How to Restrict IAM Roles Properly
Overly permissive IAM roles enlarge the blast radius of any compromised credential. Here's how to scope them down to the minimal permissions each service needs.
What this problem means
Your IAM roles grant more permissions than needed. Maybe you used `s3:*` on `*` to "get it working." Or one role is used by multiple services. When a key is compromised, the damage is larger than necessary.
Why this is dangerous
- Blast radius: A compromised key with broad permissions can affect many resources.
- Compliance: SOC 2 and ISO 27001 auditors, and your customers, expect least privilege.
- Audit failures: Overly permissive IAM is a common finding in security reviews.
Real-world example
A startup used a single IAM role for all Lambda functions. The role had `s3:*` on `*`. When one Lambda was compromised, the attacker had access to all S3 buckets. Scoping the role to specific buckets would have limited the damage.
How to fix it
1. One role per service: Don't share roles across services. Each Lambda, EC2, or ECS task gets its own role.
2. Specific actions: Use `s3:GetObject`, `s3:PutObject` instead of `s3:*`.
3. Specific resources: Use `arn:aws:s3:::my-bucket/*` instead of `*`.
4. Conditions: Restrict by IP, MFA, or resource tags where possible.
5. IAM Access Analyzer: Run it to find overly permissive policies.
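Steps 2 through 4 can be checked mechanically before a policy is attached. The script below is an added example (not from this article or from AWS tooling) that lints an IAM policy document for the patterns above: `*` actions, `service:*` actions, `*` resources, and Allow statements with no Condition. The two policies it checks are constructed: the broad one matches the Lambda example above, the scoped one is what the fix steps produce.

```python
"""Lint an IAM policy document for the over-permissive patterns this page
warns about: wildcard actions (`*` or `service:*`) and wildcard resources.
Added example; the two policies below are constructed, not from a real account."""
import json

# Constructed "before" policy: the one from the Lambda example (s3:* on *).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed "after" policy: specific actions, a specific bucket ARN, and an
# MFA condition (aws:MultiFactorAuthPresent is a real global condition key).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::my-bucket/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return a list of (statement_index, finding) for every Allow statement
    that uses wildcard actions or resources, or carries no Condition.
    Deny statements are skipped: a broad Deny narrows rather than widens access."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "action wildcard: * grants every API call"))
            elif action.endswith(":*"):
                findings.append((i, f"service wildcard: {action} grants every call in that service"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "resource wildcard: * applies to every resource"))
        if "Condition" not in stmt:
            findings.append((i, "no Condition: consider an IP, MFA or tag restriction"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy))
```

Run it against the policy JSON you are about to attach; an empty result means none of the listed patterns are present, not that the policy is correct, so still follow up with the policy simulator and IAM Access Analyzer.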
Tools and configurations
- AWS IAM: Create custom policies with minimal actions and resources.
- IAM Access Analyzer: Identifies overly permissive policies.
- Policy simulator: Test what a policy allows before attaching.
Common mistakes
- Using `*` for actions or resources.
- One role for all services.
- Never reviewing or tightening permissions.
- Copying policies from tutorials without scoping.
Quick checklist
- [ ] Create separate roles per service
- [ ] Use specific actions, not wildcards
- [ ] Use specific resource ARNs
- [ ] Run IAM Access Analyzer
- [ ] Review permissions quarterly
Frequently asked questions
- How do I restrict IAM roles in AWS?
- Use specific actions (e.g., s3:GetObject) and resource ARNs (e.g., arn:aws:s3:::my-bucket/*). Avoid wildcards. Run IAM Access Analyzer to find issues.
- What is IAM Access Analyzer?
- An AWS tool that identifies overly permissive IAM policies. It finds policies that grant access to resources outside your account or that are too broad.
- Should I use one IAM role for multiple services?
- No. Create separate roles per service. Each service gets only the permissions it needs. This limits blast radius if a key is compromised.