Explain how an IAM policy is evaluated when there is both an allow and an explicit deny.
AWS · Basic level
Answer
IAM starts from an implicit deny. An explicit deny in any applicable policy always wins; otherwise AWS looks for an applicable allow across the relevant identity, resource, boundary, session, and organization policy layers.
Technical explanation
Permissions boundaries and SCPs limit maximum permissions; they do not grant access by themselves.
IAM evaluation is layered: identity policies, resource policies, trust policies, boundaries, SCPs, session policies, and explicit denies all contribute to the final decision.
Prefer temporary credentials through STS, roles, IAM Identity Center, instance profiles, IRSA, or OIDC federation instead of long-lived access keys.
Use conditions, resource ARNs, tags, MFA requirements, external IDs, source account/source ARN constraints, and Access Analyzer to reduce blast radius.
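The decision order described above, as an added example (not AWS's implementation and not part of the original page): a simplified same-account evaluator covering identity policies, a permissions boundary, and SCPs. It leaves out resource and session policies, Condition, NotAction, and Principal; the function names, policies, and bucket name are constructed for illustration.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are compared as written.
    act = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    res = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act and res

def _has(policies, effect, action, resource):
    return any(s["Effect"] == effect and _matches(s, action, resource)
               for p in policies for s in _as_list(p["Statement"]))

def evaluate(action, resource, identity, boundary=None, scps=None):
    """Return (decision, reason); boundary/scps of None mean that layer is not attached."""
    layers = (("identity policy", identity), ("boundary", boundary or []), ("SCP", scps or []))
    # 1. An explicit Deny in any layer ends evaluation.
    for name, policies in layers:
        if _has(policies, "Deny", action, resource):
            return "Deny", f"explicit deny in {name}"
    # 2. Attached limiting layers must also allow the request; they never grant it.
    for name, policies in (("SCP", scps), ("boundary", boundary)):
        if policies is not None and not _has(policies, "Allow", action, resource):
            return "Deny", f"implicit deny: not allowed by {name}"
    # 3. The identity policy has to supply the actual Allow.
    if _has(identity, "Allow", action, resource):
        return "Allow", "allowed by identity policy"
    return "Deny", "implicit deny: no matching allow"

# Constructed sample policies (bucket name is a placeholder).
OBJ = "arn:aws:s3:::example-bucket/*"
IDENTITY = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": OBJ},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": OBJ},
]}]
BOUNDARY = [{"Statement": {"Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:DeleteObject"], "Resource": OBJ}}]

if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    for action in ("s3:GetObject", "s3:DeleteObject", "s3:PutObject"):
        print(action, evaluate(action, key, IDENTITY, BOUNDARY))
    print("boundary only:", evaluate("s3:GetObject", key, [], BOUNDARY))
```

The DeleteObject case is the one the question asks about: both the identity policy and the boundary allow it, and the explicit deny still decides the outcome.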
Hands-on example
1. Create a least-privilege IAM role for a small workload, including trust policy, permission policy, tags, and CloudTrail visibility.
2. Test the role with aws sts get-caller-identity and one allowed action, then deliberately test one denied action.
3. Run IAM Access Analyzer or policy simulation and refine broad actions/resources before production.
4. Record the access pattern in IaC and require review for future policy changes.