SEC03-BP02: Grant least privilege access
Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. This way, when a developer is removed from the group, access for the developer is revoked everywhere that the group was used for access control, without requiring updates to the access policies.
Implementation guidance
The principle of least privilege is a fundamental security concept that involves granting only the minimum permissions necessary to perform a task. By implementing least privilege access, you can significantly reduce the risk of unauthorized access and limit the potential impact of security incidents.
Key steps for implementing this best practice:
- Start with minimum permissions:
  - Begin with no permissions and add them as needed
  - Use explicit deny policies to restrict sensitive actions
  - Implement permission boundaries to limit maximum permissions
  - Avoid using wildcard permissions (e.g., `*`) in policies
  - Regularly review and remove unused permissions
- Implement attribute-based access control (ABAC):
  - Use tags on resources and principals for dynamic access control
  - Define policies based on attributes rather than individual identities
  - Implement consistent tagging strategies across your organization
  - Use conditions in policies to enforce attribute-based restrictions
  - Document your ABAC strategy and implementation
- Leverage IAM Access Analyzer:
  - Use IAM Access Analyzer to identify unused permissions
  - Generate least privilege policies based on access activity
  - Regularly review findings and refine permissions
  - Implement automated remediation for overly permissive policies
  - Monitor for policy changes that increase permissions
- Implement time-bound permissions:
  - Grant temporary access for specific tasks
  - Use IAM roles with session policies for temporary elevated access
  - Implement automated expiration for temporary permissions
  - Require justification for access requests
  - Log and monitor temporary access usage
- Use permission guardrails:
  - Implement Service Control Policies (SCPs) to set organization-wide guardrails
  - Use permission boundaries to limit maximum permissions for roles
  - Create IAM policy conditions to restrict access based on context
  - Implement resource-based policies for additional access control
  - Regularly review and update guardrails
- Continuously refine permissions:
  - Monitor access patterns and usage
  - Identify and remove unused permissions
  - Adjust permissions based on changing requirements
  - Implement regular access reviews
  - Use automated tools to suggest permission refinements
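As an added example (not part of the AWS guidance), the following Python models how the "explicit deny" and ABAC items above behave at evaluation time: a policy that scopes EC2 start/stop to instances whose `project` tag matches the caller's own `project` tag, plus an explicit deny on a sensitive action, run through a simplified evaluator (explicit deny wins, then any allow, otherwise implicit deny). The policy document, the account number and the `evaluate` helper are constructed assumptions; this is not the real IAM evaluation engine, which handles many more condition operators and policy types.

```python
import fnmatch
import json
import re

# Constructed ABAC policy (not from the page): a developer may start/stop EC2
# instances only when the instance's "project" tag equals the developer's own
# "project" tag; terminating instances is explicitly denied everywhere.
ABAC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals":
       {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _resolve(text, ctx):
    # Expand ${key} policy variables (e.g. ${aws:PrincipalTag/project}) from the request context
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), text)

def _condition_holds(condition, ctx):
    # Only StringEquals is modelled; a context key that is absent makes the test fail
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in ctx or ctx[key] != _resolve(expected, ctx):
            return False
    return True

def evaluate(policy, action, resource, ctx):
    """Simplified IAM logic: explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"  # constructed ARN
    ctx = {"aws:PrincipalTag/project": "payments", "aws:ResourceTag/project": "payments"}
    print(evaluate(ABAC_POLICY, "ec2:StopInstances", inst, ctx))  # Allow
```

Removing a developer's `project` tag (or moving them to another project) changes the outcome without editing the policy, which is the point of attribute-based grants.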
Implementation examples
Example 1: Least privilege IAM policy
Example 2: Attribute-based access control (ABAC)
Example 3: Permission boundary
Example 4: Using IAM Access Analyzer to generate least privilege policies
AWS services to consider
Benefits of granting least privilege access
- Reduced attack surface: Minimizes the potential impact of compromised credentials
- Improved security posture: Limits the actions that can be performed by any identity
- Enhanced compliance: Supports regulatory requirements for access control
- Better visibility: Makes it easier to understand who has access to what
- Simplified auditing: Clearer access patterns make auditing more straightforward
- Reduced risk of accidental changes: Limits the potential for unintended modifications
- Improved detection of malicious activity: Unusual access attempts are more visible