IAM Policies that Address Administrative Privileges
Enforcing Least Privilege with IAM Policies
IAM policies drive the architecture within your AWS environment. The scope of these policies needs to be appropriately restricted, with permissions boundaries in place that support the principle of least privilege. Specifically, you must not create an excessive number of policies with full administrative privileges. The CIS AWS Foundations Benchmark recommends first determining what users need to do, and then crafting policies that let the users perform only those tasks, instead of allowing full administrative privileges. It is more secure to start with a minimum set of permissions and add what is needed than to start with permissions that are too lenient and try to take them away later.
For more information, visit the AWS documentation for managing IAM policies.
Identity and Access Management within AWS is a complex topic, and policy assignment is one of its critical features. Because of that complexity, administrators sometimes default to granting all privileges to all users. Best practice is to implement the principle of least privilege: users should be granted access based on their role, and that access should be defined specifically for the resources within the environment, with the permissions each user has on those resources stated explicitly. By using roles, and by attaching specific policies to roles or groups, administrators can define and limit what their users can do and ensure that least privilege is enforced within their environment.
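The following is an added example, not code from the page or from AWS, showing what the full-administrative-privileges check described above looks like when applied to IAM policy documents. It flags any statement that combines Effect "Allow", an Action of "*" (or "*:*"), and a Resource of "*", and it contrasts that anti-pattern with a policy crafted for one task. The three policy documents are constructed samples (the bucket name is made up); in a real account the documents would come from the IAM API, for example the output of aws iam get-policy-version.

```python
"""Audit IAM policy documents for full administrative privileges.

Added example (not from the page or from AWS). A policy is reported as
"full admin" when any statement allows Action "*" (or "*:*") on
Resource "*", which is the combination the CIS AWS Foundations
Benchmark tells you not to attach. Statements that use NotAction or
NotResource are skipped: they never match the check as stated, and
should be reviewed separately.
"""
import json

FULL_ADMIN_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy_document):
    """Return the indexes of statements granting Allow on */* (full admin).

    policy_document may be a JSON string or an already-parsed dict.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = _as_list(doc.get("Statement"))  # a single statement may be a bare object
    offending = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            continue  # not matched by this check; review by hand
        actions = {a.strip().lower() for a in _as_list(stmt.get("Action"))}
        resources = {r.strip() for r in _as_list(stmt.get("Resource"))}
        if actions & FULL_ADMIN_ACTIONS and "*" in resources:
            offending.append(index)
    return offending


def is_full_admin(policy_document):
    """True when at least one statement grants full administrative privileges."""
    return bool(full_admin_statements(policy_document))


def audit(policies):
    """Given {policy_name: policy_document}, return the names that fail the check."""
    return sorted(name for name, doc in policies.items() if is_full_admin(doc))


# --- constructed sample policy documents -----------------------------------

# The anti-pattern: everything on everything.
FULL_ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})

# The benchmark's recommendation: decide the task first (read reports from
# one bucket), then allow only the actions and resources that task needs.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-reports-bucket",        # placeholder bucket name
            "arn:aws:s3:::example-reports-bucket/*",
        ],
    }],
})

# Mixed policy: a harmless read statement followed by a full-admin one, so the
# offending statement index (1) is what an auditor needs to see.
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": ["*:*"], "Resource": ["*"]},
    ],
})

SAMPLE_POLICIES = {
    "AdminEverything": FULL_ADMIN_POLICY,
    "ReportsReadOnly": LEAST_PRIVILEGE_POLICY,
    "OpsWithHiddenAdmin": MIXED_POLICY,
}

if __name__ == "__main__":
    for name in audit(SAMPLE_POLICIES):
        print(f"{name}: full administrative privileges in statement(s) "
              f"{full_admin_statements(SAMPLE_POLICIES[name])}")
```

The check deliberately ignores Deny statements and NotAction/NotResource forms so that it reports exactly the CIS condition and nothing more; a policy like ReportsReadOnly passes because it names both its actions and its resources, which is the shape the benchmark asks you to aim for.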