Least privilege is easy to say and hard to operationalize. The best approach is to use a small set of patterns that you can repeat across teams and systems.
This guide covers practical least-privilege patterns for both humans and services.
1. Human access: SSO and role-based access
Human access should be centralized and short-lived.
Practical steps:
- Use IAM Identity Center or your IdP for SSO.
- Define a small, shared set of permission sets such as Admin, ReadOnly and Deploy rather than per-person policies; people get access through group membership, not individual grants.
- Require MFA for privileged role assumption.
2. Human access: just-in-time admin
Admin access should be time-bound and audited.
Practical steps:
- Use a separate break-glass role with step-up authentication (a fresh MFA challenge, not the existing SSO session alone) and a short maximum session duration.
- Require approval for admin elevation, recorded with the requester, the approver and the expiry.
- Log every admin session in CloudTrail and alert on each assumption of the break-glass role.
3. Service access: role per workload
Each service gets its own role. Services never share credentials, and never use long-lived access keys where a role can be attached instead.
Practical steps:
- Use task roles for ECS and instance profiles for EC2.
- Use IAM Roles for Service Accounts (IRSA) for EKS workloads, with the trust policy pinned to one namespace and one service account.
- Keep permissions scoped to the service's own resources (specific ARNs, not Resource "*").
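The IRSA step above depends on the trust policy being pinned correctly; a wildcard in the subject condition quietly turns a per-workload role back into a shared one. The following is an added example, not code from this page or from AWS: it builds an IRSA trust policy and checks it for the two mistakes that matter most. The account ID, OIDC provider ID, namespace and service account name are hypothetical placeholders.

```python
"""Build and sanity-check an IRSA (IAM Roles for Service Accounts) trust policy.

Added example, not AWS code. OIDC_PROVIDER and ACCOUNT_ID are hypothetical
placeholders; substitute the provider ID printed by
`aws eks describe-cluster --query cluster.identity.oidc.issuer`.
"""
import json

OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "111122223333"


def irsa_trust_policy(namespace, service_account):
    """Trust policy that lets exactly one Kubernetes service account assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                # aud: only tokens minted for STS are accepted
                f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                # sub: the one service account allowed to use this role
                f"{OIDC_PROVIDER}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def irsa_trust_issues(policy):
    """Return a list of problems with a trust policy; an empty list means it is scoped."""
    issues = []
    for st in policy.get("Statement", []):
        if st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        # Flatten {operator: {key: value}} into key -> (operator, value)
        keys = {}
        for operator, pairs in st.get("Condition", {}).items():
            for key, value in pairs.items():
                keys[key] = (operator, value)
        sub = next((v for k, v in keys.items() if k.endswith(":sub")), None)
        aud = next((v for k, v in keys.items() if k.endswith(":aud")), None)
        if aud is None:
            issues.append("no ':aud' condition: tokens issued for other audiences are accepted")
        if sub is None:
            issues.append("no ':sub' condition: every service account behind this provider can assume the role")
        else:
            operator, value = sub
            if operator != "StringEquals":
                issues.append(f"':sub' uses {operator}; prefer StringEquals with an exact service account")
            for v in (value if isinstance(value, list) else [value]):
                if "*" in v or "?" in v:
                    issues.append(f"wildcarded ':sub' {v!r} matches more than one service account")
    return issues


if __name__ == "__main__":
    good = irsa_trust_policy("billing", "billing-api")
    print(json.dumps(good, indent=2))
    print("issues:", irsa_trust_issues(good))  # []
```

Run the checker against `aws iam get-role --query Role.AssumeRolePolicyDocument` output across your roles to find the ones that were "temporarily" opened up with a StringLike wildcard.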
4. Use permission boundaries for admin roles
A permission boundary caps a role: its effective permissions are the intersection of its identity policies and the boundary, so a broad Admin or CI/CD policy can never exceed the boundary. The boundary alone grants nothing.
Practical steps:
- Write the boundary as an allowlist of the services the role legitimately needs, plus explicit Deny statements for the risky actions.
- Attach the boundary to admin and CI/CD roles, and deny those roles the ability to escape it: block iam:PutRolePermissionsBoundary and iam:DeleteRolePermissionsBoundary, and allow iam:CreateRole and iam:AttachRolePolicy only when the iam:PermissionsBoundary condition key equals the boundary's ARN.
- Keep the boundary short and clear; a boundary nobody can read is a boundary nobody will maintain.
5. Use resource policies for shared services
A resource policy is attached to the thing being protected, so it gives one place to see and control who can reach it, no matter how many identity policies exist across accounts.
Practical steps:
- Use S3 bucket policies to restrict access by role.
- Use KMS key policies to control who can use and who can administer each key; the key policy is the primary access control for a key, and IAM policies only apply to it when the key policy delegates to them.
- Use EventBridge resource policies for cross-account access.
5a. Pattern: CI/CD roles with limited scope
CI/CD roles often become overpowered if not scoped.
Practical steps:
- Create separate roles for build and deploy
- Restrict deploy roles to specific accounts and services
- Require approvals for production role assumption
6. Use session tags for ABAC
Attribute-based access control scales better than one role per team: a single policy compares tags on the calling principal with tags on the resource.
Practical steps:
- Tag users and roles with team and environment.
- Reference the tags in policy conditions (aws:PrincipalTag on the caller, aws:ResourceTag on the target) and supply them as session tags at role assumption or from your IdP's SAML or OIDC assertion.
- Keep the tag standard small (for example team and environment) and enforce it, because an untagged resource silently falls out of every ABAC policy.
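Three of the patterns above (MFA-gated assumption in sections 1 and 2, the boundary intersection in section 4, and the tag match in section 6) all come down to how IAM evaluates a policy against a request. The block below is an added example, not code from this page or from AWS: a deliberately small model of that evaluation, just enough to show each pattern allowing and denying as described. The account ID, role names and table ARN are hypothetical, and the model covers only Allow/Deny, wildcard matching, the Bool and StringEquals operators and ${aws:PrincipalTag/...} substitution; SCPs, resource policies and the other operators are out of scope, so use the IAM policy simulator for authoritative answers.

```python
"""Minimal model of IAM policy evaluation for three patterns in this guide.

Added example, not AWS code. Models only Effect Allow/Deny, wildcard
Action/Resource matching, Bool and StringEquals conditions and
${aws:PrincipalTag/...} substitution. ARNs and the account ID are hypothetical.
"""
from fnmatch import fnmatchcase


def _expand(value, ctx):
    """Resolve a policy variable such as ${aws:PrincipalTag/team} from the request context."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_ok(cond, ctx):
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual != _expand(expected, ctx):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, ctx):
    """Decision for one policy document: 'Allow', 'Deny' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", "*")  # trust policies carry no Resource element
        resources = resources if isinstance(resources, list) else [resources]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def effective(identity_policy, boundary, action, resource, ctx):
    """With a permission boundary attached, a request needs an Allow from BOTH documents."""
    decisions = {evaluate(identity_policy, action, resource, ctx),
                 evaluate(boundary, action, resource, ctx)}
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if decisions == {"Allow"} else "ImplicitDeny"


# Sections 1-2: the Admin role's trust policy only accepts MFA-backed callers.
ADMIN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# Section 4: a broad identity policy capped by a short, readable boundary.
ADMIN_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ADMIN_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"}]}

# Section 6: one ABAC policy serves every team through a tag match.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:*:*:table/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}}]}


def assume_admin(mfa_present):
    return evaluate(ADMIN_TRUST, "sts:AssumeRole", "*",
                    {"aws:MultiFactorAuthPresent": mfa_present})


def admin_can(action):
    return effective(ADMIN_IDENTITY, ADMIN_BOUNDARY, action, "*", {})


def team_can_read(principal_team, resource_team):
    ctx = {"aws:PrincipalTag/team": principal_team, "aws:ResourceTag/team": resource_team}
    return evaluate(ABAC_POLICY, "dynamodb:GetItem",
                    "arn:aws:dynamodb:us-east-1:111122223333:table/orders", ctx)


if __name__ == "__main__":
    print("AssumeRole without MFA:", assume_admin(False))       # ImplicitDeny
    print("Admin s3:GetObject:", admin_can("s3:GetObject"))     # Allow
    print("Admin iam:CreateUser:", admin_can("iam:CreateUser")) # Deny
    print("Admin kms:Decrypt:", admin_can("kms:Decrypt"))       # ImplicitDeny
    print("billing reads reporting:", team_can_read("billing", "reporting"))  # ImplicitDeny
```

The kms:Decrypt case is the one people miss: the Admin identity policy allows it, nothing denies it, and the request still fails because the boundary never allowed KMS. That is the boundary doing its job, and it is why boundaries need to be readable.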
7. Review access on a schedule
Least privilege decays over time.
Practical steps:
- Review admin access quarterly, and remove anything whose owner cannot say why it is still needed.
- Remove unused roles and stale keys; the IAM credential report and each role's last-used date show what has not been touched.
- Use IAM Access Analyzer to find resources shared outside your accounts and to surface unused roles, keys and permissions.
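The stale-key step above is mechanical enough to script. The block below is an added example, not code from this page or from AWS: it parses a credential report and flags keys that have not been used or rotated within a threshold, plus console users without MFA. The CSV is a constructed sample in the column layout of `aws iam get-credential-report` (which returns the report base64-encoded; decode it and pass the text in). The 90-day and 365-day thresholds and the fixed "now" are assumptions to tune to your own policy.

```python
"""Flag stale and risky IAM user credentials from an IAM credential report.

Added example, not AWS code. SAMPLE_REPORT is a constructed CSV in the
credential report's column layout; thresholds are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-06-01T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-legacy,arn:aws:iam::111122223333:user/ci-legacy,2019-07-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-02-01T00:00:00+00:00,2023-09-15T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-11-20T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-20T00:00:00+00:00,2024-06-02T07:30:00+00:00,us-east-1,ecs,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def _parse(ts):
    """Timestamp from the report, or None for N/A, no_information and not_supported."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None


def find_stale_credentials(report_csv, now=NOW, unused_days=90, rotation_days=365):
    """Return {user: [finding, ...]}; users with no findings are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        if user == "<root_account>" and row["mfa_active"] != "true":
            issues.append("root account without MFA")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            used = _parse(row[f"access_key_{n}_last_used_date"])
            # A key that has never been used is as stale as one unused past the threshold
            if used is None or now - used > timedelta(days=unused_days):
                issues.append(f"access key {n} unused for more than {unused_days} days")
            if rotated is None or now - rotated > timedelta(days=rotation_days):
                issues.append(f"access key {n} not rotated for more than {rotation_days} days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in find_stale_credentials(SAMPLE_REPORT).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Roles are not in the credential report; check them separately with the RoleLastUsed field that `aws iam get-role` returns, using the same idea of a usage threshold.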
8. Keep policies readable
If policies are unreadable, they are not maintainable.
Practical steps:
- Use service-specific policies instead of one large policy.
- Avoid wildcards unless the service requires them; some actions, mostly Describe and List calls, only accept Resource "*", and everything else gets specific ARNs.
- Name policies by purpose and scope.
Audit and logging baseline
Access control is only useful if it is auditable.
Practical steps:
- Log every role assumption in CloudTrail (AssumeRole, AssumeRoleWithSAML and AssumeRoleWithWebIdentity) through an organization trail so no account is missed
- Alert on high-risk IAM changes such as AttachRolePolicy, PutRolePolicy, UpdateAssumeRolePolicy, CreateAccessKey and any change to a permissions boundary
- Keep access reviews in a shared log so the approver, the reason and the expiry can be checked later
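The two alerting steps above are simple rules over CloudTrail records. The block below is an added example, not code from this page or from AWS: three constructed events shaped like CloudTrail management events (eventSource, eventName, userIdentity, requestParameters) are run through a detector that flags break-glass role assumptions, assumptions without MFA, and high-risk IAM calls. The account ID, role names and the break-glass role ARN are hypothetical; in production the events would come from CloudTrail Lake, S3 log delivery or EventBridge and the alerts would go to your SIEM.

```python
"""Detection rules for the audit baseline, run over sample CloudTrail records.

Added example, not AWS code. SAMPLE_EVENTS are constructed records; ARNs and
the account ID are hypothetical placeholders.
"""
import json

# Section 2's break-glass role: every assumption is an alert, MFA or not.
BREAK_GLASS_ROLES = {"arn:aws:iam::111122223333:role/BreakGlassAdmin"}

# IAM calls that widen access or weaken a guardrail.
HIGH_RISK_IAM_EVENTS = {
    "AttachRolePolicy", "AttachUserPolicy", "PutRolePolicy", "PutUserPolicy",
    "UpdateAssumeRolePolicy", "CreateAccessKey", "CreateUser",
    "PutRolePermissionsBoundary", "DeleteRolePermissionsBoundary",
    "DeleteUserPermissionsBoundary",
}

SAMPLE_EVENTS = [
    # 1. ReadOnly session (no MFA) chaining into the break-glass role
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/BreakGlassAdmin",
                           "roleSessionName": "alice"}},
    # 2. CI role attaching AdministratorAccess to itself
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
     "requestParameters": {"roleName": "Deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # 3. Ordinary data access; should produce nothing
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Reporting/job"},
     "requestParameters": {"bucketName": "reports", "key": "daily.csv"}},
]


def detect(event):
    """Return a list of (severity, message) alerts for one CloudTrail record."""
    alerts = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity", {})
    actor = identity.get("arn", "unknown")
    if event.get("eventSource") == "sts.amazonaws.com" and name == "AssumeRole":
        target = params.get("roleArn", "")
        attrs = identity.get("sessionContext", {}).get("attributes", {})
        # MFA shows up either on the calling session or as the MFA device passed to AssumeRole
        mfa = attrs.get("mfaAuthenticated") == "true" or "serialNumber" in params
        if target in BREAK_GLASS_ROLES:
            alerts.append(("high", f"break-glass role {target} assumed by {actor}"))
        if not mfa:
            alerts.append(("medium", f"{actor} assumed {target} without MFA"))
    if event.get("eventSource") == "iam.amazonaws.com" and name in HIGH_RISK_IAM_EVENTS:
        alerts.append(("high", f"{actor} called iam:{name} {json.dumps(params, sort_keys=True)}"))
    return alerts


def run(events):
    """Evaluate a batch of records and return every alert in order."""
    return [alert for event in events for alert in detect(event)]


if __name__ == "__main__":
    for severity, message in run(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Event 2 is the case the CI/CD pattern in section 5a is meant to prevent: a deploy role that can call AttachRolePolicy on itself has no ceiling. A permission boundary on that role stops the call; the alert is what tells you someone tried.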
Service-to-service allowlists
For critical services, explicit allowlists reduce surprises.
Practical steps:
- Allow only specific roles to access core data stores
- Use resource policies to enforce the allowlist, for example a Deny statement on the S3 bucket policy or KMS key policy whose condition exempts only the allowlisted role ARNs (aws:PrincipalArn), so a new identity policy elsewhere cannot widen access
- Review the allowlist quarterly
Example: database access pattern
Keep data access scoped to the services that own the data.
Example:
- Billing service role can read/write billing tables
- Reporting service role has read-only access
- Admin role can access only through a break-glass path
Access request workflow
Least privilege is easier when requests are structured.
Practical steps:
- Use a standard access request form
- Require a reason and a time limit
- Review and revoke access on schedule
Short-lived access requests reduce risk and make audits easier. They also make it clear who approved access and for how long.
Common anti-patterns
These patterns expand risk and make access hard to audit.
Anti-patterns:
- Shared admin users for multiple people
- Service credentials stored in repos or wikis
- Policies that use “*” for actions and resources
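Section 8 and the last anti-pattern above come down to the same question: does a policy grant more than the workload calls? The block below is an added example, not code from this page or from AWS: a small linter that flags Action "*", service-wide wildcards, Resource "*" on actions that accept an ARN, NotAction/NotResource grants, and policies sprawling across many services. The two policies are constructed, and the set of actions treated as resource-agnostic is an illustrative assumption; in practice take that list from the service authorization reference.

```python
"""Lint IAM policy documents for over-broad and hard-to-read statements.

Added example, not AWS code. OVERBROAD and SCOPED are constructed policies;
RESOURCE_AGNOSTIC is an illustrative assumption, not a complete list.
"""

# Actions that only accept Resource "*" (assumption; source the real list per service).
RESOURCE_AGNOSTIC = {"ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "s3:ListAllMyBuckets"}
MAX_SERVICES_PER_POLICY = 3  # readability threshold, an assumption


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (statement_index, finding); -1 marks a policy-wide finding."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue  # a wildcard in an explicit Deny is a guardrail, not a finding
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "NotAction/NotResource grants everything except the list; rewrite as an allowlist"))
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if a == "*":
                findings.append((i, "Action '*' grants every API in every service"))
            elif a.endswith(":*"):
                findings.append((i, f"service-wide wildcard {a!r}; list the actions the workload calls"))
        if "*" in resources and not all(a in RESOURCE_AGNOSTIC for a in actions):
            findings.append((i, "Resource '*' on actions that accept an ARN; scope to the service's resources"))
    services = {a.split(":")[0] for st in policy["Statement"]
                for a in _as_list(st.get("Action", [])) if ":" in a}
    if len(services) > MAX_SERVICES_PER_POLICY:
        findings.append((-1, f"policy spans {len(services)} services; split it per service so each stays readable"))
    return findings


OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::billing-data/*"},
]}

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::billing-data/*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for name, policy in (("OVERBROAD", OVERBROAD), ("SCOPED", SCOPED)):
        print(name, lint_policy(policy) or "clean")
```

Point it at `aws iam get-policy-version` output for your customer-managed policies and at inline role policies; the Deny-with-wildcard case is deliberately skipped so the guardrail statements from sections 4 and 5 do not show up as noise.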
Starter plan for cleanup
If access sprawl is already present, use a short cleanup plan.
Starter plan:
- Inventory all admin principals
- Move humans to SSO roles
- Replace shared access keys with roles
- Remove unused roles and keys
Quick checklist
- SSO and MFA for human access
- Roles per service with scoped permissions
- Permission boundaries for admin roles
- Access reviews on a schedule
- Policies documented and readable
Closing thought
Least privilege works when it is built into patterns people can follow. Use SSO for humans, roles for services, and small policy boundaries for safety. Those patterns reduce risk without slowing delivery.
If you want help designing least-privilege roles or cleaning up access sprawl, we can help. We focus on practical patterns that fit your team. Reach out through our consulting page to start a quick conversation.