What best describes IAM roles vs policies and how to implement least-privilege access?

Multiple Choice

Explanation:
Understanding how IAM uses policies and roles is key to enforcing least-privilege access. Policies are the actual permission rules that specify which actions on which resources are allowed and under what conditions. Roles are containers that bundle a set of those permissions and can be assumed by users, groups, or services, so you don’t have to grant every individual permission to each person.

To implement least privilege, attach only the smallest, tightly scoped policies to the appropriate roles or identities, granting just the permissions needed for the task. Use groups to manage access for multiple users efficiently and service principals for applications, which helps keep permissions centralized and auditable. Regularly review and prune permissions to remove anything unnecessary, and rotate credentials as needed.

The idea here is that permissions come from policies, roles provide a reusable bundle of those permissions for identities to assume, and the goal is to keep access as narrow as possible while maintaining the ability to perform required work.
