Why Admin Access Is Dangerous in AWS
Admin access in AWS means one compromised key can delete everything. Here's why and how to fix it.
What this problem means
AdministratorAccess (or similar full-access policies) grants control over your entire AWS account. One compromised key—phished, leaked, or stolen—can delete resources, exfiltrate data, or rack up bills. The blast radius is your entire account.
Why this is dangerous
- Blast radius: A single compromised key can delete everything.
- Compliance: SOC2, ISO 27001, and customers expect least privilege.
- Audit failures: Overly permissive IAM is a common finding in security reviews.
Real-world example
A startup used a single IAM user with full admin for all developers and CI/CD. When a developer's key was phished, the attacker had access to everything: databases, S3 buckets, IAM itself. The startup had to rotate all credentials and rebuild trust. Least privilege would have limited the damage to a single service.
How to fix it
1. Create a role per service: e.g., `lambda-api-role` that can only invoke Lambda and read from a specific S3 bucket.
2. Avoid wildcards: Prefer `s3:GetObject` on `arn:aws:s3:::my-bucket/*` over `s3:*` on `*`.
3. Use conditions: Restrict by IP, MFA, or resource tags where possible.
4. Review regularly: Audit permissions quarterly. Remove unused roles and policies.
5. No shared admin: Don't use one admin user for everyone. Use IAM roles and role assumption instead.
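
As an added example (not code from the original page), the Python check below flags the wildcard patterns from step 2 in an IAM policy document and notes whether a wildcard resource has a condition, as in step 3. Both sample policies are constructed for illustration; the finding strings are this example's own wording.

```python
# Constructed sample policies (not from any real account).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": {  # a single statement object is valid, not only a list
        "Sid": "ReadOneBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    },
}


def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return (statement id, finding) tuples for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny narrows access rather than widening it
        sid = stmt.get("Sid", f"statement[{i}]")
        # NotAction/NotResource in an Allow grant everything except what is listed.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((sid, f"{key} used in Allow"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "all actions (*)"))
            elif action.endswith(":*"):
                findings.append((sid, f"all actions in service: {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            note = "" if stmt.get("Condition") else ", no Condition"
            findings.append((sid, "all resources (*)" + note))
    return findings


if __name__ == "__main__":
    for name, pol in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcards(pol) or "no wildcard findings")
```

Partial wildcards such as `s3:Get*` are not flagged by this check; IAM Access Analyzer and the policy simulator remain the tools for a full review.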
Tools and configurations
- AWS IAM: Create custom policies with minimal actions and resources.
- IAM Access Analyzer: Identifies overly permissive policies.
- Policy simulator: Test what a policy allows before attaching.
Common mistakes
- Using `*` for actions or resources.
- One role for all services.
- Never reviewing or tightening permissions.
- Shared admin credentials.
Quick checklist
- [ ] Create separate roles per service
- [ ] Use specific resource ARNs, not wildcards
- [ ] Run IAM Access Analyzer
- [ ] Review and remove unused permissions quarterly
- [ ] No shared admin credentials
Frequently asked questions
- Why is admin access dangerous in AWS?
  Admin access grants full control over your AWS account. One compromised key can delete resources, exfiltrate data, or rack up bills. Use least privilege to limit blast radius.
- What is least privilege in AWS?
  Least privilege means granting each role or user only the permissions it needs, no more. Create separate roles per service with minimal permissions.
- How do I reduce admin access in AWS?
  Create custom roles per service. Use IAM Access Analyzer to find overly permissive policies. Remove unused permissions. Never use shared admin credentials.