Cloud Expert
AWS IAM — Identity & Access Management¶
AWSIAMSecurityLeast Privilege 5 min read
IAM policies, roles, STS, permission boundaries and least privilege best practices.
Policy Structure¶
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
"Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}
}]
}
Permission Boundaries¶
They limit the maximum permissions of a role/user — even an admin cannot exceed the boundary:
aws iam put-role-permission-boundary \
--role-name dev-role \
--permissions-boundary arn:aws:iam::123:policy/DevBoundary
STS AssumeRole¶
aws sts assume-role \
--role-arn arn:aws:iam::987654321:role/CrossAccountRole \
--role-session-name my-session
Always use AssumeRole over long-lived credentials.
Best Practices¶
- Root — MFA, no API keys
- Least privilege — deny-all, add permissions gradually
- IAM Access Analyzer — unused permissions
- SCPs — guardrails at the Organization level
Need Help with Implementation?¶
Our team has experience designing and implementing modern architectures. We’re happy to help.