Tags: Cloud, aws, iam, least-privilege

How do I actually achieve least-privilege in AWS IAM without breaking things?

By Karthik Nair · April 15, 2026
Short answer

Start broad in dev, use IAM Access Analyzer to generate policies from real CloudTrail activity, then ratchet down in staging before prod.

The full answer

Hand-writing least-privilege policies from the documentation is a losing battle. The services you depend on make dozens of sub-API calls behind the scenes that the documentation never spells out, so a policy written from the docs alone will miss them and break at runtime.

A workflow that works: deploy with a permissive role in a sandbox account, run the full integration test suite so that every code path exercises the AWS APIs it needs, then use Access Analyzer's policy generation to produce a tight policy from the CloudTrail activity that run recorded.

Layer SCPs at the organization level to enforce the non-negotiables (no public S3, no IAM user creation, region restrictions). That way a mistake in an individual role stays contained and cannot escalate into an org-wide incident.
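One way to express those three non-negotiables as a single SCP, added here as an example and not taken from the original post. The `BreakGlassAdmin` role name and the two approved regions are placeholders, and the `NotAction` list of global services is an assumption you should match to the global services your organization actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserCreationExceptBreakGlass",
      "Effect": "Deny",
      "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassAdmin" }
      }
    },
    {
      "Sid": "DenyDisablingS3BlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:DeleteAccountPublicAccessBlock",
        "s3:DeleteBucketPublicAccessBlock"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyPublicCannedAcls",
      "Effect": "Deny",
      "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]
        }
      }
    },
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*",
        "cloudfront:*", "route53:*", "budgets:*", "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": ["us-east-1", "eu-west-1"] }
      }
    }
  ]
}
```

Attach the policy to an OU rather than the root so the management account, which SCPs never restrict anyway, and any sandbox OU can be exempted deliberately; test it in that sandbox OU first, because a Deny on a global service missing from `NotAction` will surface as confusing AccessDenied errors across every region.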
