What is the principle of least privilege and how does it apply to IAM roles in AWS?
technical-conceptual · Junior level · cloud-devops-security
What the interviewer is really asking
Gauge foundational security thinking and whether the candidate can translate an abstract security principle into concrete cloud IAM practice.
What to say
- Least privilege means granting only the permissions required to perform a specific task — no more.
- In AWS IAM, this means attaching policies that name specific actions (e.g., s3:GetObject) and resources (specific bucket ARN) rather than using wildcards like * or managed policies like AdministratorAccess.
- It reduces blast radius: if a Lambda role is compromised, an attacker can only reach the S3 bucket the Lambda needs, not the entire account.
What to avoid
- Saying least privilege means 'don't give everyone admin access' without going deeper.
- Suggesting that broad policies are fine for development environments.
- Confusing authentication (who you are) with authorisation (what you can do).
Example answers
Strong: For a Lambda that reads from one DynamoDB table, I'd write an inline policy allowing only dynamodb:GetItem and dynamodb:Query on that specific table ARN — not dynamodb:* on *.
Weak: Just attach the ReadOnlyAccess managed policy — it's safer than AdminAccess and good enough.
Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.