Bird
Raised Fist0
AWScloud~20 mins

Least privilege principle in AWS - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Least Privilege Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
security
intermediate
2:00remaining
Identify the IAM policy that follows least privilege

Which IAM policy grants the least privilege necessary for a Lambda function to read items from a specific DynamoDB table?

A{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["dynamodb:DeleteItem"], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}
B{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
C{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}
D{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem"], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}
Attempts:
2 left
💡 Hint

Focus on granting only the actions needed and restrict the resource to the specific table.

Best Practice
intermediate
2:00remaining
Choosing the right IAM role for EC2 instance access

You want an EC2 instance to upload files only to a specific S3 bucket. Which IAM role policy follows the least privilege principle?

A{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::my-app-uploads/*"}]}
B{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"}]}
C{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::my-app-uploads"}]}
D{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-app-uploads/*"}]}
Attempts:
2 left
💡 Hint

Allow only the action needed to upload files and restrict to the specific bucket path.

Architecture
advanced
2:30remaining
Designing a multi-tier app with least privilege access

You have a web app with three tiers: frontend, backend, and database. Which architecture best applies the least privilege principle for AWS IAM roles?

AAssign separate IAM roles: frontend role with no AWS permissions, backend role with DynamoDB read/write, database role with RDS access only.
BAssign one IAM role to all tiers with full access to S3, DynamoDB, and RDS.
CAssign one IAM role to frontend and backend with full S3 access, and a separate role for database with RDS access.
DAssign backend role with full access to all AWS services, frontend role with read-only S3 access, database role with no permissions.
Attempts:
2 left
💡 Hint

Think about limiting permissions to only what each tier needs.

service_behavior
advanced
2:00remaining
Effect of overly broad IAM permissions on AWS Lambda behavior

You deploy a Lambda function with an IAM role that has full access to all S3 buckets. What is the likely impact compared to a role with access only to one bucket?

AThe Lambda function will only access the specified bucket regardless of permissions.
BThe Lambda function can access all buckets, increasing risk if compromised.
CThe Lambda function will fail to execute due to too many permissions.
DThe Lambda function will run faster with broader permissions.
Attempts:
2 left
💡 Hint

Consider security risks of broad permissions.

🧠 Conceptual
expert
3:00remaining
Identifying violation of least privilege in a cross-account access scenario

An AWS account A grants an IAM role in account B permission to assume it and access all S3 buckets in account A. Which statement best describes the least privilege violation?

AAccount B should not assume any roles in account A to maintain security.
BAccount B should have full access to all resources in account A for flexibility.
CAccount A should allow the role to assume any IAM role in account B.
DAccount A should restrict the role's permissions to only required buckets instead of all buckets.
Attempts:
2 left
💡 Hint

Focus on limiting permissions granted across accounts.

Practice

(1/5)
1. What does the least privilege principle mean in AWS security?
easy
A. Users get only the permissions they need to do their job
B. Users get full access to all AWS services
C. Users share passwords to access resources
D. Users can access resources without authentication

Solution

  1. Step 1: Understand the principle meaning

    The least privilege principle means giving users only the minimum permissions they need.

  2. Step 2: Compare options to principle

    Only Users get only the permissions they need to do their job matches this by limiting permissions to what is needed.

  3. Final Answer:

    Users get only the permissions they need to do their job -> Option A

  4. Quick Check:

    Least privilege = minimal needed access [OK]
Hint: Least privilege means minimum permissions needed [OK]
Common Mistakes:
  • Thinking least privilege means full access
  • Confusing least privilege with no access
  • Assuming password sharing is secure
2. Which IAM policy snippet follows the least privilege principle for allowing S3 read-only access to a specific bucket my-bucket?
easy
A. {\"Effect\": \"Allow\", \"Action\": [\"s3:DeleteObject\"], \"Resource\": \"arn:aws:s3:::my-bucket/*\"}
B. {\"Effect\": \"Allow\", \"Action\": \"s3:*\", \"Resource\": \"*\"}
C. {\"Effect\": \"Allow\", \"Action\": [\"s3:GetObject\"], \"Resource\": \"arn:aws:s3:::my-bucket/*\"}
D. {\"Effect\": \"Allow\", \"Action\": [\"ec2:StartInstances\"], \"Resource\": \"*\"}

Solution

  1. Step 1: Identify required permissions for read-only S3 access

    Read-only means allowing only s3:GetObject on the specific bucket's objects.

  2. Step 2: Match policy actions and resources

    {\"Effect\": \"Allow\", \"Action\": [\"s3:GetObject\"], \"Resource\": \"arn:aws:s3:::my-bucket/*\"} allows only s3:GetObject on my-bucket objects, following least privilege.

  3. Final Answer:

    Policy allowing only s3:GetObject on my-bucket objects -> Option C

  4. Quick Check:

    Least privilege = specific action + resource [OK]
Hint: Allow only needed actions on specific resources [OK]
Common Mistakes:
  • Using wildcard * for all actions or resources
  • Allowing delete or write actions unnecessarily
  • Granting permissions for unrelated services
3. Given this IAM policy snippet, what is the effective permission granted? 
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject"],
  "Resource": "arn:aws:s3:::example-bucket/*"
}
medium
A. Denies all access to example-bucket
B. Allows uploading and downloading objects only in example-bucket
C. Allows full access to all S3 buckets
D. Allows deleting objects in example-bucket

Solution

  1. Step 1: Analyze actions in the policy

    The policy allows s3:PutObject (upload) and s3:GetObject (download) actions.

  2. Step 2: Check resource scope

    The resource is limited to objects inside example-bucket, so permissions apply only there.

  3. Final Answer:

    Allows uploading and downloading objects only in example-bucket -> Option B

  4. Quick Check:

    Actions + resource = upload/download in example-bucket [OK]
Hint: Check actions and resource ARN carefully [OK]
Common Mistakes:
  • Assuming delete permission is included
  • Thinking permissions apply to all buckets
  • Confusing allow with deny
4. You created an IAM policy to allow only starting EC2 instances but users report they can also stop instances. What is the likely mistake?
medium
A. The users have an additional policy granting stop permissions
B. The policy includes both ec2:StartInstances and ec2:StopInstances actions
C. The policy is attached to the wrong user
D. The policy uses wildcard * for all EC2 actions

Solution

  1. Step 1: Understand the reported behavior

    Users can stop instances, which is not intended by the new policy.

  2. Step 2: Identify possible causes

    If the policy only allows starting, but users can stop, they likely have another policy granting stop permissions.

  3. Final Answer:

    Users have an additional policy granting stop permissions -> Option A

  4. Quick Check:

    Multiple policies combine permissions [OK]
Hint: Check all policies attached to users [OK]
Common Mistakes:
  • Assuming one policy overrides others
  • Not checking group or role policies
  • Ignoring policy wildcards
5. You want to apply the least privilege principle for a developer who needs to manage Lambda functions but only in the dev-environment. Which approach is best?
hard
A. Give the developer admin access to manage Lambda
B. Create an IAM policy allowing all Lambda actions on all functions
C. Attach the AWS managed policy AWSLambdaFullAccess to the developer
D. Create an IAM policy allowing only Lambda actions on functions with resource ARN containing dev-environment

Solution

  1. Step 1: Identify the scope of access needed

    The developer needs to manage Lambda functions only in the dev-environment.

  2. Step 2: Apply least privilege by limiting actions and resources

    Create an IAM policy allowing only Lambda actions on functions with resource ARN containing dev-environment restricts Lambda actions to only functions in dev-environment, minimizing risk.

  3. Step 3: Evaluate other options

    Options B, C, and D grant broader access than needed, violating least privilege.

  4. Final Answer:

    Create an IAM policy allowing only Lambda actions on functions with resource ARN containing dev-environment -> Option D

  5. Quick Check:

    Least privilege = limit actions + resource scope [OK]
Hint: Limit permissions by resource tags or names [OK]
Common Mistakes:
  • Using broad AWS managed policies
  • Granting admin or full access unnecessarily
  • Ignoring resource-level restrictions