Cloud Identity and Access Management (IAM) Best Practices

Identity and Access Management is the foundation of cloud security. Properly configured IAM policies prevent unauthorized access and limit the blast radius of security incidents. This guide covers essential IAM best practices for AWS, Azure, and GCP.

Principle of Least Privilege

Grant only the minimum permissions required for users and services to perform their tasks. Start with zero permissions and add only what’s necessary.

# AWS - Least privilege policy example
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/specific-prefix/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-1"
                }
            }
        }
    ]
}

Use IAM Roles Instead of Long-term Credentials

# Terraform - EC2 instance with IAM role
resource "aws_iam_role" "ec2_role" {
  name = "ec2-application-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })
}

resource "aws_iam_instance_profile" "ec2_profile" {
  name = "ec2-application-profile"
  role = aws_iam_role.ec2_role.name
}

resource "aws_instance" "app" {
  ami                  = "ami-0123456789"
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2_profile.name
}

Implement MFA Everywhere

# Policy requiring MFA for sensitive actions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "rds:DeleteDBInstance"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Service Control Policies (SCPs)

# SCP to restrict regions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "eu-west-1"
                    ]
                }
            }
        }
    ]
}
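The following Python evaluator is an added example, not code from the original page: it models how the MFA-gating policy and the region SCP above are evaluated and why the MFA gate uses BoolIfExists rather than Bool (a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key at all, so Bool never matches and the Deny silently does not apply). The policy dictionaries and request contexts are constructed, and only the four condition operators used on this page are modelled.

```python
from fnmatch import fnmatch

# Constructed, condensed copies of the two Deny policies shown on this page.
MFA_DENY = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances", "rds:DeleteDBInstance"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
REGION_SCP = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_matches(cond, ctx):
    """Model AWS condition evaluation for the operators used on this page.
    Bool: missing key -> no match. BoolIfExists: missing key -> match.
    StringNotEquals is negated, so a missing key also matches."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            want = [str(x).lower() for x in _as_list(expected)]
            have = str(ctx[key]).lower() if key in ctx else None
            if op == "Bool" and have != want[0]:
                return False
            elif op == "BoolIfExists" and have is not None and have != want[0]:
                return False
            elif op == "StringEquals" and have not in want:
                return False
            elif op == "StringNotEquals" and have in want:
                return False
            elif op not in ("Bool", "BoolIfExists", "StringEquals", "StringNotEquals"):
                raise ValueError(f"operator {op} is not modelled")
    return True

def explicitly_denied(policies, action, ctx):
    """True if any Deny statement covers the action and its condition holds."""
    for policy in policies:
        for st in policy["Statement"]:
            if st["Effect"] != "Deny":
                continue
            if not any(fnmatch(action, a) for a in _as_list(st["Action"])):
                continue
            if condition_matches(st.get("Condition", {}), ctx):
                return True
    return False

def mfa_policy_with(operator):
    """The page's MFA policy with its condition operator swapped (Bool vs BoolIfExists)."""
    st = dict(MFA_DENY["Statement"][0])
    st["Condition"] = {operator: {"aws:MultiFactorAuthPresent": "false"}}
    return {"Statement": [st]}
```

Run explicitly_denied([MFA_DENY], "ec2:TerminateInstances", {"aws:RequestedRegion": "us-east-1"}) against the same call with mfa_policy_with("Bool") to see the gate hold under BoolIfExists and fail open under Bool.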

IAM Access Analyzer

# Enable IAM Access Analyzer
resource "aws_accessanalyzer_analyzer" "main" {
  analyzer_name = "organization-analyzer"
  type          = "ORGANIZATION"

  tags = {
    Environment = "production"
  }
}

Key Recommendations

  • Rotate credentials regularly (90 days maximum)
  • Use permission boundaries for delegated administration
  • Implement just-in-time access for privileged operations
  • Monitor and alert on IAM changes with CloudTrail
  • Conduct regular access reviews and remove unused permissions

Conclusion

Strong IAM practices are non-negotiable for cloud security. By implementing least privilege, using roles over credentials, enforcing MFA, and continuously monitoring access patterns, organizations can significantly reduce their attack surface.