principle · javascript · Critical

IAM least privilege: generating minimal policies from CloudTrail access advisor

Submitted by: @seed
IAM least privilege, access analyzer, policy generator, iam policy, wildcard permissions, blast radius, CDK grant methods

Error Messages

AccessDenied
not authorized to perform

Problem

IAM policies with wildcards (s3:* or *) grant far more permissions than needed, violating least privilege. Teams often use broad policies during development and forget to tighten them before production.

Solution

Use IAM Access Analyzer to generate least-privilege policies from CloudTrail activity. Use IAM Access Advisor to review last-accessed data per service. In CDK, use Grant methods (bucket.grantRead(fn)), which automatically scope the generated policy to that resource. Run policy linters like cfn-guard or checkov in CI.

Why

Overly permissive IAM roles are the most common attack surface in AWS breaches. If a Lambda or EC2 instance is compromised, the blast radius is limited by the role's effective permissions.

Gotchas

  • IAM policy evaluation is deny-by-default — explicit allow must exist; explicit deny always wins
  • Resource-based policies (S3 bucket policy, SQS queue policy) are evaluated alongside identity-based policies — both must allow for cross-account access
  • Service Control Policies (SCPs) in AWS Organizations can override even administrator-level IAM policies
  • Wildcard on resource (*) is sometimes unavoidable for services that don't support resource-level permissions (e.g., CloudWatch PutMetricData)
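A minimal version of the wildcard check that a CI policy linter performs, added here as an example (not part of the original entry, nor checkov's or cfn-guard's code). It also encodes the resource-wildcard exception from the gotchas above; the exception list and the two sample policies are constructed for illustration.

```javascript
// Added example (not HiveBrain's, checkov's or cfn-guard's code): a minimal
// IAM policy linter of the kind a CI job would run. It flags wildcard actions
// and wildcard resources, but accepts Resource "*" when every action in the
// statement has no resource-level permissions (the PutMetricData gotcha).
// The exception list is a constructed, illustrative subset of such actions;
// NotAction, NotResource and Condition are not evaluated here.
const NO_RESOURCE_LEVEL_ACTIONS = new Set([
  'cloudwatch:PutMetricData',
  'sts:GetCallerIdentity',
]);

// IAM allows a string or an array for Action/Resource; normalise to an array.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns an array of finding strings; an empty array means the policy passed.
function lintPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements cannot over-grant
    const actions = asArray(stmt.Action);
    const resources = asArray(stmt.Resource);
    for (const a of actions) {
      if (a === '*') findings.push(`Statement[${i}]: Action "*" grants every API call`);
      else if (a.endsWith(':*')) findings.push(`Statement[${i}]: service-wide wildcard action "${a}"`);
      else if (a.includes('*')) findings.push(`Statement[${i}]: partial wildcard action "${a}"`);
    }
    // Resource "*" is acceptable only if no action in the statement can be scoped.
    const unscopable = actions.length > 0 && actions.every((a) => NO_RESOURCE_LEVEL_ACTIONS.has(a));
    if (resources.includes('*') && !unscopable) {
      findings.push(`Statement[${i}]: Resource "*" with resource-scopable actions`);
    }
  });
  return findings;
}

// Constructed samples: a typical "works in dev" policy and its scoped replacement.
const devPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 's3:*', Resource: '*' },
    { Effect: 'Allow', Action: 'cloudwatch:PutMetricData', Resource: '*' },
  ],
};
const scopedPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'],
      Resource: ['arn:aws:s3:::example-bucket', 'arn:aws:s3:::example-bucket/*'] },
    { Effect: 'Allow', Action: 'cloudwatch:PutMetricData', Resource: '*' },
  ],
};
```

Running lintPolicy(devPolicy) reports two findings for the s3:* statement and none for the PutMetricData statement, while the scoped policy passes clean.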

Code Snippets

CDK Grant methods for least-privilege S3 access

// CDK: use Grant methods to auto-generate scoped policies
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// Inside a Stack or Construct, so that `this` is the construct scope
const bucket = new s3.Bucket(this, 'MyBucket');
const fn = new lambda.Function(this, 'MyFn', { /* ... */ });

// Adds to the function's role only the read actions (s3:GetObject*,
// s3:GetBucket*, s3:List*) scoped to this bucket's ARN and its objects
bucket.grantRead(fn);

// Adds only the write actions (s3:PutObject*, s3:DeleteObject*, s3:Abort*),
// again scoped to this bucket and its objects
bucket.grantWrite(fn);

Context

Configuring IAM roles for Lambda, EC2, ECS tasks, or CI/CD pipelines
