AWS IAM Security
Identity & Access Management 2026
Least Privilege, SCPs, Permission Boundaries, OIDC
Least Privilege · SCP · OIDC
AWS IAM Security Pillars
Identity
- IAM Users (avoid!)
- IAM Roles (prefer!)
- Identity Center (SSO)
- Federation (SAML/OIDC)
Access Control
- Least Privilege Policies
- Permission Boundaries
- Service Control Policies
Monitoring
- Access Analyzer
- IAM Access Advisor
- CloudTrail
Terraform IAM Configuration
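# Production-Grade IAM Role with OIDC
#
# Trust policy for a role that GitLab CI jobs assume through the account's
# OIDC provider (sts:AssumeRoleWithWebIdentity). Who may assume it is
# narrowed by two ID-token claims, not by the provider alone:
#   - sub: pins the exact project and branch (group/app, branch "main")
#   - aud: pins the audience the job requested for its token, so a token
#     minted for some other consumer cannot be replayed against this role
#     (the original trust policy checked sub only)
# The account id "123" and the aud value are placeholders: replace both.
resource "aws_iam_role" "app" {
  name = "production-app"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = "arn:aws:iam::123:oidc-provider/gitlab.com" }
      Action    = "sts:AssumeRoleWithWebIdentity"
      # StringEquals (not StringLike) so neither claim can be wildcard-matched.
      Condition = {
        StringEquals = {
          "gitlab.com:sub" = "project_path:group/app:ref_type:branch:ref:main"
          # Must equal the audience the pipeline configures for its ID token.
          "gitlab.com:aud" = "<OIDC_AUDIENCE>"
        }
      }
    }]
  })
}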
# Least Privilege S3 Policy
#
# Inline policy attached to aws_iam_role.app. It allows object read and
# write (GetObject/PutObject) under the "app/" prefix of a single bucket
# and nothing else: no bucket-level, list, or delete permissions.
# "bucket-name" is a placeholder for the real bucket.
resource "aws_iam_role_policy" "s3" {
  name = "s3-access"
  role = aws_iam_role.app.id

  # Same policy document as before, written as a JSON heredoc instead of
  # being built with jsonencode().
  policy = <<-POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SpecificBucketOnly",
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": "arn:aws:s3:::bucket-name/app/*"
        }
      ]
    }
  POLICY
}
Service Control Policies
# Deny Root Account Usage (applies to member accounts only: SCPs never restrict the management account)
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyRoot",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": ["arn:aws:iam::*:root"]
}
}
}]
}
# Require MFA for Sensitive Operations (aws:MultiFactorAuthPresent reflects AWS-side MFA only; sessions federated through SAML/OIDC, including Identity Center, are denied by this statement regardless of MFA at the IdP)
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "RequireMFA",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"cloudtrail:StopLogging"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}]
}