IAM hardening follow-up

Topic: Cloud aws core

Summary

After the basic IAM setup (least-privilege identity policies and MFA), reduce risk further with permissions boundaries, service control policies (SCPs) and regular audits. Use this when you want to tighten IAM beyond per-identity least privilege and MFA.

Intent: How-to

Quick answer

  • Permissions boundaries cap the maximum permissions an IAM user or role can ever have. They are attached to a user or role (not a group) and grant nothing on their own: effective permissions are the intersection of the identity's policies and the boundary. Use them to delegate user/role creation without handing over full power.
  • Service control policies (SCPs) in AWS Organizations cap what every principal in a member account can do, including that account's root user; they do not affect the management account. Attach them to the organization root, an OU or an account to deny unapproved regions or risky actions (for example leaving the organization or stopping CloudTrail) across a whole OU.
  • Audit with the IAM credential report and IAM Access Analyzer (external-access and unused-access findings). Remove unused permissions and credentials, rotate any access keys that must remain, and prefer roles with short-lived STS credentials over long-lived keys.
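The first two bullets describe an intersection that is easy to get wrong when reading an identity policy on its own. The following is an added example, not part of the original page and not AWS code: a small model of how an identity policy, a permissions boundary and SCPs combine. Policy names (DEVELOPER_POLICY, BOUNDARY, the app-data-* buckets) are made up for the example; only Effect/Action/Resource and the aws:RequestedRegion condition key are modelled, and SCPs are treated as one merged set rather than intersected per OU level.

```python
"""Model of how AWS combines an identity policy, a permissions boundary and SCPs.

Added example (not AWS code, not from the page). Modelled: Effect, Action,
Resource (wildcards) and the aws:RequestedRegion condition key. Not modelled:
NotAction/NotResource, other condition keys, resource-based policies,
case-insensitive action matching, and per-OU-level SCP intersection.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, region):
    """Only aws:RequestedRegion with StringEquals/StringNotEquals is modelled
    (assumption of this example); any other key makes the statement not apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key != "aws:RequestedRegion":
                return False
            regions = _as_list(expected)
            if operator == "StringEquals" and region not in regions:
                return False
            if operator == "StringNotEquals" and region in regions:
                return False
    return True


def _applies(stmt, action, resource, region):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, p) for p in actions)
            and any(fnmatchcase(resource, p) for p in resources)
            and _condition_holds(stmt.get("Condition", {}), region))


def evaluate(policy, action, resource, region):
    """Verdict of one policy document: 'Deny' (explicit), 'Allow', or
    'Implicit' when no statement matches (which AWS treats as a deny)."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, region):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def evaluate_scps(scps, action, resource, region):
    """SCPs attached along the account's path: any explicit Deny wins,
    otherwise at least one SCP must Allow (simplified to a single merged set)."""
    verdicts = [evaluate(s, action, resource, region) for s in scps]
    if "Deny" in verdicts:
        return "Deny"
    return "Allow" if "Allow" in verdicts else "Implicit"


def is_allowed(action, resource, region, identity, boundary=None, scps=()):
    """The SCPs must allow, the boundary (if attached) must allow, and the
    identity policy must allow; an explicit Deny at any layer wins. Neither
    the boundary nor an SCP grants anything by itself."""
    if scps and evaluate_scps(scps, action, resource, region) != "Allow":
        return False
    if boundary is not None and evaluate(boundary, action, resource, region) != "Allow":
        return False
    return evaluate(identity, action, resource, region) == "Allow"


# Constructed policies for the example; names and bucket prefix are hypothetical.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:RunInstances"], "Resource": "*"}]}

# Permissions boundary: the most a delegated developer identity may ever get.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data-*", "arn:aws:s3:::app-data-*/*"]}]}

# SCPs: the default FullAWSAccess plus a region guardrail. A production
# region-deny SCP also exempts global services via NotAction; left out here.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_OTHER_REGIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}}}]}
SCPS = (FULL_AWS_ACCESS, DENY_OTHER_REGIONS)


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-data-prod/report.csv"
    print("get object, us-east-1:", is_allowed("s3:GetObject", obj, "us-east-1", DEVELOPER_POLICY, BOUNDARY, SCPS))
    print("get object, eu-west-1:", is_allowed("s3:GetObject", obj, "eu-west-1", DEVELOPER_POLICY, BOUNDARY, SCPS))
    print("delete bucket, with boundary:", is_allowed("s3:DeleteBucket", "arn:aws:s3:::app-data-prod", "us-east-1", DEVELOPER_POLICY, BOUNDARY, SCPS))
    print("delete bucket, no boundary:", is_allowed("s3:DeleteBucket", "arn:aws:s3:::app-data-prod", "us-east-1", DEVELOPER_POLICY, None, SCPS))
```

The identity policy says s3:* but the boundary only lists three S3 actions on one bucket prefix, so s3:DeleteBucket and ec2:RunInstances fail silently with an implicit deny; the SCP then denies everything outside us-east-1 regardless of what the account's own policies say. That is the behaviour the quick answer is describing, and the reason a "missing permission" has to be checked against every layer.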

Prerequisites

  • An AWS account with IAM administrative access and the basic setup done (least-privilege identity policies, MFA on human users).
  • For SCPs: the account is a member of an AWS Organization with all features enabled, and you can administer policies from the management account or a delegated administrator.

Steps

  1. Permissions boundaries

    Write a managed policy that lists the maximum permissions you are willing to delegate; that policy is the boundary. Attach it when creating the user or role (the --permissions-boundary option of create-user / create-role) or afterwards with put-user-permissions-boundary / put-role-permissions-boundary. The identity can then never exceed the boundary, whatever its identity policies say. To keep a delegated admin from escaping it, only allow them iam:CreateUser, iam:CreateRole and iam:PutRolePermissionsBoundary with a condition that iam:PermissionsBoundary equals your boundary policy ARN.

  2. SCPs if using Organizations

    Enable the SCP policy type on the organization root, then attach SCPs to the root, an OU or an individual account. A deny list (keep the default FullAWSAccess SCP attached and add targeted Deny statements) is far easier to operate than an allow list (replace FullAWSAccess with explicit Allows and maintain it as services change). SCPs apply to every principal in member accounts, root user included, but never to the management account. Test on a non-prod OU first: a mistaken SCP can lock everyone out of an account, and only the management account can fix it.

  3. Audit and trim

    Generate and download the credential report (aws iam generate-credential-report, then aws iam get-credential-report). Review IAM Access Analyzer findings for external access and for unused roles, keys and permissions. Deactivate unused access keys before deleting them, delete users nobody uses, rotate the keys that must remain, and replace long-lived keys with roles assumed through STS (instance profiles, IAM Identity Center, or federation) wherever possible.
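Step 3 mentions the credential report without saying what to look for in it. The following is an added example, not part of the original page and not AWS code: it parses a credential report in the CSV layout returned by aws iam get-credential-report (after base64-decoding the Content field) and flags the findings a trim pass usually acts on. The report rows, the account ID 111122223333, the user names and the 90-day thresholds are constructed for the example; the fixed clock NOW keeps the result reproducible.

```python
"""Audit an IAM credential report for unused or stale credentials.

Added example (not AWS code, not from the page). Input is the CSV that
`aws iam get-credential-report` returns in its base64-encoded Content field.
The sample below is constructed: account 111122223333 and the users are fictional.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-10T12:00:00+00:00,true,2024-05-30T08:15:00+00:00,2024-03-01T00:00:00+00:00,2024-06-01T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-29T17:40:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-07-01T00:00:00+00:00,false,no_information,no_information,no_information,false,true,2021-07-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-09-20T00:00:00+00:00,true,2024-05-28T10:00:00+00:00,2023-09-20T00:00:00+00:00,2023-12-19T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,true,2023-09-20T00:00:00+00:00,2024-01-05T00:00:00+00:00,eu-west-1,ec2,false,N/A,false,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible example
MAX_KEY_AGE = timedelta(days=90)                   # rotation threshold (assumed policy)
MAX_IDLE = timedelta(days=90)                      # "unused" threshold (assumed policy)


def _date(value):
    """Report dates are ISO 8601; N/A, no_information and not_supported mean no data."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW):
    """Return (user, finding) pairs for credentials that should be removed,
    rotated or replaced with a role."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console password without MFA (root shows not_supported here, see mfa_active instead).
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root access key {n} is active; delete it"))
            rotated = _date(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days; rotate or replace with a role"))
            last_used = _date(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > MAX_IDLE:
                findings.append((user, f"access key {n} unused for {MAX_IDLE.days}+ days; deactivate, then delete"))
    return findings


def users_with_findings(report_csv, now=NOW):
    return sorted({user for user, _ in audit(report_csv, now)})


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

On the constructed report alice is clean, bob's key has never been used since it was created in 2021, carol has a console password without MFA and a key idle since January, and the root user still has an access key. In a real run, replace SAMPLE_REPORT with the decoded report and deactivate keys before deleting them so that anything still depending on one surfaces as an error rather than silently disappearing.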

Verification

  • Boundaries: aws iam get-role / get-user shows the PermissionsBoundary; aws iam simulate-principal-policy for an action outside the boundary returns implicitDeny even though the identity policy allows it.
  • SCPs: aws organizations list-policies-for-target --target-id <OU or account ID> --filter SERVICE_CONTROL_POLICY lists the attached SCP; a test call in a denied region fails with AccessDenied.
  • Audit: the credential report shows no active unused keys and no keys older than your rotation threshold; Access Analyzer has no unresolved external-access or unused-access findings.

Troubleshooting

Too restrictive (AccessDenied on an action that should work) — Find the layer that denies. An explicit Deny in an SCP or boundary overrides every Allow, and an action absent from the boundary is an implicit deny even when the identity policy allows it; the AccessDenied message usually says whether the deny came from an SCP or a permissions boundary. Loosen the boundary or SCP deliberately, in non-prod first.
Missing permission — Add it to the identity policy only if the boundary already allows it and no SCP denies it; otherwise widen the boundary with a targeted statement rather than removing the boundary.

Next steps

Continue to