- Always use IAM roles instead of long-lived access keys for services and applications
- Apply the least-privilege principle: start with zero permissions and add only the minimum each role requires
- Never hardcode AWS credentials in source code, Dockerfile environment variables, or config files; use IAM roles, instance profiles, or AWS SSO instead
- Use IAM policy conditions to restrict access scope: aws:SourceIp, aws:PrincipalOrgID, aws:RequestedRegion
- Enable MFA for all human users, especially those with console access; require MFA for sensitive operations via policy conditions
- Use separate AWS accounts per environment (dev/staging/prod) with AWS Organizations
- Prefer AWS managed policies as starting points, then create custom policies for fine-grained control
- Use permission boundaries to delegate IAM administration safely
- Rotate credentials regularly; use AWS Secrets Manager for automatic rotation
- Audit IAM with Access Analyzer, credential reports, and CloudTrail logs
- Tag all IAM resources for cost allocation and access control (ABAC)
- Use aws:PrincipalTag conditions for attribute-based access control patterns
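The policy below is an added example, not part of the original list, showing how several of the conditions above combine in one identity-based policy: a deny when MFA is absent (BoolIfExists so that role sessions which never carry the key are not locked out), a region deny via aws:RequestedRegion that exempts global services, a source-IP deny that exempts calls AWS services make on the principal's behalf (otherwise CloudFormation and similar break), and an ABAC allow that matches aws:PrincipalTag/team against the resource tag. The region list, the 203.0.113.0/24 range and the "team" tag key are placeholder values to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
    },
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": ["eu-west-1", "eu-central-1"] }
      }
    },
    {
      "Sid": "DenyOutsideCorporateNetwork",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    },
    {
      "Sid": "AllowTeamScopedInstanceControl",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/team": "${aws:PrincipalTag/team}" }
      }
    }
  ]
}
```

Because explicit Deny always wins, the three deny statements apply regardless of what other policies grant; test them with the IAM policy simulator before attaching to production principals.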