
Least privilege principle in AWS - Commands & Configuration

Introduction
Giving a user or program only the permissions it needs limits what an accident or a compromised credential can do. Every permission that is not granted is an action that cannot be taken, whether by mistake or on purpose.
Typical situations where this pattern applies:
Creating a new user or role that needs access to AWS services.
Setting permissions so an application can reach only the resources it requires.
Reducing the risk of accidental data loss or a security breach.
Auditing existing permissions to tighten security.
Granting temporary access to contractors or external partners.
Config File - least_privilege_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

This JSON file defines a policy that allows listing the bucket named example-bucket and reading the objects in it, and nothing else: no write or delete actions, and no access to other buckets. Two resource ARNs are needed because s3:ListBucket is evaluated against the bucket itself (arn:aws:s3:::example-bucket), while s3:GetObject is evaluated against individual objects (arn:aws:s3:::example-bucket/*). This is the least privilege principle applied: only the permissions needed, on only the resources needed.

Commands
This command creates a new IAM policy named ExampleS3ReadOnlyPolicy using the permissions defined in the JSON file. It sets up the least privilege permissions for S3 read access.
Terminal
aws iam create-policy --policy-name ExampleS3ReadOnlyPolicy --policy-document file://least_privilege_policy.json
Expected Output
{
  "Policy": {
    "PolicyName": "ExampleS3ReadOnlyPolicy",
    "PolicyId": "ABCDEFGHIJKLMN1234567",
    "Arn": "arn:aws:iam::123456789012:policy/ExampleS3ReadOnlyPolicy",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2024-06-01T12:00:00Z",
    "UpdateDate": "2024-06-01T12:00:00Z"
  }
}
--policy-name - Sets the name of the new IAM policy.
--policy-document - Specifies the JSON file with the policy permissions.
This command attaches the newly created least privilege policy to a user named example-user, giving them only the permissions defined in the policy.
Terminal
aws iam attach-user-policy --user-name example-user --policy-arn arn:aws:iam::123456789012:policy/ExampleS3ReadOnlyPolicy
Expected Output
No output (command runs silently)
--user-name - Specifies the IAM user to attach the policy to.
--policy-arn - Specifies the ARN of the policy to attach.
This command lists all policies attached to example-user to verify the correct policy is attached.
Terminal
aws iam list-attached-user-policies --user-name example-user
Expected Output
{
  "AttachedPolicies": [
    {
      "PolicyName": "ExampleS3ReadOnlyPolicy",
      "PolicyArn": "arn:aws:iam::123456789012:policy/ExampleS3ReadOnlyPolicy"
    }
  ]
}
--user-name - Specifies the IAM user to check.
Key Concept

If you remember nothing else from this pattern, remember: always give only the exact permissions needed, nothing more.

Common Mistakes
Giving users full access instead of limited permissions.
Why it matters: this increases risk by allowing accidental or malicious actions beyond what is needed.
Fix: create and attach policies that specify only the required actions and resources.

Using wildcard (*) permissions for actions or resources, such as "Action": "s3:*" or "Resource": "*".
Why it matters: wildcards grant broad access across a whole service or account, defeating the purpose of least privilege.
Fix: specify exact actions and resource ARNs in the policy.

Not verifying which policies are actually attached to users or roles.
Why it matters: you might believe permissions are limited when an extra, broader policy is still attached, leaving a security gap.
Fix: use commands such as list-attached-user-policies to list attached policies and audit permissions regularly.
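The following is an added example, not part of this page's material, that turns the verification step and the wildcard warning above into an offline check: it lints a policy document for wildcard actions and resources, and compares the parsed output of aws iam list-attached-user-policies against the set of policy ARNs you expect. The policy documents and CLI output are constructed here; the over-broad policy and the extra AdministratorAccess attachment are assumptions included so the audit has something to flag.

```python
import json

# Constructed sample: the contents of least_privilege_policy.json from this page
# (in practice: json.load(open("least_privilege_policy.json"))).
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": ["arn:aws:s3:::example-bucket",
                              "arn:aws:s3:::example-bucket/*"]}]
}""")

# Constructed sample: the over-broad form the Common Mistakes section warns about.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
}

EXPECTED_ARN = "arn:aws:iam::123456789012:policy/ExampleS3ReadOnlyPolicy"

# Constructed sample: parsed output of `aws iam list-attached-user-policies`,
# with an assumed extra AdministratorAccess attachment the audit should catch.
ATTACHED_OUTPUT = {"AttachedPolicies": [
    {"PolicyName": "ExampleS3ReadOnlyPolicy", "PolicyArn": EXPECTED_ARN},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]}

def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict) -> list:
    """One finding per wildcard in an Allow statement. Deny statements are
    skipped (a broad Deny narrows access). Object ARNs like bucket/* are
    scoped to a single bucket and are not flagged; only Resource "*" is."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        findings += [f"{sid}: wildcard action {a!r}"
                     for a in _as_list(stmt.get("Action")) if "*" in a]
        findings += [f"{sid}: wildcard resource '*'"
                     for r in _as_list(stmt.get("Resource")) if r == "*"]
    return findings

def audit_attachments(list_output: dict, expected_arns: set) -> tuple:
    """Return (missing, unexpected) policy ARNs for an IAM user's attachments."""
    attached = {p["PolicyArn"] for p in list_output.get("AttachedPolicies", [])}
    return expected_arns - attached, attached - expected_arns
```

Run lint_policy on every policy before create-policy, and audit_attachments on the list-attached-user-policies output after attach-user-policy; any unexpected ARN is a policy to detach.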
Summary
Create a JSON policy file that defines only the needed permissions.
Use AWS CLI to create the policy and attach it to users or roles.
Verify attached policies to ensure least privilege is enforced.