# IAM Least-Privilege Policies
## Rule
All IAM policies MUST specify exact actions and resource ARNs. Wildcard permissions (`*` as the entire `Action` or `Resource`, or a service-wide `service:*`) are NEVER acceptable for production workloads.
## Format
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["<specific-action>"],
      "Resource": ["<specific-arn>"],
      "Condition": { "<operator>": { "<condition-key>": "<value>" } }
    }
  ]
}
```
`Condition` is optional; `Effect`, `Action` and `Resource` are required in every statement.
## Good Examples
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-app-uploads/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/users"
    }
  ]
}
```
## Bad Examples
Full administrative access: every API action on every resource in the account.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
Service-wide wildcard: every S3 action (including bucket deletion and policy changes) on every bucket and object.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```
## Condition Keys for Extra Security
Conditions narrow a grant beyond action and resource. The fragment below restricts the statement to principals in one organization, limits the regions a request may target, and rejects requests that are not sent over TLS.
```json
{
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": "o-myorgid",
      "aws:RequestedRegion": ["us-east-1", "us-west-2"]
    },
    "Bool": {
      "aws:SecureTransport": "true"
    }
  }
}
```
## Enforcement
- Use IAM Access Analyzer to identify unused permissions
- Run `aws iam simulate-principal-policy` to test policies
- Enable AWS Config rule `iam-policy-no-statements-with-admin-access`
- Conduct quarterly access reviews using IAM credential reports
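A policy linter that can run in CI before a policy reaches production, as an added example for this guideline (it is not an AWS tool and not part of the original page). It flags the wildcard patterns shown under Bad Examples (`*` or `service:*` as an action, `*` as a resource, and `NotAction`/`NotResource` on an Allow, which grants everything not listed) and warns when an Allow statement carries none of the keys from Condition Keys for Extra Security. The sample policies are constructed here; the account id and ARNs reuse the guideline's placeholder values, and the choice to treat a missing condition key as a warning rather than an error is an assumption.

```python
"""Least-privilege linter for IAM policy documents (added example, not an AWS tool)."""
import json
import sys

# Condition keys the guideline recommends. Assumption: any one of them on a
# statement is enough to silence the warning; values are not checked.
RECOMMENDED_CONDITION_KEYS = (
    "aws:PrincipalOrgID",
    "aws:RequestedRegion",
    "aws:SecureTransport",
)

# Constructed sample policies using the guideline's placeholder ARNs.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::my-app-uploads/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/users",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
    ],
}
BAD_POLICY_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
BAD_POLICY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Collect the keys under every operator block, e.g. {"Bool": {"aws:SecureTransport": ...}}."""
    keys = set()
    for operator_block in condition.values():
        if isinstance(operator_block, dict):
            keys.update(operator_block)
    return keys


def lint_policy(policy):
    """Return (severity, statement_index, message) findings; 'error' blocks, 'warn' advises."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards only narrows access, so it is not a finding
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(("error", idx, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append(("error", idx, f"Action '{action}' grants every {service} call"))
            elif "*" in action:
                findings.append(("error", idx, f"Action '{action}' contains a wildcard"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(("error", idx, "Resource '*' applies to every resource"))
        # NotAction / NotResource on an Allow grants everything except the listed items.
        for element in ("NotAction", "NotResource"):
            if element in stmt:
                findings.append(("error", idx, f"{element} on an Allow is an implicit wildcard"))
        present = _condition_keys(stmt.get("Condition", {}))
        if not present.intersection(RECOMMENDED_CONDITION_KEYS):
            keys = ", ".join(RECOMMENDED_CONDITION_KEYS)
            findings.append(("warn", idx, f"no recommended condition key ({keys})"))
    return findings


def is_compliant(policy):
    """True when the policy has no 'error' findings (warnings do not block)."""
    return not any(sev == "error" for sev, _, _ in lint_policy(policy))


def main(paths):
    """Lint the policy JSON files given on the command line; return 1 if any fails."""
    failed = False
    for path in paths:
        with open(path) as fh:
            policy = json.load(fh)
        for sev, idx, msg in lint_policy(policy):
            print(f"{path}: statement[{idx}]: {sev}: {msg}")
        failed = failed or not is_compliant(policy)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python lint_iam.py policy1.json policy2.json`; a non-zero exit blocks the pipeline on any wildcard finding, while missing condition keys are reported without failing the build. It complements, rather than replaces, `aws iam simulate-principal-policy`: the linter checks the policy text for shape, the simulator checks what a principal can actually do once all attached policies and boundaries combine.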