IAM & Least Privilege

Secure AWS environments through strict IAM roles and minimal scoping.

Details

Language / Topic
Amazon Web Services
Category
Security

Rules

- Never use broad `*` permissions (e.g., `s3:*` or `Resource: *`); explicitly define required actions and specific ARNs
- Do not use long-lived Access Keys locally; rely entirely on temporary STS tokens via AWS SSO / Identity Center
- Attach IAM roles directly to application compute resources (EC2, ECS, Lambda) instead of injecting keys via env vars
- Construct granular, explicit Identity-based and Resource-based policies. If an app only needs to upload data, grant only `s3:PutObject` on that precise bucket ARN
- Periodically review IAM usage with IAM Access Analyzer to prune inactive users, stale access keys, and broadly scoped permissive roles
- Implement Service Control Policies (SCPs) at the Organization root to enforce invariants (e.g., 'Deny all regions except us-east-1')
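The wildcard rule and the scoped-upload rule above can be checked mechanically before a policy is attached. The following is an added example (not part of the original rule set): a small linter that flags `Allow` statements using `*` in `Action` or a bare `*` in `Resource`, run over three constructed policies, a broad `s3:*` grant, the upload-only grant, and a region-deny SCP of the kind the last rule describes. Bucket name and policy contents are assumed sample values.

```python
import json

# Constructed sample policies (not from any real account).
# 1. The broad pattern the rules forbid.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# 2. The scoped grant: upload only, on one assumed bucket's objects.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-upload-bucket/*",
    }],
}

# 3. A simplified SCP denying every region except us-east-1. A production SCP
#    would also exempt global services (IAM, STS, ...) via NotAction; omitted here.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return (statement_index, field, value) for each wildcard in an Allow statement.
    Deny statements are skipped: `*` there narrows access, as in the SCP above."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:            # catches `*`, `s3:*` and `s3:Get*`
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":          # object-level `bucket/*` ARNs are fine
                findings.append((idx, "Resource", resource))
    return findings


def is_least_privilege(policy):
    """True when no Allow statement in the policy uses a wildcard."""
    return not find_wildcards(policy)


if __name__ == "__main__":
    for name, pol in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY), ("scp", REGION_SCP)]:
        print(name, json.dumps(find_wildcards(pol)))
```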