Least privilege is easy to say and hard to operationalize. The best approach is to use a small set of patterns that you can repeat across teams and systems.

This guide covers practical least-privilege patterns for both humans and services.

1. Human access: SSO and role-based access

Human access should be centralized and short-lived.

Practical steps:

  • Use IAM Identity Center or your IdP for SSO.
  • Create roles like Admin, ReadOnly, and Deploy.
  • Require MFA for privileged role assumption.

2. Human access: just-in-time admin

Admin access should be time-bound and audited.

Practical steps:

  • Use a break-glass role with step-up auth.
  • Require approval for admin elevation.
  • Log and alert on every admin session.

3. Service access: role per workload

Services should not share credentials.

Practical steps:

  • Use task roles for ECS and instance profiles for EC2.
  • Use IRSA for EKS workloads.
  • Keep permissions scoped to the service’s resources.

4. Use permission boundaries for admin roles

Boundaries reduce the blast radius of broad roles.

Practical steps:

  • Create a boundary that blocks risky actions.
  • Attach boundaries to admin and CI/CD roles.
  • Keep the boundary short and clear.
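
The reason a boundary limits blast radius is that a role's effective permissions are the intersection of its identity policy and its permissions boundary, and an explicit Deny in either wins. The following Python model is an added example, not part of this guide or any AWS library: the boundary and deploy-role policies are constructed, and the evaluator is a deliberately simplified version of IAM's logic (action wildcards only, resources matched as exact ARN or "*").

```python
"""Effective-permission check for an identity policy under a permissions boundary.

Simplified model of the AWS evaluation logic: an explicit Deny anywhere wins;
otherwise the request is allowed only if BOTH the identity policy and the
boundary contain a matching Allow.  Added example with constructed policies.
"""
import fnmatch
import json

# Boundary for admin and CI/CD roles: broad Allow, with the risky actions carved
# out by explicit Deny so that no identity policy can ever grant them.
ADMIN_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:CreateAccessKey",
                "iam:PutRolePermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary",
                "organizations:LeaveOrganization",
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
            ],
            "Resource": "*",
        },
    ],
}

# Identity policy on a deploy role, constructed over-broad on purpose so the
# boundary's effect is visible.
DEPLOY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "iam:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    # IAM action names are case-insensitive; "*" and "service:*" are the usual wildcards.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_ok = any(r == "*" or r == resource for r in resources)
    return action_ok and resource_ok


def _policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            decision = "Allow"
    return decision


def is_allowed(identity_policy, boundary, action, resource="*"):
    """Effective permission: Allow in the identity policy AND Allow in the boundary,
    with no explicit Deny in either."""
    identity = _policy_decision(identity_policy, action, resource)
    bound = _policy_decision(boundary, action, resource)
    if "Deny" in (identity, bound):
        return False
    return identity == "Allow" and bound == "Allow"


if __name__ == "__main__":
    for action in ("ecs:UpdateService", "iam:CreateAccessKey", "s3:GetObject"):
        print(f"{action:24} -> {is_allowed(DEPLOY_ROLE_POLICY, ADMIN_BOUNDARY, action)}")
    print(json.dumps(ADMIN_BOUNDARY, indent=2))
```

The deploy role's `iam:*` grant does not help it create access keys, because the boundary denies that action; and `s3:GetObject` stays denied even though the boundary allows it, because the identity policy never grants it. Keeping the Deny list short, as the step above says, is what keeps this reasoning checkable by a human.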

5. Use resource policies for shared services

Resource policies provide central control over access.

Practical steps:

  • Use S3 bucket policies to restrict access by role.
  • Use KMS key policies to control encryption access.
  • Use EventBridge resource policies for cross-account access.

5a. Pattern: CI/CD roles with limited scope

CI/CD roles often become overpowered if not scoped.

Practical steps:

  • Create separate roles for build and deploy.
  • Restrict deploy roles to specific accounts and services.
  • Require approvals for production role assumption.

6. Use session tags for ABAC

Attribute-based access control is useful for large teams.

Practical steps:

  • Tag users and roles with team and environment.
  • Use session tags in IAM policies.
  • Keep tag standards simple.
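
To show what the three steps above look like in a policy, here is an added Python example (not from this guide or from AWS): it builds a team- and environment-scoped permissions policy, the SAML trust policy that lets the IdP set session tags, and a small check that evaluates the tag condition the way IAM's StringEquals does. The condition keys `aws:ResourceTag/<key>` and `aws:PrincipalTag/<key>` and the `sts:TagSession` action are real; the tag values and the IdP ARN are constructed.

```python
"""ABAC with session tags: a permissions policy scoped by team and environment,
the trust policy that allows session tags, and a condition check for a session.
Added example with constructed tag values."""
import re

TAG_KEYS = ("team", "environment")  # a small tag standard is easier to keep correct


def team_scoped_policy():
    """Allow instance lifecycle actions only where the instance's team and
    environment tags equal the tags carried on the caller's session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SameTeamSameEnvironment",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {
                f"aws:ResourceTag/{key}": f"${{aws:PrincipalTag/{key}}}" for key in TAG_KEYS
            }},
        }],
    }


def saml_trust_policy(idp_provider_arn):
    """Trust policy for a SAML-federated role.  sts:TagSession is what permits the
    IdP assertion to set session tags on the role session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": idp_provider_arn},
            "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


_VARIABLE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/key} policy variables from the session tags.
    Returns None when a referenced tag is absent from the session, so the
    comparison fails, as an unresolvable variable does in IAM."""
    missing = False

    def repl(match):
        nonlocal missing
        tag = principal_tags.get(match.group(1))
        if tag is None:
            missing = True
            return ""
        return tag

    resolved = _VARIABLE.sub(repl, value)
    return None if missing else resolved


def condition_holds(statement, principal_tags, resource_tags):
    """Evaluate a StringEquals block keyed on aws:ResourceTag/<key>.  A resource
    without the tag fails the condition because the key is simply absent."""
    for cond_key, expected in statement["Condition"]["StringEquals"].items():
        tag = cond_key.split("/", 1)[1]
        actual = resource_tags.get(tag)
        wanted = _resolve(expected, principal_tags)
        if actual is None or wanted is None or actual != wanted:
            return False
    return True


def can_manage_instance(session_tags, instance_tags):
    """Decision for the single statement in team_scoped_policy()."""
    return condition_holds(team_scoped_policy()["Statement"][0], session_tags, instance_tags)


if __name__ == "__main__":
    session = {"team": "payments", "environment": "prod"}   # constructed session tags
    print(can_manage_instance(session, {"team": "payments", "environment": "prod"}))  # True
    print(can_manage_instance(session, {"team": "search", "environment": "prod"}))    # False
```

Two properties worth noticing: an instance that was never tagged is unreachable through this policy, which is the safe default, and a session whose tags the IdP failed to set is likewise denied. Both are reasons to keep the tag set to a couple of keys that the IdP reliably populates.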

7. Review access on a schedule

Least privilege decays over time.

Practical steps:

  • Review admin access quarterly.
  • Remove unused roles and stale keys.
  • Use Access Analyzer to find unintended access.

8. Keep policies readable

If policies are unreadable, they are not maintainable.

Practical steps:

  • Use service-specific policies instead of one large policy.
  • Avoid wildcards unless the service requires them.
  • Name policies by purpose and scope.

Audit and logging baseline

Access control is only useful if it is auditable.

Practical steps:

  • Log role assumptions in CloudTrail.
  • Alert on high-risk policy changes.
  • Keep access reviews in a shared log.
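
The first two steps above, together with "log and alert on every admin session" from section 2, come down to a small set of rules over CloudTrail records. The Python below is an added example, not from this guide or from AWS: the three records are constructed, but their `eventSource`, `eventName` and field names follow the CloudTrail record format, and the IAM and CloudTrail API names in the high-risk sets are real. The admin-role naming pattern is an assumption to adjust to your own role names.

```python
"""Detection over CloudTrail records: alert on every assumption of an admin or
break-glass role (louder when the caller had no MFA), on IAM calls that change
permissions, and on calls that weaken logging.  Added example on constructed records."""
import json
import re

ADMIN_ROLE_PATTERN = re.compile(r":role/(Admin|BreakGlass)[^/]*$")  # assumption: your naming

HIGH_RISK_IAM_EVENTS = {
    "AttachRolePolicy", "PutRolePolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy",
    "PutRolePermissionsBoundary", "DeleteRolePermissionsBoundary", "CreateAccessKey",
}
HIGH_RISK_TRAIL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# Constructed records, not real CloudTrail output.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin",
                           "roleSessionName": "alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Deploy/ci-run-42"},
     "requestParameters": {"roleName": "Deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "UpdateService",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Deploy/ci-run-42"},
     "requestParameters": {"service": "billing-api"}},
]


def _mfa_present(record):
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def alerts_for(records):
    """Return (severity, message) tuples for the records that match a rule."""
    alerts = []
    for r in records:
        src, name = r.get("eventSource"), r.get("eventName")
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        params = r.get("requestParameters", {})
        if src == "sts.amazonaws.com" and name == "AssumeRole":
            role = params.get("roleArn", "")
            if ADMIN_ROLE_PATTERN.search(role):
                mfa = _mfa_present(r)
                alerts.append(("info" if mfa else "high",
                               f"admin session: {actor} assumed {role} (mfa={'yes' if mfa else 'no'})"))
        elif src == "iam.amazonaws.com" and name in HIGH_RISK_IAM_EVENTS:
            alerts.append(("high",
                           f"permission change: {actor} called iam:{name} {json.dumps(params, sort_keys=True)}"))
        elif src == "cloudtrail.amazonaws.com" and name in HIGH_RISK_TRAIL_EVENTS:
            alerts.append(("critical", f"logging change: {actor} called cloudtrail:{name}"))
    return alerts


if __name__ == "__main__":
    for severity, message in alerts_for(SAMPLE_RECORDS):
        print(f"[{severity}] {message}")
```

Every admin assumption produces at least an info-level record so the "shared log" of the third step fills itself; the severity only rises when the session lacks MFA. Run against real trails, the AssumeRole rule should also be keyed on the role ARNs of your IAM Identity Center permission sets, since those are the admin paths for SSO users.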

Service-to-service allowlists

For critical services, explicit allowlists reduce surprises.

Practical steps:

  • Allow only specific roles to access core data stores.
  • Use resource policies to enforce the allowlist.
  • Review the allowlist quarterly.

Example: database access pattern

Keep data access scoped to the services that own the data.

Example:

  • Billing service role can read/write billing tables.
  • Reporting service role has read-only access.
  • Admin role can access only through a break-glass path.

Access request workflow

Least privilege is easier when requests are structured.

Practical steps:

  • Use a standard access request form.
  • Require a reason and a time limit.
  • Review and revoke access on schedule.

Short-lived access requests reduce risk and make audits easier. They also make it clear who approved access and for how long.

Common anti-patterns

These patterns expand risk and make access hard to audit.

Anti-patterns:

  • Shared admin users for multiple people.
  • Service credentials stored in repos or wikis.
  • Policies that use “*” for actions and resources.
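
The wildcard anti-pattern above and the readability steps in section 8 can both be checked mechanically before a policy is attached. The Python linter below is an added example, not from this guide or from AWS: the two policy documents are constructed, and the set of actions that genuinely need `Resource: "*"` (actions with no resource-level permission support, such as `ec2:DescribeInstances`) is illustrative rather than complete; the service authorization reference is the source of truth for your services.

```python
"""Wildcard and readability linter for IAM policy documents.  Flags Action "*",
service-wide "service:*", NotAction/NotResource, and Resource "*" on actions
that support resource-level scoping.  Added example on constructed policies."""

# Illustrative set of actions that only work with Resource "*"; extend from the
# service authorization reference for the services you use.
REQUIRES_STAR_RESOURCE = {
    "ec2:DescribeInstances", "s3:ListAllMyBuckets", "sts:GetCallerIdentity",
    "kms:ListKeys", "iam:ListRoles",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, finding) tuples for Allow statements that are broader than
    they need to be.  Deny statements are skipped: wildcards there narrow access."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything not listed; use explicit lists"))
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append((sid, 'Action "*" grants every API in every service'))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard {action}; list the actions the workload calls"))
        if "*" in resources:
            scopable = [a for a in actions if "*" not in a and a not in REQUIRES_STAR_RESOURCE]
            if scopable:
                findings.append((sid, 'Resource "*" on actions that support resource-level scoping: '
                                      + ", ".join(scopable)))
    return findings


# Constructed policies: one with the anti-patterns, one written per section 8.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ServiceWide", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "DescribeOnly", "Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "Objects", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
        {"Sid": "MfaGuardRail", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BillingServiceObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::billing-data-example/*"},
        {"Sid": "BillingServiceListBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::billing-data-example"},
    ],
}

if __name__ == "__main__":
    for sid, finding in lint_policy(OVERBROAD_POLICY):
        print(f"{sid}: {finding}")
    print("scoped policy findings:", lint_policy(SCOPED_POLICY))
```

The `DescribeOnly` statement passes on purpose: that is the "unless the service requires them" case from section 8, and an allowlist of such actions keeps the linter from training people to ignore it. Naming statements with a `Sid` that states purpose and scope, as the scoped policy does, is what makes the findings readable back to an owner.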

Starter plan for cleanup

If access sprawl is already present, use a short cleanup plan.

Starter plan:

  • Inventory all admin principals.
  • Move humans to SSO roles.
  • Replace shared access keys with roles.
  • Remove unused roles and keys.
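
The last step of the cleanup plan and the "remove unused roles and stale keys" step of the scheduled review in section 7 need the same input: when each credential and role was last used. The Python below is an added example, not from this guide or from AWS, working over constructed rows whose column names mirror a subset of the IAM credential report (`password_last_used`, `access_key_1_last_used_date`, and the report's `N/A` placeholder) and the `RoleLastUsed.LastUsedDate` field returned for a role; the values are made up.

```python
"""Scheduled access review: flag console passwords, access keys and roles that
have not been used inside the review window.  Added example on constructed
inventory rows shaped like the IAM credential report and role metadata."""
from datetime import datetime, timedelta, timezone

REVIEW_WINDOW = timedelta(days=90)

# Constructed rows (subset of credential report columns).  The report reports
# "N/A" for a credential that has never been used.
CREDENTIAL_REPORT = [
    {"user": "alice", "password_enabled": "true",
     "password_last_used": "2024-04-28T09:12:00+00:00",
     "access_key_1_active": "true", "access_key_1_last_used_date": "2023-11-02T11:00:00+00:00"},
    {"user": "bob", "password_enabled": "true",
     "password_last_used": "2024-04-29T08:00:00+00:00",
     "access_key_1_active": "true", "access_key_1_last_used_date": "2024-04-30T07:30:00+00:00"},
    {"user": "ci-legacy", "password_enabled": "false", "password_last_used": "N/A",
     "access_key_1_active": "true", "access_key_1_last_used_date": "N/A"},
]

# Constructed role inventory: (RoleName, RoleLastUsed.LastUsedDate or None if never used).
ROLE_INVENTORY = [
    ("Deploy", "2024-04-30T06:00:00+00:00"),
    ("OldMigrationRole", "2023-08-01T12:00:00+00:00"),
    ("NeverUsedRole", None),
]


def _parse(timestamp):
    """Credential report placeholders ("N/A", "no_information") mean no recorded use."""
    if timestamp in (None, "N/A", "no_information"):
        return None
    return datetime.fromisoformat(timestamp)


def stale_findings(report, roles, now, window=REVIEW_WINDOW):
    """Return (kind, name, reason) for every credential or role unused since now - window."""
    cutoff = now - window
    findings = []
    for row in report:
        if row.get("password_enabled") == "true":
            last = _parse(row.get("password_last_used"))
            if last is None or last < cutoff:
                findings.append(("user", row["user"], "console password unused in window"))
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") == "true":
                last = _parse(row.get(f"access_key_{slot}_last_used_date"))
                if last is None or last < cutoff:
                    findings.append(("user", row["user"], f"access key {slot} unused in window"))
    for name, last_used in roles:
        last = _parse(last_used)
        if last is None or last < cutoff:
            findings.append(("role", name, "role unused in window"))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed review date
    for kind, name, reason in stale_findings(CREDENTIAL_REPORT, ROLE_INVENTORY, now):
        print(f"{kind:5} {name:18} {reason}")
```

A key that has never been used is flagged the same as one that went quiet, which is deliberate: "never used" is the most common state of a forgotten shared key. Record each finding and its disposition in the shared review log so the next quarter's run starts from a known state rather than from scratch.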

Quick checklist

  • SSO and MFA for human access.
  • Roles per service with scoped permissions.
  • Permission boundaries for admin roles.
  • Access reviews on a schedule.
  • Policies documented and readable.

Closing thought

Least privilege works when it is built into patterns people can follow. Use SSO for humans, roles for services, and small policy boundaries for safety. Those patterns reduce risk without slowing delivery.

If you want help designing least-privilege roles or cleaning up access sprawl, we can help. We focus on practical patterns that fit your team. Reach out through our consulting page to start a quick conversation.