IAM Least Privilege

0

Do we have any documentation or resources that talk about how AWS has implemented IAM, trust, least privilege, etc.?

Asked 1 year ago, viewed 300 times
3 answers
0

I'm not sure if I understand the question correctly.

If you're asking "how does AWS implement least-privilege access for AWS personnel to AWS services" then the best answer I can give is that we are audited for that (and other things) based on many security compliance programs. The audit process ensures that we are adhering to the standards set in those programs.

If you're asking "what's the best way for me to create least-privilege IAM permissions" then I'd suggest looking at AWS IAM Access Analyzer. There is also a workshop and quite a few blog posts.

Adding: You might look at this video from the Amazon Builders' Library - lots of other good content there too.

AWS
Expert
Answered 1 year ago
  • Any customer-focused blog/article? To inspire how we at AWS have utilized these best practices of least privilege & IAM.

0

There is a "Security best practices in IAM" page available in the docs, specifically talking about least privilege: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

For refining permissions we can use Access Advisor: Access Advisor shows the services that this user can access and when those services were last accessed. Review this data to remove unused permissions. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html

AWS
Answered 1 year ago
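Putting the Access Advisor suggestion into practice, here is an added example (not code from the answer above or from AWS's own tooling) that joins a policy's Allow statements with the ServicesLastAccessed records returned by iam:GetServiceLastAccessedDetails and flags granted services that have not been used within a chosen window. The policy document, the last-accessed records and the 90-day threshold are constructed sample values.

```python
"""Flag services granted by an IAM policy that Access Advisor shows as unused."""
from datetime import datetime, timedelta, timezone

# Constructed sample: an identity-based policy as returned by iam:GetPolicyVersion.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed sample shaped like the ServicesLastAccessed field of
# iam:GetServiceLastAccessedDetails (Access Advisor data); "now" is fixed for the example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceNamespace": "kms"},  # no LastAuthenticated: never used in the tracking period
    {"ServiceNamespace": "iam", "LastAuthenticated": NOW - timedelta(days=10)},
]

def allowed_namespaces(policy):
    """Return the service namespaces granted by Allow statements ('*' if any action is '*')."""
    namespaces = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything, so they are not reviewed
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            namespaces.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return namespaces

def unused_services(policy, last_accessed, now, max_idle_days=90):
    """Namespaces the policy allows but that were not authenticated within max_idle_days."""
    granted = allowed_namespaces(policy)
    if "*" in granted:
        # Action "*" grants every service; such a policy needs rewriting before any review.
        return {"*"}
    cutoff = now - timedelta(days=max_idle_days)
    seen = {e["ServiceNamespace"]: e.get("LastAuthenticated") for e in last_accessed}
    return {ns for ns in granted
            if seen.get(ns) is None or seen[ns] < cutoff}
```

With the sample data, `unused_services(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED, NOW)` reports `ec2` (last used 200 days ago) and `kms` (never used), which are the grants a reviewer would remove or tighten first.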
0

An AWS account is inherently least privileged. That is how they are designed. The root user has full admin but after that every resource is only given the permissions you give it as the admin.

Services can’t do anything without attached policies. You either attach those policies yourself or you deploy templates that do so. Either way, you initiated the actions.

It’s the shared responsibility model. AWS gives you all the rope you want. They are security ‘of’ the cloud. You are security ‘in’ the cloud.

That is documented in most mentions of permissions and specifically in the Well-Architected Framework's Security Pillar.

Review the SRM and the Security Pillar and that should give you what you are looking for.

Answered 1 year ago
