AWS IAM & Security – High-Priority Interview Questions & Answers (Architect Level)

This guide covers the most frequently asked IAM and Security interview questions for AWS Solution Architect, Cloud Architect, AI Architect, DevOps, Platform Engineering, and Enterprise Architecture roles.

AWS IAM & Security

1. What is AWS IAM?

Answer

AWS Identity and Access Management (IAM) is the AWS service used to securely manage:

  • Authentication (Who are you?)
  • Authorization (What can you do?)
  • Access to AWS resources

IAM enables organizations to:

  • Create users and groups
  • Define roles
  • Apply policies
  • Enforce least-privilege access
  • Manage temporary credentials

Example

Developer:

  • Access EC2
  • Cannot delete VPC

Database Admin:

  • Full RDS Access
  • No EC2 Access

IAM controls these permissions.

2. Authentication vs Authorization

Authentication

Verifies identity.

Examples:

  • Username/Password
  • MFA
  • SSO

Question:

Who are you?

Authorization

Determines permissions.

Question:

What are you allowed to do?

Example:

Developer authenticated successfully but cannot delete production database.

3. What are IAM Users?

Answer

An IAM user represents a person or application that needs AWS access.

Examples:

  • Developer
  • Admin
  • CI/CD pipeline

User can have:

  • Password
  • Access Keys
  • MFA Device

Best Practice:

Avoid long-term IAM users.

Use:

  • IAM Roles
  • AWS IAM Identity Center (SSO)

instead.

4. What are IAM Groups?

Answer

An IAM group is a collection of IAM users.

Example:

Group: Developers

Permissions:

  • EC2 Access
  • CloudWatch Access

All users in the group inherit its permissions.

Benefits:

  • Simplifies administration
  • Centralized permission management

5. What are IAM Roles?

Answer

An IAM role is an AWS identity that carries permissions but has no permanent credentials.

Roles provide:

  • Temporary credentials
  • Better security
  • Cross-account access

Examples:

  • EC2 Role
  • Lambda Role
  • EKS Service Account Role
  • Cross-account Role

6. Why are IAM Roles Better Than Access Keys?

Answer

Access Keys:

  • Long-term credentials
  • Risk of leakage
  • Manual rotation

Roles:

  • Temporary credentials
  • Automatic rotation
  • More secure

Interview Statement:

“AWS recommends using IAM roles instead of long-term access keys wherever possible.”

7. What is an IAM Policy?

Answer

A policy is a JSON document that defines permissions.

Example:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":"s3:GetObject",
      "Resource":"*"
    }
  ]
}

Meaning:

Allow reading objects from S3.

8. Components of IAM Policy

Answer

Key components:

Effect

"Effect":"Allow"

or

"Effect":"Deny"

Action

"Action":"ec2:StartInstances"

Resource

"Resource":"arn:aws:s3:::mybucket/*"

Condition

"Condition":{
  "IpAddress":{
    "aws:SourceIp":"10.0.0.0/8"
  }
}

9. What is Principle of Least Privilege?

Answer

Users should receive only the permissions required to perform their job.

Bad:

"Action":"*"

Good:

"Action":[
"s3:GetObject"
]

Benefits:

  • Reduced attack surface
  • Better compliance
  • Lower risk
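
As an added illustration of this rule (example code, not from the guide), the following Python linter flags the over-broad grants an architect would reject in review: a wildcard Action, a service-wide "service:*", NotAction, and Resource "*" with no Condition. The two policy documents it checks are constructed here to mirror the "Bad" and "Good" snippets above, and the function names are this example's own.

```python
"""Least-privilege lint for IAM policy documents (added example, not from the guide)."""
import json


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return findings for over-broad Allow statements; an empty list means clean."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except those listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' allows every API call in every service")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' allows every call in that service")
            elif "*" in action:
                findings.append(f"{sid}: Action '{action}' is a wildcard; confirm which calls it matches")
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' without a Condition applies to every resource")
    return findings


def lint_json(text: str) -> list:
    """Lint a policy given as JSON text, e.g. read from a file or CLI output."""
    return lint_policy(json.loads(text))


# Constructed policies mirroring the guide's "Bad" and "Good" snippets.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::mybucket/*",
        }
    ],
}

if __name__ == "__main__":
    for name, policy in (("BAD_POLICY", BAD_POLICY), ("GOOD_POLICY", GOOD_POLICY)):
        print(name, lint_policy(policy) or ["no findings"])
```

Run it against any policy JSON exported from an account (for example the output of get-policy-version) to get a first-pass review; Deny statements are skipped on purpose because they can only narrow access.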

10. What is Explicit Deny?

Answer

Explicit Deny always overrides Allow.

Example:

User Policy:

Allow S3 Full Access

SCP:

Deny DeleteBucket

Result:

DeleteBucket denied.

Rule:

Explicit Deny > Allow

11. Policy Evaluation Logic

Answer

AWS evaluates permissions in this order:

  1. Authentication
  2. SCPs
  3. Resource Policies
  4. IAM Policies
  5. Permissions Boundaries
  6. Session Policies

If any applicable policy contains an explicit Deny, access is denied. Otherwise the request is allowed only when an Allow is found; with no matching statement at all, the request is denied by default (implicit deny).
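
The deny-overrides-allow rule from Q10 and the layer model from Q11, as an added Python model (an illustration, not AWS's evaluator): every layer is a list of statements, an explicit Deny in any layer wins, the limiting layers (SCP, permissions boundary, session policy) must each allow the call when they are present, an identity or resource policy must grant it, and anything else is an implicit deny. Condition keys and Principal matching are left out, and the policies are constructed for the Q10 scenario.

```python
"""Simplified IAM request evaluation (added example; not AWS's implementation)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """IAM action/resource patterns use '*' and '?' wildcards; action names are case-insensitive."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return any(fnmatchcase(action.lower(), p) for p in actions) and any(
        fnmatchcase(resource, p) for p in resources
    )


def _verdict(statements, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    verdict = None
    for stmt in statements:
        if _statement_matches(stmt, action, resource):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def evaluate(action, resource, identity=(), scp=None, resource_policy=None, boundary=None, session=None):
    """Return 'Allow' or 'Deny' for one API call against the supplied policy layers.

    identity: identity-based policy statements attached to the caller.
    scp / boundary / session: limiting layers; None means the layer is not in play.
    resource_policy: statements on the target resource (same-account simplification).
    """
    layers = {"scp": scp, "resource": resource_policy, "identity": identity,
              "boundary": boundary, "session": session}
    verdicts = {name: _verdict(stmts, action, resource)
                for name, stmts in layers.items() if stmts is not None}

    # 1. An explicit Deny in any layer ends the evaluation.
    if "Deny" in verdicts.values():
        return "Deny"
    # 2. Each limiting layer that is present must allow the call.
    for name in ("scp", "boundary", "session"):
        if name in verdicts and verdicts[name] != "Allow":
            return "Deny"
    # 3. Some grant (identity- or resource-based) must allow it.
    if verdicts.get("identity") == "Allow" or verdicts.get("resource") == "Allow":
        return "Allow"
    # 4. Otherwise: implicit deny.
    return "Deny"


# Constructed layers for the Q10 scenario: full S3 access for the user, an SCP that denies DeleteBucket.
USER_POLICY = [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
SCP = [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # FullAWSAccess-style default
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]

if __name__ == "__main__":
    print(evaluate("s3:DeleteBucket", "arn:aws:s3:::mybucket", identity=USER_POLICY, scp=SCP))
    print(evaluate("s3:GetObject", "arn:aws:s3:::mybucket/key", identity=USER_POLICY, scp=SCP))
```

The order of the four checks is the point: a Deny short-circuits before any Allow is considered, and a permissions boundary that says nothing about an action silently denies it even when the identity policy allows it.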

12. What is MFA?

Answer

Multi-Factor Authentication requires:

Something you know:

  • Password

Something you have:

  • Mobile App
  • Hardware Token

Examples:

  • Google Authenticator
  • Authy

Benefits:

  • Protects against credential theft

13. Why is MFA Important?

Answer

Even if an attacker steals the password, they still need the MFA code.

Prevents:

  • Credential stuffing
  • Password attacks

14. What is AWS Organizations?

Answer

AWS Organizations centrally manages multiple AWS accounts.

Features:

  • Consolidated billing
  • SCPs
  • Central governance

Example:

Accounts:

  • Production
  • Development
  • Security
  • Shared Services

15. What are Service Control Policies (SCPs)?

Answer

SCPs define maximum permissions for accounts.

Example:

Block EC2 termination.

{
  "Effect":"Deny",
  "Action":"ec2:TerminateInstances",
  "Resource":"*"
}

Even an administrator cannot terminate instances.

16. Difference Between IAM Policy and SCP

IAM Policy | SCP
Grants permissions | Sets permission boundaries
Attached to user/role | Attached to account/OU
Local account scope | Organization-wide scope

17. What is Cross-Account Access?

Answer

Allows one AWS account to access resources in another account.

Uses:

  • IAM Roles
  • Trust Policies

Example:

Account A accesses S3 bucket in Account B.

18. What is a Trust Policy?

Answer

Defines who can assume a role.

Example:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "AWS":"123456789012"
      },
      "Action":"sts:AssumeRole"
    }
  ]
}

Principals in account 123456789012 can assume the role.
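
Cross-account access (Q17) needs both documents to agree, which is what this added Python check illustrates (an example, not AWS's evaluator): the trust policy on the role in the target account must cover the caller's account or ARN, and the caller's own identity policy must allow sts:AssumeRole on that role's ARN. Account 123456789012 is the one named in the trust policy above; the role in account 222222222222 and the caller role name are hypothetical.

```python
"""Two-sided check for a cross-account AssumeRole (added example, not AWS code)."""
from fnmatch import fnmatchcase

# Hypothetical role in Account B and caller in Account A (123456789012, as in the guide).
ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountReader"
CALLER_ARN = "arn:aws:iam::123456789012:role/DataPipeline"

# Trust policy attached to the role in Account B (the guide's example, in full).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"}
    ],
}

# Identity policy attached to the caller in Account A.
CALLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_covers(principal, caller_arn):
    """A bare account id or its :root ARN covers every principal in that account;
    an exact ARN covers only that principal; '*' covers any AWS principal."""
    account_id = caller_arn.split(":")[4]
    entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return any(
        p in ("*", account_id, f"arn:aws:iam::{account_id}:root", caller_arn) for p in entries
    )


def trust_allows(trust_policy, caller_arn):
    """Does the role's trust policy let caller_arn call sts:AssumeRole on it?"""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])):
            continue
        if _principal_covers(stmt.get("Principal", {}), caller_arn):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def caller_allows(identity_policy, role_arn):
    """Does the caller's own identity policy allow sts:AssumeRole on role_arn?"""
    allowed = False
    for stmt in identity_policy["Statement"]:
        if any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])) and any(
            fnmatchcase(role_arn, r) for r in _as_list(stmt.get("Resource", []))
        ):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_assume(caller_arn, identity_policy, role_arn, trust_policy):
    """A cross-account AssumeRole succeeds only when both halves grant it."""
    return trust_allows(trust_policy, caller_arn) and caller_allows(identity_policy, role_arn)
```

The usual failure in practice is a trust policy that is correct while the caller's identity policy never received sts:AssumeRole on the role ARN; the check separates the two so the missing half is obvious. Naming the exact caller ARN in the trust policy instead of the whole account narrows who in Account A can use the role.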

19. What is AWS STS?

Answer

AWS Security Token Service provides:

  • Temporary credentials
  • Federated access
  • Cross-account access

Credentials include:

  • Access Key
  • Secret Key
  • Session Token

20. What is Federation?

Answer

Federation allows users to log in using external identity providers.

Examples:

  • Microsoft Entra ID (Azure AD)
  • Okta
  • Ping Identity

Benefits:

  • No IAM users required
  • Centralized identity management

21. What is AWS IAM Identity Center?

Answer

IAM Identity Center (formerly AWS SSO) provides:

  • Single Sign-On
  • Centralized access management
  • Federation

Supports:

  • AWS Accounts
  • Applications
  • SAML Providers

22. What is KMS?

Answer

AWS Key Management Service manages encryption keys.

Uses:

  • S3 encryption
  • EBS encryption
  • RDS encryption
  • Secrets encryption

Features:

  • Key rotation
  • Auditing
  • Access control

23. Customer Managed Key vs AWS Managed Key

AWS Managed | Customer Managed
AWS controls | Customer controls
Less flexibility | Full control
Automatic creation | User created

Architects generally prefer Customer Managed Keys for regulated workloads.

24. What is Envelope Encryption?

Answer

AWS encrypts data using two keys:

  1. A data key, which encrypts the data itself
  2. A KMS key (the master key), which encrypts only the data key

Process:

Data → encrypted with the Data Key → Data Key encrypted (wrapped) by the KMS Key and stored alongside the ciphertext

Benefits:

  • High performance
  • Strong security
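
Envelope encryption end to end, as an added Python example (not AWS code): a ToyKms class stands in for KMS and never hands out its master key; each object is encrypted under a fresh data key, and only that small data key is wrapped by the master key and stored next to the ciphertext. This is where the "high performance" benefit comes from: one KMS call per object, however large the object is. The stream cipher is a SHA-256 counter-mode construction with an HMAC tag so that the block runs on the standard library alone; it is a stand-in for the AES-GCM that KMS and the AWS SDKs use.

```python
"""Envelope encryption with a stand-in for KMS (added example; not AWS code)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built on SHA-256; a stand-in for AES-GCM."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(enc_key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any modification or wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext or data key was modified")
    return _keystream_xor(enc_key, nonce, ciphertext)


class ToyKms:
    """Stand-in for AWS KMS: the master key stays inside; only GenerateDataKey and Decrypt are exposed."""

    def __init__(self):
        self._master_key = os.urandom(32)  # never returned to callers

    def generate_data_key(self):
        """Return (plaintext data key, data key wrapped under the master key)."""
        data_key = os.urandom(32)
        return data_key, seal(self._master_key, data_key)

    def decrypt(self, wrapped_data_key: bytes) -> bytes:
        return unseal(self._master_key, wrapped_data_key)


def encrypt_envelope(kms: ToyKms, plaintext: bytes) -> dict:
    """One KMS call per object regardless of size; the bulk work uses the data key locally."""
    data_key, wrapped_key = kms.generate_data_key()
    return {"ciphertext": seal(data_key, plaintext), "encrypted_data_key": wrapped_key}


def decrypt_envelope(kms: ToyKms, envelope: dict) -> bytes:
    """Unwrap the data key through KMS, then decrypt the object locally."""
    data_key = kms.decrypt(envelope["encrypted_data_key"])
    return unseal(data_key, envelope["ciphertext"])
```

Revoking access to the KMS key makes every wrapped data key unrecoverable, which is why key policies on the KMS key, not the ciphertext store, are the real access control in this design.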

25. What is Secrets Manager?

Answer

Stores sensitive information:

  • Database passwords
  • API keys
  • Tokens

Features:

  • Automatic rotation
  • Encryption using KMS

26. Secrets Manager vs Parameter Store

Secrets Manager | Parameter Store
Secret rotation | Limited
Designed for secrets | General configs
More expensive | Cheaper

27. What is CloudTrail?

Answer

CloudTrail records AWS API activity.

Example:

Who deleted the EC2 instance?

CloudTrail shows:

  • User
  • Time
  • IP Address
  • Action

Essential for auditing and incident response.
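
As an added example (not from the guide), the following Python answers the "who deleted the EC2 instance?" question over CloudTrail records: it pulls the actor, time, source IP, action and outcome out of each matching event, and it groups activity by access key id, the pivot an investigator uses when a key is suspected of being misused. The three records are constructed to follow CloudTrail's record layout; the account id, user names, key ids and IPs are illustrative.

```python
"""CloudTrail triage: who did what, from where (added example; records are constructed)."""
import json
from collections import defaultdict

# Constructed CloudTrail log in the delivered {"Records": [...]} layout.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLEALICE0001"},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}},
    },
    {
        "eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/bob",
                         "accessKeyId": "ASIAEXAMPLEBOB000001"},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ffffffffffffff"}]}},
        "errorCode": "Client.UnauthorizedOperation",
    },
    {
        "eventTime": "2024-05-01T10:25:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLEALICE0001"},
        "requestParameters": None,
    },
]})


def _actor(identity: dict) -> str:
    """IAM users carry userName; assumed-role sessions only carry the session ARN."""
    return identity.get("userName") or identity.get("arn", "unknown")


def _instance_ids(event: dict) -> list:
    params = event.get("requestParameters") or {}
    return [item["instanceId"] for item in params.get("instancesSet", {}).get("items", [])]


def who_did(log_text: str, event_name: str) -> list:
    """Summarise every occurrence of event_name: user, time, IP, action, outcome, instances."""
    rows = []
    for event in json.loads(log_text)["Records"]:
        if event.get("eventName") != event_name:
            continue
        rows.append({
            "user": _actor(event["userIdentity"]),
            "time": event["eventTime"],
            "ip": event.get("sourceIPAddress"),
            "action": f"{event['eventSource']}:{event_name}",
            "outcome": event.get("errorCode", "Success"),  # errorCode is absent on success
            "instances": _instance_ids(event),
        })
    return rows


def activity_by_access_key(log_text: str) -> dict:
    """Map each access key id to the (time, action, ip) tuples it was used for."""
    usage = defaultdict(list)
    for event in json.loads(log_text)["Records"]:
        key_id = event["userIdentity"].get("accessKeyId", "none")
        usage[key_id].append((event["eventTime"], event["eventName"], event.get("sourceIPAddress")))
    return dict(usage)


if __name__ == "__main__":
    for row in who_did(SAMPLE_LOG, "TerminateInstances"):
        print(row)
```

Failed calls are worth keeping in the result: a denied TerminateInstances from an unfamiliar IP is often the earlier signal, and it is only visible because CloudTrail records the attempt together with its errorCode.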

28. What is AWS Config?

Answer

Tracks configuration changes.

Example:

A security group was opened to the internet.

AWS Config records:

  • Before state
  • After state

Used for compliance.

29. CloudTrail vs Config

CloudTrail | Config
Who did it | What changed
API Activity | Resource State
Audit | Compliance

30. What is GuardDuty?

Answer

Threat detection service using:

  • CloudTrail
  • VPC Flow Logs
  • DNS Logs

Detects:

  • Compromised credentials
  • Crypto mining
  • Malware activity

31. What is Security Hub?

Answer

Central security dashboard.

Aggregates findings from:

  • GuardDuty
  • Inspector
  • Macie
  • Config

Single pane of glass for security posture.

32. What is Amazon Inspector?

Answer

Automated vulnerability assessment service.

Scans:

  • EC2
  • ECR Images
  • Lambda Functions

Detects:

  • CVEs
  • Vulnerabilities
  • Exposures

33. What is Amazon Macie?

Answer

Machine learning service that discovers PII and other sensitive data inside S3 buckets.

Examples:

  • SSN
  • Credit Cards
  • Personal Data

34. What is AWS WAF?

Answer

Web Application Firewall.

Protects applications from:

  • SQL Injection
  • XSS
  • Bot attacks

Used with:

  • ALB
  • CloudFront
  • API Gateway

35. What is AWS Shield?

Answer

DDoS protection service.

Types:

Shield Standard

Included at no additional cost.

Shield Advanced

Enhanced DDoS protection.

36. Explain Security in Amazon EKS

Answer

Important controls:

  • IAM Roles for Service Accounts (IRSA)
  • Pod Security
  • Network Policies
  • Private Endpoints
  • Secrets Encryption
  • EKS Audit Logs

Interview Highlight:

Avoid storing AWS access keys in Kubernetes pods.

Use IRSA.

37. Explain Security in AWS Lambda

Answer

Security Best Practices:

  • Least privilege IAM role
  • VPC when required
  • Secrets Manager
  • KMS encryption
  • CloudWatch monitoring

38. Explain Bedrock Security

Answer

For Amazon Bedrock:

  • IAM controlled access
  • Private VPC endpoints
  • KMS encryption
  • CloudTrail auditing
  • No customer data used to train foundation models by default

Useful for regulated AI workloads.

39. How Would You Secure a Production AWS Environment?

Answer

  1. AWS Organizations
  2. SCPs
  3. SSO
  4. MFA
  5. Least Privilege
  6. KMS Encryption
  7. Secrets Manager
  8. CloudTrail
  9. Config
  10. GuardDuty
  11. Security Hub
  12. WAF
  13. Shield Advanced
  14. Automated Compliance Checks

40. Interview Scenario Question

Q: A developer hardcoded AWS access keys in a GitHub repository. What should you do?

Answer

Immediate:

  1. Disable key
  2. Rotate credentials
  3. Investigate CloudTrail logs
  4. Check resource activity

Long-Term:

  1. Use IAM Roles
  2. Secrets Manager
  3. Git scanning
  4. Security Hub alerts
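
The "Git scanning" step, as an added Python example (not the guide's code): a scanner for the two AWS credential shapes, access key ids (AKIA for long-term keys, ASIA for temporary ones, 20 uppercase alphanumerics) and 40-character secret keys assigned to a variable named like aws_secret_access_key. Findings are masked so the report itself does not re-leak the value. The sample file content is constructed and uses the example credentials from AWS's own documentation, which are not live.

```python
"""Scan text (a file, or `git diff --cached` output) for AWS credentials (added example)."""
import re

# Long-term key ids start with AKIA, temporary ones with ASIA; both are 20 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-style characters; requiring a nearby variable name limits false positives.
SECRET_KEY = re.compile(
    r"""(?i)aws_?secret_?access_?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)


def mask(value: str) -> str:
    """Keep only the ends so findings can be reported without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, source: str = "<text>") -> list:
    """Return one finding per credential-looking token: source, line, kind, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": mask(match.group(0))})
        for match in SECRET_KEY.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_secret_access_key", "value": mask(match.group(1))})
    return findings


# Constructed file contents; the credentials are AWS documentation examples, not live keys.
SAMPLE_FILE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
session = boto3.Session(aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# The same code reading credentials from the environment produces no findings.
SAFE_FILE = """\
import os
session = boto3.Session(aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"])
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE, "config.py"):
        print(finding)
```

Wired into a pre-commit hook over the staged diff, a non-empty result blocks the commit before the key ever reaches the remote, which is cheaper than the rotation and CloudTrail review the immediate steps above describe.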

Top 15 “Must-Memorize” Interview Topics

  1. IAM Users vs Roles
  2. IAM Policies
  3. Policy Evaluation Logic
  4. Explicit Deny
  5. Least Privilege
  6. MFA
  7. STS
  8. Cross-Account Access
  9. Trust Policies
  10. IAM Identity Center (SSO)
  11. KMS
  12. Secrets Manager
  13. CloudTrail
  14. GuardDuty
  15. Security Hub

For senior AWS Architect, AI Architect, and EKS/Bedrock-focused interviews, mastery of IAM Roles, STS, SCPs, KMS, IRSA, Cross-Account Access, CloudTrail, GuardDuty, and Zero-Trust security architecture is especially important.
