90% of AWS Breaches Come from IAM
In my audit experience, nearly all AWS security issues stem from overly permissive IAM configurations. Here's how to avoid them.
1. Least Privilege Principle
Each IAM role should only access strictly necessary resources. Nothing more.
Red flags:
- "Action": "*" in a policy
- "Resource": "*" without justification
- Roles shared between multiple services
- Using the root account for routine operations
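A small static check for the first two red flags, added here as an example and not code from the original post; the policy documents it runs over are constructed samples, and "without justification" is approximated as a Resource "*" on an Allow statement that carries no Condition block.

```python
"""Flag Allow statements that use "Action": "*" or an unconditioned "Resource": "*"."""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_red_flags(policy_document):
    """Return (Sid, finding) tuples for risky Allow statements in a policy."""
    policy = (json.loads(policy_document)
              if isinstance(policy_document, str) else policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards restricts, it does not grant
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "*" in _as_list(stmt.get("Action")):
            findings.append((sid, 'Action "*" grants every API call'))
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append((sid, 'Resource "*" with no Condition'))
    return findings


# Constructed sample policies (not taken from any real account).
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllTheThings", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOneBucket", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
}

if __name__ == "__main__":
    for name, doc in (("overly_permissive", OVERLY_PERMISSIVE), ("scoped", SCOPED)):
        print(name, find_red_flags(doc) or "no red flags")
```

The same function accepts the JSON string returned by `iam:GetPolicyVersion`, so it can be run across every customer-managed policy during the monthly audit.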
2. Structure Your Policies
- Inline policies: only for very specific cases
- Managed policies: for reusable permissions
- Permission boundaries: to limit what developers can grant themselves
- Service Control Policies: at the organization level
3. Regular Auditing
Set up a monthly IAM audit cycle:
- Review unused roles via IAM Access Analyzer
- Check for old access keys
- Analyze last access with IAM Last Accessed
- Alert on policy changes via CloudTrail
4. MFA Everywhere
MFA is not optional. It must be active on:
- The root account (mandatory)
- All IAM users with console access
- Sensitive operations via policy conditions
5. The 5 Most Common Mistakes
- Using long-lived access keys instead of IAM roles
- Not enabling CloudTrail in all regions
- Granting AdministratorAccess to application services
- Forgetting to revoke access for former employees
- Not using AWS Organizations to segment accounts
Need an IAM security audit? Contact me.