Amazon: Audit and Enforce Least-Privilege IAM Permissions — DevOps Interview Q&A (2026)

Audit and Enforce Least-Privilege IAM Permissions

Beginner Mode

Start your terminal to use beginner mode.

Scenario

A security audit has flagged the IAM user app-deployer for having AdministratorAccess policy with far more permissions than needed. The user only needs access to:

S3: Read (GetObject) and Add objects (PutObject), list buckets (ListBucket).
CloudWatch Logs: Create log groups (CreateLogGroup), log streams (CreateLogStream), and put log events (PutLogEvents).

Task

Inspect the current policies attached to the app-deployer user
Remove the overly broad AdministratorAccess policy
Create a custom managed policy named AppDeployerPolicy that grants only the required permissions listed above
Attach the new policy to the app-deployer user

Note: You can use either the AWS Management Console or AWS CLI to complete this task.

Step 1: Inspect current policies on the user

aws iam list-attached-user-policies --user-name app-deployer

This reveals AdministratorAccess is attached - full access to all AWS services.

Step 2: Detach the overly broad policy

aws iam detach-user-policy \
  --user-name app-deployer \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Removes administrative access from the user.

Step 3: Create a least-privilege policy document

Create a file called app-deployer-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Step 4: Create the managed policy

aws iam create-policy \
  --policy-name AppDeployerPolicy \
  --policy-document file://app-deployer-policy.json

Creates a custom policy with only the required S3 and CloudWatch Logs permissions.

Step 5: Attach the new policy to the user

aws iam attach-user-policy \
  --user-name app-deployer \
  --policy-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):policy/AppDeployerPolicy

Grants the user only the permissions they need.

Step 6: Verify the final configuration

aws iam list-attached-user-policies --user-name app-deployer

Confirms only AppDeployerPolicy is attached - the user now follows least-privilege.

Terminal requires a larger screen

Open this page on a desktop or tablet (≥ 768px) to launch the terminal and practice hands-on.

AWS Console Environment

Launch an AWS environment to solve this challenge.

Track

	Question	Difficulty	Company	Access

Need more practice in this area? Explore more questions →