What is the difference between an IAM role and an IAM user, and when do you use a role?
AWS · Basic level
Answer
An IAM user is persistent and often has long-lived credentials; an IAM role is assumed temporarily by a trusted principal. I use roles for AWS services, workloads, federation, and cross-account access because temporary credentials reduce credential-leak risk.
Technical explanation
A role has a trust policy that controls who may assume it and permission policies that control what it may do afterward.
IAM evaluation is layered: identity policies, resource policies, trust policies, boundaries, SCPs, session policies, and explicit denies all contribute to the final decision.
Prefer temporary credentials through STS, roles, IAM Identity Center, instance profiles, IRSA, or OIDC federation instead of long-lived access keys.
Use conditions, resource ARNs, tags, MFA requirements, external IDs, source account/source ARN constraints, and Access Analyzer to reduce blast radius.
Hands-on example
1. Create a least-privilege IAM role for a small workload, including trust policy, permission policy, tags, and CloudTrail visibility.
2. Test the role with aws sts get-caller-identity and one allowed action, then deliberately test one denied action.
3. Run IAM Access Analyzer or policy simulation and refine broad actions/resources before production.
4. Record the access pattern in IaC and require review for future policy changes.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More AWS interview questions
- What is the AWS shared responsibility model, and where is the line between AWS and the customer?
- Explain the difference between a Region, an Availability Zone, and an Edge Location.
- What is a VPC, and what are its core components (subnets, route tables, IGW, NAT)?
- Difference between a public and a private subnet, and how does each reach the internet?
- What is the difference between a Security Group and a Network ACL?
- Are Security Groups stateful or stateless? What about NACLs?
- What is an Internet Gateway versus a NAT Gateway, and when do you need each?
- How does a NAT Gateway differ from a NAT instance?