share permissions across groups, roles, and IAM users. For example, if you want a group of users to be able to launch an Amazon EC2 instance, and you also want the role on that instance to have the same permissions as the users in the group, you can create a managed policy and assign it both to the group of users and to the role on the Amazon EC2 instance.
44. Can I grant permissions to access AWS resources owned by another AWS account?
Yes. Using IAM roles, IAM users and federated users can access resources in another AWS account via the AWS Management Console, the AWS CLI, and the APIs. See Manage IAM Roles for more information.
45. What can the policy simulator be used for?
You can use the policy simulator in several ways. You can test policy changes to make sure they have the desired effect before committing them to production. You can validate the existing policies attached to users, groups, and roles to verify and troubleshoot permissions. You can also use the policy simulator to understand how IAM policies and resource-based policies work together to grant or deny access to AWS resources.
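Questions 40, 42 and 45 describe the evaluation rules the simulator applies: an identity starts with no permissions, the policies attached directly to a user and those inherited from its groups are combined, a matching Allow grants access, and a matching Deny wins over any Allow. The following is an added example, not code from the original page or from AWS's simulator: a small evaluator that applies exactly those rules over constructed users, groups and identity-based policies and reports the same three decision values the IAM policy simulator uses (allowed, explicitDeny, implicitDeny). It supports only Action and Resource matching with the usual "*" and "?" wildcards; statements using Condition, NotAction, NotResource or Principal, and resource-based policies, are outside its scope and are rejected rather than silently ignored.

```python
import re

UNSUPPORTED_KEYS = {"Condition", "NotAction", "NotResource", "Principal", "NotPrincipal"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_to_regex(pattern: str) -> str:
    # IAM wildcards: "*" matches any run of characters, "?" matches one character.
    return "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                         for c in pattern) + "$"


def _matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(_glob_to_regex(pattern), value, flags) is not None


def evaluate(policies: list[dict], action: str, resource: str) -> str:
    """Apply IAM's identity-policy logic: default deny, Allow grants, Deny overrides."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if UNSUPPORTED_KEYS & stmt.keys():
                raise ValueError(f"statement uses unsupported keys: {UNSUPPORTED_KEYS & stmt.keys()}")
            # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
            action_hit = any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"          # an explicit deny can never be overridden
            decision = "allowed"               # keep scanning: a later Deny still wins
    return decision


# Constructed sample directory: group policies plus per-user inline policies (Q42).
GROUPS = {
    "developers": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
            {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
        ],
    }],
}
USERS = {
    "alice": {"groups": ["developers"], "policies": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}],
    }]},
    "bob": {"groups": [], "policies": []},
}


def effective_policies(user: str) -> list[dict]:
    """Union of the user's own inline policies and the policies of every group it belongs to."""
    record = USERS[user]
    policies = list(record["policies"])
    for group in record["groups"]:
        policies.extend(GROUPS[group])
    return policies


def simulate(user: str, action: str, resource: str) -> str:
    """Simulator-style check for one principal, action and resource."""
    return evaluate(effective_policies(user), action, resource)


if __name__ == "__main__":
    for user, action, resource in [
        ("alice", "s3:GetObject", "arn:aws:s3:::example-app-data/report.csv"),
        ("alice", "s3:DeleteObject", "arn:aws:s3:::example-app-data/report.csv"),
        ("alice", "s3:PutObject", "arn:aws:s3:::example-app-data/report.csv"),
        ("alice", "ec2:DescribeInstances", "*"),
        ("bob", "s3:GetObject", "arn:aws:s3:::example-app-data/report.csv"),
    ]:
        print(f"{user:6} {action:22} -> {simulate(user, action, resource)}")
```

The design point worth noticing is the order of the two checks inside evaluate: an Allow only updates the provisional decision, while a Deny returns immediately, so adding a Deny statement to a group can never be undone by a more permissive policy attached directly to a user. Real evaluations also involve permissions boundaries, service control policies, session policies and resource-based policies; the real simulator, not this sketch, is the authority for those.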
46. What are temporary security credentials?
Temporary security credentials consist of an AWS access key ID, a secret access key, and a security token. Temporary security credentials are valid for a specified duration and for a specific set of permissions. Temporary security credentials are sometimes simply referred to as tokens. Tokens can be requested for IAM users or for federated users you manage in your own corporate directory.
47. What are the benefits of temporary security credentials?
Temporary security credentials allow you to:
- Extend your internal user directories to enable federation to AWS, allowing your employees and applications to securely access AWS service APIs without having to create an AWS identity for them.
- Request temporary security credentials for a vast number of federated users.
- Configure the period of time after which temporary security credentials expire, offering improved security when accessing AWS service APIs through mobile devices, where there is a risk of losing the device.
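Questions 25 and 46 describe what an application running under an instance role actually receives: a short-lived access key ID, secret access key and session token with an expiration, which EC2 rotates automatically. The following is an added example, not code from the original page or from an AWS SDK, showing how a client handles those credentials: it parses the JSON document the instance metadata service returns for the instance role, decides when to refresh a few minutes ahead of the stated expiration (the behaviour SDK credential providers implement, so a request never goes out with a token that expires mid-flight), and keeps the secret out of log output. The sample document and its timestamps are constructed; the fetch helper uses the real IMDSv2 token endpoint but only works on an EC2 instance, so it is not exercised here.

```python
import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254/latest"          # EC2 instance metadata service
REFRESH_MARGIN = timedelta(minutes=5)                  # refresh before the token actually expires


@dataclass(frozen=True)
class InstanceCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime

    def redacted(self) -> str:
        """Safe representation for logs: never echo the secret or the session token."""
        return f"{self.access_key_id} (expires {self.expiration.isoformat()})"


def parse_credentials(raw: str) -> InstanceCredentials:
    """Parse the document served at /meta-data/iam/security-credentials/<role-name>."""
    doc = json.loads(raw)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"instance credentials unavailable: {doc.get('Code')}")
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return InstanceCredentials(doc["AccessKeyId"], doc["SecretAccessKey"], doc["Token"], expiration)


def needs_refresh(creds: InstanceCredentials, now: datetime, margin: timedelta = REFRESH_MARGIN) -> bool:
    """True once the credentials are within `margin` of expiring (or already expired)."""
    return now >= creds.expiration - margin


def fetch_instance_credentials(role_name: str, timeout: float = 2.0) -> InstanceCredentials:
    """Fetch fresh credentials via IMDSv2 (session token first). Only works on an EC2 instance."""
    token_req = urllib.request.Request(
        f"{IMDS_BASE}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        imds_token = resp.read().decode()
    creds_req = urllib.request.Request(
        f"{IMDS_BASE}/meta-data/iam/security-credentials/{role_name}",
        headers={"X-aws-ec2-metadata-token": imds_token})
    with urllib.request.urlopen(creds_req, timeout=timeout) as resp:
        return parse_credentials(resp.read().decode())


# Constructed sample of the IMDS response shape (values are placeholders, not real credentials).
SAMPLE_IMDS_DOCUMENT = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
    "SecretAccessKey": "constructed-secret-not-a-real-key",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T06:00:00Z",
})


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_IMDS_DOCUMENT)
    print("loaded", creds.redacted())
    for clock in ("2024-01-01T05:00:00Z", "2024-01-01T05:57:00Z", "2024-01-01T07:00:00Z"):
        now = datetime.strptime(clock, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        print(clock, "refresh needed:", needs_refresh(creds, now))
```

Two points carry over to real deployments: the credentials are held in memory and refreshed from the metadata service rather than copied into configuration files, which is what makes the automatic rotation in question 25 useful, and the IMDSv2 PUT-then-GET exchange should be preferred over the older unauthenticated GET because it is not reachable through a simple forwarded request.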
48. What is AWS MFA?
AWS multi-factor authentication (AWS MFA) provides an additional level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account and for individual AWS IAM users you create under your account.
49. Can I enable and disable user access?
Yes. You can enable and disable an IAM user's access keys via the IAM APIs, AWS CLI, or IAM console. If you disable the access keys, the user cannot programmatically access AWS services.
50. What are federated users?
Federated users are external identities (users you manage outside of AWS in your corporate directory) to whom you grant access to your AWS account using temporary security credentials. Federated users are different from IAM users, which are created and maintained in your AWS account.