IAM best practices in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
security
intermediate
IAM Policy Scope Restriction

You have an IAM policy that allows full access to all S3 buckets. Which option correctly restricts access to only the bucket named my-company-data?

A. {"Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-company-data", "arn:aws:s3:::my-company-data/*"]}
B. {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}
C. {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-company-data"}
D. {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-company-data/*", "Condition": {"StringEquals": {"s3:prefix": "*"}}}
💡 Hint

Think about the difference between bucket and object ARNs in S3.

Best Practice
intermediate
IAM User vs Role Usage

Which option best describes when to use an IAM role instead of an IAM user?

A. Use IAM users for applications running on EC2 instances needing AWS access.
B. Use IAM roles only for human users logging in to AWS Console.
C. Use IAM users for temporary access to AWS resources.
D. Use IAM roles for applications running on EC2 instances needing AWS access.
💡 Hint

Think about temporary credentials and automatic rotation.

Architecture
advanced
Designing Least Privilege Access

You need to design IAM policies for a team that manages EC2 instances but should not modify S3 buckets. Which approach follows the least privilege principle?

A. Create a policy allowing all EC2 actions and deny all S3 actions explicitly.
B. Create a policy allowing only necessary EC2 actions and do not include any S3 permissions.
C. Create a policy allowing all EC2 and S3 actions but monitor usage with CloudTrail.
D. Create a policy allowing all EC2 actions and grant read-only access to S3 buckets.
💡 Hint

Least privilege means granting only what is needed, nothing more.

Service Behavior
advanced
Effect of MFA on IAM User Access

An IAM user has a policy that requires MFA for deleting S3 buckets. What happens if the user tries to delete a bucket without MFA?

A. The delete request triggers an alert but is allowed.
B. The delete request succeeds because the user has delete permissions.
C. The delete request is denied because MFA was not used.
D. The delete request is logged but allowed without MFA.
💡 Hint

Consider how MFA conditions affect permission evaluation.

🧠 Conceptual
expert
Cross-Account Access with IAM Roles

You want to allow an IAM user in Account A to access resources in Account B using an IAM role. Which configuration is required in Account B's role trust policy?

A. The trust policy must allow the AWS account ID of Account A as a principal.
B. The trust policy must allow the IAM role ARN from Account A as a principal.
C. The trust policy must allow the IAM group ARN from Account A as a principal.
D. The trust policy must allow the IAM user ARN from Account A as a principal.
💡 Hint

Think about how trust policies specify principals for cross-account roles.

Practice

1. What is the main reason to follow the principle of least privilege in AWS IAM?
easy
A. To create permanent access keys for all users
B. To allow users full access to all AWS services
C. To give users only the permissions they need to do their job
D. To disable multi-factor authentication (MFA) for easier access

Solution

  Step 1: Understand the least privilege concept

    Least privilege means giving users only the permissions they need, nothing more.
  Step 2: Identify the correct option

    Option C, "To give users only the permissions they need to do their job", matches this concept by limiting permissions to what is necessary.
  Final Answer:

    To give users only the permissions they need to do their job -> Option C
  Quick Check:

    Least privilege = minimal permissions [OK]
Hint: Least privilege means minimal needed permissions only [OK]
Common Mistakes:
  • Giving users full access unnecessarily
  • Using permanent keys instead of temporary credentials
  • Ignoring MFA setup
2. Which of the following is the correct way to assign permissions to an AWS service using IAM?
easy
A. Create an IAM role and assign it to the AWS service
B. Generate permanent access keys and embed them in the service code
C. Create an IAM user and attach policies directly to the user
D. Use root account credentials for the service

Solution

  Step 1: Understand IAM roles for services

    An IAM role lets an AWS service obtain temporary credentials for the role's permissions, so no permanent access keys are needed.
  Step 2: Identify the best practice

    Assigning an IAM role to the service is the recommended way to grant permissions securely.
  Final Answer:

    Create an IAM role and assign it to the AWS service -> Option A
  Quick Check:

    Use roles for services, not permanent keys [OK]
Hint: Use roles for AWS services, not permanent keys [OK]
Common Mistakes:
  • Attaching policies directly to users for services
  • Embedding permanent keys in code
  • Using root account credentials
3. Consider this IAM policy snippet attached to a user:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket"]
  }]
}

What can this user do?
medium
A. Upload files to example-bucket
B. List the contents of the example-bucket
C. Delete files from example-bucket
D. Access all S3 buckets

Solution

  Step 1: Analyze the policy actions

    The policy allows only the "s3:ListBucket" action, and only on the specific bucket resource "arn:aws:s3:::example-bucket".
  Step 2: Determine the allowed operations

    "s3:ListBucket" lets the user enumerate the objects in the bucket; it grants no permission to upload or delete them.
  Final Answer:

    List the contents of the example-bucket -> Option B
  Quick Check:

    Action = s3:ListBucket means list only [OK]
Hint: Check the Action field to know allowed operations [OK]
Common Mistakes:
  • Assuming upload or delete permissions from list permission
  • Thinking the policy applies to all buckets
  • Ignoring the specific resource ARN
4. You created an IAM user with full S3 access but forgot to enable MFA. What is the best way to fix this?
medium
A. Attach an MFA policy and require MFA for sensitive actions
B. Delete the user and create a new one with MFA enabled
C. Remove all permissions from the user
D. Share the root account credentials with the user

Solution

  Step 1: Understand MFA enforcement

    MFA can be required by attaching a policy whose condition only permits sensitive actions when the request was authenticated with MFA.
  Step 2: Apply the best practice

    Attaching an MFA policy is better than deleting the user or removing all permissions.
  Final Answer:

    Attach an MFA policy and require MFA for sensitive actions -> Option A
  Quick Check:

    Enable MFA via policy, don't delete users [OK]
Hint: Use policies to enforce MFA, not user deletion [OK]
Common Mistakes:
  • Deleting users unnecessarily
  • Removing all permissions without MFA
  • Sharing root credentials
5. Your company wants to allow temporary access to AWS resources for contractors without creating permanent IAM users. Which approach follows best IAM practices?
hard
A. Give contractors permanent access keys with admin permissions
B. Create permanent IAM users with full access for contractors
C. Share your root account credentials with contractors
D. Create IAM roles with limited permissions and let contractors assume them

Solution

  Step 1: Identify the temporary access method

    IAM roles issue temporary credentials that contractors can assume, so no permanent users are needed.
  Step 2: Match the best practice

    Creating roles with limited permissions follows least privilege and avoids permanent keys.
  Final Answer:

    Create IAM roles with limited permissions and let contractors assume them -> Option D
  Quick Check:

    Temporary roles for contractors = best practice [OK]
Hint: Use roles for temporary access, avoid permanent users [OK]
Common Mistakes:
  • Creating permanent users for contractors
  • Sharing root credentials
  • Giving admin permissions unnecessarily