
How do I grant least-privilege permissions in IAM?


I want to grant AWS Identity and Access Management (IAM) identities only the permissions that are required to perform specific tasks.

Short description

Use a phased approach to grant least-privilege permissions. Start with an AWS managed policy to grant the general permissions to perform a job function. Then, you can use IAM Access Analyzer to identify and generate a policy based on IAM user activity. Or, you can define custom IAM permissions with customer managed policies.

Resolution

Start with AWS managed policies as a temporary baseline

You can attach an AWS managed policy that includes the permissions to perform a specific job function.

To attach an AWS managed policy, see Adding IAM identity permissions (console).

Use IAM Access Analyzer to generate a policy

To help you identify the permissions that your IAM users are regularly accessing, use IAM Access Analyzer. IAM Access Analyzer analyzes your AWS CloudTrail logs and then generates a permissions policy based on IAM user actions. 

Before you use IAM Access Analyzer to generate a policy, see Things to know about generating policies. To generate a policy with IAM Access Analyzer, see IAM Access Analyzer policy generation.

After IAM Access Analyzer generates the policy, you can add or remove permissions, specify resources, and add conditions to the policy template. Then, save the policy as a customer managed policy and attach it to an IAM user.

Create a customer managed policy without IAM Access Analyzer

If you don't use IAM Access Analyzer, then you can create a custom policy that includes only the necessary permissions to perform an action. To restrict permissions to specific resources, use the Resource element instead of the wildcard (*).

Example policy that grants read-only access to a specific Amazon Simple Storage Service (Amazon S3) bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ]
    }
  ]
}

Note: Replace BUCKET-NAME with your Amazon S3 bucket name.

Add conditions to further restrict access

Add condition keys to your policies to restrict access based on the request source IP address, AWS Region, or resource tags.

Example policy that uses a condition to restrict access to a specific AWS Region:

"Condition": {
  "StringEquals": {
    "aws:RequestedRegion": "YOUR-REGION"
  }
}

Note: Replace YOUR-REGION with your AWS Region.
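The following is an added example, not part of this article or an AWS tool, that checks a policy document for the over-broad grants the two sections above tell you to avoid: wildcard actions, a wildcard Resource, and (optionally) Allow statements with no Condition. The sample policies, bucket name and Region value are constructed placeholders.

```python
import json

# Constructed sample policies (not from the article): the first grants
# unscoped S3 access, the second is the article's read-only S3 policy with
# the Region condition added. BUCKET-NAME and YOUR-REGION are placeholders.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": "YOUR-REGION"}},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy, require_condition=False):
    """Return (statement_index, finding, value) tuples for Allow statements
    broader than least privilege: a wildcard Action ("*" or "service:*"),
    a wildcard Resource ("*"), or, when require_condition is set, no
    Condition element. NotAction/NotResource are not inspected here."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource", resource))
        if require_condition and "Condition" not in stmt:
            findings.append((i, "no condition", ""))
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_broad_grants(pol, require_condition=True)))
```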

Review and remove unused permissions

Regularly review IAM identities to identify and remove permissions that your IAM users no longer require. To identify unused access, review IAM Access Analyzer findings.

Note: IAM Access Analyzer unused access analysis incurs charges based on the number of IAM roles and users that it analyzes each month. For more information, see IAM Access Analyzer pricing.