BlogCloud

AWS IAM least privilege with Access Analyzer

Generate tight IAM policies from real CloudTrail activity and find resources shared outside your account.

Jan 8, 2026·10 min readIntermediate

IAM least privilege is easy to say and hard to do because nobody knows which permissions a role actually uses. AWS gives you two tools that turn guesswork into evidence: Access Analyzer can generate a policy from CloudTrail history, and it flags any resource shared outside your account.

Generate a policy from real usage

Point Access Analyzer at a role's CloudTrail trail and it emits a policy containing only the actions that role actually called over the window — a tight starting point instead of *.

bash — from activity to policylive
aws accessanalyzer start-policy-generation \
--policy-generation-details ...
generated policy: 14 actions across 3 services
was: "s3:*","ec2:*" — now: the 14 it actually uses

Find access that leaves your account

bash — external-access findingslive
aws accessanalyzer list-findings --analyzer-arn ...
S3 bucket acme-backups -> shared with account 9999...
IAM role deploy -> assumable by *
Resource wildcards hide in plain sight
Action scoping gets attention; Resource: "*" does not. Scope resources to specific ARNs, and add conditions (source VPC, MFA, tag) where the action supports them.

Tighten with conditions

policy.json
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::acme-app/*",
"Condition": { "Bool": { "aws:SecureTransport": "true" } }
}
Go deeper in a courseAWS security for DevOps engineersIAM that scales, OIDC federation, and org guardrails.View course

Related posts