BlogCloud
AWS IAM least privilege with Access Analyzer
Generate tight IAM policies from real CloudTrail activity and find resources shared outside your account.
IAM least privilege is easy to say and hard to do because nobody knows which permissions a role actually uses. AWS gives you two tools that turn guesswork into evidence: Access Analyzer can generate a policy from CloudTrail history, and it flags any resource shared outside your account.
Generate a policy from real usage
Point Access Analyzer at a role's CloudTrail trail and it emits a policy containing only the actions that role actually called over the window — a tight starting point instead of *.
aws accessanalyzer start-policy-generation \ --policy-generation-details ...generated policy: 14 actions across 3 serviceswas: "s3:*","ec2:*" — now: the 14 it actually usesFind access that leaves your account
aws accessanalyzer list-findings --analyzer-arn ...S3 bucket acme-backups -> shared with account 9999...IAM role deploy -> assumable by *Resource wildcards hide in plain sight
Action scoping gets attention; Resource: "*" does not. Scope resources to specific ARNs, and add conditions (source VPC, MFA, tag) where the action supports them.
Tighten with conditions
policy.json
{"Effect": "Allow","Action": "s3:GetObject","Resource": "arn:aws:s3:::acme-app/*","Condition": { "Bool": { "aws:SecureTransport": "true" } }}