We want least-privilege IAM but every policy ends up as AdministratorAccess
Don't start from a whitepaper, start from the roles teams already use. Give each role an AWS-managed policy that comes close, then trim based on what CloudTrail actually shows.
Try this first
- 1List the three to five access paths that really exist: developer, deploy bot, read-only for finance, ops, and maybe a data role.
- 2For each path, start with an AWS-managed policy like PowerUserAccess or ReadOnlyAccess, not a custom policy from scratch.
- 3Turn on CloudTrail, run for two weeks and inspect which actions those roles actually use. Trim what never appears.
- 4Use a service-control-policy in AWS Organizations as a guardrail on top, so even Administrator can't touch regions or services you don't want.
- 5Review every quarter with IAM Access Analyzer. It surfaces unused permissions and is a good trigger to trim further.
When to bring us in
If you handle customer production data or work in a regulated sector, a one-time policy audit by someone with IAM routine is worth it.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.