Most IAM roles are over-permissioned by default.
We know we should “enforce least privilege,” but how? AWS doesn’t make it easy — especially across dozens of roles, dev teams, and constantly shifting service usage.
This week, I broke down my real-world approach using tools already built into AWS:
- ✅ IAM Access Analyzer for external exposure
- ✅ Service Last Accessed data for stale permissions
- ✅ CloudTrail + the IAM Policy Simulator to trim roles down
- ✅ EventBridge + Lambda for real-time alerting and automation
Here’s a sample from the article — using generate-service-last-accessed-details to audit a role:
aws iam generate-service-last-accessed-details \
--arn arn:aws:iam::123456789012:role/MyAppRole
Then review which services haven’t been touched in 90+ days:
aws iam get-service-last-accessed-details \
--job-id <job-id>
💡 Combine this with CloudTrail and Access Analyzer for a full-picture review.
👉 I published the full, step-by-step guide here:
🔗 https://thehiddenport.dev/posts/aws-enforcing-least-privilege/
Includes detection tips, audit workflows, and code examples you can apply right now.
Thanks for reading — let me know how you're enforcing least privilege in your AWS org, or what your biggest roadblock has been.
Top comments (0)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.