Amazon: Audit and Enforce Least-Privilege IAM Permissions — DevOps Interview Q&A (2026)

All Questions Essential 0/100

6. Audit and Enforce Least-Privilege IAM Permissions

Beginner Mode

Start your terminal to use beginner mode.

Scenario

A security audit has flagged the IAM user app-deployer for having AdministratorAccess policy with far more permissions than needed. The user only needs access to:

S3: Read (GetObject) and Add objects (PutObject), list buckets (ListBucket).
CloudWatch Logs: Create log groups (CreateLogGroup), log streams (CreateLogStream), and put log events (PutLogEvents).

Task

Inspect the current policies attached to the app-deployer user
Remove the overly broad AdministratorAccess policy
Create a custom managed policy named AppDeployerPolicy that grants only the required permissions listed above
Attach the new policy to the app-deployer user

Note: You can use either the AWS Management Console or AWS CLI to complete this task.

Step 1: Inspect current policies on the user

aws iam list-attached-user-policies --user-name app-deployer

This reveals AdministratorAccess is attached - full access to all AWS services.

Step 2: Detach the overly broad policy

aws iam detach-user-policy \
  --user-name app-deployer \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Removes administrative access from the user.

Step 3: Create a least-privilege policy document

Create a file called app-deployer-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Step 4: Create the managed policy

aws iam create-policy \
  --policy-name AppDeployerPolicy \
  --policy-document file://app-deployer-policy.json

Creates a custom policy with only the required S3 and CloudWatch Logs permissions.

Step 5: Attach the new policy to the user

aws iam attach-user-policy \
  --user-name app-deployer \
  --policy-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):policy/AppDeployerPolicy

Grants the user only the permissions they need.

Step 6: Verify the final configuration

aws iam list-attached-user-policies --user-name app-deployer

Confirms only AppDeployerPolicy is attached - the user now follows least-privilege.

Terminal requires a larger screen

Open this page on a desktop or tablet (≥ 768px) to launch the terminal and practice hands-on.

AWS Console Environment

Launch an AWS environment to solve this challenge.

Essential

Linux 0/29

AWS 0/10

Kubernetes 0/15

CI/CD 0/5

Networking 0/9

Question	Difficulty	Company	Access
Create AWS IAM Admin User with Group and Policy	Easy	Accenture	Free
Create IAM Role for EC2 with Full IAM Access	Easy	Coinbase	Free
Create a Hello World Lambda Function	Easy	Adobe	Free
Launch an EC2 Web Server Instance	Easy	EPAM	Free
Design Egress Only VPC with NAT	Medium	Twitch	Free
Audit and Enforce Least-Privilege IAM Permissions	Easy	Amazon	Free
Create Route 53 Hosted Zone and DNS Records	Easy	Kayak	Free
Create Route 53 Health Checks	Easy	Autodesk	Free
Build a Serverless API with Lambda, API Gateway, and DynamoDB	Hard	Amazon	Free
Deploy an Internal Web App with VPC, EC2, ALB, and Route 53	Hard	Lyft	Free
Managing High I/O Processes	Easy	Revolut	Free
Analyzing Log Partition Usage	Medium	RedHat	Free
Using Unmounted Partitions	Medium	RedHat	Free
Tracing Log File Writes	Easy	Bloomberg	Free
Port Conflict Resolution	Easy	Datadog	Free
Diagnose Nginx CPU Bottleneck	Easy	Palantir	Free
Debug SSH Lockout	Medium	TCS	Free
Monitoring Process Ownership	Medium	HashiCorp	Free
Rapid Disk Growth on /var	Hard	Google	Free
Detect Memory Leak by Monitoring RSS	Medium	Google	Free
Fix Inode Exhaustion Issue	Medium	DeutscheBank	Free
Fix HTTPS Certificate Error	Medium	GitHub	Free
Real-Time Log Timestamping	Medium	Adobe	Free
Manage Service Failure Recovery	Hard	Apple	Free
Nginx Rate Limit Calculation	Hard	Cloudflare	Free
Update Cloud Configs	Medium	Stripe	Free
Automated Archive and Retention	Hard	Microsoft	Free
Trace Process Service Ownership	Hard	NVIDIA	Free
Handling Large Log Archives	Easy	Amazon	Free
Upload-Safe File Partitioning	Medium	GoDaddy	Free
Fix Port Exhaustion for High-Speed Scraper	Medium	X	Free
Validating Network Routes	Medium	Google	Free
Validating DNS Consistency	Easy	SAP	Free
Network Packet Loss Diagnosis	Easy	Cloudflare	Free
Network Port Service Cleanup	Easy	Apple	Free
Temporary Route Configuration	Easy	Spotify	Free
Inspecting HTTP Traffic Flow	Medium	Airbnb	Free
Network Socket Usage Analysis	Easy	SAP	Free
Forward Traffic Between Ports	Medium	Meta	Free
Crashing Misconfigured Pod	Medium	Reddit	Free
Image Pull BackOff and Secrets	Medium	Datadog	Free
CronJob Schedule Misconfiguration	Medium	RedHat	Free
Traffic Splitting with Native Kubernetes	Medium	Adobe	Free
ConfigMap Reload with Sidecar	Medium	Yelp	Free
Implement StatefulSet with Stable DNS	Medium	Okta	Free
StorageClass and PVC Expansion	Medium	Datadog	Free
OOMKilled Pod Analysis & Fix	Medium	Accenture	Free
Secure Internal Service Communication	Medium	Dropbox	Free
CRD Schema Validation	Hard	Slack	Free
Dynamic Volume Expansion	Easy	EPAM	Free
Custom Resource Definition Setup	Medium	ActivisionBlizzard	Free
Create Namespace	Easy	Accenture	Free
Pod with Readiness Probe	Easy	Zscaler	Free
Pod Viewer Access	Easy	Reddit	Free
Insecure Container with Root User	Medium	Accenture	Free
Macvlan Network Configuration Fix	Hard	Uber	Free
Container CPU Limit Configuration	Easy	IBM	Free
Memory Limit and OOM Killer	Medium	DeliveryHero	Free
Graceful Shutdown with SIGTERM Handling	Medium	Robinhood	Free
Log Rotation Size Limit Configuration	Easy	DeliveryHero	Free
Docker Multi-Architecture Image	Easy	Accenture	Free
Docker Binary Architecture	Easy	Adobe	Free
Docker Storage Driver Performance	Medium	GitHub	Free
Docker Volume Cross-Platform Consistency	Easy	GitLab	Free
Optimize Dockerfile	Medium	Shopify	Free
Rebase Feature Branch onto Correct Base	Easy	Samsung	Free
Restore File to Previous Version	Medium	Slack	Free
Convert Remote from HTTPS to SSH	Easy	EPAM	Free
Rebase Feature Branch	Easy	GitHub	Free
Stash Work, Fix Bug, Restore and Update	Medium	IBM	Free
Remove Last Commit and Discard Changes	Easy	GitLab	Free
Shallow Clone Limited to Latest Commit	Easy	Elastic	Free
Checkout Single File from Another Branch	Easy	Twilio	Free
Remove File from Entire Git History	Medium	Netflix	Free
Merge Repositories Preserving Both Histories	Medium	Zscaler	Free
Fix Repository with Unrelated Histories	Medium	Zscaler	Free
Stage Only Specific Files	Easy	CrowdStrike	Free
Undo Commits but Keep Changes	Easy	CrowdStrike	Free
Cherry-Pick Specific Commit	Easy	Ubisoft	Free
Recover Lost Commits from Detached HEAD	Medium	Kayak	Free
Docker Image Tagging with Commit SHA	Medium	Microsoft	Free
Matrix Build Strategy	Medium	Spotify	Free
Multi-Job Workflow with Artifact Handoff	Medium	Anthropic	Free
Path-Based Workflow Execution	Medium	Coinbase	Free
Automated Rollback on Deployment Failure with Values File Restoration	Medium	NVIDIA	Free
Two Sum	Easy	Cloudflare	Free
Valid Palindrome	Easy	Capital One	Free
Best Time to Buy and Sell Stock	Easy	Palantir	Free
Valid Parentheses	Easy	Splunk	Free
Binary Search	Easy	Intel	Free
Group Anagrams	Medium	Netflix	Free
Top K Frequent Elements	Medium	Cloudflare	Free
Product of Array Except Self	Medium	Samsung	Free
Valid Sudoku	Medium	AMD	Free
Longest Consecutive Sequence	Medium	Meta	Free
Two Sum II - Input Array Is Sorted	Medium	Databricks	Free
Container With Most Water	Medium	Amazon	Free
Search a 2D Matrix	Medium	SAP	Free
Contains Duplicate	Easy	Apple	Free
Valid Anagram	Easy	Anthropic	Free

Need more practice in this area? Explore more questions →