SEC03-BP04: Reduce permissions continuously
As teams and workloads determine what access they need, remove permissions they no longer use and establish review processes to achieve least privilege permissions. Continuously monitor and reduce unused identities and permissions.
Implementation guidance
Implementing least privilege is not a one-time effort but an ongoing process. As your workloads evolve, the permissions required by your identities will change. Continuously reducing permissions ensures that identities have only the access they need, minimizing security risks and maintaining a strong security posture.
Key steps for implementing this best practice:
- Analyze access patterns:
  - Use AWS IAM Access Analyzer to identify unused permissions
  - Review CloudTrail logs to understand actual access patterns
  - Identify permissions that haven't been used in the last 90 days
  - Monitor for overly permissive policies
  - Track permission usage trends over time
- Implement automated permission refinement:
  - Use IAM Access Analyzer to generate least privilege policies
  - Implement automated policy refinement based on usage data
  - Set up regular jobs to identify and remove unused permissions
  - Create workflows for permission reduction approvals
  - Implement automated alerts for unused permissions
- Establish regular review processes:
  - Schedule quarterly permission reviews
  - Implement role-based access reviews
  - Create dashboards for permission usage and trends
  - Document review procedures and responsibilities
  - Track metrics on permission reduction progress
- Implement permission guardrails:
  - Use Service Control Policies (SCPs) to enforce permission boundaries
  - Implement permission boundaries for IAM roles
  - Create approval workflows for permission increases
  - Set up automated validation of policy changes
  - Implement policy validation in CI/CD pipelines
- Educate and engage teams:
  - Train teams on least privilege principles
  - Provide tools for self-service permission analysis
  - Create incentives for permission reduction
  - Share success metrics and improvements
  - Establish a permission reduction champion in each team
- Measure and improve:
  - Track permission reduction metrics over time
  - Set goals for permission reduction
  - Compare permissions across similar workloads
  - Identify patterns in permission usage
  - Continuously refine your approach based on results
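The first two steps above, analyzing which actions were actually used in the last 90 days and refining the policy from that usage data, as an added worked example (not code from the page or from AWS). It assumes a constructed IAM policy and a constructed per-action last-used table of the kind you would derive from CloudTrail events or IAM last-accessed data; no AWS API is called.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

UNUSED_THRESHOLD_DAYS = 90  # the page's "not used in the last 90 days" criterion

# Constructed sample policy (illustrative, not from any real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]},
        {"Effect": "Allow", "Resource": "*", "Action": "dynamodb:*"},
        {"Effect": "Allow", "Resource": "*", "Action": "sqs:SendMessage"},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
}
# Constructed last-used timestamps per action, in the shape you would derive
# from CloudTrail or IAM last-accessed data (assumption: not real API output).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LAST_USED = {
    "s3:GetObject": NOW - timedelta(days=3),
    "s3:PutObject": NOW - timedelta(days=120),   # stale: beyond 90 days
    "dynamodb:GetItem": NOW - timedelta(days=10),
    "dynamodb:Query": NOW - timedelta(days=30),
}

def used_actions(last_used, now, threshold_days=UNUSED_THRESHOLD_DAYS):
    # Actions seen at or after the cutoff count as "in use".
    cutoff = now - timedelta(days=threshold_days)
    return {action for action, seen in last_used.items() if seen >= cutoff}

def reduce_statement(stmt, used):
    # Deny statements and NotAction statements are left untouched: narrowing
    # them could widen access rather than reduce it.
    if stmt.get("Effect") != "Allow" or "Action" not in stmt:
        return stmt
    patterns = stmt["Action"]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    kept = []
    for pattern in patterns:
        # Expand wildcards such as "dynamodb:*" to only the concrete actions in use.
        for action in sorted(a for a in used if fnmatch.fnmatchcase(a, pattern)):
            if action not in kept:
                kept.append(action)
    return {**stmt, "Action": kept} if kept else None  # None: nothing used, drop

def reduce_policy(policy, last_used, now, threshold_days=UNUSED_THRESHOLD_DAYS):
    used = used_actions(last_used, now, threshold_days)
    reduced = [reduce_statement(s, used) for s in policy["Statement"]]
    return {**policy, "Statement": [s for s in reduced if s is not None]}
```

On the sample data the S3 statement shrinks to `s3:GetObject`, the `dynamodb:*` wildcard becomes the two DynamoDB actions actually observed, the never-used SQS statement is dropped, and the Deny is preserved; the output is a candidate for the approval workflow, not something to apply blindly, since usage data only covers the observation window.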
Implementation examples
Example 1: Using IAM Access Analyzer to identify and remove unused permissions
Example 2: Automated permission review workflow
Example 3: Permission reduction metrics dashboard
AWS services to consider
Benefits of reducing permissions continuously
- Enhanced security posture: Minimizes the risk of unauthorized access and potential damage
- Reduced attack surface: Limits the actions that can be performed by compromised credentials
- Improved compliance: Supports regulatory requirements for least privilege access
- Better visibility: Provides clearer understanding of actual permission requirements
- Operational efficiency: Simplifies permission management and reduces complexity
- Proactive risk management: Identifies and addresses permission issues before they can be exploited
- Cultural improvement: Fosters a security-conscious culture across teams